Actor(s): Mirage
Intezer found this family mid May 2020, which appears to be a merger of the family Ketrican and Okrum.
rule win_ketrum_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-07-11" version = "1" description = "Detects win.ketrum." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ketrum" malpedia_rule_date = "20230705" malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41" malpedia_version = "20230715" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 57 33ff ffb760314200 ff15???????? 898760314200 83c704 } // n = 6, score = 200 // 57 | push edi // 33ff | xor edi, edi // ffb760314200 | push dword ptr [edi + 0x423160] // ff15???????? | // 898760314200 | mov dword ptr [edi + 0x423160], eax // 83c704 | add edi, 4 $sequence_1 = { 03f2 f7d7 0bfe 33fa 037df0 8dbc0fa111084e c1cf0b } // n = 7, score = 200 // 03f2 | add esi, edx // f7d7 | not edi // 0bfe | or edi, esi // 33fa | xor edi, edx // 037df0 | add edi, dword ptr [ebp - 0x10] // 8dbc0fa111084e | lea edi, [edi + ecx + 0x4e0811a1] // c1cf0b | ror edi, 0xb $sequence_2 = { ffb5f0bfffff ff15???????? ffb5f0bfffff ff15???????? ffb5e4bfffff ffb5f4bfffff } // n = 6, score = 200 // ffb5f0bfffff | push dword ptr [ebp - 0x4010] // ff15???????? | // ffb5f0bfffff | push dword ptr [ebp - 0x4010] // ff15???????? | // ffb5e4bfffff | push dword ptr [ebp - 0x401c] // ffb5f4bfffff | push dword ptr [ebp - 0x400c] $sequence_3 = { 59 85c0 744d b9???????? 8bc1 } // n = 5, score = 200 // 59 | pop ecx // 85c0 | test eax, eax // 744d | je 0x4f // b9???????? | // 8bc1 | mov eax, ecx $sequence_4 = { ebcb 8b4de0 8b01 8b4004 03c1 } // n = 5, score = 200 // ebcb | jmp 0xffffffcd // 8b4de0 | mov ecx, dword ptr [ebp - 0x20] // 8b01 | mov eax, dword ptr [ecx] // 8b4004 | mov eax, dword ptr [eax + 4] // 03c1 | add eax, ecx $sequence_5 = { 50 e8???????? 83c448 ffb5f0cbffff e8???????? } // n = 5, score = 200 // 50 | push eax // e8???????? | // 83c448 | add esp, 0x48 // ffb5f0cbffff | push dword ptr [ebp - 0x3410] // e8???????? | $sequence_6 = { 56 33db 8d85fcfbffff 53 50 e8???????? } // n = 6, score = 200 // 56 | push esi // 33db | xor ebx, ebx // 8d85fcfbffff | lea eax, [ebp - 0x404] // 53 | push ebx // 50 | push eax // e8???????? | $sequence_7 = { b9???????? 8995e8cbffff 3bc6 7321 898de8cbffff 898df4cbffff 3935???????? } // n = 7, score = 200 // b9???????? | // 8995e8cbffff | mov dword ptr [ebp - 0x3418], edx // 3bc6 | cmp eax, esi // 7321 | jae 0x23 // 898de8cbffff | mov dword ptr [ebp - 0x3418], ecx // 898df4cbffff | mov dword ptr [ebp - 0x340c], ecx // 3935???????? | $sequence_8 = { 8b4004 8bd1 c1ea03 8d549a04 } // n = 4, score = 100 // 8b4004 | mov eax, dword ptr [eax + 4] // 8bd1 | mov edx, ecx // c1ea03 | shr edx, 3 // 8d549a04 | lea edx, [edx + ebx*4 + 4] $sequence_9 = { 720a b857000780 e8???????? 8b4e14 } // n = 4, score = 100 // 720a | jb 0xc // b857000780 | mov eax, 0x80070057 // e8???????? | // 8b4e14 | mov ecx, dword ptr [esi + 0x14] $sequence_10 = { 57 c785d4eeffff01000000 ff15???????? c68533efffff00 89b520efffff 8b8520efffff } // n = 6, score = 100 // 57 | push edi // c785d4eeffff01000000 | mov dword ptr [ebp - 0x112c], 1 // ff15???????? | // c68533efffff00 | mov byte ptr [ebp - 0x10cd], 0 // 89b520efffff | mov dword ptr [ebp - 0x10e0], esi // 8b8520efffff | mov eax, dword ptr [ebp - 0x10e0] $sequence_11 = { 50 6a26 ffb538efffff ff15???????? 85c0 } // n = 5, score = 100 // 50 | push eax // 6a26 | push 0x26 // ffb538efffff | push dword ptr [ebp - 0x10c8] // ff15???????? | // 85c0 | test eax, eax $sequence_12 = { eb0d 8b75bc 8bcf e8???????? 83c71c 3b7da8 } // n = 6, score = 100 // eb0d | jmp 0xf // 8b75bc | mov esi, dword ptr [ebp - 0x44] // 8bcf | mov ecx, edi // e8???????? | // 83c71c | add edi, 0x1c // 3b7da8 | cmp edi, dword ptr [ebp - 0x58] $sequence_13 = { 50 e8???????? 59 85c0 753b ff750c } // n = 6, score = 100 // 50 | push eax // e8???????? | // 59 | pop ecx // 85c0 | test eax, eax // 753b | jne 0x3d // ff750c | push dword ptr [ebp + 0xc] $sequence_14 = { e8???????? 83a7c801000000 b830750000 8987d0010000 8987d4010000 c787cc01000060ea0000 } // n = 6, score = 100 // e8???????? | // 83a7c801000000 | and dword ptr [edi + 0x1c8], 0 // b830750000 | mov eax, 0x7530 // 8987d0010000 | mov dword ptr [edi + 0x1d0], eax // 8987d4010000 | mov dword ptr [edi + 0x1d4], eax // c787cc01000060ea0000 | mov dword ptr [edi + 0x1cc], 0xea60 $sequence_15 = { 663b16 730e c70308000000 eb0f 668b06 668907 } // n = 6, score = 100 // 663b16 | cmp dx, word ptr [esi] // 730e | jae 0x10 // c70308000000 | mov dword ptr [ebx], 8 // eb0f | jmp 0x11 // 668b06 | mov ax, word ptr [esi] // 668907 | mov word ptr [edi], ax condition: 7 of them and filesize < 4599808 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY