Malpedia identifier: win.sappycache

SappyCache


There is no description at this point.

References
2019-08-05 — Reversing Labs — Tomislav Pericin
Catching lateral movement in internal emails
SappyCache
2019-08-01 — ClearSky — ClearSky Cyber Security
2019 H1 Cyber Events Summary Report
EVILNUM Cardinal RAT SappyCache
2019-03-27 — ESTsecurity — Alyac
Lazarus Group APT Counterattack Against Israeli Military
SappyCache
2019-03-27 — Alyac
라자루스(Lazarus) 그룹, 이스라엘 군수업체 대상 APT 역습
SappyCache
2019-03-26 — FireEye — Dileep Kumar Jallepalli
WinRAR Zero-day Abused in Multiple Campaigns
SappyCache
Yara Rules
[TLP:WHITE] win_sappycache_auto (20260504 | Detects win.sappycache.)
/*
 * win_sappycache_auto — auto-generated YARA signature for the SappyCache
 * family (Malpedia id win.sappycache).
 *
 * How it works: ten short opcode sequences ($sequence_0 .. $sequence_9)
 * were cut by yara-signator from the disassembly of Malpedia's sample(s);
 * the rule fires when any 7 of them are present and the scanned object is
 * smaller than 256 KiB (see the condition). The 4-byte "????????"
 * wildcards sit where call/jmp targets and RIP-relative data references
 * would be (cf. signator_config "callsandjumps;datarefs") — presumably
 * because those displacements change with build/layout.
 *
 * Operational caveats for anyone deploying this:
 *  - It is a code-reuse signature, not a family definition. Generated from
 *    few samples (see DISCLAIMER below), so expect both misses on newer
 *    builds and possible hits on unrelated code that shares the same
 *    compiler/library idioms. Treat a hit as a lead, not a verdict.
 *  - There is no file-type anchor (no MZ/PE check). That is deliberate — the
 *    source material includes memory dumps — but it also means the rule
 *    can match arbitrary blobs that happen to contain the sequences.
 *  - NOTE(review): the per-byte disassembly annotations in the comments do
 *    not appear to line up with the hex they sit next to (for example
 *    f6c101 is the encoding of TEST r/m8, imm8 but is annotated "jne";
 *    7412 is a JE short jump but is annotated "dec eax"). The hex patterns
 *    are the authoritative signature; re-disassemble a sequence yourself
 *    before reasoning about what it does.
 *  - Several sequences carry 0x48 / 0x41 / 0x4c / 0x4d lead bytes, which
 *    in 64-bit code are REX prefixes, so the sequences look like they were
 *    cut from x86-64 code; the "dec eax" / "inc ecx" annotations are what
 *    those bytes decode to in 32-bit mode, another sign the annotations
 *    should not be trusted as-is. Verify against a sample before relying
 *    on this for architecture attribution.
 */
rule win_sappycache_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.sappycache."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sappycache"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation are published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Per-sequence comments: "n" appears to be the number of instructions in
     * the sequence (it equals the number of annotated lines); "score" is the
     * generator's internal weight and is not defined anywhere in this rule.
     * The instruction column is unreliable — see the header note above. */
    strings:
        $sequence_0 = { f6c101 7412 b9c1000000 ff15???????? 33c0 e9???????? 410fb74614 }
            // n = 7, score = 200
            //   f6c101               | jne                 0x12
            //   7412                 | dec                 eax
            //   b9c1000000           | mov                 ecx, edi
            //   ff15????????         |                     
            //   33c0                 | dec                 eax
            //   e9????????           |                     
            //   410fb74614           | lea                 edx, [esp + 0x280]

        // Overlaps $sequence_0 (shares f6c101 7412 b9c1000000 ff15 33c0), so
        // the two are not independent evidence — a file containing this code
        // path will typically satisfy both at once.
        $sequence_1 = { 7509 418b4e38 f6c101 7412 b9c1000000 ff15???????? 33c0 }
            // n = 7, score = 200
            //   7509                 | test                eax, eax
            //   418b4e38             | je                  0xfc
            //   f6c101               | mov                 edx, 1
            //   7412                 | dec                 eax
            //   b9c1000000           | mov                 ecx, ebp
            //   ff15????????         |                     
            //   33c0                 | je                  0x116

        $sequence_2 = { 8bea 0f1f8000000000 e8???????? 448bf0 }
            // n = 4, score = 200
            //   8bea                 | lea                 eax, [0xda06]
            //   0f1f8000000000       | dec                 eax
            //   e8????????           |                     
            //   448bf0               | cmp                 dword ptr [edi - 0x10], eax

        $sequence_3 = { 488bcf ff15???????? 33c0 488bac2480000000 488b5c2478 488bbc2488000000 488b4c2450 }
            // n = 7, score = 200
            //   488bcf               | dec                 esp
            //   ff15????????         |                     
            //   33c0                 | mov                 ecx, ecx
            //   488bac2480000000     | test                eax, eax
            //   488b5c2478           | je                  0x114
            //   488bbc2488000000     | inc                 esp
            //   488b4c2450           | mov                 eax, eax

        $sequence_4 = { 33db 4c8bfa 4c8be1 4883fa40 7312 b90d000000 }
            // n = 6, score = 200
            //   33db                 | cmp                 eax, edi
            //   4c8bfa               | dec                 eax
            //   4c8be1               | cmova               edi, eax
            //   4883fa40             | dec                 eax
            //   7312                 | add                 edx, 0x28
            //   b90d000000           | dec                 ecx

        $sequence_5 = { 33d2 488d4d40 41b800010000 e8???????? 33d2 488d8d40010000 41b800010000 }
            // n = 7, score = 200
            //   33d2                 | dec                 eax
            //   488d4d40             | lea                 ecx, [0x14b90]
            //   41b800010000         | test                eax, eax
            //   e8????????           |                     
            //   33d2                 | je                  0x7aa
            //   488d8d40010000       | cmp                 dword ptr [esp + 0x40], 0x1400
            //   41b800010000         | jne                 0x7aa

        $sequence_6 = { e9???????? 4d3bc1 0f84a3000000 8b7500 498b9cf720860100 4885db 7407 }
            // n = 7, score = 200
            //   e9????????           |                     
            //   4d3bc1               | dec                 eax
            //   0f84a3000000         | lea                 ecx, [ebp + 0x1220]
            //   8b7500               | inc                 ecx
            //   498b9cf720860100     | mov                 eax, 0x1000
            //   4885db               | xor                 edx, edx
            //   7407                 | dec                 eax

        // The 488d15xxxxxxxx / 488d0dxxxxxxxx entries below embed concrete
        // 32-bit displacements rather than wildcards, so this sequence is
        // more layout-sensitive than the others and is the likeliest to
        // miss on a rebuilt or relinked sample.
        $sequence_7 = { 754c 488d15131a0100 498bcc ff15???????? 488d15631a0100 488d0d4c610100 ff15???????? }
            // n = 7, score = 200
            //   754c                 | mov                 byte ptr [ecx + ebp + 2], al
            //   488d15131a0100       | inc                 ecx
            //   498bcc               | cmp                 ecx, 2
            //   ff15????????         |                     
            //   488d15631a0100       | jne                 0x1b9
            //   488d0d4c610100       | or                  eax, 0xffffffff
            //   ff15????????         |                     

        $sequence_8 = { 482be0 488b05???????? 4833c4 48898520620000 4c89442468 }
            // n = 5, score = 200
            //   482be0               | lea                 eax, [eax + 0x80]
            //   488b05????????       |                     
            //   4833c4               | movups              xmm0, xmmword ptr [ebx]
            //   48898520620000       | dec                 eax
            //   4c89442468           | lea                 ebx, [ebx + 0x80]

        $sequence_9 = { 488d05133c0100 ffcb 488d0c9b 488d0cc8 ff15???????? ff0d???????? 85db }
            // n = 7, score = 200
            //   488d05133c0100       | sub                 esp, 0x80
            //   ffcb                 | dec                 eax
            //   488d0c9b             | lea                 ecx, [0x14b90]
            //   488d0cc8             | dec                 eax
            //   ff15????????         |                     
            //   ff0d????????         |                     
            //   85db                 | mov                 dword ptr [ebp - 0x10], eax

    condition:
        // Any 7 of the 10 sequences, and the object must be under 262144
        // bytes (256 KiB). Two things to check before deploying:
        //  - The size cap will silently exclude larger unpacked dumps or
        //    bloated/padded builds; raise it if you scan those.
        //  - NOTE(review): in YARA, `filesize` is documented as undefined
        //    when scanning a running process rather than a file, which makes
        //    this comparison false and the rule unable to fire in
        //    process-memory scans — confirm against your YARA version and
        //    drop or relax the size clause for memory scanning.
        7 of them and filesize < 262144
}