Actor(s): Operation Soft Cell
There is no description at this point.
rule win_mim221_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.mim221."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mim221"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes on the string section below.
     *
     * - Each $sequence_N is a run of consecutive instruction encodings (hex
     *   bytes, no wildcards except the "????????" rel32 operand of the e8/call
     *   opcodes) taken from the unpacked code. Because they were selected from
     *   memory dumps / unpacked files, the rule is best applied to process
     *   memory or unpacked samples; a packed or encrypted on-disk copy will
     *   likely not expose these byte runs and will not match.
     * - "n" is the number of instructions in the sequence and "score" is the
     *   generator's selection score; both are informational and not used by
     *   the condition.
     * - NOTE(review): the per-opcode "| mnemonic" annotations are generator
     *   output and do not appear to decode the bytes they sit next to (for
     *   example 66 c7 85 be000000 6300 is a 16-bit "mov word ptr [rbp+0xbe],
     *   0x63", not "dec eax"). Treat them as misaligned artifacts, not as a
     *   disassembly of the pattern. Several sequences ($sequence_0,
     *   $sequence_7, $sequence_9) look like stack-string construction of
     *   ASCII bytes (0x63 'c', 0x61 'a', 0x74 't', 0x68 'h', 0x65 'e', ...)
     *   and $sequence_5 loads the immediate 0xC0000225 (looks like the
     *   NTSTATUS value STATUS_NOT_FOUND) - confirm against the sample before
     *   relying on this reading.
     */
    strings:
        $sequence_0 = { 66c785be0000006300 66c785c00000006100 66c785c20000007400 66c785c40000006300 66c785c60000006800 6689b5c8000000 66c785ca0000006500 }
            // n = 7, score = 100
            //   66c785be0000006300   | dec eax
            //   66c785c00000006100   | shl edi, 6
            //   66c785c20000007400   | dec eax
            //   66c785c40000006300   | lea esi, [eax + eax*2]
            //   66c785c60000006800   | dec eax
            //   6689b5c8000000       | add esi, esi
            //   66c785ca0000006500   | dec esp

        $sequence_1 = { c74128c0000000 c7412cc8000000 eb5d 48c701a0000000 c7412498000000 }
            // n = 5, score = 100
            //   c74128c0000000       | mov word ptr [esp + 0x142], 0x69
            //   c7412cc8000000       | mov word ptr [esp + 0x144], 0x6f
            //   eb5d                 | mov word ptr [esp + 0x13e], cx
            //   48c701a0000000       | mov word ptr [esp + 0x140], bp
            //   c7412498000000       | mov word ptr [esp + 0x142], bx

        $sequence_2 = { 8b5814 eb55 85ff 745e 8b4318 488d542450 488bce }
            // n = 7, score = 100
            //   8b5814               | add dh, al
            //   eb55                 | test byte ptr [edx + eax*4], ah
            //   85ff                 | add byte ptr [eax], al
            //   745e                 | add byte ptr [esi - 0x3a], dh
            //   8b4318               | test byte ptr [ebx + eax*4], ah
            //   488d542450           | add byte ptr [eax], al
            //   488bce               | add byte ptr [ecx + 0x49], ah

        $sequence_3 = { 4889442440 e8???????? 48396c2448 7515 448d4504 488d542430 488d4c2440 }
            // n = 7, score = 100
            //   4889442440           | mov dword ptr [esp + 0x414], edx
            //   e8????????           |            (call; rel32 target masked by the generator)
            //   48396c2448           | lea esi, [edi + 0x1b]
            //   7515                 | lea ebx, [edi - 9]
            //   448d4504             | dec eax
            //   488d542430           | lea ecx, [esp + 0x5e0]
            //   488d4c2440           | xor edx, edx

        $sequence_4 = { c6043300 488bc7 4883c428 5f 5e }
            // n = 5, score = 100
            //   c6043300             | cmp byte ptr [edx + 0x49], 0
            //   488bc7               | dec eax
            //   4883c428             | mov ebx, edx
            //   5f                   | push esi
            //   5e                   | push edi

        $sequence_5 = { 498d8b9cfeffff 4d8bc5 33d2 458be1 be250200c0 c644242083 c644242164 }
            // n = 7, score = 100
            //   498d8b9cfeffff       | push esi
            //   4d8bc5               | inc ecx
            //   33d2                 | push edi
            //   458be1               | dec eax
            //   be250200c0           | mov eax, esp
            //   c644242083           | dec eax
            //   c644242164           | sub esp, 0x168

        $sequence_6 = { 438b0426 89442428 4c896c2420 458b4f18 4d8b4710 }
            // n = 5, score = 100
            //   438b0426             | dec eax
            //   89442428             | lea eax, [esp + 0x20]
            //   4c896c2420           | mov byte ptr [esp + 0x4f], 0x55
            //   458b4f18             | mov byte ptr [esp + 0x50], 0x6e
            //   4d8b4710             | mov byte ptr [esp + 0x51], 0x69

        $sequence_7 = { 66c744243e2a00 6689442440 66c74424425300 66c74424444800 66c74424464100 66c74424483100 }
            // n = 6, score = 100
            //   66c744243e2a00       | mov dword ptr [esp + 0x628], ebx
            //   6689442440           | mov dword ptr [esp + 0x62c], 1
            //   66c74424425300       | lea ebx, [edi + 1]
            //   66c74424444800       | dec eax
            //   66c74424464100       | lea eax, [esp + 0x890]
            //   66c74424483100       | dec eax

        $sequence_8 = { 83fb11 0f8f4f010000 0f842f010000 83fb80 0f840c010000 85db 0f84d5000000 }
            // n = 7, score = 100
            //   83fb11               | mov byte ptr [esp + 0x118], bl
            //   0f8f4f010000         | xor eax, eax
            //   0f842f010000         | dec eax
            //   83fb80               | lea eax, [esp + 0x110]
            //   0f840c010000         | dec eax
            //   85db                 | mov dword ptr [esp + 0x210], eax
            //   0f84d5000000         | inc ecx

        $sequence_9 = { e8???????? eb07 4c8d25ec3e0100 4889beb8000000 f0830701 f686c800000002 0f8518010000 }
            // n = 7, score = 100
            //   e8????????           |            (call; rel32 target masked by the generator)
            //   eb07                 | mov word ptr [esp + 0x50], 0x6d
            //   4c8d25ec3e0100       | mov word ptr [esp + 0x52], bp
            //   4889beb8000000       | mov word ptr [esp + 0x54], 0x6e
            //   f0830701             | mov word ptr [esp + 0x56], 0x74
            //   f686c800000002       | mov word ptr [esp + 0x58], 0x61
            //   0f8518010000         | mov word ptr [esp + 0x5a], 0x6c

    // At least 7 of the 10 $sequence_* strings must be present, and the scanned
    // object must be smaller than 471040 bytes (460 KiB). The size cap means a
    // larger file or container that embeds the code (installer, archive, dump
    // with extra mappings) is skipped even when the sequences are present;
    // extract or unpack first if that is the artifact being scanned.
    condition:
        7 of them and filesize < 471040
}