SYMBOLCOMMON_NAMEaka. SYNONYMS
win.rawpos (Back to overview)

RawPOS

There is no description at this point.

References
2017-04-19Trend MicroTrend Micro Cyber Safety Solutions Team
@online{team:20170419:rawpos:f271512, author = {Trend Micro Cyber Safety Solutions Team}, title = {{RawPOS: New Behavior Risks Identity Theft}}, date = {2017-04-19}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-new-behavior-risks-identity-theft/?platform=hootsuite}, language = {English}, urldate = {2019-12-24} } RawPOS: New Behavior Risks Identity Theft
RawPOS
2017-03-08CylanceThreat Research Team
@online{team:20170308:rawpos:d467b10, author = {Threat Research Team}, title = {{RawPOS Malware Rides Again}}, date = {2017-03-08}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/rawpos-malware.html}, language = {English}, urldate = {2020-01-09} } RawPOS Malware Rides Again
RawPOS
2016-10-07FireEyeMatt Bromiley, Preston Lewis
@online{bromiley:20161007:attacking:0d71422, author = {Matt Bromiley and Preston Lewis}, title = {{Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years}}, date = {2016-10-07}, organization = {FireEye}, url = {https://www.youtube.com/watch?v=fevGZs0EQu8}, language = {English}, urldate = {2020-04-17} } Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years
RawPOS
Yara Rules
[TLP:WHITE] win_rawpos_auto (20220808 | Detects win.rawpos.)
rule win_rawpos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.rawpos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rawpos"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 59 50 8b450c 50 6a00 8b17 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   50                   | push                eax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   8b17                 | mov                 edx, dword ptr [edi]

        $sequence_1 = { 83451804 8b4518 8b50fc 8b4dd8 890a 8b4ddc 894a04 }
            // n = 7, score = 100
            //   83451804             | add                 dword ptr [ebp + 0x18], 4
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
            //   8b50fc               | mov                 edx, dword ptr [eax - 4]
            //   8b4dd8               | mov                 ecx, dword ptr [ebp - 0x28]
            //   890a                 | mov                 dword ptr [edx], ecx
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   894a04               | mov                 dword ptr [edx + 4], ecx

        $sequence_2 = { 894304 33c0 5e 5b 59 59 5d }
            // n = 7, score = 100
            //   894304               | mov                 dword ptr [ebx + 4], eax
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   5d                   | pop                 ebp

        $sequence_3 = { 24ff 8b16 c1f908 880a ff06 8b0e 8801 }
            // n = 7, score = 100
            //   24ff                 | and                 al, 0xff
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   c1f908               | sar                 ecx, 8
            //   880a                 | mov                 byte ptr [edx], cl
            //   ff06                 | inc                 dword ptr [esi]
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   8801                 | mov                 byte ptr [ecx], al

        $sequence_4 = { 8b55c8 8bc2 8a10 8b4dac 0811 43 ff45ac }
            // n = 7, score = 100
            //   8b55c8               | mov                 edx, dword ptr [ebp - 0x38]
            //   8bc2                 | mov                 eax, edx
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   8b4dac               | mov                 ecx, dword ptr [ebp - 0x54]
            //   0811                 | or                  byte ptr [ecx], dl
            //   43                   | inc                 ebx
            //   ff45ac               | inc                 dword ptr [ebp - 0x54]

        $sequence_5 = { 8b55b0 8b4c9004 8b4304 8b55b0 2b0c90 }
            // n = 5, score = 100
            //   8b55b0               | mov                 edx, dword ptr [ebp - 0x50]
            //   8b4c9004             | mov                 ecx, dword ptr [eax + edx*4 + 4]
            //   8b4304               | mov                 eax, dword ptr [ebx + 4]
            //   8b55b0               | mov                 edx, dword ptr [ebp - 0x50]
            //   2b0c90               | sub                 ecx, dword ptr [eax + edx*4]

        $sequence_6 = { 5d c3 8b149d64224300 52 e8???????? 83f802 0f94c0 }
            // n = 7, score = 100
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b149d64224300       | mov                 edx, dword ptr [ebx*4 + 0x432264]
            //   52                   | push                edx
            //   e8????????           |                     
            //   83f802               | cmp                 eax, 2
            //   0f94c0               | sete                al

        $sequence_7 = { 8b45f0 80bc053078feff00 7422 8b55f0 8a8c153078feff 8b85d0feffff 888c054403f8ff }
            // n = 7, score = 100
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   80bc053078feff00     | cmp                 byte ptr [ebp + eax - 0x187d0], 0
            //   7422                 | je                  0x24
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   8a8c153078feff       | mov                 cl, byte ptr [ebp + edx - 0x187d0]
            //   8b85d0feffff         | mov                 eax, dword ptr [ebp - 0x130]
            //   888c054403f8ff       | mov                 byte ptr [ebp + eax - 0x7fcbc], cl

        $sequence_8 = { ff45e0 33db 8b55e0 8b4520 8a1a 8b500c }
            // n = 6, score = 100
            //   ff45e0               | inc                 dword ptr [ebp - 0x20]
            //   33db                 | xor                 ebx, ebx
            //   8b55e0               | mov                 edx, dword ptr [ebp - 0x20]
            //   8b4520               | mov                 eax, dword ptr [ebp + 0x20]
            //   8a1a                 | mov                 bl, byte ptr [edx]
            //   8b500c               | mov                 edx, dword ptr [eax + 0xc]

        $sequence_9 = { 0375bc 43 3b5df8 7ce9 eb75 837df800 751a }
            // n = 7, score = 100
            //   0375bc               | add                 esi, dword ptr [ebp - 0x44]
            //   43                   | inc                 ebx
            //   3b5df8               | cmp                 ebx, dword ptr [ebp - 8]
            //   7ce9                 | jl                  0xffffffeb
            //   eb75                 | jmp                 0x77
            //   837df800             | cmp                 dword ptr [ebp - 8], 0
            //   751a                 | jne                 0x1c

    condition:
        7 of them and filesize < 466944
}
Download all Yara Rules