win.saigon

SaiGon


FireEye reports SaiGon as a fork of ISFB (Ursnif/Gozi) v3 — the documented samples carry the version tag 3.50.132 — that behaves more like a generic backdoor than a banking-fraud module.

References
2020-08-28CheckpointCheck Point Research
@online{research:20200828:gozi:944c005, author = {Check Point Research}, title = {{Gozi: The Malware with a Thousand Faces}}, date = {2020-08-28}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/}, language = {English}, urldate = {2020-09-01} } Gozi: The Malware with a Thousand Faces
DreamBot ISFB LOLSnif SaiGon
2020-01-09FireEyeSandor Nemes, Zander Work
@online{nemes:20200109:saigon:d0a0c27, author = {Sandor Nemes and Zander Work}, title = {{SAIGON, the Mysterious Ursnif Fork}}, date = {2020-01-09}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html}, language = {English}, urldate = {2020-01-13} } SAIGON, the Mysterious Ursnif Fork
SaiGon
Yara Rules
[TLP:WHITE] win_saigon_auto (20230407 | Detects win.saigon.)
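rule win_saigon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.saigon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.saigon"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* All ten byte sequences are x86-64 code: REX prefixes (0x41-0x4d), r8-r14
     * and rsp-relative stack frames. The `??` wildcards cover rel32 call targets
     * and RIP-relative disp32 operands (e8 / ff15 / 8b05 / 488b0d), which change
     * between builds and load addresses; the fixed opcode bytes around them are
     * what the rule keys on. The per-instruction comments give the 64-bit
     * disassembly of each sequence.
     */

    strings:
        $sequence_0 = { 4885c0 740f 488d4c2478 488bd0 e8???????? eb06 ff15???????? }
            // n = 7, score = 200
            //   4885c0               | test                rax, rax
            //   740f                 | je                  +0xf
            //   488d4c2478           | lea                 rcx, [rsp + 0x78]
            //   488bd0               | mov                 rdx, rax
            //   e8????????           | call                rel32
            //   eb06                 | jmp                 +0x6
            //   ff15????????         | call                qword ptr [rip + disp32]

        $sequence_1 = { 33c0 eb05 b86f000000 41891c24 4c8d9c2450020000 498b5b10 498b6b18 }
            // n = 7, score = 200
            //   33c0                 | xor                 eax, eax
            //   eb05                 | jmp                 +0x5
            //   b86f000000           | mov                 eax, 0x6f
            //   41891c24             | mov                 dword ptr [r12], ebx
            //   4c8d9c2450020000     | lea                 r11, [rsp + 0x250]
            //   498b5b10             | mov                 rbx, qword ptr [r11 + 0x10]
            //   498b6b18             | mov                 rbp, qword ptr [r11 + 0x18]

        $sequence_2 = { 8b05???????? 8364242800 4c8d442460 35d633ff78 }
            // n = 4, score = 200
            //   8b05????????         | mov                 eax, dword ptr [rip + disp32]
            //   8364242800           | and                 dword ptr [rsp + 0x28], 0
            //   4c8d442460           | lea                 r8, [rsp + 0x60]
            //   35d633ff78           | xor                 eax, 0x78ff33d6

        $sequence_3 = { 33d2 ff15???????? 488b0d???????? 4d8bc6 33d2 ff15???????? 488b8c2498000000 }
            // n = 7, score = 200
            //   33d2                 | xor                 edx, edx
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   488b0d????????       | mov                 rcx, qword ptr [rip + disp32]
            //   4d8bc6               | mov                 r8, r14
            //   33d2                 | xor                 edx, edx
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   488b8c2498000000     | mov                 rcx, qword ptr [rsp + 0x98]

        $sequence_4 = { 7430 80f97e 742b 80f95f }
            // n = 4, score = 200
            //   7430                 | je                  +0x30
            //   80f97e               | cmp                 cl, 0x7e
            //   742b                 | je                  +0x2b
            //   80f95f               | cmp                 cl, 0x5f

        $sequence_5 = { 4154 4883ec30 33db 4c8be2 488be9 215c2460 ff15???????? }
            // n = 7, score = 200
            //   4154                 | push                r12
            //   4883ec30             | sub                 rsp, 0x30
            //   33db                 | xor                 ebx, ebx
            //   4c8be2               | mov                 r12, rdx
            //   488be9               | mov                 rbp, rcx
            //   215c2460             | and                 dword ptr [rsp + 0x60], ebx
            //   ff15????????         | call                qword ptr [rip + disp32]

        $sequence_6 = { 33d2 488d4c2440 448d4260 e8???????? 8b8424f8000000 4c8b8c24d0000000 }
            // n = 6, score = 200
            //   33d2                 | xor                 edx, edx
            //   488d4c2440           | lea                 rcx, [rsp + 0x40]
            //   448d4260             | lea                 r8d, [rdx + 0x60]
            //   e8????????           | call                rel32
            //   8b8424f8000000       | mov                 eax, dword ptr [rsp + 0xf8]
            //   4c8b8c24d0000000     | mov                 r9, qword ptr [rsp + 0xd0]

        $sequence_7 = { 488d4c2470 48894210 488b01 488d542450 488902 488b4108 }
            // n = 6, score = 200
            //   488d4c2470           | lea                 rcx, [rsp + 0x70]
            //   48894210             | mov                 qword ptr [rdx + 0x10], rax
            //   488b01               | mov                 rax, qword ptr [rcx]
            //   488d542450           | lea                 rdx, [rsp + 0x50]
            //   488902               | mov                 qword ptr [rdx], rax
            //   488b4108             | mov                 rax, qword ptr [rcx + 8]

        $sequence_8 = { ffd0 85c0 790e 8bc8 }
            // n = 4, score = 200
            //   ffd0                 | call                rax
            //   85c0                 | test                eax, eax
            //   790e                 | jns                 +0xe
            //   8bc8                 | mov                 ecx, eax

        $sequence_9 = { ff5038 85c0 781c 488b4c2430 4533c0 }
            // n = 5, score = 200
            //   ff5038               | call                qword ptr [rax + 0x38]
            //   85c0                 | test                eax, eax
            //   781c                 | js                  +0x1c
            //   488b4c2430           | mov                 rcx, qword ptr [rsp + 0x30]
            //   4533c0               | xor                 r8d, r8d

    condition:
        // Seven of the ten sequences must be present, and the scanned object must be
        // under 144 KiB (147456 bytes), which keeps the rule to unpacked samples and
        // dumps saved as files. NOTE(review): `filesize` is undefined when YARA scans
        // a live process, so this rule is not expected to fire in process-memory
        // scans -- confirm against the YARA version in use before relying on it there.
        7 of them and filesize < 147456
}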