win.soraya (Back to overview)

soraya


There is no description at this point.

References
2014-08-01Coding and SecurityCoding, Security
@online{coding:20140801:soraya:4e51b2f, author = {Coding and Security}, title = {{Soraya Malware Analysis - Dropper}}, date = {2014-08-01}, organization = {Coding and Security}, url = {https://www.codeandsec.com/Soraya-Malware-Analysis-Dropper}, language = {English}, urldate = {2020-01-09} } Soraya Malware Analysis - Dropper
soraya
Yara Rules
[TLP:WHITE] win_soraya_auto (20230715 | Detects win.soraya.)
rule win_soraya_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.soraya."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.soraya"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review)
     * Only the hex byte patterns below are matched; the "//" annotations are
     * reader aids and have no effect on detection.
     * The rule mixes 32-bit (x86) and 64-bit (x86-64) code sequences. The
     * auto-generated annotations for the x86-64 sequences ($sequence_2, _11,
     * _12, _13, _14, _15, _19) were decoded as 32-bit and/or misaligned against
     * their bytes; they have been re-decoded as x86-64 below. Jump targets are
     * given as in the generator's convention: instruction length plus the
     * relative displacement, i.e. as if the instruction sat at offset 0.
     * "????????" wildcards mask the 32-bit operand of call instructions
     * (ff15 = call [addr32/rip+disp32], e8 = call rel32), so relocated or
     * rebased call targets do not break the match.
     * Because the strings come from a single documented sample and the
     * condition is "7 of them", expect this rule to be tight on that sample
     * and possibly weak on other builds of the family (see DISCLAIMER).
     */

    strings:
        // x86: after a call, checks (eax - 'A') <= 25 unsigned, i.e. whether al
        // is an uppercase ASCII letter, and loops back while it is not.
        $sequence_0 = { ff15???????? 8d48bf 80f919 77f2 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   8d48bf               | lea                 ecx, [eax - 0x41]
            //   80f919               | cmp                 cl, 0x19
            //   77f2                 | ja                  0xfffffff4

        $sequence_1 = { 8365fc00 8d45fc 50 53 6a00 8d85ecfdffff }
            // n = 6, score = 100
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   6a00                 | push                0
            //   8d85ecfdffff         | lea                 eax, [ebp - 0x214]

        // x86-64 (REX prefixes 48/45 present); annotations re-decoded as 64-bit.
        $sequence_2 = { 488d0d37ddffff 4533c0 e8???????? eb02 }
            // n = 4, score = 100
            //   488d0d37ddffff       | lea                 rcx, [rip - 0x22c9]
            //   4533c0               | xor                 r8d, r8d
            //   e8????????           | call                rel32 (masked)
            //   eb02                 | jmp                 4

        $sequence_3 = { 7424 56 6a00 683a040000 ff15???????? 8bf0 85f6 }
            // n = 7, score = 100
            //   7424                 | je                  0x26
            //   56                   | push                esi
            //   6a00                 | push                0
            //   683a040000           | push                0x43a
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi

        $sequence_4 = { 8bf0 56 ff15???????? 6800800000 6a00 56 }
            // n = 6, score = 100
            //   8bf0                 | mov                 esi, eax
            //   56                   | push                esi
            //   ff15????????         |                     
            //   6800800000           | push                0x8000
            //   6a00                 | push                0
            //   56                   | push                esi

        // x86: compares a dword against 0x4550 ("PE\0\0") and reads [ecx+0x78];
        // consistent with walking PE32 NT headers by hand — TODO confirm against
        // the sample (0x78 is the export-directory RVA offset in PE32 NT headers).
        $sequence_5 = { 03cf 813950450000 894df4 0f8501010000 53 56 8b7178 }
            // n = 7, score = 100
            //   03cf                 | add                 ecx, edi
            //   813950450000         | cmp                 dword ptr [ecx], 0x4550
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   0f8501010000         | jne                 0x107
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8b7178               | mov                 esi, dword ptr [ecx + 0x78]

        $sequence_6 = { 7703 8955f4 33d2 8955d0 c745cc0b000000 }
            // n = 5, score = 100
            //   7703                 | ja                  5
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx
            //   33d2                 | xor                 edx, edx
            //   8955d0               | mov                 dword ptr [ebp - 0x30], edx
            //   c745cc0b000000       | mov                 dword ptr [ebp - 0x34], 0xb

        // x86: subtracts a counter from a byte at [edi+eax], increments the
        // counter and jumps backwards — looks like a byte-wise decode loop
        // (presumably payload/string deobfuscation; verify in the sample).
        $sequence_7 = { 03f9 280c07 41 ebdc 8b4dec 83c040 }
            // n = 6, score = 100
            //   03f9                 | add                 edi, ecx
            //   280c07               | sub                 byte ptr [edi + eax], cl
            //   41                   | inc                 ecx
            //   ebdc                 | jmp                 0xffffffde
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   83c040               | add                 eax, 0x40

        $sequence_8 = { 2bce 51 8b4df0 33cb 2bce }
            // n = 5, score = 100
            //   2bce                 | sub                 ecx, esi
            //   51                   | push                ecx
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   33cb                 | xor                 ecx, ebx
            //   2bce                 | sub                 ecx, esi

        $sequence_9 = { 746e 897dfc 8b07 03c3 50 ff55f0 8945f8 }
            // n = 7, score = 100
            //   746e                 | je                  0x70
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   03c3                 | add                 eax, ebx
            //   50                   | push                eax
            //   ff55f0               | call                dword ptr [ebp - 0x10]
            //   8945f8               | mov                 dword ptr [ebp - 8], eax

        $sequence_10 = { 2bc7 8945a8 8b45d0 8b8194010000 8b10 8b523c }
            // n = 6, score = 100
            //   2bc7                 | sub                 eax, edi
            //   8945a8               | mov                 dword ptr [ebp - 0x58], eax
            //   8b45d0               | mov                 eax, dword ptr [ebp - 0x30]
            //   8b8194010000         | mov                 eax, dword ptr [ecx + 0x194]
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   8b523c               | mov                 edx, dword ptr [edx + 0x3c]

        // x86-64; annotations re-decoded as 64-bit (the generator's were those
        // of a different sequence). Advances r8 by 0x28 per iteration — 0x28 is
        // sizeof(IMAGE_SECTION_HEADER), so presumably a section-table walk;
        // verify in the sample.
        $sequence_11 = { 4983c028 410fb7c2 3bc2 7d14 b801000000 ebd2 }
            // n = 6, score = 100
            //   4983c028             | add                 r8, 0x28
            //   410fb7c2             | movzx               eax, r10w
            //   3bc2                 | cmp                 eax, edx
            //   7d14                 | jge                 0x16
            //   b801000000           | mov                 eax, 1
            //   ebd2                 | jmp                 0xffffffd4

        // x86-64; annotations re-decoded as 64-bit.
        $sequence_12 = { 488d0dfadfffff ff15???????? 488bc8 e8???????? 488d0df5dfffff }
            // n = 5, score = 100
            //   488d0dfadfffff       | lea                 rcx, [rip - 0x2006]
            //   ff15????????         | call                qword ptr [rip + disp32] (masked)
            //   488bc8               | mov                 rcx, rax
            //   e8????????           | call                rel32 (masked)
            //   488d0df5dfffff       | lea                 rcx, [rip - 0x200b]

        // x86-64 counterpart of $sequence_5: checks "PE\0\0" at [rbp] and reads
        // [rbp+0x88] (export-directory RVA offset in PE32+ NT headers) — TODO
        // confirm against the sample.
        $sequence_13 = { 4803e9 817d0050450000 0f8589010000 448b8d88000000 4c03c9 4c894c2428 }
            // n = 6, score = 100
            //   4803e9               | add                 rbp, rcx
            //   817d0050450000       | cmp                 dword ptr [rbp], 0x4550
            //   0f8589010000         | jne                 0x18f
            //   448b8d88000000       | mov                 r9d, dword ptr [rbp + 0x88]
            //   4c03c9               | add                 r9, rcx
            //   4c894c2428           | mov                 qword ptr [rsp + 0x28], r9

        // x86-64; annotations re-decoded as 64-bit. Reads [rbx+0x3c] (e_lfanew)
        // and a word at [rdi+0x14], then adds 0x18 — consistent with locating
        // the optional/section headers of a PE image; verify in the sample.
        $sequence_14 = { ff15???????? 4863533c 448b6c1d20 898424b8020000 0fb74714 4883c218 }
            // n = 6, score = 100
            //   ff15????????         | call                qword ptr [rip + disp32] (masked)
            //   4863533c             | movsxd              rdx, dword ptr [rbx + 0x3c]
            //   448b6c1d20           | mov                 r13d, dword ptr [rbp + rbx + 0x20]
            //   898424b8020000       | mov                 dword ptr [rsp + 0x2b8], eax
            //   0fb74714             | movzx               eax, word ptr [rdi + 0x14]
            //   4883c218             | add                 rdx, 0x18

        // x86-64; annotations re-decoded as 64-bit (stack-argument setup for a
        // Win64 call: zeroed [rsp+0x20], r8 = local buffer, r9 = 0).
        $sequence_15 = { 85db 0f84ea010000 21442428 488364242000 4c8d442450 4533c9 }
            // n = 6, score = 100
            //   85db                 | test                ebx, ebx
            //   0f84ea010000         | je                  0x1f0
            //   21442428             | and                 dword ptr [rsp + 0x28], eax
            //   488364242000         | and                 qword ptr [rsp + 0x20], 0
            //   4c8d442450           | lea                 r8, [rsp + 0x50]
            //   4533c9               | xor                 r9d, r9d

        $sequence_16 = { 0fb7da 99 f7fb 668b45f0 }
            // n = 4, score = 100
            //   0fb7da               | movzx               ebx, dx
            //   99                   | cdq                 
            //   f7fb                 | idiv                ebx
            //   668b45f0             | mov                 ax, word ptr [ebp - 0x10]

        $sequence_17 = { 50 ff15???????? 8bf8 85ff 7416 8365f800 8d45f8 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   7416                 | je                  0x18
            //   8365f800             | and                 dword ptr [ebp - 8], 0
            //   8d45f8               | lea                 eax, [ebp - 8]

        $sequence_18 = { 8b4dec 8b4dfc 33ce 2bc8 }
            // n = 4, score = 100
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   33ce                 | xor                 ecx, esi
            //   2bc8                 | sub                 ecx, eax

        // x86-64; annotations re-decoded as 64-bit. Third argument (r8d) is
        // 0x8000, mirroring the "push 0x8000" in the x86 $sequence_4.
        $sequence_19 = { 41b800800000 488bcb ff15???????? e8???????? e8???????? }
            // n = 5, score = 100
            //   41b800800000         | mov                 r8d, 0x8000
            //   488bcb               | mov                 rcx, rbx
            //   ff15????????         | call                qword ptr [rip + disp32] (masked)
            //   e8????????           | call                rel32 (masked)
            //   e8????????           | call                rel32 (masked)

        // NOTE(review): the absolute address 0x87dff4 below is image-base
        // specific; this sequence will not match a differently based or
        // ASLR-relocated build.
        $sequence_20 = { 51 50 8b45f4 8b80f4df8700 }
            // n = 4, score = 100
            //   51                   | push                ecx
            //   50                   | push                eax
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8b80f4df8700         | mov                 eax, dword ptr [eax + 0x87dff4]

        $sequence_21 = { 8b4d18 0fbdc1 c1d30b 0fbdc1 }
            // n = 4, score = 100
            //   8b4d18               | mov                 ecx, dword ptr [ebp + 0x18]
            //   0fbdc1               | bsr                 eax, ecx
            //   c1d30b               | rcl                 ebx, 0xb
            //   0fbdc1               | bsr                 eax, ecx

        // x86: iterates a NUL-terminated byte string, adding each byte into
        // ebx — the shape of a simple string-hashing loop (presumably used for
        // API-name lookup; verify in the sample).
        $sequence_22 = { 8a0a 84c9 7417 0fb6d9 035dfc 8a0a }
            // n = 6, score = 100
            //   8a0a                 | mov                 cl, byte ptr [edx]
            //   84c9                 | test                cl, cl
            //   7417                 | je                  0x19
            //   0fb6d9               | movzx               ebx, cl
            //   035dfc               | add                 ebx, dword ptr [ebp - 4]
            //   8a0a                 | mov                 cl, byte ptr [edx]

    condition:
        // Any 7 of the 23 sequences suffice; the filesize cap (184 KiB) is
        // derived from the documented sample and will exclude larger builds,
        // appended/padded files and memory dumps above that size.
        7 of them and filesize < 188416
}