win.sasfis

Sasfis

aka: Oficla

Sasfis (also tracked as Oficla) acts mostly as a downloader and has been observed retrieving Asprox and FakeAV payloads. According to a 2012 Virus Bulletin article ("Tracking the 2012 Sasfis campaign", listed below), it was likely authored by the same group as SmokeLoader.

References
2012-11-01 — Virus Bulletin — Micky Pun
Tracking the 2012 Sasfis campaign
Asprox Sasfis
2012-10-09 — Trend Micro — Dianne Lagrimas
SASFIS
Sasfis
2011-04-16 — Sophos — Sophos
Troj/Sasfis-O
Sasfis
2010-05-31 — Trend Micro — Joseph Cepe
SASFIS Malware Uses a New Trick
Sasfis
2010-05-27 — SANS ISC InfoSec Forums — Kevin Liston
Sasfis Propagation
Sasfis
2010-02-02 — Symantec — Éamonn Young, Eoin Ward
Trojan.Sasfis
Sasfis
2010-01-21 — Trend Micro — Loucif Kharouni
SASFIS Fizzles in the Background
Sasfis
Yara Rules
[TLP:WHITE] win_sasfis_auto (20230808 | Detects win.sasfis.)
rule win_sasfis_auto {

    /* Auto-generated code-sequence signature for the Sasfis/Oficla downloader
     * (Malpedia family win.sasfis). Ten short x86 byte patterns are declared
     * below; the condition requires at least 7 of them plus a size bound.
     * Metadata notes:
     *  - `date` (rule generation), `malpedia_rule_date` (rule-set export) and
     *    `malpedia_version` (data snapshot) are tracked separately, which is
     *    why the three values differ.
     *  - TLP:WHITE is the pre-TLP-2.0 label for what TLP 2.0 calls TLP:CLEAR.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.sasfis."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sasfis"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is an exact hex byte pattern; `??` positions are
        // single-byte wildcards. The indented lines under each pattern are the
        // generator's own disassembly and are comments only. In those lines
        // `n` is the number of instructions in the sequence; `score` is a
        // generator-assigned value whose scale is not documented here.

        // NOTE(review): the listed disassembly (`cmpsb`, `imul ... fs:[edx]`)
        // does not look like compiler-emitted code; these bytes presumably come
        // from a packed/encoded region of the dump and may be brittle across
        // samples — weigh confidence accordingly.
        $sequence_0 = { 8433 a6 0d60ca8b0c 646b1a5c }
            // n = 4, score = 100
            //   8433                 | test                byte ptr [ebx], dh
            //   a6                   | cmpsb               byte ptr [esi], byte ptr es:[edi]
            //   0d60ca8b0c           | or                  eax, 0xc8bca60
            //   646b1a5c             | imul                ebx, dword ptr fs:[edx], 0x5c

        // `130d????????` masks a 4-byte operand (likely the disp32 of an
        // `adc ecx, [disp32]`), so this pattern tolerates relocation of that
        // address. `mov esp, imm32`, `aaa` and `aad` are unusual in real code;
        // treat this sequence with the same caution as $sequence_0.
        $sequence_1 = { d7 4b 7ca9 bc74460651 130d???????? 37 d502 }
            // n = 7, score = 100
            //   d7                   | xlatb               
            //   4b                   | dec                 ebx
            //   7ca9                 | jl                  0xffffffab
            //   bc74460651           | mov                 esp, 0x51064674
            //   130d????????         |                     
            //   37                   | aaa                 
            //   d502                 | aad                 2

        // Byte-to-memory `add`/`and` forms with small operands; looks more
        // like data than code — low-confidence pattern.
        $sequence_2 = { 157e2808b7 0016 2038 2410 }
            // n = 4, score = 100
            //   157e2808b7           | adc                 eax, 0xb708287e
            //   0016                 | add                 byte ptr [esi], dl
            //   2038                 | and                 byte ptr [eax], bh
            //   2410                 | and                 al, 0x10

        // Mostly single-byte opcodes with 0x00/0x10/0x1c/0x30 operands; the
        // disassembly is not meaningful code and presumably reflects a data
        // or table region of the dump.
        $sequence_3 = { 60 0c1c 0430 00242c 1838 3c00 3808 }
            // n = 7, score = 100
            //   60                   | pushal              
            //   0c1c                 | or                  al, 0x1c
            //   0430                 | add                 al, 0x30
            //   00242c               | add                 byte ptr [esp + ebp], ah
            //   1838                 | sbb                 byte ptr [eax], bh
            //   3c00                 | cmp                 al, 0
            //   3808                 | cmp                 byte ptr [eax], cl

        // Reads a stack slot ([esp + 0x48]) with 16-bit register ops around
        // it; this one is more plausibly genuine code.
        $sequence_4 = { 84df 66ffc5 8b742448 66f7df }
            // n = 4, score = 100
            //   84df                 | test                bh, bl
            //   66ffc5               | inc                 bp
            //   8b742448             | mov                 esi, dword ptr [esp + 0x48]
            //   66f7df               | neg                 di

        // Flag/bit-test and pointer-advance (`add ebp, 4`) sequence; plausibly
        // genuine code.
        $sequence_5 = { f9 f6c77d 660fbae10b 83c504 }
            // n = 4, score = 100
            //   f9                   | stc                 
            //   f6c77d               | test                bh, 0x7d
            //   660fbae10b           | bt                  cx, 0xb
            //   83c504               | add                 ebp, 4

        // The bytes 65 73 26 6e 34 6f 6f 68 43 2b 35 all fall in the printable
        // ASCII range; this is likely text or encoded data rather than code.
        $sequence_6 = { 657326 6e 346f 6f 68432b3501 }
            // n = 5, score = 100
            //   657326               | jae                 0x29
            //   6e                   | outsb               dx, byte ptr [esi]
            //   346f                 | xor                 al, 0x6f
            //   6f                   | outsd               dx, dword ptr [esi]
            //   68432b3501           | push                0x1352b43

        // Stack-frame allocation (`sub esp, 0x9c`) followed by register
        // saves; plausibly a real function prologue.
        $sequence_7 = { 6681cf5b01 81ec9c000000 57 60 5f }
            // n = 5, score = 100
            //   6681cf5b01           | or                  di, 0x15b
            //   81ec9c000000         | sub                 esp, 0x9c
            //   57                   | push                edi
            //   60                   | pushal              
            //   5f                   | pop                 edi

        // `e8????????` masks the 4-byte relative target of a `call`, so the
        // pattern survives the callee moving. The surrounding `fild`/`xchg`/
        // `adc` mix is unusual; medium confidence.
        $sequence_8 = { 2909 26df6883 95 7800 e8???????? 15afb28a60 38342c }
            // n = 7, score = 100
            //   2909                 | sub                 dword ptr [ecx], ecx
            //   26df6883             | fild                qword ptr es:[eax - 0x7d]
            //   95                   | xchg                eax, ebp
            //   7800                 | js                  2
            //   e8????????           |                     
            //   15afb28a60           | adc                 eax, 0x608ab2af
            //   38342c               | cmp                 byte ptr [esp + ebp], dh

        // Small-operand `or`/`add`/`adc` bytes; like $sequence_3 this reads
        // as data rather than code — low-confidence pattern.
        $sequence_9 = { 260c16 005220 0410 1400 }
            // n = 4, score = 100
            //   260c16               | or                  al, 0x16
            //   005220               | add                 byte ptr [edx + 0x20], dl
            //   0410                 | add                 al, 0x10
            //   1400                 | adc                 al, 0

    condition:
        // At least 7 of the 10 sequences must be present and the scanned
        // object must be smaller than 8060928 bytes (7872 KiB).
        // NOTE(review): `filesize` is defined for file scans; when scanning
        // process memory its value may not be meaningful — confirm the
        // behaviour for your YARA version and scan mode before relying on it.
        // The strings were extracted from memory dumps / unpacked files (see
        // the disclaimer above), so packed on-disk samples may fail to reach
        // the 7-sequence threshold; scan unpacked images or memory.
        7 of them and filesize < 8060928
}