SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mirage (Back to overview)

Mirage

Actor(s): Mirage


There is no description at this point.

References
2020-07-20Dr.WebDr.Web
@techreport{drweb:20200720:study:442ba99, author = {Dr.Web}, title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}}, date = {2020-07-20}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf}, language = {English}, urldate = {2020-10-02} } Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:134ec2b, author = {SecureWorks}, title = {{BRONZE PALACE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-palace}, language = {English}, urldate = {2020-05-23} } BRONZE PALACE
BS2005 Enfal Mirage RoyalCli Royal DNS APT15
2019-10-16Jay Rosenberg
@online{rosenberg:20191016:apt15:d226ae8, author = {Jay Rosenberg}, title = {{APT15}}, date = {2019-10-16}, url = {https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/}, language = {English}, urldate = {2019-10-16} } APT15
Mirage MirageFox APT15
2015-02-06CrowdStrikeCrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
Yara Rules
[TLP:WHITE] win_mirage_auto (20221125 | Detects win.mirage.)
rule win_mirage_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.mirage."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirage"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6801000080 ff15???????? 85c0 7556 }
            // n = 4, score = 200
            //   6801000080           | push                0x80000001
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7556                 | jne                 0x58

        $sequence_1 = { 66ab aa 8d4624 50 }
            // n = 4, score = 200
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   aa                   | stosb               byte ptr es:[edi], al
            //   8d4624               | lea                 eax, [esi + 0x24]
            //   50                   | push                eax

        $sequence_2 = { 57 8db108010000 ffb514010000 894df8 68???????? }
            // n = 5, score = 200
            //   57                   | push                edi
            //   8db108010000         | lea                 esi, [ecx + 0x108]
            //   ffb514010000         | push                dword ptr [ebp + 0x114]
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   68????????           |                     

        $sequence_3 = { ff75fc ff15???????? 8d8508ffffff 50 ff15???????? ff75f8 }
            // n = 6, score = 200
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   8d8508ffffff         | lea                 eax, [ebp - 0xf8]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   ff75f8               | push                dword ptr [ebp - 8]

        $sequence_4 = { 55 8bec 81eca0010000 56 57 8d8560feffff }
            // n = 6, score = 200
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81eca0010000         | sub                 esp, 0x1a0
            //   56                   | push                esi
            //   57                   | push                edi
            //   8d8560feffff         | lea                 eax, [ebp - 0x1a0]

        $sequence_5 = { 8bec b82c410000 e8???????? 53 }
            // n = 4, score = 200
            //   8bec                 | mov                 ebp, esp
            //   b82c410000           | mov                 eax, 0x412c
            //   e8????????           |                     
            //   53                   | push                ebx

        $sequence_6 = { ff7620 ff15???????? 83f8ff 7517 ff15???????? 3d33270000 }
            // n = 6, score = 200
            //   ff7620               | push                dword ptr [esi + 0x20]
            //   ff15????????         |                     
            //   83f8ff               | cmp                 eax, -1
            //   7517                 | jne                 0x19
            //   ff15????????         |                     
            //   3d33270000           | cmp                 eax, 0x2733

        $sequence_7 = { 33c0 807de601 0f95c0 83c005 ebda }
            // n = 5, score = 200
            //   33c0                 | xor                 eax, eax
            //   807de601             | cmp                 byte ptr [ebp - 0x1a], 1
            //   0f95c0               | setne               al
            //   83c005               | add                 eax, 5
            //   ebda                 | jmp                 0xffffffdc

        $sequence_8 = { 8d45f0 68???????? 50 e8???????? 83c420 57 }
            // n = 6, score = 200
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c420               | add                 esp, 0x20
            //   57                   | push                edi

        $sequence_9 = { 8d45f4 50 53 68???????? c745f804010000 ff75fc ff15???????? }
            // n = 7, score = 200
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   68????????           |                     
            //   c745f804010000       | mov                 dword ptr [ebp - 8], 0x104
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     

        $sequence_10 = { 83c410 85f6 7558 66218540ffffff }
            // n = 4, score = 100
            //   83c410               | add                 esp, 0x10
            //   85f6                 | test                esi, esi
            //   7558                 | jne                 0x5a
            //   66218540ffffff       | and                 word ptr [ebp - 0xc0], ax

        $sequence_11 = { 8d8520ffffff 50 895dfc 66a5 e8???????? 59 }
            // n = 6, score = 100
            //   8d8520ffffff         | lea                 eax, [ebp - 0xe0]
            //   50                   | push                eax
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   66a5                 | movsw               word ptr es:[edi], word ptr [esi]
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_12 = { 8bd8 59 3bde 7505 83c8ff eb44 }
            // n = 6, score = 100
            //   8bd8                 | mov                 ebx, eax
            //   59                   | pop                 ecx
            //   3bde                 | cmp                 ebx, esi
            //   7505                 | jne                 7
            //   83c8ff               | or                  eax, 0xffffffff
            //   eb44                 | jmp                 0x46

        $sequence_13 = { 8d855cfdffff 50 e8???????? 8d855cfdffff 68???????? 50 e8???????? }
            // n = 7, score = 100
            //   8d855cfdffff         | lea                 eax, [ebp - 0x2a4]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d855cfdffff         | lea                 eax, [ebp - 0x2a4]
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_14 = { 56 e8???????? 2bc7 48 50 8d443701 50 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   e8????????           |                     
            //   2bc7                 | sub                 eax, edi
            //   48                   | dec                 eax
            //   50                   | push                eax
            //   8d443701             | lea                 eax, [edi + esi + 1]
            //   50                   | push                eax

        $sequence_15 = { 7553 8b45fc 53 85c0 56 7504 }
            // n = 6, score = 100
            //   7553                 | jne                 0x55
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   53                   | push                ebx
            //   85c0                 | test                eax, eax
            //   56                   | push                esi
            //   7504                 | jne                 6

    condition:
        7 of them and filesize < 1695744
}
Download all Yara Rules