SYMBOLCOMMON_NAMEaka. SYNONYMS
win.rawpos (Back to overview)

RawPOS

There is no description at this point.

References
2017-04-19Trend MicroTrend Micro Cyber Safety Solutions Team
@online{team:20170419:rawpos:f271512, author = {Trend Micro Cyber Safety Solutions Team}, title = {{RawPOS: New Behavior Risks Identity Theft}}, date = {2017-04-19}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-new-behavior-risks-identity-theft/?platform=hootsuite}, language = {English}, urldate = {2019-12-24} } RawPOS: New Behavior Risks Identity Theft
RawPOS
2017-03-08CylanceThreat Research Team
@online{team:20170308:rawpos:d467b10, author = {Threat Research Team}, title = {{RawPOS Malware Rides Again}}, date = {2017-03-08}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/rawpos-malware.html}, language = {English}, urldate = {2020-01-09} } RawPOS Malware Rides Again
RawPOS
2016-10-07FireEyeMatt Bromiley, Preston Lewis
@online{bromiley:20161007:attacking:0d71422, author = {Matt Bromiley and Preston Lewis}, title = {{Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years}}, date = {2016-10-07}, organization = {FireEye}, url = {https://www.youtube.com/watch?v=fevGZs0EQu8}, language = {English}, urldate = {2020-04-17} } Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years
RawPOS
Yara Rules
[TLP:WHITE] win_rawpos_auto (20211008 | Detects win.rawpos.)
rule win_rawpos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.rawpos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rawpos"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a00 e8???????? 59 3d83f80f57 }
            // n = 4, score = 100
            //   6a00                 | push                0
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   3d83f80f57           | cmp                 eax, 0x570ff883

        $sequence_1 = { 8b451c 8b55f8 0110 8b45e8 8b55ec 5f }
            // n = 6, score = 100
            //   8b451c               | mov                 eax, dword ptr [ebp + 0x1c]
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   0110                 | add                 dword ptr [eax], edx
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]
            //   5f                   | pop                 edi

        $sequence_2 = { c705????????80294000 c705????????40274000 c705????????01000000 8b4508 a3???????? 5d c3 }
            // n = 7, score = 100
            //   c705????????80294000     |     
            //   c705????????40274000     |     
            //   c705????????01000000     |     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   a3????????           |                     
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_3 = { c7431801000000 eb2a 8b5308 2b55c0 8b4b04 ff3491 8b5304 }
            // n = 7, score = 100
            //   c7431801000000       | mov                 dword ptr [ebx + 0x18], 1
            //   eb2a                 | jmp                 0x2c
            //   8b5308               | mov                 edx, dword ptr [ebx + 8]
            //   2b55c0               | sub                 edx, dword ptr [ebp - 0x40]
            //   8b4b04               | mov                 ecx, dword ptr [ebx + 4]
            //   ff3491               | push                dword ptr [ecx + edx*4]
            //   8b5304               | mov                 edx, dword ptr [ebx + 4]

        $sequence_4 = { 7f1e 8a0e 33c0 8ac1 }
            // n = 4, score = 100
            //   7f1e                 | jg                  0x20
            //   8a0e                 | mov                 cl, byte ptr [esi]
            //   33c0                 | xor                 eax, eax
            //   8ac1                 | mov                 al, cl

        $sequence_5 = { 8a55f4 80e2ff 8816 46 881e 46 e9???????? }
            // n = 7, score = 100
            //   8a55f4               | mov                 dl, byte ptr [ebp - 0xc]
            //   80e2ff               | and                 dl, 0xff
            //   8816                 | mov                 byte ptr [esi], dl
            //   46                   | inc                 esi
            //   881e                 | mov                 byte ptr [esi], bl
            //   46                   | inc                 esi
            //   e9????????           |                     

        $sequence_6 = { 8bd0 c1e202 8d1452 8d1492 8915???????? 8b0d???????? }
            // n = 6, score = 100
            //   8bd0                 | mov                 edx, eax
            //   c1e202               | shl                 edx, 2
            //   8d1452               | lea                 edx, dword ptr [edx + edx*2]
            //   8d1492               | lea                 edx, dword ptr [edx + edx*4]
            //   8915????????         |                     
            //   8b0d????????         |                     

        $sequence_7 = { e8???????? 83c414 8945e0 833e00 0f85c2060000 837ddc00 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   833e00               | cmp                 dword ptr [esi], 0
            //   0f85c2060000         | jne                 0x6c8
            //   837ddc00             | cmp                 dword ptr [ebp - 0x24], 0

        $sequence_8 = { e9???????? ff45ec ebb4 897590 8b55f8 8955ec 8b4dec }
            // n = 7, score = 100
            //   e9????????           |                     
            //   ff45ec               | inc                 dword ptr [ebp - 0x14]
            //   ebb4                 | jmp                 0xffffffb6
            //   897590               | mov                 dword ptr [ebp - 0x70], esi
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   8955ec               | mov                 dword ptr [ebp - 0x14], edx
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]

        $sequence_9 = { 5b 5d c3 33d2 33c9 8a5301 8a4b02 }
            // n = 7, score = 100
            //   5b                   | pop                 ebx
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   33d2                 | xor                 edx, edx
            //   33c9                 | xor                 ecx, ecx
            //   8a5301               | mov                 dl, byte ptr [ebx + 1]
            //   8a4b02               | mov                 cl, byte ptr [ebx + 2]

    condition:
        7 of them and filesize < 466944
}
Download all Yara Rules