win.mechanical

MECHANICAL

aka: GoldStamp

Actor(s): Kimsuky


Malpedia has no description for this family yet. The only context this page provides is the alias GoldStamp, the attribution to Kimsuky, and the two references below (the 2020 CrowdStrike Global Threat Report and NetScout ASERT's STOLEN PENCIL write-up).

References
2020-03-04 — CrowdStrike (author: CrowdStrike)
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
Other families and actors covered by this reference: MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2018-12-05 — NetScout (author: ASERT Team)
@online{team:20181205:stolen:bc9dd60, author = {ASERT Team}, title = {{STOLEN PENCIL Campaign Targets Academia}}, date = {2018-12-05}, organization = {NetScout}, url = {https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/}, language = {English}, urldate = {2020-01-08} } STOLEN PENCIL Campaign Targets Academia
Other families covered by this reference: GREASE, MECHANICAL
Yara Rules
[TLP:WHITE] win_mechanical_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_mechanical_auto {

    /* Reviewer notes on this yara-signator output:
     * - The sample is 64-bit code: almost every sequence starts with a REX
     *   prefix (0x41/0x48/0x49/0x4c/0x4d). The per-instruction annotations
     *   below have been rewritten as 64-bit disassembly. The generator's
     *   original annotations were shifted relative to the hex strings they
     *   sat next to (e.g. 33d2 is xor edx, edx, not a byte store), so do not
     *   rely on older copies of this rule for reading the bytes.
     * - Branch targets are written as signed displacements from the end of
     *   the branch instruction. "??" bytes are wildcards for call targets and
     *   RIP-relative displacements that differ between builds.
     * - $sequence_3, _7, _8, _10, _11, _12 and _15 share one shape:
     *   "mov byte ptr [rsp + rdx + <const>], <ASCII char>" followed by a jmp.
     *   They look like arms of a compiler-generated switch that writes single
     *   characters into a stack buffer (a string-building/decoding routine is
     *   a plausible but unconfirmed interpretation). Because they probably
     *   originate from the same function, a "7 of them" hit is less
     *   independent evidence than 7-of-16 suggests.
     * - The condition has no MZ/PE header check and no pe-module dependency,
     *   so the rule matches unpacked memory dumps as well as files (intended,
     *   see DISCLAIMER). The filesize cap of 434176 bytes (424 KiB) excludes
     *   larger dumps and padded/appended samples.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mechanical"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4c8d9c2490020000 488d8c24a5020000 33d2 498903 }
            // n = 4, score = 200
            //   4c8d9c2490020000     | lea                 r11, [rsp + 0x290]
            //   488d8c24a5020000     | lea                 rcx, [rsp + 0x2a5]
            //   33d2                 | xor                 edx, edx
            //   498903               | mov                 qword ptr [r11], rax

        $sequence_1 = { 84c0 0f8409000000 4983c101 4d85db 75e7 488d942480010000 41ba0b000000 }
            // n = 7, score = 200
            //   84c0                 | test                al, al
            //   0f8409000000         | je                  +0x9
            //   4983c101             | add                 r9, 1
            //   4d85db               | test                r11, r11
            //   75e7                 | jne                 -0x19
            //   488d942480010000     | lea                 rdx, [rsp + 0x180]
            //   41ba0b000000         | mov                 r10d, 0xb

        $sequence_2 = { 0f86df020000 8d9b00000000 8a8414243d0000 33c9 3c41 7212 }
            // n = 6, score = 200
            //   0f86df020000         | jbe                 +0x2df
            //   8d9b00000000         | lea                 ebx, [rbx + 0]        (6-byte form; likely alignment filler)
            //   8a8414243d0000       | mov                 al, byte ptr [rsp + rdx + 0x3d24]
            //   33c9                 | xor                 ecx, ecx
            //   3c41                 | cmp                 al, 0x41              ('A')
            //   7212                 | jb                  +0x12

        $sequence_3 = { c68414243d00003f eb12 c68414243d00002e eb08 c68414243d00002c 3bcd 7408 }
            // n = 7, score = 200
            //   c68414243d00003f     | mov                 byte ptr [rsp + rdx + 0x3d24], 0x3f   ('?')
            //   eb12                 | jmp                 +0x12
            //   c68414243d00002e     | mov                 byte ptr [rsp + rdx + 0x3d24], 0x2e   ('.')
            //   eb08                 | jmp                 +0x8
            //   c68414243d00002c     | mov                 byte ptr [rsp + rdx + 0x3d24], 0x2c   (',')
            //   3bcd                 | cmp                 ecx, ebp
            //   7408                 | je                  +0x8

        $sequence_4 = { e8???????? 85c0 750a 4883c30a 0fbaef12 eb3c 488d15d9d20000 }
            // n = 7, score = 200
            //   e8????????           | call                <wildcarded rel32>
            //   85c0                 | test                eax, eax
            //   750a                 | jne                 +0xa
            //   4883c30a             | add                 rbx, 0xa
            //   0fbaef12             | bts                 edi, 0x12
            //   eb3c                 | jmp                 +0x3c
            //   488d15d9d20000       | lea                 rdx, [rip + 0xd2d9]

        $sequence_5 = { 0f8766010000 4898 0fb68428a4110100 8b8c85d0100100 }
            // n = 4, score = 200
            //   0f8766010000         | ja                  +0x166
            //   4898                 | cdqe
            //   0fb68428a4110100     | movzx               eax, byte ptr [rax + rbp + 0x111a4]
            //   8b8c85d0100100       | mov                 ecx, dword ptr [rbp + rax*4 + 0x110d0]
            // byte index table followed by a dword table lookup: consistent with
            // compiler switch/jump-table dispatch (interpretation, not confirmed)

        $sequence_6 = { 41b806000000 4c8d0d38f40000 4c3948f0 740c }
            // n = 4, score = 200
            //   41b806000000         | mov                 r8d, 6
            //   4c8d0d38f40000       | lea                 r9, [rip + 0xf438]
            //   4c3948f0             | cmp                 qword ptr [rax - 0x10], r9
            //   740c                 | je                  +0xc

        $sequence_7 = { e9???????? c68414400300003b e9???????? c68414400300002b e9???????? c68414400300003e }
            // n = 6, score = 200
            //   e9????????           | jmp                 <wildcarded rel32>
            //   c68414400300003b     | mov                 byte ptr [rsp + rdx + 0x340], 0x3b    (';')
            //   e9????????           | jmp                 <wildcarded rel32>
            //   c68414400300002b     | mov                 byte ptr [rsp + rdx + 0x340], 0x2b    ('+')
            //   e9????????           | jmp                 <wildcarded rel32>
            //   c68414400300003e     | mov                 byte ptr [rsp + rdx + 0x340], 0x3e    ('>')

        $sequence_8 = { c68414584a000075 e9???????? c68414584a00006e e9???????? c68414584a00002d }
            // n = 5, score = 200
            //   c68414584a000075     | mov                 byte ptr [rsp + rdx + 0x4a58], 0x75   ('u')
            //   e9????????           | jmp                 <wildcarded rel32>
            //   c68414584a00006e     | mov                 byte ptr [rsp + rdx + 0x4a58], 0x6e   ('n')
            //   e9????????           | jmp                 <wildcarded rel32>
            //   c68414584a00002d     | mov                 byte ptr [rsp + rdx + 0x4a58], 0x2d   ('-')

        $sequence_9 = { 488905???????? e8???????? 4c8d1d35f60100 498bcc }
            // n = 4, score = 200
            //   488905????????       | mov                 qword ptr [rip + <wildcarded disp32>], rax
            //   e8????????           | call                <wildcarded rel32>
            //   4c8d1d35f60100       | lea                 r11, [rip + 0x1f635]
            //   498bcc               | mov                 rcx, r12

        $sequence_10 = { c68414741000006c e9???????? c684147410000064 e9???????? c684147410000070 e9???????? }
            // n = 6, score = 200
            //   c68414741000006c     | mov                 byte ptr [rsp + rdx + 0x1074], 0x6c   ('l')
            //   e9????????           | jmp                 <wildcarded rel32>
            //   c684147410000064     | mov                 byte ptr [rsp + rdx + 0x1074], 0x64   ('d')
            //   e9????????           | jmp                 <wildcarded rel32>
            //   c684147410000070     | mov                 byte ptr [rsp + rdx + 0x1074], 0x70   ('p')
            //   e9????????           | jmp                 <wildcarded rel32>

        $sequence_11 = { c684143c43000025 e9???????? c684143c4300002a e9???????? c684143c43000026 }
            // n = 5, score = 200
            //   c684143c43000025     | mov                 byte ptr [rsp + rdx + 0x433c], 0x25   ('%')
            //   e9????????           | jmp                 <wildcarded rel32>
            //   c684143c4300002a     | mov                 byte ptr [rsp + rdx + 0x433c], 0x2a   ('*')
            //   e9????????           | jmp                 <wildcarded rel32>
            //   c684143c43000026     | mov                 byte ptr [rsp + rdx + 0x433c], 0x26   ('&')

        $sequence_12 = { eb26 c684141c3b00002f eb1c c684141c3b00003f eb12 }
            // n = 5, score = 200
            //   eb26                 | jmp                 +0x26
            //   c684141c3b00002f     | mov                 byte ptr [rsp + rdx + 0x3b1c], 0x2f   ('/')
            //   eb1c                 | jmp                 +0x1c
            //   c684141c3b00003f     | mov                 byte ptr [rsp + rdx + 0x3b1c], 0x3f   ('?')
            //   eb12                 | jmp                 +0x12

        $sequence_13 = { 4883e901 4188440bde 75f0 41c60300 }
            // n = 4, score = 200
            //   4883e901             | sub                 rcx, 1
            //   4188440bde           | mov                 byte ptr [r11 + rcx - 0x22], al
            //   75f0                 | jne                 -0x10
            //   41c60300             | mov                 byte ptr [r11], 0
            // the mov does not touch flags, so jne loops on the sub's result until
            // rcx reaches 0; the final store NUL-terminates at [r11]

        $sequence_14 = { 4883c201 4983e901 0f853ffeffff 488d942490130000 488bcf ff15???????? }
            // n = 6, score = 200
            //   4883c201             | add                 rdx, 1
            //   4983e901             | sub                 r9, 1
            //   0f853ffeffff         | jne                 -0x1c1
            //   488d942490130000     | lea                 rdx, [rsp + 0x1390]
            //   488bcf               | mov                 rcx, rdi
            //   ff15????????         | call                qword ptr [rip + <wildcarded disp32>]

        $sequence_15 = { c68414203c00003a e9???????? c68414203c000023 e9???????? c68414203c000021 e9???????? c68414203c000025 }
            // n = 7, score = 200
            //   c68414203c00003a     | mov                 byte ptr [rsp + rdx + 0x3c20], 0x3a   (':')
            //   e9????????           | jmp                 <wildcarded rel32>
            //   c68414203c000023     | mov                 byte ptr [rsp + rdx + 0x3c20], 0x23   ('#')
            //   e9????????           | jmp                 <wildcarded rel32>
            //   c68414203c000021     | mov                 byte ptr [rsp + rdx + 0x3c20], 0x21   ('!')
            //   e9????????           | jmp                 <wildcarded rel32>
            //   c68414203c000025     | mov                 byte ptr [rsp + rdx + 0x3c20], 0x25   ('%')

    condition:
        // 7 of the 16 sequences must be present. No MZ/PE magic check, so this
        // also fires on raw memory dumps; filesize < 434176 (424 KiB) means
        // larger dumps or padded/appended samples will not match.
        7 of them and filesize < 434176
}