Infy (Malware Family)

Infy

aka: Foudre

VTCollection

There is no description at this point.

References

2026-02-04 ⋅ safebreach ⋅ Tomer Bar
Prince of Persia, Part II: Covering Tracks, Striking Back & a Revealing Link to the Iranian Regime Amid the Country’s Internet Blackout
Infy StormKittyRAT

2025-12-18 ⋅ safebreach ⋅ Tomer Bar
Prince of Persia: A decade of Iranian Nation State APT Campaign Activity
Infy Tonnerre

2021-02-18 ⋅ Bitdefender ⋅ Cristina Vatamanu, Gheorghe Adrian Schipor, Rickey Gevers
Iranian APT Makes a Comeback with “Thunder and Lightning” Backdoor and Espionage Combo
Infy Tonnerre

2021-02-08 ⋅ Checkpoint ⋅ Checkpoint Research, Safebreach Labs
After Lightning Comes Thunder
Infy Tonnerre

2020-11-03 ⋅ ⋅ Gcow-Sec ⋅ Shadow Chaser Group
美人鱼(Infy)APT组织的归来——使用最新的Foudre后门进行攻击活动的分析
Infy

2018-08-17 ⋅ Intezer ⋅ Jay Rosenberg
Prince of Persia: The Sands of Foudre
Infy Infy

2017-08-01 ⋅ Palo Alto Networks Unit 42 ⋅ Simon Conant, Tomer Bar
Prince of Persia – Ride the Lightning: Infy returns as “Foudre”
Infy Infy

2016-06-28 ⋅ Palo Alto Networks Unit 42 ⋅ Lior Efraim, Simon Conant, Tomer Bar
Prince of Persia – Game Over
Infy Infy

2016-05-02 ⋅ Palo Alto Networks Unit 42 ⋅ Simon Conant, Tomer Bar
Prince of Persia: Infy Malware Active In Decade of Targeted Attacks
Infy

2016-05-02 ⋅ Github (pan-unit42) ⋅ Josh Grunzweig
Prince of Persia Hashes
Infy

2016-05-02 ⋅ Palo Alto Networks Unit 42 ⋅ Simon Conant, Tomer Bar
Prince of Persia: Infy Malware Active In Decade of Targeted Attacks
Infy Infy

Yara Rules

[TLP:WHITE] win_infy_auto (20251219 \| Detects win.infy.) rule win_infy_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-01-05" version = "1" description = "Detects win.infy." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy" malpedia_rule_date = "20260105" malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" malpedia_version = "20251219" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. / strings: $sequence_0 = { 85ff 7e2e 4e 8bd0 } // n = 4, score = 200 // 85ff \| test edi, edi // 7e2e \| jle 0x30 // 4e \| dec esi // 8bd0 \| mov edx, eax $sequence_1 = { 33d2 e8???????? eb2d 3b7df8 7514 8b45f0 } // n = 6, score = 200 // 33d2 \| xor edx, edx // e8???????? \| // eb2d \| jmp 0x2f // 3b7df8 \| cmp edi, dword ptr [ebp - 8] // 7514 \| jne 0x16 // 8b45f0 \| mov eax, dword ptr [ebp - 0x10] $sequence_2 = { 740e 8d45d0 50 6a03 ff15???????? 8bd8 85db } // n = 7, score = 200 // 740e \| je 0x10 // 8d45d0 \| lea eax, [ebp - 0x30] // 50 \| push eax // 6a03 \| push 3 // ff15???????? \| // 8bd8 \| mov ebx, eax // 85db \| test ebx, ebx $sequence_3 = { 50 89c6 8b449d04 85c0 7412 } // n = 5, score = 200 // 50 \| push eax // 89c6 \| mov esi, eax // 8b449d04 \| mov eax, dword ptr [ebp + ebx4 + 4] // 85c0 \| test eax, eax // 7412 \| je 0x14 $sequence_4 = { 837dec00 740b 8b45f0 8b55f8 } // n = 4, score = 200 // 837dec00 \| cmp dword ptr [ebp - 0x14], 0 // 740b \| je 0xd // 8b45f0 \| mov eax, dword ptr [ebp - 0x10] // 8b55f8 \| mov edx, dword ptr [ebp - 8] $sequence_5 = { 833d????????00 740e 8d55d0 52 6a01 } // n = 5, score = 200 // 833d????????00 \| // 740e \| je 0x10 // 8d55d0 \| lea edx, [ebp - 0x30] // 52 \| push edx // 6a01 \| push 1 $sequence_6 = { b8???????? e8???????? b8???????? e8???????? 807b2800 7514 } // n = 6, score = 200 // b8???????? \| // e8???????? \| // b8???????? \| // e8???????? \| // 807b2800 \| cmp byte ptr [ebx + 0x28], 0 // 7514 \| jne 0x16 $sequence_7 = { 85f6 7d04 33ff eb0a 8bf8 2bfb } // n = 6, score = 200 // 85f6 \| test esi, esi // 7d04 \| jge 6 // 33ff \| xor edi, edi // eb0a \| jmp 0xc // 8bf8 \| mov edi, eax // 2bfb \| sub edi, ebx $sequence_8 = { 7502 eb06 8b1b 85db } // n = 4, score = 200 // 7502 \| jne 4 // eb06 \| jmp 8 // 8b1b \| mov ebx, dword ptr [ebx] // 85db \| test ebx, ebx $sequence_9 = { 0fb74af4 870c24 51 8b4afc e9???????? } // n = 5, score = 200 // 0fb74af4 \| movzx ecx, word ptr [edx - 0xc] // 870c24 \| xchg dword ptr [esp], ecx // 51 \| push ecx // 8b4afc \| mov ecx, dword ptr [edx - 4] // e9???????? \| condition: 7 of them and filesize < 147456 }
[TLP:WHITE] win_infy_w0 (20170803 \| Detects Foudre Backdoor) rule win_infy_w0 { meta: author = "Florian Roth" description = "Detects Foudre Backdoor" info = "foudre dropper" reference = "https://goo.gl/Nbqbt6" date = "2017-08-01" hash = "7e73a727dc8f3c48e58468c3fd0a193a027d085f25fa274a6e187cf503f01f74" hash = "7ce2c5111e3560aa6036f98b48ceafe83aa1ac3d3b33392835316c859970f8bc" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy" malpedia_version = "20170803" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s1 = "initialization failed: Reinstall the program" fullword wide $s2 = "SnailDriver V1" fullword wide $s3 = "lp.ini" fullword wide condition: filesize < 100KB and 2 of them }
[TLP:WHITE] win_infy_w1 (20170803 \| Detects Foudre Backdoor) rule win_infy_w1 { meta: author = "Florian Roth" description = "Detects Foudre Backdoor" info = "foudre dropper 2" reference = "https://goo.gl/Nbqbt6" date = "2017-08-01" hash = "6bc9f6ac2f6688ed63baa29913eaf8c64738cf19933d974d25a0c26b7d01b9ac" hash = "da228831089c56743d1fbc8ef156c672017cdf46a322d847a270b9907def53a5" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy" malpedia_version = "20170803" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $x1 = "536F594A96C5496CB3949A4DA4775B576E049C57696E646F77735C43757272656E7456657273696F6E5C5C52756E" fullword wide $x2 = "2220263024C380B3278695851482EC32" fullword wide $s1 = "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\\\Startup\\" fullword wide $s2 = "C:\\Documents and Settings\\All Users\\" fullword wide $s3 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\\\Shell Folders" fullword wide $s4 = "ShellExecuteW" fullword wide condition: filesize < 100KB and ( 1 of ($x*) or 4 of them ) }
[TLP:WHITE] win_infy_w2 (20170803 \| Detects Foudre Backdoor) import "pe" rule win_infy_w2 { meta: description = "Detects Foudre Backdoor" author = "Florian Roth" info = "foudre backdoor" reference = "https://goo.gl/Nbqbt6" date = "2017-08-01" hash = "7c6206eaf0c5c9c6c8d8586a626b49575942572c51458575e51cba72ba2096a4" hash = "db605d501d3a5ca2b0e3d8296d552fbbf048ee831be21efca407c45bf794b109" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy" malpedia_version = "20170803" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: /* $s1 = "Project1.dll" fullword ascii / / Better: Project1.dll\x00D1 */ $s1 = { 50 72 6F 6A 65 63 74 31 2E 64 6C 6C 00 44 31 } $s2 = "winmgmts:\\\\localhost\\root\\SecurityCenter2" fullword wide $s3 = "C:\\Documents and Settings\\All Users\\" fullword wide condition: filesize < 2000KB and 3 of them or (2 of them and pe.exports("D1")) }

Download all Yara Rules

[TLP:WHITE] win_infy_auto (20251219 \| Detects win.infy.) rule win_infy_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-01-05" version = "1" description = "Detects win.infy." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy" malpedia_rule_date = "20260105" malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" malpedia_version = "20251219" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. / strings: $sequence_0 = { 85ff 7e2e 4e 8bd0 } // n = 4, score = 200 // 85ff \| test edi, edi // 7e2e \| jle 0x30 // 4e \| dec esi // 8bd0 \| mov edx, eax $sequence_1 = { 33d2 e8???????? eb2d 3b7df8 7514 8b45f0 } // n = 6, score = 200 // 33d2 \| xor edx, edx // e8???????? \| // eb2d \| jmp 0x2f // 3b7df8 \| cmp edi, dword ptr [ebp - 8] // 7514 \| jne 0x16 // 8b45f0 \| mov eax, dword ptr [ebp - 0x10] $sequence_2 = { 740e 8d45d0 50 6a03 ff15???????? 8bd8 85db } // n = 7, score = 200 // 740e \| je 0x10 // 8d45d0 \| lea eax, [ebp - 0x30] // 50 \| push eax // 6a03 \| push 3 // ff15???????? \| // 8bd8 \| mov ebx, eax // 85db \| test ebx, ebx $sequence_3 = { 50 89c6 8b449d04 85c0 7412 } // n = 5, score = 200 // 50 \| push eax // 89c6 \| mov esi, eax // 8b449d04 \| mov eax, dword ptr [ebp + ebx4 + 4] // 85c0 \| test eax, eax // 7412 \| je 0x14 $sequence_4 = { 837dec00 740b 8b45f0 8b55f8 } // n = 4, score = 200 // 837dec00 \| cmp dword ptr [ebp - 0x14], 0 // 740b \| je 0xd // 8b45f0 \| mov eax, dword ptr [ebp - 0x10] // 8b55f8 \| mov edx, dword ptr [ebp - 8] $sequence_5 = { 833d????????00 740e 8d55d0 52 6a01 } // n = 5, score = 200 // 833d????????00 \| // 740e \| je 0x10 // 8d55d0 \| lea edx, [ebp - 0x30] // 52 \| push edx // 6a01 \| push 1 $sequence_6 = { b8???????? e8???????? b8???????? e8???????? 807b2800 7514 } // n = 6, score = 200 // b8???????? \| // e8???????? \| // b8???????? \| // e8???????? \| // 807b2800 \| cmp byte ptr [ebx + 0x28], 0 // 7514 \| jne 0x16 $sequence_7 = { 85f6 7d04 33ff eb0a 8bf8 2bfb } // n = 6, score = 200 // 85f6 \| test esi, esi // 7d04 \| jge 6 // 33ff \| xor edi, edi // eb0a \| jmp 0xc // 8bf8 \| mov edi, eax // 2bfb \| sub edi, ebx $sequence_8 = { 7502 eb06 8b1b 85db } // n = 4, score = 200 // 7502 \| jne 4 // eb06 \| jmp 8 // 8b1b \| mov ebx, dword ptr [ebx] // 85db \| test ebx, ebx $sequence_9 = { 0fb74af4 870c24 51 8b4afc e9???????? } // n = 5, score = 200 // 0fb74af4 \| movzx ecx, word ptr [edx - 0xc] // 870c24 \| xchg dword ptr [esp], ecx // 51 \| push ecx // 8b4afc \| mov ecx, dword ptr [edx - 4] // e9???????? \| condition: 7 of them and filesize < 147456 }
[TLP:WHITE] win_infy_w0 (20170803 \| Detects Foudre Backdoor) rule win_infy_w0 { meta: author = "Florian Roth" description = "Detects Foudre Backdoor" info = "foudre dropper" reference = "https://goo.gl/Nbqbt6" date = "2017-08-01" hash = "7e73a727dc8f3c48e58468c3fd0a193a027d085f25fa274a6e187cf503f01f74" hash = "7ce2c5111e3560aa6036f98b48ceafe83aa1ac3d3b33392835316c859970f8bc" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy" malpedia_version = "20170803" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s1 = "initialization failed: Reinstall the program" fullword wide $s2 = "SnailDriver V1" fullword wide $s3 = "lp.ini" fullword wide condition: filesize < 100KB and 2 of them }
[TLP:WHITE] win_infy_w1 (20170803 \| Detects Foudre Backdoor) rule win_infy_w1 { meta: author = "Florian Roth" description = "Detects Foudre Backdoor" info = "foudre dropper 2" reference = "https://goo.gl/Nbqbt6" date = "2017-08-01" hash = "6bc9f6ac2f6688ed63baa29913eaf8c64738cf19933d974d25a0c26b7d01b9ac" hash = "da228831089c56743d1fbc8ef156c672017cdf46a322d847a270b9907def53a5" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy" malpedia_version = "20170803" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $x1 = "536F594A96C5496CB3949A4DA4775B576E049C57696E646F77735C43757272656E7456657273696F6E5C5C52756E" fullword wide $x2 = "2220263024C380B3278695851482EC32" fullword wide $s1 = "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\\\Startup\\" fullword wide $s2 = "C:\\Documents and Settings\\All Users\\" fullword wide $s3 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\\\Shell Folders" fullword wide $s4 = "ShellExecuteW" fullword wide condition: filesize < 100KB and ( 1 of ($x*) or 4 of them ) }
[TLP:WHITE] win_infy_w2 (20170803 \| Detects Foudre Backdoor) import "pe" rule win_infy_w2 { meta: description = "Detects Foudre Backdoor" author = "Florian Roth" info = "foudre backdoor" reference = "https://goo.gl/Nbqbt6" date = "2017-08-01" hash = "7c6206eaf0c5c9c6c8d8586a626b49575942572c51458575e51cba72ba2096a4" hash = "db605d501d3a5ca2b0e3d8296d552fbbf048ee831be21efca407c45bf794b109" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy" malpedia_version = "20170803" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: /* $s1 = "Project1.dll" fullword ascii / / Better: Project1.dll\x00D1 */ $s1 = { 50 72 6F 6A 65 63 74 31 2E 64 6C 6C 00 44 31 } $s2 = "winmgmts:\\\\localhost\\root\\SecurityCenter2" fullword wide $s3 = "C:\\Documents and Settings\\All Users\\" fullword wide condition: filesize < 2000KB and 3 of them or (2 of them and pe.exports("D1")) }

Infy Propose Change

References

Yara Rules

Infy