win.noxplayer

NoxPlayer


There is no description at this point.

References
2021-10-26 | Kaspersky | Kaspersky Lab ICS CERT
@techreport{cert:20211026:attacks:6f30d0f, author = {Kaspersky Lab ICS CERT}, title = {{APT attacks on industrial organizations in H1 2021}}, date = {2021-10-26}, institution = {Kaspersky}, url = {https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf}, language = {English}, urldate = {2021-11-08} } APT attacks on industrial organizations in H1 2021
8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy
2021-02-01 | ESET Research | Ignacio Sanmillan, Matthieu Faou
@online{sanmillan:20210201:operation:9e52a78, author = {Ignacio Sanmillan and Matthieu Faou}, title = {{Operation NightScout: Supply‑chain attack targets online gaming in Asia}}, date = {2021-02-01}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/}, language = {English}, urldate = {2021-02-17} } Operation NightScout: Supply‑chain attack targets online gaming in Asia
Ghost RAT NoxPlayer Poison Ivy Red Dev 17
Yara Rules
[TLP:WHITE] win_noxplayer_auto (20230125 | Detects win.noxplayer.)
rule win_noxplayer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.noxplayer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.noxplayer"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - The hex byte sequences are the signal. The "| mnemonic" column next to
     *   each byte line is informational only and, in this rule, does not line
     *   up with the bytes on the same line (e.g. 85c0 is `test eax, eax`, not
     *   `cmp dword ptr [ebx], edi`; 33d2 is `xor edx, edx`). Do not base triage
     *   on the mnemonic column; decode the hex if you need the instruction.
     * - Lead bytes 48/41/44/45 in most sequences are REX prefixes, i.e. the
     *   matched code is x86-64; the dec/inc esp/ebp mnemonics shown are the
     *   32-bit reading of the same bytes. Presumably the source sample is a
     *   64-bit PE — confirm against the referenced sample before relying on it.
     * - `????????` wildcards mask 32-bit displacements following call opcodes
     *   (e8 = call rel32, ff15 = call [rip+disp32]) and data references, so
     *   relocation or a rebuilt image does not break the match.
     * - Each "n = N" counts instructions in the sequence; "score = 100" is the
     *   generator's own ranking, not a confidence level for this deployment.
     * - The ESET reference on the Malpedia page describes this family in the
     *   context of a supply-chain attack; if the detected binaries are a
     *   trojanized build of an otherwise benign product, measure the false
     *   positive rate against clean builds of that product before wide rollout
     *   — TODO confirm.
     */

    strings:
        $sequence_0 = { 448b35???????? 413bc6 7c06 448bdf 452bdd 4585db 0f8fd8000000 }
            // n = 7, score = 100
            //   448b35????????       |                     
            //   413bc6               | dec                 esp
            //   7c06                 | mov                 ecx, ebx
            //   448bdf               | dec                 esp
            //   452bdd               | mov                 eax, ebp
            //   4585db               | mov                 edx, dword ptr [esi]
            //   0f8fd8000000         | dec                 eax

        $sequence_1 = { 33d2 41b800020000 ffc6 e8???????? 2bfb 4863c3 ffcf }
            // n = 7, score = 100
            //   33d2                 | dec                 esp
            //   41b800020000         | mov                 ebx, dword ptr [edi + 0x200]
            //   ffc6                 | dec                 esp
            //   e8????????           |                     
            //   2bfb                 | add                 dword ptr [edi + 0x1e0], ebx
            //   4863c3               | dec                 eax
            //   ffcf                 | lea                 ecx, [edi + 0x1e8]

        $sequence_2 = { c7413810000000 48894108 488d4130 488911 48894110 488d4134 48895140 }
            // n = 7, score = 100
            //   c7413810000000       | dec                 eax
            //   48894108             | mov                 dword ptr [ebp + 0x38], eax
            //   488d4130             | dec                 eax
            //   488911               | mov                 dword ptr [eax], ebx
            //   48894110             | dec                 eax
            //   488d4134             | mov                 ecx, esi
            //   48895140             | inc                 ebp

        $sequence_3 = { 488b7550 488b5310 488bce e8???????? 488b1b 488bcf e8???????? }
            // n = 7, score = 100
            //   488b7550             | mov                 ecx, dword ptr [edx + esi*4 + 0xee50]
            //   488b5310             | dec                 eax
            //   488bce               | add                 ecx, edx
            //   e8????????           |                     
            //   488b1b               | nop                 
            //   488bcf               | mov                 eax, dword ptr [ebx]
            //   e8????????           |                     

        $sequence_4 = { c745bc01010000 ff15???????? 4885c0 7429 488d0d11400300 ff15???????? }
            // n = 6, score = 100
            //   c745bc01010000       | dec                 eax
            //   ff15????????         |                     
            //   4885c0               | mov                 ecx, dword ptr [esi]
            //   7429                 | mov                 ebx, dword ptr [esi + 0x24]
            //   488d0d11400300       | dec                 eax
            //   ff15????????         |                     

        $sequence_5 = { 85c0 7546 833b04 7521 8b4604 394304 }
            // n = 6, score = 100
            //   85c0                 | cmp                 dword ptr [ebx], edi
            //   7546                 | je                  0x6e2
            //   833b04               | dec                 eax
            //   7521                 | lea                 ecx, [0xf21d]
            //   8b4604               | inc                 ecx
            //   394304               | mov                 eax, 3

        $sequence_6 = { 48894618 44016f20 33c0 eb03 83c8ff 4883c448 415e }
            // n = 7, score = 100
            //   48894618             | dec                 eax
            //   44016f20             | mov                 eax, dword ptr [eax]
            //   33c0                 | cmp                 byte ptr [eax + 0x1d], 0
            //   eb03                 | jne                 0x1366
            //   83c8ff               | cmp                 byte ptr [eax + 0x1d], 0
            //   4883c448             | jne                 0x1359
            //   415e                 | dec                 eax

        $sequence_7 = { 7509 488907 48895010 eb10 48894118 488b4b18 488b4310 }
            // n = 7, score = 100
            //   7509                 | mov                 edx, eax
            //   488907               | dec                 eax
            //   48895010             | mov                 ecx, dword ptr [eax + 0x10]
            //   eb10                 | dec                 eax
            //   48894118             | mov                 eax, dword ptr [ecx]
            //   488b4b18             | inc                 ecx
            //   488b4310             | cmp                 byte ptr [eax + 0x41], 0

        $sequence_8 = { 488b08 48898e20020000 488b4808 48898e28020000 eb00 }
            // n = 5, score = 100
            //   488b08               | dec                 ecx
            //   48898e20020000       | mov                 ecx, dword ptr [esp]
            //   488b4808             | nop                 dword ptr [eax]
            //   48898e28020000       | dec                 eax
            //   eb00                 | mov                 eax, dword ptr [edi]

        $sequence_9 = { 488bcb ff15???????? 85c0 0f843d010000 488d9560010000 488d0d826d0300 4889bc24f0040000 }
            // n = 7, score = 100
            //   488bcb               | lea                 ecx, [esp + 0xc0]
            //   ff15????????         |                     
            //   85c0                 | int3                
            //   0f843d010000         | inc                 ebp
            //   488d9560010000       | xor                 ecx, ecx
            //   488d0d826d0300       | mov                 edx, 2
            //   4889bc24f0040000     | inc                 esp

    // Match requires 7 of the 10 byte sequences AND a scanned object smaller
    // than 742400 bytes. The size cap applies to whatever YARA is handed: a
    // process memory region, a padded/bundled installer, or an archive member
    // larger than that will not match even if all sequences are present.
    // Raise or drop the filesize clause for memory scanning or large carriers,
    // and re-validate the false positive rate when you do.
    condition:
        7 of them and filesize < 742400
}