win.sasfis

Sasfis

aka: Oficla

Sasfis acts mostly as a downloader and has been observed downloading Asprox and FakeAV. According to a Virus Bulletin article from 2012, it is likely authored by the same group as SmokeLoader.

References
2012-11-01 | Virus Bulletin | Micky Pun
@online{pun:20121101:tracking:1ca7e96, author = {Micky Pun}, title = {{Tracking the 2012 Sasfis campaign}}, date = {2012-11-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2012/11/tracking-2012-sasfis-campaign}, language = {English}, urldate = {2020-01-09} } Tracking the 2012 Sasfis campaign
Asprox Sasfis
2012-10-09 | Trend Micro | Dianne Lagrimas
@online{lagrimas:20121009:sasfis:5e95a5a, author = {Dianne Lagrimas}, title = {{SASFIS}}, date = {2012-10-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/sasfis}, language = {English}, urldate = {2020-01-08} } SASFIS
Sasfis
2011-04-16 | Sophos | Sophos
@online{sophos:20110416:trojsasfiso:ffee6ab, author = {Sophos}, title = {{Troj/Sasfis-O}}, date = {2011-04-16}, organization = {Sophos}, url = {https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Sasfis-O/detailed-analysis.aspx}, language = {English}, urldate = {2019-12-19} } Troj/Sasfis-O
Sasfis
2010-05-31 | Trend Micro | Joseph Cepe
@online{cepe:20100531:sasfis:7642314, author = {Joseph Cepe}, title = {{SASFIS Malware Uses a New Trick}}, date = {2010-05-31}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-malware-uses-a-new-trick/}, language = {English}, urldate = {2020-01-09} } SASFIS Malware Uses a New Trick
Sasfis
2010-05-27 | SANS ISC InfoSec Forums | Kevin Liston
@online{liston:20100527:sasfis:c963466, author = {Kevin Liston}, title = {{Sasfis Propagation}}, date = {2010-05-27}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Sasfis+Propagation/8860/}, language = {English}, urldate = {2020-01-08} } Sasfis Propagation
Sasfis
2010-02-02 | Symantec | Éamonn Young, Eoin Ward
@online{young:20100202:trojansasfis:e5f413f, author = {Éamonn Young and Eoin Ward}, title = {{Trojan.Sasfis}}, date = {2010-02-02}, organization = {Symantec}, url = {https://www.symantec.com/security-center/writeup/2010-020210-5440-99}, language = {English}, urldate = {2019-10-23} } Trojan.Sasfis
Sasfis
2010-01-21 | Trend Micro | Loucif Kharouni
@online{kharouni:20100121:sasfis:8634992, author = {Loucif Kharouni}, title = {{SASFIS Fizzles in the Background}}, date = {2010-01-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-fizzles-in-the-background/}, language = {English}, urldate = {2019-12-18} } SASFIS Fizzles in the Background
Sasfis
Yara Rules
[TLP:WHITE] win_sasfis_auto (20211008 | Detects win.sasfis.)
rule win_sasfis_auto {

    // Auto-generated code-sequence signature for win.sasfis (Malpedia).
    // Each $sequence_N is a short run of raw x86 opcode bytes lifted from
    // unpacked/dumped samples; the `??` nibbles in $sequence_2 and
    // $sequence_6 wildcard the 4-byte displacement of a jmp rel32 (e9) so
    // the pattern does not depend on where the sample was loaded.
    // The rule matches when at least 7 of the 10 sequences are present in a
    // file smaller than 8060928 bytes (see `condition:` below).
    // NOTE(review): the bytes of $sequence_0, $sequence_4, $sequence_7 and
    // $sequence_8 are largely printable ASCII ('e', 'l', 'c', 'z', 'U', 'o',
    // 't', 'a', 'r', 'v', 'A', 'p' ...), so they may be data or string
    // fragments rather than instructions even though the generator
    // disassembled them — confirm against a sample before treating such a
    // hit as code-level overlap, and weight it accordingly in triage.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.sasfis."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sasfis"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Per sequence: n = number of bytes, score = generator-assigned
        // weight; the indented lines are the generator's disassembly.
        $sequence_0 = { 261810 16 6e 6f }
            // n = 4, score = 100
            //   261810               | sbb                 byte ptr es:[eax], dl
            //   16                   | push                ss
            //   6e                   | outsb               dx, byte ptr [esi]
            //   6f                   | outsd               dx, dword ptr [esi]

        $sequence_1 = { 6e a6 8e03 6a1a d515 94 72a0 }
            // n = 7, score = 100
            //   6e                   | outsb               dx, byte ptr [esi]
            //   a6                   | cmpsb               byte ptr [esi], byte ptr es:[edi]
            //   8e03                 | mov                 es, word ptr [ebx]
            //   6a1a                 | push                0x1a
            //   d515                 | aad                 0x15
            //   94                   | xchg                eax, esp
            //   72a0                 | jb                  0xffffffa2

        $sequence_2 = { 880c24 8d642450 e9???????? 60 }
            // n = 4, score = 100
            //   880c24               | mov                 byte ptr [esp], cl
            //   8d642450             | lea                 esp, dword ptr [esp + 0x50]
            //   e9????????           | jmp rel32 (4-byte displacement wildcarded)
            //   60                   | pushal              

        $sequence_3 = { 56 66c1f604 f9 d3e7 55 0fbee9 }
            // n = 6, score = 100
            //   56                   | push                esi
            //   66c1f604             | sal                 si, 4
            //   f9                   | stc                 
            //   d3e7                 | shl                 edi, cl
            //   55                   | push                ebp
            //   0fbee9               | movsx               ebp, cl

        $sequence_4 = { 656c 65637a55 0c52 106f74 61 727a 7610 }
            // n = 7, score = 100
            //   656c                 | insb                byte ptr es:[edi], dx
            //   65637a55             | arpl                word ptr gs:[edx + 0x55], di
            //   0c52                 | or                  al, 0x52
            //   106f74               | adc                 byte ptr [edi + 0x74], ch
            //   61                   | popal               
            //   727a                 | jb                  0x7c
            //   7610                 | jbe                 0x12

        $sequence_5 = { 685d2cc711 9c 897c2404 660fb6f9 }
            // n = 4, score = 100
            //   685d2cc711           | push                0x11c72c5d
            //   9c                   | pushfd              
            //   897c2404             | mov                 dword ptr [esp + 4], edi
            //   660fb6f9             | movzx               di, cl

        $sequence_6 = { e9???????? 9c 882424 6841623191 894c2404 }
            // n = 5, score = 100
            //   e9????????           | jmp rel32 (4-byte displacement wildcarded)
            //   9c                   | pushfd              
            //   882424               | mov                 byte ptr [esp], ah
            //   6841623191           | push                0x91316241
            //   894c2404             | mov                 dword ptr [esp + 4], ecx

        $sequence_7 = { 2b0416 6c 46 6c 61 }
            // n = 5, score = 100
            //   2b0416               | sub                 eax, dword ptr [esi + edx]
            //   6c                   | insb                byte ptr es:[edi], dx
            //   46                   | inc                 esi
            //   6c                   | insb                byte ptr es:[edi], dx
            //   61                   | popal               

        $sequence_8 = { 6553 260416 41 706f 7226 0330 }
            // n = 6, score = 100
            //   6553                 | push                ebx
            //   260416               | add                 al, 0x16
            //   41                   | inc                 ecx
            //   706f                 | jo                  0x71
            //   7226                 | jb                  0x28
            //   0330                 | add                 esi, dword ptr [eax]

        $sequence_9 = { 307c0b42 16 27 52 b3c6 727c 4e }
            // n = 7, score = 100
            //   307c0b42             | xor                 byte ptr [ebx + ecx + 0x42], bh
            //   16                   | push                ss
            //   27                   | daa                 
            //   52                   | push                edx
            //   b3c6                 | mov                 bl, 0xc6
            //   727c                 | jb                  0x7e
            //   4e                   | dec                 esi

    condition:
        // Any 7 of the 10 sequences, and only in files below 8060928 bytes
        // (~7.7 MiB); larger files are never reported by this rule.
        7 of them and filesize < 8060928
}