win.stuxnet

Stuxnet


There is no description at this point.

References
2023-04-11 | China Cybersecurity Industry Alliance | China Cybersecurity Industry Alliance
Review of Cyberattacks from US Intelligence Agencies - Based on Global Cybersecurity Communities' Analyses
DuQu Flame Gauss Stuxnet
2021-12-01 | ESET Research | Alexis Dorais-Joncas, Facundo Muñoz
Jumping the air gap: 15 years of nation‑state effort
Agent.BTZ Fanny Flame Gauss PlugX Ramsay Retro Stuxnet USBCulprit USBferry
2021-08-05 | Symantec | Threat Hunter Team
Attacks Against Critical Infrastructure: A Global Concern
BlackEnergy DarkSide DistTrack Stuxnet
2021-05-17 | Medium s2wlab | Denise Dasom Kim, Hyunmin Suh, Jungyeon Lim, YH Jeong
W3 May | EN | Story of the week: Code Signing Certificate on the Darkweb
Stuxnet
2021-02-11 | DomainTools | Joe Slowik
Visibility, Monitoring, and Critical Infrastructure Security
Industroyer Stuxnet Triton
2020-09-28 | fmmresearch wordpress | Facundo Muñoz
The Emerald Connection: EquationGroup collaboration with Stuxnet
Fanny Stuxnet
2020-09-28 | fmmresearch wordpress | Facundo Muñoz
The Emerald Connection: Equation Group collaboration with Stuxnet
Fanny Stuxnet
2020-07-29 | Atlantic Council | June Lee, Stewart Scott, Trey Herr, William Loomis
BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain
EternalPetya GoldenSpy Kwampirs Stuxnet
2020-06-17 | Der Spiegel | Patrick Beuth
Die erste Cyberwaffe und ihre Folgen
Stuxnet
2020-03-03 | PWC UK | PWC UK
Cyber Threats 2019: A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-09-02 | Yahoo News | Huib Modderkolk, Kim Zetter
Revealed: How a secret Dutch mole aided the U.S.-Israeli Stuxnet cyberattack on Iran
Stuxnet
2019-04-09 | Chronicle Security | Juan Andrés Guerrero-Saade, Silas Cutler
The Oldest Stuxnet Component Dials Up
FlowerShop Stuxnet
2018-03-01 | CrySyS Lab | Boldizsar Bencsath
Territorial Dispute – NSA’s perspective on APT landscape
9002 RAT Agent.BTZ DuQu EYService Flame FlowerShop Stuxnet Uroburos
2017-04-13 | A blog about rootkits research and the Windows kernel | Artem Baranov
Stuxnet drivers: detailed analysis
Stuxnet
2016-09-07 | Virus Bulletin | Brian Bartholomew, Juan Andrés Guerrero-Saade
Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks
DuQu JripBot Sinowal Stuxnet Wipbot
2011-09-09 | CodeProject | AmrThabet
Stuxnet Malware Analysis Paper
Stuxnet
2011-01-03 | ESET Research | Aleksandr Matrosov, David Harley, Eugene Rodionov, Juraj Malcho
Stuxnet Under the Microscope
Stuxnet
2010-12-27 | media.ccc.de | Bruce Dang, Peter Ferrie
Adventures in analyzing Stuxnet
Stuxnet
Yara Rules
[TLP:WHITE] win_stuxnet_auto (20260504 | Detects win.stuxnet.)
rule win_stuxnet_auto {

    // Autogenerated code-sequence signature for win.stuxnet (YARA-Signator).
    // Each $sequence_N is a 7-instruction byte pattern lifted from disassembly
    // of the reference sample(s); the "??" bytes mask operands that vary with
    // linking/relocation (call/jump targets and data references, going by
    // signator_config below), so the patterns are not tied to one image base.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.stuxnet."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Per-sequence annotations: "n" is the instruction count, "score" the
    // generator's ranking; the listing under each string is the disassembly
    // the bytes were taken from (blank mnemonic = fully masked instruction).
    strings:
        $sequence_0 = { e8???????? bef4030000 03c6 e8???????? 8845ef 834dfcff 8d45e8 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   bef4030000           | mov                 esi, 0x3f4
            //   03c6                 | add                 eax, esi
            //   e8????????           |                     
            //   8845ef               | mov                 byte ptr [ebp - 0x11], al
            //   834dfcff             | or                  dword ptr [ebp - 4], 0xffffffff
            //   8d45e8               | lea                 eax, [ebp - 0x18]

        $sequence_1 = { c3 55 8bec 83ec44 56 6a44 8d45bc }
            // n = 7, score = 200
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec44               | sub                 esp, 0x44
            //   56                   | push                esi
            //   6a44                 | push                0x44
            //   8d45bc               | lea                 eax, [ebp - 0x44]

        $sequence_2 = { b8???????? e8???????? 81ecc8010000 53 56 57 8965f0 }
            // n = 7, score = 200
            //   b8????????           |                     
            //   e8????????           |                     
            //   81ecc8010000         | sub                 esp, 0x1c8
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8965f0               | mov                 dword ptr [ebp - 0x10], esp

        $sequence_3 = { 53 e8???????? 8d45d8 50 56 e8???????? 8365fc00 }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   e8????????           |                     
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   50                   | push                eax
            //   56                   | push                esi
            //   e8????????           |                     
            //   8365fc00             | and                 dword ptr [ebp - 4], 0

        $sequence_4 = { ff75e8 ff15???????? 85c0 0f85defeffff eb1a 8d45ac 50 }
            // n = 7, score = 200
            //   ff75e8               | push                dword ptr [ebp - 0x18]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f85defeffff         | jne                 0xfffffee4
            //   eb1a                 | jmp                 0x1c
            //   8d45ac               | lea                 eax, [ebp - 0x54]
            //   50                   | push                eax

        $sequence_5 = { c645fc05 8d45f0 50 e8???????? c645fc04 8b75e8 3bf3 }
            // n = 7, score = 200
            //   c645fc05             | mov                 byte ptr [ebp - 4], 5
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   e8????????           |                     
            //   c645fc04             | mov                 byte ptr [ebp - 4], 4
            //   8b75e8               | mov                 esi, dword ptr [ebp - 0x18]
            //   3bf3                 | cmp                 esi, ebx

        $sequence_6 = { e8???????? 50 8d470c 50 ff15???????? 83670800 8d8714020000 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   50                   | push                eax
            //   8d470c               | lea                 eax, [edi + 0xc]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83670800             | and                 dword ptr [edi + 8], 0
            //   8d8714020000         | lea                 eax, [edi + 0x214]

        $sequence_7 = { 8b5d08 56 6880000000 8bc3 e8???????? 8bf0 59 }
            // n = 7, score = 200
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   56                   | push                esi
            //   6880000000           | push                0x80
            //   8bc3                 | mov                 eax, ebx
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   59                   | pop                 ecx

        $sequence_8 = { e8???????? 8b4c2410 8988b4000000 8b4c2414 8988b8000000 834c2424ff 8d44240c }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   8988b4000000         | mov                 dword ptr [eax + 0xb4], ecx
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   8988b8000000         | mov                 dword ptr [eax + 0xb8], ecx
            //   834c2424ff           | or                  dword ptr [esp + 0x24], 0xffffffff
            //   8d44240c             | lea                 eax, [esp + 0xc]

        $sequence_9 = { c645fc03 8d462c 50 895e24 895e28 e8???????? 59 }
            // n = 7, score = 200
            //   c645fc03             | mov                 byte ptr [ebp - 4], 3
            //   8d462c               | lea                 eax, [esi + 0x2c]
            //   50                   | push                eax
            //   895e24               | mov                 dword ptr [esi + 0x24], ebx
            //   895e28               | mov                 dword ptr [esi + 0x28], ebx
            //   e8????????           |                     
            //   59                   | pop                 ecx

    // At least 7 of the 10 sequences must be present, and the scanned object
    // must be smaller than 2495488 bytes (~2.4 MB; presumably derived from the
    // reference sample sizes - confirm before scanning memory or large images).
    // Because the sequences come from single samples (see DISCLAIMER), treat a
    // hit as a family-level indicator to be corroborated, not as attribution.
    condition:
        7 of them and filesize < 2495488
}
[TLP:WHITE] win_stuxnet_w0   (20190418 | Stuxshop standalone sample configuration)
rule win_stuxnet_w0 {
    // Detects the Stuxshop standalone sample configuration (see description
    // and the hash below). Three independent string groups are defined and the
    // condition accepts any one group on its own.
    meta:
        author = "JAG-S (turla@chronicle.security)"
        hash = "c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579"
        description = "Stuxshop standalone sample configuration"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet"
        malpedia_version = "20190418"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // C2 URL prefixes embedded in the sample, matched as ASCII and UTF-16LE;
        // two of the four are required for this group to fire.
        $cnc1 = "http://211.24.237.226/index.php?data=" ascii wide
        $cnc2 = "http://todaysfutbol.com/index.php?data=" ascii wide
        $cnc3 = "http://78.111.169.146/index.php?data=" ascii wide
        $cnc4 = "http://mypremierfutbol.com/index.php?data=" ascii wide
        // Registry path and value name the sample references; both are required.
        // NOTE(review): these read like generic Windows "MS-DOS Emulation" key
        // names and could plausibly occur in legitimate components - measure the
        // false-positive rate of this group on clean system binaries before
        // relying on it in isolation.
        $regkey1  =  "Software\\Microsoft\\Windows\\CurrentVersion\\MS-DOS Emulation" ascii wide
        $regkey2  =  "NTVDMParams" ascii wide
        // Code patterns; the name suggests overlap with FlowerShop (cf. the
        // Chronicle reference on this page) - presumed, not verifiable here.
        // All six are required for this group to fire.
        // NOTE(review): "5068" in $flowerOverlap3 is two bytes (0x50 0x68); the
        // rule is valid, but writing them as "50 68" would read more clearly.
        $flowerOverlap1 = { 85 C0 75 3B 57 FF 75 1C FF 75 18 FF 75 14 50 FF 75 10 FF 75 FC FF 15 }
        $flowerOverlap2 = { 85 C0 75 4C 8B 45 1C 89 45 0C 8D 45 0C 50 8D 45 08 FF 75 18 50 6A 00 FF 75 10 FF 75 20 FF 15 }
        $flowerOverlap3  = { 55 8B EC 53 56 8B 75 20 85 F6 74 03 83 26 00 8D 45 20 5068 19 00 02 00 6A 00 FF 75 0C FF 75 08 }
        $flowerOverlap4  = { 55 8B EC 51 8D 4D FC 33 C0 51 50 6A 26 50 89 45 FC FF 15 }
        $flowerOverlap5  = { 85 DB 74 04 8B C3 EB 1A 8B 45 08 3B 45 14 74 07 B8 5D 06 00 00 EB 0B 85 F6 74 05 8B 45 0C 89 06 }
        $flowerOverlap6  = {   85 FF 74 12 83 7D F8 01 75 0C FF 75 0C FF 75 08 FF 15 }
    condition:
        // Any single group is sufficient: all code overlaps, or 2 C2 URLs, or
        // both registry strings.
        all of  ($flowerOverlap*) or 2 of ($cnc*) or all of  ($regkey*)
}
[TLP:WHITE] win_stuxnet_w1   (20190418 | No description)
rule win_stuxnet_w1 {
    // Matches the OS-check routine that, per desc, is shared by STUXSHOP and
    // CheshireCat; a hit therefore does not by itself tell the two apart.
    // NOTE(review): the meta key is "desc" here, while the other rules on this
    // page use "description"; tooling that reads "description" will see none.
    meta:
        author = "Silas Cutler (havex@Chronicle.Security)"
        desc = "Identifies the OS Check function in STUXSHOP and CheshireCat"
        hash = "c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet"
        malpedia_version = "20190418"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Two anonymous code patterns. "??" masks bytes that differ between
        // builds; the "?? ?? ?? 10" groups look like 32-bit absolute addresses
        // with the image-base byte kept - presumed from the layout, confirm.
        $ = {10 F7 D8 1B C0 83 C0 ?? E9 ?? 01 00 00 39 85 7C FF FF FF 0F 85 ?? 01 00 00 83 BD 70 FF FF FF 04 8B 8D 74 FF FF FF 75 0B 85 C9 0F 85 ?? 01 00 00 6A 05 5E }
        $ = {01 00 00 3B FA 0F 84 ?? 01 00 00 80 7D 80 00 B1 62 74 1D 6A 0D 8D 45 80 68 ?? ?? ?? 10 50 FF 15 ?? ?? ?? 10 83 C4 0C B1 6F 85 C0 75 03 8A 4D 8D 8B C6 }
    condition:
        // Either pattern on its own is sufficient.
        any of them
}