win.mykings_spreader

MyKings Spreader


No description has been written for this family yet. The references below document the MyKings botnet (Sophos, AhnLab, 360 Netlab); the Proofpoint and Netlab entries are additionally tagged Smominru, and the Talos entry tags this spreader alongside Valak, IcedID and ISFB.

References
2020-07-01Cisco TalosNick Biasini, Edmund Brumaghin, Mariano Graziano
@online{biasini:20200701:threat:a726b7e, author = {Nick Biasini and Edmund Brumaghin and Mariano Graziano}, title = {{Threat Spotlight: Valak Slithers Its Way Into Manufacturing and Transportation Networks}}, date = {2020-07-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/07/valak-emerges.html}, language = {English}, urldate = {2020-08-18} } Threat Spotlight: Valak Slithers Its Way Into Manufacturing and Transportation Networks
Valak IcedID ISFB MyKings Spreader
2020-03-02AhnLabAhnLab
@techreport{ahnlab:20200302:analysis:c0c47c3, author = {AhnLab}, title = {{Analysis Report: MyKings Botnet}}, date = {2020-03-02}, institution = {AhnLab}, url = {http://download.ahnlab.com/kr/site/library/[AhnLab]Analysis%20Report_MyKings%20Botnet.pdf}, language = {Korean}, urldate = {2020-03-04} } Analysis Report: MyKings Botnet
MyKings Spreader
2019-12-18SophosGabor Szappanos
@techreport{szappanos:20191218:mykings:7370b35, author = {Gabor Szappanos}, title = {{MyKings: The slow but steady growth of a relentless botnet}}, date = {2019-12-18}, institution = {Sophos}, url = {https://sophos.files.wordpress.com/2019/12/mykings_report_final.pdf}, language = {English}, urldate = {2020-01-13} } MyKings: The slow but steady growth of a relentless botnet
MyKings Spreader
2018-01-31ProofpointKafeine
@online{kafeine:20180131:smominru:5a6c554, author = {Kafeine}, title = {{Smominru Monero mining botnet making millions for operators}}, date = {2018-01-31}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators}, language = {English}, urldate = {2019-12-20} } Smominru Monero mining botnet making millions for operators
MyKings Spreader Smominru
2018-01-24JiaYu
@online{jiayu:20180124:mykings:63bef87, author = {JiaYu}, title = {{MyKings: A massively multiple botnet}}, date = {2018-01-24}, url = {http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/}, language = {Chinese}, urldate = {2019-11-20} } MyKings: A massively multiple botnet
MyKings Spreader Smominru
Yara Rules
[TLP:WHITE] win_mykings_spreader_auto (20210616 | Detects win.mykings_spreader.)
// Malpedia auto-generated code-signature rule for win.mykings_spreader.
// Each $sequence_N is a short run of 32-bit x86 opcode bytes taken from the
// disassembly of unpacked / memory-dumped samples; "??" wildcards mask
// relocatable rel32 / abs32 operands (call targets, import thunks) so a
// pattern does not depend on where the binary was linked or loaded.
// Apply it to unpacked code: a packed on-disk dropper will generally not
// contain these bytes.  Only a small number of samples (possibly one, see
// DISCLAIMER) backed the generation, so treat a hit as a lead to corroborate
// against the references above rather than as a definitive attribution.
rule win_mykings_spreader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.mykings_spreader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator was allowed to pick from when
        // selecting the byte sequences below.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mykings_spreader"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Four stack arguments ([ebp+8] .. [ebp+0x14]) loaded into
        // ecx/edi/esi/ebx, edx spilled to a local, then ebx pushed:
        // a function-entry / call-setup pattern.
        $sequence_0 = { 8b7510 8b5d14 8b4d08 8b7d0c 8955fc 53 }
            // n = 6, score = 100
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]
            //   8b5d14               | mov                 ebx, dword ptr [ebp + 0x14]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   53                   | push                ebx

        // The byte at [ebp-9] is range-checked: if 0x2f < b < 0x3a
        // (ASCII '0'..'9') it is incremented by 4.  A per-character
        // transform; the enclosing loop is not part of the signature, so
        // its purpose (string encoding?) is not confirmed from these bytes.
        $sequence_1 = { 0fb645f7 83f82f 7e0f 0fb645f7 83f83a 7d06 8045f704 }
            // n = 7, score = 100
            //   0fb645f7             | movzx               eax, byte ptr [ebp - 9]
            //   83f82f               | cmp                 eax, 0x2f
            //   7e0f                 | jle                 0x11
            //   0fb645f7             | movzx               eax, byte ptr [ebp - 9]
            //   83f83a               | cmp                 eax, 0x3a
            //   7d06                 | jge                 8
            //   8045f704             | add                 byte ptr [ebp - 9], 4

        // Note the 5-byte "mov eax, 0" (b8 00000000) rather than the usual
        // "xor eax, eax": the specific encoding is part of the signature.
        // The call target (rel32) is wildcarded.
        $sequence_2 = { b800000000 e8???????? 8b4dd4 29c1 89c8 89f9 }
            // n = 6, score = 100
            //   b800000000           | mov                 eax, 0
            //   e8????????           |                     
            //   8b4dd4               | mov                 ecx, dword ptr [ebp - 0x2c]
            //   29c1                 | sub                 ecx, eax
            //   89c8                 | mov                 eax, ecx
            //   89f9                 | mov                 ecx, edi

        // push 0x1f0fff ; call ebx.  0x001f0fff equals the pre-Vista value of
        // PROCESS_ALL_ACCESS, so this presumably is an OpenProcess-style call
        // through a register-held function pointer -- verify in the sample.
        // The following ff15 (call through import) is wildcarded.
        $sequence_3 = { 68ff0f1f00 ffd3 8bf0 ff15???????? 50 8d957cfeffff 56 }
            // n = 7, score = 100
            //   68ff0f1f00           | push                0x1f0fff
            //   ffd3                 | call                ebx
            //   8bf0                 | mov                 esi, eax
            //   ff15????????         |                     
            //   50                   | push                eax
            //   8d957cfeffff         | lea                 edx, dword ptr [ebp - 0x184]
            //   56                   | push                esi

        // Byte-indexed table lookup at the ABSOLUTE address 0x0045a680
        // (and edi,0xff ; movzx edi,[edi+0x45a680] ; shl 24 ; xor esi,edi),
        // S-box / T-table style; the algorithm cannot be identified from seven
        // instructions.  Because the VA is encoded literally, this sequence
        // will not match a dump of the same code loaded at a different image
        // base (relocated / ASLR); the rule can still fire via "7 of them".
        // NOTE(review): wildcarding the operand (0fb6bf????????) would make it
        // base-independent at some cost in precision.
        $sequence_4 = { 89cf 81e7ff000000 0fb6bf80a64500 c1e718 31fe 8b38 31fe }
            // n = 7, score = 100
            //   89cf                 | mov                 edi, ecx
            //   81e7ff000000         | and                 edi, 0xff
            //   0fb6bf80a64500       | movzx               edi, byte ptr [edi + 0x45a680]
            //   c1e718               | shl                 edi, 0x18
            //   31fe                 | xor                 esi, edi
            //   8b38                 | mov                 edi, dword ptr [eax]
            //   31fe                 | xor                 esi, edi

        // Struct field writes: [ecx+8] = edx, then bit 1 of dword [edx+0x20]
        // is set ("or ..., 2") -- a flag in a structure whose layout is not
        // visible here; the trailing call is wildcarded.
        $sequence_5 = { 8b55f4 895108 8b55f4 834a2002 8b55c8 89d0 e8???????? }
            // n = 7, score = 100
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   895108               | mov                 dword ptr [ecx + 8], edx
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   834a2002             | or                  dword ptr [edx + 0x20], 2
            //   8b55c8               | mov                 edx, dword ptr [ebp - 0x38]
            //   89d0                 | mov                 eax, edx
            //   e8????????           |                     

        // "ja 0xffffffcb" is a backward conditional jump (rel8 0xc9 = -55):
        // the back-edge of a loop comparing zero-extended bl against ecx,
        // followed by three register spills to locals.
        $sequence_6 = { 668b7e02 0fb6f3 39ce 77c9 8955cc 8945c8 894dc4 }
            // n = 7, score = 100
            //   668b7e02             | mov                 di, word ptr [esi + 2]
            //   0fb6f3               | movzx               esi, bl
            //   39ce                 | cmp                 esi, ecx
            //   77c9                 | ja                  0xffffffcb
            //   8955cc               | mov                 dword ptr [ebp - 0x34], edx
            //   8945c8               | mov                 dword ptr [ebp - 0x38], eax
            //   894dc4               | mov                 dword ptr [ebp - 0x3c], ecx

        // mov edx,eax ; sar edx,0x1f sign-extends eax into edx:eax, i.e. a
        // 32->64-bit widening (likely ahead of 64-bit arithmetic); the
        // stores/loads at [esp+0x10..0x18] are its spill slots.
        $sequence_7 = { 89c2 c1fa1f 89442414 89542410 8b442414 8b542410 8b5c2418 }
            // n = 7, score = 100
            //   89c2                 | mov                 edx, eax
            //   c1fa1f               | sar                 edx, 0x1f
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   89542410             | mov                 dword ptr [esp + 0x10], edx
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   8b542410             | mov                 edx, dword ptr [esp + 0x10]
            //   8b5c2418             | mov                 ebx, dword ptr [esp + 0x18]

        // Initialises a structure at esi: three dwords (+4, +8, +0xc) from edi
        // and the first byte from al; the load from a global (wildcarded
        // absolute address) precedes a call set-up with ecx/edi pushed.
        $sequence_8 = { 897e04 8806 897e08 897e0c 8b0d???????? 51 57 }
            // n = 7, score = 100
            //   897e04               | mov                 dword ptr [esi + 4], edi
            //   8806                 | mov                 byte ptr [esi], al
            //   897e08               | mov                 dword ptr [esi + 8], edi
            //   897e0c               | mov                 dword ptr [esi + 0xc], edi
            //   8b0d????????         |                     
            //   51                   | push                ecx
            //   57                   | push                edi

        // Two jne exits (rel32 forward jumps), then the high 16 bits of the
        // dword at [ebp-0x38] (shr 16 ; and 0xffff) are stored as a word at
        // [ebp-0x2c].
        $sequence_9 = { 0f85d3000000 39c8 0f85cb000000 8b45c8 c1e810 25ffff0000 668945d4 }
            // n = 7, score = 100
            //   0f85d3000000         | jne                 0xd9
            //   39c8                 | cmp                 eax, ecx
            //   0f85cb000000         | jne                 0xd1
            //   8b45c8               | mov                 eax, dword ptr [ebp - 0x38]
            //   c1e810               | shr                 eax, 0x10
            //   25ffff0000           | and                 eax, 0xffff
            //   668945d4             | mov                 word ptr [ebp - 0x2c], ax

    condition:
        // 7 of the 10 sequences must be present (a single sequence is not
        // sufficient for a hit), and the scanned object must be smaller than
        // 1,581,056 bytes (~1.5 MiB).  NOTE(review): "filesize" is a property
        // of file scans -- when running this against process memory or memory
        // dumps (the inputs the sequences were derived from), confirm how your
        // YARA version evaluates it so the size guard does not suppress true
        // positives.
        7 of them and filesize < 1581056
}