SYMBOLCOMMON_NAMEaka. SYNONYMS
win.sslmm (Back to overview)

SslMM

Actor(s): Naikon


There is no description at this point.

References
2015-05-14Kaspersky LabsKurt Baumgartner, Maxim Golovkin
@online{baumgartner:20150514:naikon:9edea2f, author = {Kurt Baumgartner and Maxim Golovkin}, title = {{The Naikon APT}}, date = {2015-05-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/69953/the-naikon-apt/}, language = {English}, urldate = {2019-12-20} } The Naikon APT
Naikon SslMM Sys10 WinMM xsPlus APT30
2015-05Kaspersky LabsKurt Baumgartner, Maxim Golovkin
@techreport{baumgartner:201505:msnmm:13a9145, author = {Kurt Baumgartner and Maxim Golovkin}, title = {{The MsnMM Campaigns - The Earliest Naikon APTCampaigns}}, date = {2015-05}, institution = {Kaspersky Labs}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf}, language = {English}, urldate = {2019-07-11} } The MsnMM Campaigns - The Earliest Naikon APTCampaigns
SslMM Sys10 WinMM xsPlus
2015-04FireEyeFireEye
@techreport{fireeye:201504:apt30:0129bf7, author = {FireEye}, title = {{APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION}}, date = {2015-04}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf}, language = {English}, urldate = {2020-01-07} } APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION
BACKBEND backspace CREAMSICLE FLASHFLOOD GEMCUTTER MILKMAID Naikon NETEAGLE ORANGEADE SHIPSHAPE SPACESHIP SslMM Sys10 WinMM xsPlus APT30
Yara Rules
[TLP:WHITE] win_sslmm_auto (20230125 | Detects win.sslmm.)
rule win_sslmm_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.sslmm."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sslmm"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83c408 68???????? 56 ffd3 3bc7 750d 5f }
            // n = 7, score = 400
            //   83c408               | add                 esp, 8
            //   68????????           |                     
            //   56                   | push                esi
            //   ffd3                 | call                ebx
            //   3bc7                 | cmp                 eax, edi
            //   750d                 | jne                 0xf
            //   5f                   | pop                 edi

        $sequence_1 = { 51 89869c000000 e8???????? 8b9790000000 83c408 899690000000 8b878c000000 }
            // n = 7, score = 400
            //   51                   | push                ecx
            //   89869c000000         | mov                 dword ptr [esi + 0x9c], eax
            //   e8????????           |                     
            //   8b9790000000         | mov                 edx, dword ptr [edi + 0x90]
            //   83c408               | add                 esp, 8
            //   899690000000         | mov                 dword ptr [esi + 0x90], edx
            //   8b878c000000         | mov                 eax, dword ptr [edi + 0x8c]

        $sequence_2 = { 33db 57 8b85ac000000 53 }
            // n = 4, score = 400
            //   33db                 | xor                 ebx, ebx
            //   57                   | push                edi
            //   8b85ac000000         | mov                 eax, dword ptr [ebp + 0xac]
            //   53                   | push                ebx

        $sequence_3 = { 3bc6 7c7b 33d2 33c9 8d442454 be03000000 85d2 }
            // n = 7, score = 400
            //   3bc6                 | cmp                 eax, esi
            //   7c7b                 | jl                  0x7d
            //   33d2                 | xor                 edx, edx
            //   33c9                 | xor                 ecx, ecx
            //   8d442454             | lea                 eax, [esp + 0x54]
            //   be03000000           | mov                 esi, 3
            //   85d2                 | test                edx, edx

        $sequence_4 = { 85c0 7448 6681384d5a 7541 8b483c 03c8 813950450000 }
            // n = 7, score = 400
            //   85c0                 | test                eax, eax
            //   7448                 | je                  0x4a
            //   6681384d5a           | cmp                 word ptr [eax], 0x5a4d
            //   7541                 | jne                 0x43
            //   8b483c               | mov                 ecx, dword ptr [eax + 0x3c]
            //   03c8                 | add                 ecx, eax
            //   813950450000         | cmp                 dword ptr [ecx], 0x4550

        $sequence_5 = { 6801010000 ff15???????? 83f8ff 750d 5f }
            // n = 5, score = 400
            //   6801010000           | push                0x101
            //   ff15????????         |                     
            //   83f8ff               | cmp                 eax, -1
            //   750d                 | jne                 0xf
            //   5f                   | pop                 edi

        $sequence_6 = { 3bfb 7c4e 8b442428 3bc3 }
            // n = 4, score = 400
            //   3bfb                 | cmp                 edi, ebx
            //   7c4e                 | jl                  0x50
            //   8b442428             | mov                 eax, dword ptr [esp + 0x28]
            //   3bc3                 | cmp                 eax, ebx

        $sequence_7 = { e8???????? 85c0 7538 8b442434 }
            // n = 4, score = 400
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7538                 | jne                 0x3a
            //   8b442434             | mov                 eax, dword ptr [esp + 0x34]

        $sequence_8 = { 85c9 c70204000000 7410 c786a800000001000000 8986ac000000 }
            // n = 5, score = 400
            //   85c9                 | test                ecx, ecx
            //   c70204000000         | mov                 dword ptr [edx], 4
            //   7410                 | je                  0x12
            //   c786a800000001000000     | mov    dword ptr [esi + 0xa8], 1
            //   8986ac000000         | mov                 dword ptr [esi + 0xac], eax

        $sequence_9 = { 6a01 52 8d9e94000000 ff15???????? 57 8903 e8???????? }
            // n = 7, score = 400
            //   6a01                 | push                1
            //   52                   | push                edx
            //   8d9e94000000         | lea                 ebx, [esi + 0x94]
            //   ff15????????         |                     
            //   57                   | push                edi
            //   8903                 | mov                 dword ptr [ebx], eax
            //   e8????????           |                     

    condition:
        7 of them and filesize < 188416
}
Download all Yara Rules