win.medusa (Back to overview)

Medusa


Medusa is a DDoS bot written in .NET 2.0. In its current incarnation, its C&C protocol is HTTP-based, whereas its predecessor used IRC.

References
2017-12-18Arbor NetworksTJ Nelson
@online{nelson:20171218:medusahttp:6bf896f, author = {TJ Nelson}, title = {{MedusaHTTP DDoS Slithers Back into the Spotlight}}, date = {2017-12-18}, organization = {Arbor Networks}, url = {https://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/}, language = {English}, urldate = {2019-12-18} } MedusaHTTP DDoS Slithers Back into the Spotlight
Medusa
2017-10-13Zerophage
@online{zerophage:20171013:rig:3a9c804, author = {Zerophage}, title = {{Rig EK via Malvertising drops a Smoke Loader leading to a Miner and AZORult}}, date = {2017-10-13}, url = {https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/}, language = {English}, urldate = {2020-01-07} } Rig EK via Malvertising drops a Smoke Loader leading to a Miner and AZORult
Medusa
2015-02-06CrowdStrikeCrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
Yara Rules
[TLP:WHITE] win_medusa_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_medusa_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): meta date (2020-05-30) and malpedia_rule_date (20200529)
        // differ by one day; both are kept as generated.
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusa"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes (not part of the generated rule):
     * - The family description for win.medusa says the bot is written in
     *   .NET 2.0. The mnemonics in the per-sequence comments below are the
     *   generator's x86 decoding of the selected bytes; several of them
     *   (push cs, in al/dx, salc, add byte ptr [eax], al) do not read as
     *   meaningful native code, so treat the $sequence_* strings as opaque
     *   byte patterns, not as instruction-level behaviour — TODO confirm
     *   against the reference sample before relying on the disassembly.
     * - `????????` wildcards mask 4-byte operands; presumably these are the
     *   absolute data references the "datarefs" tool_config refers to, so
     *   the patterns remain stable across relocations/rebuilds of the sample.
     * - Per the disclaimer, the rule is likely derived from a single sample;
     *   assign it autogenerated-rule confidence and corroborate hits with
     *   other indicators before acting on them.
     */


    strings:
        $sequence_0 = { 387cffff ff06 0e 057d2d0100 0411 0d209444bb }
            // n = 6, score = 100
            //   387cffff             | cmp                 byte ptr [edi + edi*8 - 1], bh
            //   ff06                 | inc                 dword ptr [esi]
            //   0e                   | push                cs
            //   057d2d0100           | add                 eax, 0x12d7d
            //   0411                 | add                 al, 0x11
            //   0d209444bb           | or                  eax, 0xbb449420

        $sequence_1 = { 8e9720009a63 a1???????? 7c30 5a 20e4 }
            // n = 5, score = 100
            //   8e9720009a63         | mov                 ss, word ptr [edi + 0x639a0020]
            //   a1????????           |                     
            //   7c30                 | jl                  0x32
            //   5a                   | pop                 edx
            //   20e4                 | and                 ah, ah

        // NOTE(review): $sequence_2 is a suffix of $sequence_0 (same bytes minus the
        // leading 387cffff); a hit on $sequence_0 therefore implies a hit on $sequence_2,
        // so these two count as two distinct matches in the "7 of them" condition.
        $sequence_2 = { ff06 0e 057d2d0100 0411 0d209444bb }
            // n = 5, score = 100
            //   ff06                 | inc                 dword ptr [esi]
            //   0e                   | push                cs
            //   057d2d0100           | add                 eax, 0x12d7d
            //   0411                 | add                 al, 0x11
            //   0d209444bb           | or                  eax, 0xbb449420

        $sequence_3 = { 0820 7ddd 5a 8b25???????? }
            // n = 4, score = 100
            //   0820                 | or                  byte ptr [eax], ah
            //   7ddd                 | jge                 0xffffffdf
            //   5a                   | pop                 edx
            //   8b25????????         |                     

        // NOTE(review): $sequence_4 overlaps $sequence_0/$sequence_2 on
        // "057d2d0100 0411 0d209444bb" and extends it by three more bytes/words.
        $sequence_4 = { 057d2d0100 0411 0d209444bb be5a20826e 4d 96 }
            // n = 6, score = 100
            //   057d2d0100           | add                 eax, 0x12d7d
            //   0411                 | add                 al, 0x11
            //   0d209444bb           | or                  eax, 0xbb449420
            //   be5a20826e           | mov                 esi, 0x6e82205a
            //   4d                   | dec                 ebp
            //   96                   | xchg                eax, esi

        // NOTE(review): short pattern (7 bytes) ending in 0000; such patterns are
        // more prone to incidental matches than the longer sequences, which is why
        // the condition requires several of them together rather than any one.
        $sequence_5 = { 0e 04de 00443701 0000 }
            // n = 4, score = 100
            //   0e                   | push                cs
            //   04de                 | add                 al, 0xde
            //   00443701             | add                 byte ptr [edi + esi + 1], al
            //   0000                 | add                 byte ptr [eax], al

        // NOTE(review): $sequence_6 also overlaps $sequence_0 ("387cffff ff06 0e
        // 057d2d0100 0411"), with a different two-instruction prefix.
        $sequence_6 = { 5a 20af8f57e661 387cffff ff06 0e 057d2d0100 0411 }
            // n = 7, score = 100
            //   5a                   | pop                 edx
            //   20af8f57e661         | and                 byte ptr [edi + 0x61e6578f], ch
            //   387cffff             | cmp                 byte ptr [edi + edi*8 - 1], bh
            //   ff06                 | inc                 dword ptr [esi]
            //   0e                   | push                cs
            //   057d2d0100           | add                 eax, 0x12d7d
            //   0411                 | add                 al, 0x11

        $sequence_7 = { 20fc 36f5 ec 252b0620fc d6 bb61252611 0420 }
            // n = 7, score = 100
            //   20fc                 | and                 ah, bh
            //   36f5                 | cmc                 
            //   ec                   | in                  al, dx
            //   252b0620fc           | and                 eax, 0xfc20062b
            //   d6                   | salc                
            //   bb61252611           | mov                 ebx, 0x11262561
            //   0420                 | add                 al, 0x20

        // NOTE(review): $sequence_8 and $sequence_9 share the run
        // "15d4280c00 002b 2058e6"; like the $sequence_0 group above, a sample
        // containing that run once can satisfy both strings.
        $sequence_8 = { 15d4280c00 002b 2058e6 a2???????? 002b }
            // n = 5, score = 100
            //   15d4280c00           | adc                 eax, 0xc28d4
            //   002b                 | add                 byte ptr [ebx], ch
            //   2058e6               | and                 byte ptr [eax - 0x1a], bl
            //   a2????????           |                     
            //   002b                 | add                 byte ptr [ebx], ch

        $sequence_9 = { 0000 010c20 46 4c 15d4280c00 002b 2058e6 }
            // n = 7, score = 100
            //   0000                 | add                 byte ptr [eax], al
            //   010c20               | add                 dword ptr [eax], ecx
            //   46                   | inc                 esi
            //   4c                   | dec                 esp
            //   15d4280c00           | adc                 eax, 0xc28d4
            //   002b                 | add                 byte ptr [ebx], ch
            //   2058e6               | and                 byte ptr [eax - 0x1a], bl

    condition:
        // Fires when at least 7 of the 10 $sequence_* patterns are present AND the
        // scanned object is smaller than 443392 bytes (~433 KiB). The size ceiling
        // is a hard gate: a larger file (e.g. the same code with data appended, or
        // a memory region scanned as a whole) will not match however many
        // sequences it contains. Because several sequences overlap (see notes
        // above), the effective number of independent byte runs required is lower
        // than 7.
        7 of them and filesize < 443392
}