win.shifu

Shifu


Shifu was first documented by Trusteer security researchers (Ilya Kolmanovich, Denis Laskov) in mid-2015. It is a banking trojan that, at the time of the initial report, targeted mainly Japanese banks (14 institutions according to the 2015 SecurityIntelligence write-up) and has rich features for remote data theft and control of the infected host. The later references below cover its 2016 updates (Unit 42) and list it among families seen in TA505-associated activity (Intel 471).

References
2020-05-21Intel 471Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2017-01-06Palo Alto Networks Unit 42Dominik Reichel
@online{reichel:20170106:2016:f928ad2, author = {Dominik Reichel}, title = {{2016 Updates to Shifu Banking Trojan}}, date = {2017-01-06}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/}, language = {English}, urldate = {2019-12-20} } 2016 Updates to Shifu Banking Trojan
Shifu
2015-11-02Virus BulletinFloser Bacurio Jr., Wayne Low
@online{jr:20151102:shifu:700438c, author = {Floser Bacurio Jr. and Wayne Low}, title = {{Shifu – the rise of a self-destructive banking trojan}}, date = {2015-11-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2015/11/shifu-rise-self-destructive-banking-trojan}, language = {English}, urldate = {2020-01-09} } Shifu – the rise of a self-destructive banking trojan
Shifu
2015-08-31SecurityIntelligenceLimor Kessem, Ilya Kolmanovich, Denis Laskov
@online{kessem:20150831:shifu:389070d, author = {Limor Kessem and Ilya Kolmanovich and Denis Laskov}, title = {{Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks}}, date = {2015-08-31}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/}, language = {English}, urldate = {2020-10-23} } Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks
Shifu
Yara Rules
[TLP:WHITE] win_shifu_auto (20210616 | Detects win.shifu.)
rule win_shifu_auto {

    /* Auto-generated code-sequence rule for the Shifu banking trojan.
     * Each $sequence_N is a short run of x86 instruction bytes lifted from the
     * disassembly of unpacked samples (see DISCLAIMER below); the inline
     * comments give the decoded instruction for each byte group. Operands that
     * encode a displacement or absolute address (the rel32 after e8 call /
     * e9 jmp, the moffs32 after a1) are wildcarded as ????????, presumably
     * because they differ between builds and load addresses.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.shifu."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Because the sequences were taken from unpacked code, a packed on-disk
    // Shifu sample is not expected to match until it has been unpacked or dumped.
    strings:
        $sequence_0 = { 8b5de4 8d4dfc 51 6a04 33f6 46 56 }
            // n = 7, score = 100
            //   8b5de4               | mov                 ebx, dword ptr [ebp - 0x1c]
            //   8d4dfc               | lea                 ecx, dword ptr [ebp - 4]
            //   51                   | push                ecx
            //   6a04                 | push                4
            //   33f6                 | xor                 esi, esi
            //   46                   | inc                 esi
            //   56                   | push                esi

        $sequence_1 = { 50 e8???????? 8d8608010000 50 8d4604 50 e8???????? }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d8608010000         | lea                 eax, dword ptr [esi + 0x108]
            //   50                   | push                eax
            //   8d4604               | lea                 eax, dword ptr [esi + 4]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_2 = { e8???????? 8bf4 85f6 740f 57 6a02 8bc6 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bf4                 | mov                 esi, esp
            //   85f6                 | test                esi, esi
            //   740f                 | je                  0x11
            //   57                   | push                edi
            //   6a02                 | push                2
            //   8bc6                 | mov                 eax, esi

        $sequence_3 = { 8d7001 8a10 40 84d2 75f9 2bc6 8db40808020000 }
            // n = 7, score = 100
            //   8d7001               | lea                 esi, dword ptr [eax + 1]
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   40                   | inc                 eax
            //   84d2                 | test                dl, dl
            //   75f9                 | jne                 0xfffffffb
            //   2bc6                 | sub                 eax, esi
            //   8db40808020000       | lea                 esi, dword ptr [eax + ecx + 0x208]

        $sequence_4 = { 43 3bde 7cd1 6aff 6a01 8d85e8fbffff 50 }
            // n = 7, score = 100
            //   43                   | inc                 ebx
            //   3bde                 | cmp                 ebx, esi
            //   7cd1                 | jl                  0xffffffd3
            //   6aff                 | push                -1
            //   6a01                 | push                1
            //   8d85e8fbffff         | lea                 eax, dword ptr [ebp - 0x418]
            //   50                   | push                eax

        $sequence_5 = { 83650c00 85f6 7405 e8???????? 6a2e 5e e8???????? }
            // n = 7, score = 100
            //   83650c00             | and                 dword ptr [ebp + 0xc], 0
            //   85f6                 | test                esi, esi
            //   7405                 | je                  7
            //   e8????????           |                     
            //   6a2e                 | push                0x2e
            //   5e                   | pop                 esi
            //   e8????????           |                     

        $sequence_6 = { c1e110 014808 8b471c ff07 895dfc c70004000000 8b4704 }
            // n = 7, score = 100
            //   c1e110               | shl                 ecx, 0x10
            //   014808               | add                 dword ptr [eax + 8], ecx
            //   8b471c               | mov                 eax, dword ptr [edi + 0x1c]
            //   ff07                 | inc                 dword ptr [edi]
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   c70004000000         | mov                 dword ptr [eax], 4
            //   8b4704               | mov                 eax, dword ptr [edi + 4]

        $sequence_7 = { 8b5d08 56 57 33ff bea8af0600 897d08 e8???????? }
            // n = 7, score = 100
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   56                   | push                esi
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   bea8af0600           | mov                 esi, 0x6afa8
            //   897d08               | mov                 dword ptr [ebp + 8], edi
            //   e8????????           |                     

        $sequence_8 = { ff45f8 837df80f 0f8c11ffffff e9???????? a1???????? 83f8ff 740f }
            // n = 7, score = 100
            //   ff45f8               | inc                 dword ptr [ebp - 8]
            //   837df80f             | cmp                 dword ptr [ebp - 8], 0xf
            //   0f8c11ffffff         | jl                  0xffffff17
            //   e9????????           |                     
            //   a1????????           |                     
            //   83f8ff               | cmp                 eax, -1
            //   740f                 | je                  0x11

        $sequence_9 = { 33c0 56 57 33db 885dd4 8d7dd5 ab }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   56                   | push                esi
            //   57                   | push                edi
            //   33db                 | xor                 ebx, ebx
            //   885dd4               | mov                 byte ptr [ebp - 0x2c], bl
            //   8d7dd5               | lea                 edi, dword ptr [ebp - 0x2b]
            //   ab                   | stosd               dword ptr es:[edi], eax

    condition:
        // Requires 7 of the 10 sequences, so a variant may lose up to three of
        // them without evading the rule. The size cap (344064 = 336 KiB) was
        // presumably derived from the sample set.
        // NOTE(review): YARA's filesize is only defined when scanning a file, so
        // this condition is not expected to be satisfiable on process-memory
        // scans; guard or drop the filesize term for that use case (confirm
        // against the YARA version in use).
        7 of them and filesize < 344064
}
[TLP:WHITE] win_shifu_w0 (20170603 | Detects SHIFU Banking Trojan)
rule win_shifu_w0 {
	/* Hand-written Shifu rule. Fires on a single leaked PDB path ($x1), or on
	 * all five $s strings together. The $s strings are weak individually: the
	 * USER_PRIV_* names mirror the Win32 user-privilege constant names and
	 * "%ws\\%ws" is a generic wide-string path format, both of which can occur
	 * in benign binaries, so the condition never accepts a subset of them. */
	meta:
		description = "Detects SHIFU Banking Trojan"
		author = "Florian Roth"
		contribution = "Daniel Plohmann"
		// NOTE(review): goo.gl short links have been deprecated and may no longer
		// resolve; the full reports are listed on the Malpedia entry named in
		// malpedia_reference below.
		reference = "http://goo.gl/52n8WE"
		date = "2015-10-31"
		// Author's confidence score (0-100 convention); presumably medium confidence
		score = 70
		// SHA-256 of the samples the rule was presumably developed against
		hash = "0066d1c8053ff8b0c07418c7f8d20e5cd64007bb850944269f611febd0c1afe0"
		hash = "3956d32a870d81be34cafc867769b2a2f55a96360070f1cb3d9addc2918357d5"
		hash = "3fde1b2b50fcb36a695f1e6bc577cd930c2343066d98982cf982393e55bfce0d"
		hash = "457ad4a4d4e675fe09f63873ca3364434dc872dde7d9b64ce7db919eaff47485"
		hash = "51edba913e8b83d1388b1be975957e439015289d51d3d5774d501551f220df6f"
		hash = "6611a2b79a3acf0003b1197aa5bfe488a33db69b663c79c6c5b023e86818d38b"
		hash = "72e239924faebf8209f8e3d093f264f778a55efb56b619f26cea73b1c4feb7a4"
		hash = "7a29cb641b9ac33d1bb405d364bc6e9c7ce3e218a8ff295b75ca0922cf418290"
		hash = "92fe4f9a87c796e993820d1bda8040aced36e316de67c9c0c5fc71aadc41e0f8"
		hash = "93ecb6bd7c76e1b66f8c176418e73e274e2c705986d4ac9ede9d25db4091ab05"
		hash = "a0b7fac69a4eb32953c16597da753b15060f6eba452d150109ff8aabc2c56123"
		hash = "a8b6e798116ce0b268e2c9afac61536b8722e86b958bd2ee95c6ecdec86130c9"
		hash = "d6244c1177b679b3d67f6cec34fe0ae87fba21998d4f5024d8eeaf15ca242503"
		hash = "dcc9c38e695ffd121e793c91ca611a4025a116321443297f710a47ce06afb36d"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/shifu_trojan.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu"
        malpedia_version = "20170603"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
	strings:
		// Leaked debug-symbol path; sufficient on its own (see condition)
		$x1 = "\\Gather\\Dividerail.pdb" ascii

		// A second PDB path plus generic UTF-16 strings; only meaningful in combination
		$s0 = "\\payload\\payload.x86.pdb" ascii
		$s1 = "USER_PRIV_GUEST" fullword wide
		$s2 = "USER_PRIV_ADMIN" fullword wide
		$s3 = "USER_PRIV_USER" fullword wide
		$s4 = "%ws\\%ws" wide
	condition:
		// There are exactly five $s strings, so "5 of ($s*)" means all of them;
		// adding another $s string later would silently loosen the rule.
		// No PE-header or filesize guard, so the rule also applies to memory dumps.
		($x1 or 5 of ($s*))
}