win.puzzlemaker

puzzlemaker

Actor(s): [Unnamed group]


The dropper module installs two executables that masquerade as legitimate Microsoft Windows OS files. The first (%SYSTEM%\WmiPrvMon.exe) is registered as a service and acts as a launcher for the second. The second file (%SYSTEM%\wmimon.dll) implements a remote shell and can be considered the main payload of the attack.

References
2021-06-08 | Kaspersky | Boris Larin, Costin Raiu, Alexey Kulaev
@online{larin:20210608:puzzlemaker:43c7dfa, author = {Boris Larin and Costin Raiu and Alexey Kulaev}, title = {{PuzzleMaker attacks with Chrome zero-day exploit chain}}, date = {2021-06-08}, organization = {Kaspersky}, url = {https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/}, language = {English}, urldate = {2021-06-16} } PuzzleMaker attacks with Chrome zero-day exploit chain
Chainshot puzzlemaker
Yara Rules
[TLP:WHITE] win_puzzlemaker_auto (20220516 | Detects win.puzzlemaker.)
rule win_puzzlemaker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.puzzlemaker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.puzzlemaker"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review)
     * The hex sequences are the authoritative part of this rule. The per-instruction
     * mnemonics below were re-derived by hand from the bytes in 64-bit mode; the
     * annotations originally shipped with the rule were a 32-bit-mode decode that was
     * also offset relative to the bytes (the 0x48 REX.W prefix showed up as `dec eax`),
     * so they did not describe the matched code. Confirm with a 64-bit disassembler
     * before relying on these when tuning or triaging hits.
     * `??` bytes wildcard rel32 call targets and RIP-relative import slots, which
     * differ between builds; the surrounding opcode bytes still have to match exactly.
     */

    strings:
        // Reference-count release: lock xadd with -1 on [rbx+0x10], preceded by a
        // null check on the object pointer. Common smart-pointer/COM-style epilogue.
        $sequence_0 = { 4883ec20 488b19 488bf9 4885db 744e b8ffffffff f00fc14310 }
            // n = 7, score = 100
            //   4883ec20             | sub                 rsp, 0x20
            //   488b19               | mov                 rbx, qword ptr [rcx]
            //   488bf9               | mov                 rdi, rcx
            //   4885db               | test                rbx, rbx
            //   744e                 | je                  +0x4e
            //   b8ffffffff           | mov                 eax, 0xffffffff
            //   f00fc14310           | lock xadd           dword ptr [rbx + 0x10], eax

        // Chain of four calls; the RIP-relative lea loads an address 0xc2c past the
        // instruction (target not visible here).
        $sequence_1 = { 7473 e8???????? 488d0d2c0c0000 e8???????? e8???????? 8bc8 e8???????? }
            // n = 7, score = 100
            //   7473                 | je                  +0x73
            //   e8????????           | call                rel32 (wildcarded)
            //   488d0d2c0c0000       | lea                 rcx, [rip + 0xc2c]
            //   e8????????           | call                rel32 (wildcarded)
            //   e8????????           | call                rel32 (wildcarded)
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           | call                rel32 (wildcarded)

        $sequence_2 = { 488bd8 eb02 33db 4c8d35ed16ffff }
            // n = 4, score = 100
            //   488bd8               | mov                 rbx, rax
            //   eb02                 | jmp                 +2
            //   33db                 | xor                 ebx, ebx
            //   4c8d35ed16ffff       | lea                 r14, [rip - 0xe913]

        // NOTE(review): fd & 0x3f, index*9*8 into a table and a bit test at +0x38 looks
        // like the MSVC/UCRT file-descriptor (__pioinfo) lookup. If so this is statically
        // linked library code shared by many binaries and adds little specificity on its
        // own; confirm before giving this sequence weight in triage.
        $sequence_3 = { 4c8d05a4080100 83e23f 488d14d2 498b04c0 f644d03801 7424 e8???????? }
            // n = 7, score = 100
            //   4c8d05a4080100       | lea                 r8, [rip + 0x108a4]
            //   83e23f               | and                 edx, 0x3f
            //   488d14d2             | lea                 rdx, [rdx + rdx*8]
            //   498b04c0             | mov                 rax, qword ptr [r8 + rax*8]
            //   f644d03801           | test                byte ptr [rax + rdx*8 + 0x38], 1
            //   7424                 | je                  +0x24
            //   e8????????           | call                rel32 (wildcarded)

        // Indirect call through an import slot with edx = -1, ecx = 0 (API not resolvable
        // from the bytes alone).
        $sequence_4 = { bfffffffff 8bd7 33c9 ff15???????? }
            // n = 4, score = 100
            //   bfffffffff           | mov                 edi, 0xffffffff
            //   8bd7                 | mov                 edx, edi
            //   33c9                 | xor                 ecx, ecx
            //   ff15????????         | call                qword ptr [rip + disp32] (wildcarded)

        // Loads a pointer from a table at r15+0x17368 indexed by rsi, then sets up a call
        // with rcx = that pointer, rdx = 0, r8d = 0x800.
        $sequence_5 = { 4d8bbcf768730100 33d2 498bcf 41b800080000 }
            // n = 4, score = 100
            //   4d8bbcf768730100     | mov                 r15, qword ptr [r15 + rsi*8 + 0x17368]
            //   33d2                 | xor                 edx, edx
            //   498bcf               | mov                 rcx, r15
            //   41b800080000         | mov                 r8d, 0x800

        // Table-driven shift (cl from a byte table at +0x164c8); consistent with
        // decompression or decoding code, though the algorithm is not identifiable here.
        $sequence_6 = { 428a8c19c8640100 482bd0 8b42fc d3e8 498911 }
            // n = 5, score = 100
            //   428a8c19c8640100     | mov                 cl, byte ptr [rcx + r11 + 0x164c8]
            //   482bd0               | sub                 rdx, rax
            //   8b42fc               | mov                 eax, dword ptr [rdx - 4]
            //   d3e8                 | shr                 eax, cl
            //   498911               | mov                 qword ptr [r9], rdx

        // Three-argument call through a register (r8 = 0, rdx = *rbx, rcx from a stack slot).
        $sequence_7 = { 4533c0 488b13 488b4dd7 ffd6 }
            // n = 4, score = 100
            //   4533c0               | xor                 r8d, r8d
            //   488b13               | mov                 rdx, qword ptr [rbx]
            //   488b4dd7             | mov                 rcx, qword ptr [rbp - 0x29]
            //   ffd6                 | call                rsi

        // Selects one of two RIP-relative data addresses into rdi, then zeroes a stack slot.
        $sequence_8 = { 488d3d65400100 eb07 488d3d44400100 4883a4248000000000 4584f6 }
            // n = 5, score = 100
            //   488d3d65400100       | lea                 rdi, [rip + 0x14065]
            //   eb07                 | jmp                 +7
            //   488d3d44400100       | lea                 rdi, [rip + 0x14044]
            //   4883a4248000000000   | and                 qword ptr [rsp + 0x80], 0
            //   4584f6               | test                r14b, r14b

        // Loop tail: steps r9 by 2 (likely a UTF-16 pointer) while r8d < 0x104 (MAX_PATH + 4).
        $sequence_9 = { 4983c102 4181f804010000 72e1 448bc0 4c8d0d1f0e0200 0f1f8000000000 }
            // n = 6, score = 100
            //   4983c102             | add                 r9, 2
            //   4181f804010000       | cmp                 r8d, 0x104
            //   72e1                 | jb                  -0x1f
            //   448bc0               | mov                 r8d, eax
            //   4c8d0d1f0e0200       | lea                 r9, [rip + 0x20e1f]
            //   0f1f8000000000       | nop                 dword ptr [rax + 0]

    condition:
        // 7 of the 10 sequences must be present. The size cap (331776 = 0x51000, just over
        // 324 KiB) is derived from the single reference sample and will stop the rule firing
        // on larger carriers (archives, memory dumps, repacked builds). When scanning process
        // memory rather than a file, `filesize` is undefined and the conjunction is expected to
        // evaluate false -- confirm against your YARA version, or drop the clause for memory scans.
        7 of them and filesize < 331776
}