SYMBOLCOMMON_NAMEaka. SYNONYMS
win.saigon (Back to overview)

SaiGon


FireEye reports SaiGon as a variant of ISFB v3 (versions documented are tagged 3.50.132) that is more a generic backdoor than being focused on enabling banking fraud.

References
2020-08-28CheckpointCheck Point Research
@online{research:20200828:gozi:944c005, author = {Check Point Research}, title = {{Gozi: The Malware with a Thousand Faces}}, date = {2020-08-28}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/}, language = {English}, urldate = {2020-09-01} } Gozi: The Malware with a Thousand Faces
DreamBot ISFB LOLSnif SaiGon
2020-01-09FireEyeSandor Nemes, Zander Work
@online{nemes:20200109:saigon:d0a0c27, author = {Sandor Nemes and Zander Work}, title = {{SAIGON, the Mysterious Ursnif Fork}}, date = {2020-01-09}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html}, language = {English}, urldate = {2020-01-13} } SAIGON, the Mysterious Ursnif Fork
SaiGon
Yara Rules
[TLP:WHITE] win_saigon_auto (20220516 | Detects win.saigon.)
rule win_saigon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.saigon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.saigon"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4883ec30 488bf1 4881c188000000 e8???????? 488b8eb8000000 408a6e66 4885c9 }
            // n = 7, score = 200
            //   4883ec30             | dec                 eax
            //   488bf1               | lea                 edx, [0xa619]
            //   4881c188000000       | dec                 esp
            //   e8????????           |                     
            //   488b8eb8000000       | mov                 eax, ebp
            //   408a6e66             | xor                 edx, edx
            //   4885c9               | dec                 eax

        $sequence_1 = { 3bc6 0f8497010000 488bcf ff15???????? 488b0d???????? }
            // n = 5, score = 200
            //   3bc6                 | mov                 dword ptr [esp + 0x30], esi
            //   0f8497010000         | dec                 esp
            //   488bcf               | lea                 ecx, [esp + 0x68]
            //   ff15????????         |                     
            //   488b0d????????       |                     

        $sequence_2 = { 4d8bc4 33d2 ff15???????? eb0a 4c8b742460 4c8b7c2468 488b0d???????? }
            // n = 7, score = 200
            //   4d8bc4               | inc                 ebp
            //   33d2                 | xor                 ecx, ecx
            //   ff15????????         |                     
            //   eb0a                 | xor                 ebx, ebx
            //   4c8b742460           | test                ebx, ebx
            //   4c8b7c2468           | je                  0x73f
            //   488b0d????????       |                     

        $sequence_3 = { 7459 f60301 742c 418bcf 488bd0 4903cc e8???????? }
            // n = 7, score = 200
            //   7459                 | dec                 eax
            //   f60301               | mov                 ecx, eax
            //   742c                 | dec                 eax
            //   418bcf               | mov                 dword ptr [esp + 0x20], edi
            //   488bd0               | je                  0x183
            //   4903cc               | dec                 eax
            //   e8????????           |                     

        $sequence_4 = { ff15???????? 8bd8 4885ff 7416 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   8bd8                 | pop                 esi
            //   4885ff               | ret                 
            //   7416                 | dec                 eax

        $sequence_5 = { 488d542430 488902 488b4108 48894208 488b4110 488b8c24e8000000 48894210 }
            // n = 7, score = 200
            //   488d542430           | xor                 ebx, ebx
            //   488902               | dec                 eax
            //   488b4108             | cmp                 eax, ebx
            //   48894208             | dec                 eax
            //   488b4110             | mov                 ebp, eax
            //   488b8c24e8000000     | je                  0x9b1
            //   48894210             | mov                 esi, eax

        $sequence_6 = { 488d8e88000000 ff15???????? 488b06 4c8d8c24e0000000 4c8bc7 8bd5 498bcd }
            // n = 7, score = 200
            //   488d8e88000000       | lea                 eax, [edi + edi + 2]
            //   ff15????????         |                     
            //   488b06               | dec                 eax
            //   4c8d8c24e0000000     | mov                 ebx, eax
            //   4c8bc7               | dec                 eax
            //   8bd5                 | test                eax, eax
            //   498bcd               | lea                 edi, [eax + 8]

        $sequence_7 = { 418bd6 e8???????? 488d8c24e0010000 418bd6 e8???????? 488d8c24d0050000 }
            // n = 6, score = 200
            //   418bd6               | mov                 dword ptr [esp + 0x20], esi
            //   e8????????           |                     
            //   488d8c24e0010000     | shl                 ebx, 2
            //   418bd6               | dec                 esp
            //   e8????????           |                     
            //   488d8c24d0050000     | lea                 eax, [esp + 0x300]

        $sequence_8 = { 4c3bc0 740f 488b0d???????? 33d2 ff15???????? 4c8bc6 e9???????? }
            // n = 7, score = 200
            //   4c3bc0               | mov                 dword ptr [esp + 0x20], esp
            //   740f                 | inc                 esp
            //   488b0d????????       |                     
            //   33d2                 | mov                 ebx, dword ptr [esp + 0x60]
            //   ff15????????         |                     
            //   4c8bc6               | inc                 edi
            //   e9????????           |                     

        $sequence_9 = { 488b5c2450 488b6c2458 488b742460 418bc4 4883c420 415f }
            // n = 6, score = 200
            //   488b5c2450           | call                dword ptr [eax + 0x10]
            //   488b6c2458           | mov                 ebx, eax
            //   488b742460           | jl                  0x44c
            //   418bc4               | dec                 eax
            //   4883c420             | mov                 ecx, dword ptr [esp + 0xa8]
            //   415f                 | dec                 eax

    condition:
        7 of them and filesize < 147456
}
Download all Yara Rules