win.sasfis

Sasfis

aka: Oficla

Sasfis acts primarily as a downloader; it has been observed retrieving Asprox and FakeAV as follow-on payloads. According to a 2012 Virus Bulletin article (Micky Pun, "Tracking the 2012 Sasfis campaign", referenced below), it is likely authored by the same group as SmokeLoader.

References
2012-11-01 | Virus Bulletin | Micky Pun
@online{pun:20121101:tracking:1ca7e96, author = {Micky Pun}, title = {{Tracking the 2012 Sasfis campaign}}, date = {2012-11-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2012/11/tracking-2012-sasfis-campaign}, language = {English}, urldate = {2020-01-09} } Tracking the 2012 Sasfis campaign
Asprox Sasfis
2012-10-09 | Trend Micro | Dianne Lagrimas
@online{lagrimas:20121009:sasfis:5e95a5a, author = {Dianne Lagrimas}, title = {{SASFIS}}, date = {2012-10-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/sasfis}, language = {English}, urldate = {2020-01-08} } SASFIS
Sasfis
2011-04-16 | Sophos | Sophos
@online{sophos:20110416:trojsasfiso:ffee6ab, author = {Sophos}, title = {{Troj/Sasfis-O}}, date = {2011-04-16}, organization = {Sophos}, url = {https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Sasfis-O/detailed-analysis.aspx}, language = {English}, urldate = {2019-12-19} } Troj/Sasfis-O
Sasfis
2010-05-31 | Trend Micro | Joseph Cepe
@online{cepe:20100531:sasfis:7642314, author = {Joseph Cepe}, title = {{SASFIS Malware Uses a New Trick}}, date = {2010-05-31}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-malware-uses-a-new-trick/}, language = {English}, urldate = {2020-01-09} } SASFIS Malware Uses a New Trick
Sasfis
2010-05-27 | SANS ISC InfoSec Forums | Kevin Liston
@online{liston:20100527:sasfis:c963466, author = {Kevin Liston}, title = {{Sasfis Propagation}}, date = {2010-05-27}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Sasfis+Propagation/8860/}, language = {English}, urldate = {2020-01-08} } Sasfis Propagation
Sasfis
2010-02-02 | Symantec | Éamonn Young, Eoin Ward
@online{young:20100202:trojansasfis:e5f413f, author = {Éamonn Young and Eoin Ward}, title = {{Trojan.Sasfis}}, date = {2010-02-02}, organization = {Symantec}, url = {https://www.symantec.com/security-center/writeup/2010-020210-5440-99}, language = {English}, urldate = {2019-10-23} } Trojan.Sasfis
Sasfis
2010-01-21 | Trend Micro | Loucif Kharouni
@online{kharouni:20100121:sasfis:8634992, author = {Loucif Kharouni}, title = {{SASFIS Fizzles in the Background}}, date = {2010-01-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-fizzles-in-the-background/}, language = {English}, urldate = {2019-12-18} } SASFIS Fizzles in the Background
Sasfis
Yara Rules
[TLP:WHITE] win_sasfis_auto (20221125 | Detects win.sasfis.)
// Auto-generated (yara-signator) code-pattern rule for the Sasfis / Oficla downloader.
// The strings are raw x86 instruction bytes lifted from unpacked code, so this rule is
// intended for memory dumps and unpacked samples (see DISCLAIMER below), not packed
// on-disk droppers.
rule win_sasfis_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.sasfis."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sasfis"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reading the patterns below: each $sequence_N is a run of consecutive
     * instruction encodings. Where a call/jmp (e8 / e9) appears, its 4-byte
     * rel32 displacement is wildcarded ("????????") so the pattern does not
     * depend on where the target landed in that particular sample.
     */

    strings:
        // NOTE(review): pushal / pushfd interleaved with ebp arithmetic and a
        // byte store to [esp+4] does not look like ordinary compiler output;
        // presumably from an obfuscated or hand-written region - confirm.
        $sequence_0 = { 60 83ed04 9c 894500 c6442404fd 68b56b2af9 }
            // n = 6, score = 100
            //   60                   | pushal              
            //   83ed04               | sub                 ebp, 4
            //   9c                   | pushfd              
            //   894500               | mov                 dword ptr [ebp], eax
            //   c6442404fd           | mov                 byte ptr [esp + 4], 0xfd
            //   68b56b2af9           | push                0xf92a6bb5

        // Only 7 bytes long; weak on its own, relies on the 7-of-10 condition.
        $sequence_1 = { 04ab 286572 7275 262808 }
            // n = 4, score = 100
            //   04ab                 | add                 al, 0xab
            //   286572               | sub                 byte ptr [ebp + 0x72], ah
            //   7275                 | jb                  0x77
            //   262808               | sub                 byte ptr es:[eax], cl

        $sequence_2 = { 660fbefb 895c2420 660fbef9 e8???????? 894c241c }
            // n = 5, score = 100
            //   660fbefb             | movsx               di, bl
            //   895c2420             | mov                 dword ptr [esp + 0x20], ebx
            //   660fbef9             | movsx               di, cl
            //   e8????????           |                     
            //   894c241c             | mov                 dword ptr [esp + 0x1c], ecx

        $sequence_3 = { 56 66c1f604 f9 d3e7 55 0fbee9 }
            // n = 6, score = 100
            //   56                   | push                esi
            //   66c1f604             | sal                 si, 4
            //   f9                   | stc                 
            //   d3e7                 | shl                 edi, cl
            //   55                   | push                ebp
            //   0fbee9               | movsx               ebp, cl

        // NOTE(review): alternating stc / clc / pushfd / cbw has no useful
        // effect on program state; looks like junk-code padding - confirm
        // before assigning this sequence any weight on its own.
        $sequence_4 = { f9 9c 6698 f9 9c f8 9c }
            // n = 7, score = 100
            //   f9                   | stc                 
            //   9c                   | pushfd              
            //   6698                 | cbw                 
            //   f9                   | stc                 
            //   9c                   | pushfd              
            //   f8                   | clc                 
            //   9c                   | pushfd              

        // 66 36 8b 00: operand-size (66) plus SS segment-override (36) prefixes
        // on a 16-bit load - hence the "ss:[eax]" in the disassembly.
        $sequence_5 = { 6685f5 e9???????? 66368b00 56 66894500 }
            // n = 5, score = 100
            //   6685f5               | test                bp, si
            //   e9????????           |                     
            //   66368b00             | mov                 ax, word ptr ss:[eax]
            //   56                   | push                esi
            //   66894500             | mov                 word ptr [ebp], ax

        $sequence_6 = { 894c2408 ff3424 883c24 897c2408 }
            // n = 4, score = 100
            //   894c2408             | mov                 dword ptr [esp + 8], ecx
            //   ff3424               | push                dword ptr [esp]
            //   883c24               | mov                 byte ptr [esp], bh
            //   897c2408             | mov                 dword ptr [esp + 8], edi

        $sequence_7 = { 55 890c24 9c 893c24 60 895c241c }
            // n = 6, score = 100
            //   55                   | push                ebp
            //   890c24               | mov                 dword ptr [esp], ecx
            //   9c                   | pushfd              
            //   893c24               | mov                 dword ptr [esp], edi
            //   60                   | pushal              
            //   895c241c             | mov                 dword ptr [esp + 0x1c], ebx

        $sequence_8 = { 66893c24 89442434 9c 660fbef8 9c 89542438 68d58c61ca }
            // n = 7, score = 100
            //   66893c24             | mov                 word ptr [esp], di
            //   89442434             | mov                 dword ptr [esp + 0x34], eax
            //   9c                   | pushfd              
            //   660fbef8             | movsx               di, al
            //   9c                   | pushfd              
            //   89542438             | mov                 dword ptr [esp + 0x38], edx
            //   68d58c61ca           | push                0xca618cd5

        // Only 5 bytes, and the tail 4d 4e 49 57 is printable ASCII ("MNIW"),
        // so this pattern can also hit text/data regions - weak on its own.
        $sequence_9 = { 0c4d 4e 49 57 }
            // n = 4, score = 100
            //   0c4d                 | or                  al, 0x4d
            //   4e                   | dec                 esi
            //   49                   | dec                 ecx
            //   57                   | push                edi

    condition:
        // Require 7 of the 10 sequences: tolerates per-sample variation while
        // keeping the short / junk-code patterns from matching alone.
        // Size cap 8060928 bytes (0x7B0000, ~7.7 MiB) bounds scan cost and
        // excludes very large objects.
        7 of them and filesize < 8060928
}