Actor(s): Gelsemium
A malicious IIS module that allows uploading and downloading files, executing commands remotely, and using the compromised server as a hop into the network behind it.
/*
 * Detection rule for win.session_manager (Malpedia), auto-generated by
 * yara-signator v0.6.0 with the config "callsandjumps;datarefs;binvalue".
 *
 * DISCLAIMER
 * The strings used in this rule have been automatically selected from the
 * disassembly of memory dumps and unpacked files, using YARA-Signator.
 * The code and documentation is published here:
 * https://github.com/fxb-cocacoding/yara-signator
 * As Malpedia is used as data source, please note that for a given
 * number of families, only single samples are documented.
 * This likely impacts the degree of generalization these rules will offer.
 * Take the described generation method also into consideration when you
 * apply the rules in your use cases and assign them confidence levels.
 *
 * Reviewer notes:
 *  - The generator's per-byte "| mnemonic" annotations were dropped: they did
 *    not line up with the bytes they were attached to (e.g. "c60000 | dec eax")
 *    and look like 32-bit decodes of x64 code -- verify with a disassembler
 *    before relying on any of them.
 *  - "e8????????" is a near call whose 4-byte relative target is wildcarded,
 *    so the patterns are not tied to one build's call offsets (reviewer decode,
 *    confirm with a disassembler).
 *  - Each $sequence_N is one short instruction run taken from a single sample;
 *    the "7 of 10" threshold and the size bound come from the generator and
 *    were not tuned for any particular environment. Treat hits as a lead to
 *    triage, not as a verdict on their own.
 */
rule win_session_manager_auto
{
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.session_manager."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.session_manager"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // n = instructions in the run, score = generator's ranking of the run
        $sequence_0 = { c60000 4533c0 488d1530dc0100 488bcb e8???????? 90 488b45ef }                             // n = 7, score = 100
        $sequence_1 = { 488d4de0 e8???????? 488bd8 498b16 498bce ff5220 488bd0 }                                 // n = 7, score = 100
        $sequence_2 = { 44882b eb7b 488b9540070000 4c8d05975d0000 498bce e8???????? }                            // n = 6, score = 100
        $sequence_3 = { 41ff9280000000 ba09000000 498bcd e8???????? 4c8bf8 4885c0 }                              // n = 6, score = 100
        $sequence_4 = { 4883ec20 488bd9 488bc2 488d0d3d450100 }                                                  // n = 4, score = 100
        $sequence_5 = { 488d154a2e0100 488bc1 83e13f 48c1f806 }                                                  // n = 4, score = 100
        $sequence_6 = { eb5f 8bce e8???????? 83cbff 488d0586790100 }                                             // n = 5, score = 100
        $sequence_7 = { 33db 488d3d055c0100 488b0c3b 4885c9 740a }                                               // n = 5, score = 100
        // $sequence_8 / $sequence_9: repeated 4c89b8 stores at stepping disp32
        // offsets (0x120.. and 0x2318..), i.e. a struct being zeroed/initialised
        // field by field (reviewer decode, confirm with a disassembler)
        $sequence_8 = { 4c89b820010000 4c89b828010000 4c89b830010000 4c89b838010000 4c89b840010000 4c89b848010000 } // n = 6, score = 100
        $sequence_9 = { 4c89b818230000 4c89b820230000 4c89b828230000 4c89b830230000 4c89b838230000 }              // n = 5, score = 100

    condition:
        // 364KB == 372736 bytes, the bound the generator emitted
        7 of ($sequence_*) and filesize < 364KB
}