win.mokes

Mokes


There is no description at this point.

References
2020-03-05Kaspersky LabsAMR
@online{amr:20200305:mokes:698295f, author = {AMR}, title = {{Mokes and Buerak distributed under the guise of security certificates}}, date = {2020-03-05}, organization = {Kaspersky Labs}, url = {https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/}, language = {English}, urldate = {2020-03-09} } Mokes and Buerak distributed under the guise of security certificates
Buer Mokes
2016-01-29Kaspersky LabsStefan Ortloff
@online{ortloff:20160129:from:d5b48fa, author = {Stefan Ortloff}, title = {{From Linux to Windows – New Family of Cross-Platform Desktop Backdoors Discovered}}, date = {2016-01-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/}, language = {English}, urldate = {2019-12-20} } From Linux to Windows – New Family of Cross-Platform Desktop Backdoors Discovered
Mokes Mokes
Yara Rules
[TLP:WHITE] win_mokes_auto (20221125 | Detects win.mokes.)
// Auto-generated code-sequence signature for the win.mokes family (Malpedia).
// Each $sequence_N below is a run of seven x86 instruction encodings lifted
// from disassembly; the commented column next to each string shows the
// instruction the bytes decode to. "??" in a YARA hex string is a wildcard
// that matches any single byte — the generator uses it where an operand was
// masked out, and leaves the disassembly column blank on those lines
// (presumably sample-specific addresses/displacements such as call targets —
// confirm against the yara-signator docs linked in the disclaimer).
// Intended use: triage/detection aid for unpacked samples or memory dumps;
// see the disclaimer below for the generalization caveats.
rule win_mokes_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.mokes."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Generator feature set used to pick the byte sequences (call/jump
        // sites, data references, binary values) — see the yara-signator
        // project for what each token means.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mokes"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        // Sharing/licensing terms as published by Malpedia.
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // For every sequence: "n" is the number of instructions in the run
        // (seven each here); "score" is the generator's internal ranking value
        // for the sequence — its scale is not documented on this page.
        $sequence_0 = { ff742424 ff15???????? 8bf8 885e11 85ff 7442 0fb7742418 }
            // n = 7, score = 400
            //   ff742424             | push                dword ptr [esp + 0x24]
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   885e11               | mov                 byte ptr [esi + 0x11], bl
            //   85ff                 | test                edi, edi
            //   7442                 | je                  0x44
            //   0fb7742418           | movzx               esi, word ptr [esp + 0x18]

        $sequence_1 = { ff5014 85c0 741d 8b06 8d4c2404 51 56 }
            // n = 7, score = 400
            //   ff5014               | call                dword ptr [eax + 0x14]
            //   85c0                 | test                eax, eax
            //   741d                 | je                  0x1f
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8d4c2404             | lea                 ecx, [esp + 4]
            //   51                   | push                ecx
            //   56                   | push                esi

        $sequence_2 = { f6c310 741b 8b44243c 83e3ef 8bcf f00fc108 750c }
            // n = 7, score = 400
            //   f6c310               | test                bl, 0x10
            //   741b                 | je                  0x1d
            //   8b44243c             | mov                 eax, dword ptr [esp + 0x3c]
            //   83e3ef               | and                 ebx, 0xffffffef
            //   8bcf                 | mov                 ecx, edi
            //   f00fc108             | lock xadd           dword ptr [eax], ecx
            //   750c                 | jne                 0xe

        $sequence_3 = { f6460804 7445 8d442410 8bcb 50 e8???????? 8b0e }
            // n = 7, score = 400
            //   f6460804             | test                byte ptr [esi + 8], 4
            //   7445                 | je                  0x47
            //   8d442410             | lea                 eax, [esp + 0x10]
            //   8bcb                 | mov                 ecx, ebx
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b0e                 | mov                 ecx, dword ptr [esi]

        $sequence_4 = { ff5208 8b460c 43 8b4e08 2bc1 3bd8 7ce3 }
            // n = 7, score = 400
            //   ff5208               | call                dword ptr [edx + 8]
            //   8b460c               | mov                 eax, dword ptr [esi + 0xc]
            //   43                   | inc                 ebx
            //   8b4e08               | mov                 ecx, dword ptr [esi + 8]
            //   2bc1                 | sub                 eax, ecx
            //   3bd8                 | cmp                 ebx, eax
            //   7ce3                 | jl                  0xffffffe5

        $sequence_5 = { ff742410 e8???????? 8d4c2408 e8???????? 8bc7 5f 5e }
            // n = 7, score = 400
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   e8????????           |                     
            //   8d4c2408             | lea                 ecx, [esp + 8]
            //   e8????????           |                     
            //   8bc7                 | mov                 eax, edi
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_6 = { ff742418 8d44245c 50 8b422c ffd0 f30f6f00 f30f7f442420 }
            // n = 7, score = 400
            //   ff742418             | push                dword ptr [esp + 0x18]
            //   8d44245c             | lea                 eax, [esp + 0x5c]
            //   50                   | push                eax
            //   8b422c               | mov                 eax, dword ptr [edx + 0x2c]
            //   ffd0                 | call                eax
            //   f30f6f00             | movdqu              xmm0, xmmword ptr [eax]
            //   f30f7f442420         | movdqu              xmmword ptr [esp + 0x20], xmm0

        $sequence_7 = { f6c201 7424 83e2fe 89542424 85ff 7419 83c8ff }
            // n = 7, score = 400
            //   f6c201               | test                dl, 1
            //   7424                 | je                  0x26
            //   83e2fe               | and                 edx, 0xfffffffe
            //   89542424             | mov                 dword ptr [esp + 0x24], edx
            //   85ff                 | test                edi, edi
            //   7419                 | je                  0x1b
            //   83c8ff               | or                  eax, 0xffffffff

        $sequence_8 = { f20f11442418 f20f104310 f20f11442420 f20f104308 f20f11442428 e8???????? f20f104c2428 }
            // n = 7, score = 400
            //   f20f11442418         | movsd               qword ptr [esp + 0x18], xmm0
            //   f20f104310           | movsd               xmm0, qword ptr [ebx + 0x10]
            //   f20f11442420         | movsd               qword ptr [esp + 0x20], xmm0
            //   f20f104308           | movsd               xmm0, qword ptr [ebx + 8]
            //   f20f11442428         | movsd               qword ptr [esp + 0x28], xmm0
            //   e8????????           |                     
            //   f20f104c2428         | movsd               xmm1, qword ptr [esp + 0x28]

        $sequence_9 = { f60080 7543 8d4e08 c744243000000000 e8???????? 8b0d???????? 33d2 }
            // n = 7, score = 400
            //   f60080               | test                byte ptr [eax], 0x80
            //   7543                 | jne                 0x45
            //   8d4e08               | lea                 ecx, [esi + 8]
            //   c744243000000000     | mov                 dword ptr [esp + 0x30], 0
            //   e8????????           |                     
            //   8b0d????????         |                     
            //   33d2                 | xor                 edx, edx

    condition:
        // Both clauses must hold:
        //  - at least 7 of the 10 $sequence_* strings are present, so a sample
        //    can miss up to three sequences and still match (presumably to
        //    tolerate per-build code differences — the threshold is the
        //    generator's choice, not tuned by hand);
        //  - the scanned object is smaller than 18505728 bytes (~17.6 MiB).
        // NOTE(review): YARA's `filesize` is only defined when scanning a file;
        // on process-memory scans this clause may keep the rule from firing —
        // confirm for your YARA version and scan mode before relying on it
        // for memory triage.
        7 of them and filesize < 18505728
}