SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mirage (Back to overview)

Mirage

Actor(s): Mirage


There is no description at this point.

References
2020-07-20Dr.WebDr.Web
@techreport{drweb:20200720:study:442ba99, author = {Dr.Web}, title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}}, date = {2020-07-20}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf}, language = {English}, urldate = {2020-10-02} } Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:134ec2b, author = {SecureWorks}, title = {{BRONZE PALACE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-palace}, language = {English}, urldate = {2020-05-23} } BRONZE PALACE
BS2005 Enfal Mirage RoyalCli Royal DNS Mirage
2019-10-16Jay Rosenberg
@online{rosenberg:20191016:apt15:d226ae8, author = {Jay Rosenberg}, title = {{APT15}}, date = {2019-10-16}, url = {https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/}, language = {English}, urldate = {2019-10-16} } APT15
Mirage MirageFox Mirage
2015-02-06CrowdStrikeCrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
Yara Rules
[TLP:WHITE] win_mirage_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_mirage_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirage"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d85b47bffff 53 50 e8???????? 57 }
            // n = 5, score = 200
            //   8d85b47bffff         | lea                 eax, [ebp - 0x844c]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   e8????????           |                     
            //   57                   | push                edi

        $sequence_1 = { 6a3f 59 33c0 8dbd91fdffff 889590fdffff f3ab 66ab }
            // n = 7, score = 200
            //   6a3f                 | push                0x3f
            //   59                   | pop                 ecx
            //   33c0                 | xor                 eax, eax
            //   8dbd91fdffff         | lea                 edi, [ebp - 0x26f]
            //   889590fdffff         | mov                 byte ptr [ebp - 0x270], dl
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   66ab                 | stosw               word ptr es:[edi], ax

        $sequence_2 = { 80640dc800 8d45c8 50 e8???????? 8bf8 }
            // n = 5, score = 200
            //   80640dc800           | and                 byte ptr [ebp + ecx - 0x38], 0
            //   8d45c8               | lea                 eax, [ebp - 0x38]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_3 = { 894df0 c745fc04000000 881f 899948010000 ff15???????? 85c0 }
            // n = 6, score = 200
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   c745fc04000000       | mov                 dword ptr [ebp - 4], 4
            //   881f                 | mov                 byte ptr [edi], bl
            //   899948010000         | mov                 dword ptr [ecx + 0x148], ebx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_4 = { 64890d00000000 5b c9 c3 be0c010000 }
            // n = 5, score = 200
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c3                   | ret                 
            //   be0c010000           | mov                 esi, 0x10c

        $sequence_5 = { 83c414 8d45ec 53 50 8d857cbcffff 6800400000 }
            // n = 6, score = 200
            //   83c414               | add                 esp, 0x14
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   8d857cbcffff         | lea                 eax, [ebp - 0x4384]
            //   6800400000           | push                0x4000

        $sequence_6 = { 50 53 68???????? c745f804010000 ff75fc }
            // n = 5, score = 200
            //   50                   | push                eax
            //   53                   | push                ebx
            //   68????????           |                     
            //   c745f804010000       | mov                 dword ptr [ebp - 8], 0x104
            //   ff75fc               | push                dword ptr [ebp - 4]

        $sequence_7 = { c745f804010000 ff75fc ff15???????? ff75fc }
            // n = 4, score = 200
            //   c745f804010000       | mov                 dword ptr [ebp - 8], 0x104
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   ff75fc               | push                dword ptr [ebp - 4]

        $sequence_8 = { 59 68???????? e8???????? bf???????? 8945ec 8bc7 59 }
            // n = 7, score = 200
            //   59                   | pop                 ecx
            //   68????????           |                     
            //   e8????????           |                     
            //   bf????????           |                     
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   8bc7                 | mov                 eax, edi
            //   59                   | pop                 ecx

        $sequence_9 = { 6801000080 ff15???????? 85c0 7556 }
            // n = 4, score = 200
            //   6801000080           | push                0x80000001
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7556                 | jne                 0x58

        $sequence_10 = { eb7e 83bd50ffffff05 7539 399d54ffffff 750c c705????????02000000 }
            // n = 6, score = 200
            //   eb7e                 | jmp                 0x80
            //   83bd50ffffff05       | cmp                 dword ptr [ebp - 0xb0], 5
            //   7539                 | jne                 0x3b
            //   399d54ffffff         | cmp                 dword ptr [ebp - 0xac], ebx
            //   750c                 | jne                 0xe
            //   c705????????02000000     |     

        $sequence_11 = { 8d4dfc 51 8d75ec 83ec10 66c745ec0300 8bfc }
            // n = 6, score = 100
            //   8d4dfc               | lea                 ecx, [ebp - 4]
            //   51                   | push                ecx
            //   8d75ec               | lea                 esi, [ebp - 0x14]
            //   83ec10               | sub                 esp, 0x10
            //   66c745ec0300         | mov                 word ptr [ebp - 0x14], 3
            //   8bfc                 | mov                 edi, esp

        $sequence_12 = { ff15???????? 5e 33c0 c20400 }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   5e                   | pop                 esi
            //   33c0                 | xor                 eax, eax
            //   c20400               | ret                 4

        $sequence_13 = { 5b ff7508 ff15???????? 8bc7 5f c9 c20800 }
            // n = 7, score = 100
            //   5b                   | pop                 ebx
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   8bc7                 | mov                 eax, edi
            //   5f                   | pop                 edi
            //   c9                   | leave               
            //   c20800               | ret                 8

        $sequence_14 = { 8d85a0f7ffff 50 e8???????? 50 }
            // n = 4, score = 100
            //   8d85a0f7ffff         | lea                 eax, [ebp - 0x860]
            //   50                   | push                eax
            //   e8????????           |                     
            //   50                   | push                eax

        $sequence_15 = { 2bc7 48 50 8d443701 50 }
            // n = 5, score = 100
            //   2bc7                 | sub                 eax, edi
            //   48                   | dec                 eax
            //   50                   | push                eax
            //   8d443701             | lea                 eax, [edi + esi + 1]
            //   50                   | push                eax

    condition:
        7 of them and filesize < 1695744
}
Download all Yara Rules