SYMBOLCOMMON_NAMEaka. SYNONYMS
win.smac (Back to overview)

smac

aka: speccom

There is no description at this point.

References
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:fcb04ab, author = {SecureWorks}, title = {{BRONZE EXPRESS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-express}, language = {English}, urldate = {2020-05-23} } BRONZE EXPRESS
9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT26
2015-08-10shadowserverNed Moran, Ben Koehl
@techreport{moran:20150810:italian:26b33c4, author = {Ned Moran and Ben Koehl}, title = {{The Italian Connection: An analysis of exploit supply chains and digital quartermasters}}, date = {2015-08-10}, institution = {shadowserver}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf}, language = {English}, urldate = {2020-01-07} } The Italian Connection: An analysis of exploit supply chains and digital quartermasters
smac APT20
Yara Rules
[TLP:WHITE] win_smac_auto (20230125 | Detects win.smac.)
rule win_smac_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.smac."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.smac"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 3b45e4 7627 56 57 8d4544 8d4dd4 e8???????? }
            // n = 7, score = 200
            //   3b45e4               | cmp                 eax, dword ptr [ebp - 0x1c]
            //   7627                 | jbe                 0x29
            //   56                   | push                esi
            //   57                   | push                edi
            //   8d4544               | lea                 eax, [ebp + 0x44]
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   e8????????           |                     

        $sequence_1 = { 51 33c0 394508 7504 32c0 c9 }
            // n = 6, score = 200
            //   51                   | push                ecx
            //   33c0                 | xor                 eax, eax
            //   394508               | cmp                 dword ptr [ebp + 8], eax
            //   7504                 | jne                 6
            //   32c0                 | xor                 al, al
            //   c9                   | leave               

        $sequence_2 = { 389ec0000000 741a 397914 7202 8b09 8b5508 397d1c }
            // n = 7, score = 200
            //   389ec0000000         | cmp                 byte ptr [esi + 0xc0], bl
            //   741a                 | je                  0x1c
            //   397914               | cmp                 dword ptr [ecx + 0x14], edi
            //   7202                 | jb                  4
            //   8b09                 | mov                 ecx, dword ptr [ecx]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   397d1c               | cmp                 dword ptr [ebp + 0x1c], edi

        $sequence_3 = { 59 d1e8 8bcf 8db5b4feffff e8???????? 57 e8???????? }
            // n = 7, score = 200
            //   59                   | pop                 ecx
            //   d1e8                 | shr                 eax, 1
            //   8bcf                 | mov                 ecx, edi
            //   8db5b4feffff         | lea                 esi, [ebp - 0x14c]
            //   e8????????           |                     
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_4 = { 83caff 8d853afbffff eb19 6683f930 723d 6683f939 7737 }
            // n = 7, score = 200
            //   83caff               | or                  edx, 0xffffffff
            //   8d853afbffff         | lea                 eax, [ebp - 0x4c6]
            //   eb19                 | jmp                 0x1b
            //   6683f930             | cmp                 cx, 0x30
            //   723d                 | jb                  0x3f
            //   6683f939             | cmp                 cx, 0x39
            //   7737                 | ja                  0x39

        $sequence_5 = { 668945f8 8d4dec 8bc4 8965e8 51 e8???????? 8bce }
            // n = 7, score = 200
            //   668945f8             | mov                 word ptr [ebp - 8], ax
            //   8d4dec               | lea                 ecx, [ebp - 0x14]
            //   8bc4                 | mov                 eax, esp
            //   8965e8               | mov                 dword ptr [ebp - 0x18], esp
            //   51                   | push                ecx
            //   e8????????           |                     
            //   8bce                 | mov                 ecx, esi

        $sequence_6 = { 6a50 8bd8 66899d34ffffff 5b 66899d36ffffff 6a72 5b }
            // n = 7, score = 200
            //   6a50                 | push                0x50
            //   8bd8                 | mov                 ebx, eax
            //   66899d34ffffff       | mov                 word ptr [ebp - 0xcc], bx
            //   5b                   | pop                 ebx
            //   66899d36ffffff       | mov                 word ptr [ebp - 0xca], bx
            //   6a72                 | push                0x72
            //   5b                   | pop                 ebx

        $sequence_7 = { 897010 6a07 59 894814 33d2 668910 894830 }
            // n = 7, score = 200
            //   897010               | mov                 dword ptr [eax + 0x10], esi
            //   6a07                 | push                7
            //   59                   | pop                 ecx
            //   894814               | mov                 dword ptr [eax + 0x14], ecx
            //   33d2                 | xor                 edx, edx
            //   668910               | mov                 word ptr [eax], dx
            //   894830               | mov                 dword ptr [eax + 0x30], ecx

        $sequence_8 = { 53 8d75b8 e8???????? 53 8d75d4 }
            // n = 5, score = 200
            //   53                   | push                ebx
            //   8d75b8               | lea                 esi, [ebp - 0x48]
            //   e8????????           |                     
            //   53                   | push                ebx
            //   8d75d4               | lea                 esi, [ebp - 0x2c]

        $sequence_9 = { ffb56cf4ffff ff15???????? ffb56cf4ffff ff15???????? 83bdf4f4ffff08 8b85e0f4ffff 7306 }
            // n = 7, score = 200
            //   ffb56cf4ffff         | push                dword ptr [ebp - 0xb94]
            //   ff15????????         |                     
            //   ffb56cf4ffff         | push                dword ptr [ebp - 0xb94]
            //   ff15????????         |                     
            //   83bdf4f4ffff08       | cmp                 dword ptr [ebp - 0xb0c], 8
            //   8b85e0f4ffff         | mov                 eax, dword ptr [ebp - 0xb20]
            //   7306                 | jae                 8

    condition:
        7 of them and filesize < 212992
}
Download all Yara Rules