SYMBOLCOMMON_NAMEaka. SYNONYMS
win.subzero (Back to overview)

Subzero

aka: Corelump, Jumplump

There is no description at this point.

References
2022-07-27MicrosoftMicrosoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), RiskIQ
@online{mstic:20220727:untangling:27dd5d0, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) and RiskIQ}, title = {{Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits}}, date = {2022-07-27}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/}, language = {English}, urldate = {2022-08-15} } Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits
Subzero
2021-12-17DSIRFDSIRF
@techreport{dsirf:20211217:dsirf:2c4b5ce, author = {DSIRF}, title = {{DSIRF Company Presentation}}, date = {2021-12-17}, institution = {DSIRF}, url = {https://cdn.netzpolitik.org/wp-upload/2021/12/2018-08-28_DSIRF_Company-Profile-Gov.redacted.pdf}, language = {English}, urldate = {2022-08-01} } DSIRF Company Presentation
Subzero
2021-12-17Netzpolitik.orgAndre Meister
@online{meister:20211217:wir:b75b5ff, author = {Andre Meister}, title = {{Wir enthüllen den Staatstrojaner „Subzero“ aus Österreich}}, date = {2021-12-17}, organization = {Netzpolitik.org}, url = {https://netzpolitik.org/2021/dsirf-wir-enthuellen-den-staatstrojaner-subzero-aus-oesterreich/}, language = {Deutsch}, urldate = {2022-08-01} } Wir enthüllen den Staatstrojaner „Subzero“ aus Österreich
Subzero
2021-11-19FOCUSJan-Philipp Hein
@online{hein:20211119:im:ebe4c69, author = {Jan-Philipp Hein}, title = {{Im Rätsel um gruselige Spionage-Software führt die Spur über Wirecard in den Kreml}}, date = {2021-11-19}, organization = {FOCUS}, url = {https://www.focus.de/politik/vorab-aus-dem-focus-volle-kontrolle-ueber-zielcomputer-das-raetsel-um-die-spionage-app-fuehrt-ueber-wirecard-zu-putin_id_24442733.html}, language = {German}, urldate = {2022-08-01} } Im Rätsel um gruselige Spionage-Software führt die Spur über Wirecard in den Kreml
Subzero
Yara Rules
[TLP:WHITE] win_subzero_auto (20230125 | Detects win.subzero.)
rule win_subzero_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.subzero."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.subzero"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { bb09000000 90 488d4bff 4885c9 7416 420fb71400 }
            // n = 6, score = 100
            //   bb09000000           | dec                 eax
            //   90                   | xor                 ecx, esp
            //   488d4bff             | dec                 eax
            //   4885c9               | mov                 ecx, edi
            //   7416                 | nop                 dword ptr [eax + eax]
            //   420fb71400           | xor                 eax, eax

        $sequence_1 = { c745a004000000 4585c0 0f85eae30200 442145a4 488b45a0 8bd1 488945d8 }
            // n = 7, score = 100
            //   c745a004000000       | dec                 eax
            //   4585c0               | lea                 ecx, [ebp + 7]
            //   0f85eae30200         | dec                 eax
            //   442145a4             | mov                 dword ptr [esp + 0x28], ecx
            //   488b45a0             | dec                 eax
            //   8bd1                 | mov                 dword ptr [ebp + 0x40], ecx
            //   488945d8             | mov                 dword ptr [ebp + 0x20], 0x28

        $sequence_2 = { e8???????? 488d5520 488bce 488bc3 ff15???????? 85c0 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   488d5520             | dec                 esp
            //   488bce               | lea                 eax, [ebp + 0x38]
            //   488bc3               | dec                 eax
            //   ff15????????         |                     
            //   85c0                 | lea                 edx, [0x15e61]

        $sequence_3 = { e8???????? 90 e9???????? 498bc7 e9???????? 488b8d68010000 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   90                   | mov                 ecx, dword ptr [ebx + 0x18]
            //   e9????????           |                     
            //   498bc7               | test                ecx, ecx
            //   e9????????           |                     
            //   488b8d68010000       | je                  0x3fd

        $sequence_4 = { ff15???????? 408af0 488d4d48 e8???????? 4084f6 7509 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   408af0               | lea                 eax, [ebp + 0x10]
            //   488d4d48             | dec                 eax
            //   e8????????           |                     
            //   4084f6               | mov                 dword ptr [esp + 0xa0], eax
            //   7509                 | dec                 eax

        $sequence_5 = { e8???????? 488b18 48895c2468 48832000 488b4c2460 4885c9 0f8506440100 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488b18               | sub                 esp, 0x20
            //   48895c2468           | dec                 eax
            //   48832000             | lea                 ebx, [ecx + 0x78]
            //   488b4c2460           | dec                 eax
            //   4885c9               | mov                 dword ptr [edx], 0
            //   0f8506440100         | dec                 eax

        $sequence_6 = { 488b01 488b4010 ff15???????? 90 e9???????? 488b01 488b4010 }
            // n = 7, score = 100
            //   488b01               | mov                 ecx, edi
            //   488b4010             | neg                 ecx
            //   ff15????????         |                     
            //   90                   | inc                 ebp
            //   e9????????           |                     
            //   488b01               | sbb                 eax, eax
            //   488b4010             | inc                 esp

        $sequence_7 = { 48894308 488bf3 488bfb 4889bc2488000000 4885f6 0f844e460100 488b4c2470 }
            // n = 7, score = 100
            //   48894308             | cmp                 dword ptr [esp + 0x30], 1
            //   488bf3               | je                  0x102
            //   488bfb               | xor                 edx, edx
            //   4889bc2488000000     | dec                 eax
            //   4885f6               | mov                 ecx, edi
            //   0f844e460100         | nop                 dword ptr [eax + eax]
            //   488b4c2470           | cmp                 dword ptr [esp + 0x30], 1

        $sequence_8 = { 4c8d05bba20100 66423b0c00 7411 4883c002 bd01000000 4883f806 72e3 }
            // n = 7, score = 100
            //   4c8d05bba20100       | mov                 ecx, 0xffffff
            //   66423b0c00           | cmp                 edx, 0x400
            //   7411                 | cmovbe              eax, ecx
            //   4883c002             | mov                 dword ptr [esp + 0x30], eax
            //   bd01000000           | inc                 ebp
            //   4883f806             | test                esp, esp
            //   72e3                 | je                  0x2ea

        $sequence_9 = { e8???????? 8be8 488b9c24e0000000 b801000000 448933 897b04 f00fc105???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8be8                 | dec                 eax
            //   488b9c24e0000000     | lea                 eax, [ebp + 0x10]
            //   b801000000           | dec                 eax
            //   448933               | mov                 dword ptr [esp + 0x80], eax
            //   897b04               | dec                 eax
            //   f00fc105????????     |                     

    condition:
        7 of them and filesize < 1420288
}
Download all Yara Rules