SYMBOLCOMMON_NAMEaka. SYNONYMS
win.medusa (Back to overview)

Medusa


Medusa is a DDoS bot written in .NET 2.0. In its current incarnation its C&C protocol is based on HTTP, while its predecessor made use of IRC.

References
2017-12-18Arbor NetworksTJ Nelson
@online{nelson:20171218:medusahttp:6bf896f, author = {TJ Nelson}, title = {{MedusaHTTP DDoS Slithers Back into the Spotlight}}, date = {2017-12-18}, organization = {Arbor Networks}, url = {https://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/}, language = {English}, urldate = {2019-12-18} } MedusaHTTP DDoS Slithers Back into the Spotlight
Medusa
2017-10-13Zerophage
@online{zerophage:20171013:rig:3a9c804, author = {Zerophage}, title = {{Rig EK via Malvertising drops a Smoke Loader leading to a Miner and AZORult}}, date = {2017-10-13}, url = {https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/}, language = {English}, urldate = {2020-01-07} } Rig EK via Malvertising drops a Smoke Loader leading to a Miner and AZORult
Medusa
2015-02-06CrowdStrikeCrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
Yara Rules
[TLP:WHITE] win_medusa_auto (20230808 | Detects win.medusa.)
rule win_medusa_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.medusa."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusa"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 680049ff69 004aff 6a00 4b ff6b00 4c ff6c004d }
            // n = 7, score = 100
            //   680049ff69           | push                0x69ff4900
            //   004aff               | add                 byte ptr [edx - 1], cl
            //   6a00                 | push                0
            //   4b                   | dec                 ebx
            //   ff6b00               | ljmp                [ebx]
            //   4c                   | dec                 esp
            //   ff6c004d             | ljmp                [eax + eax + 0x4d]

        $sequence_1 = { 1a03 69c421f3ef6a 2048b3 a5 }
            // n = 4, score = 100
            //   1a03                 | sbb                 al, byte ptr [ebx]
            //   69c421f3ef6a         | imul                eax, esp, 0x6aeff321
            //   2048b3               | and                 byte ptr [eax - 0x4d], cl
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]

        $sequence_2 = { 52 ff7200 53 ff7300 54 }
            // n = 5, score = 100
            //   52                   | push                edx
            //   ff7200               | push                dword ptr [edx]
            //   53                   | push                ebx
            //   ff7300               | push                dword ptr [ebx]
            //   54                   | push                esp

        $sequence_3 = { 317f52 56 5c ab 92 6f 0c48 }
            // n = 7, score = 100
            //   317f52               | xor                 dword ptr [edi + 0x52], edi
            //   56                   | push                esi
            //   5c                   | pop                 esp
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   92                   | xchg                eax, edx
            //   6f                   | outsd               dx, dword ptr [esi]
            //   0c48                 | or                  al, 0x48

        $sequence_4 = { 9e 45 334a54 98 56 39ec 51 }
            // n = 7, score = 100
            //   9e                   | sahf                
            //   45                   | inc                 ebp
            //   334a54               | xor                 ecx, dword ptr [edx + 0x54]
            //   98                   | cwde                
            //   56                   | push                esi
            //   39ec                 | cmp                 esp, ebp
            //   51                   | push                ecx

        $sequence_5 = { 9f c48b2addd977 7612 a5 ba3c533f71 }
            // n = 5, score = 100
            //   9f                   | lahf                
            //   c48b2addd977         | les                 ecx, ptr [ebx + 0x77d9dd2a]
            //   7612                 | jbe                 0x14
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   ba3c533f71           | mov                 edx, 0x713f533c

        $sequence_6 = { e60e 6c 7bbc 45 }
            // n = 4, score = 100
            //   e60e                 | out                 0xe, al
            //   6c                   | insb                byte ptr es:[edi], dx
            //   7bbc                 | jnp                 0xffffffbe
            //   45                   | inc                 ebp

        $sequence_7 = { 54 ff740055 ff7500 56 }
            // n = 4, score = 100
            //   54                   | push                esp
            //   ff740055             | push                dword ptr [eax + eax + 0x55]
            //   ff7500               | push                dword ptr [ebp]
            //   56                   | push                esi

        $sequence_8 = { 99 5f 68066e570a 4f bfdb4a7adc }
            // n = 5, score = 100
            //   99                   | cdq                 
            //   5f                   | pop                 edi
            //   68066e570a           | push                0xa576e06
            //   4f                   | dec                 edi
            //   bfdb4a7adc           | mov                 edi, 0xdc7a4adb

        $sequence_9 = { 1ddf859f31 e476 0c48 ce 74ec 1b826a013061 }
            // n = 6, score = 100
            //   1ddf859f31           | sbb                 eax, 0x319f85df
            //   e476                 | in                  al, 0x76
            //   0c48                 | or                  al, 0x48
            //   ce                   | into                
            //   74ec                 | je                  0xffffffee
            //   1b826a013061         | sbb                 eax, dword ptr [edx + 0x6130016a]

        $sequence_10 = { 2a18 ae 085ffb cf }
            // n = 4, score = 100
            //   2a18                 | sub                 bl, byte ptr [eax]
            //   ae                   | scasb               al, byte ptr es:[edi]
            //   085ffb               | or                  byte ptr [edi - 5], bl
            //   cf                   | iretd               

        $sequence_11 = { b5f9 43 324dd5 1ddf859f31 e476 0c48 }
            // n = 6, score = 100
            //   b5f9                 | mov                 ch, 0xf9
            //   43                   | inc                 ebx
            //   324dd5               | xor                 cl, byte ptr [ebp - 0x2b]
            //   1ddf859f31           | sbb                 eax, 0x319f85df
            //   e476                 | in                  al, 0x76
            //   0c48                 | or                  al, 0x48

        $sequence_12 = { 5f e1fb 1cc9 3ca5 2c8e a1???????? d528 }
            // n = 7, score = 100
            //   5f                   | pop                 edi
            //   e1fb                 | loope               0xfffffffd
            //   1cc9                 | sbb                 al, 0xc9
            //   3ca5                 | cmp                 al, 0xa5
            //   2c8e                 | sub                 al, 0x8e
            //   a1????????           |                     
            //   d528                 | aad                 0x28

        $sequence_13 = { b051 9f 4a d7 b9533e507c }
            // n = 5, score = 100
            //   b051                 | mov                 al, 0x51
            //   9f                   | lahf                
            //   4a                   | dec                 edx
            //   d7                   | xlatb               
            //   b9533e507c           | mov                 ecx, 0x7c503e53

        $sequence_14 = { 6c 6f aa 97 691c85470859bab566c1a5 }
            // n = 5, score = 100
            //   6c                   | insb                byte ptr es:[edi], dx
            //   6f                   | outsd               dx, dword ptr [esi]
            //   aa                   | stosb               byte ptr es:[edi], al
            //   97                   | xchg                eax, edi
            //   691c85470859bab566c1a5     | imul    ebx, dword ptr [eax*4 - 0x45a6f7b9], 0xa5c166b5

        $sequence_15 = { 813bf80937dc 8b4c6386 8608 5f }
            // n = 4, score = 100
            //   813bf80937dc         | cmp                 dword ptr [ebx], 0xdc3709f8
            //   8b4c6386             | mov                 ecx, dword ptr [ebx - 0x7a]
            //   8608                 | xchg                byte ptr [eax], cl
            //   5f                   | pop                 edi

    condition:
        7 of them and filesize < 1720320
}
Download all Yara Rules