win.shapeshift (Back to overview)

SHAPESHIFT

Actor(s): APT33


There is no description at this point. The only reference listed below is FireEye's 2017 APT33 report, which tags SHAPESHIFT together with DROPSHOT, TURNEDUP, Nanocore RAT and NetWire RC; consult that report for the family's behaviour.

References
2017-09-20 | FireEye | Jacqueline O’Leary, Josiah Kimble, Kelli Vanderlee, Nalani Fraser
@online{oleary:20170920:insights:27e8253, author = {Jacqueline O’Leary and Josiah Kimble and Kelli Vanderlee and Nalani Fraser}, title = {{Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware}}, date = {2017-09-20}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html}, language = {English}, urldate = {2019-12-20} } Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware
Families tagged in this reference: DROPSHOT, Nanocore RAT, NetWire RC, SHAPESHIFT, TURNEDUP — actor: APT33
Yara Rules
[TLP:WHITE] win_shapeshift_auto (20221125 | Detects win.shapeshift.)
// Auto-generated code-sequence signature for the win.shapeshift family (APT33).
// Matching model: each $sequence_N is a short run of 32-bit x86 opcode bytes
// lifted from ONE documented sample (see the disclaimer below); "??" wildcards
// mask operand bytes that vary between builds (absolute data addresses,
// rel32 call/jump displacements). Several sequences still embed un-wildcarded
// absolute addresses in the 0x41xxxx-0x42xxxx range (consistent with a
// 0x400000 image base); see the per-sequence notes for the false-negative risk.
rule win_shapeshift_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.shapeshift."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shapeshift"
        // NOTE(review): three distinct dates are recorded (malpedia_rule_date,
        // date, malpedia_version); presumably the sequences reflect the Malpedia
        // sample set as of malpedia_rule_date, not samples added later - verify.
        malpedia_rule_date = "20221118"
        // 40 hex characters (SHA-1 length); presumably the reference sample the
        // sequences were extracted from - confirm on the malpedia_reference page.
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each sequence is annotated with the generator's disassembly; a blank
        // mnemonic column marks an instruction whose operand bytes were wildcarded.

        // Modular arithmetic step: leaves (eax + 0x1387) mod 0xdbf85 in eax via
        // 32-bit div; the imul source and the store target are wildcarded globals.
        // Purpose (PRNG/hash step?) cannot be determined from this fragment.
        $sequence_0 = { 6b05????????0d 33d2 b985bf0d00 0587130000 f7f1 8915???????? 8bc2 }
            // n = 7, score = 100
            //   6b05????????0d       |                     
            //   33d2                 | xor                 edx, edx
            //   b985bf0d00           | mov                 ecx, 0xdbf85
            //   0587130000           | add                 eax, 0x1387
            //   f7f1                 | div                 ecx
            //   8915????????         |                     
            //   8bc2                 | mov                 eax, edx

        // Looks like an inline 16-bit (wide-char) compare loop: loads a word from
        // a stack buffer at [ebp-0x230], compares it with a word at a wildcarded
        // constant address, then tests for a zero terminator.
        $sequence_1 = { b9???????? 8d85d0fdffff 0f1f440000 668b10 663b11 751e 6685d2 }
            // n = 7, score = 100
            //   b9????????           |                     
            //   8d85d0fdffff         | lea                 eax, [ebp - 0x230]
            //   0f1f440000           | nop                 dword ptr [eax + eax]
            //   668b10               | mov                 dx, word ptr [eax]
            //   663b11               | cmp                 dx, word ptr [ecx]
            //   751e                 | jne                 0x20
            //   6685d2               | test                dx, dx

        // Stack cleanup after a call (target wildcarded), then five arguments
        // pushed for a following call that lies outside the sequence; the
        // 0x200 (512) literal's meaning (size? flag?) is not visible here.
        $sequence_2 = { e8???????? 83c408 6a00 ff750c 6800020000 ff75fc ff75f8 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   6a00                 | push                0
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   6800020000           | push                0x200
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff75f8               | push                dword ptr [ebp - 8]

        // Atomic compare-exchange (lock cmpxchg) on a dword in a table at the
        // un-wildcarded absolute address 0x4201e4, indexed by eax*4.
        // NOTE(review): the 0x4201e4 bytes are relocation targets; an image
        // mapped at a different base will have them rewritten and this sequence
        // will not match in such a dump.
        $sequence_3 = { 8d1c85e4014200 33c0 f00fb10b 8b15???????? 83cfff }
            // n = 5, score = 100
            //   8d1c85e4014200       | lea                 ebx, [eax*4 + 0x4201e4]
            //   33c0                 | xor                 eax, eax
            //   f00fb10b             | lock cmpxchg        dword ptr [ebx], ecx
            //   8b15????????         |                     
            //   83cfff               | or                  edi, 0xffffffff

        // SSE2 packed-double arithmetic (movapd/mulpd/addpd/pshufd) reading a
        // table at the un-wildcarded absolute address 0x41cc90. This reads like
        // compiler-generated floating-point/math code rather than family-specific
        // logic, so expect it to be fragile across builds and relocations.
        $sequence_4 = { 03c0 660f289890cc4100 660f2835???????? 660f59cf 660f58d1 660f70caee }
            // n = 6, score = 100
            //   03c0                 | add                 eax, eax
            //   660f289890cc4100     | movapd              xmm3, xmmword ptr [eax + 0x41cc90]
            //   660f2835????????     |                     
            //   660f59cf             | mulpd               xmm1, xmm7
            //   660f58d1             | addpd               xmm2, xmm1
            //   660f70caee           | pshufd              xmm1, xmm2, 0xee

        // Call (target wildcarded) followed by a "result == 2" branch and a load
        // from a wildcarded global; short and generic, low specificity on its own.
        $sequence_5 = { e8???????? 83f802 0f848e000000 a1???????? }
            // n = 4, score = 100
            //   e8????????           |                     
            //   83f802               | cmp                 eax, 2
            //   0f848e000000         | je                  0x94
            //   a1????????           |                     

        // x87 load of a double from the first stack argument, then two branches
        // that store the constants 0x417ec4 / 0x417ecc into [ebp-0x20]; those
        // look like pointers into the image's data section - TODO confirm - and
        // are un-wildcarded, so they carry the same relocation caveat as above.
        $sequence_6 = { 0f8580000000 8b4508 dd00 ebc6 c745e0c47e4100 e9???????? c745e0cc7e4100 }
            // n = 7, score = 100
            //   0f8580000000         | jne                 0x86
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   dd00                 | fld                 qword ptr [eax]
            //   ebc6                 | jmp                 0xffffffc8
            //   c745e0c47e4100       | mov                 dword ptr [ebp - 0x20], 0x417ec4
            //   e9????????           |                     
            //   c745e0cc7e4100       | mov                 dword ptr [ebp - 0x20], 0x417ecc

        // Byte-table lookup at the un-wildcarded absolute address 0x419a58,
        // writing consecutive output bytes at [ebx+5] and [ebx+6]; resembles an
        // unrolled translate/encode step (the index comes from a wildcarded
        // sign-extended word global). Relocation caveat applies here too.
        $sequence_7 = { 884305 0fbf05???????? 0fb680589a4100 884306 0fbf05???????? 0fb680589a4100 }
            // n = 6, score = 100
            //   884305               | mov                 byte ptr [ebx + 5], al
            //   0fbf05????????       |                     
            //   0fb680589a4100       | movzx               eax, byte ptr [eax + 0x419a58]
            //   884306               | mov                 byte ptr [ebx + 6], al
            //   0fbf05????????       |                     
            //   0fb680589a4100       | movzx               eax, byte ptr [eax + 0x419a58]

    condition:
        // 7 of the 8 sequences must be present, i.e. exactly one miss is
        // tolerated. Four sequences ($sequence_3, _4, _6, _7) embed absolute
        // addresses, so a rebuilt or rebased image can lose more than one of
        // them and fall below the threshold - treat a non-match as weak evidence.
        // The size bound (303104 bytes = 296 KiB) is sized to the reference
        // sample, not to the family.
        // NOTE(review): YARA leaves filesize undefined when scanning a live
        // process, so this rule is expected to match only on files and on-disk
        // memory dumps; confirm against the YARA version you deploy.
        // NOTE(review): the strings come from unpacked code (see DISCLAIMER), so
        // a packed dropper on disk is not expected to match - scan unpacked
        // samples or dumps.
        7 of them and filesize < 303104
}