win.shifu

Shifu


Shifu was first described in mid-2015 by Trusteer security researchers Ilya Kolmanovich and Denis Laskov. It is a banking trojan that has mainly targeted Japanese banks, and it carries a rich feature set for remote data exfiltration and remote control of the infected host.

References
2021-09-03 — Trend Micro — Mohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2020-05-21 — Intel 471 — Intel 471
A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-03-03 — PWC UK — PWC UK
Cyber Threats 2019: A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2017-01-06 — Palo Alto Networks Unit 42 — Dominik Reichel
2016 Updates to Shifu Banking Trojan
Shifu
2015-11-02 — Virus Bulletin — Floser Bacurio Jr., Wayne Low
Shifu – the rise of a self-destructive banking trojan
Shifu
2015-08-31 — SecurityIntelligence — Denis Laskov, Ilya Kolmanovich, Limor Kessem
Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks
Shifu
Yara Rules
[TLP:WHITE] win_shifu_auto (20230808 | Detects win.shifu.)
rule win_shifu_auto {
    // Auto-generated code-pattern rule for Shifu (Malpedia family win.shifu).
    // Each $sequence_N is a short run of x86 instruction bytes taken from the
    // disassembly of unpacked samples / memory dumps. The `??` bytes wildcard
    // call/jump targets and data references (per signator_config below), so a
    // match does not depend on the image's load address or relocation.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): three different dates appear in this block (date,
        // malpedia_rule_date, malpedia_version) and the page header shows
        // 20230808. Presumably `date` is the generation run and
        // malpedia_version the dataset snapshot - confirm before relying on
        // any of them for rule-provenance tracking.
        date = "2023-12-06"
        version = "1"
        description = "Detects win.shifu."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Conditional branch followed by argument set-up (push edi, push 0x1b,
        // mov edx, imm32); the immediate is wildcarded as a data reference.
        $sequence_0 = { 85c0 740d 57 6a1b ba???????? }
            // n = 5, score = 100
            //   85c0                 | test                eax, eax
            //   740d                 | je                  0xf
            //   57                   | push                edi
            //   6a1b                 | push                0x1b
            //   ba????????           |                     

        // Indirect call through esi with two pushed args (0x24 and [ebp+8]),
        // then a local-buffer address is pushed for the next call.
        $sequence_1 = { 6a24 ff7508 ffd6 53 8d45f0 50 }
            // n = 6, score = 100
            //   6a24                 | push                0x24
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ffd6                 | call                esi
            //   53                   | push                ebx
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax

        // Byte-fetch loop body: indexes a table at [edx + ebx + 0x100] and
        // sign-extends a byte out of it (looks like a parser/decoder step).
        $sequence_2 = { 83651800 8d941a00010000 895508 8b5510 0fbe1410 89550c 85c9 }
            // n = 7, score = 100
            //   83651800             | and                 dword ptr [ebp + 0x18], 0
            //   8d941a00010000       | lea                 edx, [edx + ebx + 0x100]
            //   895508               | mov                 dword ptr [ebp + 8], edx
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   0fbe1410             | movsx               edx, byte ptr [eax + edx]
            //   89550c               | mov                 dword ptr [ebp + 0xc], edx
            //   85c9                 | test                ecx, ecx

        // Two relative calls (targets wildcarded) bracketing a clear of a global
        // dword (and [imm32], 0) and a 0x104-byte stack buffer address; 0x104 is
        // MAX_PATH-sized, so presumably a path buffer - confirm.
        $sequence_3 = { 740c e8???????? 8325????????00 8d85fcfeffff e8???????? }
            // n = 5, score = 100
            //   740c                 | je                  0xe
            //   e8????????           |                     
            //   8325????????00       |                     
            //   8d85fcfeffff         | lea                 eax, [ebp - 0x104]
            //   e8????????           |                     

        // Call through an import slot (ff15 [imm32], wildcarded) followed by a
        // non-zero check and a pointer computed as edi + esi + 1.
        $sequence_4 = { 50 ff75f4 ff15???????? 85c0 7511 ff75f0 8d443701 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7511                 | jne                 0x13
            //   ff75f0               | push                dword ptr [ebp - 0x10]
            //   8d443701             | lea                 eax, [edi + esi + 1]

        // Stores the 16-bit constants 0xb17 and 0x14 into word slots of a large
        // (~0x388-byte) stack frame; looks like a structure being populated
        // field by field - the constants' meaning is not visible here.
        $sequence_5 = { 668985a2fcffff b8170b0000 66898578fcffff 6a14 58 6689857afcffff 8b4348 }
            // n = 7, score = 100
            //   668985a2fcffff       | mov                 word ptr [ebp - 0x35e], ax
            //   b8170b0000           | mov                 eax, 0xb17
            //   66898578fcffff       | mov                 word ptr [ebp - 0x388], ax
            //   6a14                 | push                0x14
            //   58                   | pop                 eax
            //   6689857afcffff       | mov                 word ptr [ebp - 0x386], ax
            //   8b4348               | mov                 eax, dword ptr [ebx + 0x48]

        // Cursor/length bookkeeping: advances ecx by 2 while decrementing a
        // remaining-length counter at [ebp+0xc] by 2 (word-sized stepping).
        $sequence_6 = { 83c102 836d0c02 eb2d 8bd9 8b4f2c 2bd8 035de8 }
            // n = 7, score = 100
            //   83c102               | add                 ecx, 2
            //   836d0c02             | sub                 dword ptr [ebp + 0xc], 2
            //   eb2d                 | jmp                 0x2f
            //   8bd9                 | mov                 ebx, ecx
            //   8b4f2c               | mov                 ecx, dword ptr [edi + 0x2c]
            //   2bd8                 | sub                 ebx, eax
            //   035de8               | add                 ebx, dword ptr [ebp - 0x18]

        // Saves esi and esp into the frame around a relative call; the
        // `push 0xc / pop eax` idiom loads a small constant in 3 bytes.
        $sequence_7 = { 8975e4 6a0c 58 e8???????? 8965e8 8bfc 3bfe }
            // n = 7, score = 100
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi
            //   6a0c                 | push                0xc
            //   58                   | pop                 eax
            //   e8????????           |                     
            //   8965e8               | mov                 dword ptr [ebp - 0x18], esp
            //   8bfc                 | mov                 edi, esp
            //   3bfe                 | cmp                 edi, esi

        // Spans a function boundary: the tail of one function (return 0 via
        // xor eax,eax / leave / ret 0xc - a callee-cleanup return popping 12
        // bytes of arguments) into the prologue of the next (push ebp / mov
        // ebp,esp). It therefore depends on these two functions being laid out
        // adjacently by the compiler/linker.
        $sequence_8 = { 33c0 5e c9 c20c00 55 8bec 85c9 }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c20c00               | ret                 0xc
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   85c9                 | test                ecx, ecx

        // Passes a 0x118-byte stack buffer to an import-slot call (ff15,
        // wildcarded), then reloads the same buffer address after the call;
        // `add esp, 0x10` cleans four dword arguments (cdecl-style caller cleanup).
        $sequence_9 = { 56 8d85e8feffff 53 50 ff15???????? 8d85e8feffff 83c410 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   8d85e8feffff         | lea                 eax, [ebp - 0x118]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d85e8feffff         | lea                 eax, [ebp - 0x118]
            //   83c410               | add                 esp, 0x10

    condition:
        // 7 of the 10 code sequences must be present. The filesize bound caps
        // scan cost and excludes large unrelated binaries; per the YARA docs
        // `filesize` is only available when scanning a file (not process
        // memory), so confirm this rule still fires for your deployment if you
        // scan live processes rather than files or dumps.
        7 of them and filesize < 344064
}
[TLP:WHITE] win_shifu_w0   (20170603 | Detects SHIFU Banking Trojan)
rule win_shifu_w0 {
    // Hand-written string rule for the Shifu banking trojan (Malpedia win.shifu).
    // Matches either a single high-confidence build artefact ($x1) or the full
    // set of weaker, individually generic strings ($s0-$s4).
    meta:
        description = "Detects SHIFU Banking Trojan"
        author = "Florian Roth"
        contribution = "Daniel Plohmann"
        // NOTE(review): short link; goo.gl redirects may no longer resolve.
        // The Shifu reports in the Malpedia reference list cover this rule's era.
        reference = "http://goo.gl/52n8WE"
        date = "2015-10-31"
        // Author's confidence score (0-100) - an informational meta value,
        // not used by the condition.
        score = 70
        // SHA-256 hashes of the samples the rule was written against.
        hash = "0066d1c8053ff8b0c07418c7f8d20e5cd64007bb850944269f611febd0c1afe0"
        hash = "3956d32a870d81be34cafc867769b2a2f55a96360070f1cb3d9addc2918357d5"
        hash = "3fde1b2b50fcb36a695f1e6bc577cd930c2343066d98982cf982393e55bfce0d"
        hash = "457ad4a4d4e675fe09f63873ca3364434dc872dde7d9b64ce7db919eaff47485"
        hash = "51edba913e8b83d1388b1be975957e439015289d51d3d5774d501551f220df6f"
        hash = "6611a2b79a3acf0003b1197aa5bfe488a33db69b663c79c6c5b023e86818d38b"
        hash = "72e239924faebf8209f8e3d093f264f778a55efb56b619f26cea73b1c4feb7a4"
        hash = "7a29cb641b9ac33d1bb405d364bc6e9c7ce3e218a8ff295b75ca0922cf418290"
        hash = "92fe4f9a87c796e993820d1bda8040aced36e316de67c9c0c5fc71aadc41e0f8"
        hash = "93ecb6bd7c76e1b66f8c176418e73e274e2c705986d4ac9ede9d25db4091ab05"
        hash = "a0b7fac69a4eb32953c16597da753b15060f6eba452d150109ff8aabc2c56123"
        hash = "a8b6e798116ce0b268e2c9afac61536b8722e86b958bd2ee95c6ecdec86130c9"
        hash = "d6244c1177b679b3d67f6cec34fe0ae87fba21998d4f5024d8eeaf15ca242503"
        hash = "dcc9c38e695ffd121e793c91ca611a4025a116321443297f710a47ce06afb36d"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/shifu_trojan.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu"
        malpedia_version = "20170603"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Debug-symbol (PDB) path left in the binary by the build. Unusual
        // enough to be treated as sufficient on its own.
        $x1 = "\\Gather\\Dividerail.pdb" ascii

        // Supporting strings. A generic-looking PDB path, three wide strings
        // that look like the USER_PRIV_* account-privilege constant names,
        // and a two-component wide path format string. Each is plausible in
        // benign software, which is why the condition requires all five.
        $s0 = "\\payload\\payload.x86.pdb" ascii
        $s1 = "USER_PRIV_GUEST" fullword wide
        $s2 = "USER_PRIV_ADMIN" fullword wide
        $s3 = "USER_PRIV_USER" fullword wide
        $s4 = "%ws\\%ws" wide

    condition:
        // Exactly five $s strings exist, so "all of ($s*)" is the same
        // requirement as "5 of ($s*)".
        $x1 or all of ($s*)
}