SYMBOLCOMMON_NAMEaka. SYNONYMS
win.subzero (Back to overview)

Subzero

aka: Corelump, Jumplump

There is no description at this point.

References
2022-07-27MicrosoftMicrosoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), RiskIQ
@online{mstic:20220727:untangling:27dd5d0, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) and RiskIQ}, title = {{Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits}}, date = {2022-07-27}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/}, language = {English}, urldate = {2022-08-15} } Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits
Subzero
2021-12-17DSIRFDSIRF
@techreport{dsirf:20211217:dsirf:2c4b5ce, author = {DSIRF}, title = {{DSIRF Company Presentation}}, date = {2021-12-17}, institution = {DSIRF}, url = {https://cdn.netzpolitik.org/wp-upload/2021/12/2018-08-28_DSIRF_Company-Profile-Gov.redacted.pdf}, language = {English}, urldate = {2022-08-01} } DSIRF Company Presentation
Subzero
2021-12-17Netzpolitik.orgAndre Meister
@online{meister:20211217:wir:b75b5ff, author = {Andre Meister}, title = {{Wir enthüllen den Staatstrojaner „Subzero“ aus Österreich}}, date = {2021-12-17}, organization = {Netzpolitik.org}, url = {https://netzpolitik.org/2021/dsirf-wir-enthuellen-den-staatstrojaner-subzero-aus-oesterreich/}, language = {Deutsch}, urldate = {2022-08-01} } Wir enthüllen den Staatstrojaner „Subzero“ aus Österreich
Subzero
2021-11-19FOCUSJan-Philipp Hein
@online{hein:20211119:im:ebe4c69, author = {Jan-Philipp Hein}, title = {{Im Rätsel um gruselige Spionage-Software führt die Spur über Wirecard in den Kreml}}, date = {2021-11-19}, organization = {FOCUS}, url = {https://www.focus.de/politik/vorab-aus-dem-focus-volle-kontrolle-ueber-zielcomputer-das-raetsel-um-die-spionage-app-fuehrt-ueber-wirecard-zu-putin_id_24442733.html}, language = {German}, urldate = {2022-08-01} } Im Rätsel um gruselige Spionage-Software führt die Spur über Wirecard in den Kreml
Subzero
Yara Rules
[TLP:WHITE] win_subzero_auto (20230808 | Detects win.subzero.)
rule win_subzero_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.subzero."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.subzero"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 99 2bc2 d1f8 f7d8 8bc8 e9???????? 8bc2 }
            // n = 7, score = 100
            //   99                   | nop                 dword ptr [eax + eax]
            //   2bc2                 | dec                 eax
            //   d1f8                 | mov                 dword ptr [esp + 0x50], ebx
            //   f7d8                 | inc                 ebp
            //   8bc8                 | movzx               eax, byte ptr [ebp]
            //   e9????????           |                     
            //   8bc2                 | inc                 ebp

        $sequence_1 = { c6411800 498bcb 498b5108 488b5208 e8???????? 498b4108 e9???????? }
            // n = 7, score = 100
            //   c6411800             | nop                 dword ptr [eax + eax]
            //   498bcb               | dec                 eax
            //   498b5108             | and                 dword ptr [ebx + 0x10], 0
            //   488b5208             | dec                 eax
            //   e8????????           |                     
            //   498b4108             | mov                 ecx, ebx
            //   e9????????           |                     

        $sequence_2 = { 33db 48ff15???????? 0f1f440000 85c0 7409 8a5c2424 f6d3 }
            // n = 7, score = 100
            //   33db                 | dec                 esp
            //   48ff15????????       |                     
            //   0f1f440000           | mov                 esi, edx
            //   85c0                 | dec                 eax
            //   7409                 | mov                 ebx, ecx
            //   8a5c2424             | jne                 0x15152
            //   f6d3                 | dec                 eax

        $sequence_3 = { e8???????? 488b4b30 4885c9 7405 e8???????? 488b4b10 4885c9 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488b4b30             | sub                 eax, ecx
            //   4885c9               | mov                 dword ptr [ebp - 0xd], 2
            //   7405                 | dec                 ecx
            //   e8????????           |                     
            //   488b4b10             | mov                 ecx, dword ptr [edx + 0x20]
            //   4885c9               | mov                 dword ptr [ebp - 1], 0x3c

        $sequence_4 = { 48ff15???????? 0f1f440000 8b55a8 2b55a0 8b4dac 2b4da4 2b4c2450 }
            // n = 7, score = 100
            //   48ff15????????       |                     
            //   0f1f440000           | nop                 dword ptr [eax + eax]
            //   8b55a8               | or                  eax, 0xff000000
            //   2b55a0               | dec                 esp
            //   8b4dac               | mov                 dword ptr [ebp + 0x77], ebp
            //   2b4da4               | xor                 edx, edx
            //   2b4c2450             | inc                 ebp

        $sequence_5 = { 0f2945f7 f20f104dc7 f20f114d07 0f1045cf 0f294517 f20f104ddf f20f114d27 }
            // n = 7, score = 100
            //   0f2945f7             | dec                 ecx
            //   f20f104dc7           | mov                 dword ptr [esi + 0xf0], ebp
            //   f20f114d07           | dec                 ecx
            //   0f1045cf             | mov                 dword ptr [esi + 0xf8], ebp
            //   0f294517             | dec                 ecx
            //   f20f104ddf           | mov                 dword ptr [esi + 0x100], ebp
            //   f20f114d27           | inc                 cx

        $sequence_6 = { f7d3 81e305400080 488d4c2420 e8???????? 488b742458 8bc3 488b5c2450 }
            // n = 7, score = 100
            //   f7d3                 | je                  0x14a1
            //   81e305400080         | cmp                 byte ptr [ebx + 0x5ac], 0
            //   488d4c2420           | dec                 eax
            //   e8????????           |                     
            //   488b742458           | lea                 edx, [esp + 0x58]
            //   8bc3                 | dec                 eax
            //   488b5c2450           | mov                 ecx, ebp

        $sequence_7 = { 498bca e8???????? 8bd8 488d4da7 e8???????? 85db 791d }
            // n = 7, score = 100
            //   498bca               | mov                 dword ptr [ebp - 0x10], eax
            //   e8????????           |                     
            //   8bd8                 | dec                 ecx
            //   488d4da7             | mov                 esi, ecx
            //   e8????????           |                     
            //   85db                 | dec                 ebp
            //   791d                 | mov                 esi, eax

        $sequence_8 = { 488b01 488b4038 ff15???????? 90 488d4de0 e8???????? 85ff }
            // n = 7, score = 100
            //   488b01               | dec                 eax
            //   488b4038             | lea                 ecx, [esp + 0x60]
            //   ff15????????         |                     
            //   90                   | nop                 
            //   488d4de0             | dec                 eax
            //   e8????????           |                     
            //   85ff                 | lea                 ecx, [esp + 0x70]

        $sequence_9 = { e8???????? 488b4b30 4c8d442458 33d2 e8???????? 488b4c2450 408af8 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488b4b30             | lea                 eax, [0x11e2f]
            //   4c8d442458           | dec                 eax
            //   33d2                 | mov                 dword ptr [ebx + 0x10], eax
            //   e8????????           |                     
            //   488b4c2450           | dec                 eax
            //   408af8               | test                ecx, ecx

    condition:
        7 of them and filesize < 1420288
}
Download all Yara Rules