SYMBOLCOMMON_NAMEaka. SYNONYMS
win.sslmm (Back to overview)

SslMM

Actor(s): Naikon


There is no description at this point.

References
2015-05-14Kaspersky LabsKurt Baumgartner, Maxim Golovkin
@online{baumgartner:20150514:naikon:9edea2f, author = {Kurt Baumgartner and Maxim Golovkin}, title = {{The Naikon APT}}, date = {2015-05-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/69953/the-naikon-apt/}, language = {English}, urldate = {2019-12-20} } The Naikon APT
Naikon SslMM Sys10 WinMM xsPlus APT30 Naikon
2015-05Kaspersky LabsKurt Baumgartner, Maxim Golovkin
@techreport{baumgartner:201505:msnmm:13a9145, author = {Kurt Baumgartner and Maxim Golovkin}, title = {{The MsnMM Campaigns - The Earliest Naikon APTCampaigns}}, date = {2015-05}, institution = {Kaspersky Labs}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf}, language = {English}, urldate = {2019-07-11} } The MsnMM Campaigns - The Earliest Naikon APTCampaigns
SslMM Sys10 WinMM xsPlus
2015-04FireEyeFireEye
@techreport{fireeye:201504:apt30:0129bf7, author = {FireEye}, title = {{APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION}}, date = {2015-04}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf}, language = {English}, urldate = {2020-01-07} } APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION
BACKBEND backspace CREAMSICLE FLASHFLOOD GEMCUTTER MILKMAID Naikon NETEAGLE ORANGEADE SHIPSHAPE SPACESHIP SslMM Sys10 WinMM xsPlus APT30
Yara Rules
[TLP:WHITE] win_sslmm_auto (20230715 | Detects win.sslmm.)
rule win_sslmm_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.sslmm."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sslmm"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a00 6a01 6a0a ff15???????? }
            // n = 4, score = 400
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   6a0a                 | push                0xa
            //   ff15????????         |                     

        $sequence_1 = { 8bf1 6805100000 c7442414c0d40100 e8???????? }
            // n = 4, score = 400
            //   8bf1                 | mov                 esi, ecx
            //   6805100000           | push                0x1005
            //   c7442414c0d40100     | mov                 dword ptr [esp + 0x14], 0x1d4c0
            //   e8????????           |                     

        $sequence_2 = { 8d44240c 68???????? 50 e8???????? 83c40c 85c0 7419 }
            // n = 7, score = 400
            //   8d44240c             | lea                 eax, [esp + 0xc]
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   7419                 | je                  0x1b

        $sequence_3 = { 3bc6 0f85a0010000 8b54243c 8b442438 8b6c2434 }
            // n = 5, score = 400
            //   3bc6                 | cmp                 eax, esi
            //   0f85a0010000         | jne                 0x1a6
            //   8b54243c             | mov                 edx, dword ptr [esp + 0x3c]
            //   8b442438             | mov                 eax, dword ptr [esp + 0x38]
            //   8b6c2434             | mov                 ebp, dword ptr [esp + 0x34]

        $sequence_4 = { 8b442410 51 52 50 ffd7 5f }
            // n = 6, score = 400
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   5f                   | pop                 edi

        $sequence_5 = { 49 85c9 7e3a 8d41ff 85c0 7c33 803c105c }
            // n = 7, score = 400
            //   49                   | dec                 ecx
            //   85c9                 | test                ecx, ecx
            //   7e3a                 | jle                 0x3c
            //   8d41ff               | lea                 eax, [ecx - 1]
            //   85c0                 | test                eax, eax
            //   7c33                 | jl                  0x35
            //   803c105c             | cmp                 byte ptr [eax + edx], 0x5c

        $sequence_6 = { 3bfb 7c4e 8b442428 3bc3 }
            // n = 4, score = 400
            //   3bfb                 | cmp                 edi, ebx
            //   7c4e                 | jl                  0x50
            //   8b442428             | mov                 eax, dword ptr [esp + 0x28]
            //   3bc3                 | cmp                 eax, ebx

        $sequence_7 = { c20800 ff15???????? 8bf8 57 }
            // n = 4, score = 400
            //   c20800               | ret                 8
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   57                   | push                edi

        $sequence_8 = { 85c9 c70204000000 7410 c786a800000001000000 8986ac000000 }
            // n = 5, score = 400
            //   85c9                 | test                ecx, ecx
            //   c70204000000         | mov                 dword ptr [edx], 4
            //   7410                 | je                  0x12
            //   c786a800000001000000     | mov    dword ptr [esi + 0xa8], 1
            //   8986ac000000         | mov                 dword ptr [esi + 0xac], eax

        $sequence_9 = { e8???????? 8b542414 8bcf 89442428 8bf8 8bc1 }
            // n = 6, score = 400
            //   e8????????           |                     
            //   8b542414             | mov                 edx, dword ptr [esp + 0x14]
            //   8bcf                 | mov                 ecx, edi
            //   89442428             | mov                 dword ptr [esp + 0x28], eax
            //   8bf8                 | mov                 edi, eax
            //   8bc1                 | mov                 eax, ecx

    condition:
        7 of them and filesize < 188416
}
Download all Yara Rules