win.poohmilk

PoohMilk Loader

Actor(s): APT37


There is no description at this point.

References
2018-01-16Cisco TalosWarren Mercer, Paul Rascagnères, Jungsoo An
@online{mercer:20180116:korea:f462331, author = {Warren Mercer and Paul Rascagnères and Jungsoo An}, title = {{Korea In The Crosshairs}}, date = {2018-01-16}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html}, language = {English}, urldate = {2020-01-06} } Korea In The Crosshairs
Freenki Loader PoohMilk Loader RokRAT APT37
2017-10-05Palo Alto Networks Unit 42Juan Cortes, Esmid Idrizovic
@online{cortes:20171005:freemilk:a929f1b, author = {Juan Cortes and Esmid Idrizovic}, title = {{FreeMilk: A Highly Targeted Spear Phishing Campaign}}, date = {2017-10-05}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/}, language = {English}, urldate = {2019-12-20} } FreeMilk: A Highly Targeted Spear Phishing Campaign
Freenki Loader PoohMilk Loader
Yara Rules
[TLP:WHITE] win_poohmilk_auto (20220808 | Detects win.poohmilk.)
// Autogenerated YARA-Signator rule for the PoohMilk loader (win.poohmilk).
// Each $sequence_N string is a run of instruction bytes lifted from disassembly;
// the commented listing under every string shows the bytes and their decoding.
rule win_poohmilk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.poohmilk."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poohmilk"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Every hex string below is a contiguous byte sequence. "??" marks
    // wildcarded bytes (here most likely an absolute data address in
    // $sequence_1 and a relative jump target in $sequence_4) that differ
    // between builds, which is why the listing shows no decoding for those
    // lines. In the per-string comments, "n" is the number of instructions
    // in the sequence; "score" is yara-signator's ranking value, whose scale
    // is not documented on this page.
    strings:
        $sequence_0 = { 898d58ffffff 894dbc 894db8 898d48ffffff 898d54ffffff }
            // n = 5, score = 200
            //   898d58ffffff         | mov                 dword ptr [ebp - 0xa8], ecx
            //   894dbc               | mov                 dword ptr [ebp - 0x44], ecx
            //   894db8               | mov                 dword ptr [ebp - 0x48], ecx
            //   898d48ffffff         | mov                 dword ptr [ebp - 0xb8], ecx
            //   898d54ffffff         | mov                 dword ptr [ebp - 0xac], ecx

        $sequence_1 = { a1???????? 33c4 89842434080000 56 57 }
            // n = 5, score = 200
            //   a1????????           |                     
            //   33c4                 | xor                 eax, esp
            //   89842434080000       | mov                 dword ptr [esp + 0x834], eax
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_2 = { 85c0 7811 c1f809 85c0 }
            // n = 4, score = 200
            //   85c0                 | test                eax, eax
            //   7811                 | js                  0x13
            //   c1f809               | sar                 eax, 9
            //   85c0                 | test                eax, eax

        $sequence_3 = { ffd3 8d85a0f3ffff 50 8d8decfdffff 51 }
            // n = 5, score = 200
            //   ffd3                 | call                ebx
            //   8d85a0f3ffff         | lea                 eax, [ebp - 0xc60]
            //   50                   | push                eax
            //   8d8decfdffff         | lea                 ecx, [ebp - 0x214]
            //   51                   | push                ecx

        $sequence_4 = { c3 8b8574ffffff c78568ffffff01000000 c70019000000 e9???????? }
            // n = 5, score = 200
            //   c3                   | ret                 
            //   8b8574ffffff         | mov                 eax, dword ptr [ebp - 0x8c]
            //   c78568ffffff01000000     | mov    dword ptr [ebp - 0x98], 1
            //   c70019000000         | mov                 dword ptr [eax], 0x19
            //   e9????????           |                     

        $sequence_5 = { eb2b 83fe0a 7626 b90a000000 8bff 8bd3 }
            // n = 6, score = 200
            //   eb2b                 | jmp                 0x2d
            //   83fe0a               | cmp                 esi, 0xa
            //   7626                 | jbe                 0x28
            //   b90a000000           | mov                 ecx, 0xa
            //   8bff                 | mov                 edi, edi
            //   8bd3                 | mov                 edx, ebx

        $sequence_6 = { 03ca b871800780 f7e3 c1ea0f 69d20f00ffff 03da 29bd54ffffff }
            // n = 7, score = 200
            //   03ca                 | add                 ecx, edx
            //   b871800780           | mov                 eax, 0x80078071
            //   f7e3                 | mul                 ebx
            //   c1ea0f               | shr                 edx, 0xf
            //   69d20f00ffff         | imul                edx, edx, 0xffff000f
            //   03da                 | add                 ebx, edx
            //   29bd54ffffff         | sub                 dword ptr [ebp - 0xac], edi

        $sequence_7 = { 0f85ae000000 8b9570d2ffff 8b5238 837a3400 0f859b000000 8bbd90d2ffff }
            // n = 6, score = 200
            //   0f85ae000000         | jne                 0xb4
            //   8b9570d2ffff         | mov                 edx, dword ptr [ebp - 0x2d90]
            //   8b5238               | mov                 edx, dword ptr [edx + 0x38]
            //   837a3400             | cmp                 dword ptr [edx + 0x34], 0
            //   0f859b000000         | jne                 0xa1
            //   8bbd90d2ffff         | mov                 edi, dword ptr [ebp - 0x2d70]

        $sequence_8 = { d3e0 83c608 0bd8 83fe0f 0f8269ffffff eb26 8b8570ffffff }
            // n = 7, score = 200
            //   d3e0                 | shl                 eax, cl
            //   83c608               | add                 esi, 8
            //   0bd8                 | or                  ebx, eax
            //   83fe0f               | cmp                 esi, 0xf
            //   0f8269ffffff         | jb                  0xffffff6f
            //   eb26                 | jmp                 0x28
            //   8b8570ffffff         | mov                 eax, dword ptr [ebp - 0x90]

        $sequence_9 = { 8b4508 53 56 8bd9 33c9 57 8bfa }
            // n = 7, score = 200
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8bd9                 | mov                 ebx, ecx
            //   33c9                 | xor                 ecx, ecx
            //   57                   | push                edi
            //   8bfa                 | mov                 edi, edx

    // Fires when at least 7 of the 10 sequences are present and the scanned
    // object is smaller than 245760 bytes (240 KiB). Because the sequences
    // come from memory dumps and unpacked files (see DISCLAIMER), the rule
    // is presumably tuned to unpacked code; a packed on-disk sample may not
    // match, and a larger unpacked image is excluded by the size bound —
    // validate both limits against your own sample set before relying on it.
    condition:
        7 of them and filesize < 245760
}