SYMBOLCOMMON_NAMEaka. SYNONYMS
win.newbounce (Back to overview)

NewBounce


There is no description at this point.

References
2021-10-18NortonLifeLockNorton Labs
@techreport{labs:20211018:operation:9612cbf, author = {Norton Labs}, title = {{Operation Exorcist - 7 Years of Targeted Attacks against the Roman Catholic Church}}, date = {2021-10-18}, institution = {NortonLifeLock}, url = {https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf}, language = {English}, urldate = {2021-12-15} } Operation Exorcist - 7 Years of Targeted Attacks against the Roman Catholic Church
NewBounce PlugX Zupdax
Yara Rules
[TLP:WHITE] win_newbounce_auto (20220808 | Detects win.newbounce.)
rule win_newbounce_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.newbounce."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.newbounce"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83e00f 7e05 2bf0 83c610 }
            // n = 4, score = 300
            //   83e00f               | and                 eax, 0xf
            //   7e05                 | jle                 7
            //   2bf0                 | sub                 esi, eax
            //   83c610               | add                 esi, 0x10

        $sequence_1 = { 7562 488d9550010000 4533c9 41b800200000 }
            // n = 4, score = 200
            //   7562                 | mov                 edx, 0x5c
            //   488d9550010000       | dec                 eax
            //   4533c9               | mov                 ecx, ebx
            //   41b800200000         | dec                 eax

        $sequence_2 = { 755f 488d5f01 ba5c000000 488bcb }
            // n = 4, score = 200
            //   755f                 | lea                 eax, [ebx + 0x40]
            //   488d5f01             | cmp                 byte ptr [eax], 0
            //   ba5c000000           | je                  0x22
            //   488bcb               | dec                 esp

        $sequence_3 = { 7561 83b9ec01000002 7458 39b918020000 }
            // n = 4, score = 200
            //   7561                 | dec                 esp
            //   83b9ec01000002       | lea                 ecx, [0x13943]
            //   7458                 | inc                 ecx
            //   39b918020000         | mov                 eax, 2

        $sequence_4 = { 755b 488d4c2431 33d2 41b803010000 }
            // n = 4, score = 200
            //   755b                 | dec                 eax
            //   488d4c2431           | lea                 ebx, [0x1901b]
            //   33d2                 | dec                 eax
            //   41b803010000         | lea                 edi, [0x1907c]

        $sequence_5 = { 755c 81fdf4010000 7d54 8b8704020000 }
            // n = 4, score = 200
            //   755c                 | jne                 0x5d
            //   81fdf4010000         | dec                 eax
            //   7d54                 | lea                 ecx, [esp + 0x31]
            //   8b8704020000         | xor                 edx, edx

        $sequence_6 = { 755f 488d4340 803800 741d 4c8d0d43390100 }
            // n = 5, score = 200
            //   755f                 | jge                 0x5c
            //   488d4340             | mov                 eax, dword ptr [edi + 0x204]
            //   803800               | test                eax, eax
            //   741d                 | jne                 0x5e
            //   4c8d0d43390100       | cmp                 ebp, 0x1f4

        $sequence_7 = { 755a 488d0d839e0000 e8???????? 488d1d1b900100 488d3d7c900100 eb0e }
            // n = 6, score = 200
            //   755a                 | jne                 0x5c
            //   488d0d839e0000       | dec                 eax
            //   e8????????           |                     
            //   488d1d1b900100       | lea                 ecx, [0x9e83]
            //   488d3d7c900100       | dec                 eax
            //   eb0e                 | lea                 ebx, [0x1901b]

        $sequence_8 = { 81c398000000 6a01 8bcb e8???????? }
            // n = 4, score = 100
            //   81c398000000         | lea                 edi, [ebp - 0x35c]
            //   6a01                 | add                 ebx, 0x334
            //   8bcb                 | mov                 ecx, eax
            //   e8????????           |                     

        $sequence_9 = { 81c30c010000 8bf0 8a08 40 }
            // n = 4, score = 100
            //   81c30c010000         | dec                 eax
            //   8bf0                 | mov                 ecx, edi
            //   8a08                 | jne                 0x64
            //   40                   | dec                 eax

        $sequence_10 = { 81c310ea0000 53 6a01 8bce }
            // n = 4, score = 100
            //   81c310ea0000         | xor                 edx, edx
            //   53                   | dec                 eax
            //   6a01                 | mov                 ecx, esi
            //   8bce                 | and                 eax, 0xf

        $sequence_11 = { 81c334030000 8bc8 8bd3 c645fc02 }
            // n = 4, score = 100
            //   81c334030000         | mov                 cl, byte ptr [eax]
            //   8bc8                 | inc                 eax
            //   8bd3                 | add                 ebx, 0x10c
            //   c645fc02             | mov                 esi, eax

        $sequence_12 = { 81c300ea0000 53 8bce e8???????? }
            // n = 4, score = 100
            //   81c300ea0000         | cmp                 dword ptr [ecx + 0x218], edi
            //   53                   | jne                 0x61
            //   8bce                 | dec                 eax
            //   e8????????           |                     

        $sequence_13 = { 81c394010000 8b43fc 85c0 0f841d010000 }
            // n = 4, score = 100
            //   81c394010000         | mov                 edx, dword ptr [ebx + 4]
            //   8b43fc               | push                edx
            //   85c0                 | lea                 eax, [ebp + 0x10]
            //   0f841d010000         | push                eax

        $sequence_14 = { 81c328010000 3bda 7403 8b5304 52 8d4510 }
            // n = 6, score = 100
            //   81c328010000         | add                 ebx, 0xea00
            //   3bda                 | push                ebx
            //   7403                 | mov                 ecx, esi
            //   8b5304               | mov                 edx, dword ptr [eax]
            //   52                   | mov                 ecx, eax
            //   8d4510               | add                 ebx, 0xea00

    condition:
        7 of them and filesize < 8637440
}
Download all Yara Rules