
JripBot

Actor(s): WildNeutron


There is no description at this point.

References
2016-09-07 | Virus Bulletin | Brian Bartholomew, Juan Andrés Guerrero-Saade
@techreport{bartholomew:20160907:wave:96e9f50, author = {Brian Bartholomew and Juan Andrés Guerrero-Saade}, title = {{Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks}}, date = {2016-09-07}, institution = {Virus Bulletin}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf}, language = {English}, urldate = {2020-03-13} } Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks
DuQu JripBot Sinowal Stuxnet Wipbot
2015-07-08 | Kaspersky Labs | GReAT
@online{great:20150708:wild:4e853a7, author = {GReAT}, title = {{Wild Neutron – Economic espionage threat actor returns with new tricks}}, date = {2015-07-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/}, language = {English}, urldate = {2019-12-20} } Wild Neutron – Economic espionage threat actor returns with new tricks
JripBot
Yara Rules
[TLP:WHITE] win_jripbot_auto (20201023 | autogenerated rule brought to you by yara-signator)
// Auto-generated code-sequence rule for the JripBot family (Malpedia id
// win.jripbot). Detection is based on ten short x86 instruction sequences
// selected by yara-signator; see the DISCLAIMER below on how they were chosen.
// The sequences were taken from memory dumps and unpacked files (per the
// DISCLAIMER), so on-disk samples that are still packed are not expected to
// match — run it against unpacked or memory-resident PE images.
rule win_jripbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jripbot"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a hex pattern of consecutive instructions; the
    // "n = ..." comment gives the instruction count and "score" the
    // generator's weight. Bytes written as ?? are wildcards: they stand for
    // operands (call/jump targets, absolute addresses) that differ between
    // builds and load addresses, which is why those lines have no disassembly.
    strings:
        $sequence_0 = { 8bec 83ec0c ff7508 8365f400 8365fc00 }
            // n = 5, score = 100
            //   8bec                 | mov                 ebp, esp
            //   83ec0c               | sub                 esp, 0xc
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8365f400             | and                 dword ptr [ebp - 0xc], 0
            //   8365fc00             | and                 dword ptr [ebp - 4], 0

        $sequence_1 = { 83c704 8b07 85c0 75de 6800040000 ff33 }
            // n = 6, score = 100
            //   83c704               | add                 edi, 4
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   85c0                 | test                eax, eax
            //   75de                 | jne                 0xffffffe0
            //   6800040000           | push                0x400
            //   ff33                 | push                dword ptr [ebx]

        $sequence_2 = { ff15???????? 59 33ff 59 391d???????? 7420 b8???????? }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   59                   | pop                 ecx
            //   33ff                 | xor                 edi, edi
            //   59                   | pop                 ecx
            //   391d????????         |                     
            //   7420                 | je                  0x22
            //   b8????????           |                     

        $sequence_3 = { 83c178 e8???????? 8b4b74 83c414 83c178 e8???????? 8b4b74 }
            // n = 7, score = 100
            //   83c178               | add                 ecx, 0x78
            //   e8????????           |                     
            //   8b4b74               | mov                 ecx, dword ptr [ebx + 0x74]
            //   83c414               | add                 esp, 0x14
            //   83c178               | add                 ecx, 0x78
            //   e8????????           |                     
            //   8b4b74               | mov                 ecx, dword ptr [ebx + 0x74]

        $sequence_4 = { 8b44240c e9???????? 8bc3 8d4802 668b10 83c002 6685d2 }
            // n = 7, score = 100
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   e9????????           |                     
            //   8bc3                 | mov                 eax, ebx
            //   8d4802               | lea                 ecx, [eax + 2]
            //   668b10               | mov                 dx, word ptr [eax]
            //   83c002               | add                 eax, 2
            //   6685d2               | test                dx, dx

        $sequence_5 = { 1bc0 83d8ff 3bc3 7511 ff7508 ff15???????? 89471c }
            // n = 7, score = 100
            //   1bc0                 | sbb                 eax, eax
            //   83d8ff               | sbb                 eax, -1
            //   3bc3                 | cmp                 eax, ebx
            //   7511                 | jne                 0x13
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   89471c               | mov                 dword ptr [edi + 0x1c], eax

        // NOTE(review): $sequence_6 is the same word-scanning idiom as the tail
        // of $sequence_4 with different registers; both presumably come from one
        // compiler-generated wide-string length loop — treat them as correlated
        // rather than independent evidence when weighing partial matches.
        $sequence_6 = { 741e 8bc3 8d5002 668b08 83c002 6685c9 }
            // n = 6, score = 100
            //   741e                 | je                  0x20
            //   8bc3                 | mov                 eax, ebx
            //   8d5002               | lea                 edx, [eax + 2]
            //   668b08               | mov                 cx, word ptr [eax]
            //   83c002               | add                 eax, 2
            //   6685c9               | test                cx, cx

        $sequence_7 = { 57 8945fc 53 83f8ff 7511 891e }
            // n = 6, score = 100
            //   57                   | push                edi
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   53                   | push                ebx
            //   83f8ff               | cmp                 eax, -1
            //   7511                 | jne                 0x13
            //   891e                 | mov                 dword ptr [esi], ebx

        $sequence_8 = { 23d8 8bf8 f7d7 237dfc 8945ec 0bfb }
            // n = 6, score = 100
            //   23d8                 | and                 ebx, eax
            //   8bf8                 | mov                 edi, eax
            //   f7d7                 | not                 edi
            //   237dfc               | and                 edi, dword ptr [ebp - 4]
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   0bfb                 | or                  edi, ebx

        $sequence_9 = { 49 743d 49 742a 49 7417 49 }
            // n = 7, score = 100
            //   49                   | dec                 ecx
            //   743d                 | je                  0x3f
            //   49                   | dec                 ecx
            //   742a                 | je                  0x2c
            //   49                   | dec                 ecx
            //   7417                 | je                  0x19
            //   49                   | dec                 ecx

    // Fires when any 7 of the 10 sequences are present and the scanned file is
    // smaller than 507904 bytes (496 KiB). The size bound is derived from the
    // documented sample(s); larger builds, or dumps that include extra mapped
    // data, fall outside it and will not match even if the code is present.
    condition:
        7 of them and filesize < 507904
}
[TLP:WHITE] win_jripbot_w0   (20180301 | No description)
// Hand-curated string rule for JripBot (Malpedia id win.jripbot), referencing
// the Kaspersky "Wild Neutron" write-up. Unlike win_jripbot_auto it keys on
// printable strings rather than code, so it can be applied to on-disk
// samples — provided the strings are not obscured by packing.
rule win_jripbot_w0 {
	meta:
		author = "Florian Roth"
		reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jripbot"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
	// The trailing /* score */ and /* PEStudio Blacklist */ comments carry the
	// generator's per-string weighting; they are informational only and play no
	// part in matching. "wide" strings are UTF-16LE, "ascii" strings are 8-bit.
	//
	// NOTE(review): $s1, $s8, $s9, $s37 and $s39 look like X.509 OID / extension
	// names of an embedded TLS library rather than family-specific artefacts,
	// and $s38 is an OS version label — such strings may also appear in benign
	// binaries that link the same library. The "all of them" condition keeps
	// false positives low, but it also means a build that drops or changes any
	// single string (e.g. the "LiveUpdater.exe" filename in $s0) will not match.
	// Verify against current samples before relying on this rule alone.
	strings:
		$s0 = "LiveUpdater.exe" fullword wide /* PEStudio Blacklist: strings */ /* score: '25.00' */
		$s1 = "id-at-postalAddress" fullword ascii /* PEStudio Blacklist: strings */ /* score: '18.00' */
		$s2 = "%d -> %d (default)" fullword wide /* PEStudio Blacklist: strings */ /* score: '17.00' */
		$s3 = "%s%s%s=%d,%s=%d,%s=%d," fullword wide /* score: '15.00' */
		$s8 = "id-ce-keyUsage" fullword ascii /* score: '12.00' */
		$s9 = "Key Usage" fullword ascii /* score: '12.00' */
		$s32 = "UPDATE_ID" fullword wide /* PEStudio Blacklist: strings */ /* score: '9.00' */
		$s37 = "id-at-commonName" fullword ascii /* score: '8.00' */
		$s38 = "2008R2" fullword wide /* PEStudio Blacklist: os */ /* score: '8.00' */
		$s39 = "RSA-alt" fullword ascii /* PEStudio Blacklist: strings */ /* score: '8.00' */
		$s40 = "%02d.%04d.%s" fullword wide /* score: '7.02' */
	// All eleven strings must be present; there is no filesize bound.
	condition:
		all of them
}