win.noxplayer

NoxPlayer


There is no description at this point.

References
2021-10-26 | Kaspersky | Kaspersky Lab ICS CERT
@techreport{cert:20211026:attacks:6f30d0f, author = {Kaspersky Lab ICS CERT}, title = {{APT attacks on industrial organizations in H1 2021}}, date = {2021-10-26}, institution = {Kaspersky}, url = {https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf}, language = {English}, urldate = {2021-11-08} } APT attacks on industrial organizations in H1 2021
8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy
2021-02-01 | ESET Research | Ignacio Sanmillan, Matthieu Faou
@online{sanmillan:20210201:operation:9e52a78, author = {Ignacio Sanmillan and Matthieu Faou}, title = {{Operation NightScout: Supply‑chain attack targets online gaming in Asia}}, date = {2021-02-01}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/}, language = {English}, urldate = {2021-02-17} } Operation NightScout: Supply‑chain attack targets online gaming in Asia
Ghost RAT NoxPlayer Poison Ivy
Yara Rules
[TLP:WHITE] win_noxplayer_auto (20220516 | Detects win.noxplayer.)
rule win_noxplayer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.noxplayer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.noxplayer"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): on the per-instruction annotations
     * The byte sequences below are x86-64 code (0x40-0x4f REX prefixes,
     * r8-r15 registers), so each mnemonic next to an opcode is the 64-bit
     * decoding of exactly the bytes shown. Bytes written as ?? are YARA
     * wildcards: they stand for call targets, RIP-relative displacements and
     * similar values that differ between builds and are not matched.
     * Branch targets are given as signed offsets relative to the end of the
     * branch instruction; "rel32" marks a 4-byte relative call target.
     */


    strings:
        $sequence_0 = { 48c7442420feffffff 48895c2448 488bda 4c8bd1 488b4110 48b96566666666666606 483bc1 }
            // n = 7, score = 100
            //   48c7442420feffffff     | mov                 qword ptr [rsp + 0x20], 0xfffffffffffffffe  (-2, sign-extended imm32)
            //   48895c2448             | mov                 qword ptr [rsp + 0x48], rbx
            //   488bda                 | mov                 rbx, rdx
            //   4c8bd1                 | mov                 r10, rcx
            //   488b4110               | mov                 rax, qword ptr [rcx + 0x10]
            //   48b96566666666666606   | mov                 rcx, 0x0666666666666665
            //   483bc1                 | cmp                 rax, rcx

        $sequence_1 = { 488bcf e8???????? 488d0d65390200 e8???????? cc 48ffc0 49894210 }
            // n = 7, score = 100
            //   488bcf                 | mov                 rcx, rdi
            //   e8????????             | call                rel32
            //   488d0d65390200         | lea                 rcx, [rip + 0x23965]
            //   e8????????             | call                rel32
            //   cc                     | int3
            //   48ffc0                 | inc                 rax
            //   49894210               | mov                 qword ptr [r10 + 0x10], rax

        $sequence_2 = { 488b0f 80792900 751a 418b01 3b4118 7d08 488bf9 }
            // n = 7, score = 100
            //   488b0f                 | mov                 rcx, qword ptr [rdi]
            //   80792900               | cmp                 byte ptr [rcx + 0x29], 0
            //   751a                   | jne                 +0x1a
            //   418b01                 | mov                 eax, dword ptr [r9]
            //   3b4118                 | cmp                 eax, dword ptr [rcx + 0x18]
            //   7d08                   | jge                 +0x08
            //   488bf9                 | mov                 rdi, rcx

        $sequence_3 = { 4533c9 418d5105 458d4101 488d8da0010000 e8???????? 488d1543650300 488d8da0010000 }
            // n = 7, score = 100
            //   4533c9                 | xor                 r9d, r9d
            //   418d5105               | lea                 edx, [r9 + 5]
            //   458d4101               | lea                 r8d, [r9 + 1]
            //   488d8da0010000         | lea                 rcx, [rbp + 0x1a0]
            //   e8????????             | call                rel32
            //   488d1543650300         | lea                 rdx, [rip + 0x36543]
            //   488d8da0010000         | lea                 rcx, [rbp + 0x1a0]

        $sequence_4 = { 4103c1 4c8b4c2410 c1c90b 4103490c 41894108 418b4110 03c2 }
            // n = 7, score = 100
            //   4103c1                 | add                 eax, r9d
            //   4c8b4c2410             | mov                 r9, qword ptr [rsp + 0x10]
            //   c1c90b                 | ror                 ecx, 0xb
            //   4103490c               | add                 ecx, dword ptr [r9 + 0xc]
            //   41894108               | mov                 dword ptr [r9 + 8], eax
            //   418b4110               | mov                 eax, dword ptr [r9 + 0x10]
            //   03c2                   | add                 eax, edx

        $sequence_5 = { 48894500 4885c0 7526 8d5003 448d4001 488d4c2440 458bcc }
            // n = 7, score = 100
            //   48894500               | mov                 qword ptr [rbp], rax
            //   4885c0                 | test                rax, rax
            //   7526                   | jne                 +0x26
            //   8d5003                 | lea                 edx, [rax + 3]
            //   448d4001               | lea                 r8d, [rax + 1]
            //   488d4c2440             | lea                 rcx, [rsp + 0x40]
            //   458bcc                 | mov                 r9d, r12d

        $sequence_6 = { 4057 4883ec40 4c8d4c2458 4c8d442450 33d2 33c9 }
            // n = 6, score = 100
            //   4057                   | push                rdi
            //   4883ec40               | sub                 rsp, 0x40
            //   4c8d4c2458             | lea                 r9, [rsp + 0x58]
            //   4c8d442450             | lea                 r8, [rsp + 0x50]
            //   33d2                   | xor                 edx, edx
            //   33c9                   | xor                 ecx, ecx

        $sequence_7 = { 33d2 33c9 ff15???????? 488905???????? 4883c428 c3 4883ec28 }
            // n = 7, score = 100
            //   33d2                   | xor                 edx, edx
            //   33c9                   | xor                 ecx, ecx
            //   ff15????????           | call                qword ptr [rip + disp32]
            //   488905????????         | mov                 qword ptr [rip + disp32], rax
            //   4883c428               | add                 rsp, 0x28
            //   c3                     | ret
            //   4883ec28               | sub                 rsp, 0x28

        $sequence_8 = { 440f4cc8 44894c2478 8b542470 899618010000 8996f0000000 899600010000 8d4aff }
            // n = 7, score = 100
            //   440f4cc8               | cmovl               r9d, eax
            //   44894c2478             | mov                 dword ptr [rsp + 0x78], r9d
            //   8b542470               | mov                 edx, dword ptr [rsp + 0x70]
            //   899618010000           | mov                 dword ptr [rsi + 0x118], edx
            //   8996f0000000           | mov                 dword ptr [rsi + 0xf0], edx
            //   899600010000           | mov                 dword ptr [rsi + 0x100], edx
            //   8d4aff                 | lea                 ecx, [rdx - 1]

        $sequence_9 = { 415d 415c 5f c3 83f801 7536 4885db }
            // n = 7, score = 100
            //   415d                   | pop                 r13
            //   415c                   | pop                 r12
            //   5f                     | pop                 rdi
            //   c3                     | ret
            //   83f801                 | cmp                 eax, 1
            //   7536                   | jne                 +0x36
            //   4885db                 | test                rbx, rbx

    condition:
        // Match when at least 7 of the 10 sequences are present and the scanned
        // object is smaller than 742400 bytes (725 KiB). The size bound is
        // presumably derived from the reference sample; note that it makes the
        // rule skip larger objects (e.g. a bundled or packed carrier), so scan
        // unpacked files or memory dumps, as the DISCLAIMER describes.
        7 of them and filesize < 742400
}