win.sasfis

Sasfis

aka: Oficla

Sasfis acts mostly as a downloader and has been observed downloading Asprox and FakeAV. According to a 2012 Virus Bulletin article, it is likely authored by the same group as SmokeLoader.

References
2012-11-01 | Virus Bulletin | Micky Pun
@online{pun:20121101:tracking:1ca7e96, author = {Micky Pun}, title = {{Tracking the 2012 Sasfis campaign}}, date = {2012-11-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2012/11/tracking-2012-sasfis-campaign}, language = {English}, urldate = {2020-01-09} } Tracking the 2012 Sasfis campaign
Asprox Sasfis
2012-10-09 | Trend Micro | Dianne Lagrimas
@online{lagrimas:20121009:sasfis:5e95a5a, author = {Dianne Lagrimas}, title = {{SASFIS}}, date = {2012-10-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/sasfis}, language = {English}, urldate = {2020-01-08} } SASFIS
Sasfis
2011-04-16 | Sophos | Sophos
@online{sophos:20110416:trojsasfiso:ffee6ab, author = {Sophos}, title = {{Troj/Sasfis-O}}, date = {2011-04-16}, organization = {Sophos}, url = {https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Sasfis-O/detailed-analysis.aspx}, language = {English}, urldate = {2019-12-19} } Troj/Sasfis-O
Sasfis
2010-05-31 | Trend Micro | Joseph Cepe
@online{cepe:20100531:sasfis:7642314, author = {Joseph Cepe}, title = {{SASFIS Malware Uses a New Trick}}, date = {2010-05-31}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-malware-uses-a-new-trick/}, language = {English}, urldate = {2020-01-09} } SASFIS Malware Uses a New Trick
Sasfis
2010-05-27 | SANS ISC InfoSec Forums | Kevin Liston
@online{liston:20100527:sasfis:c963466, author = {Kevin Liston}, title = {{Sasfis Propagation}}, date = {2010-05-27}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Sasfis+Propagation/8860/}, language = {English}, urldate = {2020-01-08} } Sasfis Propagation
Sasfis
2010-02-02 | Symantec | Éamonn Young, Eoin Ward
@online{young:20100202:trojansasfis:e5f413f, author = {Éamonn Young and Eoin Ward}, title = {{Trojan.Sasfis}}, date = {2010-02-02}, organization = {Symantec}, url = {https://www.symantec.com/security-center/writeup/2010-020210-5440-99}, language = {English}, urldate = {2019-10-23} } Trojan.Sasfis
Sasfis
2010-01-21 | Trend Micro | Loucif Kharouni
@online{kharouni:20100121:sasfis:8634992, author = {Loucif Kharouni}, title = {{SASFIS Fizzles in the Background}}, date = {2010-01-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-fizzles-in-the-background/}, language = {English}, urldate = {2019-12-18} } SASFIS Fizzles in the Background
Sasfis
Yara Rules
[TLP:WHITE] win_sasfis_auto (20230715 | Detects win.sasfis.)
rule win_sasfis_auto {
    // Auto-generated (yara-signator) detection rule for win.sasfis. The DISCLAIMER
    // below explains how the byte sequences were selected and why a single-sample
    // source limits how well they generalize.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.sasfis."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sasfis"
        malpedia_rule_date = "20230705"
        // NOTE(review): presumably identifies the Malpedia dataset revision the rule
        // was generated from — confirm against the Malpedia documentation.
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a run of raw x86 opcode bytes; the commented lines under
    // it show how those bytes decode. Because they were taken from unpacked/dumped
    // code (see DISCLAIMER), the rule is meant for memory or unpacked samples and
    // will not see these bytes through a packer.
    // `??` pairs are YARA nibble wildcards. In $sequence_1 (130d????????) and
    // $sequence_8 (e8????????) they mask the 4-byte operand of the instruction, so
    // the sequence still matches when that address differs between builds.
    // NOTE(review): several sequences (e.g. $sequence_2, $sequence_3, $sequence_9)
    // decode to instructions that look more like data than executable code; treat
    // them as lower-confidence anchors and validate against your own sample set.
    strings:
        $sequence_0 = { 8433 a6 0d60ca8b0c 646b1a5c }
            // n = 4, score = 100
            //   8433                 | test                byte ptr [ebx], dh
            //   a6                   | cmpsb               byte ptr [esi], byte ptr es:[edi]
            //   0d60ca8b0c           | or                  eax, 0xc8bca60
            //   646b1a5c             | imul                ebx, dword ptr fs:[edx], 0x5c

        $sequence_1 = { d7 4b 7ca9 bc74460651 130d???????? 37 d502 }
            // n = 7, score = 100
            //   d7                   | xlatb               
            //   4b                   | dec                 ebx
            //   7ca9                 | jl                  0xffffffab
            //   bc74460651           | mov                 esp, 0x51064674
            //   130d????????         |                     (adc ecx, [imm32]; operand wildcarded)
            //   37                   | aaa                 
            //   d502                 | aad                 2

        $sequence_2 = { 157e2808b7 0016 2038 2410 }
            // n = 4, score = 100
            //   157e2808b7           | adc                 eax, 0xb708287e
            //   0016                 | add                 byte ptr [esi], dl
            //   2038                 | and                 byte ptr [eax], bh
            //   2410                 | and                 al, 0x10

        $sequence_3 = { 60 0c1c 0430 00242c 1838 3c00 3808 }
            // n = 7, score = 100
            //   60                   | pushal              
            //   0c1c                 | or                  al, 0x1c
            //   0430                 | add                 al, 0x30
            //   00242c               | add                 byte ptr [esp + ebp], ah
            //   1838                 | sbb                 byte ptr [eax], bh
            //   3c00                 | cmp                 al, 0
            //   3808                 | cmp                 byte ptr [eax], cl

        $sequence_4 = { 84df 66ffc5 8b742448 66f7df }
            // n = 4, score = 100
            //   84df                 | test                bh, bl
            //   66ffc5               | inc                 bp
            //   8b742448             | mov                 esi, dword ptr [esp + 0x48]
            //   66f7df               | neg                 di

        $sequence_5 = { f9 f6c77d 660fbae10b 83c504 }
            // n = 4, score = 100
            //   f9                   | stc                 
            //   f6c77d               | test                bh, 0x7d
            //   660fbae10b           | bt                  cx, 0xb
            //   83c504               | add                 ebp, 4

        $sequence_6 = { 657326 6e 346f 6f 68432b3501 }
            // n = 5, score = 100
            //   657326               | jae                 0x29
            //   6e                   | outsb               dx, byte ptr [esi]
            //   346f                 | xor                 al, 0x6f
            //   6f                   | outsd               dx, dword ptr [esi]
            //   68432b3501           | push                0x1352b43

        $sequence_7 = { 6681cf5b01 81ec9c000000 57 60 5f }
            // n = 5, score = 100
            //   6681cf5b01           | or                  di, 0x15b
            //   81ec9c000000         | sub                 esp, 0x9c
            //   57                   | push                edi
            //   60                   | pushal              
            //   5f                   | pop                 edi

        $sequence_8 = { 2909 26df6883 95 7800 e8???????? 15afb28a60 38342c }
            // n = 7, score = 100
            //   2909                 | sub                 dword ptr [ecx], ecx
            //   26df6883             | fild                qword ptr es:[eax - 0x7d]
            //   95                   | xchg                eax, ebp
            //   7800                 | js                  2
            //   e8????????           |                     (call rel32; target wildcarded)
            //   15afb28a60           | adc                 eax, 0x608ab2af
            //   38342c               | cmp                 byte ptr [esp + ebp], dh

        $sequence_9 = { 260c16 005220 0410 1400 }
            // n = 4, score = 100
            //   260c16               | or                  al, 0x16
            //   005220               | add                 byte ptr [edx + 0x20], dl
            //   0410                 | add                 al, 0x10
            //   1400                 | adc                 al, 0

    // Fires when at least 7 of the 10 sequences are present and the scanned object
    // is smaller than 8060928 bytes (7.6875 MiB). The size cap is likely a scan-cost
    // guard: anything at or above it is never flagged, even if it contains the bytes.
    condition:
        7 of them and filesize < 8060928
}