SYMBOLCOMMON_NAMEaka. SYNONYMS
win.smac (Back to overview)

smac

aka: speccom

There is no description at this point.

References
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:fcb04ab, author = {SecureWorks}, title = {{BRONZE EXPRESS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-express}, language = {English}, urldate = {2020-05-23} } BRONZE EXPRESS
9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT 26
2015-08-10shadowserverNed Moran, Ben Koehl
@techreport{moran:20150810:italian:26b33c4, author = {Ned Moran and Ben Koehl}, title = {{The Italian Connection: An analysis of exploit supply chains and digital quartermasters}}, date = {2015-08-10}, institution = {shadowserver}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf}, language = {English}, urldate = {2020-01-07} } The Italian Connection: An analysis of exploit supply chains and digital quartermasters
smac Violin Panda
Yara Rules
[TLP:WHITE] win_smac_auto (20211008 | Detects win.smac.)
rule win_smac_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.smac."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.smac"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83f908 7229 f3a5 ff2495c08c4000 8bc7 ba03000000 }
            // n = 6, score = 200
            //   83f908               | cmp                 ecx, 8
            //   7229                 | jb                  0x2b
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   ff2495c08c4000       | jmp                 dword ptr [edx*4 + 0x408cc0]
            //   8bc7                 | mov                 eax, edi
            //   ba03000000           | mov                 edx, 3

        $sequence_1 = { 8d842464020000 50 8d8424c0040000 50 ffd7 83c40c 8d442410 }
            // n = 7, score = 200
            //   8d842464020000       | lea                 eax, dword ptr [esp + 0x264]
            //   50                   | push                eax
            //   8d8424c0040000       | lea                 eax, dword ptr [esp + 0x4c0]
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   83c40c               | add                 esp, 0xc
            //   8d442410             | lea                 eax, dword ptr [esp + 0x10]

        $sequence_2 = { 5a 57 6689957effffff 5a 6a64 66895582 5a }
            // n = 7, score = 200
            //   5a                   | pop                 edx
            //   57                   | push                edi
            //   6689957effffff       | mov                 word ptr [ebp - 0x82], dx
            //   5a                   | pop                 edx
            //   6a64                 | push                0x64
            //   66895582             | mov                 word ptr [ebp - 0x7e], dx
            //   5a                   | pop                 edx

        $sequence_3 = { e8???????? 8ac3 e8???????? c3 40 50 e8???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8ac3                 | mov                 al, bl
            //   e8????????           |                     
            //   c3                   | ret                 
            //   40                   | inc                 eax
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_4 = { 59 8bf8 56 8d442434 e8???????? 83c370 }
            // n = 6, score = 200
            //   59                   | pop                 ecx
            //   8bf8                 | mov                 edi, eax
            //   56                   | push                esi
            //   8d442434             | lea                 eax, dword ptr [esp + 0x34]
            //   e8????????           |                     
            //   83c370               | add                 ebx, 0x70

        $sequence_5 = { ff75a0 ff15???????? 85c0 7514 8d45a0 50 }
            // n = 6, score = 200
            //   ff75a0               | push                dword ptr [ebp - 0x60]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7514                 | jne                 0x16
            //   8d45a0               | lea                 eax, dword ptr [ebp - 0x60]
            //   50                   | push                eax

        $sequence_6 = { 58 6a53 668945d0 58 6a75 668945d2 58 }
            // n = 7, score = 200
            //   58                   | pop                 eax
            //   6a53                 | push                0x53
            //   668945d0             | mov                 word ptr [ebp - 0x30], ax
            //   58                   | pop                 eax
            //   6a75                 | push                0x75
            //   668945d2             | mov                 word ptr [ebp - 0x2e], ax
            //   58                   | pop                 eax

        $sequence_7 = { ff75f0 ff15???????? 85c0 7511 68f4010000 ff15???????? 47 }
            // n = 7, score = 200
            //   ff75f0               | push                dword ptr [ebp - 0x10]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7511                 | jne                 0x13
            //   68f4010000           | push                0x1f4
            //   ff15????????         |                     
            //   47                   | inc                 edi

        $sequence_8 = { 83bd54ffffff01 7309 8bf7 e8???????? }
            // n = 4, score = 200
            //   83bd54ffffff01       | cmp                 dword ptr [ebp - 0xac], 1
            //   7309                 | jae                 0xb
            //   8bf7                 | mov                 esi, edi
            //   e8????????           |                     

        $sequence_9 = { ffb56cf4ffff ff15???????? ffb56cf4ffff ff15???????? 83bdf4f4ffff08 8b85e0f4ffff 7306 }
            // n = 7, score = 200
            //   ffb56cf4ffff         | push                dword ptr [ebp - 0xb94]
            //   ff15????????         |                     
            //   ffb56cf4ffff         | push                dword ptr [ebp - 0xb94]
            //   ff15????????         |                     
            //   83bdf4f4ffff08       | cmp                 dword ptr [ebp - 0xb0c], 8
            //   8b85e0f4ffff         | mov                 eax, dword ptr [ebp - 0xb20]
            //   7306                 | jae                 8

    condition:
        7 of them and filesize < 212992
}
Download all Yara Rules