SYMBOLCOMMON_NAMEaka. SYNONYMS
win.skip20 (Back to overview)

skip-2.0

Actor(s): APT41

A Microsoft SQL Server backdoor

References
2019-10-21ESET ResearchMathieu Tartare
@online{tartare:20191021:winnti:eb2c722, author = {Mathieu Tartare}, title = {{Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor}}, date = {2019-10-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/}, language = {English}, urldate = {2019-11-14} } Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor
LOWKEY skip-2.0
Yara Rules
[TLP:WHITE] win_skip20_auto (20230808 | Detects win.skip20.)
rule win_skip20_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.skip20."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skip20"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 85c9 7448 ffc9 7432 ffc9 0f85150a0000 }
            // n = 6, score = 200
            //   85c9                 | inc                 ecx
            //   7448                 | sete                al
            //   ffc9                 | add                 eax, -0x7b
            //   7432                 | cmp                 eax, 0xc4
            //   ffc9                 | ja                  0xaeb
            //   0f85150a0000         | dec                 eax

        $sequence_1 = { 782e 3b0d???????? 7326 4863c9 488d1504fe0400 488bc1 }
            // n = 6, score = 200
            //   782e                 | dec                 esp
            //   3b0d????????         |                     
            //   7326                 | mov                 edx, eax
            //   4863c9               | dec                 eax
            //   488d1504fe0400       | test                eax, eax
            //   488bc1               | je                  0x9f0

        $sequence_2 = { 0fb74c247a 0fb7542478 89442438 894c2430 89542428 488d15e62f0100 }
            // n = 6, score = 200
            //   0fb74c247a           | mov                 ecx, eax
            //   0fb7542478           | dec                 esp
            //   89442438             | mov                 eax, edx
            //   894c2430             | dec                 eax
            //   89542428             | mov                 edx, ecx
            //   488d15e62f0100       | dec                 eax

        $sequence_3 = { 741c 3d00010000 740e 3d00020000 7536 4180493347 eb2f }
            // n = 7, score = 200
            //   741c                 | mov                 word ptr [ebx + edi*4 + 0x24], ax
            //   3d00010000           | cmp                 word ptr [ebx + edi*4 + 0x24], 0
            //   740e                 | jae                 0xfe
            //   3d00020000           | movzx               eax, word ptr [ebp + 8]
            //   7536                 | mov                 eax, 0x200
            //   4180493347           | or                  word ptr [ebx + 0x18], ax
            //   eb2f                 | test                esi, 0x4010000

        $sequence_4 = { e9???????? 4883bc24e000000000 7409 83fa01 0f842cf9ffff 83fa05 }
            // n = 6, score = 200
            //   e9????????           |                     
            //   4883bc24e000000000     | cmp    edx, 3
            //   7409                 | dec                 eax
            //   83fa01               | movsx               ecx, word ptr [eax]
            //   0f842cf9ffff         | dec                 eax
            //   83fa05               | mov                 dword ptr [esi + 8], ecx

        $sequence_5 = { 488db424ec000000 0f1f00 413bfc 732a 448b06 8bd7 }
            // n = 6, score = 200
            //   488db424ec000000     | mov                 ecx, 0x1b
            //   0f1f00               | dec                 esp
            //   413bfc               | lea                 eax, [esp + 0x170]
            //   732a                 | mov                 dword ptr [esp + 0x284], 0x48574156
            //   448b06               | mov                 dword ptr [esp + 0x288], 0x180ec81
            //   8bd7                 | inc                 sp

        $sequence_6 = { 418bb482a08a0100 eb07 4c8d15b4b2ffff 8bd6 81e200004000 747e 41ff4c2418 }
            // n = 7, score = 200
            //   418bb482a08a0100     | dec                 eax
            //   eb07                 | mov                 dword ptr [esp + 0x60], eax
            //   4c8d15b4b2ffff       | movzx               eax, byte ptr [eax]
            //   8bd6                 | inc                 ecx
            //   81e200004000         | mov                 esi, dword ptr [edx + eax*4 + 0x18aa0]
            //   747e                 | dec                 esp
            //   41ff4c2418           | lea                 edx, [0xffff91e3]

        $sequence_7 = { 488d3d071f0500 ba58000000 488bcd e8???????? 4885c0 7468 }
            // n = 6, score = 200
            //   488d3d071f0500       | mov                 dword ptr [ebp - 0x30], 0x49186b8b
            //   ba58000000           | mov                 dword ptr [ebp - 0x3c], 0xa0249c8d
            //   488bcd               | mov                 dword ptr [ebp - 0x38], 0x49000000
            //   e8????????           |                     
            //   4885c0               | mov                 dword ptr [ebp - 0x34], 0x49105b8b
            //   7468                 | mov                 dword ptr [ebp - 0x30], 0x49186b8b

        $sequence_8 = { 89542428 488d15652f0100 440fb7442470 440fb74c2472 440fb7542476 4489542420 488d0db72f0100 }
            // n = 7, score = 200
            //   89542428             | dec                 ecx
            //   488d15652f0100       | mov                 ebx, eax
            //   440fb7442470         | dec                 eax
            //   440fb74c2472         | mov                 edi, edx
            //   440fb7542476         | inc                 ecx
            //   4489542420           | push                edi
            //   488d0db72f0100       | dec                 eax

        $sequence_9 = { 89442438 0fb74c247a 894c2430 0fb7542478 89542428 488d15ae290100 }
            // n = 6, score = 200
            //   89442438             | dec                 eax
            //   0fb74c247a           | lea                 edx, [0x4d387]
            //   894c2430             | dec                 eax
            //   0fb7542478           | mov                 ecx, dword ptr [edx + ecx*8]
            //   89542428             | dec                 ebp
            //   488d15ae290100       | imul                ebx, ebx, 0x58

    condition:
        7 of them and filesize < 794624
}
Download all Yara Rules