SYMBOLCOMMON_NAMEaka. SYNONYMS
win.shifu (Back to overview)

Shifu

VTCollection    

Shifu was originally discovered by Trusteer security researchers (Ilya Kolmanovich, Denis Laskov) in the middle of 2015. It is a banking trojan mostly focusing on Japanese banks and has rich features for remote data extraction and control.

References
2021-09-03Trend MicroMohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2020-05-21Intel 471Intel 471
A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-03-03PWC UKPWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2017-01-06Palo Alto Networks Unit 42Dominik Reichel
2016 Updates to Shifu Banking Trojan
Shifu
2015-11-02Virus BulletinFloser Bacurio Jr., Wayne Low
Shifu – the rise of a self-destructive banking trojan
Shifu
2015-08-31SecurityIntelligenceDenis Laskov, Ilya Kolmanovich, Limor Kessem
Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks
Shifu
Yara Rules
[TLP:WHITE] win_shifu_auto (20241030 | Detects win.shifu.)
rule win_shifu_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.shifu."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 59 32c0 8d7d9c 6a08 f3aa 58 e8???????? }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   32c0                 | xor                 al, al
            //   8d7d9c               | lea                 edi, [ebp - 0x64]
            //   6a08                 | push                8
            //   f3aa                 | rep stosb           byte ptr es:[edi], al
            //   58                   | pop                 eax
            //   e8????????           |                     

        $sequence_1 = { 50 8b470c 6a00 83c030 50 6a01 ffd3 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8b470c               | mov                 eax, dword ptr [edi + 0xc]
            //   6a00                 | push                0
            //   83c030               | add                 eax, 0x30
            //   50                   | push                eax
            //   6a01                 | push                1
            //   ffd3                 | call                ebx

        $sequence_2 = { 83c8ff ebf0 55 8bec eb0a 8b4d08 48 }
            // n = 7, score = 100
            //   83c8ff               | or                  eax, 0xffffffff
            //   ebf0                 | jmp                 0xfffffff2
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   eb0a                 | jmp                 0xc
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   48                   | dec                 eax

        $sequence_3 = { 8bc4 85c0 7411 6894000000 6a0b ba???????? e8???????? }
            // n = 7, score = 100
            //   8bc4                 | mov                 eax, esp
            //   85c0                 | test                eax, eax
            //   7411                 | je                  0x13
            //   6894000000           | push                0x94
            //   6a0b                 | push                0xb
            //   ba????????           |                     
            //   e8????????           |                     

        $sequence_4 = { 6a0c 5e e8???????? 8945f8 3bc7 0f847d030000 897808 }
            // n = 7, score = 100
            //   6a0c                 | push                0xc
            //   5e                   | pop                 esi
            //   e8????????           |                     
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   3bc7                 | cmp                 eax, edi
            //   0f847d030000         | je                  0x383
            //   897808               | mov                 dword ptr [eax + 8], edi

        $sequence_5 = { 83e203 c1e204 c1eb04 0bd3 8a1402 885601 }
            // n = 6, score = 100
            //   83e203               | and                 edx, 3
            //   c1e204               | shl                 edx, 4
            //   c1eb04               | shr                 ebx, 4
            //   0bd3                 | or                  edx, ebx
            //   8a1402               | mov                 dl, byte ptr [edx + eax]
            //   885601               | mov                 byte ptr [esi + 1], dl

        $sequence_6 = { e8???????? 8bc4 85c0 7411 6889000000 6a0a }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8bc4                 | mov                 eax, esp
            //   85c0                 | test                eax, eax
            //   7411                 | je                  0x13
            //   6889000000           | push                0x89
            //   6a0a                 | push                0xa

        $sequence_7 = { c645ff01 eb4a 807dff00 740f 8bf3 e8???????? 85c0 }
            // n = 7, score = 100
            //   c645ff01             | mov                 byte ptr [ebp - 1], 1
            //   eb4a                 | jmp                 0x4c
            //   807dff00             | cmp                 byte ptr [ebp - 1], 0
            //   740f                 | je                  0x11
            //   8bf3                 | mov                 esi, ebx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_8 = { 8bc4 85c0 7411 6882000000 6a0b ba???????? e8???????? }
            // n = 7, score = 100
            //   8bc4                 | mov                 eax, esp
            //   85c0                 | test                eax, eax
            //   7411                 | je                  0x13
            //   6882000000           | push                0x82
            //   6a0b                 | push                0xb
            //   ba????????           |                     
            //   e8????????           |                     

        $sequence_9 = { d1e8 8bf0 eb05 85db 7401 4b 83fb01 }
            // n = 7, score = 100
            //   d1e8                 | shr                 eax, 1
            //   8bf0                 | mov                 esi, eax
            //   eb05                 | jmp                 7
            //   85db                 | test                ebx, ebx
            //   7401                 | je                  3
            //   4b                   | dec                 ebx
            //   83fb01               | cmp                 ebx, 1

    condition:
        7 of them and filesize < 344064
}
[TLP:WHITE] win_shifu_w0   (20170603 | Detects SHIFU Banking Trojan)
rule win_shifu_w0 {
	meta:
		description = "Detects SHIFU Banking Trojan"
		author = "Florian Roth"
		contribution = "Daniel Plohmann"
		reference = "http://goo.gl/52n8WE"
		date = "2015-10-31"
		score = 70
		hash = "0066d1c8053ff8b0c07418c7f8d20e5cd64007bb850944269f611febd0c1afe0"
		hash = "3956d32a870d81be34cafc867769b2a2f55a96360070f1cb3d9addc2918357d5"
		hash = "3fde1b2b50fcb36a695f1e6bc577cd930c2343066d98982cf982393e55bfce0d"
		hash = "457ad4a4d4e675fe09f63873ca3364434dc872dde7d9b64ce7db919eaff47485"
		hash = "51edba913e8b83d1388b1be975957e439015289d51d3d5774d501551f220df6f"
		hash = "6611a2b79a3acf0003b1197aa5bfe488a33db69b663c79c6c5b023e86818d38b"
		hash = "72e239924faebf8209f8e3d093f264f778a55efb56b619f26cea73b1c4feb7a4"
		hash = "7a29cb641b9ac33d1bb405d364bc6e9c7ce3e218a8ff295b75ca0922cf418290"
		hash = "92fe4f9a87c796e993820d1bda8040aced36e316de67c9c0c5fc71aadc41e0f8"
		hash = "93ecb6bd7c76e1b66f8c176418e73e274e2c705986d4ac9ede9d25db4091ab05"
		hash = "a0b7fac69a4eb32953c16597da753b15060f6eba452d150109ff8aabc2c56123"
		hash = "a8b6e798116ce0b268e2c9afac61536b8722e86b958bd2ee95c6ecdec86130c9"
		hash = "d6244c1177b679b3d67f6cec34fe0ae87fba21998d4f5024d8eeaf15ca242503"
		hash = "dcc9c38e695ffd121e793c91ca611a4025a116321443297f710a47ce06afb36d"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/shifu_trojan.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu"
        malpedia_version = "20170603"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
	strings:
		$x1 = "\\Gather\\Dividerail.pdb" ascii

		$s0 = "\\payload\\payload.x86.pdb" ascii
		$s1 = "USER_PRIV_GUEST" fullword wide
		$s2 = "USER_PRIV_ADMIN" fullword wide
		$s3 = "USER_PRIV_USER" fullword wide
		$s4 = "%ws\\%ws" wide
	condition:
		($x1 or 5 of ($s*))
}
Download all Yara Rules