SYMBOLCOMMON_NAMEaka. SYNONYMS
win.project_wood (Back to overview)

ProjectWood

VTCollection    

There is no description at this point.

References
2024-01-25ESET ResearchFacundo Muñoz
NSPX30: A sophisticated AitM-enabled implant evolving since 2005
NSPX30 ProjectWood Blackwood TheWizards
2024-01-25JSAC 2024Facundo Muñoz
NSPX30: A sophisticated AitM-enabled implant evolving since 2005
NSPX30 ProjectWood
2014-10-31G DataG Data
OPERATION “TOOHASH”: HOW TARGETED ATTACKS WORK
Cohhoc ProjectWood Gelsemium
2011-10-14SANSFrankie Fu Kay Li
A Detailed Analysis of an Advanced Persistent Threat Malware
ProjectWood
Yara Rules
[TLP:WHITE] win_project_wood_auto (20260504 | Detects win.project_wood.)
rule win_project_wood_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.project_wood."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.project_wood"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8dbead000000 68???????? 57 e8???????? 80bd25ffffff43 59 59 }
            // n = 7, score = 100
            //   8dbead000000         | lea                 edi, [esi + 0xad]
            //   68????????           |                     
            //   57                   | push                edi
            //   e8????????           |                     
            //   80bd25ffffff43       | cmp                 byte ptr [ebp - 0xdb], 0x43
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx

        $sequence_1 = { 83c002 8945e4 50 8d8598ebffff 50 8d85e4feffff 50 }
            // n = 7, score = 100
            //   83c002               | add                 eax, 2
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   50                   | push                eax
            //   8d8598ebffff         | lea                 eax, [ebp - 0x1468]
            //   50                   | push                eax
            //   8d85e4feffff         | lea                 eax, [ebp - 0x11c]
            //   50                   | push                eax

        $sequence_2 = { 6a40 33c0 59 8dbd95fdffff f3ab 66ab aa }
            // n = 7, score = 100
            //   6a40                 | push                0x40
            //   33c0                 | xor                 eax, eax
            //   59                   | pop                 ecx
            //   8dbd95fdffff         | lea                 edi, [ebp - 0x26b]
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   aa                   | stosb               byte ptr es:[edi], al

        $sequence_3 = { 33c0 e9???????? 8bc1 53 99 2bc2 57 }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   8bc1                 | mov                 eax, ecx
            //   53                   | push                ebx
            //   99                   | cdq                 
            //   2bc2                 | sub                 eax, edx
            //   57                   | push                edi

        $sequence_4 = { e8???????? 81ec2c0a0000 53 56 8b7508 57 8965f0 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   81ec2c0a0000         | sub                 esp, 0xa2c
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   57                   | push                edi
            //   8965f0               | mov                 dword ptr [ebp - 0x10], esp

        $sequence_5 = { 7538 ff35???????? e8???????? 8d8500ffffff c70424???????? 50 e8???????? }
            // n = 7, score = 100
            //   7538                 | jne                 0x3a
            //   ff35????????         |                     
            //   e8????????           |                     
            //   8d8500ffffff         | lea                 eax, [ebp - 0x100]
            //   c70424????????       |                     
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_6 = { 3c08 7508 ff8e20090000 eb1b ff8620090000 8a09 }
            // n = 6, score = 100
            //   3c08                 | cmp                 al, 8
            //   7508                 | jne                 0xa
            //   ff8e20090000         | dec                 dword ptr [esi + 0x920]
            //   eb1b                 | jmp                 0x1d
            //   ff8620090000         | inc                 dword ptr [esi + 0x920]
            //   8a09                 | mov                 cl, byte ptr [ecx]

        $sequence_7 = { 8bf1 6a3f 59 33c0 8dbdf9fdffff 80a5f8feffff00 f3ab }
            // n = 7, score = 100
            //   8bf1                 | mov                 esi, ecx
            //   6a3f                 | push                0x3f
            //   59                   | pop                 ecx
            //   33c0                 | xor                 eax, eax
            //   8dbdf9fdffff         | lea                 edi, [ebp - 0x207]
            //   80a5f8feffff00       | and                 byte ptr [ebp - 0x108], 0
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax

        $sequence_8 = { 50 8d85e0f5ffff 50 c745f828010100 e8???????? 8b45fc 83c418 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8d85e0f5ffff         | lea                 eax, [ebp - 0xa20]
            //   50                   | push                eax
            //   c745f828010100       | mov                 dword ptr [ebp - 8], 0x10128
            //   e8????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   83c418               | add                 esp, 0x18

        $sequence_9 = { 42 ebf0 803a00 7504 85f6 750b 8b550c }
            // n = 7, score = 100
            //   42                   | inc                 edx
            //   ebf0                 | jmp                 0xfffffff2
            //   803a00               | cmp                 byte ptr [edx], 0
            //   7504                 | jne                 6
            //   85f6                 | test                esi, esi
            //   750b                 | jne                 0xd
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]

    condition:
        7 of them and filesize < 31137792
}
Download all Yara Rules