puzzlemaker (Malware Family)

puzzlemaker

VTCollection

The dropper module is used to install two executables that pretend to be legitimate files belonging to Microsoft Windows OS. One of these files (%SYSTEM%\WmiPrvMon.exe) is registered as a service and is used as a launcher for the second executable. This second executable (%SYSTEM%\wmimon.dll) has the functionality of a remote shell and can be considered the main payload of the attack.

References

2021-06-08 ⋅ Kaspersky ⋅ Alexey Kulaev, Boris Larin, Costin Raiu
PuzzleMaker attacks with Chrome zero-day exploit chain
Chainshot puzzlemaker

Yara Rules

[TLP:WHITE] win_puzzlemaker_auto (20260504 | Detects win.puzzlemaker.)

rule win_puzzlemaker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.puzzlemaker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.puzzlemaker"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0f857e010000 4c8d3deddafeff 418bd2 4d8b8cc7f02b0200 498bfa 4b8d04f1 443854383e }
            // n = 7, score = 100
            //   0f857e010000         | dec                 eax
            //   4c8d3deddafeff       | lea                 ecx, [0x13bf7]
            //   418bd2               | dec                 eax
            //   4d8b8cc7f02b0200     | add                 esp, 0x5b0
            //   498bfa               | pop                 ebp
            //   4b8d04f1             | ret                 
            //   443854383e           | dec                 esp

        $sequence_1 = { 4181f880000000 72e1 448bc0 4c8d0d470c0200 0f1f8000000000 410fb6d0 }
            // n = 6, score = 100
            //   4181f880000000       | lea                 ecx, [esp + 0x30]
            //   72e1                 | movups              xmm1, xmmword ptr [eax + 0x10]
            //   448bc0               | dec                 eax
            //   4c8d0d470c0200       | lea                 eax, [0xfdba]
            //   0f1f8000000000       | dec                 edx
            //   410fb6d0             | mov                 eax, dword ptr [eax + ebp*8]

        $sequence_2 = { 7e1f 4c8d0538dafeff 4b8b8ce0f02b0200 4803ca }
            // n = 4, score = 100
            //   7e1f                 | inc                 ebp
            //   4c8d0538dafeff       | xor                 eax, eax
            //   4b8b8ce0f02b0200     | dec                 eax
            //   4803ca               | lea                 ecx, [ebx + ebx*4]

        $sequence_3 = { 0f1103 48894310 4c896b08 c7431001000000 488bce ff15???????? }
            // n = 6, score = 100
            //   0f1103               | lock xadd           dword ptr [ebx + 0x10], edi
            //   48894310             | dec                 eax
            //   4c896b08             | mov                 eax, dword ptr [ebx + 8]
            //   c7431001000000       | dec                 eax
            //   488bce               | mov                 ecx, dword ptr [eax]
            //   ff15????????         |                     

        $sequence_4 = { 498bc2 458bf1 48c1f806 488d0d80000100 4183e23f }
            // n = 5, score = 100
            //   498bc2               | mov                 dword ptr [ebp + 0x200], eax
            //   458bf1               | dec                 eax
            //   48c1f806             | test                eax, eax
            //   488d0d80000100       | xor                 edx, edx
            //   4183e23f             | mov                 dword ptr [ebp - 0x70], 0x238

        $sequence_5 = { c3 48897c2408 488d3dac420100 488d05b5430100 483bc7 488b05???????? 481bc9 }
            // n = 7, score = 100
            //   c3                   | movsx               eax, byte ptr [ecx + eax + 0x164b8]
            //   48897c2408           | shr                 eax, cl
            //   488d3dac420100       | dec                 ecx
            //   488d05b5430100       | mov                 dword ptr [ecx + 8], edx
            //   483bc7               | inc                 ecx
            //   488b05????????       |                     
            //   481bc9               | mov                 dword ptr [ecx + 0x1c], eax

        $sequence_6 = { eb19 488d3d5e400100 eb10 488d3d65400100 eb07 488d3d44400100 }
            // n = 6, score = 100
            //   eb19                 | mov                 edx, edi
            //   488d3d5e400100       | xor                 ecx, ecx
            //   eb10                 | inc                 esp
            //   488d3d65400100       | mov                 dword ptr [esp + 0x20], ebp
            //   eb07                 | dec                 esp
            //   488d3d44400100       | lea                 ecx, [ebp - 0x11]

        $sequence_7 = { 7479 488d0d86330100 483bc1 746d }
            // n = 4, score = 100
            //   7479                 | dec                 eax
            //   488d0d86330100       | mov                 dword ptr [ebx], ecx
            //   483bc1               | dec                 eax
            //   746d                 | lea                 edx, [ebx + 8]

        $sequence_8 = { 4883ec20 488bd9 488bc2 488d0d053b0100 0f57c0 }
            // n = 5, score = 100
            //   4883ec20             | xor                 ecx, ecx
            //   488bd9               | cmp                 eax, 1
            //   488bc2               | jne                 0x879
            //   488d0d053b0100       | dec                 eax
            //   0f57c0               | lea                 eax, [0x16976]

        $sequence_9 = { 3bf0 7c36 4c8d3d454e0100 49393cdf 7402 }
            // n = 5, score = 100
            //   3bf0                 | inc                 edx
            //   7c36                 | movzx               ecx, byte ptr [edx + edx]
            //   4c8d3d454e0100       | dec                 esp
            //   49393cdf             | lea                 ecx, [0xffffb024]
            //   7402                 | dec                 ecx

    condition:
        7 of them and filesize < 331776
}

Download all Yara Rules

puzzlemaker Propose Change

References

Yara Rules

puzzlemaker