win.manjusaka

Manjusaka


Cisco Talos compared this RAT to Cobalt Strike and Sliver. It is written in Rust.

References
2022-08-19Github (Avast)Avast
@online{avast:20220819:iocs:bc5a832, author = {Avast}, title = {{IOCs for Manjusaka}}, date = {2022-08-19}, organization = {Github (Avast)}, url = {https://github.com/avast/ioc/tree/master/Manjusaka}, language = {English}, urldate = {2022-08-22} } IOCs for Manjusaka
Manjusaka Manjusaka
2022-08-02Cisco TalosAsheer Malhotra, Vitor Ventura
@online{malhotra:20220802:manjusaka:706c14a, author = {Asheer Malhotra and Vitor Ventura}, title = {{Manjusaka: A Chinese sibling of Sliver and Cobalt Strike}}, date = {2022-08-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html}, language = {English}, urldate = {2022-08-02} } Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
Manjusaka Cobalt Strike Manjusaka
Yara Rules
[TLP:WHITE] win_manjusaka_auto (20230715 | Detects win.manjusaka.)
rule win_manjusaka_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.manjusaka."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.manjusaka"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the mnemonic annotations next to each byte sequence below
     * appear to be a 32-bit decode of 64-bit code (e.g. every 0x48-prefixed
     * instruction is shown as "dec eax", which is what a REX.W prefix looks
     * like when decoded as 32-bit), so they do not describe what the bytes
     * actually execute. Treat the hex byte sequences, not the mnemonics, as
     * the authoritative content of each string. The "??" bytes mask the
     * rel32 operands of e8 (call) / e9 (jmp) so that address-dependent
     * targets do not break the match across builds.
     */

    strings:
        $sequence_0 = { 7e14 488b8e88000000 488d1440 6683e32e 66895cd1ea 8bc5 488b5c2450 }
            // n = 7, score = 100
            //   7e14                 | mov                 ebp, ecx
            //   488b8e88000000       | dec                 eax
            //   488d1440             | mov                 dword ptr [esp + 0x20], eax
            //   6683e32e             | dec                 ecx
            //   66895cd1ea           | mov                 edi, ecx
            //   8bc5                 | mov                 dl, 0x7f
            //   488b5c2450           | dec                 esp

        $sequence_1 = { c3 488d05b4121b00 4889442420 488d0d70121b00 4c8d0db9051900 4c8d442430 ba37000000 }
            // n = 7, score = 100
            //   c3                   | xor                 edx, edx
            //   488d05b4121b00       | dec                 eax
            //   4889442420           | cmp                 dword ptr [edi + 0x38], 0
            //   488d0d70121b00       | je                  0x671
            //   4c8d0db9051900       | je                  0x673
            //   4c8d442430           | dec                 esp
            //   ba37000000           | mov                 eax, dword ptr [edi + 0x20]

        $sequence_2 = { 49894608 e9???????? 31c9 4885c9 488d2d3cf21300 480f45e9 480f44f1 }
            // n = 7, score = 100
            //   49894608             | cmp                 dword ptr [edi + 0x48], ebp
            //   e9????????           |                     
            //   31c9                 | jne                 0x3b4
            //   4885c9               | dec                 eax
            //   488d2d3cf21300       | mov                 edi, dword ptr [edi + 0x10]
            //   480f45e9             | dec                 eax
            //   480f44f1             | test                edi, edi

        $sequence_3 = { ffc3 498d4e50 e8???????? 4839d0 7426 4889c1 4989d7 }
            // n = 7, score = 100
            //   ffc3                 | mov                 byte ptr [eax + 0xb], cl
            //   498d4e50             | test                cl, cl
            //   e8????????           |                     
            //   4839d0               | jne                 0x871
            //   7426                 | dec                 eax
            //   4889c1               | mov                 eax, dword ptr [ebp - 0x20]
            //   4989d7               | mov                 byte ptr [eax + 0xc], 1

        $sequence_4 = { 7559 488b5710 4885d2 7450 e8???????? 85c0 7547 }
            // n = 7, score = 100
            //   7559                 | dec                 esp
            //   488b5710             | mov                 edx, dword ptr [esp + 0x70]
            //   4885d2               | dec                 esp
            //   7450                 | mov                 dword ptr [ebx + 0x50], edx
            //   e8????????           |                     
            //   85c0                 | dec                 esp
            //   7547                 | mov                 esi, dword ptr [esp + 0xd0]

        $sequence_5 = { ffc8 8b542470 488bcd 89442444 e8???????? 418b442438 448bc6 }
            // n = 7, score = 100
            //   ffc8                 | je                  0x190
            //   8b542470             | dec                 esp
            //   488bcd               | mov                 esi, dword ptr [edi + 0x20]
            //   89442444             | dec                 ebp
            //   e8????????           |                     
            //   418b442438           | test                esi, esi
            //   448bc6               | mov                 eax, dword ptr [ebx]

        $sequence_6 = { c1e012 c1e706 4183e63f 4109fe 4109c6 4181fe00001100 408a6c2433 }
            // n = 7, score = 100
            //   c1e012               | dec                 ebp
            //   c1e706               | test                edi, edi
            //   4183e63f             | je                  0x9d8
            //   4109fe               | je                  0x9cf
            //   4109c6               | dec                 eax
            //   4181fe00001100       | mov                 ecx, dword ptr [edi]
            //   408a6c2433           | dec                 ecx

        $sequence_7 = { e8???????? 450fbf4e46 41bd02000000 8b45c4 4503cd 488bce 89442420 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   450fbf4e46           | dec                 eax
            //   41bd02000000         | sar                 edi, 2
            //   8b45c4               | jne                 0x25a
            //   4503cd               | inc                 ecx
            //   488bce               | test                byte ptr [ebp], 0xdf
            //   89442420             | je                  0x268

        $sequence_8 = { 498d142f 410fb6c1 4c8d052ae80900 41c1e908 b90d000000 89442420 e8???????? }
            // n = 7, score = 100
            //   498d142f             | inc                 ebp
            //   410fb6c1             | xor                 eax, eax
            //   4c8d052ae80900       | inc                 ecx
            //   41c1e908             | lea                 edx, [eax + 0x48]
            //   b90d000000           | jmp                 0xdc9
            //   89442420             | dec                 eax
            //   e8????????           |                     

        $sequence_9 = { e9???????? 488d0d2aaf0f00 4c8d054baf0f00 ba21000000 e8???????? e9???????? c685d705000001 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   488d0d2aaf0f00       | inc                 ecx
            //   4c8d054baf0f00       | mov                 edi, eax
            //   ba21000000           | dec                 ecx
            //   e8????????           |                     
            //   e9????????           |                     
            //   c685d705000001       | shl                 edi, 0x20

    condition:
        // Any 7 of the 10 byte sequences must be present, so a single
        // sequence being compiled differently does not defeat the rule.
        // The filesize cap (a little over 4.5 MiB) bounds what the rule is
        // applied to; how that value was chosen is not documented here, and
        // memory dumps larger than it will not match regardless of content.
        7 of them and filesize < 4772864
}