win.rikamanu

Rikamanu

Actor(s): Thrip


No description is available for this family yet. The only reference listed below is Symantec's 2018 Thrip report, which is also the basis for the "Actor(s): Thrip" attribution above; treat anything beyond that attribution as unconfirmed.

References
2018-06-19 · Symantec · Security Response Attack Investigation Team
@online{team:20180619:thrip:4662184, author = {Security Response Attack Investigation Team}, title = {{Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies}}, date = {2018-06-19}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets}, language = {English}, urldate = {2020-01-09} } Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies
Families referenced in this report: Catchamas, Rikamanu, Spedear, WMI Ghost — Actor: Thrip
Yara Rules
[TLP:WHITE] win_rikamanu_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_rikamanu_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rikamanu"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (added on top of the generated rule; code unchanged)
     * - 29 byte sequences ($sequence_0..$sequence_28). "score = 200" marks a
     *   sequence seen in both documented samples, "score = 100" one seen in a
     *   single sample. The condition needs any 7, so a hit can be built
     *   entirely from single-sample sequences.
     * - "filesize < 212992" (208 KiB) is checked against the scanned object.
     *   The sequences were taken from unpacked/dumped code (see DISCLAIMER),
     *   so a packed on-disk sample may exceed the limit and also lack the
     *   plaintext opcodes; scanning memory or unpacked files is the intended use.
     * - Several sequences embed absolute addresses. Two base ranges appear:
     *   0x40xxxx ($sequence_10, _20, _26, _28) and 0x24xxxx ($sequence_13,
     *   _16, _19). This looks like two different load bases (e.g. an on-disk
     *   image vs. a dump) — TODO confirm. Either way these bytes are tied to
     *   the originating image base and will not match a rebased/relocated copy.
     * - Some sequences are compiler boilerplate rather than family-specific
     *   logic (inlined memcpy in $sequence_0, a plain epilogue in
     *   $sequence_24). They still count towards "7 of them" and add
     *   false-positive pressure; weight matches accordingly.
     * - A match is a lead, not attribution. Confirm against the Thrip
     *   reporting referenced in the Malpedia entry before acting on it.
     */


    strings:
        // Inlined memcpy idiom (rep movsd, and ecx,3, rep movsb followed by
        // or ecx,-1). Generic compiler output — present in both samples, but
        // low specificity for this family.
        $sequence_0 = { bf???????? f3a5 8bc8 33c0 83e103 f3a4 83c9ff }
            // n = 7, score = 200
            //   bf????????           |                     
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8bc8                 | mov                 ecx, eax
            //   33c0                 | xor                 eax, eax
            //   83e103               | and                 ecx, 3
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   83c9ff               | or                  ecx, 0xffffffff

        // push 0x14 before an indirect call, then test al,1 on the result.
        // Callee is wildcarded, so the meaning of 0x14 is not recoverable here.
        $sequence_1 = { e8???????? 6a14 ff15???????? a801 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   6a14                 | push                0x14
            //   ff15????????         |                     
            //   a801                 | test                al, 1

        // Compares a call result against 0x989680 (10,000,000 decimal).
        // Purpose of the constant cannot be determined from this fragment.
        $sequence_2 = { 50 ff15???????? 8b35???????? 3d80969800 }
            // n = 4, score = 200
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b35????????         |                     
            //   3d80969800           | cmp                 eax, 0x989680

        $sequence_3 = { 896c2414 0f849e040000 8d542410 6a10 }
            // n = 4, score = 100
            //   896c2414             | mov                 dword ptr [esp + 0x14], ebp
            //   0f849e040000         | je                  0x4a4
            //   8d542410             | lea                 edx, [esp + 0x10]
            //   6a10                 | push                0x10

        // push 0 / call / push 0x10020 / push <addr>: argument setup for a
        // wildcarded API call; 0x10020 is left uninterpreted (no API visible).
        $sequence_4 = { 6a00 ff15???????? 6820000100 68???????? }
            // n = 4, score = 100
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   6820000100           | push                0x10020
            //   68????????           |                     

        // NOTE(review): the "inc eax / add ..." decoding is almost certainly a
        // mis-disassembly of data. Read at offset +2 the bytes form consecutive
        // little-endian pointers 0x00405a2c, 0x00405a50, ... — i.e. a pointer
        // table in the 0x40xxxx image. Matching on it is image-base dependent.
        $sequence_5 = { 40 002c5a 40 00505a 40 0023 }
            // n = 6, score = 100
            //   40                   | inc                 eax
            //   002c5a               | add                 byte ptr [edx + ebx*2], ch
            //   40                   | inc                 eax
            //   00505a               | add                 byte ptr [eax + 0x5a], dl
            //   40                   | inc                 eax
            //   0023                 | add                 byte ptr [ebx], ah

        $sequence_6 = { 894df8 ff15???????? 85c0 751d 8b45e8 50 }
            // n = 6, score = 100
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   751d                 | jne                 0x1f
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   50                   | push                eax

        // Tail of a function with a 0x218-byte frame; "xor ecx, ebp" after
        // loading [ebp-4] is the usual /GS stack-cookie check pattern — TODO confirm.
        $sequence_7 = { 8b95e8fdffff 52 ffd6 8b4dfc 5e 33cd }
            // n = 6, score = 100
            //   8b95e8fdffff         | mov                 edx, dword ptr [ebp - 0x218]
            //   52                   | push                edx
            //   ffd6                 | call                esi
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   5e                   | pop                 esi
            //   33cd                 | xor                 ecx, ebp

        // push 0x2710 (10,000 decimal) after a zero check; constant meaning
        // not recoverable from this fragment.
        $sequence_8 = { 5f 85c0 753e 6810270000 }
            // n = 4, score = 100
            //   5f                   | pop                 edi
            //   85c0                 | test                eax, eax
            //   753e                 | jne                 0x40
            //   6810270000           | push                0x2710

        $sequence_9 = { 668b0d???????? 50 51 81e2ffff0000 33c0 33c9 }
            // n = 6, score = 100
            //   668b0d????????       |                     
            //   50                   | push                eax
            //   51                   | push                ecx
            //   81e2ffff0000         | and                 edx, 0xffff
            //   33c0                 | xor                 eax, eax
            //   33c9                 | xor                 ecx, ecx

        // Table-driven byte OR using an absolute table at 0x4131d0 (bounded by
        // edx < 0x100). The hard-coded address makes this sequence rebase-fragile.
        $sequence_10 = { 81fa00010000 7313 8a87d0314100 08441619 }
            // n = 4, score = 100
            //   81fa00010000         | cmp                 edx, 0x100
            //   7313                 | jae                 0x15
            //   8a87d0314100         | mov                 al, byte ptr [edi + 0x4131d0]
            //   08441619             | or                  byte ptr [esi + edx + 0x19], al

        // sbb eax,eax / sbb eax,-1 is a branchless sign-to-(-1/0/1) idiom;
        // generic codegen, low specificity on its own.
        $sequence_11 = { 1bc0 83d8ff 8b2d???????? 3bc3 753a }
            // n = 5, score = 100
            //   1bc0                 | sbb                 eax, eax
            //   83d8ff               | sbb                 eax, -1
            //   8b2d????????         |                     
            //   3bc3                 | cmp                 eax, ebx
            //   753a                 | jne                 0x3c

        // push 0x5c ('\\') followed by a store into a 0x10c-byte buffer and a
        // cdecl call: consistent with path handling, but the callee is wildcarded.
        $sequence_12 = { 6a5c 52 889c05f4feffff e8???????? 83c408 }
            // n = 5, score = 100
            //   6a5c                 | push                0x5c
            //   52                   | push                edx
            //   889c05f4feffff       | mov                 byte ptr [ebp + eax - 0x10c], bl
            //   e8????????           |                     
            //   83c408               | add                 esp, 8

        // Absolute address 0x24a12c (0x24xxxx base range); rebase-fragile.
        $sequence_13 = { e8???????? 8d04452ca12400 8bc8 2bce 6a03 d1f9 68???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8d04452ca12400       | lea                 eax, [eax*2 + 0x24a12c]
            //   8bc8                 | mov                 ecx, eax
            //   2bce                 | sub                 ecx, esi
            //   6a03                 | push                3
            //   d1f9                 | sar                 ecx, 1
            //   68????????           |                     

        $sequence_14 = { 8d442414 6a64 8d4c2414 50 }
            // n = 4, score = 100
            //   8d442414             | lea                 eax, [esp + 0x14]
            //   6a64                 | push                0x64
            //   8d4c2414             | lea                 ecx, [esp + 0x14]
            //   50                   | push                eax

        $sequence_15 = { 52 f3a4 ff15???????? 8b85f0fdffff 53 50 8d8de4fdffff }
            // n = 7, score = 100
            //   52                   | push                edx
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   ff15????????         |                     
            //   8b85f0fdffff         | mov                 eax, dword ptr [ebp - 0x210]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   8d8de4fdffff         | lea                 ecx, [ebp - 0x21c]

        // Loop over a 4-byte table [0x246144, 0x246148) — absolute addresses in
        // the 0x24xxxx range; rebase-fragile.
        $sequence_16 = { ebab c745e444612400 817de448612400 7311 8b45e4 8b00 }
            // n = 6, score = 100
            //   ebab                 | jmp                 0xffffffad
            //   c745e444612400       | mov                 dword ptr [ebp - 0x1c], 0x246144
            //   817de448612400       | cmp                 dword ptr [ebp - 0x1c], 0x246148
            //   7311                 | jae                 0x13
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   8b00                 | mov                 eax, dword ptr [eax]

        $sequence_17 = { 59 59 8d85f4fdffff 50 68???????? e8???????? 8b3d???????? }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   8d85f4fdffff         | lea                 eax, [ebp - 0x20c]
            //   50                   | push                eax
            //   68????????           |                     
            //   e8????????           |                     
            //   8b3d????????         |                     

        $sequence_18 = { 59 8d85f8feffff 50 8d85e4f8ffff 50 }
            // n = 5, score = 100
            //   59                   | pop                 ecx
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   50                   | push                eax
            //   8d85e4f8ffff         | lea                 eax, [ebp - 0x71c]
            //   50                   | push                eax

        // Same table-driven OR shape as $sequence_10, here with table 0x24980c
        // (0x24xxxx range). Absolute address; rebase-fragile.
        $sequence_19 = { 8a800c982400 08443b1d 0fb64601 47 3bf8 76ea }
            // n = 6, score = 100
            //   8a800c982400         | mov                 al, byte ptr [eax + 0x24980c]
            //   08443b1d             | or                  byte ptr [ebx + edi + 0x1d], al
            //   0fb64601             | movzx               eax, byte ptr [esi + 1]
            //   47                   | inc                 edi
            //   3bf8                 | cmp                 edi, eax
            //   76ea                 | jbe                 0xffffffec

        // Word-table lookup at 0x407562 masked with the second stack argument;
        // shape resembles a CRT character-class helper — TODO confirm. Absolute
        // address; rebase-fragile.
        $sequence_20 = { 837c240800 740e 0fb7044562754000 23442408 eb02 }
            // n = 5, score = 100
            //   837c240800           | cmp                 dword ptr [esp + 8], 0
            //   740e                 | je                  0x10
            //   0fb7044562754000     | movzx               eax, word ptr [eax*2 + 0x407562]
            //   23442408             | and                 eax, dword ptr [esp + 8]
            //   eb02                 | jmp                 4

        $sequence_21 = { 59 59 53 6882000000 6a04 53 6a01 }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   53                   | push                ebx
            //   6882000000           | push                0x82
            //   6a04                 | push                4
            //   53                   | push                ebx
            //   6a01                 | push                1

        // Copies the first two bytes of [esi] into a local buffer at ebp-0x260.
        $sequence_22 = { 85c0 7451 8a06 8885a0fdffff 8a4601 8885a1fdffff 8d4598 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   7451                 | je                  0x53
            //   8a06                 | mov                 al, byte ptr [esi]
            //   8885a0fdffff         | mov                 byte ptr [ebp - 0x260], al
            //   8a4601               | mov                 al, byte ptr [esi + 1]
            //   8885a1fdffff         | mov                 byte ptr [ebp - 0x25f], al
            //   8d4598               | lea                 eax, [ebp - 0x68]

        // Linear scan of an 8-byte-stride table comparing a 16-bit key (dx).
        $sequence_23 = { 33c9 b8???????? 663b10 7415 83c008 41 }
            // n = 6, score = 100
            //   33c9                 | xor                 ecx, ecx
            //   b8????????           |                     
            //   663b10               | cmp                 dx, word ptr [eax]
            //   7415                 | je                  0x17
            //   83c008               | add                 eax, 8
            //   41                   | inc                 ecx

        // Plain function epilogue (return 0, 0x24-byte locals, stdcall 0x10 args).
        // Generic compiler output — counts toward the threshold but is not
        // family-specific on its own.
        $sequence_24 = { 33c0 5d 83c424 c21000 }
            // n = 4, score = 100
            //   33c0                 | xor                 eax, eax
            //   5d                   | pop                 ebp
            //   83c424               | add                 esp, 0x24
            //   c21000               | ret                 0x10

        $sequence_25 = { 7432 8d4598 50 ff15???????? 50 }
            // n = 5, score = 100
            //   7432                 | je                  0x34
            //   8d4598               | lea                 eax, [ebp - 0x68]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   50                   | push                eax

        // index>>5 / index&0x1f split then a lookup in a pointer table at
        // 0x40b8e0: the MSVC CRT lowio (__pioinfo) handle-lookup shape — TODO
        // confirm. If so this is library code, not malware logic, and the
        // absolute address is rebase-fragile.
        $sequence_26 = { 83fbff 7416 8bc3 8bcb c1f805 83e11f 8b0485e0b84000 }
            // n = 7, score = 100
            //   83fbff               | cmp                 ebx, -1
            //   7416                 | je                  0x18
            //   8bc3                 | mov                 eax, ebx
            //   8bcb                 | mov                 ecx, ebx
            //   c1f805               | sar                 eax, 5
            //   83e11f               | and                 ecx, 0x1f
            //   8b0485e0b84000       | mov                 eax, dword ptr [eax*4 + 0x40b8e0]

        // push 0x100 / push <addr> / push esi before a call: buffer-size style
        // argument setup; callee and address are wildcarded.
        $sequence_27 = { 750b 68???????? ff15???????? 6800010000 68???????? 56 }
            // n = 6, score = 100
            //   750b                 | jne                 0xd
            //   68????????           |                     
            //   ff15????????         |                     
            //   6800010000           | push                0x100
            //   68????????           |                     
            //   56                   | push                esi

        // Byte-by-byte comparison against a table at 0x4070a9; absolute
        // address, rebase-fragile.
        $sequence_28 = { 8b742408 8a16 3ad0 740d 8a81a9704000 41 }
            // n = 6, score = 100
            //   8b742408             | mov                 esi, dword ptr [esp + 8]
            //   8a16                 | mov                 dl, byte ptr [esi]
            //   3ad0                 | cmp                 dl, al
            //   740d                 | je                  0xf
            //   8a81a9704000         | mov                 al, byte ptr [ecx + 0x4070a9]
            //   41                   | inc                 ecx

    // 7 of 29 sequences (~24%) plus the size cap. See REVIEW NOTES above on why
    // the cap and the absolute-address sequences limit this to unpacked code.
    condition:
        7 of them and filesize < 212992
}