win.shifu

Shifu


There is no description at this point.

References
2020-05-21 · Intel 471 · Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-03-03 · PWC UK · PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019: A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2017-01-06 · Palo Alto Networks Unit 42 · Dominik Reichel
@online{reichel:20170106:2016:f928ad2, author = {Dominik Reichel}, title = {{2016 Updates to Shifu Banking Trojan}}, date = {2017-01-06}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/}, language = {English}, urldate = {2019-12-20} } 2016 Updates to Shifu Banking Trojan
Shifu
2015-11-02 · Virus Bulletin · Floser Bacurio Jr., Wayne Low
@online{jr:20151102:shifu:700438c, author = {Floser Bacurio Jr. and Wayne Low}, title = {{Shifu – the rise of a self-destructive banking trojan}}, date = {2015-11-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2015/11/shifu-rise-self-destructive-banking-trojan}, language = {English}, urldate = {2020-01-09} } Shifu – the rise of a self-destructive banking trojan
Shifu
Yara Rules
[TLP:WHITE] win_shifu_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_shifu_auto {
    // Auto-generated code-sequence signature for Shifu produced by yara-signator;
    // the DISCLAIMER below describes how the byte sequences were selected and why
    // their generalization to unseen samples is limited.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is one run of x86 instruction bytes; the annotation under it
    // lists the bytes and their disassembly. "??" bytes are wildcards, and those
    // lines carry no disassembly — presumably the masked operands are the call/jump
    // targets and data references named in tool_config (confirm against the tool).
    strings:
        $sequence_0 = { ba???????? e8???????? 50 8d85fcfeffff 50 e8???????? 8d85fcfeffff }
            // n = 7, score = 100
            //   ba????????           |                     
            //   e8????????           |                     
            //   50                   | push                eax
            //   8d85fcfeffff         | lea                 eax, [ebp - 0x104]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d85fcfeffff         | lea                 eax, [ebp - 0x104]

        $sequence_1 = { a1???????? 83f8ff 740f 50 e8???????? 830d????????ff }
            // n = 6, score = 100
            //   a1????????           |                     
            //   83f8ff               | cmp                 eax, -1
            //   740f                 | je                  0x11
            //   50                   | push                eax
            //   e8????????           |                     
            //   830d????????ff       |                     

        $sequence_2 = { 5b 668918 03c7 66ff86f20f0000 49 75ee 8d865e0e0000 }
            // n = 7, score = 100
            //   5b                   | pop                 ebx
            //   668918               | mov                 word ptr [eax], bx
            //   03c7                 | add                 eax, edi
            //   66ff86f20f0000       | inc                 word ptr [esi + 0xff2]
            //   49                   | dec                 ecx
            //   75ee                 | jne                 0xfffffff0
            //   8d865e0e0000         | lea                 eax, [esi + 0xe5e]

        $sequence_3 = { 74f2 397518 7411 397520 740c ff7518 8b4520 }
            // n = 7, score = 100
            //   74f2                 | je                  0xfffffff4
            //   397518               | cmp                 dword ptr [ebp + 0x18], esi
            //   7411                 | je                  0x13
            //   397520               | cmp                 dword ptr [ebp + 0x20], esi
            //   740c                 | je                  0xe
            //   ff7518               | push                dword ptr [ebp + 0x18]
            //   8b4520               | mov                 eax, dword ptr [ebp + 0x20]

        $sequence_4 = { ff7508 03c8 51 e8???????? 83c40c 011e 8bc3 }
            // n = 7, score = 100
            //   ff7508               | push                dword ptr [ebp + 8]
            //   03c8                 | add                 ecx, eax
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   011e                 | add                 dword ptr [esi], ebx
            //   8bc3                 | mov                 eax, ebx

        $sequence_5 = { 3b4508 751e 395e04 7404 8b06 eb03 8b4610 }
            // n = 7, score = 100
            //   3b4508               | cmp                 eax, dword ptr [ebp + 8]
            //   751e                 | jne                 0x20
            //   395e04               | cmp                 dword ptr [esi + 4], ebx
            //   7404                 | je                  6
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   eb03                 | jmp                 5
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]

        $sequence_6 = { 8bcb e8???????? 894658 8bc7 eb2a 8b465c 85c0 }
            // n = 7, score = 100
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   894658               | mov                 dword ptr [esi + 0x58], eax
            //   8bc7                 | mov                 eax, edi
            //   eb2a                 | jmp                 0x2c
            //   8b465c               | mov                 eax, dword ptr [esi + 0x5c]
            //   85c0                 | test                eax, eax

        $sequence_7 = { 895e44 894648 33c0 5b c9 c3 }
            // n = 6, score = 100
            //   895e44               | mov                 dword ptr [esi + 0x44], ebx
            //   894648               | mov                 dword ptr [esi + 0x48], eax
            //   33c0                 | xor                 eax, eax
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c3                   | ret                 

        $sequence_8 = { c20400 55 8bec 6a1c 6a01 ff7028 ff5020 }
            // n = 7, score = 100
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   6a1c                 | push                0x1c
            //   6a01                 | push                1
            //   ff7028               | push                dword ptr [eax + 0x28]
            //   ff5020               | call                dword ptr [eax + 0x20]

        $sequence_9 = { e8???????? 89830c010000 899310010000 807dfb00 7411 e8???????? }
            // n = 6, score = 100
            //   e8????????           |                     
            //   89830c010000         | mov                 dword ptr [ebx + 0x10c], eax
            //   899310010000         | mov                 dword ptr [ebx + 0x110], edx
            //   807dfb00             | cmp                 byte ptr [ebp - 5], 0
            //   7411                 | je                  0x13
            //   e8????????           |                     

    // At least 7 of the 10 code sequences must be present. The filesize cap is
    // presumably derived from the reference samples (confirm); inputs above it,
    // e.g. large memory dumps, will not match even if all sequences are present.
    condition:
        7 of them and filesize < 344064
}
[TLP:WHITE] win_shifu_w0   (20170603 | Detects SHIFU Banking Trojan)
rule win_shifu_w0 {
	// Hand-written string signature for the Shifu banking trojan: one PDB build
	// path is treated as a match on its own; otherwise every supporting string
	// must be present.
	meta:
		description = "Detects SHIFU Banking Trojan"
		author = "Florian Roth"
		contribution = "Daniel Plohmann"
		reference = "http://goo.gl/52n8WE"
		date = "2015-10-31"
		score = 70
		hash1 = "0066d1c8053ff8b0c07418c7f8d20e5cd64007bb850944269f611febd0c1afe0"
		hash2 = "3956d32a870d81be34cafc867769b2a2f55a96360070f1cb3d9addc2918357d5"
		hash3 = "3fde1b2b50fcb36a695f1e6bc577cd930c2343066d98982cf982393e55bfce0d"
		hash4 = "457ad4a4d4e675fe09f63873ca3364434dc872dde7d9b64ce7db919eaff47485"
		hash5 = "51edba913e8b83d1388b1be975957e439015289d51d3d5774d501551f220df6f"
		hash6 = "6611a2b79a3acf0003b1197aa5bfe488a33db69b663c79c6c5b023e86818d38b"
		hash7 = "72e239924faebf8209f8e3d093f264f778a55efb56b619f26cea73b1c4feb7a4"
		hash8 = "7a29cb641b9ac33d1bb405d364bc6e9c7ce3e218a8ff295b75ca0922cf418290"
		hash9 = "92fe4f9a87c796e993820d1bda8040aced36e316de67c9c0c5fc71aadc41e0f8"
		hash10 = "93ecb6bd7c76e1b66f8c176418e73e274e2c705986d4ac9ede9d25db4091ab05"
		hash11 = "a0b7fac69a4eb32953c16597da753b15060f6eba452d150109ff8aabc2c56123"
		hash12 = "a8b6e798116ce0b268e2c9afac61536b8722e86b958bd2ee95c6ecdec86130c9"
		hash13 = "d6244c1177b679b3d67f6cec34fe0ae87fba21998d4f5024d8eeaf15ca242503"
		hash14 = "dcc9c38e695ffd121e793c91ca611a4025a116321443297f710a47ce06afb36d"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/shifu_trojan.yar"
		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu"
		malpedia_version = "20170603"
		malpedia_license = "CC BY-NC-SA 4.0"
		malpedia_sharing = "TLP:WHITE"
	strings:
		// High-confidence build artefact (ASCII PDB path); sufficient alone.
		$x1 = "\\Gather\\Dividerail.pdb" ascii
		// Supporting indicators: a second PDB path, three wide privilege-level
		// constants and a wide path format string. All five are required together.
		$s0 = "\\payload\\payload.x86.pdb" ascii
		$s1 = "USER_PRIV_GUEST" wide fullword
		$s2 = "USER_PRIV_ADMIN" wide fullword
		$s3 = "USER_PRIV_USER" wide fullword
		$s4 = "%ws\\%ws" wide
	condition:
		// "all of ($s*)" is the same as "5 of ($s*)": exactly five $s strings exist.
		$x1 or all of ($s*)
}