
SaiGon


FireEye reports SaiGon as a variant of ISFB v3 (the documented versions are tagged 3.50.132) that behaves more like a generic backdoor than a tool focused on enabling banking fraud.

References
2020-08-28 — Checkpoint — Check Point Research
@online{research:20200828:gozi:944c005, author = {Check Point Research}, title = {{Gozi: The Malware with a Thousand Faces}}, date = {2020-08-28}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/}, language = {English}, urldate = {2020-09-01} } Gozi: The Malware with a Thousand Faces
DreamBot ISFB LOLSnif SaiGon
2020-01-09 — FireEye — Sandor Nemes, Zander Work
@online{nemes:20200109:saigon:d0a0c27, author = {Sandor Nemes and Zander Work}, title = {{SAIGON, the Mysterious Ursnif Fork}}, date = {2020-01-09}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html}, language = {English}, urldate = {2020-01-13} } SAIGON, the Mysterious Ursnif Fork
SaiGon
Yara Rules
[TLP:WHITE] win_saigon_auto (20230125 | Detects win.saigon.)
rule win_saigon_auto {
    /* Auto-generated (yara-signator) code-sequence signature for win.saigon.
     * Matching depends only on the ten hex byte patterns in `strings` and the
     * size bound in `condition`; the meta block carries provenance (Malpedia
     * reference, generation hash, license, sharing level) and is not used for
     * matching. Nothing here checks the file format: per the DISCLAIMER below,
     * the sequences were taken from memory dumps and unpacked files, so expect
     * best results on those rather than on packed on-disk samples.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.saigon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.saigon"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* NOTE(review): the `//` disassembly annotations under each sequence do
     * not line up with the hex bytes on the same line (e.g. in $sequence_2,
     * `33d2` is `xor edx, edx`, but that text is printed one line lower,
     * against `488bc8`); treat the annotations as informational only and
     * trust the hex bytes. `??` bytes are wildcards, here covering the
     * 32-bit displacement of `ff15` (call [mem]) and `488b0d`/`488b05`
     * (mov rcx/rax, [mem]) operands, which vary between builds.
     */
    strings:
        $sequence_0 = { 4080fe02 7708 8bd3 895c2440 }
            // n = 4, score = 200
            //   4080fe02             | xor                 ebx, ebx
            //   7708                 | dec                 eax
            //   8bd3                 | mov                 ebp, eax
            //   895c2440             | dec                 eax

        $sequence_1 = { ff15???????? 488b0d???????? 448d441801 33d2 ff15???????? }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   488b0d????????       |                     
            //   448d441801           | and                 dword ptr [esp + 0x28], eax
            //   33d2                 | mov                 ebx, eax
            //   ff15????????         |                     

        $sequence_2 = { 746f 4533c0 33d2 488bc8 488bfb ff15???????? }
            // n = 6, score = 200
            //   746f                 | lea                 ecx, [ebx + 7]
            //   4533c0               | dec                 eax
            //   33d2                 | mov                 ecx, ebx
            //   488bc8               | xor                 edx, edx
            //   488bfb               | inc                 esp
            //   ff15????????         |                     

        $sequence_3 = { 488bd1 498bcf 0fb77314 0fb76b06 448b6b3c 448b441e2c 4533e4 }
            // n = 7, score = 200
            //   488bd1               | dec                 eax
            //   498bcf               | mov                 eax, dword ptr [ecx]
            //   0fb77314             | call                dword ptr [eax + 0x10]
            //   0fb76b06             | inc                 ebp
            //   448b6b3c             | xor                 eax, eax
            //   448b441e2c           | dec                 eax
            //   4533e4               | xlatb               

        $sequence_4 = { 488b0d???????? 4d8bc4 33d2 8bd8 ff15???????? 4c8bc5 eb03 }
            // n = 7, score = 200
            //   488b0d????????       |                     
            //   4d8bc4               | dec                 eax
            //   33d2                 | add                 esi, 4
            //   8bd8                 | dec                 eax
            //   ff15????????         |                     
            //   4c8bc5               | add                 edi, 4
            //   eb03                 | inc                 ebp

        $sequence_5 = { 4883ec38 8b442468 4533d2 413bc2 741f 3d04010000 7418 }
            // n = 7, score = 200
            //   4883ec38             | mov                 byte ptr [ebx + edi], 0
            //   8b442468             | mov                 dword ptr [ebp], ebx
            //   4533d2               | dec                 ecx
            //   413bc2               | mov                 dword ptr [esp], edi
            //   741f                 | cmp                 eax, ecx
            //   3d04010000           | je                  0xf73
            //   7418                 | cmp                 eax, 1

        $sequence_6 = { 8bd8 488bcf ff15???????? eb08 ff15???????? 8bd8 4c8d9c2480010000 }
            // n = 7, score = 200
            //   8bd8                 | lea                 eax, [esp + 0x58]
            //   488bcf               | dec                 esp
            //   ff15????????         |                     
            //   eb08                 | mov                 ecx, edi
            //   ff15????????         |                     
            //   8bd8                 | inc                 ebp
            //   4c8d9c2480010000     | xor                 eax, eax

        $sequence_7 = { 4155 4156 4157 4883ec40 488b05???????? 4983632000 4983631800 }
            // n = 7, score = 200
            //   4155                 | dec                 eax
            //   4156                 | mov                 ecx, ebx
            //   4157                 | call                dword ptr [eax + 0x78]
            //   4883ec40             | dec                 eax
            //   488b05????????       |                     
            //   4983632000           | lea                 ecx, [esp + 0xd0]
            //   4983631800           | dec                 esp

        $sequence_8 = { 897010 8a4128 488bee 384166 7207 }
            // n = 5, score = 200
            //   897010               | mov                 ebx, edx
            //   8a4128               | xor                 edx, edx
            //   488bee               | dec                 eax
            //   384166               | mov                 edi, ecx
            //   7207                 | inc                 esp

        $sequence_9 = { 488b8c2490000000 488b01 ff5010 488b8c2498000000 488b01 }
            // n = 5, score = 200
            //   488b8c2490000000     | je                  0x6b0
            //   488b01               | xor                 edx, edx
            //   ff5010               | dec                 eax
            //   488b8c2498000000     | mov                 edi, eax
            //   488b01               | dec                 eax

    // Match threshold: any 7 of the 10 sequences, and the scanned object must
    // be smaller than 147456 bytes (0x24000). The size bound presumably
    // reflects the reference sample(s) at generation time — TODO confirm
    // before applying the rule to other inputs (e.g. whole memory regions or
    // bundled artefacts), which may exceed it and silently fail to match.
    condition:
        7 of them and filesize < 147456
}