SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mirage (Back to overview)

Mirage

Actor(s): Mirage


There is no description at this point.

References
2020-07-20Dr.WebDr.Web
@techreport{drweb:20200720:study:442ba99, author = {Dr.Web}, title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}}, date = {2020-07-20}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf}, language = {English}, urldate = {2020-10-02} } Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:134ec2b, author = {SecureWorks}, title = {{BRONZE PALACE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-palace}, language = {English}, urldate = {2020-05-23} } BRONZE PALACE
BS2005 Enfal Mirage RoyalCli Royal DNS Mirage
2019-10-16Jay Rosenberg
@online{rosenberg:20191016:apt15:d226ae8, author = {Jay Rosenberg}, title = {{APT15}}, date = {2019-10-16}, url = {https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/}, language = {English}, urldate = {2019-10-16} } APT15
Mirage MirageFox Mirage
2015-02-06CrowdStrikeCrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
Yara Rules
[TLP:WHITE] win_mirage_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_mirage_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirage"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c745f804010000 ff75fc ff15???????? ff75fc }
            // n = 4, score = 200
            //   c745f804010000       | mov                 dword ptr [ebp - 8], 0x104
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   ff75fc               | push                dword ptr [ebp - 4]

        $sequence_1 = { 6801000080 ff15???????? 85c0 7556 }
            // n = 4, score = 200
            //   6801000080           | push                0x80000001
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7556                 | jne                 0x58

        $sequence_2 = { 83fe04 0f856cfdffff 56 8d450c ff7508 50 }
            // n = 6, score = 200
            //   83fe04               | cmp                 esi, 4
            //   0f856cfdffff         | jne                 0xfffffd72
            //   56                   | push                esi
            //   8d450c               | lea                 eax, [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   50                   | push                eax

        $sequence_3 = { 6a00 57 e8???????? 6a07 68???????? 57 e8???????? }
            // n = 7, score = 200
            //   6a00                 | push                0
            //   57                   | push                edi
            //   e8????????           |                     
            //   6a07                 | push                7
            //   68????????           |                     
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_4 = { 8bce 33c0 8dbd85fdffff 889d84fdffff 68???????? f3ab 66ab }
            // n = 7, score = 200
            //   8bce                 | mov                 ecx, esi
            //   33c0                 | xor                 eax, eax
            //   8dbd85fdffff         | lea                 edi, [ebp - 0x27b]
            //   889d84fdffff         | mov                 byte ptr [ebp - 0x27c], bl
            //   68????????           |                     
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   66ab                 | stosw               word ptr es:[edi], ax

        $sequence_5 = { c705????????03000000 eb4c 83bd54ffffff02 753d a3???????? eb3c 83bd50ffffff06 }
            // n = 7, score = 200
            //   c705????????03000000     |     
            //   eb4c                 | jmp                 0x4e
            //   83bd54ffffff02       | cmp                 dword ptr [ebp - 0xac], 2
            //   753d                 | jne                 0x3f
            //   a3????????           |                     
            //   eb3c                 | jmp                 0x3e
            //   83bd50ffffff06       | cmp                 dword ptr [ebp - 0xb0], 6

        $sequence_6 = { 50 53 68???????? c745f804010000 }
            // n = 4, score = 200
            //   50                   | push                eax
            //   53                   | push                ebx
            //   68????????           |                     
            //   c745f804010000       | mov                 dword ptr [ebp - 8], 0x104

        $sequence_7 = { 83f8ff 751b ff15???????? 3d33270000 0f8552010000 }
            // n = 5, score = 200
            //   83f8ff               | cmp                 eax, -1
            //   751b                 | jne                 0x1d
            //   ff15????????         |                     
            //   3d33270000           | cmp                 eax, 0x2733
            //   0f8552010000         | jne                 0x158

        $sequence_8 = { 33db 59 85ff 7e1e 6a00 57 }
            // n = 6, score = 200
            //   33db                 | xor                 ebx, ebx
            //   59                   | pop                 ecx
            //   85ff                 | test                edi, edi
            //   7e1e                 | jle                 0x20
            //   6a00                 | push                0
            //   57                   | push                edi

        $sequence_9 = { ff7508 8945f0 ff15???????? 85c0 742f 8d45ff }
            // n = 6, score = 200
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   742f                 | je                  0x31
            //   8d45ff               | lea                 eax, [ebp - 1]

        $sequence_10 = { 80a41dc4f6ffff00 f3ab 66ab aa bf???????? 8d85c4f6ffff 57 }
            // n = 7, score = 200
            //   80a41dc4f6ffff00     | and                 byte ptr [ebp + ebx - 0x93c], 0
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   aa                   | stosb               byte ptr es:[edi], al
            //   bf????????           |                     
            //   8d85c4f6ffff         | lea                 eax, [ebp - 0x93c]
            //   57                   | push                edi

        $sequence_11 = { 6689b5f0fdffff 56 f3ab 66ab ff15???????? 8d45fc 50 }
            // n = 7, score = 100
            //   6689b5f0fdffff       | mov                 word ptr [ebp - 0x210], si
            //   56                   | push                esi
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   ff15????????         |                     
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax

        $sequence_12 = { ff75ec e8???????? 3bfe 59 8975ec 7535 }
            // n = 6, score = 100
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   e8????????           |                     
            //   3bfe                 | cmp                 edi, esi
            //   59                   | pop                 ecx
            //   8975ec               | mov                 dword ptr [ebp - 0x14], esi
            //   7535                 | jne                 0x37

        $sequence_13 = { 66ab 8d45b8 50 e8???????? 8d45b8 }
            // n = 5, score = 100
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   8d45b8               | lea                 eax, [ebp - 0x48]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d45b8               | lea                 eax, [ebp - 0x48]

        $sequence_14 = { 8945ec 0f84f8feffff 57 53 50 }
            // n = 5, score = 100
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   0f84f8feffff         | je                  0xfffffefe
            //   57                   | push                edi
            //   53                   | push                ebx
            //   50                   | push                eax

        $sequence_15 = { ff75fc ff15???????? 6a15 be???????? 59 8dbdd4f7ffff }
            // n = 6, score = 100
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   6a15                 | push                0x15
            //   be????????           |                     
            //   59                   | pop                 ecx
            //   8dbdd4f7ffff         | lea                 edi, [ebp - 0x82c]

    condition:
        7 of them and filesize < 1695744
}
Download all Yara Rules