Malpedia family identifier: win.noxplayer

NoxPlayer


There is no description at this point. The only reference listed below is ESET Research's Operation NightScout write-up (2021-02-01), which reports a supply-chain attack targeting online gaming in Asia; that reference is also linked to the Ghost RAT and Poison Ivy families. NoxPlayer is the name of a commercial product, so treat this entry as covering the component documented in that report rather than the product in general, and confirm any detection against the reference before escalating.

References
2021-02-01 — ESET Research — Ignacio Sanmillan, Matthieu Faou
@online{sanmillan:20210201:operation:9e52a78, author = {Ignacio Sanmillan and Matthieu Faou}, title = {{Operation NightScout: Supply‑chain attack targets online gaming in Asia}}, date = {2021-02-01}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/}, language = {English}, urldate = {2021-02-17} } Operation NightScout: Supply‑chain attack targets online gaming in Asia
Families linked to this reference: Ghost RAT, NoxPlayer, Poison Ivy
Yara Rules
[TLP:WHITE] win_noxplayer_auto (20211008 | Detects win.noxplayer.)
// Auto-generated Malpedia detection rule for the family tracked as
// win.noxplayer. The detection logic is the ten hex byte sequences in the
// strings section; the condition fires when any 7 of the 10 are present in
// a file smaller than 742,400 bytes.
rule win_noxplayer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.noxplayer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.noxplayer"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (practitioner caveats, added on review)
     * - The sequences begin with 0x48/0x4c/0x41/0x45/0x49 bytes, i.e. x86-64
     *   REX prefixes, so the rule targets 64-bit code. The per-line
     *   disassembly comments below do NOT reliably correspond to the hex bytes
     *   on the same line (e.g. `4883ec40` is annotated as `je`, and REX-prefixed
     *   64-bit instructions show up as `dec eax`). Treat the hex bytes as the
     *   authoritative detection logic and the mnemonics as informational only.
     * - The `????????` wildcards mask the 4-byte displacements of call/jump
     *   instructions (`e8`, `e9`, `ff15`) and data references, per the
     *   signator_config "callsandjumps;datarefs", so the rule tolerates
     *   relocation of those targets.
     * - The `filesize < 742400` bound is derived from the single documented
     *   sample. A repacked or larger build of the same code will not match,
     *   and when scanning process memory rather than files, check how your
     *   scanner defines filesize before relying on this bound.
     * - "NoxPlayer" is the name of a commercial product, and the Malpedia
     *   entry is linked to a supply-chain attack write-up (ESET, Operation
     *   NightScout). Whether these byte sequences are specific to the
     *   trojanized component or also occur in legitimate NoxPlayer builds
     *   cannot be determined from this rule alone; validate hits against
     *   known-good installers before treating them as malicious.
     */


    strings:
        // Each sequence: n = number of instructions in the sequence,
        // score = selection score assigned by yara-signator.
        $sequence_0 = { 4883ec40 488b05???????? 4833c4 4889442438 418be8 4533c0 488bf2 }
            // n = 7, score = 100
            //   4883ec40             | je                  0x1a04
            //   488b05????????       |                     
            //   4833c4               | dec                 eax
            //   4889442438           | mov                 ecx, dword ptr [esp + 0x50]
            //   418be8               | dec                 eax
            //   4533c0               | and                 dword ptr [esp + 0x20], 0
            //   488bf2               | dec                 eax

        $sequence_1 = { 85c0 742b ff15???????? 448bc8 4533c0 8d5601 }
            // n = 6, score = 100
            //   85c0                 | mov                 ecx, dword ptr [ecx + 0x20]
            //   742b                 | inc                 dword ptr [edx]
            //   ff15????????         |                     
            //   448bc8               | mov                 eax, dword ptr [ecx + 0xc]
            //   4533c0               | and                 eax, 0x1fffffff
            //   8d5601               | cmp                 dword ptr [esi], eax

        $sequence_2 = { ff15???????? 83f8ff 743f 0f1f840000000000 b9e8030000 ff15???????? 488d942490020000 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   83f8ff               | mov                 edx, dword ptr [ebx + 0x18]
            //   743f                 | dec                 eax
            //   0f1f840000000000     | mov                 ecx, dword ptr [eax + 0x18]
            //   b9e8030000           | dec                 eax
            //   ff15????????         |                     
            //   488d942490020000     | cmp                 dword ptr [edx + 0x18], ecx

        $sequence_3 = { c6411c00 488b4208 488b5008 e9???????? 483b10 754e 488b08 }
            // n = 7, score = 100
            //   c6411c00             | dec                 eax
            //   488b4208             | mov                 esi, edx
            //   488b5008             | dec                 eax
            //   e9????????           |                     
            //   483b10               | mov                 ebx, ecx
            //   754e                 | dec                 eax
            //   488b08               | lea                 edx, dword ptr [ecx + 0x10]

        $sequence_4 = { 488bc2 482bc2 48c1f803 488d3cc500000000 4c8bc7 488bcb }
            // n = 6, score = 100
            //   488bc2               | xor                 edx, edx
            //   482bc2               | xor                 ecx, ecx
            //   48c1f803             | dec                 eax
            //   488d3cc500000000     | mov                 dword ptr [esi + 0x60], eax
            //   4c8bc7               | inc                 ebp
            //   488bcb               | xor                 eax, eax

        $sequence_5 = { 482b442478 483b442430 7733 0fb64662 84c0 e9???????? 488b07 }
            // n = 7, score = 100
            //   482b442478           | mov                 ecx, dword ptr [ebx + 0x220]
            //   483b442430           | mov                 byte ptr [ebp + 0x38], 1
            //   7733                 | dec                 esp
            //   0fb64662             | lea                 eax, dword ptr [ebp + 0x38]
            //   84c0                 | dec                 eax
            //   e9????????           |                     
            //   488b07               | mov                 ecx, dword ptr [ecx + 8]

        $sequence_6 = { ff4b28 897b24 b001 eb18 488b4310 }
            // n = 5, score = 100
            //   ff4b28               | dec                 esp
            //   897b24               | lea                 edx, dword ptr [ebp + ebp*2]
            //   b001                 | dec                 esp
            //   eb18                 | lea                 ebx, dword ptr [0x25164]
            //   488b4310             | dec                 ecx

        $sequence_7 = { 458d4803 498bc8 4c8d150de10200 498bc0 48c1f805 83e11f 498b04c2 }
            // n = 7, score = 100
            //   458d4803             | cmp                 byte ptr [edi + 0x21], 0
            //   498bc8               | je                  0xded
            //   4c8d150de10200       | mov                 eax, dword ptr [ebx + 0x10]
            //   498bc0               | mov                 edx, dword ptr [ecx + 0x10]
            //   48c1f805             | cmp                 eax, edx
            //   83e11f               | jl                  0xdbd
            //   498b04c2             | mov                 dword ptr [ebx + 0x28], ebp

        $sequence_8 = { 443bc0 7504 33c9 eb04 418d4801 43890ca7 488b03 }
            // n = 7, score = 100
            //   443bc0               | dec                 eax
            //   7504                 | mov                 dword ptr [edx], ecx
            //   33c9                 | dec                 eax
            //   eb04                 | mov                 edx, dword ptr [esi + 8]
            //   418d4801             | dec                 eax
            //   43890ca7             | mov                 ecx, dword ptr [edx + 8]
            //   488b03               | dec                 eax

        $sequence_9 = { 0f846f010000 41be01000000 4c8d256e890100 498b0c24 4d8bc5 488bd3 e8???????? }
            // n = 7, score = 100
            //   0f846f010000         | dec                 esp
            //   41be01000000         | cmove               edx, ebp
            //   4c8d256e890100       | dec                 ecx
            //   498b0c24             | mov                 eax, dword ptr [edx]
            //   4d8bc5               | dec                 ecx
            //   488bd3               | mov                 ecx, dword ptr [esp]
            //   e8????????           |                     

    condition:
        // Any 7 of the 10 sequences, and a size cap taken from the documented
        // sample (see REVIEW NOTES above on its limits).
        7 of them and filesize < 742400
}