Actor(s): Ghostwriter
Open-source lightweight backdoor for C2 communication.GitHub: https://github.com/Cr4sh/MicroBackdoor
rule win_microbackdoor_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-07-11" version = "1" description = "Detects win.microbackdoor." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microbackdoor" malpedia_rule_date = "20230705" malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41" malpedia_version = "20230715" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 4533c9 488d542430 458d4103 488bcb 66c74424300501 } // n = 5, score = 100 // 4533c9 | dec eax // 488d542430 | mov ecx, 0x80000002 // 458d4103 | dec eax // 488bcb | mov dword ptr [esp + 0x20], eax // 66c74424300501 | mov ebx, eax $sequence_1 = { 0f832f010000 ff15???????? e9???????? 8b5d0c 8d4dec } // n = 5, score = 100 // 0f832f010000 | cmp dword ptr [ebp - 0x94], 2 // ff15???????? | // e9???????? | // 8b5d0c | jne 0xbe // 8d4dec | cmp dword ptr [ebp - 0xa0], 5 $sequence_2 = { ff15???????? 488905???????? 4885c0 742f ff15???????? 3db7000000 7522 } // n = 7, score = 100 // ff15???????? | // 488905???????? | // 4885c0 | dec eax // 742f | test eax, eax // ff15???????? | // 3db7000000 | je 0x31 // 7522 | cmp eax, 0xb7 $sequence_3 = { ff15???????? eb06 ff15???????? 5b 5f } // n = 5, score = 100 // ff15???????? | // eb06 | test eax, eax // ff15???????? | // 5b | jne 0x11 // 5f | or eax, 0xffffffff $sequence_4 = { ff15???????? 33c0 e9???????? 83bd6cffffff02 0f85b1000000 83bd60ffffff05 0f86a4000000 } // n = 7, score = 100 // ff15???????? | // 33c0 | jne 0xc6 // e9???????? | // 83bd6cffffff02 | dec ebp // 0f85b1000000 | mov eax, esi // 83bd60ffffff05 | dec eax // 0f86a4000000 | mov eax, ebx $sequence_5 = { 8bf0 85f6 7504 33c0 eb79 8b3d???????? } // n = 6, score = 100 // 8bf0 | push esi // 85f6 | push dword ptr [ebp + 8] // 7504 | xor esi, esi // 33c0 | test eax, eax // eb79 | xor eax, eax // 8b3d???????? | $sequence_6 = { 85c0 0f8ea0000000 8d85f0feffff 50 53 e8???????? 85c0 } // n = 7, score = 100 // 85c0 | nop dword ptr [eax] // 0f8ea0000000 | cmp byte ptr [ebx + eax + 1], 0 // 8d85f0feffff | dec eax // 50 | lea eax, [eax + 1] // 53 | jne 0xd // e8???????? | // 85c0 | lea edx, [eax + 1] $sequence_7 = { ff15???????? 8bd8 85c0 7514 ff15???????? 488d0d2f6c0000 } // n = 6, score = 100 // ff15???????? | // 8bd8 | inc esp // 85c0 | mov ecx, edi // 7514 | inc ebp // ff15???????? | // 488d0d2f6c0000 | xor eax, eax $sequence_8 = { 8b5d0c 40 56 33f6 } // n = 4, score = 100 // 8b5d0c | jbe 0xbe // 40 | mov eax, dword ptr [ebp - 0x234] // 56 | pop ecx // 33f6 | pop ecx $sequence_9 = { e8???????? 8b85ccfdffff 59 59 85c0 7505 83c8ff } // n = 7, score = 100 // e8???????? | // 8b85ccfdffff | dec esp // 59 | sub eax, ebx // 59 | nop word ptr [eax + eax] // 85c0 | je 0x6d // 7505 | dec eax // 83c8ff | or eax, 0xffffffff $sequence_10 = { 4439a5a8000000 0f85b9000000 4d8bc6 488bc3 4c2bc3 66660f1f840000000000 } // n = 6, score = 100 // 4439a5a8000000 | inc ebp // 0f85b9000000 | xor ecx, ecx // 4d8bc6 | dec eax // 488bc3 | lea edx, [esp + 0x30] // 4c2bc3 | inc ebp // 66660f1f840000000000 | lea eax, [ecx + 3] $sequence_11 = { 7514 8d4201 488b9c24f0000000 4881c4e0000000 } // n = 4, score = 100 // 7514 | test eax, eax // 8d4201 | jne 0x1a // 488b9c24f0000000 | dec eax // 4881c4e0000000 | lea ecx, [0x6c2f] $sequence_12 = { 488d1543520000 448bcf 4533c0 48c7c102000080 4889442420 } // n = 5, score = 100 // 488d1543520000 | mov dword ptr [esp + 0x28], 0x7ff // 448bcf | dec esp // 4533c0 | mov dword ptr [esp + 0x20], esi // 48c7c102000080 | dec eax // 4889442420 | lea edx, [0x5243] $sequence_13 = { 56 ff7508 ff15???????? a1???????? 33f6 8b1d???????? 85c0 } // n = 7, score = 100 // 56 | dec eax // ff7508 | add esp, 0xe0 // ff15???????? | // a1???????? | // 33f6 | inc esp // 8b1d???????? | // 85c0 | cmp dword ptr [ebp + 0xa8], esp $sequence_14 = { b9e9fd0000 c7442428ff070000 4c89742420 ff15???????? } // n = 4, score = 100 // b9e9fd0000 | dec eax // c7442428ff070000 | lea ecx, [0x640e] // 4c89742420 | mov ecx, 0xfde9 // ff15???????? | $sequence_15 = { 8bd0 e8???????? 8b542468 488d0d0e640000 e8???????? } // n = 5, score = 100 // 8bd0 | jne 0x24 // e8???????? | // 8b542468 | mov edx, eax // 488d0d0e640000 | mov edx, dword ptr [esp + 0x68] // e8???????? | condition: 7 of them and filesize < 123904 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY