SYMBOLCOMMON_NAMEaka. SYNONYMS
win.subzero (Back to overview)

Subzero

aka: Corelump, Jumplump

There is no description at this point.

References
2022-07-27MicrosoftMicrosoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), RiskIQ
@online{mstic:20220727:untangling:27dd5d0, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) and RiskIQ}, title = {{Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits}}, date = {2022-07-27}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/}, language = {English}, urldate = {2022-08-15} } Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits
Subzero
2021-12-17DSIRFDSIRF
@techreport{dsirf:20211217:dsirf:2c4b5ce, author = {DSIRF}, title = {{DSIRF Company Presentation}}, date = {2021-12-17}, institution = {DSIRF}, url = {https://cdn.netzpolitik.org/wp-upload/2021/12/2018-08-28_DSIRF_Company-Profile-Gov.redacted.pdf}, language = {English}, urldate = {2022-08-01} } DSIRF Company Presentation
Subzero
2021-12-17Netzpolitik.orgAndre Meister
@online{meister:20211217:wir:b75b5ff, author = {Andre Meister}, title = {{Wir enthüllen den Staatstrojaner „Subzero“ aus Österreich}}, date = {2021-12-17}, organization = {Netzpolitik.org}, url = {https://netzpolitik.org/2021/dsirf-wir-enthuellen-den-staatstrojaner-subzero-aus-oesterreich/}, language = {Deutsch}, urldate = {2022-08-01} } Wir enthüllen den Staatstrojaner „Subzero“ aus Österreich
Subzero
2021-11-19FOCUSJan-Philipp Hein
@online{hein:20211119:im:ebe4c69, author = {Jan-Philipp Hein}, title = {{Im Rätsel um gruselige Spionage-Software führt die Spur über Wirecard in den Kreml}}, date = {2021-11-19}, organization = {FOCUS}, url = {https://www.focus.de/politik/vorab-aus-dem-focus-volle-kontrolle-ueber-zielcomputer-das-raetsel-um-die-spionage-app-fuehrt-ueber-wirecard-zu-putin_id_24442733.html}, language = {German}, urldate = {2022-08-01} } Im Rätsel um gruselige Spionage-Software führt die Spur über Wirecard in den Kreml
Subzero
Yara Rules
[TLP:WHITE] win_subzero_auto (20230407 | Detects win.subzero.)
rule win_subzero_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.subzero."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.subzero"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4c8d4c2460 4c8bc6 488b13 e8???????? 488b4c2458 85c0 0f8831bb0100 }
            // n = 7, score = 100
            //   4c8d4c2460           | dec                 eax
            //   4c8bc6               | mov                 ecx, dword ptr [edi]
            //   488b13               | dec                 eax
            //   e8????????           |                     
            //   488b4c2458           | mov                 dword ptr [ecx], eax
            //   85c0                 | dec                 eax
            //   0f8831bb0100         | and                 dword ptr [edi], 0

        $sequence_1 = { 488bc7 ff15???????? 8bd8 85c0 0f889e360200 498b5f78 488b03 }
            // n = 7, score = 100
            //   488bc7               | and                 dword ptr [esp + 0x34], 0
            //   ff15????????         |                     
            //   8bd8                 | inc                 ebp
            //   85c0                 | xor                 ecx, ecx
            //   0f889e360200         | dec                 eax
            //   498b5f78             | and                 dword ptr [ecx + 0x590], 0
            //   488b03               | inc                 ecx

        $sequence_2 = { e8???????? 4c8d5c2450 8bc3 498b5b20 498b6b28 498b7330 498be3 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4c8d5c2450           | lea                 eax, [0x184d9]
            //   8bc3                 | dec                 eax
            //   498b5b20             | mov                 dword ptr [ebp + 0x200], eax
            //   498b6b28             | dec                 eax
            //   498b7330             | lea                 edx, [ebp - 0x80]
            //   498be3               | dec                 eax

        $sequence_3 = { 488d542448 488d4c2450 e8???????? 8bd8 85c0 0f886c770100 488b4c2448 }
            // n = 7, score = 100
            //   488d542448           | dec                 esp
            //   488d4c2450           | mov                 eax, dword ptr [esi]
            //   e8????????           |                     
            //   8bd8                 | dec                 eax
            //   85c0                 | mov                 ecx, eax
            //   0f886c770100         | dec                 eax
            //   488b4c2448           | mov                 edi, eax

        $sequence_4 = { e8???????? eb0c 488b03 33db 488987d8000000 4885f6 740f }
            // n = 7, score = 100
            //   e8????????           |                     
            //   eb0c                 | dec                 eax
            //   488b03               | mov                 dword ptr [esp + 0x28], eax
            //   33db                 | dec                 eax
            //   488987d8000000       | lea                 eax, [ebp - 0x80]
            //   4885f6               | dec                 eax
            //   740f                 | lea                 eax, [ebp - 0x74]

        $sequence_5 = { e8???????? 90 8bc7 488b5c2458 4883c430 415e 5f }
            // n = 7, score = 100
            //   e8????????           |                     
            //   90                   | dec                 eax
            //   8bc7                 | lea                 ecx, [ebx + 8]
            //   488b5c2458           | dec                 eax
            //   4883c430             | lea                 eax, [ebp + 0x20]
            //   415e                 | dec                 eax
            //   5f                   | mov                 dword ptr [esp + 0x28], eax

        $sequence_6 = { e8???????? 8bd8 85c0 7956 488b4d5f 448bc8 4c8d05c1470500 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bd8                 | lea                 eax, [esp + 0x48]
            //   85c0                 | xor                 edx, edx
            //   7956                 | dec                 esp
            //   488b4d5f             | lea                 ecx, [0x1643a]
            //   448bc8               | dec                 eax
            //   4c8d05c1470500       | mov                 dword ptr [esp + 0x20], eax

        $sequence_7 = { 90 488d05e6f20500 48894310 8b4b28 85c9 0f85978c0300 488d4b30 }
            // n = 7, score = 100
            //   90                   | dec                 esp
            //   488d05e6f20500       | mov                 dword ptr [eax - 0x28], edi
            //   48894310             | dec                 eax
            //   8b4b28               | cmp                 esi, ebx
            //   85c9                 | je                  0x21c50
            //   0f85978c0300         | dec                 eax
            //   488d4b30             | mov                 eax, ebx

        $sequence_8 = { 7406 e8???????? 90 488b4b08 4885c9 7406 e8???????? }
            // n = 7, score = 100
            //   7406                 | dec                 eax
            //   e8????????           |                     
            //   90                   | mov                 dword ptr [edi + 0x10], eax
            //   488b4b08             | dec                 edx
            //   4885c9               | lea                 eax, [ebx + esi*8]
            //   7406                 | dec                 eax
            //   e8????????           |                     

        $sequence_9 = { bb05400080 4885c9 7411 4c8975cf 488b01 488b4010 ff15???????? }
            // n = 7, score = 100
            //   bb05400080           | dec                 eax
            //   4885c9               | mov                 edx, esi
            //   7411                 | dec                 eax
            //   4c8975cf             | mov                 eax, dword ptr [ecx]
            //   488b01               | dec                 eax
            //   488b4010             | mov                 eax, dword ptr [eax + 0x28]
            //   ff15????????         |                     

    condition:
        7 of them and filesize < 1420288
}
Download all Yara Rules