win.sappycache

SappyCache


There is no description at this point.

References
2019-08-05 | Reversing Labs | Tomislav Pericin
@online{pericin:20190805:catching:4aeb984, author = {Tomislav Pericin}, title = {{Catching lateral movement in internal emails}}, date = {2019-08-05}, organization = {Reversing Labs}, url = {https://blog.reversinglabs.com/blog/catching-lateral-movement-in-internal-emails}, language = {English}, urldate = {2020-07-15} } Catching lateral movement in internal emails
SappyCache
2019-08 | ClearSky | ClearSky Cyber Security
@techreport{security:201908:2019:716d69e, author = {ClearSky Cyber Security}, title = {{2019 H1 Cyber Events Summary Report}}, date = {2019-08}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf}, language = {English}, urldate = {2020-06-29} } 2019 H1 Cyber Events Summary Report
EVILNUM Cardinal RAT SappyCache
2019-03-27 | ESTsecurity | Alyac
@online{alyac:20190327:lazarus:df092d7, author = {Alyac}, title = {{Lazarus Group APT Counterattack Against Israeli Military}}, date = {2019-03-27}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2219}, language = {Korean}, urldate = {2020-06-29} } Lazarus Group APT Counterattack Against Israeli Military
SappyCache
2019-03-27 | Alyac
@online{alyac:20190327:lazarus:2172304, author = {Alyac}, title = {{라자루스(Lazarus) 그룹, 이스라엘 군수업체 대상 APT 역습}}, date = {2019-03-27}, url = {https://blog.alyac.co.kr/m/2219}, language = {Korean}, urldate = {2020-07-15} } 라자루스(Lazarus) 그룹, 이스라엘 군수업체 대상 APT 역습
SappyCache
2019-03-26 | FireEye | Dileep Kumar Jallepalli
@online{jallepalli:20190326:winrar:dff4878, author = {Dileep Kumar Jallepalli}, title = {{WinRAR Zero-day Abused in Multiple Campaigns}}, date = {2019-03-26}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html}, language = {English}, urldate = {2019-12-20} } WinRAR Zero-day Abused in Multiple Campaigns
SappyCache
Yara Rules
[TLP:WHITE] win_sappycache_auto (20201023 | autogenerated rule brought to you by yara-signator)
/*
 * Autogenerated YARA-Signator rule for the win.sappycache family (Malpedia).
 * The ten $sequence_N strings are short runs of opcode bytes selected from the
 * disassembly of the reference sample(s); the condition requires 7 of the 10
 * to be present and caps the scanned object at 262144 bytes (256 KiB).
 * Only the hex bytes are matched — the mnemonic comments are informational.
 */
rule win_sappycache_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sappycache"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): the mnemonic column printed beside each byte sequence
        // does not appear to line up with the bytes on the same line (for
        // example 483bc1 in $sequence_2 encodes "cmp rax, rcx", yet that
        // mnemonic is printed next to 488d0c28), and the 0x41/0x48/0x49/0x4c
        // lead bytes look like x86-64 REX prefixes rendered through a 32-bit
        // decoder ("dec eax", "inc ecx", "arpl"). Treat the mnemonics as a
        // rendering artefact of the generator; only the hex bytes are matched.
        // The ???????? wildcards mask 4-byte operands (presumably call/load
        // displacements that differ between builds) so the surrounding opcode
        // pattern still matches across samples.
        $sequence_0 = { 418b4650 488d6aff 4803e8 488d4aff 4803cf }
            // n = 5, score = 200
            //   418b4650             | dec                 eax
            //   488d6aff             | lea                 ebp, [esp - 0x6248]
            //   4803e8               | push                esi
            //   488d4aff             | inc                 ecx
            //   4803cf               | push                ebp

        $sequence_1 = { b940000000 8bd8 ff15???????? 448bc3 488bd6 488bc8 }
            // n = 6, score = 200
            //   b940000000           | lea                 eax, [ecx + 4]
            //   8bd8                 | dec                 esp
            //   ff15????????         |                     
            //   448bc3               | mov                 eax, dword ptr [esp + 0x38]
            //   488bd6               | dec                 eax
            //   488bc8               | mov                 ecx, dword ptr [esp + 0x38]

        $sequence_2 = { 488d0c28 4923c5 4923cd 483bc1 }
            // n = 4, score = 200
            //   488d0c28             | cmp                 ecx, eax
            //   4923c5               | dec                 eax
            //   4923cd               | test                ecx, ecx
            //   483bc1               | je                  0x40

        $sequence_3 = { 488d2d98d60000 488d4d30 4533c0 baa00f0000 e8???????? 488b05???????? }
            // n = 6, score = 200
            //   488d2d98d60000       | inc                 ecx
            //   488d4d30             | setne               ch
            //   4533c0               | inc                 ecx
            //   baa00f0000           | mov                 eax, ebp
            //   e8????????           |                     
            //   488b05????????       |                     

        $sequence_4 = { 493bf6 0f8593000000 440fb6442458 0fb65c2459 410fb6d0 0fb67c245a 0fb6c3 }
            // n = 7, score = 200
            //   493bf6               | mov                 dword ptr [ebp + 0x20], 0xea60
            //   0f8593000000         | dec                 esp
            //   440fb6442458         | lea                 eax, [ebp + 0x20]
            //   0fb65c2459           | dec                 eax
            //   410fb6d0             | mov                 ecx, ebx
            //   0fb67c245a           | inc                 ecx
            //   0fb6c3               | lea                 edx, [ecx - 2]

        $sequence_5 = { 488b0b ff15???????? 85c0 7428 488bcd 488d1545f80000 83e13f }
            // n = 7, score = 200
            //   488b0b               | dec                 eax
            //   ff15????????         |                     
            //   85c0                 | mov                 edx, ebx
            //   7428                 | xor                 ecx, ecx
            //   488bcd               | dec                 esp
            //   488d1545f80000       | lea                 esp, [0xf1ef]
            //   83e13f               | mov                 ebp, esi

        $sequence_6 = { 83fa48 7243 8b4b40 8b4344 894c2450 83c140 }
            // n = 6, score = 200
            //   83fa48               | dec                 eax
            //   7243                 | cmp                 eax, ecx
            //   8b4b40               | dec                 eax
            //   8b4344               | test                eax, eax
            //   894c2450             | je                  0x753
            //   83c140               | dec                 eax

        $sequence_7 = { 4c8d44246c ba00000200 488d8c24c0060000 e8???????? 4c8d0567240100 ba00000200 }
            // n = 6, score = 200
            //   4c8d44246c           | lea                 eax, [ebp + 0x60]
            //   ba00000200           | xor                 edx, edx
            //   488d8c24c0060000     | dec                 eax
            //   e8????????           |                     
            //   4c8d0567240100       | lea                 ecx, [ebp + 0x3a20]
            //   ba00000200           | inc                 ecx

        $sequence_8 = { ff15???????? 85c0 0f84d6000000 0f1f440000 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   85c0                 | dec                 esp
            //   0f84d6000000         | mov                 dword ptr [esp + 0x30], esi
            //   0f1f440000           | inc                 esp

        $sequence_9 = { 660f1f440000 48ffc2 6644392c50 75f6 4c8d4db0 4533c0 }
            // n = 6, score = 200
            //   660f1f440000         | sar                 eax, 6
            //   48ffc2               | dec                 esp
            //   6644392c50           | lea                 eax, [0xe120]
            //   75f6                 | and                 edx, 0x3f
            //   4c8d4db0             | dec                 eax
            //   4533c0               | arpl                word ptr [eax], cx

    condition:
        // Any 7 of the 10 opcode sequences must be present, and the scanned
        // object must be under 256 KiB. The size cap is written for files on
        // disk (unpacked samples / memory dumps, per the disclaimer above);
        // NOTE(review): when the rule is applied to process memory or to
        // larger containers, the filesize guard may not behave as intended —
        // confirm before relying on it in those settings.
        7 of them and filesize < 262144
}