Actor(s): Hacking Team, APT-C-34
There is no description at this point.
/*
 * Autogenerated code-sequence rule for win.rcs (Hacking Team RCS).
 * Each $sequence_N is a short run of x86 opcode bytes lifted from a Malpedia
 * sample; "??" bytes are YARA wildcards that mask operands (call/jmp targets,
 * absolute addresses) so the pattern survives relocation. The rule fires when
 * any 7 of the 18 sequences are present in a file smaller than 11501568 bytes.
 * The "n" / "score" values in the per-sequence comments are emitted by
 * yara-signator; their exact meaning is not documented on this page.
 */
rule win_rcs_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.rcs."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rcs"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Sequences with score = 200. Several of these are generic prologue /
        // epilogue or argument-push patterns (e.g. $sequence_0, $sequence_4),
        // so on their own they carry little specificity; the "7 of them"
        // threshold in the condition is what keeps false positives down.
        $sequence_0 = { 6a00 6880000000 6a01 6a00 6a05 }
            // n = 5, score = 200
            //   6a00                 | push                0
            //   6880000000           | push                0x80
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   6a05                 | push                5
        $sequence_1 = { 8944245e 89442462 89442466 8944246a }
            // n = 4, score = 200
            //   8944245e             | mov                 dword ptr [esp + 0x5e], eax
            //   89442462             | mov                 dword ptr [esp + 0x62], eax
            //   89442466             | mov                 dword ptr [esp + 0x66], eax
            //   8944246a             | mov                 dword ptr [esp + 0x6a], eax
        $sequence_2 = { 85ff 0f84d4000000 57 e8???????? }
            // n = 4, score = 200
            //   85ff                 | test                edi, edi
            //   0f84d4000000         | je                  0xda
            //   57                   | push                edi
            //   e8????????           |                     (call, rel32 target wildcarded)
        $sequence_3 = { e8???????? 83c430 6aff 68???????? }
            // n = 4, score = 200
            //   e8????????           |                     (call, rel32 target wildcarded)
            //   83c430               | add                 esp, 0x30
            //   6aff                 | push                -1
            //   68????????           |                     (push imm32, operand wildcarded)
        $sequence_4 = { ff15???????? 5f 5e 5d 5b 33c0 }
            // n = 6, score = 200
            //   ff15????????         |                     (call [imm32], address wildcarded)
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx
            //   33c0                 | xor                 eax, eax
        $sequence_5 = { 40 68???????? 50 e8???????? 83c40c eb0d }
            // n = 6, score = 200
            //   40                   | inc                 eax
            //   68????????           |                     (push imm32, operand wildcarded)
            //   50                   | push                eax
            //   e8????????           |                     (call, rel32 target wildcarded)
            //   83c40c               | add                 esp, 0xc
            //   eb0d                 | jmp                 0xf

        // Sequences with score = 100.
        $sequence_6 = { 81f1f3221c6a 41 f7c7073ed86f f8 f9 }
            // n = 5, score = 100
            //   81f1f3221c6a         | xor                 ecx, 0x6a1c22f3
            //   41                   | inc                 ecx
            //   f7c7073ed86f         | test                edi, 0x6fd83e07
            //   f8                   | clc
            //   f9                   | stc
        $sequence_7 = { 742d 8b7d08 8bbfdc000000 b81c010000 f765fc 8985c0feffff }
            // n = 6, score = 100
            //   742d                 | je                  0x2f
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8bbfdc000000         | mov                 edi, dword ptr [edi + 0xdc]
            //   b81c010000           | mov                 eax, 0x11c
            //   f765fc               | mul                 dword ptr [ebp - 4]
            //   8985c0feffff         | mov                 dword ptr [ebp - 0x140], eax
        $sequence_8 = { 81f1ff2fe523 80f973 66f7c5db7a f5 }
            // n = 4, score = 100
            //   81f1ff2fe523         | xor                 ecx, 0x23e52fff
            //   80f973               | cmp                 cl, 0x73
            //   66f7c5db7a           | test                bp, 0x7adb
            //   f5                   | cmc
        $sequence_9 = { 83f907 773d ff248d6872f301 4f }
            // n = 4, score = 100
            //   83f907               | cmp                 ecx, 7
            //   773d                 | ja                  0x3f
            //   ff248d6872f301       | jmp                 dword ptr [ecx*4 + 0x1f37268]
            //   4f                   | dec                 edi
        $sequence_10 = { 8945f4 eb1c 8b86dc000000 8b9014120000 0fb7781c c1e704 8b3c17 }
            // n = 7, score = 100
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   eb1c                 | jmp                 0x1e
            //   8b86dc000000         | mov                 eax, dword ptr [esi + 0xdc]
            //   8b9014120000         | mov                 edx, dword ptr [eax + 0x1214]
            //   0fb7781c             | movzx               edi, word ptr [eax + 0x1c]
            //   c1e704               | shl                 edi, 4
            //   8b3c17               | mov                 edi, dword ptr [edi + edx]
        $sequence_11 = { 83f906 775c ff248d602ef001 c705????????803e0000 }
            // n = 4, score = 100
            //   83f906               | cmp                 ecx, 6
            //   775c                 | ja                  0x5e
            //   ff248d602ef001       | jmp                 dword ptr [ecx*4 + 0x1f02e60]
            //   c705????????803e0000 |                     (mov [imm32], 0x3e80; address wildcarded)
        $sequence_12 = { 6a0e 6a00 ff75dc e8???????? 83c40c }
            // n = 5, score = 100
            //   6a0e                 | push                0xe
            //   6a00                 | push                0
            //   ff75dc               | push                dword ptr [ebp - 0x24]
            //   e8????????           |                     (call, rel32 target wildcarded)
            //   83c40c               | add                 esp, 0xc
        $sequence_13 = { 0fb7b810120000 c1e704 8b8d48f4fbff 83c103 0fb78c8870020000 c1e104 8b0c11 }
            // n = 7, score = 100
            //   0fb7b810120000       | movzx               edi, word ptr [eax + 0x1210]
            //   c1e704               | shl                 edi, 4
            //   8b8d48f4fbff         | mov                 ecx, dword ptr [ebp - 0x40bb8]
            //   83c103               | add                 ecx, 3
            //   0fb78c8870020000     | movzx               ecx, word ptr [eax + ecx*4 + 0x270]
            //   c1e104               | shl                 ecx, 4
            //   8b0c11               | mov                 ecx, dword ptr [ecx + edx]
        $sequence_14 = { 8b37 81c6c8020000 56 ff75fc ff5704 }
            // n = 5, score = 100
            //   8b37                 | mov                 esi, dword ptr [edi]
            //   81c6c8020000         | add                 esi, 0x2c8
            //   56                   | push                esi
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff5704               | call                dword ptr [edi + 4]
        $sequence_15 = { 8b75ec 0375f8 8b5e0c 39df 7235 035e08 }
            // n = 6, score = 100
            //   8b75ec               | mov                 esi, dword ptr [ebp - 0x14]
            //   0375f8               | add                 esi, dword ptr [ebp - 8]
            //   8b5e0c               | mov                 ebx, dword ptr [esi + 0xc]
            //   39df                 | cmp                 edi, ebx
            //   7235                 | jb                  0x37
            //   035e08               | add                 ebx, dword ptr [esi + 8]
        $sequence_16 = { 8bbfdc000000 8b7730 897734 ff7518 }
            // n = 4, score = 100
            //   8bbfdc000000         | mov                 edi, dword ptr [edi + 0xdc]
            //   8b7730               | mov                 esi, dword ptr [edi + 0x30]
            //   897734               | mov                 dword ptr [edi + 0x34], esi
            //   ff7518               | push                dword ptr [ebp + 0x18]
        $sequence_17 = { 8b55fc 8b45f8 52 50 8b7d08 ff97a0000000 }
            // n = 6, score = 100
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   52                   | push                edx
            //   50                   | push                eax
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   ff97a0000000         | call                dword ptr [edi + 0xa0]

    condition:
        // Any 7 of the 18 sequences; the size cap (11501568 bytes, roughly
        // 11 MiB) bounds scan cost and excludes large unrelated images.
        7 of them and filesize < 11501568
}
/*
 * Hacking Team disclosure sample "elevator.exe" (built from elevator.c, per
 * the meta reference). A PE file matches when it carries all four required
 * path / DLL strings and at least three of the supporting loader and debug
 * strings. The name and the token / kernel-process strings suggest a
 * privilege-elevation helper, but that is inferred from the strings only.
 */
rule win_rcs_w0 {
    meta:
        author = "Florian Roth"
        description = "Hacking Team Disclosure Sample - file elevator.exe"
        reference = "Hacking Team Disclosure elevator.c"
        date = "2015-07-07"
        hash = "40a10420b9d49f87527bc0396b19ec29e55e9109e80b52456891243791671c1c"
        hash = "92aec56a859679917dffa44bd4ffeb5a8b2ee2894c689abbbcbe07842ec56b8d"
        hash = "9261693b67b6e379ad0e57598602712b8508998c0cb012ca23139212ae0009a1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rcs"
        malpedia_version = "20170521"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Required set: every one of these must be present (see condition).
        $req1 = "CRTDLL.DLL" fullword ascii
        $req2 = "\\sysnative\\CI.dll" fullword ascii
        $req3 = "\\SystemRoot\\system32\\CI.dll" fullword ascii
        // Each "\\\\" in the YARA literal is two backslash characters in the
        // scanned file, i.e. this matches "C:\\Windows\\Sysnative\\ntoskrnl.exe"
        // with doubled separators, not the single-backslash path.
        $req4 = "C:\\\\Windows\\\\Sysnative\\\\ntoskrnl.exe" fullword ascii

        // Supporting set: at least three must be present. All but $sup7 were
        // annotated by the original author as PEStudio blacklist hits.
        $sup1 = "[*] traversing processes" fullword ascii
        $sup2 = "_getkprocess" fullword ascii
        $sup3 = "[*] LoaderConfig %p" fullword ascii
        $sup4 = "loader.obj" fullword ascii
        // Deliberately truncated User-Agent prefix, so no "fullword" here.
        $sup5 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3" ascii
        $sup6 = "[*] token restore" fullword ascii
        $sup7 = "elevator.obj" fullword ascii
        $sup8 = "_getexport" fullword ascii

    condition:
        // MZ header, size cap, then the string requirements.
        uint16(0) == 0x5a4d
        and filesize < 3000KB
        and all of ($req*)
        and 3 of ($sup*)
}
/*
 * Hacking Team disclosure sample "ndisk.sys", a kernel driver image. All
 * patterns are UTF-16LE ("wide") whole-word strings; a small PE (< 30 KB)
 * containing at least six of the eight matches.
 */
rule win_rcs_w1 {
    meta:
        description = "Hacking Team Disclosure Sample - file ndisk.sys"
        author = "Florian Roth"
        reference = "https://www.virustotal.com/en/file/a03a6ed90b89945a992a8c69f716ec3c743fa1d958426f4c50378cca5bef0a01/analysis/1436184181/"
        date = "2015-07-07"
        hash = "cf5089752ba51ae827971272a5b761a4ab0acd84"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rcs"
        malpedia_version = "20170521"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Registry paths under the driver's own service name. The "%d" is a
        // format placeholder, so the driver presumably expands these at
        // runtime (inferred from the literal, not verified here).
        $reg_service = "\\Registry\\Machine\\System\\ControlSet00%d\\services\\ndisk.sys" fullword wide
        $reg_enum    = "\\Registry\\Machine\\System\\ControlSet00%d\\Enum\\Root\\LEGACY_NDISK.SYS" fullword wide
        // Reference to a third-party driver object; purpose not shown here.
        $drv_deepfrz = "\\Driver\\DeepFrz" fullword wide
        // Description string styled like a Microsoft component name.
        $desc        = "Microsoft Kernel Disk Manager" fullword wide
        $file_name   = "ndisk.sys" fullword wide
        // Device and symbolic-link names the driver exposes.
        $dev_name    = "\\Device\\MSH4DEV1" fullword wide
        $dos_name    = "\\DosDevices\\MSH4DEV1" fullword wide
        $build_tag   = "built by: WinDDK" fullword wide

    condition:
        filesize < 30KB
        and uint16(0) == 0x5a4d
        and 6 of them
}