win.sasfis

Sasfis

aka: Oficla

Sasfis acts mostly as a downloader; it has been observed to download Asprox and FakeAV. According to a Virus Bulletin article from 2012, it is likely authored by the same group as SmokeLoader.

References
2012-11-01 | Virus Bulletin | Micky Pun
@online{pun:20121101:tracking:1ca7e96, author = {Micky Pun}, title = {{Tracking the 2012 Sasfis campaign}}, date = {2012-11-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2012/11/tracking-2012-sasfis-campaign}, language = {English}, urldate = {2020-01-09} } Tracking the 2012 Sasfis campaign
Asprox Sasfis
2012-10-09 | Trend Micro | Dianne Lagrimas
@online{lagrimas:20121009:sasfis:5e95a5a, author = {Dianne Lagrimas}, title = {{SASFIS}}, date = {2012-10-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/sasfis}, language = {English}, urldate = {2020-01-08} } SASFIS
Sasfis
2011-04-16 | Sophos | Sophos
@online{sophos:20110416:trojsasfiso:ffee6ab, author = {Sophos}, title = {{Troj/Sasfis-O}}, date = {2011-04-16}, organization = {Sophos}, url = {https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Sasfis-O/detailed-analysis.aspx}, language = {English}, urldate = {2019-12-19} } Troj/Sasfis-O
Sasfis
2010-05-31 | Trend Micro | Joseph Cepe
@online{cepe:20100531:sasfis:7642314, author = {Joseph Cepe}, title = {{SASFIS Malware Uses a New Trick}}, date = {2010-05-31}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-malware-uses-a-new-trick/}, language = {English}, urldate = {2020-01-09} } SASFIS Malware Uses a New Trick
Sasfis
2010-05-27 | SANS ISC InfoSec Forums | Kevin Liston
@online{liston:20100527:sasfis:c963466, author = {Kevin Liston}, title = {{Sasfis Propagation}}, date = {2010-05-27}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Sasfis+Propagation/8860/}, language = {English}, urldate = {2020-01-08} } Sasfis Propagation
Sasfis
2010-02-02 | Symantec | Éamonn Young, Eoin Ward
@online{young:20100202:trojansasfis:e5f413f, author = {Éamonn Young and Eoin Ward}, title = {{Trojan.Sasfis}}, date = {2010-02-02}, organization = {Symantec}, url = {https://www.symantec.com/security-center/writeup/2010-020210-5440-99}, language = {English}, urldate = {2019-10-23} } Trojan.Sasfis
Sasfis
2010-01-21 | Trend Micro | Loucif Kharouni
@online{kharouni:20100121:sasfis:8634992, author = {Loucif Kharouni}, title = {{SASFIS Fizzles in the Background}}, date = {2010-01-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-fizzles-in-the-background/}, language = {English}, urldate = {2019-12-18} } SASFIS Fizzles in the Background
Sasfis
Yara Rules
[TLP:WHITE] win_sasfis_auto (20201023 | autogenerated rule brought to you by yara-signator)
// Autogenerated code-sequence rule for Sasfis (aka Oficla), produced by
// yara-signator from Malpedia samples. It fires when at least 7 of the 10
// byte sequences below occur anywhere in a file smaller than 8060928 bytes
// (7.6875 MiB). The sequences were picked statistically from disassembly, not
// hand-curated, so treat hits as a triage signal to be confirmed rather than
// a definitive family attribution (see the DISCLAIMER below).
rule win_sasfis_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Generation settings: call/jump targets are wildcarded, data
        // references and immediate values are kept as literal bytes.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sasfis"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of consecutive x86 instructions taken from
        // one sample. "n" is the instruction count, "score" the generator's
        // selection score. "??" bytes are wildcards (YARA matches any value).
        $sequence_0 = { 66ffc7 c744241400000000 660facff03 660fcf 8b742440 660fbae30a 660fbafd04 }
            // n = 7, score = 100
            //   66ffc7               | inc                 di
            //   c744241400000000     | mov                 dword ptr [esp + 0x14], 0
            //   660facff03           | shrd                di, di, 3
            //   660fcf               | bswap               di
            //   8b742440             | mov                 esi, dword ptr [esp + 0x40]
            //   660fbae30a           | bt                  bx, 0xa
            //   660fbafd04           | btc                 bp, 4

        // The two wildcarded operands are the rel32 targets of a jmp (e9) and a
        // call (e8); the address is position-dependent, so only the opcode is kept.
        $sequence_1 = { 8d642428 e9???????? e8???????? ff74240c 8f4500 55 66c70424c279 }
            // n = 7, score = 100
            //   8d642428             | lea                 esp, [esp + 0x28]
            //   e9????????           |                     
            //   e8????????           |                     
            //   ff74240c             | push                dword ptr [esp + 0xc]
            //   8f4500               | pop                 dword ptr [ebp]
            //   55                   | push                ebp
            //   66c70424c279         | mov                 word ptr [esp], 0x79c2

        $sequence_2 = { 8d6c2424 ff742408 80fd7b 81cf73a6238d 81ec98000000 }
            // n = 5, score = 100
            //   8d6c2424             | lea                 ebp, [esp + 0x24]
            //   ff742408             | push                dword ptr [esp + 8]
            //   80fd7b               | cmp                 ch, 0x7b
            //   81cf73a6238d         | or                  edi, 0x8d23a673
            //   81ec98000000         | sub                 esp, 0x98

        // NOTE(review): `les` and an unusual shl addressing form are rarely
        // emitted by compilers; this run may be obfuscated code or non-code
        // bytes decoded as instructions — confirm against the sample.
        $sequence_3 = { c41f 2b6855 b96420a46d b260 d3648c9a }
            // n = 5, score = 100
            //   c41f                 | les                 ebx, ptr [edi]
            //   2b6855               | sub                 ebp, dword ptr [eax + 0x55]
            //   b96420a46d           | mov                 ecx, 0x6da42064
            //   b260                 | mov                 dl, 0x60
            //   d3648c9a             | shl                 dword ptr [esp + ecx*4 - 0x66], cl

        // NOTE(review): `mov word ptr [esi], fs` followed by adc/add on odd
        // immediates looks more like data than executable code — confirm.
        $sequence_4 = { 8c26 10142d1d012139 1535193d0d 0511600038 1030 0800 3c20 }
            // n = 7, score = 100
            //   8c26                 | mov                 word ptr [esi], fs
            //   10142d1d012139       | adc                 byte ptr [ebp + 0x3921011d], dl
            //   1535193d0d           | adc                 eax, 0xd3d1935
            //   0511600038           | add                 eax, 0x38006011
            //   1030                 | adc                 byte ptr [eax], dh
            //   0800                 | or                  byte ptr [eax], al
            //   3c20                 | cmp                 al, 0x20

        // The wildcarded operand is the 6-byte ptr16:32 target of a far jmp (ea).
        // NOTE(review): far jmp + `arpl` is atypical for 32-bit user-mode code
        // and may again be non-code bytes — confirm.
        $sequence_5 = { ea???????????? c9 63fc 3e5a }
            // n = 4, score = 100
            //   ea????????????       |                     
            //   c9                   | leave               
            //   63fc                 | arpl                sp, di
            //   3e5a                 | pop                 edx

        $sequence_6 = { 9c 66ffc9 8a2c24 0fb6c0 }
            // n = 4, score = 100
            //   9c                   | pushfd              
            //   66ffc9               | dec                 cx
            //   8a2c24               | mov                 ch, byte ptr [esp]
            //   0fb6c0               | movzx               eax, al

        // NOTE(review): leading 00 bytes decode to `add byte ptr [..], ..` and
        // `lds` is obsolete; these bytes may be zero padding or data — confirm.
        $sequence_7 = { 0011 006188 c52b 3903 3c00 7d3f }
            // n = 6, score = 100
            //   0011                 | add                 byte ptr [ecx], dl
            //   006188               | add                 byte ptr [ecx - 0x78], ah
            //   c52b                 | lds                 ebp, ptr [ebx]
            //   3903                 | cmp                 dword ptr [ebx], eax
            //   3c00                 | cmp                 al, 0
            //   7d3f                 | jge                 0x41

        // NOTE(review): the imul immediate 0x774f7267 consists entirely of
        // printable-ASCII bytes; this run may be embedded text decoded as code.
        $sequence_8 = { 692667724f77 260330 0c16 7845 b320 3c10 }
            // n = 6, score = 100
            //   692667724f77         | imul                esp, dword ptr [esi], 0x774f7267
            //   260330               | add                 esi, dword ptr es:[eax]
            //   0c16                 | or                  al, 0x16
            //   7845                 | js                  0x47
            //   b320                 | mov                 bl, 0x20
            //   3c10                 | cmp                 al, 0x10

        // NOTE(review): `popal` and `insb` with segment prefixes are almost
        // never compiler output; all four bytes are printable ASCII — confirm.
        $sequence_9 = { 652661 54 676c 260c52 }
            // n = 4, score = 100
            //   652661               | popal               
            //   54                   | push                esp
            //   676c                 | insb                byte ptr es:[di], dx
            //   260c52               | or                  al, 0x52

    condition:
        // Any 7 of the 10 sequences, in any order and position. The size cap
        // (8060928 bytes) bounds scan cost and excludes large benign files;
        // it is not a property of the malware.
        7 of them and filesize < 8060928
}