SYMBOLCOMMON_NAMEaka. SYNONYMS
win.skip20 (Back to overview)

skip-2.0

Actor(s): APT41

A Microsoft SQL Server backdoor

References
2019-10-21ESET ResearchMathieu Tartare
@online{tartare:20191021:winnti:eb2c722, author = {Mathieu Tartare}, title = {{Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor}}, date = {2019-10-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/}, language = {English}, urldate = {2019-11-14} } Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor
LOWKEY skip-2.0
Yara Rules
[TLP:WHITE] win_skip20_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_skip20_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skip20"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4c894c2428 4c89742430 884332 4183fb03 0f85a5000000 488b4dcf 418b4220 }
            // n = 7, score = 200
            //   4c894c2428           | mov                 dword ptr [esp + 0x2ec], 0xc74850ec
            //   4c89742430           | mov                 dword ptr [esp + 0x2f0], 0xfe202444
            //   884332               | mov                 dword ptr [esp + 0x2f4], 0x48ffffff
            //   4183fb03             | mov                 dword ptr [esp + 0x2f8], 0x60245c89
            //   0f85a5000000         | mov                 dword ptr [esp + 0x2fc], 0x246c8948
            //   488b4dcf             | mov                 dword ptr [esp + 0xec], 0x48185889
            //   418b4220             | mov                 word ptr [esp + 0xf0], 0x7089

        $sequence_1 = { 44895c2428 894c2420 488d154b2b0100 488d0da4150100 e8???????? e9???????? 0fb744247c }
            // n = 7, score = 200
            //   44895c2428           | xor                 edx, edx
            //   894c2420             | inc                 ecx
            //   488d154b2b0100       | mov                 eax, edx
            //   488d0da4150100       | jmp                 0x1b96
            //   e8????????           |                     
            //   e9????????           |                     
            //   0fb744247c           | cmp                 byte ptr [eax], 0xc0

        $sequence_2 = { 42c644b62206 420fb68402708a0100 428844b623 4183fc01 751f c6463608 ff4918 }
            // n = 7, score = 200
            //   42c644b62206         | dec                 eax
            //   420fb68402708a0100     | add    esp, 0x28
            //   428844b623           | ret                 
            //   4183fc01             | jne                 0xf00
            //   751f                 | dec                 eax
            //   c6463608             | lea                 eax, [0x1584b]
            //   ff4918               | jmp                 0xf04

        $sequence_3 = { c745d48b732049 c745d88b7b2849 c745dc8be3415e c745e0c3909090 c745e490909090 }
            // n = 5, score = 200
            //   c745d48b732049       | lea                 eax, [edx + 0x32]
            //   c745d88b7b2849       | dec                 eax
            //   c745dc8be3415e       | mov                 ecx, ebx
            //   c745e0c3909090       | mov                 dword ptr [esp + 0x44], esi
            //   c745e490909090       | dec                 esp

        $sequence_4 = { 4889742410 48897c2418 8b742428 458b5038 4c8bd9 4863ca }
            // n = 6, score = 200
            //   4889742410           | jmp                 0x14f3
            //   48897c2418           | dec                 eax
            //   8b742428             | lea                 ecx, [eax + eax*2]
            //   458b5038             | dec                 esp
            //   4c8bd9               | lea                 ecx, [0x1fdec]
            //   4863ca               | dec                 ebp

        $sequence_5 = { c1ea03 83e607 83e703 83e207 418bd9 498bc0 }
            // n = 6, score = 200
            //   c1ea03               | mov                 eax, dword ptr [esp + 0x58]
            //   83e607               | dec                 ebp
            //   83e703               | mov                 ecx, esp
            //   83e207               | dec                 esp
            //   418bd9               | mov                 eax, edi
            //   498bc0               | dec                 eax

        $sequence_6 = { b840000000 4502db c644bb2201 668944bb24 }
            // n = 4, score = 200
            //   b840000000           | lea                 esi, [0x4e8a6]
            //   4502db               | and                 ebx, 0x1f
            //   c644bb2201           | dec                 eax
            //   668944bb24           | imul                ebx, ebx, 0x58

        $sequence_7 = { 6623cb 25ff1f0000 4898 66413bcb 750a 498d9481408c0100 eb0c }
            // n = 7, score = 200
            //   6623cb               | mov                 dl, 0x42
            //   25ff1f0000           | dec                 eax
            //   4898                 | mov                 ecx, esi
            //   66413bcb             | xor                 esi, esi
            //   750a                 | mov                 dl, 0x44
            //   498d9481408c0100     | dec                 eax
            //   eb0c                 | mov                 ecx, esi

        $sequence_8 = { 89542428 488d15652f0100 440fb7442470 440fb74c2472 440fb7542476 4489542420 488d0db72f0100 }
            // n = 7, score = 200
            //   89542428             | test                dword ptr [esp + 0xa0], 0x2000000
            //   488d15652f0100       | je                  0x1d
            //   440fb7442470         | or                  dword ptr [ebx + 4], 0x2000000
            //   440fb74c2472         | mov                 ecx, dword ptr [esp + 0x98]
            //   440fb7542476         | inc                 ecx
            //   4489542420           | cmp                 esp, 1
            //   488d0db72f0100       | jne                 0x49

        $sequence_9 = { 85c0 7450 0fb7c6 0fb74c247c 0fb754247a 440fb7542478 }
            // n = 6, score = 200
            //   85c0                 | dec                 esp
            //   7450                 | lea                 ecx, [0xffff86c2]
            //   0fb7c6               | inc                 ecx
            //   0fb74c247c           | and                 eax, 0x1fff
            //   0fb754247a           | dec                 esp
            //   440fb7542478         | add                 eax, eax

    condition:
        7 of them and filesize < 794624
}
Download all Yara Rules