win.mokes

Mokes


Malpedia has no description for this family yet. The references below describe Mokes as a cross-platform desktop backdoor (a Linux variant was found first, followed by a Windows one) that was later seen distributed under the guise of security certificates.

References
2020-03-05 — Kaspersky Labs — AMR
@online{amr:20200305:mokes:698295f, author = {AMR}, title = {{Mokes and Buerak distributed under the guise of security certificates}}, date = {2020-03-05}, organization = {Kaspersky Labs}, url = {https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/}, language = {English}, urldate = {2020-03-09} } Mokes and Buerak distributed under the guise of security certificates
Tagged families: Buer, Mokes
2016-01-29 — Kaspersky Labs — Stefan Ortloff
@online{ortloff:20160129:from:d5b48fa, author = {Stefan Ortloff}, title = {{From Linux to Windows – New Family of Cross-Platform Desktop Backdoors Discovered}}, date = {2016-01-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/}, language = {English}, urldate = {2019-12-20} } From Linux to Windows – New Family of Cross-Platform Desktop Backdoors Discovered
Mokes Mokes
Yara Rules
[TLP:WHITE] win_mokes_auto (20201023 | autogenerated rule brought to you by yara-signator)
// Auto-generated Malpedia YARA rule for the win.mokes family (Mokes backdoor).
// Ten seven-instruction x86 code sequences ($sequence_0 .. $sequence_9) were
// selected by yara-signator from unpacked files and memory dumps (see the
// DISCLAIMER below). The rule fires when 7 of the 10 sequences are present and
// the scanned object is under the size cap in the condition.
// Because the strings are code bytes rather than data, the rule is aimed at
// unpacked code (memory images, unpacked samples); a packed on-disk sample is
// unlikely to match. In every sequence `e8????????` / `e9????????` is a
// call / jmp whose rel32 displacement is wildcarded, since it varies with
// code layout between builds.
rule win_mokes_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // `date` / malpedia_rule_date appear to be the generation date of this
        // rule; malpedia_version is the corpus snapshot the samples came from.
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator used: call/jump sites, data references
        // and immediate values.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mokes"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Pushes [edi+0x30] as the single argument of a cdecl call (esp is
        // adjusted by 4 afterwards), then zeroes [edi+0x30] and [edi+0x64] —
        // presumably releases a pointer-sized field and resets the object;
        // not confirmed. The trailing mov/test starts a walk over [ebx].
        $sequence_0 = { ff7730 e8???????? 83c404 c7473000000000 c7476400000000 8b3b 85ff }
            // n = 7, score = 400
            //   ff7730               | push                dword ptr [edi + 0x30]
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   c7473000000000       | mov                 dword ptr [edi + 0x30], 0
            //   c7476400000000       | mov                 dword ptr [edi + 0x64], 0
            //   8b3b                 | mov                 edi, dword ptr [ebx]
            //   85ff                 | test                edi, edi

        // Indirect call through eax, then the first two dwords of whatever eax
        // points to afterwards (presumably the returned object) are copied
        // into stack slots.
        $sequence_1 = { ffd0 8b10 8954245c 8b4004 8b7c241c 89442460 89442414 }
            // n = 7, score = 400
            //   ffd0                 | call                eax
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   8954245c             | mov                 dword ptr [esp + 0x5c], edx
            //   8b4004               | mov                 eax, dword ptr [eax + 4]
            //   8b7c241c             | mov                 edi, dword ptr [esp + 0x1c]
            //   89442460             | mov                 dword ptr [esp + 0x60], eax
            //   89442414             | mov                 dword ptr [esp + 0x14], eax

        // SSE2 int32 -> double conversion of consecutive dwords near edx into
        // consecutive qwords at ecx (the load feeding the first cvtdq2pd lies
        // before this window), followed by [edx+8] - [edx].
        $sequence_2 = { f30fe6c0 f20f1101 660f6e4204 f30fe6c0 f20f114108 8b4208 2b02 }
            // n = 7, score = 400
            //   f30fe6c0             | cvtdq2pd            xmm0, xmm0
            //   f20f1101             | movsd               qword ptr [ecx], xmm0
            //   660f6e4204           | movd                xmm0, dword ptr [edx + 4]
            //   f30fe6c0             | cvtdq2pd            xmm0, xmm0
            //   f20f114108           | movsd               qword ptr [ecx + 8], xmm0
            //   8b4208               | mov                 eax, dword ptr [edx + 8]
            //   2b02                 | sub                 eax, dword ptr [edx]

        // Conditional-maximum update on a double: compare xmm0 with
        // [edi+0x100] and store xmm0 there only when it is greater (the jbe
        // skips the store otherwise).
        $sequence_3 = { f20f10442468 660f2f8700010000 0f8679020000 f20f118700010000 e9???????? 8b442428 8b4020 }
            // n = 7, score = 400
            //   f20f10442468         | movsd               xmm0, qword ptr [esp + 0x68]
            //   660f2f8700010000     | comisd              xmm0, xmmword ptr [edi + 0x100]
            //   0f8679020000         | jbe                 0x27f
            //   f20f118700010000     | movsd               qword ptr [edi + 0x100], xmm0
            //   e9????????           |                     
            //   8b442428             | mov                 eax, dword ptr [esp + 0x28]
            //   8b4020               | mov                 eax, dword ptr [eax + 0x20]

        // Three pushes (a stack table entry indexed by ebp, then ebx twice)
        // into a cdecl call that cleans 0x14 bytes, i.e. five arguments — the
        // other two pushes precede this window. The return value is then
        // tested for zero.
        $sequence_4 = { ff74ac44 53 53 e8???????? 83c414 85c0 7444 }
            // n = 7, score = 400
            //   ff74ac44             | push                dword ptr [esp + ebp*4 + 0x44]
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   85c0                 | test                eax, eax
            //   7444                 | je                  0x46

        // Vector (SSE2 + SSE4.1, pmulld) loop body: store one 16-byte chunk,
        // load the next, mask it with xmm3, multiply packed dwords by xmm6 and
        // shift right by xmm4. Looks like a vectorised mixing/hash step —
        // not confirmed.
        $sequence_5 = { f30f7f49e0 f30f6f51f0 660f6fc2 660fdbc3 660f3840c6 660f6fc8 660fd2cc }
            // n = 7, score = 400
            //   f30f7f49e0           | movdqu              xmmword ptr [ecx - 0x20], xmm1
            //   f30f6f51f0           | movdqu              xmm2, xmmword ptr [ecx - 0x10]
            //   660f6fc2             | movdqa              xmm0, xmm2
            //   660fdbc3             | pand                xmm0, xmm3
            //   660f3840c6           | pmulld              xmm0, xmm6
            //   660f6fc8             | movdqa              xmm1, xmm0
            //   660fd2cc             | psrld               xmm1, xmm4

        // `sub ecx, -0x80` is `add ecx, 0x80` encoded with a sign-extended
        // 8-bit immediate. The final `lock xadd` is an atomic fetch-and-add on
        // [eax] by edi — presumably a reference count; not confirmed.
        $sequence_6 = { ff742428 83e980 ff742430 e8???????? 8b44242c 8bcf f00fc108 }
            // n = 7, score = 400
            //   ff742428             | push                dword ptr [esp + 0x28]
            //   83e980               | sub                 ecx, -0x80
            //   ff742430             | push                dword ptr [esp + 0x30]
            //   e8????????           |                     
            //   8b44242c             | mov                 eax, dword ptr [esp + 0x2c]
            //   8bcf                 | mov                 ecx, edi
            //   f00fc108             | lock xadd           dword ptr [eax], ecx

        // Branchless idiom: neg/sbb/and/inc maps eax to 1 when it was zero
        // and to -1 (0xffffffff) otherwise; the result is pushed as a call
        // argument together with a literal 0.
        $sequence_7 = { f7d8 8bcf 1bc0 83e0fe 40 50 6a00 }
            // n = 7, score = 400
            //   f7d8                 | neg                 eax
            //   8bcf                 | mov                 ecx, edi
            //   1bc0                 | sbb                 eax, eax
            //   83e0fe               | and                 eax, 0xfffffffe
            //   40                   | inc                 eax
            //   50                   | push                eax
            //   6a00                 | push                0

        // Tail of a counted loop: call through eax with one-argument cleanup,
        // decrement the counter at [edi+0x18], backward jne to the loop head
        // (which lies outside this window), then fall through.
        $sequence_8 = { ffd0 83c404 ff4f18 75cc 8b5618 8a4f20 fec1 }
            // n = 7, score = 400
            //   ffd0                 | call                eax
            //   83c404               | add                 esp, 4
            //   ff4f18               | dec                 dword ptr [edi + 0x18]
            //   75cc                 | jne                 0xffffffce
            //   8b5618               | mov                 edx, dword ptr [esi + 0x18]
            //   8a4f20               | mov                 cl, byte ptr [edi + 0x20]
            //   fec1                 | inc                 cl

        // After a call, the first dword of the object pointed to by [ebx] is
        // compared with 1 and then with 0 — a small state/type dispatch.
        $sequence_9 = { e8???????? 8b7c2424 8b0b 8b01 83f801 7443 85c0 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   8b7c2424             | mov                 edi, dword ptr [esp + 0x24]
            //   8b0b                 | mov                 ecx, dword ptr [ebx]
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   83f801               | cmp                 eax, 1
            //   7443                 | je                  0x45
            //   85c0                 | test                eax, eax

    condition:
        // 7 of the 10 sequences must be present. The size cap
        // (18505728 bytes, about 17.6 MiB) bounds scan cost; the threshold
        // was chosen by the generator from a small sample set (see the
        // DISCLAIMER), so assign confidence accordingly.
        7 of them and filesize < 18505728
}