SYMBOLCOMMON_NAMEaka. SYNONYMS
win.rikamanu (Back to overview)

Rikamanu

Actor(s): Thrip


There is no description at this point.

References
2018-06-19SymantecSecurity Response Attack Investigation Team
@online{team:20180619:thrip:4662184, author = {Security Response Attack Investigation Team}, title = {{Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies}}, date = {2018-06-19}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets}, language = {English}, urldate = {2020-01-09} } Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies
Catchamas Rikamanu Spedear WMI Ghost Thrip
Yara Rules
[TLP:WHITE] win_rikamanu_auto (20220411 | Detects win.rikamanu.)
rule win_rikamanu_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.rikamanu."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rikamanu"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 6a14 ff15???????? a801 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   6a14                 | push                0x14
            //   ff15????????         |                     
            //   a801                 | test                al, 1

        $sequence_1 = { 50 ff15???????? 8b35???????? 3d80969800 }
            // n = 4, score = 200
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b35????????         |                     
            //   3d80969800           | cmp                 eax, 0x989680

        $sequence_2 = { 8b4de4 83c40c 6bc930 8975e0 8db120982400 8975e4 eb2b }
            // n = 7, score = 100
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   83c40c               | add                 esp, 0xc
            //   6bc930               | imul                ecx, ecx, 0x30
            //   8975e0               | mov                 dword ptr [ebp - 0x20], esi
            //   8db120982400         | lea                 esi, dword ptr [ecx + 0x249820]
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi
            //   eb2b                 | jmp                 0x2d

        $sequence_3 = { 8bc8 83e103 f3a4 ff15???????? 53 ff15???????? 8b35???????? }
            // n = 7, score = 100
            //   8bc8                 | mov                 ecx, eax
            //   83e103               | and                 ecx, 3
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   ff15????????         |                     
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   8b35????????         |                     

        $sequence_4 = { 6a00 6803000010 53 ffd7 85c0 0f85ff020000 ffb5d0f8ffff }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   6803000010           | push                0x10000003
            //   53                   | push                ebx
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax
            //   0f85ff020000         | jne                 0x305
            //   ffb5d0f8ffff         | push                dword ptr [ebp - 0x730]

        $sequence_5 = { c1f905 8b0c8de0b84000 8a44c104 83e040 }
            // n = 4, score = 100
            //   c1f905               | sar                 ecx, 5
            //   8b0c8de0b84000       | mov                 ecx, dword ptr [ecx*4 + 0x40b8e0]
            //   8a44c104             | mov                 al, byte ptr [ecx + eax*8 + 4]
            //   83e040               | and                 eax, 0x40

        $sequence_6 = { 8d34f570902400 391e 7404 8bc7 }
            // n = 4, score = 100
            //   8d34f570902400       | lea                 esi, dword ptr [esi*8 + 0x249070]
            //   391e                 | cmp                 dword ptr [esi], ebx
            //   7404                 | je                  6
            //   8bc7                 | mov                 eax, edi

        $sequence_7 = { 6a01 83e103 6800000040 f3a4 8b35???????? 68???????? ffd6 }
            // n = 7, score = 100
            //   6a01                 | push                1
            //   83e103               | and                 ecx, 3
            //   6800000040           | push                0x40000000
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   8b35????????         |                     
            //   68????????           |                     
            //   ffd6                 | call                esi

        $sequence_8 = { 6810270000 ff15???????? 8b85e4fdffff 8d8dccfdffff }
            // n = 4, score = 100
            //   6810270000           | push                0x2710
            //   ff15????????         |                     
            //   8b85e4fdffff         | mov                 eax, dword ptr [ebp - 0x21c]
            //   8d8dccfdffff         | lea                 ecx, dword ptr [ebp - 0x234]

        $sequence_9 = { ff35???????? ffd6 53 68???????? be???????? 56 e8???????? }
            // n = 7, score = 100
            //   ff35????????         |                     
            //   ffd6                 | call                esi
            //   53                   | push                ebx
            //   68????????           |                     
            //   be????????           |                     
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_10 = { 6803000010 57 ffd6 85c0 0f85b9040000 8b4c2410 }
            // n = 6, score = 100
            //   6803000010           | push                0x10000003
            //   57                   | push                edi
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   0f85b9040000         | jne                 0x4bf
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]

        $sequence_11 = { 6804010000 33db 8d85f8feffff 50 51 }
            // n = 5, score = 100
            //   6804010000           | push                0x104
            //   33db                 | xor                 ebx, ebx
            //   8d85f8feffff         | lea                 eax, dword ptr [ebp - 0x108]
            //   50                   | push                eax
            //   51                   | push                ecx

        $sequence_12 = { 8bc7 c1f805 c1e606 033485e0a72400 }
            // n = 4, score = 100
            //   8bc7                 | mov                 eax, edi
            //   c1f805               | sar                 eax, 5
            //   c1e606               | shl                 esi, 6
            //   033485e0a72400       | add                 esi, dword ptr [eax*4 + 0x24a7e0]

        $sequence_13 = { 52 ffd7 8d44243c 50 ffd3 55 }
            // n = 6, score = 100
            //   52                   | push                edx
            //   ffd7                 | call                edi
            //   8d44243c             | lea                 eax, dword ptr [esp + 0x3c]
            //   50                   | push                eax
            //   ffd3                 | call                ebx
            //   55                   | push                ebp

        $sequence_14 = { ffd6 8b95e8fdffff 52 ffd6 8b4dfc }
            // n = 5, score = 100
            //   ffd6                 | call                esi
            //   8b95e8fdffff         | mov                 edx, dword ptr [ebp - 0x218]
            //   52                   | push                edx
            //   ffd6                 | call                esi
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_15 = { 55 8bec a0???????? 33c9 84c0 }
            // n = 5, score = 100
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   a0????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   84c0                 | test                al, al

        $sequence_16 = { 8bf0 c1ff05 83e61f c1e606 8b0cbd383f4100 }
            // n = 5, score = 100
            //   8bf0                 | mov                 esi, eax
            //   c1ff05               | sar                 edi, 5
            //   83e61f               | and                 esi, 0x1f
            //   c1e606               | shl                 esi, 6
            //   8b0cbd383f4100       | mov                 ecx, dword ptr [edi*4 + 0x413f38]

        $sequence_17 = { c3 6a08 68???????? e8???????? 8b7508 c7465c18cd4000 }
            // n = 6, score = 100
            //   c3                   | ret                 
            //   6a08                 | push                8
            //   68????????           |                     
            //   e8????????           |                     
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   c7465c18cd4000       | mov                 dword ptr [esi + 0x5c], 0x40cd18

        $sequence_18 = { a1???????? 85c0 74c9 33c9 33c0 }
            // n = 5, score = 100
            //   a1????????           |                     
            //   85c0                 | test                eax, eax
            //   74c9                 | je                  0xffffffcb
            //   33c9                 | xor                 ecx, ecx
            //   33c0                 | xor                 eax, eax

        $sequence_19 = { 5d c3 8bff 56 57 33ff ffb7709a2400 }
            // n = 7, score = 100
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi
            //   56                   | push                esi
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   ffb7709a2400         | push                dword ptr [edi + 0x249a70]

        $sequence_20 = { 83c424 c21000 6a00 55 }
            // n = 4, score = 100
            //   83c424               | add                 esp, 0x24
            //   c21000               | ret                 0x10
            //   6a00                 | push                0
            //   55                   | push                ebp

        $sequence_21 = { ff15???????? 6820000100 68???????? 50 ff15???????? }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   6820000100           | push                0x10020
            //   68????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_22 = { 833d????????01 0f8486000000 33c9 663d0100 }
            // n = 4, score = 100
            //   833d????????01       |                     
            //   0f8486000000         | je                  0x8c
            //   33c9                 | xor                 ecx, ecx
            //   663d0100             | cmp                 ax, 1

        $sequence_23 = { ff15???????? 8bd8 3bdd 7517 }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   3bdd                 | cmp                 ebx, ebp
            //   7517                 | jne                 0x19

        $sequence_24 = { 8d95dcfdffff 52 6a01 53 }
            // n = 4, score = 100
            //   8d95dcfdffff         | lea                 edx, dword ptr [ebp - 0x224]
            //   52                   | push                edx
            //   6a01                 | push                1
            //   53                   | push                ebx

        $sequence_25 = { 8bd0 c1f905 83e21f 8b0c8de0b84000 }
            // n = 4, score = 100
            //   8bd0                 | mov                 edx, eax
            //   c1f905               | sar                 ecx, 5
            //   83e21f               | and                 edx, 0x1f
            //   8b0c8de0b84000       | mov                 ecx, dword ptr [ecx*4 + 0x40b8e0]

        $sequence_26 = { 7309 8b04c580ee4000 5d c3 33c0 5d c3 }
            // n = 7, score = 100
            //   7309                 | jae                 0xb
            //   8b04c580ee4000       | mov                 eax, dword ptr [eax*8 + 0x40ee80]
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   33c0                 | xor                 eax, eax
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_27 = { c1f905 8b0c8de0b84000 f644c10401 8d04c1 7403 8b00 }
            // n = 6, score = 100
            //   c1f905               | sar                 ecx, 5
            //   8b0c8de0b84000       | mov                 ecx, dword ptr [ecx*4 + 0x40b8e0]
            //   f644c10401           | test                byte ptr [ecx + eax*8 + 4], 1
            //   8d04c1               | lea                 eax, dword ptr [ecx + eax*8]
            //   7403                 | je                  5
            //   8b00                 | mov                 eax, dword ptr [eax]

        $sequence_28 = { 6804010000 68???????? 6a00 50 e8???????? 85c0 7523 }
            // n = 7, score = 100
            //   6804010000           | push                0x104
            //   68????????           |                     
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7523                 | jne                 0x25

        $sequence_29 = { 8d4c2414 68???????? 51 c744241c6c714000 e8???????? 33d2 6a0c }
            // n = 7, score = 100
            //   8d4c2414             | lea                 ecx, dword ptr [esp + 0x14]
            //   68????????           |                     
            //   51                   | push                ecx
            //   c744241c6c714000     | mov                 dword ptr [esp + 0x1c], 0x40716c
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   6a0c                 | push                0xc

    condition:
        7 of them and filesize < 212992
}
Download all Yara Rules