SYMBOLCOMMON_NAMEaka. SYNONYMS
win.kgh_spy (Back to overview)

KGH_SPY

There is no description at this point.

References
2021-07-14Microstep Online Research Response CenterMicrostep Online Research Response Center
@online{center:20210714:old:d9d32d2, author = {Microstep Online Research Response Center}, title = {{Old trees and new flowers: Analysis of the new version of KGH spy components used by Kimsuky}}, date = {2021-07-14}, organization = {Microstep Online Research Response Center}, url = {https://mp.weixin.qq.com/s/cbaePmZSk_Ob0r486RMXyw}, language = {Chinese}, urldate = {2021-07-20} } Old trees and new flowers: Analysis of the new version of KGH spy components used by Kimsuky
KGH_SPY
2020-11-02CybereasonAssaf Dahan, Lior Rochberger, Daniel Frank, Tom Fakterman
@online{dahan:20201102:back:64a6991, author = {Assaf Dahan and Lior Rochberger and Daniel Frank and Tom Fakterman}, title = {{Back to the Future: Inside the Kimsuky KGH Spyware Suite}}, date = {2020-11-02}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite}, language = {English}, urldate = {2020-11-02} } Back to the Future: Inside the Kimsuky KGH Spyware Suite
BabyShark GoldDragon KGH_SPY Kimsuky
Yara Rules
[TLP:WHITE] win_kgh_spy_auto (20230808 | Detects win.kgh_spy.)
rule win_kgh_spy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.kgh_spy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kgh_spy"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488b442428 8b4c2430 894808 e9???????? 4883c458 5f }
            // n = 6, score = 100
            //   488b442428           | jne                 0x196
            //   8b4c2430             | xor                 al, al
            //   894808               | dec                 eax
            //   e9????????           |                     
            //   4883c458             | mov                 dword ptr [esp + 0x30], 0
            //   5f                   | movzx               eax, al

        $sequence_1 = { 75e2 488b842498000000 89442460 8b442468 8b4c2460 488b542470 4803d1 }
            // n = 7, score = 100
            //   75e2                 | dec                 eax
            //   488b842498000000     | add                 ecx, eax
            //   89442460             | dec                 eax
            //   8b442468             | lea                 eax, [0x7cea]
            //   8b4c2460             | inc                 esp
            //   488b542470           | movzx               ecx, byte ptr [ecx + eax]
            //   4803d1               | inc                 ecx

        $sequence_2 = { 488d8c24b0000000 ff15???????? 85c0 0f8547010000 0fb705???????? }
            // n = 5, score = 100
            //   488d8c24b0000000     | dec                 eax
            //   ff15????????         |                     
            //   85c0                 | sub                 esp, 0x48
            //   0f8547010000         | dec                 eax
            //   0fb705????????       |                     

        $sequence_3 = { 488d8424300a0000 4889842488000000 48c7442450ffffffff 48ff442450 }
            // n = 4, score = 100
            //   488d8424300a0000     | dec                 eax
            //   4889842488000000     | mov                 eax, dword ptr [esp + 0xc0]
            //   48c7442450ffffffff     | dec    eax
            //   48ff442450           | lea                 eax, [esp + eax + 0x180]

        $sequence_4 = { 488b4c2468 803c0800 75e8 488b442468 488d8c24c0000000 48898c2498000000 48c7442470ffffffff }
            // n = 7, score = 100
            //   488b4c2468           | test                eax, eax
            //   803c0800             | jne                 0x48d
            //   75e8                 | xor                 al, al
            //   488b442468           | dec                 eax
            //   488d8c24c0000000     | xor                 eax, esp
            //   48898c2498000000     | dec                 eax
            //   48c7442470ffffffff     | mov    dword ptr [esp + 0x58], eax

        $sequence_5 = { f3aa 488d4c2428 ff15???????? 0fb7442428 83f809 740a 0fb7442428 }
            // n = 7, score = 100
            //   f3aa                 | movsx               eax, bh
            //   488d4c2428           | inc                 edx
            //   ff15????????         |                     
            //   0fb7442428           | movzx               ecx, byte ptr [eax + ecx + 0xe400]
            //   83f809               | test                edx, edx
            //   740a                 | js                  0xb20
            //   0fb7442428           | inc                 ecx

        $sequence_6 = { 488d8424f0030000 488bf8 33c0 b908020000 f3aa 4c8d0df7e30000 }
            // n = 6, score = 100
            //   488d8424f0030000     | lea                 eax, [0x1316d]
            //   488bf8               | dec                 eax
            //   33c0                 | mov                 edi, eax
            //   b908020000           | dec                 eax
            //   f3aa                 | cmp                 dword ptr [esp + 0xa0], -1
            //   4c8d0df7e30000       | jne                 0x9cc

        $sequence_7 = { 4885c0 7403 f0ff00 488d4128 41b806000000 488d15b4a30000 483950f0 }
            // n = 7, score = 100
            //   4885c0               | dec                 eax
            //   7403                 | add                 eax, ecx
            //   f0ff00               | dec                 eax
            //   488d4128             | mov                 dword ptr [esp + 0x58], eax
            //   41b806000000         | dec                 eax
            //   488d15b4a30000       | mov                 eax, dword ptr [esp + 0x58]
            //   483950f0             | mov                 eax, dword ptr [eax]

        $sequence_8 = { 8bc8 e8???????? 48898424d8000000 48c744242000000000 4c8d8c2470010000 448b442468 }
            // n = 6, score = 100
            //   8bc8                 | jne                 0x394
            //   e8????????           |                     
            //   48898424d8000000     | jmp                 0x396
            //   48c744242000000000     | dec    eax
            //   4c8d8c2470010000     | mov                 eax, ecx
            //   448b442468           | dec                 eax

        $sequence_9 = { 488d1dddab0000 483bcb 740c e8???????? }
            // n = 4, score = 100
            //   488d1dddab0000       | inc                 ecx
            //   483bcb               | mov                 ebx, 0x200
            //   740c                 | dec                 esp
            //   e8????????           |                     

    condition:
        7 of them and filesize < 207872
}
Download all Yara Rules