Shifu (Malware Family)

Shifu

VTCollection

Shifu was originally discovered by Trusteer security researchers (Ilya Kolmanovich, Denis Laskov) in the middle of 2015. It is a banking trojan mostly focusing on Japanese banks and has rich features for remote data extraction and control.

References

2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader

2020-05-21 ⋅ Intel 471 ⋅ Intel 471
A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot

2020-03-03 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle

2017-01-06 ⋅ Palo Alto Networks Unit 42 ⋅ Dominik Reichel
2016 Updates to Shifu Banking Trojan
Shifu

2015-11-02 ⋅ Virus Bulletin ⋅ Floser Bacurio Jr., Wayne Low
Shifu – the rise of a self-destructive banking trojan
Shifu

2015-08-31 ⋅ SecurityIntelligence ⋅ Denis Laskov, Ilya Kolmanovich, Limor Kessem
Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks
Shifu

Yara Rules

[TLP:WHITE] win_shifu_auto (20260504 | Detects win.shifu.)

rule win_shifu_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.shifu."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bf3 f3a5 8b4d08 898134010000 e9???????? b800000100 }
            // n = 6, score = 100
            //   8bf3                 | mov                 esi, ebx
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   898134010000         | mov                 dword ptr [ecx + 0x134], eax
            //   e9????????           |                     
            //   b800000100           | mov                 eax, 0x10000

        $sequence_1 = { e8???????? 85c0 7415 ff35???????? 68???????? 68???????? e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7415                 | je                  0x17
            //   ff35????????         |                     
            //   68????????           |                     
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_2 = { 0fb65906 33d8 23da c1e808 33049df8ce3602 0fb65907 33d8 }
            // n = 7, score = 100
            //   0fb65906             | movzx               ebx, byte ptr [ecx + 6]
            //   33d8                 | xor                 ebx, eax
            //   23da                 | and                 ebx, edx
            //   c1e808               | shr                 eax, 8
            //   33049df8ce3602       | xor                 eax, dword ptr [ebx*4 + 0x236cef8]
            //   0fb65907             | movzx               ebx, byte ptr [ecx + 7]
            //   33d8                 | xor                 ebx, eax

        $sequence_3 = { 89430c 85c0 0f84b0030000 c16dfc0e 836d080e 83630800 c70304000000 }
            // n = 7, score = 100
            //   89430c               | mov                 dword ptr [ebx + 0xc], eax
            //   85c0                 | test                eax, eax
            //   0f84b0030000         | je                  0x3b6
            //   c16dfc0e             | shr                 dword ptr [ebp - 4], 0xe
            //   836d080e             | sub                 dword ptr [ebp + 8], 0xe
            //   83630800             | and                 dword ptr [ebx + 8], 0
            //   c70304000000         | mov                 dword ptr [ebx], 4

        $sequence_4 = { 72ee 85c9 0f84dc000000 8bdf 894df4 8b45ec 803c0302 }
            // n = 7, score = 100
            //   72ee                 | jb                  0xfffffff0
            //   85c9                 | test                ecx, ecx
            //   0f84dc000000         | je                  0xe2
            //   8bdf                 | mov                 ebx, edi
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   803c0302             | cmp                 byte ptr [ebx + eax], 2

        $sequence_5 = { ff15???????? 85c0 745d 8b75f8 e8???????? 8945fc 3bc7 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   745d                 | je                  0x5f
            //   8b75f8               | mov                 esi, dword ptr [ebp - 8]
            //   e8????????           |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   3bc7                 | cmp                 eax, edi

        $sequence_6 = { e8???????? 8b4d08 c1e110 03f1 85c0 751b 8d4508 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   c1e110               | shl                 ecx, 0x10
            //   03f1                 | add                 esi, ecx
            //   85c0                 | test                eax, eax
            //   751b                 | jne                 0x1d
            //   8d4508               | lea                 eax, [ebp + 8]

        $sequence_7 = { 6a03 53 53 ff75f0 ff75e4 50 ff15???????? }
            // n = 7, score = 100
            //   6a03                 | push                3
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   ff75f0               | push                dword ptr [ebp - 0x10]
            //   ff75e4               | push                dword ptr [ebp - 0x1c]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_8 = { 33c0 5e c9 c20c00 55 8bec 85c9 }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c20c00               | ret                 0xc
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   85c9                 | test                ecx, ecx

        $sequence_9 = { ff15???????? 895e08 a1???????? 8906 c74604???????? 897004 57 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   895e08               | mov                 dword ptr [esi + 8], ebx
            //   a1????????           |                     
            //   8906                 | mov                 dword ptr [esi], eax
            //   c74604????????       |                     
            //   897004               | mov                 dword ptr [eax + 4], esi
            //   57                   | push                edi

    condition:
        7 of them and filesize < 344064
}

[TLP:WHITE] win_shifu_w0 (20170603 | Detects SHIFU Banking Trojan)

rule win_shifu_w0 {
	meta:
		description = "Detects SHIFU Banking Trojan"
		author = "Florian Roth"
		contribution = "Daniel Plohmann"
		reference = "http://goo.gl/52n8WE"
		date = "2015-10-31"
		score = 70
		hash = "0066d1c8053ff8b0c07418c7f8d20e5cd64007bb850944269f611febd0c1afe0"
		hash = "3956d32a870d81be34cafc867769b2a2f55a96360070f1cb3d9addc2918357d5"
		hash = "3fde1b2b50fcb36a695f1e6bc577cd930c2343066d98982cf982393e55bfce0d"
		hash = "457ad4a4d4e675fe09f63873ca3364434dc872dde7d9b64ce7db919eaff47485"
		hash = "51edba913e8b83d1388b1be975957e439015289d51d3d5774d501551f220df6f"
		hash = "6611a2b79a3acf0003b1197aa5bfe488a33db69b663c79c6c5b023e86818d38b"
		hash = "72e239924faebf8209f8e3d093f264f778a55efb56b619f26cea73b1c4feb7a4"
		hash = "7a29cb641b9ac33d1bb405d364bc6e9c7ce3e218a8ff295b75ca0922cf418290"
		hash = "92fe4f9a87c796e993820d1bda8040aced36e316de67c9c0c5fc71aadc41e0f8"
		hash = "93ecb6bd7c76e1b66f8c176418e73e274e2c705986d4ac9ede9d25db4091ab05"
		hash = "a0b7fac69a4eb32953c16597da753b15060f6eba452d150109ff8aabc2c56123"
		hash = "a8b6e798116ce0b268e2c9afac61536b8722e86b958bd2ee95c6ecdec86130c9"
		hash = "d6244c1177b679b3d67f6cec34fe0ae87fba21998d4f5024d8eeaf15ca242503"
		hash = "dcc9c38e695ffd121e793c91ca611a4025a116321443297f710a47ce06afb36d"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/shifu_trojan.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu"
        malpedia_version = "20170603"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
	strings:
		$x1 = "\\Gather\\Dividerail.pdb" ascii

		$s0 = "\\payload\\payload.x86.pdb" ascii
		$s1 = "USER_PRIV_GUEST" fullword wide
		$s2 = "USER_PRIV_ADMIN" fullword wide
		$s3 = "USER_PRIV_USER" fullword wide
		$s4 = "%ws\\%ws" wide
	condition:
		($x1 or 5 of ($s*))
}

Download all Yara Rules

Shifu Propose Change

References

Yara Rules

Shifu