win.mechanical

MECHANICAL

aka: GoldStamp

Actor(s): Kimsuky


There is no description at this point.

References
2020-03-04 · CrowdStrike · CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2018-12-05 · NetScout · ASERT Team
@online{team:20181205:stolen:bc9dd60, author = {ASERT Team}, title = {{STOLEN PENCIL Campaign Targets Academia}}, date = {2018-12-05}, organization = {NetScout}, url = {https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/}, language = {English}, urldate = {2020-01-08} } STOLEN PENCIL Campaign Targets Academia
GREASE MECHANICAL
Yara Rules
[TLP:WHITE] win_mechanical_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_mechanical_auto {
    /* Auto-generated code-pattern rule for the win.mechanical family (aka GoldStamp,
     * attributed on this page to Kimsuky). It fires when at least 7 of the 16 opcode
     * byte sequences below are present in an input smaller than 434176 bytes.
     * The sequences were selected by yara-signator from Malpedia samples; see the
     * DISCLAIMER block for the resulting coverage caveats before assigning confidence.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mechanical"
        malpedia_rule_date = "20201014"
        // NOTE(review): malpedia_hash is the generator's reference value for this
        // rule snapshot, not necessarily a sample hash — confirm in Malpedia before
        // treating it as an indicator.
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a raw x86 opcode byte pattern; "??" bytes are wildcards,
        // used here for the 4-byte relative operand of call (e8) / jmp (e9), which
        // changes between builds. "n" is the instruction count of the sequence;
        // "score" is yara-signator's own ranking metric, whose exact meaning is not
        // documented on this page.
        // NOTE(review): the per-instruction disassembly comments appear shifted
        // relative to the bytes they sit next to (e.g. the comments under $sequence_1
        // match the tail of $sequence_0 plus the head of $sequence_1) and look like a
        // 32-bit decode of 64-bit code (REX prefix bytes 41/44/45/48/4c/4d rendered as
        // inc/dec). Treat the hex bytes, not the comments, as the authoritative pattern.
        $sequence_0 = { 448928 4c896c2420 4533c9 4533c0 33d2 33c9 }
            // n = 6, score = 200
            //   448928               | inc                 esp
            //   4c896c2420           | mov                 dword ptr [eax], ebp
            //   4533c9               | dec                 esp
            //   4533c0               | mov                 dword ptr [esp + 0x20], ebp
            //   33d2                 | inc                 ebp
            //   33c9                 | xor                 ecx, ecx

        $sequence_1 = { 75ed 488d8c2470330000 4d8bc4 6690 0fb601 4883c101 84c0 }
            // n = 7, score = 200
            //   75ed                 | inc                 ebp
            //   488d8c2470330000     | xor                 eax, eax
            //   4d8bc4               | xor                 edx, edx
            //   6690                 | xor                 ecx, ecx
            //   0fb601               | jne                 0xffffffef
            //   4883c101             | dec                 eax
            //   84c0                 | lea                 ecx, [esp + 0x3370]

        $sequence_2 = { 7e17 430fb60c10 e8???????? 85c0 7413 4983c001 }
            // n = 6, score = 200
            //   7e17                 | lea                 edx, [0xf729]
            //   430fb60c10           | mov                 dword ptr [ebx + 4], ebp
            //   e8????????           |                     
            //   85c0                 | mov                 dword ptr [ebx + 8], ebp
            //   7413                 | mov                 dword ptr [ebx + 0xc], ebp
            //   4983c001             | dec                 eax

        $sequence_3 = { 3bc3 0f47cb 482bf9 4c03f1 3bc3 }
            // n = 5, score = 200
            //   3bc3                 | dec                 ebp
            //   0f47cb               | mov                 eax, esp
            //   482bf9               | nop                 
            //   4c03f1               | movzx               eax, byte ptr [ecx]
            //   3bc3                 | dec                 eax

        $sequence_4 = { 488d8c24c15a0000 33d2 41b803010000 4489642430 4488a424c05a0000 e8???????? 4c8d1d6e510200 }
            // n = 7, score = 200
            //   488d8c24c15a0000     | sub                 edi, ecx
            //   33d2                 | dec                 esp
            //   41b803010000         | add                 esi, ecx
            //   4489642430           | cmp                 eax, ebx
            //   4488a424c05a0000     | xor                 ebp, ebp
            //   e8????????           |                     
            //   4c8d1d6e510200       | dec                 eax

        $sequence_5 = { 740e e8???????? eb07 4c8d258cf20000 4889beb8000000 f0830701 }
            // n = 6, score = 200
            //   740e                 | inc                 esp
            //   e8????????           |                     
            //   eb07                 | mov                 byte ptr [esp + 0x5ac0], ah
            //   4c8d258cf20000       | dec                 esp
            //   4889beb8000000       | lea                 ebx, [0x2516e]
            //   f0830701             | jle                 0x19

        $sequence_6 = { 41b800010000 8b4104 8b5114 498bcc }
            // n = 4, score = 200
            //   41b800010000         | inc                 ebx
            //   8b4104               | movzx               ecx, byte ptr [eax + edx]
            //   8b5114               | test                eax, eax
            //   498bcc               | je                  0x17

        $sequence_7 = { 33ed 488d1529f70000 896b04 896b08 896b0c }
            // n = 5, score = 200
            //   33ed                 | add                 ecx, 1
            //   488d1529f70000       | test                al, al
            //   896b04               | cmp                 eax, ebx
            //   896b08               | cmova               ecx, ebx
            //   896b0c               | dec                 eax

        // Sequences 8-15 carry a lower generator score (100) than sequences 0-7 (200);
        // the generator's scoring rationale is not given here.
        $sequence_8 = { e9???????? c68414c424000066 e9???????? c68414c424000068 e9???????? c68414c424000078 e9???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   c68414c424000066     | dec                 eax
            //   e9????????           |                     
            //   c68414c424000068     | mov                 dword ptr [esi + 0xb8], edi
            //   e9????????           |                     
            //   c68414c424000078     | lock add            dword ptr [edi], 1
            //   e9????????           |                     

        $sequence_9 = { c684144c06000075 e9???????? c684144c0600006e e9???????? c684144c0600002d e9???????? }
            // n = 6, score = 100
            //   c684144c06000075     | dec                 eax
            //   e9????????           |                     
            //   c684144c0600006e     | lea                 ecx, [esp + 0x59b0]
            //   e9????????           |                     
            //   c684144c0600002d     | dec                 ebp
            //   e9????????           |                     

        $sequence_10 = { 0420 b901000000 88841470500000 0fb6841470500000 }
            // n = 4, score = 100
            //   0420                 | mov                 dword ptr [esp + 0x30], ebx
            //   b901000000           | dec                 eax
            //   88841470500000       | mov                 dword ptr [esp + 0x38], ebp
            //   0fb6841470500000     | dec                 eax

        $sequence_11 = { e9???????? c68414881500002a e9???????? c684148815000026 e9???????? c68414881500005b }
            // n = 6, score = 100
            //   e9????????           |                     
            //   c68414881500002a     | mov                 eax, dword ptr [ecx + 4]
            //   e9????????           |                     
            //   c684148815000026     | mov                 edx, dword ptr [ecx + 0x14]
            //   e9????????           |                     
            //   c68414881500005b     | dec                 ecx

        $sequence_12 = { 0fb680a08a4100 ff2485cc894100 c68414d82900006d e9???????? c68414d829000071 }
            // n = 5, score = 100
            //   0fb680a08a4100       | mov                 ecx, esp
            //   ff2485cc894100       | dec                 eax
            //   c68414d82900006d     | sub                 esp, 0x28
            //   e9????????           |                     
            //   c68414d829000071     | dec                 eax

        $sequence_13 = { c68414845500003b e9???????? c68414845500002b e9???????? }
            // n = 4, score = 100
            //   c68414845500003b     | inc                 ecx
            //   e9????????           |                     
            //   c68414845500002b     | mov                 eax, 0x100
            //   e9????????           |                     

        $sequence_14 = { 8d8c243a010000 8db4242c060000 bf05000000 8d9b00000000 b822000000 8a5406ff }
            // n = 6, score = 100
            //   8d8c243a010000       | mov                 eax, esp
            //   8db4242c060000       | nop                 
            //   bf05000000           | je                  0x10
            //   8d9b00000000         | jmp                 0xb
            //   b822000000           | dec                 esp
            //   8a5406ff             | lea                 esp, [0xf28c]

        $sequence_15 = { 83e11f 6bc928 8b0485c0e54200 c644080401 57 e8???????? 59 }
            // n = 7, score = 100
            //   83e11f               | mov                 ebp, edx
            //   6bc928               | dec                 ecx
            //   8b0485c0e54200       | arpl                ax, bx
            //   c644080401           | test                eax, eax
            //   57                   | mov                 byte ptr [esp + edx + 0x64c], 0x75
            //   e8????????           |                     
            //   59                   | mov                 byte ptr [esp + edx + 0x64c], 0x6e

    condition:
        // "them" = all 16 $sequence_* strings; the 7-of-16 threshold and the size
        // bound are generator outputs, not hand-tuned values. Note that YARA's
        // filesize is undefined when scanning a running process, so this rule is
        // only expected to match on-disk samples and memory dumps written to files.
        7 of them and filesize < 434176
}