win.kgh_spy

KGH_SPY


There is no description at this point.

References
2021-07-14 — Microstep Online Research Response Center — author: Microstep Online Research Response Center
@online{center:20210714:old:d9d32d2, author = {Microstep Online Research Response Center}, title = {{Old trees and new flowers: Analysis of the new version of KGH spy components used by Kimsuky}}, date = {2021-07-14}, organization = {Microstep Online Research Response Center}, url = {https://mp.weixin.qq.com/s/cbaePmZSk_Ob0r486RMXyw}, language = {Chinese}, urldate = {2021-07-20} } Old trees and new flowers: Analysis of the new version of KGH spy components used by Kimsuky
KGH_SPY
2020-11-02 — Cybereason — authors: Assaf Dahan, Lior Rochberger, Daniel Frank, Tom Fakterman
@online{dahan:20201102:back:64a6991, author = {Assaf Dahan and Lior Rochberger and Daniel Frank and Tom Fakterman}, title = {{Back to the Future: Inside the Kimsuky KGH Spyware Suite}}, date = {2020-11-02}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite}, language = {English}, urldate = {2020-11-02} } Back to the Future: Inside the Kimsuky KGH Spyware Suite
BabyShark GoldDragon KGH_SPY Kimsuky
Yara Rules
[TLP:WHITE] win_kgh_spy_auto (20230125 | Detects win.kgh_spy.)
rule win_kgh_spy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.kgh_spy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kgh_spy"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): every sequence below carries a REX prefix (0x48 / 0x4c / 0x44),
     * so these are x86-64 instruction sequences and the rule targets the 64-bit
     * build of the component. The per-byte annotations have been re-decoded with a
     * 64-bit decoder: the generator's original comments decoded each REX byte as
     * a 32-bit `dec eax`, which shifted every annotation off its instruction.
     * `??` bytes are YARA wildcards masking relocation-dependent displacements
     * (call rel32, call/movzx [rip+disp32], jmp rel32), so the sequences survive
     * a rebuild that only moves the imports / data section.
     * Because the strings come from unpacked code, the rule is meant to be run
     * against unpacked files or memory dumps, not packed droppers on disk.
     */

    strings:
        $sequence_0 = { 03442478 488b4c2428 8901 eb2a }
            // n = 4, score = 100
            //   03442478             | add                 eax, dword ptr [rsp + 0x78]
            //   488b4c2428           | mov                 rcx, qword ptr [rsp + 0x28]
            //   8901                 | mov                 dword ptr [rcx], eax
            //   eb2a                 | jmp                 short +0x2a

        $sequence_1 = { 75e1 488b8c2490000000 48c744243800000000 48c744243000000000 89442428 488d8424a0030000 4889442420 }
            // n = 7, score = 100
            //   75e1                 | jne                 short -0x1f
            //   488b8c2490000000     | mov                 rcx, qword ptr [rsp + 0x90]
            //   48c744243800000000     | mov    qword ptr [rsp + 0x38], 0
            //   48c744243000000000     | mov    qword ptr [rsp + 0x30], 0
            //   89442428             | mov                 dword ptr [rsp + 0x28], eax
            //   488d8424a0030000     | lea                 rax, [rsp + 0x3a0]
            //   4889442420           | mov                 qword ptr [rsp + 0x20], rax
            // Stack-argument setup: [rsp+0x20..0x38] are the 5th..8th arguments of
            // an x64 call that follows this sequence (outside the matched bytes).

        $sequence_2 = { 488bd0 488b4c2468 e8???????? 85c0 750e }
            // n = 5, score = 100
            //   488bd0               | mov                 rdx, rax
            //   488b4c2468           | mov                 rcx, qword ptr [rsp + 0x68]
            //   e8????????           | call                rel32 (wildcarded)
            //   85c0                 | test                eax, eax
            //   750e                 | jne                 short +0xe

        $sequence_3 = { 33c0 b904010000 f3aa 488d058a320100 488bf8 }
            // n = 5, score = 100
            //   33c0                 | xor                 eax, eax
            //   b904010000           | mov                 ecx, 0x104
            //   f3aa                 | rep stosb           byte ptr [rdi], al
            //   488d058a320100       | lea                 rax, [rip + 0x1328a]
            //   488bf8               | mov                 rdi, rax
            // Zeroes 0x104 bytes at rdi; 0x104 == 260 == MAX_PATH, so this is
            // presumably a path buffer being cleared — confirm against the sample.

        $sequence_4 = { 488b8c24b0000000 ff15???????? 488b8c24b8000000 ff15???????? 488b8c24f0230000 ff15???????? }
            // n = 6, score = 100
            //   488b8c24b0000000     | mov                 rcx, qword ptr [rsp + 0xb0]
            //   ff15????????         | call                qword ptr [rip + disp32] (wildcarded)
            //   488b8c24b8000000     | mov                 rcx, qword ptr [rsp + 0xb8]
            //   ff15????????         | call                qword ptr [rip + disp32] (wildcarded)
            //   488b8c24f0230000     | mov                 rcx, qword ptr [rsp + 0x23f0]
            //   ff15????????         | call                qword ptr [rip + disp32] (wildcarded)
            // Three single-argument indirect calls through RIP-relative pointers;
            // in an x64 PE this shape usually means import (IAT) calls, each taking
            // a handle-like value loaded from the stack — likely cleanup/close calls.

        $sequence_5 = { 4889442420 4c8b4c2420 4c8b442448 ba04000000 488b4c2440 }
            // n = 5, score = 100
            //   4889442420           | mov                 qword ptr [rsp + 0x20], rax
            //   4c8b4c2420           | mov                 r9, qword ptr [rsp + 0x20]
            //   4c8b442448           | mov                 r8, qword ptr [rsp + 0x48]
            //   ba04000000           | mov                 edx, 4
            //   488b4c2440           | mov                 rcx, qword ptr [rsp + 0x40]
            // x64 fastcall argument load (rcx, edx=4, r8, r9) ahead of a call that
            // lies outside the matched bytes.

        $sequence_6 = { 4885c0 7509 488d0577bd0000 eb04 4883c014 }
            // n = 5, score = 100
            //   4885c0               | test                rax, rax
            //   7509                 | jne                 short +0x9
            //   488d0577bd0000       | lea                 rax, [rip + 0xbd77]
            //   eb04                 | jmp                 short +0x4
            //   4883c014             | add                 rax, 0x14
            // NULL-check with a fallback: if rax is NULL, substitute a static
            // address; otherwise advance rax by 0x14 (20) bytes.

        $sequence_7 = { 89442428 488d8424300e0000 4889442420 448bc9 4c8d8424300a0000 }
            // n = 5, score = 100
            //   89442428             | mov                 dword ptr [rsp + 0x28], eax
            //   488d8424300e0000     | lea                 rax, [rsp + 0xe30]
            //   4889442420           | mov                 qword ptr [rsp + 0x20], rax
            //   448bc9               | mov                 r9d, ecx
            //   4c8d8424300a0000     | lea                 r8, [rsp + 0xa30]
            // Passes two large stack buffers (at rsp+0xa30 and rsp+0xe30) as
            // arguments; the enclosing frame is therefore several KiB.

        $sequence_8 = { 488d8c2460010000 ff15???????? 0fb605???????? 888424a0030000 488d8424a1030000 488bf8 33c0 }
            // n = 7, score = 100
            //   488d8c2460010000     | lea                 rcx, [rsp + 0x160]
            //   ff15????????         | call                qword ptr [rip + disp32] (wildcarded)
            //   0fb605????????       | movzx               eax, byte ptr [rip + disp32] (wildcarded)
            //   888424a0030000       | mov                 byte ptr [rsp + 0x3a0], al
            //   488d8424a1030000     | lea                 rax, [rsp + 0x3a1]
            //   488bf8               | mov                 rdi, rax
            //   33c0                 | xor                 eax, eax
            // Copies one global byte into a stack buffer and points rdi one past
            // it with eax zeroed — the setup for a `rep stosb` that clears the
            // remainder of the buffer (the stos itself is outside the sequence).

        $sequence_9 = { c744242000000000 e9???????? 488b442470 48634018 488b4c2470 488b4910 488b542448 }
            // n = 7, score = 100
            //   c744242000000000     | mov                 dword ptr [rsp + 0x20], 0
            //   e9????????           | jmp                 rel32 (wildcarded)
            //   488b442470           | mov                 rax, qword ptr [rsp + 0x70]
            //   48634018             | movsxd              rax, dword ptr [rax + 0x18]
            //   488b4c2470           | mov                 rcx, qword ptr [rsp + 0x70]
            //   488b4910             | mov                 rcx, qword ptr [rcx + 0x10]
            //   488b542448           | mov                 rdx, qword ptr [rsp + 0x48]
            // Reads a 32-bit field at +0x18 and a pointer at +0x10 of the struct
            // held in [rsp+0x70]; the field layout is not recoverable from here.

    condition:
        // 7 of the 10 sequences must match, so up to three functions may be
        // absent or recompiled without losing detection.
        // NOTE(review): per YARA's documented semantics `filesize` is defined only
        // for file scans; when scanning process memory the comparison is undefined
        // and the rule will not fire. Drop the `filesize` clause (or keep a
        // file-only copy) if this rule is applied to live processes.
        7 of them and filesize < 207872
}