SYMBOLCOMMON_NAMEaka. SYNONYMS
win.saigon (Back to overview)

SaiGon


FireEye reports SaiGon as a variant of ISFB v3 (versions documented are tagged 3.50.132) that is more a generic backdoor than being focused on enabling banking fraud.

References
2020-08-28CheckpointCheck Point Research
@online{research:20200828:gozi:944c005, author = {Check Point Research}, title = {{Gozi: The Malware with a Thousand Faces}}, date = {2020-08-28}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/}, language = {English}, urldate = {2020-09-01} } Gozi: The Malware with a Thousand Faces
DreamBot ISFB LOLSnif SaiGon
2020-01-09FireEyeSandor Nemes, Zander Work
@online{nemes:20200109:saigon:d0a0c27, author = {Sandor Nemes and Zander Work}, title = {{SAIGON, the Mysterious Ursnif Fork}}, date = {2020-01-09}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html}, language = {English}, urldate = {2020-01-13} } SAIGON, the Mysterious Ursnif Fork
SaiGon
Yara Rules
[TLP:WHITE] win_saigon_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_saigon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.saigon"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 418bd6 e8???????? 488d8c24d0050000 418bd6 8bf8 e8???????? }
            // n = 6, score = 200
            //   418bd6               | dec                 eax
            //   e8????????           |                     
            //   488d8c24d0050000     | lea                 ecx, [edi + 0x88]
            //   418bd6               | lock add            dword ptr [edi + 0xb0], 1
            //   8bf8                 | dec                 eax
            //   e8????????           |                     

        $sequence_1 = { 4d8bcc 8bd5 488bc8 4889742420 ff15???????? 33d2 488bcf }
            // n = 7, score = 200
            //   4d8bcc               | dec                 ecx
            //   8bd5                 | add                 ecx, esp
            //   488bc8               | inc                 ebp
            //   4889742420           | mov                 ebx, dword ptr [esi]
            //   ff15????????         |                     
            //   33d2                 | inc                 ecx
            //   488bcf               | mov                 ecx, dword ptr [esi]

        $sequence_2 = { 33ed 488bcb 85c0 0f496c2458 ff15???????? }
            // n = 5, score = 200
            //   33ed                 | mov                 esp, ebp
            //   488bcb               | inc                 sp
            //   85c0                 | mov                 dword ptr [edi + ebp*2], ebp
            //   0f496c2458           | shr                 ebx, 1
            //   ff15????????         |                     

        $sequence_3 = { 48896810 48897020 44894018 57 4154 4155 4883ec50 }
            // n = 7, score = 200
            //   48896810             | xor                 edx, edx
            //   48897020             | mov                 ecx, 0x410
            //   44894018             | inc                 esp
            //   57                   | mov                 eax, eax
            //   4154                 | mov                 dword ptr [esp + 0x80], 0x3300
            //   4155                 | jne                 0x193
            //   4883ec50             | inc                 esp

        $sequence_4 = { ff15???????? 488b842490000000 8b4b68 448b4b74 448b4370 33d2 48f7742460 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   488b842490000000     | mov                 ecx, ebx
            //   8b4b68               | inc                 ebp
            //   448b4b74             | xor                 eax, eax
            //   448b4370             | mov                 dword ptr [esp + 0x28], esi
            //   33d2                 | dec                 eax
            //   48f7742460           | mov                 dword ptr [esp + 0x20], eax

        $sequence_5 = { 33d2 ff15???????? eb03 418bdf 448b8c24e0000000 488bbc24e0000000 }
            // n = 6, score = 200
            //   33d2                 | jne                 0xa8e
            //   ff15????????         |                     
            //   eb03                 | lea                 edx, [ebx - 1]
            //   418bdf               | cmp                 edx, ecx
            //   448b8c24e0000000     | lea                 ecx, [eax + 2]
            //   488bbc24e0000000     | cmp                 byte ptr [esp + 0x31], cl

        $sequence_6 = { 488b15???????? 488bcf e8???????? 8b05???????? 8364242800 4c8d442460 }
            // n = 6, score = 200
            //   488b15????????       |                     
            //   488bcf               | cmp                 eax, edi
            //   e8????????           |                     
            //   8b05????????         |                     
            //   8364242800           | dec                 eax
            //   4c8d442460           | mov                 esi, eax

        $sequence_7 = { 448bcf 4c8bc6 894c2428 33c9 33d2 4889442420 }
            // n = 6, score = 200
            //   448bcf               | mov                 esi, eax
            //   4c8bc6               | dec                 eax
            //   894c2428             | test                eax, eax
            //   33c9                 | je                  0x1fb
            //   33d2                 | lea                 edx, [ebp + 3]
            //   4889442420           | dec                 eax

        $sequence_8 = { 41b930000000 33d2 488bcb 4889442420 }
            // n = 4, score = 200
            //   41b930000000         | cmp                 dh, 2
            //   33d2                 | ja                  0x2ee
            //   488bcb               | mov                 edx, ebx
            //   4889442420           | mov                 dword ptr [esp + 0x40], ebx

        $sequence_9 = { 7428 4c8d442450 488d542430 488bc8 e8???????? }
            // n = 5, score = 200
            //   7428                 | mov                 ebx, dword ptr [esp + 0x40]
            //   4c8d442450           | dec                 eax
            //   488d542430           | add                 esp, 0x30
            //   488bc8               | inc                 ecx
            //   e8????????           |                     

    condition:
        7 of them and filesize < 147456
}
Download all Yara Rules