Actor(s): APT34, Turla Group
There is no description at this point.
rule win_nautilus_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2021-06-10" version = "1" description = "Detects win.nautilus." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nautilus" malpedia_rule_date = "20210604" malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd" malpedia_version = "20210616" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 7606 4183c9ff eb2d 498b12 478d0c89 0fbe02 458d49e8 } // n = 7, score = 100 // 7606 | dec ecx // 4183c9ff | mov ecx, esi // eb2d | movzx edx, byte ptr [esi + eax] // 498b12 | dec ecx // 478d0c89 | mov ecx, esi // 0fbe02 | movzx edx, byte ptr [esi + eax] // 458d49e8 | inc esp $sequence_1 = { 750a b880b0ffff e9???????? 488b4d77 bb01000000 8bd3 e8???????? } // n = 7, score = 100 // 750a | cmp edx, eax // b880b0ffff | je 0x495 // e9???????? | // 488b4d77 | cmp byte ptr [edx], cl // bb01000000 | jne 0x495 // 8bd3 | dec eax // e8???????? | $sequence_2 = { eb02 8ada 301f ffc1 83f910 1bc0 48ffc7 } // n = 7, score = 100 // eb02 | jne 0x701 // 8ada | inc ecx // 301f | movzx eax, byte ptr [edx + 1] // ffc1 | movzx ecx, byte ptr [eax + esi + 0x870d0] // 83f910 | inc ebp // 1bc0 | movzx eax, al // 48ffc7 | sub eax, 2 $sequence_3 = { e8???????? 488d542420 41b808000000 488bcb e8???????? 8a4308 8807 } // n = 7, score = 100 // e8???????? | // 488d542420 | arpl ax, dx // 41b808000000 | mov dword ptr [ebx + 0x14], eax // 488bcb | dec eax // e8???????? | // 8a4308 | shl edx, 3 // 8807 | jne 0x93b $sequence_4 = { c7010c000000 894108 488bcb e8???????? 488bcf e8???????? 488b9c24d0000000 } // n = 7, score = 100 // c7010c000000 | jne 0x5a1 // 894108 | inc ebp // 488bcb | movzx eax, byte ptr [edx + 1] // e8???????? | // 488bcf | inc ecx // e8???????? | // 488b9c24d0000000 | movzx eax, byte ptr [eax + ebx + 0x90] $sequence_5 = { 803b20 74f8 488d0d48c90300 41b803000000 488bd3 e8???????? 85c0 } // n = 7, score = 100 // 803b20 | jg 0xb3d // 74f8 | dec ecx // 488d0d48c90300 | mov esi, ecx // 41b803000000 | dec ebp // 488bd3 | mov esp, eax // e8???????? | // 85c0 | dec eax $sequence_6 = { c744242020000000 e8???????? 44396d60 0f87e9000000 bafeffff7f 33c9 e8???????? } // n = 7, score = 100 // c744242020000000 | dec eax // e8???????? | // 44396d60 | mov ecx, eax // 0f87e9000000 | inc esp // bafeffff7f | movzx esp, al // 33c9 | dec eax // e8???????? | $sequence_7 = { 83ffe4 0f8d25010000 4885ed 0f851c010000 81ffcefbffff 7d1a 4885f6 } // n = 7, score = 100 // 83ffe4 | dec esp // 0f8d25010000 | mov eax, eax // 4885ed | dec eax // 0f851c010000 | mov dword ptr [esp + 0x40], eax // 81ffcefbffff | test eax, eax // 7d1a | jne 0x4da // 4885f6 | movzx ecx, byte ptr [ebx] $sequence_8 = { e8???????? 85c0 7404 33c0 eb6c 8b442478 85c0 } // n = 7, score = 100 // e8???????? | // 85c0 | jmp 0x388 // 7404 | inc ecx // 33c0 | mov eax, dword ptr [eax + 0xfa50] // eb6c | inc ecx // 8b442478 | mov edx, dword ptr [eax + 0x444] // 85c0 | inc esp $sequence_9 = { 488b4e10 488b5158 8b4a18 c645f900 894df4 488b4618 488945e8 } // n = 7, score = 100 // 488b4e10 | dec eax // 488b5158 | cmp ebx, 0x40 // 8b4a18 | jb 0x5e7 // c645f900 | dec eax // 894df4 | mov ebp, ebx // 488b4618 | dec eax // 488945e8 | shr ebp, 6 condition: 7 of them and filesize < 1302528 }
rule win_nautilus_w0 { meta: description = "Rule for detection of Nautilus based on assembly code for a modified RC4 loop" author = "NCSC UK" hash = "a415ab193f6cd832a0de4fcc48d5f53d6f0b06d5e13b3c359878c6c31f3e7ec3" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nautilus" malpedia_version = "20180226" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $rc4_loop = {42 0F B6 14 04 41 FF C0 03 D7 0F B6 CA 8A 14 0C 43 32 14 13 41 88 12 49 FF C2 49 FF C9} $rc4_key = {31 42 31 34 34 30 44 39 30 46 43 39 42 43 42 34 36 41 39 41 43 39 36 34 33 38 46 45 45 41 38 42} $string_0 = "nautilus-service.dll" ascii $string_1 = "oxygen.dll" ascii $string_2 = "config_listen.system" ascii $string_3 = "ctx.system" ascii $string_4 = "3FDA3998-BEF5-426D-82D8-1A71F29ADDC3" ascii $string_5 = "C:\\ProgramData\\Microsoft\\Windows\\Caches\\{%s}.2.ver0x0000000000000001.db" condition: ($rc4_loop and $rc4_key) or (all of ($string_*)) }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY