SYMBOLCOMMON_NAMEaka. SYNONYMS
win.skinnyboy (Back to overview)

SkinnyBoy

There is no description at this point.

References
2021-08-03Cyber GeeksCyberMasterV
@online{cybermasterv:20210803:stepbystep:2c73656, author = {CyberMasterV}, title = {{A step-by-step analysis of the new malware used by APT28/Sofacy called SkinnyBoy}}, date = {2021-08-03}, organization = {Cyber Geeks}, url = {https://cybergeeks.tech/skinnyboy-apt28/}, language = {English}, urldate = {2021-08-06} } A step-by-step analysis of the new malware used by APT28/Sofacy called SkinnyBoy
SkinnyBoy
2021-05Cluster25Cluster25
@techreport{cluster25:202105:not:0bf7be8, author = {Cluster25}, title = {{A Not So Fancy Game: Exploring the New SkinnyBoy Bear's Backdoor}}, date = {2021-05}, institution = {Cluster25}, url = {https://cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf}, language = {English}, urldate = {2021-06-07} } A Not So Fancy Game: Exploring the New SkinnyBoy Bear's Backdoor
SkinnyBoy
Yara Rules
[TLP:WHITE] win_skinnyboy_auto (20230808 | Detects win.skinnyboy.)
rule win_skinnyboy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.skinnyboy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skinnyboy"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a03 6a00 6a00 68bb010000 ffb5ccfeffff 56 ff15???????? }
            // n = 7, score = 100
            //   6a03                 | push                3
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68bb010000           | push                0x1bb
            //   ffb5ccfeffff         | push                dword ptr [ebp - 0x134]
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_1 = { ff30 8945f0 ff36 8975f4 }
            // n = 4, score = 100
            //   ff30                 | push                dword ptr [eax]
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   ff36                 | push                dword ptr [esi]
            //   8975f4               | mov                 dword ptr [ebp - 0xc], esi

        $sequence_2 = { 660fd68564feffff f30f7e05???????? 8d8576feffff 6a00 50 660fd6856cfeffff e8???????? }
            // n = 7, score = 100
            //   660fd68564feffff     | movq                qword ptr [ebp - 0x19c], xmm0
            //   f30f7e05????????     |                     
            //   8d8576feffff         | lea                 eax, [ebp - 0x18a]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   660fd6856cfeffff     | movq                qword ptr [ebp - 0x194], xmm0
            //   e8????????           |                     

        $sequence_3 = { ffd7 ffd3 6a00 6a00 }
            // n = 4, score = 100
            //   ffd7                 | call                edi
            //   ffd3                 | call                ebx
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_4 = { c7856cffffff464b1153 c78570ffffff05170610 c78574ffffff035d591e c78578ffffff01591244 }
            // n = 4, score = 100
            //   c7856cffffff464b1153     | mov    dword ptr [ebp - 0x94], 0x53114b46
            //   c78570ffffff05170610     | mov    dword ptr [ebp - 0x90], 0x10061705
            //   c78574ffffff035d591e     | mov    dword ptr [ebp - 0x8c], 0x1e595d03
            //   c78578ffffff01591244     | mov    dword ptr [ebp - 0x88], 0x44125901

        $sequence_5 = { c1fb05 8bfe 83e71f c1e706 8b049d10110110 }
            // n = 5, score = 100
            //   c1fb05               | sar                 ebx, 5
            //   8bfe                 | mov                 edi, esi
            //   83e71f               | and                 edi, 0x1f
            //   c1e706               | shl                 edi, 6
            //   8b049d10110110       | mov                 eax, dword ptr [ebx*4 + 0x10011110]

        $sequence_6 = { ff15???????? 8bf0 89b5d8feffff ffd3 }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   89b5d8feffff         | mov                 dword ptr [ebp - 0x128], esi
            //   ffd3                 | call                ebx

        $sequence_7 = { c745bc79000000 660fd645c0 660fd645c8 c745e457000000 660fd645e8 660fd645f0 }
            // n = 6, score = 100
            //   c745bc79000000       | mov                 dword ptr [ebp - 0x44], 0x79
            //   660fd645c0           | movq                qword ptr [ebp - 0x40], xmm0
            //   660fd645c8           | movq                qword ptr [ebp - 0x38], xmm0
            //   c745e457000000       | mov                 dword ptr [ebp - 0x1c], 0x57
            //   660fd645e8           | movq                qword ptr [ebp - 0x18], xmm0
            //   660fd645f0           | movq                qword ptr [ebp - 0x10], xmm0

        $sequence_8 = { 85d2 740f 668b444de4 6631444dd0 41 3bca }
            // n = 6, score = 100
            //   85d2                 | test                edx, edx
            //   740f                 | je                  0x11
            //   668b444de4           | mov                 ax, word ptr [ebp + ecx*2 - 0x1c]
            //   6631444dd0           | xor                 word ptr [ebp + ecx*2 - 0x30], ax
            //   41                   | inc                 ecx
            //   3bca                 | cmp                 ecx, edx

        $sequence_9 = { 8d45f4 50 ff7308 ff15???????? 8b15???????? 85c0 }
            // n = 6, score = 100
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax
            //   ff7308               | push                dword ptr [ebx + 8]
            //   ff15????????         |                     
            //   8b15????????         |                     
            //   85c0                 | test                eax, eax

    condition:
        7 of them and filesize < 176128
}
Download all Yara Rules