SYMBOLCOMMON_NAMEaka. SYNONYMS
win.jripbot (Back to overview)

JripBot

Actor(s): WildNeutron


There is no description at this point.

References
2016-09-07Virus BulletinBrian Bartholomew, Juan Andrés Guerrero-Saade
@techreport{bartholomew:20160907:wave:96e9f50, author = {Brian Bartholomew and Juan Andrés Guerrero-Saade}, title = {{Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks}}, date = {2016-09-07}, institution = {Virus Bulletin}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf}, language = {English}, urldate = {2020-03-13} } Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks
DuQu JripBot Sinowal Stuxnet Wipbot
2015-07-08Kaspersky LabsGReAT
@online{great:20150708:wild:4e853a7, author = {GReAT}, title = {{Wild Neutron – Economic espionage threat actor returns with new tricks}}, date = {2015-07-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/}, language = {English}, urldate = {2019-12-20} } Wild Neutron – Economic espionage threat actor returns with new tricks
JripBot
Yara Rules
[TLP:WHITE] win_jripbot_auto (20220411 | Detects win.jripbot.)
rule win_jripbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.jripbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jripbot"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bec 51 8b83ac000000 56 57 bf00420000 85c0 }
            // n = 7, score = 100
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   8b83ac000000         | mov                 eax, dword ptr [ebx + 0xac]
            //   56                   | push                esi
            //   57                   | push                edi
            //   bf00420000           | mov                 edi, 0x4200
            //   85c0                 | test                eax, eax

        $sequence_1 = { 8b7f10 83ff05 7405 83ff07 75e1 c786a800000001000000 ebbb }
            // n = 7, score = 100
            //   8b7f10               | mov                 edi, dword ptr [edi + 0x10]
            //   83ff05               | cmp                 edi, 5
            //   7405                 | je                  7
            //   83ff07               | cmp                 edi, 7
            //   75e1                 | jne                 0xffffffe3
            //   c786a800000001000000     | mov    dword ptr [esi + 0xa8], 1
            //   ebbb                 | jmp                 0xffffffbd

        $sequence_2 = { 53 53 6800000040 8d842448010000 50 ffd6 8bf8 }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   6800000040           | push                0x40000000
            //   8d842448010000       | lea                 eax, dword ptr [esp + 0x148]
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   8bf8                 | mov                 edi, eax

        $sequence_3 = { c1e905 53 8d4608 33d2 57 894604 894d0c }
            // n = 7, score = 100
            //   c1e905               | shr                 ecx, 5
            //   53                   | push                ebx
            //   8d4608               | lea                 eax, dword ptr [esi + 8]
            //   33d2                 | xor                 edx, edx
            //   57                   | push                edi
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   894d0c               | mov                 dword ptr [ebp + 0xc], ecx

        $sequence_4 = { e9???????? 83fa02 0f85de020000 8365b800 8b770c }
            // n = 5, score = 100
            //   e9????????           |                     
            //   83fa02               | cmp                 edx, 2
            //   0f85de020000         | jne                 0x2e4
            //   8365b800             | and                 dword ptr [ebp - 0x48], 0
            //   8b770c               | mov                 esi, dword ptr [edi + 0xc]

        $sequence_5 = { 8b9574ffffff c1c70e c1ca07 33fa 8b9574ffffff 8b5da8 c1ea03 }
            // n = 7, score = 100
            //   8b9574ffffff         | mov                 edx, dword ptr [ebp - 0x8c]
            //   c1c70e               | rol                 edi, 0xe
            //   c1ca07               | ror                 edx, 7
            //   33fa                 | xor                 edi, edx
            //   8b9574ffffff         | mov                 edx, dword ptr [ebp - 0x8c]
            //   8b5da8               | mov                 ebx, dword ptr [ebp - 0x58]
            //   c1ea03               | shr                 edx, 3

        $sequence_6 = { 50 ff15???????? e9???????? 8364242800 ff15???????? 8b4c241c 83c105 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   e9????????           |                     
            //   8364242800           | and                 dword ptr [esp + 0x28], 0
            //   ff15????????         |                     
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]
            //   83c105               | add                 ecx, 5

        $sequence_7 = { 8bc7 e8???????? 85c0 755b 2187e0000000 2187e4000000 c7870c01000001000000 }
            // n = 7, score = 100
            //   8bc7                 | mov                 eax, edi
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   755b                 | jne                 0x5d
            //   2187e0000000         | and                 dword ptr [edi + 0xe0], eax
            //   2187e4000000         | and                 dword ptr [edi + 0xe4], eax
            //   c7870c01000001000000     | mov    dword ptr [edi + 0x10c], 1

        $sequence_8 = { c1c70d 33c7 8b7dc4 c1ef0a 035db0 33c7 03c3 }
            // n = 7, score = 100
            //   c1c70d               | rol                 edi, 0xd
            //   33c7                 | xor                 eax, edi
            //   8b7dc4               | mov                 edi, dword ptr [ebp - 0x3c]
            //   c1ef0a               | shr                 edi, 0xa
            //   035db0               | add                 ebx, dword ptr [ebp - 0x50]
            //   33c7                 | xor                 eax, edi
            //   03c3                 | add                 eax, ebx

        $sequence_9 = { 40 3acb 75f9 8d4dac 2bc6 51 50 }
            // n = 7, score = 100
            //   40                   | inc                 eax
            //   3acb                 | cmp                 cl, bl
            //   75f9                 | jne                 0xfffffffb
            //   8d4dac               | lea                 ecx, dword ptr [ebp - 0x54]
            //   2bc6                 | sub                 eax, esi
            //   51                   | push                ecx
            //   50                   | push                eax

    condition:
        7 of them and filesize < 507904
}
[TLP:WHITE] win_jripbot_w0   (20180301 | No description)
rule win_jripbot_w0 {
	meta:
		author = "Florian Roth"
		reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jripbot"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
	strings:
		$s0 = "LiveUpdater.exe" fullword wide /* PEStudio Blacklist: strings */ /* score: '25.00' */
		$s1 = "id-at-postalAddress" fullword ascii /* PEStudio Blacklist: strings */ /* score: '18.00' */
		$s2 = "%d -> %d (default)" fullword wide /* PEStudio Blacklist: strings */ /* score: '17.00' */
		$s3 = "%s%s%s=%d,%s=%d,%s=%d," fullword wide /* score: '15.00' */
		$s8 = "id-ce-keyUsage" fullword ascii /* score: '12.00' */
		$s9 = "Key Usage" fullword ascii /* score: '12.00' */
		$s32 = "UPDATE_ID" fullword wide /* PEStudio Blacklist: strings */ /* score: '9.00' */
		$s37 = "id-at-commonName" fullword ascii /* score: '8.00' */
		$s38 = "2008R2" fullword wide /* PEStudio Blacklist: os */ /* score: '8.00' */
		$s39 = "RSA-alt" fullword ascii /* PEStudio Blacklist: strings */ /* score: '8.00' */
		$s40 = "%02d.%04d.%s" fullword wide /* score: '7.02' */
	condition:
		all of them
}
Download all Yara Rules