NoxPlayer (Malware Family)

NoxPlayer

There is no description at this point.
References

2021-10-26 ⋅ Kaspersky ⋅ Kaspersky Lab ICS CERT
APT attacks on industrial organizations in H1 2021
8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy
2021-02-01 ⋅ ESET Research ⋅ Ignacio Sanmillan, Matthieu Faou
Operation NightScout: Supply‑chain attack targets online gaming in Asia
Ghost RAT NoxPlayer Poison Ivy Red Dev 17
Yara Rules

[TLP:WHITE] win_noxplayer_auto (20221125 | Detects win.noxplayer.)
rule win_noxplayer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.noxplayer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.noxplayer"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 468d840081f67187 41c1c00b 4403c2 418bc8 418bc0 4133c2 }
            // n = 6, score = 100
            //   468d840081f67187     | dec                 eax
            //   41c1c00b             | lea                 ecx, [ebp - 0x60]
            //   4403c2               | dec                 eax
            //   418bc8               | lea                 edx, [0x35bab]
            //   418bc0               | mov                 edx, 2
            //   4133c2               | inc                 esp

        $sequence_1 = { 4c89a424b0020000 4c89ac2470020000 8d7841 4533ed 8d581a 0f1f00 488d4c2458 }
            // n = 7, score = 100
            //   4c89a424b0020000     | xor                 ecx, ecx
            //   4c89ac2470020000     | dec                 eax
            //   8d7841               | mov                 ebx, eax
            //   4533ed               | dec                 esp
            //   8d581a               | lea                 ecx, [esp + 0x34]
            //   0f1f00               | dec                 esp
            //   488d4c2458           | lea                 eax, [esp + 0x30]

        $sequence_2 = { 90 488d4c2428 e8???????? 83c8ff e9???????? 4c6305???????? 488b5320 }
            // n = 7, score = 100
            //   90                   | inc                 ebp
            //   488d4c2428           | mov                 ebp, edx
            //   e8????????           |                     
            //   83c8ff               | inc                 esp
            //   e9????????           |                     
            //   4c6305????????       |                     
            //   488b5320             | mov                 dword ptr [ebx + 0x24], ebp

        $sequence_3 = { 41c1c00b 4403c2 418bc8 418bc0 4133c2 33c2 4103432c }
            // n = 7, score = 100
            //   41c1c00b             | dec                 esp
            //   4403c2               | lea                 ecx, [ebp + 0x28]
            //   418bc8               | inc                 ecx
            //   418bc0               | mov                 eax, 1
            //   4133c2               | or                  edx, 0xffffffff
            //   33c2                 | call                dword ptr [eax + 0x20]
            //   4103432c             | cmp                 dword ptr [ebp + 0x10], 0

        $sequence_4 = { 48898708020000 488b8708020000 483bc1 7315 488b87d0010000 4869c0a0860100 48898708020000 }
            // n = 7, score = 100
            //   48898708020000       | test                dword ptr [edx + 0x14], eax
            //   488b8708020000       | jne                 0x298
            //   483bc1               | dec                 eax
            //   7315                 | lea                 eax, [0xfffe3f3d]
            //   488b87d0010000       | jmp                 0x2a2
            //   4869c0a0860100       | and                 eax, 0x17
            //   48898708020000       | mov                 dword ptr [edx + 0x10], eax

        $sequence_5 = { e8???????? 4533e4 e9???????? 0f8e97000000 4c8b4640 418bc1 99 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4533e4               | dec                 eax
            //   e9????????           |                     
            //   0f8e97000000         | arpl                word ptr [eax + 4], cx
            //   4c8b4640             | dec                 eax
            //   418bc1               | lea                 eax, [0x31e0a]
            //   99                   | dec                 eax

        $sequence_6 = { 0fb64340 884140 c6434001 488b01 c6404001 488bd3 488bce }
            // n = 7, score = 100
            //   0fb64340             | add                 esp, 4
            //   884140               | dec                 eax
            //   c6434001             | cmp                 ebx, dword ptr [ebp - 0x21]
            //   488b01               | jl                  0x886
            //   c6404001             | dec                 eax
            //   488bd3               | mov                 ecx, dword ptr [edi + 0x88]
            //   488bce               | dec                 esp

        $sequence_7 = { 488d8c2460030000 e8???????? 90 8b4808 898c2408010000 8b480c 898c240c010000 }
            // n = 7, score = 100
            //   488d8c2460030000     | jne                 0x3a2
            //   e8????????           |                     
            //   90                   | nop                 word ptr [eax + eax]
            //   8b4808               | nop                 
            //   898c2408010000       | movzx               eax, byte ptr [ebx + 0x61]
            //   8b480c               | test                al, al
            //   898c240c010000       | jne                 0x2a3

        $sequence_8 = { 03e8 0f1f840000000000 488bd7 488bcb e8???????? 4883c740 48ffce }
            // n = 7, score = 100
            //   03e8                 | mov                 ecx, dword ptr [ebp]
            //   0f1f840000000000     | dec                 eax
            //   488bd7               | lea                 ebx, [esi + 0x70]
            //   488bcb               | dec                 eax
            //   e8????????           |                     
            //   4883c740             | mov                 dword ptr [esp + 0x28], edi
            //   48ffce               | dec                 eax

        $sequence_9 = { 488d055c4f0200 4c3bd0 7405 e8???????? 488bc3 eb02 }
            // n = 6, score = 100
            //   488d055c4f0200       | movzx               ecx, sp
            //   4c3bd0               | mov                 word ptr [ebp + 0x8a], ax
            //   7405                 | dec                 eax
            //   e8????????           |                     
            //   488bc3               | mov                 ecx, edi
            //   eb02                 | mov                 dword ptr [ebp + 0x8c], eax

    condition:
        7 of them and filesize < 742400
}
Download all Yara Rules
NoxPlayer Propose Change

References

Yara Rules

NoxPlayer
