win.pykspa

Pykspa


According to Akamai, Pykspa is a worm that spreads via Skype by sending messages to other Skype users containing download links. Once downloaded, Pykspa extracts personal information and communicates with its command-and-control (C2) servers using a domain generation algorithm (DGA).

References
2019-07-11 — Akamai — Lior Lahav
Pykspa V2 DHA Updated to Become Selective
Pykspa
2018-01-11 — Youtube (OALabs) — Sergei Frankoff
Unpacking Pykspa Malware With Python and IDA Pro - Subscriber Request Part 1
Pykspa
2015-07-19 — Johannes Bader Blog — Johannes Bader
The Faulty Precursor of Pykspa's DGA
Pykspa
2015-03-10 — Johannes Bader Blog — Johannes Bader
The DGA of Pykspa
Pykspa
Yara Rules
[TLP:WHITE] win_pykspa_auto (20230808 | Detects win.pykspa.)
// Autogenerated YARA-Signator rule for the Pykspa family (win.pykspa).
// Each $sequence_* string is a 7-instruction x86 code fragment (n = 7 in the
// per-string comments); the disassembly of every byte group is listed next to it.
rule win_pykspa_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.pykspa."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pykspa"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        // NOTE(review): `date` (2023-12-06) is later than malpedia_rule_date
        // (20231130) and malpedia_version (20230808); presumably the rule was
        // regenerated against an earlier dataset snapshot -- confirm before using
        // these fields for provenance tracking.

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // "??" bytes are wildcards. They appear where the disassembly column is
        // left blank: 4-byte immediate operands (absolute data addresses, call
        // and import targets) that differ between builds and load addresses, so
        // only the opcode bytes are matched.
        $sequence_0 = { 8b5c240c 57 8b7c240c 3bfb 7513 57 8b7c2418 }
            // n = 7, score = 100
            //   8b5c240c             | mov                 ebx, dword ptr [esp + 0xc]
            //   57                   | push                edi
            //   8b7c240c             | mov                 edi, dword ptr [esp + 0xc]
            //   3bfb                 | cmp                 edi, ebx
            //   7513                 | jne                 0x15
            //   57                   | push                edi
            //   8b7c2418             | mov                 edi, dword ptr [esp + 0x18]

        $sequence_1 = { 6a00 c6400e01 ff15???????? cc 55 8bec b89c110000 }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   c6400e01             | mov                 byte ptr [eax + 0xe], 1
            //   ff15????????         |                     
            //   cc                   | int3                
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   b89c110000           | mov                 eax, 0x119c

        $sequence_2 = { c3 a1???????? 85c0 7501 c3 8b4818 85c9 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   a1????????           |                     
            //   85c0                 | test                eax, eax
            //   7501                 | jne                 3
            //   c3                   | ret                 
            //   8b4818               | mov                 ecx, dword ptr [eax + 0x18]
            //   85c9                 | test                ecx, ecx

        $sequence_3 = { 381d???????? 8b2d???????? 744f 8d442418 68???????? 50 e8???????? }
            // n = 7, score = 100
            //   381d????????         |                     
            //   8b2d????????         |                     
            //   744f                 | je                  0x51
            //   8d442418             | lea                 eax, [esp + 0x18]
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_4 = { c60000 807d0000 0f843b010000 57 ff742414 e8???????? 50 }
            // n = 7, score = 100
            //   c60000               | mov                 byte ptr [eax], 0
            //   807d0000             | cmp                 byte ptr [ebp], 0
            //   0f843b010000         | je                  0x141
            //   57                   | push                edi
            //   ff742414             | push                dword ptr [esp + 0x14]
            //   e8????????           |                     
            //   50                   | push                eax

        $sequence_5 = { 0f95c0 5e c3 55 8bec 83ec54 53 }
            // n = 7, score = 100
            //   0f95c0               | setne               al
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec54               | sub                 esp, 0x54
            //   53                   | push                ebx

        $sequence_6 = { ff15???????? 8b35???????? 53 ffd6 8b3d???????? 53 ffd7 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8b35????????         |                     
            //   53                   | push                ebx
            //   ffd6                 | call                esi
            //   8b3d????????         |                     
            //   53                   | push                ebx
            //   ffd7                 | call                edi

        $sequence_7 = { 381d???????? 7508 381d???????? 743e 56 ff15???????? 83f805 }
            // n = 7, score = 100
            //   381d????????         |                     
            //   7508                 | jne                 0xa
            //   381d????????         |                     
            //   743e                 | je                  0x40
            //   56                   | push                esi
            //   ff15????????         |                     
            //   83f805               | cmp                 eax, 5

        $sequence_8 = { 8d85acfeffff 68???????? 50 e8???????? 85c0 59 59 }
            // n = 7, score = 100
            //   8d85acfeffff         | lea                 eax, [ebp - 0x154]
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx

        $sequence_9 = { 6a05 8bca 33d2 f7f3 8bc7 bb40e20100 03ca }
            // n = 7, score = 100
            //   6a05                 | push                5
            //   8bca                 | mov                 ecx, edx
            //   33d2                 | xor                 edx, edx
            //   f7f3                 | div                 ebx
            //   8bc7                 | mov                 eax, edi
            //   bb40e20100           | mov                 ebx, 0x1e240
            //   03ca                 | add                 ecx, edx

    condition:
        // At least 7 of the 10 $sequence_* strings must match, and the scanned
        // object must be smaller than 835584 bytes (816 KiB). Per the DISCLAIMER
        // the sequences were taken from memory dumps and unpacked files, so a
        // packed on-disk sample may not expose them; scan unpacked code or
        // process memory for best coverage.
        7 of them and filesize < 835584
}