SYMBOLCOMMON_NAMEaka. SYNONYMS
win.poweliks (Back to overview)

Poweliks


There is no description at this point.

References
2015-03-11ZscalerChris Mannon
@online{mannon:20150311:malvertising:8a04865, author = {Chris Mannon}, title = {{Malvertising Targeting European Transit Users}}, date = {2015-03-11}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/malvertising-targeting-european-transit-users}, language = {English}, urldate = {2019-10-14} } Malvertising Targeting European Transit Users
Poweliks
2014-08-20ThisIsSecurityBenkow
@online{benkow:20140820:command:ec27583, author = {Benkow}, title = {{Command Line Confusion}}, date = {2014-08-20}, organization = {ThisIsSecurity}, url = {https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/}, language = {English}, urldate = {2020-01-07} } Command Line Confusion
Poweliks
2014-07-31G DataG Data
@online{data:20140731:poweliks:250c05f, author = {G Data}, title = {{Poweliks: the persistent malware without a file}}, date = {2014-07-31}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file}, language = {English}, urldate = {2020-01-10} } Poweliks: the persistent malware without a file
Poweliks
Yara Rules
[TLP:WHITE] win_poweliks_auto (20221125 | Detects win.poweliks.)
rule win_poweliks_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.poweliks."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poweliks"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 2945f4 8b45fc 8b5df4 03d8 8a4405d0 3a441dd0 }
            // n = 6, score = 200
            //   2945f4               | sub                 dword ptr [ebp - 0xc], eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b5df4               | mov                 ebx, dword ptr [ebp - 0xc]
            //   03d8                 | add                 ebx, eax
            //   8a4405d0             | mov                 al, byte ptr [ebp + eax - 0x30]
            //   3a441dd0             | cmp                 al, byte ptr [ebp + ebx - 0x30]

        $sequence_1 = { 03f2 2945f4 8b45fc 8b5df4 03d8 8a4405d0 3a441dd0 }
            // n = 7, score = 200
            //   03f2                 | add                 esi, edx
            //   2945f4               | sub                 dword ptr [ebp - 0xc], eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b5df4               | mov                 ebx, dword ptr [ebp - 0xc]
            //   03d8                 | add                 ebx, eax
            //   8a4405d0             | mov                 al, byte ptr [ebp + eax - 0x30]
            //   3a441dd0             | cmp                 al, byte ptr [ebp + ebx - 0x30]

        $sequence_2 = { 8a0407 3245ff b108 2acb 8ad0 d2ea }
            // n = 6, score = 200
            //   8a0407               | mov                 al, byte ptr [edi + eax]
            //   3245ff               | xor                 al, byte ptr [ebp - 1]
            //   b108                 | mov                 cl, 8
            //   2acb                 | sub                 cl, bl
            //   8ad0                 | mov                 dl, al
            //   d2ea                 | shr                 dl, cl

        $sequence_3 = { ff45f8 fe45ff 8b45f8 fe45fe 3b450c 72c0 }
            // n = 6, score = 200
            //   ff45f8               | inc                 dword ptr [ebp - 8]
            //   fe45ff               | inc                 byte ptr [ebp - 1]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   fe45fe               | inc                 byte ptr [ebp - 2]
            //   3b450c               | cmp                 eax, dword ptr [ebp + 0xc]
            //   72c0                 | jb                  0xffffffc2

        $sequence_4 = { 58 6a6e 6689459c 58 6a65 6689459e }
            // n = 6, score = 200
            //   58                   | pop                 eax
            //   6a6e                 | push                0x6e
            //   6689459c             | mov                 word ptr [ebp - 0x64], ax
            //   58                   | pop                 eax
            //   6a65                 | push                0x65
            //   6689459e             | mov                 word ptr [ebp - 0x62], ax

        $sequence_5 = { 394df4 72cd 8b703c 03f0 8b8e80000000 }
            // n = 5, score = 200
            //   394df4               | cmp                 dword ptr [ebp - 0xc], ecx
            //   72cd                 | jb                  0xffffffcf
            //   8b703c               | mov                 esi, dword ptr [eax + 0x3c]
            //   03f0                 | add                 esi, eax
            //   8b8e80000000         | mov                 ecx, dword ptr [esi + 0x80]

        $sequence_6 = { b9ff000000 f7f1 8365f800 837d0c00 c645fe01 8855ff 8816 }
            // n = 7, score = 200
            //   b9ff000000           | mov                 ecx, 0xff
            //   f7f1                 | div                 ecx
            //   8365f800             | and                 dword ptr [ebp - 8], 0
            //   837d0c00             | cmp                 dword ptr [ebp + 0xc], 0
            //   c645fe01             | mov                 byte ptr [ebp - 2], 1
            //   8855ff               | mov                 byte ptr [ebp - 1], dl
            //   8816                 | mov                 byte ptr [esi], dl

        $sequence_7 = { 51 6aff ffd0 8b45fc c9 }
            // n = 5, score = 200
            //   51                   | push                ecx
            //   6aff                 | push                -1
            //   ffd0                 | call                eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   c9                   | leave               

        $sequence_8 = { 837d0800 53 56 57 750d 833d????????00 }
            // n = 6, score = 200
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   750d                 | jne                 0xf
            //   833d????????00       |                     

        $sequence_9 = { 83f80f 72eb 83f80f 7503 8975f0 ff45f8 }
            // n = 6, score = 200
            //   83f80f               | cmp                 eax, 0xf
            //   72eb                 | jb                  0xffffffed
            //   83f80f               | cmp                 eax, 0xf
            //   7503                 | jne                 5
            //   8975f0               | mov                 dword ptr [ebp - 0x10], esi
            //   ff45f8               | inc                 dword ptr [ebp - 8]

    condition:
        7 of them and filesize < 115712
}
Download all Yara Rules