SYMBOLCOMMON_NAMEaka. SYNONYMS
win.lilith (Back to overview)

Lilith

Actor(s): Tick

There is no description at this point.

References
2019-11-29Trend MicroJoey Chen, Hiroyuki Kakara, Masaoki Shoji
@online{chen:20191129:operation:749d75d, author = {Joey Chen and Hiroyuki Kakara and Masaoki Shoji}, title = {{Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK}}, date = {2019-11-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/}, language = {English}, urldate = {2019-12-17} } Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK
Datper Lilith
2019-09-19GitHub (werkamsus)werkamsus
@online{werkamsus:20190919:lilith:686f3cb, author = {werkamsus}, title = {{Lilith}}, date = {2019-09-19}, organization = {GitHub (werkamsus)}, url = {https://github.com/werkamsus/Lilith}, language = {English}, urldate = {2021-02-24} } Lilith
Lilith
Yara Rules
[TLP:WHITE] win_lilith_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_lilith_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lilith"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c7471407000000 c7471000000000 668907 663903 7415 8bc3 8d5002 }
            // n = 7, score = 200
            //   c7471407000000       | mov                 dword ptr [edi + 0x14], 7
            //   c7471000000000       | mov                 dword ptr [edi + 0x10], 0
            //   668907               | mov                 word ptr [edi], ax
            //   663903               | cmp                 word ptr [ebx], ax
            //   7415                 | je                  0x17
            //   8bc3                 | mov                 eax, ebx
            //   8d5002               | lea                 edx, [eax + 2]

        $sequence_1 = { e8???????? 8b404c 83b8a800000000 7512 8b04bda84b4300 807c302900 7504 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8b404c               | mov                 eax, dword ptr [eax + 0x4c]
            //   83b8a800000000       | cmp                 dword ptr [eax + 0xa8], 0
            //   7512                 | jne                 0x14
            //   8b04bda84b4300       | mov                 eax, dword ptr [edi*4 + 0x434ba8]
            //   807c302900           | cmp                 byte ptr [eax + esi + 0x29], 0
            //   7504                 | jne                 6

        $sequence_2 = { e8???????? 83f8ff 7411 8b5518 8bce 42 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   83f8ff               | cmp                 eax, -1
            //   7411                 | je                  0x13
            //   8b5518               | mov                 edx, dword ptr [ebp + 0x18]
            //   8bce                 | mov                 ecx, esi
            //   42                   | inc                 edx

        $sequence_3 = { 8bce c605????????00 e8???????? eb31 8d4508 }
            // n = 5, score = 200
            //   8bce                 | mov                 ecx, esi
            //   c605????????00       |                     
            //   e8????????           |                     
            //   eb31                 | jmp                 0x33
            //   8d4508               | lea                 eax, [ebp + 8]

        $sequence_4 = { 8d5e08 c7460400000000 50 8d7e04 c70300000000 }
            // n = 5, score = 200
            //   8d5e08               | lea                 ebx, [esi + 8]
            //   c7460400000000       | mov                 dword ptr [esi + 4], 0
            //   50                   | push                eax
            //   8d7e04               | lea                 edi, [esi + 4]
            //   c70300000000         | mov                 dword ptr [ebx], 0

        $sequence_5 = { 8d7e90 8b4004 c744309048ef4200 8b07 8b4804 8d4190 }
            // n = 6, score = 200
            //   8d7e90               | lea                 edi, [esi - 0x70]
            //   8b4004               | mov                 eax, dword ptr [eax + 4]
            //   c744309048ef4200     | mov                 dword ptr [eax + esi - 0x70], 0x42ef48
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   8d4190               | lea                 eax, [ecx - 0x70]

        $sequence_6 = { 8b8540ffffff 6a00 6a00 6a00 ff7008 }
            // n = 5, score = 200
            //   8b8540ffffff         | mov                 eax, dword ptr [ebp - 0xc0]
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff7008               | push                dword ptr [eax + 8]

        $sequence_7 = { 0f434d08 51 8b4d18 83c102 51 53 e8???????? }
            // n = 7, score = 200
            //   0f434d08             | cmovae              ecx, dword ptr [ebp + 8]
            //   51                   | push                ecx
            //   8b4d18               | mov                 ecx, dword ptr [ebp + 0x18]
            //   83c102               | add                 ecx, 2
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   e8????????           |                     

        $sequence_8 = { 8b0485a84b4300 0fb6440828 83e040 5d }
            // n = 4, score = 200
            //   8b0485a84b4300       | mov                 eax, dword ptr [eax*4 + 0x434ba8]
            //   0fb6440828           | movzx               eax, byte ptr [eax + ecx + 0x28]
            //   83e040               | and                 eax, 0x40
            //   5d                   | pop                 ebp

        $sequence_9 = { 8d4508 03c6 50 ffb790210000 ffd3 83f8ff }
            // n = 6, score = 200
            //   8d4508               | lea                 eax, [ebp + 8]
            //   03c6                 | add                 eax, esi
            //   50                   | push                eax
            //   ffb790210000         | push                dword ptr [edi + 0x2190]
            //   ffd3                 | call                ebx
            //   83f8ff               | cmp                 eax, -1

    condition:
        7 of them and filesize < 499712
}
Download all Yara Rules