SYMBOLCOMMON_NAMEaka. SYNONYMS
win.shifu (Back to overview)

Shifu

VTCollection    

Shifu was originally discovered by Trusteer security researchers (Ilya Kolmanovich, Denis Laskov) in the middle of 2015. It is a banking trojan mostly focusing on Japanese banks and has rich features for remote data extraction and control.

References
2021-09-03Trend MicroMohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2020-05-21Intel 471Intel 471
A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-03-03PWC UKPWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2017-01-06Palo Alto Networks Unit 42Dominik Reichel
2016 Updates to Shifu Banking Trojan
Shifu
2015-11-02Virus BulletinFloser Bacurio Jr., Wayne Low
Shifu – the rise of a self-destructive banking trojan
Shifu
2015-08-31SecurityIntelligenceDenis Laskov, Ilya Kolmanovich, Limor Kessem
Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks
Shifu
Yara Rules
[TLP:WHITE] win_shifu_auto (20251219 | Detects win.shifu.)
rule win_shifu_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.shifu."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 895dfc 6a08 58 e8???????? 8bc4 85c0 7411 }
            // n = 7, score = 100
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   6a08                 | push                8
            //   58                   | pop                 eax
            //   e8????????           |                     
            //   8bc4                 | mov                 eax, esp
            //   85c0                 | test                eax, eax
            //   7411                 | je                  0x13

        $sequence_1 = { 56 e8???????? 85c0 0f848d010000 ff7508 683a041000 e8???????? }
            // n = 7, score = 100
            //   56                   | push                esi
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f848d010000         | je                  0x193
            //   ff7508               | push                dword ptr [ebp + 8]
            //   683a041000           | push                0x10043a
            //   e8????????           |                     

        $sequence_2 = { 83c420 f644242010 741c 6a04 6a00 ff742418 e8???????? }
            // n = 7, score = 100
            //   83c420               | add                 esp, 0x20
            //   f644242010           | test                byte ptr [esp + 0x20], 0x10
            //   741c                 | je                  0x1e
            //   6a04                 | push                4
            //   6a00                 | push                0
            //   ff742418             | push                dword ptr [esp + 0x18]
            //   e8????????           |                     

        $sequence_3 = { 83c604 833e00 75a3 83c714 8b470c 85c0 0f8573ffffff }
            // n = 7, score = 100
            //   83c604               | add                 esi, 4
            //   833e00               | cmp                 dword ptr [esi], 0
            //   75a3                 | jne                 0xffffffa5
            //   83c714               | add                 edi, 0x14
            //   8b470c               | mov                 eax, dword ptr [edi + 0xc]
            //   85c0                 | test                eax, eax
            //   0f8573ffffff         | jne                 0xffffff79

        $sequence_4 = { 6800200000 57 57 6a02 ff15???????? 8bd8 3bdf }
            // n = 7, score = 100
            //   6800200000           | push                0x2000
            //   57                   | push                edi
            //   57                   | push                edi
            //   6a02                 | push                2
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   3bdf                 | cmp                 ebx, edi

        $sequence_5 = { 7516 6aff 53 ff15???????? 83f8ff 7408 53 }
            // n = 7, score = 100
            //   7516                 | jne                 0x18
            //   6aff                 | push                -1
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   83f8ff               | cmp                 eax, -1
            //   7408                 | je                  0xa
            //   53                   | push                ebx

        $sequence_6 = { 85c0 7540 3945f4 7447 ff15???????? 8b75f8 8365f400 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   7540                 | jne                 0x42
            //   3945f4               | cmp                 dword ptr [ebp - 0xc], eax
            //   7447                 | je                  0x49
            //   ff15????????         |                     
            //   8b75f8               | mov                 esi, dword ptr [ebp - 8]
            //   8365f400             | and                 dword ptr [ebp - 0xc], 0

        $sequence_7 = { 50 68060000c8 56 c7442430b907a225 c744243660468ee9 c744243a76e58c74 66c744243e063e }
            // n = 7, score = 100
            //   50                   | push                eax
            //   68060000c8           | push                0xc8000006
            //   56                   | push                esi
            //   c7442430b907a225     | mov                 dword ptr [esp + 0x30], 0x25a207b9
            //   c744243660468ee9     | mov                 dword ptr [esp + 0x36], 0xe98e4660
            //   c744243a76e58c74     | mov                 dword ptr [esp + 0x3a], 0x748ce576
            //   66c744243e063e       | mov                 word ptr [esp + 0x3e], 0x3e06

        $sequence_8 = { 50 ff15???????? 6a10 58 e8???????? 8bc4 3bc7 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   6a10                 | push                0x10
            //   58                   | pop                 eax
            //   e8????????           |                     
            //   8bc4                 | mov                 eax, esp
            //   3bc7                 | cmp                 eax, edi

        $sequence_9 = { e8???????? 50 ffd6 893d???????? 3bc7 740a c705????????01000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   893d????????         |                     
            //   3bc7                 | cmp                 eax, edi
            //   740a                 | je                  0xc
            //   c705????????01000000     |     

    condition:
        7 of them and filesize < 344064
}
[TLP:WHITE] win_shifu_w0   (20170603 | Detects SHIFU Banking Trojan)
rule win_shifu_w0 {
	meta:
		description = "Detects SHIFU Banking Trojan"
		author = "Florian Roth"
		contribution = "Daniel Plohmann"
		reference = "http://goo.gl/52n8WE"
		date = "2015-10-31"
		score = 70
		hash = "0066d1c8053ff8b0c07418c7f8d20e5cd64007bb850944269f611febd0c1afe0"
		hash = "3956d32a870d81be34cafc867769b2a2f55a96360070f1cb3d9addc2918357d5"
		hash = "3fde1b2b50fcb36a695f1e6bc577cd930c2343066d98982cf982393e55bfce0d"
		hash = "457ad4a4d4e675fe09f63873ca3364434dc872dde7d9b64ce7db919eaff47485"
		hash = "51edba913e8b83d1388b1be975957e439015289d51d3d5774d501551f220df6f"
		hash = "6611a2b79a3acf0003b1197aa5bfe488a33db69b663c79c6c5b023e86818d38b"
		hash = "72e239924faebf8209f8e3d093f264f778a55efb56b619f26cea73b1c4feb7a4"
		hash = "7a29cb641b9ac33d1bb405d364bc6e9c7ce3e218a8ff295b75ca0922cf418290"
		hash = "92fe4f9a87c796e993820d1bda8040aced36e316de67c9c0c5fc71aadc41e0f8"
		hash = "93ecb6bd7c76e1b66f8c176418e73e274e2c705986d4ac9ede9d25db4091ab05"
		hash = "a0b7fac69a4eb32953c16597da753b15060f6eba452d150109ff8aabc2c56123"
		hash = "a8b6e798116ce0b268e2c9afac61536b8722e86b958bd2ee95c6ecdec86130c9"
		hash = "d6244c1177b679b3d67f6cec34fe0ae87fba21998d4f5024d8eeaf15ca242503"
		hash = "dcc9c38e695ffd121e793c91ca611a4025a116321443297f710a47ce06afb36d"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/shifu_trojan.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu"
        malpedia_version = "20170603"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
	strings:
		$x1 = "\\Gather\\Dividerail.pdb" ascii

		$s0 = "\\payload\\payload.x86.pdb" ascii
		$s1 = "USER_PRIV_GUEST" fullword wide
		$s2 = "USER_PRIV_ADMIN" fullword wide
		$s3 = "USER_PRIV_USER" fullword wide
		$s4 = "%ws\\%ws" wide
	condition:
		($x1 or 5 of ($s*))
}
Download all Yara Rules