win.svcready

SVCReady


According to PCrisk, SVCReady collects information about the infected system such as the username, computer name, time zone, computer manufacturer, BIOS, and firmware. It also gathers lists of running processes and installed software. SVCReady sends the collected data to its C2 server. Additionally, SVCReady attempts to maintain its foothold on the system by creating a scheduled task.

References
2022-06-10 — Soc Investigation — Vignesh Bhaaskaran
New SVCReady malware loads from Word doc properties – Detection & Response
SVCReady
2022-06-06 — HP — Patrick Schläpfer
SVCReady: A New Loader Gets Ready
SVCReady
Yara Rules
[TLP:WHITE] win_svcready_auto (20260504 | Detects win.svcready.)
rule win_svcready_auto {
    // Autogenerated code-sequence signature for the SVCReady loader (win.svcready).
    // Each $sequence_N is a short run of x86 instruction bytes selected by
    // yara-signator from unpacked / memory-dumped samples (see DISCLAIMER below);
    // the "??" bytes are wildcards covering call/jump displacements, so a match
    // does not depend on where the code was loaded or linked.
    // Because the sequences come from unpacked code, expect matches on memory
    // dumps or unpacked samples rather than on a packed on-disk file
    // (win_svcready_w0 on this page targets the packed form via its strings).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.svcready."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.svcready"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Matching is on the raw instruction bytes; the comment block under each
        // sequence is the disassembly yara-signator recorded for it
        // (n = number of instructions in the sequence, score = presumably the
        // generator's selection score for it). Lines whose mnemonic column is
        // blank are the wildcarded relative calls (e8 ?? ?? ?? ??).
        $sequence_0 = { 8365fc00 8b7508 3b750c 7411 0fb606 50 8bcf }
            // n = 7, score = 500
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   3b750c               | cmp                 esi, dword ptr [ebp + 0xc]
            //   7411                 | je                  0x13
            //   0fb606               | movzx               eax, byte ptr [esi]
            //   50                   | push                eax
            //   8bcf                 | mov                 ecx, edi

        $sequence_1 = { 51 e8???????? 83c408 8b7508 8d4514 }
            // n = 5, score = 500
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8d4514               | lea                 eax, [ebp + 0x14]

        $sequence_2 = { 8bce e8???????? 014610 115e14 8b4710 }
            // n = 5, score = 500
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   014610               | add                 dword ptr [esi + 0x10], eax
            //   115e14               | adc                 dword ptr [esi + 0x14], ebx
            //   8b4710               | mov                 eax, dword ptr [edi + 0x10]

        $sequence_3 = { 8b0438 03c7 ffd0 0faf45dc 50 e8???????? }
            // n = 6, score = 500
            //   8b0438               | mov                 eax, dword ptr [eax + edi]
            //   03c7                 | add                 eax, edi
            //   ffd0                 | call                eax
            //   0faf45dc             | imul                eax, dword ptr [ebp - 0x24]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_4 = { 894c2410 8be9 c1ce03 33d7 89742414 8bc6 }
            // n = 6, score = 500
            //   894c2410             | mov                 dword ptr [esp + 0x10], ecx
            //   8be9                 | mov                 ebp, ecx
            //   c1ce03               | ror                 esi, 3
            //   33d7                 | xor                 edx, edi
            //   89742414             | mov                 dword ptr [esp + 0x14], esi
            //   8bc6                 | mov                 eax, esi

        $sequence_5 = { 8b4dd8 85c9 741a 8b45e0 2bc1 83e0fc 50 }
            // n = 7, score = 500
            //   8b4dd8               | mov                 ecx, dword ptr [ebp - 0x28]
            //   85c9                 | test                ecx, ecx
            //   741a                 | je                  0x1c
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   2bc1                 | sub                 eax, ecx
            //   83e0fc               | and                 eax, 0xfffffffc
            //   50                   | push                eax

        $sequence_6 = { c645fc01 8d45d8 ff7508 53 6a10 83ec18 8bcc }
            // n = 7, score = 500
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   53                   | push                ebx
            //   6a10                 | push                0x10
            //   83ec18               | sub                 esp, 0x18
            //   8bcc                 | mov                 ecx, esp

        $sequence_7 = { 7449 57 e8???????? 6a05 5f 3bc7 7239 }
            // n = 7, score = 500
            //   7449                 | je                  0x4b
            //   57                   | push                edi
            //   e8????????           |                     
            //   6a05                 | push                5
            //   5f                   | pop                 edi
            //   3bc7                 | cmp                 eax, edi
            //   7239                 | jb                  0x3b

        $sequence_8 = { 5f 5e 5b c9 c21400 51 ff750c }
            // n = 7, score = 500
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c21400               | ret                 0x14
            //   51                   | push                ecx
            //   ff750c               | push                dword ptr [ebp + 0xc]

        $sequence_9 = { 8b5c2414 8b742410 6a0b 59 0fb6440c1c 0fa4f308 99 }
            // n = 7, score = 500
            //   8b5c2414             | mov                 ebx, dword ptr [esp + 0x14]
            //   8b742410             | mov                 esi, dword ptr [esp + 0x10]
            //   6a0b                 | push                0xb
            //   59                   | pop                 ecx
            //   0fb6440c1c           | movzx               eax, byte ptr [esp + ecx + 0x1c]
            //   0fa4f308             | shld                ebx, esi, 8
            //   99                   | cdq                 

    condition:
        // Any 7 of the 10 sequences must be present, so a few sequences that
        // changed (e.g. a recompiled or patched function) do not defeat the
        // rule. The size cap (1187840 bytes, about 1.13 MiB) skips large
        // files and keeps false positives on unrelated executables down.
        7 of them and filesize < 1187840
}
[TLP:WHITE] win_svcready_w0   (20220609 | packed SVCReady / win.svcready)
rule win_svcready_w0 { 
   // Hand-written rule for the packed form of SVCReady (win.svcready). Unlike the
   // autogenerated code-sequence rule, it keys on plain-ASCII status strings of the
   // loader/packer stub; each hex pattern is decoded in the comment above it.
   // The "hash" meta is a 32-hex-character value (MD5 length), and the
   // $hex_<offset> names appear to carry each string's location in that sample
   // -- treat the offsets as informational only.
   meta: 
        author = "@AndreGironda"
        description = "packed SVCReady / win.svcready"
        hash = "76d69ec491c0711f6cc60fbafcabf095"
        date = "June 8, 2022"
        tlp = "White"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.svcready"
        malpedia_rule_date = "20220608"
        malpedia_hash = ""
        malpedia_version = "20220609"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

   strings:
        // "RunPEDllNative::File has no relocation"
        $hex_1003b3e0 = { 52 75 6e 50 45 44 6c 6c 4e 61 74 69 76 65 3a 3a 46 69 6c 65 20 68 61 73 20 6e 6f 20 72 65 6c 6f 63 61 74 69 6f 6e }
        // "Payload deployment failed, stopping"
        $hex_1003b424 = { 50 61 79 6c 6f 61 64 20 64 65 70 6c 6f 79 6d 65 6e 74 20 66 61 69 6c 65 64 2c 20 73 74 6f 70 70 69 6e 67 }
        // "Not supported relocations format at %d: %d\n" followed by a NUL (00) and
        // the bytes "[-] " -- i.e. the pattern runs past the end of one string
        // constant into the start of the next, so it only matches when the two
        // are laid out contiguously as in the referenced sample.
        $hex_1003c234 = { 4e 6f 74 20 73 75 70 70 6f 72 74 65 64 20 72 65 6c 6f 63 61 74 69 6f 6e 73 20 66 6f 72 6d 61 74 20 61 74 20 25 64 3a 20 25 64 0a 00 5b 2d 5d 20 }
        // "Invalid address of relocations block"
        $hex_1003c2cc = { 49 6e 76 61 6c 69 64 20 61 64 64 72 65 73 73 20 6f 66 20 72 65 6c 6f 63 61 74 69 6f 6e 73 20 62 6c 6f 63 6b }

   condition:
        // All four strings are required; a sample that carries only a subset of
        // them, or that has the strings obfuscated or encrypted, will not match.
        all of them
}