SYMBOLCOMMON_NAMEaka. SYNONYMS
win.shifu (Back to overview)

Shifu


Shifu was originally discovered by Trusteer security researchers (Ilya Kolmanovich, Denis Laskov) in the middle of 2015. It is a banking trojan mostly focusing on Japanese banks and has rich features for remote data extraction and control.

References
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2020-05-21Intel 471Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2017-01-06Palo Alto Networks Unit 42Dominik Reichel
@online{reichel:20170106:2016:f928ad2, author = {Dominik Reichel}, title = {{2016 Updates to Shifu Banking Trojan}}, date = {2017-01-06}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/}, language = {English}, urldate = {2019-12-20} } 2016 Updates to Shifu Banking Trojan
Shifu
2015-11-02Virus BulletinFloser Bacurio Jr., Wayne Low
@online{jr:20151102:shifu:700438c, author = {Floser Bacurio Jr. and Wayne Low}, title = {{Shifu – the rise of a self-destructive banking trojan}}, date = {2015-11-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2015/11/shifu-rise-self-destructive-banking-trojan}, language = {English}, urldate = {2020-01-09} } Shifu – the rise of a self-destructive banking trojan
Shifu
2015-08-31SecurityIntelligenceLimor Kessem, Ilya Kolmanovich, Denis Laskov
@online{kessem:20150831:shifu:389070d, author = {Limor Kessem and Ilya Kolmanovich and Denis Laskov}, title = {{Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks}}, date = {2015-08-31}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/}, language = {English}, urldate = {2020-10-23} } Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks
Shifu
Yara Rules
[TLP:WHITE] win_shifu_auto (20211008 | Detects win.shifu.)
rule win_shifu_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.shifu."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 3bd6 7cea ff750c 8b5510 ff750c 8d85fcfeffff e8???????? }
            // n = 7, score = 100
            //   3bd6                 | cmp                 edx, esi
            //   7cea                 | jl                  0xffffffec
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   8d85fcfeffff         | lea                 eax, dword ptr [ebp - 0x104]
            //   e8????????           |                     

        $sequence_1 = { 8bc4 85c0 7411 6886000000 6a08 ba???????? e8???????? }
            // n = 7, score = 100
            //   8bc4                 | mov                 eax, esp
            //   85c0                 | test                eax, eax
            //   7411                 | je                  0x13
            //   6886000000           | push                0x86
            //   6a08                 | push                8
            //   ba????????           |                     
            //   e8????????           |                     

        $sequence_2 = { 85db 7413 688d000000 6a08 8bc3 ba???????? e8???????? }
            // n = 7, score = 100
            //   85db                 | test                ebx, ebx
            //   7413                 | je                  0x15
            //   688d000000           | push                0x8d
            //   6a08                 | push                8
            //   8bc3                 | mov                 eax, ebx
            //   ba????????           |                     
            //   e8????????           |                     

        $sequence_3 = { 74f2 397518 7411 397520 740c ff7518 8b4520 }
            // n = 7, score = 100
            //   74f2                 | je                  0xfffffff4
            //   397518               | cmp                 dword ptr [ebp + 0x18], esi
            //   7411                 | je                  0x13
            //   397520               | cmp                 dword ptr [ebp + 0x20], esi
            //   740c                 | je                  0xe
            //   ff7518               | push                dword ptr [ebp + 0x18]
            //   8b4520               | mov                 eax, dword ptr [ebp + 0x20]

        $sequence_4 = { 7535 ff15???????? 6a28 5e 8945f8 895dfc e8???????? }
            // n = 7, score = 100
            //   7535                 | jne                 0x37
            //   ff15????????         |                     
            //   6a28                 | push                0x28
            //   5e                   | pop                 esi
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   e8????????           |                     

        $sequence_5 = { c745f804010000 8d4801 8a10 40 84d2 75f9 2bc1 }
            // n = 7, score = 100
            //   c745f804010000       | mov                 dword ptr [ebp - 8], 0x104
            //   8d4801               | lea                 ecx, dword ptr [eax + 1]
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   40                   | inc                 eax
            //   84d2                 | test                dl, dl
            //   75f9                 | jne                 0xfffffffb
            //   2bc1                 | sub                 eax, ecx

        $sequence_6 = { 7503 8d45fc 53 50 8d85b0feffff 50 ff15???????? }
            // n = 7, score = 100
            //   7503                 | jne                 5
            //   8d45fc               | lea                 eax, dword ptr [ebp - 4]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   8d85b0feffff         | lea                 eax, dword ptr [ebp - 0x150]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_7 = { 83c708 59 8bf3 f3a5 8b4d08 898134010000 e9???????? }
            // n = 7, score = 100
            //   83c708               | add                 edi, 8
            //   59                   | pop                 ecx
            //   8bf3                 | mov                 esi, ebx
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   898134010000         | mov                 dword ptr [ecx + 0x134], eax
            //   e9????????           |                     

        $sequence_8 = { 750f e8???????? c705????????01000000 b8???????? 59 c3 }
            // n = 6, score = 100
            //   750f                 | jne                 0x11
            //   e8????????           |                     
            //   c705????????01000000     |     
            //   b8????????           |                     
            //   59                   | pop                 ecx
            //   c3                   | ret                 

        $sequence_9 = { 56 ff75fc ff7508 50 e8???????? 85f6 7405 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   85f6                 | test                esi, esi
            //   7405                 | je                  7

    condition:
        7 of them and filesize < 344064
}
[TLP:WHITE] win_shifu_w0   (20170603 | Detects SHIFU Banking Trojan)
rule win_shifu_w0 {
	meta:
		description = "Detects SHIFU Banking Trojan"
		author = "Florian Roth"
		contribution = "Daniel Plohmann"
		reference = "http://goo.gl/52n8WE"
		date = "2015-10-31"
		score = 70
		hash = "0066d1c8053ff8b0c07418c7f8d20e5cd64007bb850944269f611febd0c1afe0"
		hash = "3956d32a870d81be34cafc867769b2a2f55a96360070f1cb3d9addc2918357d5"
		hash = "3fde1b2b50fcb36a695f1e6bc577cd930c2343066d98982cf982393e55bfce0d"
		hash = "457ad4a4d4e675fe09f63873ca3364434dc872dde7d9b64ce7db919eaff47485"
		hash = "51edba913e8b83d1388b1be975957e439015289d51d3d5774d501551f220df6f"
		hash = "6611a2b79a3acf0003b1197aa5bfe488a33db69b663c79c6c5b023e86818d38b"
		hash = "72e239924faebf8209f8e3d093f264f778a55efb56b619f26cea73b1c4feb7a4"
		hash = "7a29cb641b9ac33d1bb405d364bc6e9c7ce3e218a8ff295b75ca0922cf418290"
		hash = "92fe4f9a87c796e993820d1bda8040aced36e316de67c9c0c5fc71aadc41e0f8"
		hash = "93ecb6bd7c76e1b66f8c176418e73e274e2c705986d4ac9ede9d25db4091ab05"
		hash = "a0b7fac69a4eb32953c16597da753b15060f6eba452d150109ff8aabc2c56123"
		hash = "a8b6e798116ce0b268e2c9afac61536b8722e86b958bd2ee95c6ecdec86130c9"
		hash = "d6244c1177b679b3d67f6cec34fe0ae87fba21998d4f5024d8eeaf15ca242503"
		hash = "dcc9c38e695ffd121e793c91ca611a4025a116321443297f710a47ce06afb36d"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/shifu_trojan.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu"
        malpedia_version = "20170603"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
	strings:
		$x1 = "\\Gather\\Dividerail.pdb" ascii

		$s0 = "\\payload\\payload.x86.pdb" ascii
		$s1 = "USER_PRIV_GUEST" fullword wide
		$s2 = "USER_PRIV_ADMIN" fullword wide
		$s3 = "USER_PRIV_USER" fullword wide
		$s4 = "%ws\\%ws" wide
	condition:
		($x1 or 5 of ($s*))
}
Download all Yara Rules