Manjusaka (Malware Family)

Manjusaka

Cisco Talos compared this RAT to Cobalt Strike and Sliver. Written in Rust.
References

2022-08-19 ⋅ Github (Avast) ⋅ Avast
IOCs for Manjusaka
Manjusaka Manjusaka
2022-08-02 ⋅ Cisco Talos ⋅ Asheer Malhotra, Vitor Ventura
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
Manjusaka Cobalt Strike Manjusaka
Yara Rules

[TLP:WHITE] win_manjusaka_auto (20230125 | Detects win.manjusaka.)
rule win_manjusaka_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.manjusaka."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.manjusaka"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { f30f7f4f40 f30f7f6f50 f3440f7f4f60 f3440f7f7f70 b980000000 4881eb80000000 488db680000000 }
            // n = 7, score = 100
            //   f30f7f4f40           | lea                 ecx, [edi + 0x398]
            //   f30f7f6f50           | dec                 eax
            //   f3440f7f4f60         | inc                 eax
            //   f3440f7f7f70         | xor                 edx, edx
            //   b980000000           | dec                 esp
            //   4881eb80000000       | lea                 eax, [eax + eax*2]
            //   488db680000000       | dec                 ecx

        $sequence_1 = { e9???????? 4b8b442c28 488b4c2428 48894110 430f10442c18 0f1101 488b4c2420 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   4b8b442c28           | add                 eax, 2
            //   488b4c2428           | dec                 ebp
            //   48894110             | lea                 ebx, [edx + 1]
            //   430f10442c18         | mov                 bl, byte ptr [ecx + eax - 1]
            //   0f1101               | add                 bl, 0xd0
            //   488b4c2420           | cmp                 bl, 0xa

        $sequence_2 = { 89461c 48c70601000000 488d4c2470 e8???????? 90 4881c4f8040000 5b }
            // n = 7, score = 100
            //   89461c               | add                 esp, 0x70
            //   48c70601000000       | inc                 ecx
            //   488d4c2470           | pop                 edi
            //   e8????????           |                     
            //   90                   | inc                 ecx
            //   4881c4f8040000       | pop                 esi
            //   5b                   | inc                 ecx

        $sequence_3 = { e8???????? 41bb01000000 85c0 750f 458d6301 e9???????? 4183fd03 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   41bb01000000         | dec                 esp
            //   85c0                 | lea                 eax, [0x9c259]
            //   750f                 | mov                 dword ptr [ebp - 0x45], edi
            //   458d6301             | inc                 esp
            //   e9????????           |                     
            //   4183fd03             | lea                 esi, [esi + 3]

        $sequence_4 = { 89442470 448d4238 e8???????? 488d45f0 4c897d78 48898588000000 418b4738 }
            // n = 7, score = 100
            //   89442470             | mov                 eax, esi
            //   448d4238             | neg                 eax
            //   e8????????           |                     
            //   488d45f0             | cmovs               eax, esi
            //   4c897d78             | cmp                 eax, ecx
            //   48898588000000       | jns                 0x15d
            //   418b4738             | inc                 esp

        $sequence_5 = { 660fefcb 0f57d2 f30f10d1 660f3a4415????????10 660f3a0ed0fc 48b8410671db01000000 66480f6ec0 }
            // n = 7, score = 100
            //   660fefcb             | dec                 eax
            //   0f57d2               | lea                 ebp, [edx + 0x80]
            //   f30f10d1             | movdqa              xmmword ptr [esp + 0x30], xmm7
            //   660f3a4415????????10     |     
            //   660f3a0ed0fc         | movaps              xmmword ptr [esp + 0x40], xmm6
            //   48b8410671db01000000     | dec    eax
            //   66480f6ec0           | lea                 ecx, [ebp + 0xd50]

        $sequence_6 = { 742c 48895820 4c8d0dd3e4e6ff 393b 0f84ac0d0000 488b4308 488b56a8 }
            // n = 7, score = 100
            //   742c                 | dec                 eax
            //   48895820             | lea                 edx, [eax + ecx*8]
            //   4c8d0dd3e4e6ff       | dec                 eax
            //   393b                 | add                 esp, 0x28
            //   0f84ac0d0000         | ret                 
            //   488b4308             | jb                  0xea
            //   488b56a8             | dec                 eax

        $sequence_7 = { e8???????? eb21 498bcc e8???????? eb05 bb07000000 4533e4 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   eb21                 | mov                 ebx, eax
            //   498bcc               | dec                 eax
            //   e8????????           |                     
            //   eb05                 | mov                 dword ptr [esp + 0x48], esi
            //   bb07000000           | dec                 eax
            //   4533e4               | add                 ebx, 0x4a000

        $sequence_8 = { f7400400010000 750c ffc9 4983e820 4883ea01 79e8 85c9 }
            // n = 7, score = 100
            //   f7400400010000       | jne                 0x63a
            //   750c                 | movzx               ecx, word ptr [eax]
            //   ffc9                 | cmp                 ecx, 0x2e2e
            //   4983e820             | dec                 eax
            //   4883ea01             | test                eax, eax
            //   79e8                 | je                  0xeb6
            //   85c9                 | dec                 eax

        $sequence_9 = { f7404000020000 7513 418d7001 c6430144 83c8ff 89742434 66894330 }
            // n = 7, score = 100
            //   f7404000020000       | lea                 eax, [0xfffef3a7]
            //   7513                 | dec                 eax
            //   418d7001             | mov                 dword ptr [edi], eax
            //   c6430144             | dec                 eax
            //   83c8ff               | lea                 eax, [0xfffef39d]
            //   89742434             | dec                 eax
            //   66894330             | test                eax, eax

    condition:
        7 of them and filesize < 4772864
}
Download all Yara Rules
Manjusaka Propose Change

References

Yara Rules

Manjusaka
