SYMBOLCOMMON_NAMEaka. SYNONYMS
win.puzzlemaker (Back to overview)

puzzlemaker

Actor(s): [Unnamed group]


The dropper module is used to install two executables that pretend to be legitimate files belonging to Microsoft Windows OS. One of these files (%SYSTEM%\WmiPrvMon.exe) is registered as a service and is used as a launcher for the second executable. This second executable (%SYSTEM%\wmimon.dll) has the functionality of a remote shell and can be considered the main payload of the attack.

References
2021-06-08KasperskyBoris Larin, Costin Raiu, Alexey Kulaev
@online{larin:20210608:puzzlemaker:43c7dfa, author = {Boris Larin and Costin Raiu and Alexey Kulaev}, title = {{PuzzleMaker attacks with Chrome zero-day exploit chain}}, date = {2021-06-08}, organization = {Kaspersky}, url = {https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/}, language = {English}, urldate = {2021-06-16} } PuzzleMaker attacks with Chrome zero-day exploit chain
Chainshot puzzlemaker
Yara Rules
[TLP:WHITE] win_puzzlemaker_auto (20230125 | Detects win.puzzlemaker.)
rule win_puzzlemaker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.puzzlemaker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.puzzlemaker"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6683e07f f30f6f05???????? 668905???????? 0fb705???????? 66d1e8 6683e07f 668905???????? }
            // n = 7, score = 100
            //   6683e07f             | mov                 edx, 0x184
            //   f30f6f05????????     |                     
            //   668905????????       |                     
            //   0fb705????????       |                     
            //   66d1e8               | dec                 eax
            //   6683e07f             | lea                 ecx, [ebp + 0x210]
            //   668905????????       |                     

        $sequence_1 = { 7425 488d1582e20100 8bc8 e8???????? 85c0 740e }
            // n = 6, score = 100
            //   7425                 | shr                 ax, 1
            //   488d1582e20100       | and                 ax, 0x7f
            //   8bc8                 | mov                 word ptr [ecx - 2], ax
            //   e8????????           |                     
            //   85c0                 | dec                 eax
            //   740e                 | sub                 edx, 1

        $sequence_2 = { 5d c3 4c8d0500890000 eb10 4c8d05ef880000 }
            // n = 5, score = 100
            //   5d                   | add                 esp, 0x20
            //   c3                   | pop                 edi
            //   4c8d0500890000       | ret                 
            //   eb10                 | dec                 eax
            //   4c8d05ef880000       | mov                 dword ptr [esp + 8], edi

        $sequence_3 = { 4c8d0525cc0100 4c896c2458 488d15e1040200 4c896c2450 }
            // n = 4, score = 100
            //   4c8d0525cc0100       | dec                 eax
            //   4c896c2458           | mov                 ecx, edi
            //   488d15e1040200       | mov                 ebx, eax
            //   4c896c2450           | dec                 eax

        $sequence_4 = { 498bdd 48895db7 4885db 0f84ca000000 4c896c2428 4c896c2420 }
            // n = 6, score = 100
            //   498bdd               | vfmsub213sd         xmm5, xmm6, xmm1
            //   48895db7             | inc                 ecx
            //   4885db               | movups              xmm0, xmmword ptr [ecx + eax*8]
            //   0f84ca000000         | dec                 eax
            //   4c896c2428           | lea                 edx, [0x9d92]
            //   4c896c2420           | movsd               xmm2, qword ptr [edx + eax*8]

        $sequence_5 = { ff15???????? 488b4ddf 488b01 ff5010 488b4dcf }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   488b4ddf             | dec                 eax
            //   488b01               | mov                 dword ptr [esp + 8], ebx
            //   ff5010               | dec                 eax
            //   488b4dcf             | mov                 dword ptr [esp + 0x10], esi

        $sequence_6 = { e9???????? 498bc4 488d0d14fe0000 83e03f 4d8bec 49c1fd06 4c8d3cc0 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   498bc4               | sub                 esp, 0x20
            //   488d0d14fe0000       | mov                 ebx, ecx
            //   83e03f               | dec                 esp
            //   4d8bec               | lea                 ecx, [0x10efd]
            //   49c1fd06             | mov                 ecx, 1
            //   4c8d3cc0             | dec                 esp

        $sequence_7 = { 488d4808 0f1102 e8???????? 488d05183b0100 488903 488bc3 }
            // n = 6, score = 100
            //   488d4808             | mov                 edx, edi
            //   0f1102               | xor                 ecx, ecx
            //   e8????????           |                     
            //   488d05183b0100       | mov                 ebx, eax
            //   488903               | test                eax, eax
            //   488bc3               | mov                 ebx, eax

        $sequence_8 = { 4883f9fd 7706 ff15???????? 488364243000 488d0d349b0000 }
            // n = 5, score = 100
            //   4883f9fd             | dec                 eax
            //   7706                 | lea                 ecx, [0x9be3]
            //   ff15????????         |                     
            //   488364243000         | inc                 ebp
            //   488d0d349b0000       | xor                 ecx, ecx

        $sequence_9 = { e8???????? 90 488d1dde9a0100 488d3577800100 48895c2420 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   90                   | mov                 dword ptr [esp + 0x30], ebp
            //   488d1dde9a0100       | mov                 dword ptr [esp + 0x28], 2
            //   488d3577800100       | dec                 eax
            //   48895c2420           | mov                 ecx, edi

    condition:
        7 of them and filesize < 331776
}
Download all Yara Rules