Actor(s): APT34, Turla
There is no description at this point.
rule win_nautilus_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.nautilus."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nautilus"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer note on the per-opcode comments below: they are carried over
     * from the generator output and appear to be a 32-bit decoding that is
     * offset from the actual byte groups (e.g. the REX prefix 0x48 shows up as
     * "dec eax"). Treat them as illustrative only; the byte sequences, not the
     * comments, are what the rule matches. The "n" / "score" annotations are
     * generator metadata, not part of the match logic.
     */

    strings:
        $sequence_0 = { 8b4b24 8b4320 83c1f8 d3e8 894b24 3c38 0f8581e5ffff }  // n = 7, score = 100
            //   8b4b24        | dec eax
            //   8b4320        | sub esp, 0x20
            //   83c1f8        | dec eax
            //   d3e8          | mov edi, ecx
            //   894b24        | dec eax
            //   3c38          | mov ecx, edx
            //   0f8581e5ffff  | dec eax

        $sequence_1 = { 8b8fe8000000 2b8ff0000000 894810 488b87e8000000 488987f0000000 4c39ab10010000 7452 }  // n = 7, score = 100
            //   8b8fe8000000    | dec eax
            //   2b8ff0000000    | mov ebp, edx
            //   894810          | dec esp
            //   488b87e8000000  | mov esi, ecx
            //   488987f0000000  | dec eax
            //   4c39ab10010000  | mov dword ptr [eax + 0x18], esi
            //   7452            | dec eax

        $sequence_2 = { e8???????? 488d4d88 33d2 8bd8 e8???????? 3bd8 740e }  // n = 7, score = 100
            //   e8????????  |
            //   488d4d88    | inc ebp
            //   33d2        | xor eax, eax
            //   8bd8        | dec eax
            //   e8????????  |
            //   3bd8        | mov ecx, ebx
            //   740e        | dec eax

        $sequence_3 = { 8b55fc 448b45f0 330b 335304 44334308 448b4df4 488b742448 }  // n = 7, score = 100
            //   8b55fc      | dec eax
            //   448b45f0    | sub esp, 0x20
            //   330b        | dec eax
            //   335304      | mov esi, ecx
            //   44334308    | dec ecx
            //   448b4df4    | mov ecx, eax
            //   488b742448  | dec ecx

        $sequence_4 = { d3f8 4489742440 85c0 745d 8aca 418bc2 4002d6 }  // n = 7, score = 100
            //   d3f8        | dec eax
            //   4489742440  | mov dword ptr [esp + 0x20], ebx
            //   85c0        | push ebp
            //   745d        | push esi
            //   8aca        | dec eax
            //   418bc2      | mov edi, dword ptr [esp + 0x48]
            //   4002d6      | dec eax

        $sequence_5 = { 488b4108 4889442460 4885c0 0f843d020000 33ed 4533f6 396828 }  // n = 7, score = 100
            //   488b4108      | jne 0x26
            //   4889442460    | dec esp
            //   4885c0        | mov eax, esi
            //   0f843d020000  | dec eax
            //   33ed          | mov edx, esi
            //   4533f6        | dec eax
            //   396828        | mov ecx, edi

        $sequence_6 = { 7d16 4863cf 8a841919010000 42888401800a0900 ffc7 ebde 488b0d???????? }  // n = 7, score = 100
            //   7d16              | inc esp
            //   4863cf            | mov byte ptr [edx], bl
            //   8a841919010000    | jmp 0x1125
            //   42888401800a0900  | inc esp
            //   ffc7              | mov byte ptr [edx], cl
            //   ebde              | dec eax
            //   488b0d????????    |

        $sequence_7 = { 8b442408 3344240c 4123c3 458bdd 33442408 450bd8 03d0 }  // n = 7, score = 100
            //   8b442408  | push esi
            //   3344240c  | push edi
            //   4123c3    | dec eax
            //   458bdd    | sub esp, 0x60
            //   33442408  | dec eax
            //   450bd8    | mov eax, dword ptr [ecx + 0x2a8]
            //   03d0      | dec eax

        $sequence_8 = { 773e 4983c002 4983ea02 3bcb 753a 4d3bc1 7547 }  // n = 7, score = 100
            //   773e      | dec eax
            //   4983c002  | cmp dword ptr [eax], ecx
            //   4983ea02  | jne 0x1079
            //   3bcb      | dec ecx
            //   753a      | inc ecx
            //   4d3bc1    | dec ecx
            //   7547      | add eax, 8

        $sequence_9 = { e8???????? 8bc8 83f917 0f8f1b010000 7455 83f905 0f8431fdffff }  // n = 7, score = 100
            //   e8????????    |
            //   8bc8          | mov ecx, esi
            //   83f917        | dec esp
            //   0f8f1b010000  | mov eax, eax
            //   7455          | dec eax
            //   83f905        | lea ecx, [ebp + 0x1a0]
            //   0f8431fdffff  | dec esp

    condition:
        // Cheap size bound first; then at least 7 of the 10 code sequences
        // (same set as "them", spelled out so the scope is explicit).
        filesize < 1302528 and 7 of ($sequence_*)
}
rule win_nautilus_w0 {
    meta:
        description = "Rule for detection of Nautilus based on assembly code for a modified RC4 loop"
        author = "NCSC UK"
        hash = "a415ab193f6cd832a0de4fcc48d5f53d6f0b06d5e13b3c359878c6c31f3e7ec3"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nautilus"
        malpedia_version = "20180226"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Code-based indicators: the modified RC4 keystream loop plus the key
        // constant it is used with. Both must be present for this branch to fire.
        // The bytes decode to a movzx/add/xor/inc/dec loop over a byte table,
        // which looks consistent with the RC4 PRGA described in the meta.
        $rc4_loop = { 42 0F B6 14 04 41 FF C0 03 D7 0F B6 CA 8A 14 0C 43 32 14 13 41 88 12 49 FF C2 49 FF C9 }

        // Hex-encoded key constant stored as ASCII text; the bytes spell
        // "1B1440D90FC9BCB46A9AC96438FEEA8B".
        $rc4_key = { 31 42 31 34 34 30 44 39 30 46 43 39 42 43 42 34 36 41 39 41 43 39 36 34 33 38 46 45 45 41 38 42 }

        // Artifact-based indicators: module names, config file names, a GUID
        // and the cache database path used by the implant. All six must match
        // for this branch to fire. "ascii" is YARA's default and is written on
        // every entry for consistency.
        $string_0 = "nautilus-service.dll" ascii
        $string_1 = "oxygen.dll" ascii
        $string_2 = "config_listen.system" ascii
        $string_3 = "ctx.system" ascii
        $string_4 = "3FDA3998-BEF5-426D-82D8-1A71F29ADDC3" ascii
        $string_5 = "C:\\ProgramData\\Microsoft\\Windows\\Caches\\{%s}.2.ver0x0000000000000001.db" ascii

    condition:
        // Either the RC4 loop together with its key, or the full set of
        // string artifacts; $rc4_* expands to exactly $rc4_loop and $rc4_key.
        all of ($rc4_*) or all of ($string_*)
}