SYMBOLCOMMON_NAMEaka. SYNONYMS
win.maudi (Back to overview)

Maudi


Specialized PoisonIvy Sideloader.

References
2013-12-11Norman SharkSnorre Fagerland
@techreport{fagerland:20131211:chinese:b7bb523, author = {Snorre Fagerland}, title = {{The Chinese Malware Complexes: The Maudi Surveillance Operation}}, date = {2013-12-11}, institution = {Norman Shark}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2012/NormanShark-MaudiOperation.pdf}, language = {English}, urldate = {2020-01-27} } The Chinese Malware Complexes: The Maudi Surveillance Operation
Maudi
2010-05-28ContagioDumpMila Parkour
@online{parkour:20100528:cve20093129:6e71df9, author = {Mila Parkour}, title = {{CVE-2009-3129 XLS for office 2002-2007 with fud keylogger EIDHR from david@humanright-watch.org}}, date = {2010-05-28}, organization = {ContagioDump}, url = {https://contagiodump.blogspot.com/2010/06/may-28-cve-2009-3129-xls-for-office.html}, language = {English}, urldate = {2020-01-27} } CVE-2009-3129 XLS for office 2002-2007 with fud keylogger EIDHR from david@humanright-watch.org
Maudi
Yara Rules
[TLP:WHITE] win_maudi_auto (20230407 | Detects win.maudi.)
rule win_maudi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.maudi."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.maudi"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 51 51 51 59 59 59 }
            // n = 6, score = 400
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx

        $sequence_1 = { 5d a3???????? 6804010000 56 68???????? }
            // n = 5, score = 400
            //   5d                   | pop                 ebp
            //   a3????????           |                     
            //   6804010000           | push                0x104
            //   56                   | push                esi
            //   68????????           |                     

        $sequence_2 = { 89e0 50 68???????? 87d1 87ca 51 51 }
            // n = 7, score = 400
            //   89e0                 | mov                 eax, esp
            //   50                   | push                eax
            //   68????????           |                     
            //   87d1                 | xchg                ecx, edx
            //   87ca                 | xchg                edx, ecx
            //   51                   | push                ecx
            //   51                   | push                ecx

        $sequence_3 = { 8b80a4000000 83f806 7546 68???????? 87d1 }
            // n = 5, score = 400
            //   8b80a4000000         | mov                 eax, dword ptr [eax + 0xa4]
            //   83f806               | cmp                 eax, 6
            //   7546                 | jne                 0x48
            //   68????????           |                     
            //   87d1                 | xchg                ecx, edx

        $sequence_4 = { 59 ff25???????? 83c408 85c0 0f8581010000 8dbdf8fdffff }
            // n = 6, score = 400
            //   59                   | pop                 ecx
            //   ff25????????         |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   0f8581010000         | jne                 0x187
            //   8dbdf8fdffff         | lea                 edi, [ebp - 0x208]

        $sequence_5 = { 83f806 7548 68???????? 87d1 }
            // n = 4, score = 400
            //   83f806               | cmp                 eax, 6
            //   7548                 | jne                 0x4a
            //   68????????           |                     
            //   87d1                 | xchg                ecx, edx

        $sequence_6 = { 89e5 60 6a3c 68???????? 68???????? 87d1 }
            // n = 6, score = 400
            //   89e5                 | mov                 ebp, esp
            //   60                   | pushal              
            //   6a3c                 | push                0x3c
            //   68????????           |                     
            //   68????????           |                     
            //   87d1                 | xchg                ecx, edx

        $sequence_7 = { 5d 89e0 50 68???????? 87d1 }
            // n = 5, score = 400
            //   5d                   | pop                 ebp
            //   89e0                 | mov                 eax, esp
            //   50                   | push                eax
            //   68????????           |                     
            //   87d1                 | xchg                ecx, edx

        $sequence_8 = { 89e5 5d 8b542404 80740aff32 }
            // n = 4, score = 400
            //   89e5                 | mov                 ebp, esp
            //   5d                   | pop                 ebp
            //   8b542404             | mov                 edx, dword ptr [esp + 4]
            //   80740aff32           | xor                 byte ptr [edx + ecx - 1], 0x32

        $sequence_9 = { 29d2 52 52 52 }
            // n = 4, score = 400
            //   29d2                 | sub                 edx, edx
            //   52                   | push                edx
            //   52                   | push                edx
            //   52                   | push                edx

    condition:
        7 of them and filesize < 40960
}
Download all Yara Rules