win.mirage (Back to overview)

Mirage

Actor(s): Mirage


There is no description at this point.

References
2020-07-20 — Dr.Web — Dr.Web
@techreport{drweb:20200720:study:442ba99, author = {Dr.Web}, title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}}, date = {2020-07-20}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf}, language = {English}, urldate = {2020-10-02} } Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird
2020 — Secureworks — SecureWorks
@online{secureworks:2020:bronze:134ec2b, author = {SecureWorks}, title = {{BRONZE PALACE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-palace}, language = {English}, urldate = {2020-05-23} } BRONZE PALACE
BS2005 Enfal Mirage RoyalCli Royal DNS Mirage
2019-10-16 — Jay Rosenberg
@online{rosenberg:20191016:apt15:d226ae8, author = {Jay Rosenberg}, title = {{APT15}}, date = {2019-10-16}, url = {https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/}, language = {English}, urldate = {2019-10-16} } APT15
Mirage MirageFox Mirage
2015-02-06 — CrowdStrike — CrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
Yara Rules
[TLP:WHITE] win_mirage_auto (20210616 | Detects win.mirage.)
rule win_mirage_auto {
    // Auto-generated code-sequence rule for the win.mirage family (see the
    // DISCLAIMER below). Each $sequence_N string is a short run of x86
    // instruction bytes lifted from disassembly of samples; the rule fires
    // when enough of these runs co-occur in an object below the size bound
    // given in `condition`. It matches code shape, not configuration or
    // network indicators, so it is a family-level detection, not a sample hash.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.mirage."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        // malpedia_* fields appear to pin this rule to the Malpedia data
        // snapshot (date / version / hash) it was generated from — confirm
        // against the referenced Malpedia page before relying on them.
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirage"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Reading the generator annotations under each sequence:
        //   n     = number of instructions in the sequence (matches the rows listed)
        //   score = yara-signator ranking value; its scale is not documented on
        //           this page, only that sequences 0-9 carry 200 and 10-15 carry 100
        // A `??` pair is a one-byte wildcard. The mnemonic column is left blank
        // for instructions whose operand bytes are wildcarded — presumably
        // addresses that vary with link layout or load address (e8 = call rel32,
        // ff15 = call [abs32], 68 = push imm32, a3 = mov [abs32], eax) — so for
        // those rows only the opcode bytes contribute to the match.
        $sequence_0 = { 3bf8 740a 8a17 88540dc8 41 }
            // n = 5, score = 200
            //   3bf8                 | cmp                 edi, eax
            //   740a                 | je                  0xc
            //   8a17                 | mov                 dl, byte ptr [edi]
            //   88540dc8             | mov                 byte ptr [ebp + ecx - 0x38], dl
            //   41                   | inc                 ecx
            // Byte-copy loop body into a stack buffer at [ebp - 0x38]; the buffer
            // length is not visible here, so nothing can be said about bounds.

        $sequence_1 = { 8bd8 ffd6 2bc7 bf???????? 85db }
            // n = 5, score = 200
            //   8bd8                 | mov                 ebx, eax
            //   ffd6                 | call                esi
            //   2bc7                 | sub                 eax, edi
            //   bf????????           |
            //   85db                 | test                ebx, ebx

        $sequence_2 = { 6801000080 ff15???????? 85c0 7556 }
            // n = 4, score = 200
            //   6801000080           | push                0x80000001
            //   ff15????????         |
            //   85c0                 | test                eax, eax
            //   7556                 | jne                 0x58
            // NOTE(review): 0x80000001 is the value of HKEY_CURRENT_USER, so the
            // wildcarded indirect call is presumably a registry API — confirm in a
            // sample before describing this as registry access in a report.

        $sequence_3 = { 834dfcff 8d8dd0fcffff e8???????? e9???????? bf1c810000 3bf7 }
            // n = 6, score = 200
            //   834dfcff             | or                  dword ptr [ebp - 4], 0xffffffff
            //   8d8dd0fcffff         | lea                 ecx, dword ptr [ebp - 0x330]
            //   e8????????           |
            //   e9????????           |
            //   bf1c810000           | mov                 edi, 0x811c
            //   3bf7                 | cmp                 esi, edi

        $sequence_4 = { ff15???????? e9???????? 834e20ff 8d7e04 6a19 }
            // n = 5, score = 200
            //   ff15????????         |
            //   e9????????           |
            //   834e20ff             | or                  dword ptr [esi + 0x20], 0xffffffff
            //   8d7e04               | lea                 edi, dword ptr [esi + 4]
            //   6a19                 | push                0x19

        $sequence_5 = { 2b4514 894518 57 e8???????? 59 c605????????03 c6450805 }
            // n = 7, score = 200
            //   2b4514               | sub                 eax, dword ptr [ebp + 0x14]
            //   894518               | mov                 dword ptr [ebp + 0x18], eax
            //   57                   | push                edi
            //   e8????????           |
            //   59                   | pop                 ecx
            //   c605????????03       |
            //   c6450805             | mov                 byte ptr [ebp + 8], 5
            // The c605 row is `mov byte ptr [abs32], 3` with the address wildcarded;
            // the immediate 03 is still part of the match.

        $sequence_6 = { 81ec3c090000 53 56 8bf1 }
            // n = 4, score = 200
            //   81ec3c090000         | sub                 esp, 0x93c
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            // Function prologue (0x93c-byte frame plus callee-saved pushes).
            // Prologue-shaped sequences recur across unrelated compiled code, so
            // this one should not carry much weight on its own.

        $sequence_7 = { c1e814 40 5b a3???????? c9 }
            // n = 5, score = 200
            //   c1e814               | shr                 eax, 0x14
            //   40                   | inc                 eax
            //   5b                   | pop                 ebx
            //   a3????????           |
            //   c9                   | leave

        $sequence_8 = { 6a07 50 68???????? e8???????? 83c418 }
            // n = 5, score = 200
            //   6a07                 | push                7
            //   50                   | push                eax
            //   68????????           |
            //   e8????????           |
            //   83c418               | add                 esp, 0x18
            // cdecl call with 0x18 bytes of arguments cleaned up by the caller;
            // only two of the pushes are visible in this window.

        $sequence_9 = { 50 53 68???????? c745f804010000 ff75fc ff15???????? ff75fc }
            // n = 7, score = 200
            //   50                   | push                eax
            //   53                   | push                ebx
            //   68????????           |
            //   c745f804010000       | mov                 dword ptr [ebp - 8], 0x104
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |
            //   ff75fc               | push                dword ptr [ebp - 4]
            // NOTE(review): 0x104 (260) equals MAX_PATH, which suggests a
            // path-sized buffer length — the callee is wildcarded, so confirm.

        $sequence_10 = { ff15???????? 668365c000 6a09 59 }
            // n = 4, score = 100
            //   ff15????????         |
            //   668365c000           | and                 word ptr [ebp - 0x40], 0
            //   6a09                 | push                9
            //   59                   | pop                 ecx
            // `push imm8; pop ecx` is a compact way of loading a small constant;
            // it shows up in size-optimised builds and in hand-written code alike.

        $sequence_11 = { 50 6800000080 c745cc0c000000 ff7508 8975d0 8945d4 ff15???????? }
            // n = 7, score = 100
            //   50                   | push                eax
            //   6800000080           | push                0x80000000
            //   c745cc0c000000       | mov                 dword ptr [ebp - 0x34], 0xc
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8975d0               | mov                 dword ptr [ebp - 0x30], esi
            //   8945d4               | mov                 dword ptr [ebp - 0x2c], eax
            //   ff15????????         |
            // NOTE(review): 0x80000000 is both HKEY_CLASSES_ROOT and GENERIC_READ;
            // with the callee wildcarded the API cannot be inferred from this
            // value alone — do not annotate it as registry access without a sample.

        $sequence_12 = { 85c0 a3???????? 747a 68???????? 56 }
            // n = 5, score = 100
            //   85c0                 | test                eax, eax
            //   a3????????           |
            //   747a                 | je                  0x7c
            //   68????????           |
            //   56                   | push                esi
            // Stores a call result to a global, then branches on it being zero —
            // a common handle/pointer check pattern.

        $sequence_13 = { 7413 f685f8f5ffff10 740a 53 56 ff15???????? eb07 }
            // n = 7, score = 100
            //   7413                 | je                  0x15
            //   f685f8f5ffff10       | test                byte ptr [ebp - 0xa08], 0x10
            //   740a                 | je                  0xc
            //   53                   | push                ebx
            //   56                   | push                esi
            //   ff15????????         |
            //   eb07                 | jmp                 9

        $sequence_14 = { ff15???????? 8d55f0 8365e800 52 8365f800 8d55f0 }
            // n = 6, score = 100
            //   ff15????????         |
            //   8d55f0               | lea                 edx, dword ptr [ebp - 0x10]
            //   8365e800             | and                 dword ptr [ebp - 0x18], 0
            //   52                   | push                edx
            //   8365f800             | and                 dword ptr [ebp - 8], 0
            //   8d55f0               | lea                 edx, dword ptr [ebp - 0x10]

        $sequence_15 = { 8d85f0e6ffff 57 50 8d8514f3ffff 6aff 50 53 }
            // n = 7, score = 100
            //   8d85f0e6ffff         | lea                 eax, dword ptr [ebp - 0x1910]
            //   57                   | push                edi
            //   50                   | push                eax
            //   8d8514f3ffff         | lea                 eax, dword ptr [ebp - 0xcec]
            //   6aff                 | push                -1
            //   50                   | push                eax
            //   53                   | push                ebx

    condition:
        // Fire when at least 7 of the 16 sequences match (the ten 200-score
        // sequences alone can satisfy this; the 100-score ones only add to it)
        // AND the scanned object is smaller than 1695744 bytes (1656 KiB).
        // `filesize` is the size of the object YARA is scanning, so objects at
        // or above the bound — e.g. large memory dumps — will not match however
        // many sequences they contain; when scanning live process memory,
        // check how your scanner defines filesize before trusting a no-match.
        7 of them and filesize < 1695744
}