SYMBOLCOMMON_NAMEaka. SYNONYMS
win.infy (Back to overview)

Infy

aka: Foudre

There is no description at this point.

References
2021-02-18BitdefenderGheorghe Adrian Schipor, Rickey Gevers, Cristina Vatamanu
@techreport{schipor:20210218:iranian:a6516fb, author = {Gheorghe Adrian Schipor and Rickey Gevers and Cristina Vatamanu}, title = {{Iranian APT Makes a Comeback with “Thunder and Lightning” Backdoor and Espionage Combo}}, date = {2021-02-18}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/files/News/CaseStudies/study/393/Bitdefender-Whitepaper-Iranian-APT-Makes-a-Comeback-with-Thunder-and-Lightning-Backdoor-and-Espionage-Combo.pdf}, language = {English}, urldate = {2021-02-20} } Iranian APT Makes a Comeback with “Thunder and Lightning” Backdoor and Espionage Combo
Infy Tonnerre
2021-02-08CheckpointSafebreach Labs, Checkpoint Research
@online{labs:20210208:after:3e97412, author = {Safebreach Labs and Checkpoint Research}, title = {{After Lightning Comes Thunder}}, date = {2021-02-08}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2021/after-lightning-comes-thunder/}, language = {English}, urldate = {2021-02-09} } After Lightning Comes Thunder
Infy Tonnerre
2020-11-03Gcow-SecShadow Chaser Group
@online{group:20201103:infyaptfoudre:e546c27, author = {Shadow Chaser Group}, title = {{美人鱼(Infy)APT组织的归来——使用最新的Foudre后门进行攻击活动的分析}}, date = {2020-11-03}, organization = {Gcow-Sec}, url = {https://cloud.tencent.com/developer/article/1738806}, language = {Chinese}, urldate = {2020-11-04} } 美人鱼(Infy)APT组织的归来——使用最新的Foudre后门进行攻击活动的分析
Infy
2018-08-17IntezerJay Rosenberg
@online{rosenberg:20180817:prince:d4d3b9c, author = {Jay Rosenberg}, title = {{Prince of Persia: The Sands of Foudre}}, date = {2018-08-17}, organization = {Intezer}, url = {https://www.intezer.com/prince-of-persia-the-sands-of-foudre/}, language = {English}, urldate = {2020-01-13} } Prince of Persia: The Sands of Foudre
Infy Infy
2017-08-01Palo Alto Networks Unit 42Tomer Bar, Simon Conant
@online{bar:20170801:prince:db6038a, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia – Ride the Lightning: Infy returns as “Foudre”}}, date = {2017-08-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/}, language = {English}, urldate = {2019-12-20} } Prince of Persia – Ride the Lightning: Infy returns as “Foudre”
Infy Infy
2016-06-28Palo Alto Networks Unit 42Tomer Bar, Lior Efraim, Simon Conant
@online{bar:20160628:prince:b1d2cdd, author = {Tomer Bar and Lior Efraim and Simon Conant}, title = {{Prince of Persia – Game Over}}, date = {2016-06-28}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/}, language = {English}, urldate = {2019-10-28} } Prince of Persia – Game Over
Infy Infy
2016-05-02Palo Alto Networks Unit 42Tomer Bar, Simon Conant
@online{bar:20160502:prince:cfd5940, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia: Infy Malware Active In Decade of Targeted Attacks}}, date = {2016-05-02}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/}, language = {English}, urldate = {2020-04-06} } Prince of Persia: Infy Malware Active In Decade of Targeted Attacks
Infy Infy
2016-05-02Github (pan-unit42)Josh Grunzweig
@online{grunzweig:20160502:prince:bd368e1, author = {Josh Grunzweig}, title = {{Prince of Persia Hashes}}, date = {2016-05-02}, organization = {Github (pan-unit42)}, url = {https://github.com/pan-unit42/iocs/blob/master/prince_of_persia/hashes.csv}, language = {English}, urldate = {2020-01-08} } Prince of Persia Hashes
Infy
2016-05-02Palo Alto Networks Unit 42Tomer Bar, Simon Conant
@online{bar:20160502:prince:8b14d7f, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia: Infy Malware Active In Decade of Targeted Attacks}}, date = {2016-05-02}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/}, language = {English}, urldate = {2019-12-20} } Prince of Persia: Infy Malware Active In Decade of Targeted Attacks
Infy
Yara Rules
[TLP:WHITE] win_infy_auto (20220516 | Detects win.infy.)
rule win_infy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.infy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bf8 85ff 0f85fe000000 8b45dc 81780400010000 }
            // n = 5, score = 200
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   0f85fe000000         | jne                 0x104
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   81780400010000       | cmp                 dword ptr [eax + 4], 0x100

        $sequence_1 = { 8bd8 8d85b0fdffff 50 8bc3 e8???????? 50 e8???????? }
            // n = 7, score = 200
            //   8bd8                 | mov                 ebx, eax
            //   8d85b0fdffff         | lea                 eax, [ebp - 0x250]
            //   50                   | push                eax
            //   8bc3                 | mov                 eax, ebx
            //   e8????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_2 = { 8bec 0fb64d0c 8b4508 8b5510 }
            // n = 4, score = 200
            //   8bec                 | mov                 ebp, esp
            //   0fb64d0c             | movzx               ecx, byte ptr [ebp + 0xc]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]

        $sequence_3 = { 59 833b00 75f3 bb01000000 68???????? e8???????? 8bc3 }
            // n = 7, score = 200
            //   59                   | pop                 ecx
            //   833b00               | cmp                 dword ptr [ebx], 0
            //   75f3                 | jne                 0xfffffff5
            //   bb01000000           | mov                 ebx, 1
            //   68????????           |                     
            //   e8????????           |                     
            //   8bc3                 | mov                 eax, ebx

        $sequence_4 = { 2bfb 3bf7 7d02 8bfe 837dfc00 740b }
            // n = 6, score = 200
            //   2bfb                 | sub                 edi, ebx
            //   3bf7                 | cmp                 esi, edi
            //   7d02                 | jge                 4
            //   8bfe                 | mov                 edi, esi
            //   837dfc00             | cmp                 dword ptr [ebp - 4], 0
            //   740b                 | je                  0xd

        $sequence_5 = { 8d1401 895308 01f7 29cf }
            // n = 4, score = 200
            //   8d1401               | lea                 edx, [ecx + eax]
            //   895308               | mov                 dword ptr [ebx + 8], edx
            //   01f7                 | add                 edi, esi
            //   29cf                 | sub                 edi, ecx

        $sequence_6 = { 83c408 8945fc 8b45fc c1e002 034610 f6400380 0f94c2 }
            // n = 7, score = 200
            //   83c408               | add                 esp, 8
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   c1e002               | shl                 eax, 2
            //   034610               | add                 eax, dword ptr [esi + 0x10]
            //   f6400380             | test                byte ptr [eax + 3], 0x80
            //   0f94c2               | sete                dl

        $sequence_7 = { 8b08 81e1ffff0000 894de4 33ff 833d????????00 7417 }
            // n = 6, score = 200
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   81e1ffff0000         | and                 ecx, 0xffff
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   33ff                 | xor                 edi, edi
            //   833d????????00       |                     
            //   7417                 | je                  0x19

        $sequence_8 = { 7424 89c6 8955fc 8b449504 }
            // n = 4, score = 200
            //   7424                 | je                  0x26
            //   89c6                 | mov                 esi, eax
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   8b449504             | mov                 eax, dword ptr [ebp + edx*4 + 4]

        $sequence_9 = { 8b45dc e8???????? 8bf8 85ff 0f85fe000000 8b45dc 81780400010000 }
            // n = 7, score = 200
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   0f85fe000000         | jne                 0x104
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   81780400010000       | cmp                 dword ptr [eax + 4], 0x100

    condition:
        7 of them and filesize < 147456
}
[TLP:WHITE] win_infy_w0   (20170803 | Detects Foudre Backdoor)
rule win_infy_w0 {
    meta:
        author = "Florian Roth"
        description = "Detects Foudre Backdoor"
        info = "foudre dropper"
        reference = "https://goo.gl/Nbqbt6"
        date = "2017-08-01"
        hash = "7e73a727dc8f3c48e58468c3fd0a193a027d085f25fa274a6e187cf503f01f74"
        hash = "7ce2c5111e3560aa6036f98b48ceafe83aa1ac3d3b33392835316c859970f8bc"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy"
        malpedia_version = "20170803"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = "initialization failed: Reinstall the program" fullword wide
        $s2 = "SnailDriver V1" fullword wide
        $s3 = "lp.ini" fullword wide
    condition:
        filesize < 100KB and 2 of them
}
[TLP:WHITE] win_infy_w1   (20170803 | Detects Foudre Backdoor)
rule win_infy_w1 {
    meta:
        author = "Florian Roth"
        description = "Detects Foudre Backdoor"
        info = "foudre dropper 2"
        reference = "https://goo.gl/Nbqbt6"
        date = "2017-08-01"
        hash = "6bc9f6ac2f6688ed63baa29913eaf8c64738cf19933d974d25a0c26b7d01b9ac"
        hash = "da228831089c56743d1fbc8ef156c672017cdf46a322d847a270b9907def53a5"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy"
        malpedia_version = "20170803"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $x1 = "536F594A96C5496CB3949A4DA4775B576E049C57696E646F77735C43757272656E7456657273696F6E5C5C52756E" fullword wide
        $x2 = "2220263024C380B3278695851482EC32" fullword wide

        $s1 = "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\\\Startup\\" fullword wide
        $s2 = "C:\\Documents and Settings\\All Users\\" fullword wide
        $s3 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\\\Shell Folders" fullword wide
        $s4 = "ShellExecuteW" fullword wide
    condition:
        filesize < 100KB and ( 1 of ($x*) or 4 of them ) 
}
[TLP:WHITE] win_infy_w2   (20170803 | Detects Foudre Backdoor)
import "pe"

rule win_infy_w2 {
    meta:
        description = "Detects Foudre Backdoor"
        author = "Florian Roth"
        info = "foudre backdoor"
        reference = "https://goo.gl/Nbqbt6"
        date = "2017-08-01"
        hash = "7c6206eaf0c5c9c6c8d8586a626b49575942572c51458575e51cba72ba2096a4"
        hash = "db605d501d3a5ca2b0e3d8296d552fbbf048ee831be21efca407c45bf794b109"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy"
        malpedia_version = "20170803"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        /* $s1 = "Project1.dll" fullword ascii */
        /* Better: Project1.dll\x00D1 */
        $s1 = { 50 72 6F 6A 65 63 74 31 2E 64 6C 6C 00 44 31 }
        $s2 = "winmgmts:\\\\localhost\\root\\SecurityCenter2" fullword wide
        $s3 = "C:\\Documents and Settings\\All Users\\" fullword wide
    condition:
        filesize < 2000KB and 3 of them or (2 of them and pe.exports("D1"))
}
Download all Yara Rules