SYMBOLCOMMON_NAMEaka. SYNONYMS
win.smac (Back to overview)

smac

aka: speccom

There is no description at this point.

References
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:fcb04ab, author = {SecureWorks}, title = {{BRONZE EXPRESS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-express}, language = {English}, urldate = {2020-05-23} } BRONZE EXPRESS
9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT26
2015-08-10shadowserverNed Moran, Ben Koehl
@techreport{moran:20150810:italian:26b33c4, author = {Ned Moran and Ben Koehl}, title = {{The Italian Connection: An analysis of exploit supply chains and digital quartermasters}}, date = {2015-08-10}, institution = {shadowserver}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf}, language = {English}, urldate = {2020-01-07} } The Italian Connection: An analysis of exploit supply chains and digital quartermasters
smac APT20
Yara Rules
[TLP:WHITE] win_smac_auto (20230715 | Detects win.smac.)
rule win_smac_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.smac."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.smac"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0fb645fa 8a8070214100 8ad0 c0e104 c0ea02 0ad1 0fb64dfb }
            // n = 7, score = 200
            //   0fb645fa             | movzx               eax, byte ptr [ebp - 6]
            //   8a8070214100         | mov                 al, byte ptr [eax + 0x412170]
            //   8ad0                 | mov                 dl, al
            //   c0e104               | shl                 cl, 4
            //   c0ea02               | shr                 dl, 2
            //   0ad1                 | or                  dl, cl
            //   0fb64dfb             | movzx               ecx, byte ptr [ebp - 5]

        $sequence_1 = { 03f6 56 ff74241c 8bf8 57 e8???????? }
            // n = 6, score = 200
            //   03f6                 | add                 esi, esi
            //   56                   | push                esi
            //   ff74241c             | push                dword ptr [esp + 0x1c]
            //   8bf8                 | mov                 edi, eax
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_2 = { c785f080ffff907e0000 ffd0 8bc8 33c0 c645f400 8d7df5 ab }
            // n = 7, score = 200
            //   c785f080ffff907e0000     | mov    dword ptr [ebp - 0x7f10], 0x7e90
            //   ffd0                 | call                eax
            //   8bc8                 | mov                 ecx, eax
            //   33c0                 | xor                 eax, eax
            //   c645f400             | mov                 byte ptr [ebp - 0xc], 0
            //   8d7df5               | lea                 edi, [ebp - 0xb]
            //   ab                   | stosd               dword ptr es:[edi], eax

        $sequence_3 = { 8b7c2450 83ec1c c68424ac01000012 8d471c 8bf4 }
            // n = 5, score = 200
            //   8b7c2450             | mov                 edi, dword ptr [esp + 0x50]
            //   83ec1c               | sub                 esp, 0x1c
            //   c68424ac01000012     | mov                 byte ptr [esp + 0x1ac], 0x12
            //   8d471c               | lea                 eax, [edi + 0x1c]
            //   8bf4                 | mov                 esi, esp

        $sequence_4 = { 668945ac 58 668945ae 33c0 218534fbffff 668945b0 8d8534fbffff }
            // n = 7, score = 200
            //   668945ac             | mov                 word ptr [ebp - 0x54], ax
            //   58                   | pop                 eax
            //   668945ae             | mov                 word ptr [ebp - 0x52], ax
            //   33c0                 | xor                 eax, eax
            //   218534fbffff         | and                 dword ptr [ebp - 0x4cc], eax
            //   668945b0             | mov                 word ptr [ebp - 0x50], ax
            //   8d8534fbffff         | lea                 eax, [ebp - 0x4cc]

        $sequence_5 = { aa 85c9 0f851d010000 53 6a25 5e 6a30 }
            // n = 7, score = 200
            //   aa                   | stosb               byte ptr es:[edi], al
            //   85c9                 | test                ecx, ecx
            //   0f851d010000         | jne                 0x123
            //   53                   | push                ebx
            //   6a25                 | push                0x25
            //   5e                   | pop                 esi
            //   6a30                 | push                0x30

        $sequence_6 = { 66899d6affffff 5b 6a43 66899d6cffffff 5b 6a75 66899d6effffff }
            // n = 7, score = 200
            //   66899d6affffff       | mov                 word ptr [ebp - 0x96], bx
            //   5b                   | pop                 ebx
            //   6a43                 | push                0x43
            //   66899d6cffffff       | mov                 word ptr [ebp - 0x94], bx
            //   5b                   | pop                 ebx
            //   6a75                 | push                0x75
            //   66899d6effffff       | mov                 word ptr [ebp - 0x92], bx

        $sequence_7 = { 84c0 740e 68d0070000 ff760c ff15???????? ff7604 8b3d???????? }
            // n = 7, score = 200
            //   84c0                 | test                al, al
            //   740e                 | je                  0x10
            //   68d0070000           | push                0x7d0
            //   ff760c               | push                dword ptr [esi + 0xc]
            //   ff15????????         |                     
            //   ff7604               | push                dword ptr [esi + 4]
            //   8b3d????????         |                     

        $sequence_8 = { c68424ac0100000f 8bf4 89642468 57 e8???????? 57 8d8c2468010000 }
            // n = 7, score = 200
            //   c68424ac0100000f     | mov                 byte ptr [esp + 0x1ac], 0xf
            //   8bf4                 | mov                 esi, esp
            //   89642468             | mov                 dword ptr [esp + 0x68], esp
            //   57                   | push                edi
            //   e8????????           |                     
            //   57                   | push                edi
            //   8d8c2468010000       | lea                 ecx, [esp + 0x168]

        $sequence_9 = { ffb56cf4ffff ff15???????? ffb56cf4ffff ff15???????? 83bdf4f4ffff08 8b85e0f4ffff 7306 }
            // n = 7, score = 200
            //   ffb56cf4ffff         | push                dword ptr [ebp - 0xb94]
            //   ff15????????         |                     
            //   ffb56cf4ffff         | push                dword ptr [ebp - 0xb94]
            //   ff15????????         |                     
            //   83bdf4f4ffff08       | cmp                 dword ptr [ebp - 0xb0c], 8
            //   8b85e0f4ffff         | mov                 eax, dword ptr [ebp - 0xb20]
            //   7306                 | jae                 8

    condition:
        7 of them and filesize < 212992
}
Download all Yara Rules