win.shifu

Shifu


There is no description at this point.

References
2020-05-21 — Intel 471 — Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-03-03 — PWC UK — PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019: A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare
2017-01-06 — Palo Alto Networks Unit 42 — Dominik Reichel
@online{reichel:20170106:2016:f928ad2, author = {Dominik Reichel}, title = {{2016 Updates to Shifu Banking Trojan}}, date = {2017-01-06}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/}, language = {English}, urldate = {2019-12-20} } 2016 Updates to Shifu Banking Trojan
Shifu
2015-11-02 — Virus Bulletin — Floser Bacurio Jr., Wayne Low
@online{jr:20151102:shifu:700438c, author = {Floser Bacurio Jr. and Wayne Low}, title = {{Shifu – the rise of a self-destructive banking trojan}}, date = {2015-11-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2015/11/shifu-rise-self-destructive-banking-trojan}, language = {English}, urldate = {2020-01-09} } Shifu – the rise of a self-destructive banking trojan
Shifu
Yara Rules
[TLP:WHITE] win_shifu_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_shifu_auto {
    /* Autogenerated Malpedia code signature for the Shifu banking trojan
     * (family page: malpedia_reference below). Each $sequence_N string is a
     * short run of x86 instruction bytes selected by yara-signator from the
     * disassembly of the reference samples; the condition requires 7 of the
     * 10 sequences to hit and caps the scanned file size. Byte runs written
     * as ???????? are YARA wildcards masking an operand that the generator
     * left unresolved (the disassembly column for those rows is empty).
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // date vs malpedia_rule_date differ by one day -- presumably rule
        // generation vs publication; confirm against the upstream repo.
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each sequence: n = instruction count, score = generator weighting.
        $sequence_0 = { 8d4801 8a10 40 3ad3 75f9 2bc1 7514 }
            // n = 7, score = 100
            //   8d4801               | lea                 ecx, [eax + 1]
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   40                   | inc                 eax
            //   3ad3                 | cmp                 dl, bl
            //   75f9                 | jne                 0xfffffffb
            //   2bc1                 | sub                 eax, ecx
            //   7514                 | jne                 0x16

        $sequence_1 = { 8d4dfc 51 6a04 53 56 ff7508 50 }
            // n = 7, score = 100
            //   8d4dfc               | lea                 ecx, [ebp - 4]
            //   51                   | push                ecx
            //   6a04                 | push                4
            //   53                   | push                ebx
            //   56                   | push                esi
            //   ff7508               | push                dword ptr [ebp + 8]
            //   50                   | push                eax

        $sequence_2 = { 8bec 83ec10 8365f800 53 56 57 8bf8 }
            // n = 7, score = 100
            //   8bec                 | mov                 ebp, esp
            //   83ec10               | sub                 esp, 0x10
            //   8365f800             | and                 dword ptr [ebp - 8], 0
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bf8                 | mov                 edi, eax

        // ff15???????? is an indirect call whose 4-byte address operand is
        // wildcarded, so the sequence does not depend on where the import
        // lands in a given build.
        $sequence_3 = { 6800000080 ff7508 8d4df8 8945e8 894dec ff15???????? }
            // n = 6, score = 100
            //   6800000080           | push                0x80000000
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8d4df8               | lea                 ecx, [ebp - 8]
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx
            //   ff15????????         |                     

        $sequence_4 = { 85c9 7433 8b45c4 3b4518 7308 c6040800 }
            // n = 6, score = 100
            //   85c9                 | test                ecx, ecx
            //   7433                 | je                  0x35
            //   8b45c4               | mov                 eax, dword ptr [ebp - 0x3c]
            //   3b4518               | cmp                 eax, dword ptr [ebp + 0x18]
            //   7308                 | jae                 0xa
            //   c6040800             | mov                 byte ptr [eax + ecx], 0

        // The two e9???????? entries are relative jumps with their 4-byte
        // displacement wildcarded.
        $sequence_5 = { e9???????? 8b45ec c70009000000 c74318bcd43602 6afd e9???????? ff750c }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   c70009000000         | mov                 dword ptr [eax], 9
            //   c74318bcd43602       | mov                 dword ptr [ebx + 0x18], 0x236d4bc
            //   6afd                 | push                -3
            //   e9????????           |                     
            //   ff750c               | push                dword ptr [ebp + 0xc]

        // Spans a function epilogue (pop/leave/ret 4) into the next function's
        // prologue; the trailing 8325????????00 wildcards an absolute address.
        $sequence_6 = { 5f 5e c9 c20400 55 8bec 8325????????00 }
            // n = 7, score = 100
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8325????????00       |                     

        $sequence_7 = { 50 8bce c6450f00 e8???????? 5f 33c0 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi
            //   c6450f00             | mov                 byte ptr [ebp + 0xf], 0
            //   e8????????           |                     
            //   5f                   | pop                 edi
            //   33c0                 | xor                 eax, eax

        $sequence_8 = { 8d85f8feffff 57 50 ffd3 83c410 8d85f8feffff 50 }
            // n = 7, score = 100
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   57                   | push                edi
            //   50                   | push                eax
            //   ffd3                 | call                ebx
            //   83c410               | add                 esp, 0x10
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   50                   | push                eax

        $sequence_9 = { eb70 3bc1 7504 6a06 eb68 3bc2 }
            // n = 6, score = 100
            //   eb70                 | jmp                 0x72
            //   3bc1                 | cmp                 eax, ecx
            //   7504                 | jne                 6
            //   6a06                 | push                6
            //   eb68                 | jmp                 0x6a
            //   3bc2                 | cmp                 eax, edx

    condition:
        // 7 of the 10 sequences must match. The size cap (344064 = 336 KiB) is
        // presumably sized to the reference samples; a larger carrier (packed
        // or padded build, dump with appended data) will not match, so treat a
        // miss on big inputs as "not evaluated" rather than "clean".
        7 of them and filesize < 344064
}
[TLP:WHITE] win_shifu_w0   (20170603 | Detects SHIFU Banking Trojan)
rule win_shifu_w0 {
	/* String-based signature for the Shifu banking trojan. A single
	 * high-confidence indicator ($x1, a PDB path) matches on its own;
	 * otherwise every one of the five supporting $s strings is required
	 * (see the condition comment). Hashes hash1..hash14 are the samples
	 * the rule was written against.
	 */
	meta:
		description = "Detects SHIFU Banking Trojan"
		author = "Florian Roth"
		contribution = "Daniel Plohmann"
		// Shortened URL; it may no longer resolve -- prefer the `source`
		// repository link below when tracing provenance.
		reference = "http://goo.gl/52n8WE"
		date = "2015-10-31"
		// Non-standard meta field: a rule-confidence score consumed by
		// tooling that understands it; plain YARA ignores it.
		score = 70
		hash1 = "0066d1c8053ff8b0c07418c7f8d20e5cd64007bb850944269f611febd0c1afe0"
		hash2 = "3956d32a870d81be34cafc867769b2a2f55a96360070f1cb3d9addc2918357d5"
		hash3 = "3fde1b2b50fcb36a695f1e6bc577cd930c2343066d98982cf982393e55bfce0d"
		hash4 = "457ad4a4d4e675fe09f63873ca3364434dc872dde7d9b64ce7db919eaff47485"
		hash5 = "51edba913e8b83d1388b1be975957e439015289d51d3d5774d501551f220df6f"
		hash6 = "6611a2b79a3acf0003b1197aa5bfe488a33db69b663c79c6c5b023e86818d38b"
		hash7 = "72e239924faebf8209f8e3d093f264f778a55efb56b619f26cea73b1c4feb7a4"
		hash8 = "7a29cb641b9ac33d1bb405d364bc6e9c7ce3e218a8ff295b75ca0922cf418290"
		hash9 = "92fe4f9a87c796e993820d1bda8040aced36e316de67c9c0c5fc71aadc41e0f8"
		hash10 = "93ecb6bd7c76e1b66f8c176418e73e274e2c705986d4ac9ede9d25db4091ab05"
		hash11 = "a0b7fac69a4eb32953c16597da753b15060f6eba452d150109ff8aabc2c56123"
		hash12 = "a8b6e798116ce0b268e2c9afac61536b8722e86b958bd2ee95c6ecdec86130c9"
		hash13 = "d6244c1177b679b3d67f6cec34fe0ae87fba21998d4f5024d8eeaf15ca242503"
		hash14 = "dcc9c38e695ffd121e793c91ca611a4025a116321443297f710a47ce06afb36d"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/shifu_trojan.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu"
        malpedia_version = "20170603"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
	strings:
		// Build-artifact PDB path; specific enough to match alone.
		$x1 = "\\Gather\\Dividerail.pdb" ascii

		// Supporting strings. $s1-$s3 look like Windows USER_PRIV_* constant
		// names and $s4 is a generic path format string, so individually they
		// are weak; the condition therefore only accepts them as a full set.
		$s0 = "\\payload\\payload.x86.pdb" ascii
		$s1 = "USER_PRIV_GUEST" fullword wide
		$s2 = "USER_PRIV_ADMIN" fullword wide
		$s3 = "USER_PRIV_USER" fullword wide
		$s4 = "%ws\\%ws" wide
	condition:
		// There are exactly five $s strings, so "5 of ($s*)" means all of them.
		($x1 or 5 of ($s*))
}