Infy (Malware Family)

Infy

aka: Foudre

VTCollection

There is no description at this point.

References

2021-02-18 ⋅ Bitdefender ⋅ Cristina Vatamanu, Gheorghe Adrian Schipor, Rickey Gevers
Iranian APT Makes a Comeback with “Thunder and Lightning” Backdoor and Espionage Combo
Infy Tonnerre

2021-02-08 ⋅ Checkpoint ⋅ Checkpoint Research, Safebreach Labs
After Lightning Comes Thunder
Infy Tonnerre

2020-11-03 ⋅ ⋅ Gcow-Sec ⋅ Shadow Chaser Group
美人鱼(Infy)APT组织的归来——使用最新的Foudre后门进行攻击活动的分析
Infy

2018-08-17 ⋅ Intezer ⋅ Jay Rosenberg
Prince of Persia: The Sands of Foudre
Infy Infy

2017-08-01 ⋅ Palo Alto Networks Unit 42 ⋅ Simon Conant, Tomer Bar
Prince of Persia – Ride the Lightning: Infy returns as “Foudre”
Infy Infy

2016-06-28 ⋅ Palo Alto Networks Unit 42 ⋅ Lior Efraim, Simon Conant, Tomer Bar
Prince of Persia – Game Over
Infy Infy

2016-05-02 ⋅ Palo Alto Networks Unit 42 ⋅ Simon Conant, Tomer Bar
Prince of Persia: Infy Malware Active In Decade of Targeted Attacks
Infy

2016-05-02 ⋅ Github (pan-unit42) ⋅ Josh Grunzweig
Prince of Persia Hashes
Infy

2016-05-02 ⋅ Palo Alto Networks Unit 42 ⋅ Simon Conant, Tomer Bar
Prince of Persia: Infy Malware Active In Decade of Targeted Attacks
Infy Infy

Yara Rules

[TLP:WHITE] win_infy_auto (20230808 \| Detects win.infy.) rule win_infy_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.infy." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 7e24 8945d4 807de300 7409 8b45e4 66833820 } // n = 6, score = 200 // 7e24 \| jle 0x26 // 8945d4 \| mov dword ptr [ebp - 0x2c], eax // 807de300 \| cmp byte ptr [ebp - 0x1d], 0 // 7409 \| je 0xb // 8b45e4 \| mov eax, dword ptr [ebp - 0x1c] // 66833820 \| cmp word ptr [eax], 0x20 $sequence_1 = { 7409 8b13 8bc3 e8???????? 85c0 7405 83e804 } // n = 7, score = 200 // 7409 \| je 0xb // 8b13 \| mov edx, dword ptr [ebx] // 8bc3 \| mov eax, ebx // e8???????? \| // 85c0 \| test eax, eax // 7405 \| je 7 // 83e804 \| sub eax, 4 $sequence_2 = { 57 33c9 894df8 8955f0 } // n = 4, score = 200 // 57 \| push edi // 33c9 \| xor ecx, ecx // 894df8 \| mov dword ptr [ebp - 8], ecx // 8955f0 \| mov dword ptr [ebp - 0x10], edx $sequence_3 = { 7553 837e1400 7442 837e1c00 } // n = 4, score = 200 // 7553 \| jne 0x55 // 837e1400 \| cmp dword ptr [esi + 0x14], 0 // 7442 \| je 0x44 // 837e1c00 \| cmp dword ptr [esi + 0x1c], 0 $sequence_4 = { 668378f602 7412 6a00 89e0 } // n = 4, score = 200 // 668378f602 \| cmp word ptr [eax - 0xa], 2 // 7412 \| je 0x14 // 6a00 \| push 0 // 89e0 \| mov eax, esp $sequence_5 = { 68???????? 8d45c8 ba09000000 e8???????? 8d45ec } // n = 5, score = 200 // 68???????? \| // 8d45c8 \| lea eax, [ebp - 0x38] // ba09000000 \| mov edx, 9 // e8???????? \| // 8d45ec \| lea eax, [ebp - 0x14] $sequence_6 = { 807de300 7409 8b45e4 66833820 7304 33c0 eb02 } // n = 7, score = 200 // 807de300 \| cmp byte ptr [ebp - 0x1d], 0 // 7409 \| je 0xb // 8b45e4 \| mov eax, dword ptr [ebp - 0x1c] // 66833820 \| cmp word ptr [eax], 0x20 // 7304 \| jae 6 // 33c0 \| xor eax, eax // eb02 \| jmp 4 $sequence_7 = { c1e002 034610 f6400380 0f94c2 83e201 8955e0 85d2 } // n = 7, score = 200 // c1e002 \| shl eax, 2 // 034610 \| add eax, dword ptr [esi + 0x10] // f6400380 \| test byte ptr [eax + 3], 0x80 // 0f94c2 \| sete dl // 83e201 \| and edx, 1 // 8955e0 \| mov dword ptr [ebp - 0x20], edx // 85d2 \| test edx, edx $sequence_8 = { e8???????? 8bd0 81e2ff000000 2500ff0000 c1e808 83fa05 7505 } // n = 7, score = 200 // e8???????? \| // 8bd0 \| mov edx, eax // 81e2ff000000 \| and edx, 0xff // 2500ff0000 \| and eax, 0xff00 // c1e808 \| shr eax, 8 // 83fa05 \| cmp edx, 5 // 7505 \| jne 7 $sequence_9 = { e8???????? 83c40c 5b 5d c20800 55 8bec } // n = 7, score = 200 // e8???????? \| // 83c40c \| add esp, 0xc // 5b \| pop ebx // 5d \| pop ebp // c20800 \| ret 8 // 55 \| push ebp // 8bec \| mov ebp, esp condition: 7 of them and filesize < 147456 }
[TLP:WHITE] win_infy_w0 (20170803 \| Detects Foudre Backdoor) rule win_infy_w0 { meta: author = "Florian Roth" description = "Detects Foudre Backdoor" info = "foudre dropper" reference = "https://goo.gl/Nbqbt6" date = "2017-08-01" hash = "7e73a727dc8f3c48e58468c3fd0a193a027d085f25fa274a6e187cf503f01f74" hash = "7ce2c5111e3560aa6036f98b48ceafe83aa1ac3d3b33392835316c859970f8bc" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy" malpedia_version = "20170803" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s1 = "initialization failed: Reinstall the program" fullword wide $s2 = "SnailDriver V1" fullword wide $s3 = "lp.ini" fullword wide condition: filesize < 100KB and 2 of them }
[TLP:WHITE] win_infy_w1 (20170803 \| Detects Foudre Backdoor) rule win_infy_w1 { meta: author = "Florian Roth" description = "Detects Foudre Backdoor" info = "foudre dropper 2" reference = "https://goo.gl/Nbqbt6" date = "2017-08-01" hash = "6bc9f6ac2f6688ed63baa29913eaf8c64738cf19933d974d25a0c26b7d01b9ac" hash = "da228831089c56743d1fbc8ef156c672017cdf46a322d847a270b9907def53a5" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy" malpedia_version = "20170803" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $x1 = "536F594A96C5496CB3949A4DA4775B576E049C57696E646F77735C43757272656E7456657273696F6E5C5C52756E" fullword wide $x2 = "2220263024C380B3278695851482EC32" fullword wide $s1 = "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\\\Startup\\" fullword wide $s2 = "C:\\Documents and Settings\\All Users\\" fullword wide $s3 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\\\Shell Folders" fullword wide $s4 = "ShellExecuteW" fullword wide condition: filesize < 100KB and ( 1 of ($x*) or 4 of them ) }
[TLP:WHITE] win_infy_w2 (20170803 \| Detects Foudre Backdoor) import "pe" rule win_infy_w2 { meta: description = "Detects Foudre Backdoor" author = "Florian Roth" info = "foudre backdoor" reference = "https://goo.gl/Nbqbt6" date = "2017-08-01" hash = "7c6206eaf0c5c9c6c8d8586a626b49575942572c51458575e51cba72ba2096a4" hash = "db605d501d3a5ca2b0e3d8296d552fbbf048ee831be21efca407c45bf794b109" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy" malpedia_version = "20170803" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: /* $s1 = "Project1.dll" fullword ascii / / Better: Project1.dll\x00D1 */ $s1 = { 50 72 6F 6A 65 63 74 31 2E 64 6C 6C 00 44 31 } $s2 = "winmgmts:\\\\localhost\\root\\SecurityCenter2" fullword wide $s3 = "C:\\Documents and Settings\\All Users\\" fullword wide condition: filesize < 2000KB and 3 of them or (2 of them and pe.exports("D1")) }

Download all Yara Rules

[TLP:WHITE] win_infy_auto (20230808 \| Detects win.infy.) rule win_infy_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.infy." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 7e24 8945d4 807de300 7409 8b45e4 66833820 } // n = 6, score = 200 // 7e24 \| jle 0x26 // 8945d4 \| mov dword ptr [ebp - 0x2c], eax // 807de300 \| cmp byte ptr [ebp - 0x1d], 0 // 7409 \| je 0xb // 8b45e4 \| mov eax, dword ptr [ebp - 0x1c] // 66833820 \| cmp word ptr [eax], 0x20 $sequence_1 = { 7409 8b13 8bc3 e8???????? 85c0 7405 83e804 } // n = 7, score = 200 // 7409 \| je 0xb // 8b13 \| mov edx, dword ptr [ebx] // 8bc3 \| mov eax, ebx // e8???????? \| // 85c0 \| test eax, eax // 7405 \| je 7 // 83e804 \| sub eax, 4 $sequence_2 = { 57 33c9 894df8 8955f0 } // n = 4, score = 200 // 57 \| push edi // 33c9 \| xor ecx, ecx // 894df8 \| mov dword ptr [ebp - 8], ecx // 8955f0 \| mov dword ptr [ebp - 0x10], edx $sequence_3 = { 7553 837e1400 7442 837e1c00 } // n = 4, score = 200 // 7553 \| jne 0x55 // 837e1400 \| cmp dword ptr [esi + 0x14], 0 // 7442 \| je 0x44 // 837e1c00 \| cmp dword ptr [esi + 0x1c], 0 $sequence_4 = { 668378f602 7412 6a00 89e0 } // n = 4, score = 200 // 668378f602 \| cmp word ptr [eax - 0xa], 2 // 7412 \| je 0x14 // 6a00 \| push 0 // 89e0 \| mov eax, esp $sequence_5 = { 68???????? 8d45c8 ba09000000 e8???????? 8d45ec } // n = 5, score = 200 // 68???????? \| // 8d45c8 \| lea eax, [ebp - 0x38] // ba09000000 \| mov edx, 9 // e8???????? \| // 8d45ec \| lea eax, [ebp - 0x14] $sequence_6 = { 807de300 7409 8b45e4 66833820 7304 33c0 eb02 } // n = 7, score = 200 // 807de300 \| cmp byte ptr [ebp - 0x1d], 0 // 7409 \| je 0xb // 8b45e4 \| mov eax, dword ptr [ebp - 0x1c] // 66833820 \| cmp word ptr [eax], 0x20 // 7304 \| jae 6 // 33c0 \| xor eax, eax // eb02 \| jmp 4 $sequence_7 = { c1e002 034610 f6400380 0f94c2 83e201 8955e0 85d2 } // n = 7, score = 200 // c1e002 \| shl eax, 2 // 034610 \| add eax, dword ptr [esi + 0x10] // f6400380 \| test byte ptr [eax + 3], 0x80 // 0f94c2 \| sete dl // 83e201 \| and edx, 1 // 8955e0 \| mov dword ptr [ebp - 0x20], edx // 85d2 \| test edx, edx $sequence_8 = { e8???????? 8bd0 81e2ff000000 2500ff0000 c1e808 83fa05 7505 } // n = 7, score = 200 // e8???????? \| // 8bd0 \| mov edx, eax // 81e2ff000000 \| and edx, 0xff // 2500ff0000 \| and eax, 0xff00 // c1e808 \| shr eax, 8 // 83fa05 \| cmp edx, 5 // 7505 \| jne 7 $sequence_9 = { e8???????? 83c40c 5b 5d c20800 55 8bec } // n = 7, score = 200 // e8???????? \| // 83c40c \| add esp, 0xc // 5b \| pop ebx // 5d \| pop ebp // c20800 \| ret 8 // 55 \| push ebp // 8bec \| mov ebp, esp condition: 7 of them and filesize < 147456 }
[TLP:WHITE] win_infy_w0 (20170803 \| Detects Foudre Backdoor) rule win_infy_w0 { meta: author = "Florian Roth" description = "Detects Foudre Backdoor" info = "foudre dropper" reference = "https://goo.gl/Nbqbt6" date = "2017-08-01" hash = "7e73a727dc8f3c48e58468c3fd0a193a027d085f25fa274a6e187cf503f01f74" hash = "7ce2c5111e3560aa6036f98b48ceafe83aa1ac3d3b33392835316c859970f8bc" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy" malpedia_version = "20170803" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s1 = "initialization failed: Reinstall the program" fullword wide $s2 = "SnailDriver V1" fullword wide $s3 = "lp.ini" fullword wide condition: filesize < 100KB and 2 of them }
[TLP:WHITE] win_infy_w1 (20170803 \| Detects Foudre Backdoor) rule win_infy_w1 { meta: author = "Florian Roth" description = "Detects Foudre Backdoor" info = "foudre dropper 2" reference = "https://goo.gl/Nbqbt6" date = "2017-08-01" hash = "6bc9f6ac2f6688ed63baa29913eaf8c64738cf19933d974d25a0c26b7d01b9ac" hash = "da228831089c56743d1fbc8ef156c672017cdf46a322d847a270b9907def53a5" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy" malpedia_version = "20170803" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $x1 = "536F594A96C5496CB3949A4DA4775B576E049C57696E646F77735C43757272656E7456657273696F6E5C5C52756E" fullword wide $x2 = "2220263024C380B3278695851482EC32" fullword wide $s1 = "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\\\Startup\\" fullword wide $s2 = "C:\\Documents and Settings\\All Users\\" fullword wide $s3 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\\\Shell Folders" fullword wide $s4 = "ShellExecuteW" fullword wide condition: filesize < 100KB and ( 1 of ($x*) or 4 of them ) }
[TLP:WHITE] win_infy_w2 (20170803 \| Detects Foudre Backdoor) import "pe" rule win_infy_w2 { meta: description = "Detects Foudre Backdoor" author = "Florian Roth" info = "foudre backdoor" reference = "https://goo.gl/Nbqbt6" date = "2017-08-01" hash = "7c6206eaf0c5c9c6c8d8586a626b49575942572c51458575e51cba72ba2096a4" hash = "db605d501d3a5ca2b0e3d8296d552fbbf048ee831be21efca407c45bf794b109" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy" malpedia_version = "20170803" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: /* $s1 = "Project1.dll" fullword ascii / / Better: Project1.dll\x00D1 */ $s1 = { 50 72 6F 6A 65 63 74 31 2E 64 6C 6C 00 44 31 } $s2 = "winmgmts:\\\\localhost\\root\\SecurityCenter2" fullword wide $s3 = "C:\\Documents and Settings\\All Users\\" fullword wide condition: filesize < 2000KB and 3 of them or (2 of them and pe.exports("D1")) }

Infy Propose Change

References

Yara Rules

Infy