SYMBOLCOMMON_NAMEaka. SYNONYMS
win.shifu (Back to overview)

Shifu


Shifu was originally discovered by Trusteer security researchers (Ilya Kolmanovich, Denis Laskov) in the middle of 2015. It is a banking trojan mostly focusing on Japanese banks and has rich features for remote data extraction and control.

References
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2020-05-21Intel 471Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://intel471.com/blog/a-brief-history-of-ta505}, language = {English}, urldate = {2022-02-14} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2017-01-06Palo Alto Networks Unit 42Dominik Reichel
@online{reichel:20170106:2016:f928ad2, author = {Dominik Reichel}, title = {{2016 Updates to Shifu Banking Trojan}}, date = {2017-01-06}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/}, language = {English}, urldate = {2019-12-20} } 2016 Updates to Shifu Banking Trojan
Shifu
2015-11-02Virus BulletinFloser Bacurio Jr., Wayne Low
@online{jr:20151102:shifu:700438c, author = {Floser Bacurio Jr. and Wayne Low}, title = {{Shifu – the rise of a self-destructive banking trojan}}, date = {2015-11-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2015/11/shifu-rise-self-destructive-banking-trojan}, language = {English}, urldate = {2020-01-09} } Shifu – the rise of a self-destructive banking trojan
Shifu
2015-08-31SecurityIntelligenceLimor Kessem, Ilya Kolmanovich, Denis Laskov
@online{kessem:20150831:shifu:389070d, author = {Limor Kessem and Ilya Kolmanovich and Denis Laskov}, title = {{Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks}}, date = {2015-08-31}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/}, language = {English}, urldate = {2020-10-23} } Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks
Shifu
Yara Rules
[TLP:WHITE] win_shifu_auto (20230715 | Detects win.shifu.)
rule win_shifu_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.shifu."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33ff 8b1d???????? 397df8 7405 ff75f8 ffd3 397dfc }
            // n = 7, score = 100
            //   33ff                 | xor                 edi, edi
            //   8b1d????????         |                     
            //   397df8               | cmp                 dword ptr [ebp - 8], edi
            //   7405                 | je                  7
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   ffd3                 | call                ebx
            //   397dfc               | cmp                 dword ptr [ebp - 4], edi

        $sequence_1 = { e8???????? 85c0 7509 e8???????? 85c0 740a e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7509                 | jne                 0xb
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   740a                 | je                  0xc
            //   e8????????           |                     

        $sequence_2 = { 881c11 ff07 8b0f 8b8660af0100 8a9659af0100 8b5d08 881401 }
            // n = 7, score = 100
            //   881c11               | mov                 byte ptr [ecx + edx], bl
            //   ff07                 | inc                 dword ptr [edi]
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   8b8660af0100         | mov                 eax, dword ptr [esi + 0x1af60]
            //   8a9659af0100         | mov                 dl, byte ptr [esi + 0x1af59]
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   881401               | mov                 byte ptr [ecx + eax], dl

        $sequence_3 = { ff75f8 e8???????? 85c0 7532 395d0c 7478 ffd7 }
            // n = 7, score = 100
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7532                 | jne                 0x34
            //   395d0c               | cmp                 dword ptr [ebp + 0xc], ebx
            //   7478                 | je                  0x7a
            //   ffd7                 | call                edi

        $sequence_4 = { 57 8b7818 8b4014 03d6 03ce 03de }
            // n = 6, score = 100
            //   57                   | push                edi
            //   8b7818               | mov                 edi, dword ptr [eax + 0x18]
            //   8b4014               | mov                 eax, dword ptr [eax + 0x14]
            //   03d6                 | add                 edx, esi
            //   03ce                 | add                 ecx, esi
            //   03de                 | add                 ebx, esi

        $sequence_5 = { 58 e8???????? 8bc4 bf8c000000 85c0 740d 57 }
            // n = 7, score = 100
            //   58                   | pop                 eax
            //   e8????????           |                     
            //   8bc4                 | mov                 eax, esp
            //   bf8c000000           | mov                 edi, 0x8c
            //   85c0                 | test                eax, eax
            //   740d                 | je                  0xf
            //   57                   | push                edi

        $sequence_6 = { f7da 897de0 89bd48ffffff 8945f8 89bd0cffffff 897dd8 897dec }
            // n = 7, score = 100
            //   f7da                 | neg                 edx
            //   897de0               | mov                 dword ptr [ebp - 0x20], edi
            //   89bd48ffffff         | mov                 dword ptr [ebp - 0xb8], edi
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   89bd0cffffff         | mov                 dword ptr [ebp - 0xf4], edi
            //   897dd8               | mov                 dword ptr [ebp - 0x28], edi
            //   897dec               | mov                 dword ptr [ebp - 0x14], edi

        $sequence_7 = { 740d ff35???????? 56 57 e8???????? c705????????01000000 }
            // n = 6, score = 100
            //   740d                 | je                  0xf
            //   ff35????????         |                     
            //   56                   | push                esi
            //   57                   | push                edi
            //   e8????????           |                     
            //   c705????????01000000     |     

        $sequence_8 = { 85db 7401 4b 83fb01 734a 837de800 7417 }
            // n = 7, score = 100
            //   85db                 | test                ebx, ebx
            //   7401                 | je                  3
            //   4b                   | dec                 ebx
            //   83fb01               | cmp                 ebx, 1
            //   734a                 | jae                 0x4c
            //   837de800             | cmp                 dword ptr [ebp - 0x18], 0
            //   7417                 | je                  0x19

        $sequence_9 = { 7405 80fbef 7506 097e1b 09461f b900004000 }
            // n = 6, score = 100
            //   7405                 | je                  7
            //   80fbef               | cmp                 bl, 0xef
            //   7506                 | jne                 8
            //   097e1b               | or                  dword ptr [esi + 0x1b], edi
            //   09461f               | or                  dword ptr [esi + 0x1f], eax
            //   b900004000           | mov                 ecx, 0x400000

    condition:
        7 of them and filesize < 344064
}
[TLP:WHITE] win_shifu_w0   (20170603 | Detects SHIFU Banking Trojan)
rule win_shifu_w0 {
	meta:
		description = "Detects SHIFU Banking Trojan"
		author = "Florian Roth"
		contribution = "Daniel Plohmann"
		reference = "http://goo.gl/52n8WE"
		date = "2015-10-31"
		score = 70
		hash = "0066d1c8053ff8b0c07418c7f8d20e5cd64007bb850944269f611febd0c1afe0"
		hash = "3956d32a870d81be34cafc867769b2a2f55a96360070f1cb3d9addc2918357d5"
		hash = "3fde1b2b50fcb36a695f1e6bc577cd930c2343066d98982cf982393e55bfce0d"
		hash = "457ad4a4d4e675fe09f63873ca3364434dc872dde7d9b64ce7db919eaff47485"
		hash = "51edba913e8b83d1388b1be975957e439015289d51d3d5774d501551f220df6f"
		hash = "6611a2b79a3acf0003b1197aa5bfe488a33db69b663c79c6c5b023e86818d38b"
		hash = "72e239924faebf8209f8e3d093f264f778a55efb56b619f26cea73b1c4feb7a4"
		hash = "7a29cb641b9ac33d1bb405d364bc6e9c7ce3e218a8ff295b75ca0922cf418290"
		hash = "92fe4f9a87c796e993820d1bda8040aced36e316de67c9c0c5fc71aadc41e0f8"
		hash = "93ecb6bd7c76e1b66f8c176418e73e274e2c705986d4ac9ede9d25db4091ab05"
		hash = "a0b7fac69a4eb32953c16597da753b15060f6eba452d150109ff8aabc2c56123"
		hash = "a8b6e798116ce0b268e2c9afac61536b8722e86b958bd2ee95c6ecdec86130c9"
		hash = "d6244c1177b679b3d67f6cec34fe0ae87fba21998d4f5024d8eeaf15ca242503"
		hash = "dcc9c38e695ffd121e793c91ca611a4025a116321443297f710a47ce06afb36d"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/shifu_trojan.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu"
        malpedia_version = "20170603"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
	strings:
		$x1 = "\\Gather\\Dividerail.pdb" ascii

		$s0 = "\\payload\\payload.x86.pdb" ascii
		$s1 = "USER_PRIV_GUEST" fullword wide
		$s2 = "USER_PRIV_ADMIN" fullword wide
		$s3 = "USER_PRIV_USER" fullword wide
		$s4 = "%ws\\%ws" wide
	condition:
		($x1 or 5 of ($s*))
}
Download all Yara Rules