SYMBOLCOMMON_NAMEaka. SYNONYMS
win.shifu (Back to overview)

Shifu


Shifu was originally discovered by Trusteer security researchers (Ilya Kolmanovich, Denis Laskov) in the middle of 2015. It is a banking trojan mostly focusing on Japanese banks and has rich features for remote data extraction and control.

References
2020-05-21Intel 471Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2017-01-06Palo Alto Networks Unit 42Dominik Reichel
@online{reichel:20170106:2016:f928ad2, author = {Dominik Reichel}, title = {{2016 Updates to Shifu Banking Trojan}}, date = {2017-01-06}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/}, language = {English}, urldate = {2019-12-20} } 2016 Updates to Shifu Banking Trojan
Shifu
2015-11-02Virus BulletinFloser Bacurio Jr., Wayne Low
@online{jr:20151102:shifu:700438c, author = {Floser Bacurio Jr. and Wayne Low}, title = {{Shifu – the rise of a self-destructive banking trojan}}, date = {2015-11-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2015/11/shifu-rise-self-destructive-banking-trojan}, language = {English}, urldate = {2020-01-09} } Shifu – the rise of a self-destructive banking trojan
Shifu
2015-08-31SecurityIntelligenceLimor Kessem, Ilya Kolmanovich, Denis Laskov
@online{kessem:20150831:shifu:389070d, author = {Limor Kessem and Ilya Kolmanovich and Denis Laskov}, title = {{Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks}}, date = {2015-08-31}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/}, language = {English}, urldate = {2020-10-23} } Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks
Shifu
Yara Rules
[TLP:WHITE] win_shifu_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_shifu_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 2bd6 8a08 880c02 40 84c9 75f6 eb10 }
            // n = 7, score = 100
            //   2bd6                 | sub                 edx, esi
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   880c02               | mov                 byte ptr [edx + eax], cl
            //   40                   | inc                 eax
            //   84c9                 | test                cl, cl
            //   75f6                 | jne                 0xfffffff8
            //   eb10                 | jmp                 0x12

        $sequence_1 = { 0145f4 8b4608 53 53 50 ff15???????? 8945d4 }
            // n = 7, score = 100
            //   0145f4               | add                 dword ptr [ebp - 0xc], eax
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8945d4               | mov                 dword ptr [ebp - 0x2c], eax

        $sequence_2 = { 57 56 ff7508 33ff 897e08 897e0c ff15???????? }
            // n = 7, score = 100
            //   57                   | push                edi
            //   56                   | push                esi
            //   ff7508               | push                dword ptr [ebp + 8]
            //   33ff                 | xor                 edi, edi
            //   897e08               | mov                 dword ptr [esi + 8], edi
            //   897e0c               | mov                 dword ptr [esi + 0xc], edi
            //   ff15????????         |                     

        $sequence_3 = { 6a0b ba???????? e8???????? 33ff 8d5f01 53 8d85fcfeffff }
            // n = 7, score = 100
            //   6a0b                 | push                0xb
            //   ba????????           |                     
            //   e8????????           |                     
            //   33ff                 | xor                 edi, edi
            //   8d5f01               | lea                 ebx, [edi + 1]
            //   53                   | push                ebx
            //   8d85fcfeffff         | lea                 eax, [ebp - 0x104]

        $sequence_4 = { 3bc1 7703 8945f4 8bfb 2b7df4 8bc3 2bc7 }
            // n = 7, score = 100
            //   3bc1                 | cmp                 eax, ecx
            //   7703                 | ja                  5
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8bfb                 | mov                 edi, ebx
            //   2b7df4               | sub                 edi, dword ptr [ebp - 0xc]
            //   8bc3                 | mov                 eax, ebx
            //   2bc7                 | sub                 eax, edi

        $sequence_5 = { 8bd6 8d45e8 894de8 e8???????? f745ec0000ffff 8b4de8 7404 }
            // n = 7, score = 100
            //   8bd6                 | mov                 edx, esi
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   894de8               | mov                 dword ptr [ebp - 0x18], ecx
            //   e8????????           |                     
            //   f745ec0000ffff       | test                dword ptr [ebp - 0x14], 0xffff0000
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   7404                 | je                  6

        $sequence_6 = { 57 895de0 895df8 895dfc 895de8 c745d804000000 895ddc }
            // n = 7, score = 100
            //   57                   | push                edi
            //   895de0               | mov                 dword ptr [ebp - 0x20], ebx
            //   895df8               | mov                 dword ptr [ebp - 8], ebx
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   895de8               | mov                 dword ptr [ebp - 0x18], ebx
            //   c745d804000000       | mov                 dword ptr [ebp - 0x28], 4
            //   895ddc               | mov                 dword ptr [ebp - 0x24], ebx

        $sequence_7 = { 7405 ff4d10 75de 5f 5b 5e 5d }
            // n = 7, score = 100
            //   7405                 | je                  7
            //   ff4d10               | dec                 dword ptr [ebp + 0x10]
            //   75de                 | jne                 0xffffffe0
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp

        $sequence_8 = { 8b4f02 03ce 03cb 85c9 7412 3b4df4 730d }
            // n = 7, score = 100
            //   8b4f02               | mov                 ecx, dword ptr [edi + 2]
            //   03ce                 | add                 ecx, esi
            //   03cb                 | add                 ecx, ebx
            //   85c9                 | test                ecx, ecx
            //   7412                 | je                  0x14
            //   3b4df4               | cmp                 ecx, dword ptr [ebp - 0xc]
            //   730d                 | jae                 0xf

        $sequence_9 = { d16df8 85f6 759a ff75fc 8b4508 8bd7 }
            // n = 6, score = 100
            //   d16df8               | shr                 dword ptr [ebp - 8], 1
            //   85f6                 | test                esi, esi
            //   759a                 | jne                 0xffffff9c
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8bd7                 | mov                 edx, edi

    condition:
        7 of them and filesize < 344064
}
[TLP:WHITE] win_shifu_w0   (20170603 | Detects SHIFU Banking Trojan)
rule win_shifu_w0 {
	meta:
		description = "Detects SHIFU Banking Trojan"
		author = "Florian Roth"
		contribution = "Daniel Plohmann"
		reference = "http://goo.gl/52n8WE"
		date = "2015-10-31"
		score = 70
		hash = "0066d1c8053ff8b0c07418c7f8d20e5cd64007bb850944269f611febd0c1afe0"
		hash = "3956d32a870d81be34cafc867769b2a2f55a96360070f1cb3d9addc2918357d5"
		hash = "3fde1b2b50fcb36a695f1e6bc577cd930c2343066d98982cf982393e55bfce0d"
		hash = "457ad4a4d4e675fe09f63873ca3364434dc872dde7d9b64ce7db919eaff47485"
		hash = "51edba913e8b83d1388b1be975957e439015289d51d3d5774d501551f220df6f"
		hash = "6611a2b79a3acf0003b1197aa5bfe488a33db69b663c79c6c5b023e86818d38b"
		hash = "72e239924faebf8209f8e3d093f264f778a55efb56b619f26cea73b1c4feb7a4"
		hash = "7a29cb641b9ac33d1bb405d364bc6e9c7ce3e218a8ff295b75ca0922cf418290"
		hash = "92fe4f9a87c796e993820d1bda8040aced36e316de67c9c0c5fc71aadc41e0f8"
		hash = "93ecb6bd7c76e1b66f8c176418e73e274e2c705986d4ac9ede9d25db4091ab05"
		hash = "a0b7fac69a4eb32953c16597da753b15060f6eba452d150109ff8aabc2c56123"
		hash = "a8b6e798116ce0b268e2c9afac61536b8722e86b958bd2ee95c6ecdec86130c9"
		hash = "d6244c1177b679b3d67f6cec34fe0ae87fba21998d4f5024d8eeaf15ca242503"
		hash = "dcc9c38e695ffd121e793c91ca611a4025a116321443297f710a47ce06afb36d"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/shifu_trojan.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu"
        malpedia_version = "20170603"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
	strings:
		$x1 = "\\Gather\\Dividerail.pdb" ascii

		$s0 = "\\payload\\payload.x86.pdb" ascii
		$s1 = "USER_PRIV_GUEST" fullword wide
		$s2 = "USER_PRIV_ADMIN" fullword wide
		$s3 = "USER_PRIV_USER" fullword wide
		$s4 = "%ws\\%ws" wide
	condition:
		($x1 or 5 of ($s*))
}
Download all Yara Rules