SYMBOLCOMMON_NAMEaka. SYNONYMS
win.opachki (Back to overview)

Opachki


There is no description at this point.

References
2010-03-07Contagiodump BlogMila Parkour
@online{parkour:20100307:march:94846ca, author = {Mila Parkour}, title = {{March 2010 Opachki Trojan update and sample}}, date = {2010-03-07}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2010/03/march-2010-opachki-trojan-update-and.html}, language = {English}, urldate = {2019-12-20} } March 2010 Opachki Trojan update and sample
Opachki
2009-11-11MalekalMalekal Morte
@online{morte:20091111:trojanwin32opachki:14a1a8d, author = {Malekal Morte}, title = {{Trojan:Win32/Opachki : redirections Google}}, date = {2009-11-11}, organization = {Malekal}, url = {https://forum.malekal.com/viewtopic.php?t=21806}, language = {English}, urldate = {2020-01-09} } Trojan:Win32/Opachki : redirections Google
Opachki
2009-11-03InfoSec Handlers Diary BlogBojan Zdrnja
@online{zdrnja:20091103:opachki:96e78eb, author = {Bojan Zdrnja}, title = {{Opachki, from (and to) Russia with love}}, date = {2009-11-03}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/Opachki%2C+from+%28and+to%29+Russia+with+love/7519}, language = {English}, urldate = {2020-01-06} } Opachki, from (and to) Russia with love
Opachki
2009-11-02Contagio DumpMila Parkour
@online{parkour:20091102:win32opachkia:22466d3, author = {Mila Parkour}, title = {{Win32/Opachki.A - Trojan that removes Zeus (but it is not benign)}}, date = {2009-11-02}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2009/11/win32opachkia-trojan-that-removes-zeus.html}, language = {English}, urldate = {2019-12-20} } Win32/Opachki.A - Trojan that removes Zeus (but it is not benign)
Opachki
Yara Rules
[TLP:WHITE] win_opachki_auto (20220808 | Detects win.opachki.)
rule win_opachki_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.opachki."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.opachki"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c3 55 8bec 81ec00010000 ff7508 }
            // n = 5, score = 300
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81ec00010000         | sub                 esp, 0x100
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_1 = { 40 3d00010000 72f1 57 }
            // n = 4, score = 300
            //   40                   | inc                 eax
            //   3d00010000           | cmp                 eax, 0x100
            //   72f1                 | jb                  0xfffffff3
            //   57                   | push                edi

        $sequence_2 = { ff7510 ff75fc ff15???????? 85c0 75e2 ff75fc }
            // n = 6, score = 300
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   75e2                 | jne                 0xffffffe4
            //   ff75fc               | push                dword ptr [ebp - 4]

        $sequence_3 = { 56 ff15???????? 8b450c 8b4808 3bcb 7617 }
            // n = 6, score = 300
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8b4808               | mov                 ecx, dword ptr [eax + 8]
            //   3bcb                 | cmp                 ecx, ebx
            //   7617                 | jbe                 0x19

        $sequence_4 = { 75e5 837d0c00 7413 43 ff4dfc ff4d08 }
            // n = 6, score = 300
            //   75e5                 | jne                 0xffffffe7
            //   837d0c00             | cmp                 dword ptr [ebp + 0xc], 0
            //   7413                 | je                  0x15
            //   43                   | inc                 ebx
            //   ff4dfc               | dec                 dword ptr [ebp - 4]
            //   ff4d08               | dec                 dword ptr [ebp + 8]

        $sequence_5 = { 55 8bec 51 51 8b450c 56 8b7108 }
            // n = 7, score = 300
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   56                   | push                esi
            //   8b7108               | mov                 esi, dword ptr [ecx + 8]

        $sequence_6 = { 56 ff15???????? 56 ff15???????? 6a08 68???????? 8d4de4 }
            // n = 7, score = 300
            // 
            //   ff15????????         |                     
            //   56                   | push                esi
            //   ff15????????         |                     
            //   6a08                 | push                8
            //   68????????           |                     
            //   8d4de4               | lea                 ecx, [ebp - 0x1c]

        $sequence_7 = { 8b4604 8b4e08 c6040800 6a28 }
            // n = 4, score = 300
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   8b4e08               | mov                 ecx, dword ptr [esi + 8]
            //   c6040800             | mov                 byte ptr [eax + ecx], 0
            //   6a28                 | push                0x28

        $sequence_8 = { 014608 8b4608 c6040800 5f 8bc6 5e }
            // n = 6, score = 300
            //   014608               | add                 dword ptr [esi + 8], eax
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   c6040800             | mov                 byte ptr [eax + ecx], 0
            //   5f                   | pop                 edi
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi

        $sequence_9 = { b125 f3aa 83ef25 8b742424 ac 3cf3 7404 }
            // n = 7, score = 200
            //   b125                 | mov                 cl, 0x25
            //   f3aa                 | rep stosb           byte ptr es:[edi], al
            //   83ef25               | sub                 edi, 0x25
            //   8b742424             | mov                 esi, dword ptr [esp + 0x24]
            //   ac                   | lodsb               al, byte ptr [esi]
            //   3cf3                 | cmp                 al, 0xf3
            //   7404                 | je                  6

        $sequence_10 = { 7404 ac 88471e 96 2b442424 aa }
            // n = 6, score = 200
            //   7404                 | je                  6
            //   ac                   | lodsb               al, byte ptr [esi]
            //   88471e               | mov                 byte ptr [edi + 0x1e], al
            //   96                   | xchg                eax, esi
            //   2b442424             | sub                 eax, dword ptr [esp + 0x24]
            //   aa                   | stosb               byte ptr es:[edi], al

        $sequence_11 = { 898389838983 898389838983 898389838585 858585858585 878593859a9a 9a9aa089898985 85a785908583 }
            // n = 7, score = 200
            //   898389838983         | mov                 dword ptr [ebx - 0x7c767c77], eax
            //   898389838983         | mov                 dword ptr [ebx - 0x7c767c77], eax
            //   898389838585         | mov                 dword ptr [ebx - 0x7a7a7c77], eax
            //   858585858585         | test                dword ptr [ebp - 0x7a7a7a7b], eax
            //   878593859a9a         | xchg                dword ptr [ebp - 0x65657a6d], eax
            //   9a9aa089898985       | lcall               0x8589:0x8989a09a
            //   85a785908583         | test                dword ptr [edi - 0x7c7a6f7b], esp

        $sequence_12 = { 750b 08ed 7405 80fd02 7502 b704 }
            // n = 6, score = 200
            //   750b                 | jne                 0xd
            //   08ed                 | or                  ch, ch
            //   7405                 | je                  7
            //   80fd02               | cmp                 ch, 2
            //   7502                 | jne                 4
            //   b704                 | mov                 bh, 4

        $sequence_13 = { 80ff01 7504 ac 884717 80ff02 }
            // n = 5, score = 200
            //   80ff01               | cmp                 bh, 1
            //   7504                 | jne                 6
            //   ac                   | lodsb               al, byte ptr [esi]
            //   884717               | mov                 byte ptr [edi + 0x17], al
            //   80ff02               | cmp                 bh, 2

        $sequence_14 = { 7434 80fe04 752f 08db 752b 46 }
            // n = 6, score = 200
            //   7434                 | je                  0x36
            //   80fe04               | cmp                 dh, 4
            //   752f                 | jne                 0x31
            //   08db                 | or                  bl, bl
            //   752b                 | jne                 0x2d
            //   46                   | inc                 esi

        $sequence_15 = { 7503 80c902 80fff7 7503 80c910 30ff 08ed }
            // n = 7, score = 200
            //   7503                 | jne                 5
            //   80c902               | or                  cl, 2
            //   80fff7               | cmp                 bh, 0xf7
            //   7503                 | jne                 5
            //   80c910               | or                  cl, 0x10
            //   30ff                 | xor                 bh, bh
            //   08ed                 | or                  ch, ch

    condition:
        7 of them and filesize < 122880
}
Download all Yara Rules