SYMBOLCOMMON_NAMEaka. SYNONYMS
win.skip20 (Back to overview)

skip-2.0

Actor(s): APT41

A Microsoft SQL Server backdoor

References
2019-10-21ESET ResearchMathieu Tartare
@online{tartare:20191021:winnti:eb2c722, author = {Mathieu Tartare}, title = {{Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor}}, date = {2019-10-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/}, language = {English}, urldate = {2019-11-14} } Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor
LOWKEY skip-2.0
Yara Rules
[TLP:WHITE] win_skip20_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_skip20_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skip20"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 418d46ff 83f857 0f87d3fdffff 4c8d15959cffff 4898 410fb68402c0720000 418b8c82f0710000 }
            // n = 7, score = 200
            //   418d46ff             | and                 ax, cx
            //   83f857               | mov                 ecx, 0xc000
            //   0f87d3fdffff         | cmp                 ax, cx
            //   4c8d15959cffff       | jne                 0xb91
            //   4898                 | mov                 edx, edi
            //   410fb68402c0720000     | movzx    ecx, bx
            //   418b8c82f0710000     | and                 ax, bx

        $sequence_1 = { 448ba424c0000000 488bb424c8000000 448bb424b0000000 448b5e38 4863bc24b8000000 488bda }
            // n = 6, score = 200
            //   448ba424c0000000     | not                 eax
            //   488bb424c8000000     | cmp                 esi, -2
            //   448bb424b0000000     | je                  0x8f4
            //   448b5e38             | dec                 eax
            //   4863bc24b8000000     | mov                 ecx, esi
            //   488bda               | dec                 eax

        $sequence_2 = { 833d????????00 7505 e8???????? 488d3d98590100 41b804010000 33c9 488bd7 }
            // n = 7, score = 200
            //   833d????????00       |                     
            //   7505                 | dec                 eax
            //   e8????????           |                     
            //   488d3d98590100       | lea                 edx, [0x1315b]
            //   41b804010000         | dec                 esp
            //   33c9                 | mov                 dword ptr [esp + 0x50], ebp
            //   488bd7               | movzx               edx, word ptr [esp + 0x78]

        $sequence_3 = { 488d15302f0100 488d0d29280100 e8???????? e9???????? 0fb744247c 0fb74c247a }
            // n = 6, score = 200
            //   488d15302f0100       | lea                 ecx, [0xffffdf18]
            //   488d0d29280100       | dec                 eax
            //   e8????????           |                     
            //   e9????????           |                     
            //   0fb744247c           | lea                 ecx, [0xffffde8c]
            //   0fb74c247a           | dec                 eax

        $sequence_4 = { 488bac2440420000 488b9c2438420000 498bc7 4c8bbc2400420000 488bb42448420000 488b8c24f0410000 4833cc }
            // n = 7, score = 200
            //   488bac2440420000     | inc                 esp
            //   488b9c2438420000     | mov                 dword ptr [esp + 0x20], ebx
            //   498bc7               | dec                 eax
            //   4c8bbc2400420000     | lea                 edx, [0x12fb9]
            //   488bb42448420000     | mov                 dword ptr [esp + 0x40], eax
            //   488b8c24f0410000     | mov                 dword ptr [esp + 0x38], ecx
            //   4833cc               | mov                 dword ptr [esp + 0x30], edx

        $sequence_5 = { 4c89b424b0000000 41be02000000 48894c2438 4889542448 4489442450 }
            // n = 5, score = 200
            //   4c89b424b0000000     | inc                 edx
            //   41be02000000         | mov                 byte ptr [ecx + edx + 2], al
            //   48894c2438           | inc                 ecx
            //   4889542448           | inc                 eax
            //   4489442450           | add                 dword ptr [ebx], edi

        $sequence_6 = { 740d ffc9 75bf 0fb705???????? eb10 0fb705???????? eb07 }
            // n = 7, score = 200
            //   740d                 | cmp                 eax, eax
            //   ffc9                 | jb                  0x196
            //   75bf                 | nop                 dword ptr [eax]
            //   0fb705????????       |                     
            //   eb10                 | dec                 esp
            //   0fb705????????       |                     
            //   eb07                 | cmp                 dword ptr [ecx], ecx

        $sequence_7 = { b840000000 668944bb24 834518f8 0f881bfdffff 488b4510 488b08 48890b }
            // n = 7, score = 200
            //   b840000000           | lea                 ecx, [ecx + 0x40]
            //   668944bb24           | dec                 eax
            //   834518f8             | lea                 esi, [0x1d5a6]
            //   0f881bfdffff         | test                edx, edx
            //   488b4510             | inc                 ecx
            //   488b08               | mov                 eax, 1
            //   48890b               | inc                 ecx

        $sequence_8 = { 4c8bc2 4c8d0d5263ffff 41f640387f 7529 413bc6 741e 83f8fe }
            // n = 7, score = 200
            //   4c8bc2               | dec                 esp
            //   4c8d0d5263ffff       | lea                 eax, [esp + 0x240]
            //   41f640387f           | mov                 dword ptr [esp + 0x15c], 0x48564157
            //   7529                 | mov                 dword ptr [esp + 0x160], 0x1c0ec81
            //   413bc6               | mov                 dword ptr [esp + 0x164], 0xc7480000
            //   741e                 | mov                 dword ptr [esp + 0x168], 0xfe382444
            //   83f8fe               | mov                 word ptr [esp + 0x16c], 0xffff

        $sequence_9 = { 668944bb24 66837cbb2400 c644bb2205 7530 8b8c24d0000000 85c9 741b }
            // n = 7, score = 200
            //   668944bb24           | mov                 dword ptr [esp + 0x1fc], 0xc35f20c4
            //   66837cbb2400         | dec                 esp
            //   c644bb2205           | mov                 edi, ebx
            //   7530                 | dec                 esp
            //   8b8c24d0000000       | mov                 esp, ebx
            //   85c9                 | dec                 eax
            //   741b                 | lea                 eax, [0x50642]

    condition:
        7 of them and filesize < 794624
}
Download all Yara Rules