win.neutrino_pos

Neutrino POS


There is no description at this point.

References
2017-06-27 | Kaspersky Labs | Sergey Yunakovsky
@online{yunakovsky:20170627:neutrino:ac891a9, author = {Sergey Yunakovsky}, title = {{Neutrino modification for POS-terminals}}, date = {2017-06-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/neutrino-modification-for-pos-terminals/78839/}, language = {English}, urldate = {2019-12-20} } Neutrino modification for POS-terminals
Neutrino POS
Yara Rules
[TLP:WHITE] win_neutrino_pos_auto (20230407 | Detects win.neutrino_pos.)
rule win_neutrino_pos_auto {
    // Auto-generated detection rule for the Neutrino POS family (win.neutrino_pos).
    // Each $sequence_N is a short x86 opcode run lifted from disassembly by
    // YARA-Signator (see the DISCLAIMER below); the annotated disassembly under
    // each string is documentation only and has no effect on matching.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.neutrino_pos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino_pos"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // `??` wildcards mask the 4-byte operand of `e8` (call rel32) and `68`
        // (push imm32), so these sequences match regardless of the encoded
        // target/immediate; the disassembly column is left blank for them.
        $sequence_0 = { 56 e8???????? 59 ff75f8 e8???????? 59 5f }
            // n = 7, score = 200
            //   56                   | push                esi
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   5f                   | pop                 edi

        // NOTE(review): $sequence_1..4 and $sequence_6..9 are runs of
        // `push imm8 / pop reg / mov word ptr [ebp - N], reg16` into adjacent
        // 2-byte stack slots with ASCII-range immediates (0x74 't', 0x71 'q',
        // 0x66 'f', ...). This looks like wide-character stack-string
        // construction, but that is an inference; it is not confirmed by the
        // rule itself.
        $sequence_1 = { 8bc1 66898568ffffff 58 6a74 6689856affffff }
            // n = 5, score = 200
            //   8bc1                 | mov                 eax, ecx
            //   66898568ffffff       | mov                 word ptr [ebp - 0x98], ax
            //   58                   | pop                 eax
            //   6a74                 | push                0x74
            //   6689856affffff       | mov                 word ptr [ebp - 0x96], ax

        $sequence_2 = { 58 6a71 668945b4 58 6a66 668945b6 }
            // n = 6, score = 200
            //   58                   | pop                 eax
            //   6a71                 | push                0x71
            //   668945b4             | mov                 word ptr [ebp - 0x4c], ax
            //   58                   | pop                 eax
            //   6a66                 | push                0x66
            //   668945b6             | mov                 word ptr [ebp - 0x4a], ax

        $sequence_3 = { 5b 6a74 66899d7cffffff 5b 66899d7effffff 6a44 8bda }
            // n = 7, score = 200
            //   5b                   | pop                 ebx
            //   6a74                 | push                0x74
            //   66899d7cffffff       | mov                 word ptr [ebp - 0x84], bx
            //   5b                   | pop                 ebx
            //   66899d7effffff       | mov                 word ptr [ebp - 0x82], bx
            //   6a44                 | push                0x44
            //   8bda                 | mov                 ebx, edx

        $sequence_4 = { 58 6a43 8bc8 66898d4effffff 59 6a65 }
            // n = 6, score = 200
            //   58                   | pop                 eax
            //   6a43                 | push                0x43
            //   8bc8                 | mov                 ecx, eax
            //   66898d4effffff       | mov                 word ptr [ebp - 0xb2], cx
            //   59                   | pop                 ecx
            //   6a65                 | push                0x65

        // Indirect call through a stack slot followed by a wildcarded
        // `push imm32` (`68????????`); the pushed value is not part of the match.
        $sequence_5 = { 57 ff55f8 83c410 eb0f ff7508 68???????? 57 }
            // n = 7, score = 200
            //   57                   | push                edi
            //   ff55f8               | call                dword ptr [ebp - 8]
            //   83c410               | add                 esp, 0x10
            //   eb0f                 | jmp                 0x11
            //   ff7508               | push                dword ptr [ebp + 8]
            //   68????????           |                     
            //   57                   | push                edi

        $sequence_6 = { 58 6a75 6689855affffff 58 6a4f 6689855cffffff 58 }
            // n = 7, score = 200
            //   58                   | pop                 eax
            //   6a75                 | push                0x75
            //   6689855affffff       | mov                 word ptr [ebp - 0xa6], ax
            //   58                   | pop                 eax
            //   6a4f                 | push                0x4f
            //   6689855cffffff       | mov                 word ptr [ebp - 0xa4], ax
            //   58                   | pop                 eax

        $sequence_7 = { 58 6a69 66898574ffffff 58 6a63 66898576ffffff }
            // n = 6, score = 200
            //   58                   | pop                 eax
            //   6a69                 | push                0x69
            //   66898574ffffff       | mov                 word ptr [ebp - 0x8c], ax
            //   58                   | pop                 eax
            //   6a63                 | push                0x63
            //   66898576ffffff       | mov                 word ptr [ebp - 0x8a], ax

        $sequence_8 = { 6a73 66898552ffffff 58 6a6e 66898554ffffff 58 6a61 }
            // n = 7, score = 200
            //   6a73                 | push                0x73
            //   66898552ffffff       | mov                 word ptr [ebp - 0xae], ax
            //   58                   | pop                 eax
            //   6a6e                 | push                0x6e
            //   66898554ffffff       | mov                 word ptr [ebp - 0xac], ax
            //   58                   | pop                 eax
            //   6a61                 | push                0x61

        $sequence_9 = { 6a72 668945a0 58 6a07 668945a2 58 66894d9a }
            // n = 7, score = 200
            //   6a72                 | push                0x72
            //   668945a0             | mov                 word ptr [ebp - 0x60], ax
            //   58                   | pop                 eax
            //   6a07                 | push                7
            //   668945a2             | mov                 word ptr [ebp - 0x5e], ax
            //   58                   | pop                 eax
            //   66894d9a             | mov                 word ptr [ebp - 0x66], cx

    condition:
        // At least 7 of the 10 sequences must be present AND the scanned object
        // must be smaller than 188416 bytes (184 KiB). `filesize` is defined
        // only when scanning a file: in a process-memory scan it is undefined,
        // so this conjunction cannot evaluate true there even if the sequences
        // match. Keep that in mind when applying the rule to memory, since the
        // strings were selected partly from memory dumps (see DISCLAIMER).
        7 of them and filesize < 188416
}