win.sslmm

SslMM

Actor(s): Naikon


There is no description at this point.

References
2015-05-14Kaspersky LabsKurt Baumgartner, Maxim Golovkin
The Naikon APT
Naikon SslMM Sys10 WinMM xsPlus APT30 Naikon
2015-05-01Kaspersky LabsKurt Baumgartner, Maxim Golovkin
The MsnMM Campaigns - The Earliest Naikon APT Campaigns
SslMM Sys10 WinMM xsPlus
2015-04-01FireEyeFireEye
APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION
BACKBEND backspace CREAMSICLE FLASHFLOOD GEMCUTTER MILKMAID Naikon NETEAGLE ORANGEADE SHIPSHAPE SPACESHIP SslMM Sys10 WinMM xsPlus APT30
Yara Rules
[TLP:WHITE] win_sslmm_auto (20260504 | Detects win.sslmm.)
// Auto-generated YARA rule for the Naikon SslMM family (Malpedia id win.sslmm).
// The ten $sequence_* strings are short instruction-byte sequences lifted from
// disassembly of unpacked samples / memory dumps (see DISCLAIMER below), so this
// rule is meant for unpacked code; a packed on-disk sample presumably will not
// match — confirm against your own sample set before relying on it for on-disk
// scanning.
rule win_sslmm_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.sslmm."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sslmm"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each string is a raw x86 (32-bit) byte sequence; the disassembly below each
    // one is documentation only. "n" is the instruction count; "score" is a
    // yara-signator ranking value whose scale is not documented on this page.
    // The "????????" wildcards blank out the 4-byte operand of call/jump and
    // memory-indirect instructions — presumably relocation-dependent addresses.
    // NOTE(review): $sequence_0 and $sequence_3 share the same four-instruction
    // core (8d4c243c 8bc2 899374010000 8b9370010000), and $sequence_5 also reads
    // [ebx + 0x170]; these strings are therefore not independent evidence, which
    // slightly weakens the "7 of them" threshold in the condition.
    strings:
        $sequence_0 = { 8d4c243c 8bc2 899374010000 8b9370010000 8944245c 8d44245c }
            // n = 6, score = 400
            //   8d4c243c             | lea                 ecx, [esp + 0x3c]
            //   8bc2                 | mov                 eax, edx
            //   899374010000         | mov                 dword ptr [ebx + 0x174], edx
            //   8b9370010000         | mov                 edx, dword ptr [ebx + 0x170]
            //   8944245c             | mov                 dword ptr [esp + 0x5c], eax
            //   8d44245c             | lea                 eax, [esp + 0x5c]

        $sequence_1 = { 8bce 895c2420 e8???????? 85c0 745e 399e9c000000 }
            // n = 6, score = 400
            //   8bce                 | mov                 ecx, esi
            //   895c2420             | mov                 dword ptr [esp + 0x20], ebx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   745e                 | je                  0x60
            //   399e9c000000         | cmp                 dword ptr [esi + 0x9c], ebx

        $sequence_2 = { 8b542434 57 6a01 55 52 8bce }
            // n = 6, score = 400
            //   8b542434             | mov                 edx, dword ptr [esp + 0x34]
            //   57                   | push                edi
            //   6a01                 | push                1
            //   55                   | push                ebp
            //   52                   | push                edx
            //   8bce                 | mov                 ecx, esi

        // Overlaps with $sequence_0 (see NOTE(review) above).
        $sequence_3 = { 55 03d0 8d4c243c 8bc2 899374010000 8b9370010000 }
            // n = 6, score = 400
            //   55                   | push                ebp
            //   03d0                 | add                 edx, eax
            //   8d4c243c             | lea                 ecx, [esp + 0x3c]
            //   8bc2                 | mov                 eax, edx
            //   899374010000         | mov                 dword ptr [ebx + 0x174], edx
            //   8b9370010000         | mov                 edx, dword ptr [ebx + 0x170]

        $sequence_4 = { 8bd9 55 56 8b8360010000 33ed 33f6 3bc5 }
            // n = 7, score = 400
            //   8bd9                 | mov                 ebx, ecx
            //   55                   | push                ebp
            //   56                   | push                esi
            //   8b8360010000         | mov                 eax, dword ptr [ebx + 0x160]
            //   33ed                 | xor                 ebp, ebp
            //   33f6                 | xor                 esi, esi
            //   3bc5                 | cmp                 eax, ebp

        $sequence_5 = { 7538 8b442434 85c0 7430 8b4c242c 8b9370010000 51 }
            // n = 7, score = 400
            //   7538                 | jne                 0x3a
            //   8b442434             | mov                 eax, dword ptr [esp + 0x34]
            //   85c0                 | test                eax, eax
            //   7430                 | je                  0x32
            //   8b4c242c             | mov                 ecx, dword ptr [esp + 0x2c]
            //   8b9370010000         | mov                 edx, dword ptr [ebx + 0x170]
            //   51                   | push                ecx

        $sequence_6 = { 33c9 8d542408 894c2428 52 894c2430 }
            // n = 5, score = 400
            //   33c9                 | xor                 ecx, ecx
            //   8d542408             | lea                 edx, [esp + 8]
            //   894c2428             | mov                 dword ptr [esp + 0x28], ecx
            //   52                   | push                edx
            //   894c2430             | mov                 dword ptr [esp + 0x30], ecx

        $sequence_7 = { 8bf8 ff15???????? 8b44240c 8b4804 8b10 51 }
            // n = 6, score = 400
            //   8bf8                 | mov                 edi, eax
            //   ff15????????         |                     
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   51                   | push                ecx

        // Shortest sequence (4 instructions, one of them wildcarded): the weakest
        // individual match in the set.
        $sequence_8 = { e8???????? 53 55 8bac241c140000 }
            // n = 4, score = 400
            //   e8????????           |                     
            //   53                   | push                ebx
            //   55                   | push                ebp
            //   8bac241c140000       | mov                 ebp, dword ptr [esp + 0x141c]

        $sequence_9 = { 8d83e4000000 51 6a04 50 ff931c010000 3bc6 0f85a0010000 }
            // n = 7, score = 400
            //   8d83e4000000         | lea                 eax, [ebx + 0xe4]
            //   51                   | push                ecx
            //   6a04                 | push                4
            //   50                   | push                eax
            //   ff931c010000         | call                dword ptr [ebx + 0x11c]
            //   3bc6                 | cmp                 eax, esi
            //   0f85a0010000         | jne                 0x1a6

    // Fires when at least 7 of the 10 sequences are present and the scanned
    // object is under 188416 bytes (184 KiB). The size bound is evaluated on
    // whatever is being scanned, so a large memory region or a whole process
    // dump that contains the code can still fail the rule — presumably the
    // intended targets are individual unpacked PE files / module dumps; confirm
    // before using the rule for in-memory scanning.
    condition:
        7 of them and filesize < 188416
}