win.sparrow_door

SparrowDoor

aka: FamousSparrow

There is no description at this point.

References
2022-02-28 — NCSC UK — NCSC UK
@techreport{uk:20220228:malware:0cbf8c2, author = {NCSC UK}, title = {{Malware Analysis Report: SparrowDoor}}, date = {2022-02-28}, institution = {NCSC UK}, url = {https://www.ncsc.gov.uk/files/NCSC-MAR-SparrowDoor.pdf}, language = {English}, urldate = {2022-05-17} } Malware Analysis Report: SparrowDoor
SparrowDoor
2021-09-23 — ESET Research — Tahseen Bin Taj, Matthieu Faou
@online{taj:20210923:famoussparrow:5f0d606, author = {Tahseen Bin Taj and Matthieu Faou}, title = {{FamousSparrow: A suspicious hotel guest}}, date = {2021-09-23}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/}, language = {English}, urldate = {2021-09-24} } FamousSparrow: A suspicious hotel guest
SparrowDoor
Yara Rules
[TLP:WHITE] win_sparrow_door_auto (20230125 | Detects win.sparrow_door.)
/*
 * YARA-Signator rule for the Malpedia family win.sparrow_door (SparrowDoor).
 * Each $sequence_N string is a run of 32-bit x86 instruction bytes lifted
 * from the family's disassembly (the per-string listings below show the
 * decoded instructions, e.g. esp-relative loads and stores). A "????????"
 * run masks a 4-byte operand — the disassembly column is left blank for
 * those instructions — presumably because that value (call target, data
 * address) differs between builds.
 * The sequences were possibly drawn from a single documented sample (see
 * DISCLAIMER below), so a hit is a lead to corroborate with the NCSC and
 * ESET reports referenced above rather than a verdict on its own.
 */
rule win_sparrow_door_auto {

    meta:
        // Provenance fields are kept exactly as published on Malpedia; the
        // malpedia_* values tie this rule to its source snapshot and license.
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.sparrow_door."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sparrow_door"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Annotation format under each string: "n" is the number of
        // instructions in the sequence (it matches the count of listed
        // opcodes); "score" is the value yara-signator attached to the
        // sequence (100 for all ten here).
        $sequence_0 = { e8???????? 8b8c2458030000 83c428 5f }
            // n = 4, score = 100
            //   e8????????           |                     
            //   8b8c2458030000       | mov                 ecx, dword ptr [esp + 0x358]
            //   83c428               | add                 esp, 0x28
            //   5f                   | pop                 edi

        $sequence_1 = { ffd6 8b15???????? 53 6a01 52 ffd7 6a40 }
            // n = 7, score = 100
            //   ffd6                 | call                esi
            //   8b15????????         |                     
            //   53                   | push                ebx
            //   6a01                 | push                1
            //   52                   | push                edx
            //   ffd7                 | call                edi
            //   6a40                 | push                0x40

        $sequence_2 = { 8d442450 50 8d8c24b4040000 51 ff15???????? 8bf8 897c2418 }
            // n = 7, score = 100
            //   8d442450             | lea                 eax, [esp + 0x50]
            //   50                   | push                eax
            //   8d8c24b4040000       | lea                 ecx, [esp + 0x4b4]
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   897c2418             | mov                 dword ptr [esp + 0x18], edi

        $sequence_3 = { 6a00 57 51 ff15???????? 8b1424 }
            // n = 5, score = 100
            //   6a00                 | push                0
            //   57                   | push                edi
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8b1424               | mov                 edx, dword ptr [esp]

        $sequence_4 = { e8???????? 57 e8???????? 8b442430 83c408 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   57                   | push                edi
            //   e8????????           |                     
            //   8b442430             | mov                 eax, dword ptr [esp + 0x30]
            //   83c408               | add                 esp, 8

        $sequence_5 = { f3a5 53 8d8c24b4030000 51 83c020 }
            // n = 5, score = 100
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   53                   | push                ebx
            //   8d8c24b4030000       | lea                 ecx, [esp + 0x3b4]
            //   51                   | push                ecx
            //   83c020               | add                 eax, 0x20

        $sequence_6 = { 56 c744241c40000000 ffd5 8b54240c }
            // n = 4, score = 100
            //   56                   | push                esi
            //   c744241c40000000     | mov                 dword ptr [esp + 0x1c], 0x40
            //   ffd5                 | call                ebp
            //   8b54240c             | mov                 edx, dword ptr [esp + 0xc]

        // NOTE(review): the "xor ecx, esp / call / add esp / ret" followed by
        // "sub esp / a1 / xor eax, esp" shape looks like a compiler-emitted
        // stack-cookie epilogue running into the next function's prologue.
        // If so, this sequence carries less family-specific weight than the
        // others; the "7 of them" condition stops it from deciding a match
        // on its own.
        $sequence_7 = { 33cc e8???????? 81c480010000 c3 81ec40030000 a1???????? 33c4 }
            // n = 7, score = 100
            //   33cc                 | xor                 ecx, esp
            //   e8????????           |                     
            //   81c480010000         | add                 esp, 0x180
            //   c3                   | ret                 
            //   81ec40030000         | sub                 esp, 0x340
            //   a1????????           |                     
            //   33c4                 | xor                 eax, esp

        $sequence_8 = { 2bc6 7419 8bc2 8d7001 8a08 }
            // n = 5, score = 100
            //   2bc6                 | sub                 eax, esi
            //   7419                 | je                  0x1b
            //   8bc2                 | mov                 eax, edx
            //   8d7001               | lea                 esi, [eax + 1]
            //   8a08                 | mov                 cl, byte ptr [eax]

        $sequence_9 = { 50 8d8c24a8020000 51 8d5708 52 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   8d8c24a8020000       | lea                 ecx, [esp + 0x2a8]
            //   51                   | push                ecx
            //   8d5708               | lea                 edx, [edi + 8]
            //   52                   | push                edx

    condition:
        // Match when at least 7 of the 10 sequences are present and the
        // scanned object is smaller than 155648 bytes (152 KiB); anything
        // at or above that size is excluded outright, whatever its content.
        // NOTE(review): the strings were taken from memory dumps and unpacked
        // files (see DISCLAIMER), so check how your scanner defines filesize
        // for process-memory scans before relying on this rule there — the
        // size bound may not be satisfied in that mode.
        7 of them and filesize < 155648
}