SYMBOLCOMMON_NAMEaka. SYNONYMS
win.poohmilk (Back to overview)

PoohMilk Loader

Actor(s): APT37


There is no description at this point.

References
2018-01-16Cisco TalosWarren Mercer, Paul Rascagnères, Jungsoo An
@online{mercer:20180116:korea:f462331, author = {Warren Mercer and Paul Rascagnères and Jungsoo An}, title = {{Korea In The Crosshairs}}, date = {2018-01-16}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html}, language = {English}, urldate = {2020-01-06} } Korea In The Crosshairs
Freenki Loader PoohMilk Loader RokRAT APT37
2017-10-05Palo Alto Networks Unit 42Juan Cortes, Esmid Idrizovic
@online{cortes:20171005:freemilk:a929f1b, author = {Juan Cortes and Esmid Idrizovic}, title = {{FreeMilk: A Highly Targeted Spear Phishing Campaign}}, date = {2017-10-05}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/}, language = {English}, urldate = {2019-12-20} } FreeMilk: A Highly Targeted Spear Phishing Campaign
Freenki Loader PoohMilk Loader
Yara Rules
[TLP:WHITE] win_poohmilk_auto (20230125 | Detects win.poohmilk.)
rule win_poohmilk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.poohmilk."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poohmilk"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 56 ff15???????? 8bf8 83ffff 7430 8b8df0fdffff 6a00 }
            // n = 7, score = 200
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   83ffff               | cmp                 edi, -1
            //   7430                 | je                  0x32
            //   8b8df0fdffff         | mov                 ecx, dword ptr [ebp - 0x210]
            //   6a00                 | push                0

        $sequence_1 = { 3bf1 72c2 8b8574ffffff 8bce 83e107 d3eb }
            // n = 6, score = 200
            //   3bf1                 | cmp                 esi, ecx
            //   72c2                 | jb                  0xffffffc4
            //   8b8574ffffff         | mov                 eax, dword ptr [ebp - 0x8c]
            //   8bce                 | mov                 ecx, esi
            //   83e107               | and                 ecx, 7
            //   d3eb                 | shr                 ebx, cl

        $sequence_2 = { eb19 c7858cd2ffff00000100 898d90d2ffff e9???????? 8bf0 }
            // n = 5, score = 200
            //   eb19                 | jmp                 0x1b
            //   c7858cd2ffff00000100     | mov    dword ptr [ebp - 0x2d74], 0x10000
            //   898d90d2ffff         | mov                 dword ptr [ebp - 0x2d70], ecx
            //   e9????????           |                     
            //   8bf0                 | mov                 esi, eax

        $sequence_3 = { 8bd3 d3ea f7d0 47 83e201 03d0 }
            // n = 6, score = 200
            //   8bd3                 | mov                 edx, ebx
            //   d3ea                 | shr                 edx, cl
            //   f7d0                 | not                 eax
            //   47                   | inc                 edi
            //   83e201               | and                 edx, 1
            //   03d0                 | add                 edx, eax

        $sequence_4 = { 3bca 0f831f020000 83fe0f 0f83d1000000 8b8d64ffffff 8b8570ffffff 2bc8 }
            // n = 7, score = 200
            //   3bca                 | cmp                 ecx, edx
            //   0f831f020000         | jae                 0x225
            //   83fe0f               | cmp                 esi, 0xf
            //   0f83d1000000         | jae                 0xd7
            //   8b8d64ffffff         | mov                 ecx, dword ptr [ebp - 0x9c]
            //   8b8570ffffff         | mov                 eax, dword ptr [ebp - 0x90]
            //   2bc8                 | sub                 ecx, eax

        $sequence_5 = { 7508 3bca 0f85a6000000 85c9 7408 85d2 }
            // n = 6, score = 200
            //   7508                 | jne                 0xa
            //   3bca                 | cmp                 ecx, edx
            //   0f85a6000000         | jne                 0xac
            //   85c9                 | test                ecx, ecx
            //   7408                 | je                  0xa
            //   85d2                 | test                edx, edx

        $sequence_6 = { 8a80fc7b4100 08443b1d 0fb64601 47 }
            // n = 4, score = 200
            //   8a80fc7b4100         | mov                 al, byte ptr [eax + 0x417bfc]
            //   08443b1d             | or                  byte ptr [ebx + edi + 0x1d], al
            //   0fb64601             | movzx               eax, byte ptr [esi + 1]
            //   47                   | inc                 edi

        $sequence_7 = { 8d7940 8981f40d0000 6a08 8981f80d0000 57 }
            // n = 5, score = 200
            //   8d7940               | lea                 edi, [ecx + 0x40]
            //   8981f40d0000         | mov                 dword ptr [ecx + 0xdf4], eax
            //   6a08                 | push                8
            //   8981f80d0000         | mov                 dword ptr [ecx + 0xdf8], eax
            //   57                   | push                edi

        $sequence_8 = { 40 80b9b075410000 74e8 8a13 0fb6ca 0fbe89b0754100 }
            // n = 6, score = 200
            //   40                   | inc                 eax
            //   80b9b075410000       | cmp                 byte ptr [ecx + 0x4175b0], 0
            //   74e8                 | je                  0xffffffea
            //   8a13                 | mov                 dl, byte ptr [ebx]
            //   0fb6ca               | movzx               ecx, dl
            //   0fbe89b0754100       | movsx               ecx, byte ptr [ecx + 0x4175b0]

        $sequence_9 = { 8b8570ffffff 0fb65001 0fb638 8d4e08 }
            // n = 4, score = 200
            //   8b8570ffffff         | mov                 eax, dword ptr [ebp - 0x90]
            //   0fb65001             | movzx               edx, byte ptr [eax + 1]
            //   0fb638               | movzx               edi, byte ptr [eax]
            //   8d4e08               | lea                 ecx, [esi + 8]

    condition:
        7 of them and filesize < 245760
}
Download all Yara Rules