Rover (Malware Family)

Rover

There is no description at this point.
References

2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2016-02-29 ⋅ Palo Alto Networks Unit 42 ⋅ Vicky Ray, Kaoru Hayashi
New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan
Rover
Yara Rules

[TLP:WHITE] win_rover_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_rover_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rover"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 85ed 744f 8b7c243c 8b471c 85c0 7415 8b4e0c }
            // n = 7, score = 100
            //   85ed                 | test                ebp, ebp
            //   744f                 | je                  0x51
            //   8b7c243c             | mov                 edi, dword ptr [esp + 0x3c]
            //   8b471c               | mov                 eax, dword ptr [edi + 0x1c]
            //   85c0                 | test                eax, eax
            //   7415                 | je                  0x17
            //   8b4e0c               | mov                 ecx, dword ptr [esi + 0xc]

        $sequence_1 = { 8d8dc8feffff ff25???????? 8d8dacfeffff ff25???????? a1???????? 50 6a02 }
            // n = 7, score = 100
            //   8d8dc8feffff         | lea                 ecx, [ebp - 0x138]
            //   ff25????????         |                     
            //   8d8dacfeffff         | lea                 ecx, [ebp - 0x154]
            //   ff25????????         |                     
            //   a1????????           |                     
            //   50                   | push                eax
            //   6a02                 | push                2

        $sequence_2 = { eb61 3bfd 7531 c7865005000001000000 3bdd 744f 8b4c241c }
            // n = 7, score = 100
            //   eb61                 | jmp                 0x63
            //   3bfd                 | cmp                 edi, ebp
            //   7531                 | jne                 0x33
            //   c7865005000001000000     | mov    dword ptr [esi + 0x550], 1
            //   3bdd                 | cmp                 ebx, ebp
            //   744f                 | je                  0x51
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]

        $sequence_3 = { 668906 c744241801000000 803e3f 7527 8bc6 8d5001 90 }
            // n = 7, score = 100
            //   668906               | mov                 word ptr [esi], ax
            //   c744241801000000     | mov                 dword ptr [esp + 0x18], 1
            //   803e3f               | cmp                 byte ptr [esi], 0x3f
            //   7527                 | jne                 0x29
            //   8bc6                 | mov                 eax, esi
            //   8d5001               | lea                 edx, [eax + 1]
            //   90                   | nop                 

        $sequence_4 = { 51 ffd5 8bd8 83c408 85db 742e 8d5301 }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   ffd5                 | call                ebp
            //   8bd8                 | mov                 ebx, eax
            //   83c408               | add                 esp, 8
            //   85db                 | test                ebx, ebx
            //   742e                 | je                  0x30
            //   8d5301               | lea                 edx, [ebx + 1]

        $sequence_5 = { 33ed 8a06 ff442424 8b54241c 84c0 0f858ffcffff 3bd3 }
            // n = 7, score = 100
            //   33ed                 | xor                 ebp, ebp
            //   8a06                 | mov                 al, byte ptr [esi]
            //   ff442424             | inc                 dword ptr [esp + 0x24]
            //   8b54241c             | mov                 edx, dword ptr [esp + 0x1c]
            //   84c0                 | test                al, al
            //   0f858ffcffff         | jne                 0xfffffc95
            //   3bd3                 | cmp                 edx, ebx

        $sequence_6 = { 83c404 c7460400000000 c70600000000 83f8ff 740a 50 ff15???????? }
            // n = 7, score = 100
            //   83c404               | add                 esp, 4
            //   c7460400000000       | mov                 dword ptr [esi + 4], 0
            //   c70600000000         | mov                 dword ptr [esi], 0
            //   83f8ff               | cmp                 eax, -1
            //   740a                 | je                  0xc
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_7 = { 8bd8 83c40c 85db 742c 8d442434 50 e8???????? }
            // n = 7, score = 100
            //   8bd8                 | mov                 ebx, eax
            //   83c40c               | add                 esp, 0xc
            //   85db                 | test                ebx, ebx
            //   742c                 | je                  0x2e
            //   8d442434             | lea                 eax, [esp + 0x34]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_8 = { e8???????? 8b5c2418 56 33ed 53 89aed8050000 c7460c11000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b5c2418             | mov                 ebx, dword ptr [esp + 0x18]
            //   56                   | push                esi
            //   33ed                 | xor                 ebp, ebp
            //   53                   | push                ebx
            //   89aed8050000         | mov                 dword ptr [esi + 0x5d8], ebp
            //   c7460c11000000       | mov                 dword ptr [esi + 0xc], 0x11

        $sequence_9 = { 8b8eb4010000 6a00 53 51 ffd0 8bf8 83c40c }
            // n = 7, score = 100
            //   8b8eb4010000         | mov                 ecx, dword ptr [esi + 0x1b4]
            //   6a00                 | push                0
            //   53                   | push                ebx
            //   51                   | push                ecx
            //   ffd0                 | call                eax
            //   8bf8                 | mov                 edi, eax
            //   83c40c               | add                 esp, 0xc

    condition:
        7 of them and filesize < 704512
}
Download all Yara Rules
Rover Propose Change

References

Yara Rules

Rover
