win.svcready (Back to overview)

SVCReady


According to PCrisk, SVCReady collects information about the infected system such as username, computer name, time zone, computer manufacturer, BIOS, and firmware. Also, it gathers lists of running processes and installed software. SVCReady sends collected data to the C2 server. Additionally, SVCReady attempts to maintain its foothold on the system by creating a scheduled task.

References
2022-06-10 — Soc Investigation — Vignesh Bhaaskaran
New SVCReady malware loads from Word doc properties – Detection & Response
SVCReady
2022-06-06 — HP — Patrick Schläpfer
SVCReady: A New Loader Gets Ready
SVCReady
Yara Rules
[TLP:WHITE] win_svcready_auto (20230808 | Detects win.svcready.)
rule win_svcready_auto {

    /* Auto-generated code-sequence rule for win.svcready (see meta: tool /
     * info).  The ten $sequence_* strings are short x86 opcode runs taken
     * from the disassembly of unpacked samples or memory dumps; in the
     * per-sequence annotations "n" is the number of instructions in the run
     * and "score" is a value assigned by the generator (500 for every
     * sequence in this rule).  Bytes written as ?? are wildcards: the
     * generator masks the 4-byte operands of e8 (call rel32) and 68
     * (push imm32), so the sequences are not tied to one link address.
     * NOTE(review): the meta dates disagree (date = 2023-12-06 vs.
     * malpedia_version = 20230808 / malpedia_rule_date = 20231130); which
     * one is the actual generation date cannot be told from the rule alone.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.svcready."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.svcready"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // xor / ror register mixing (same flavour as $sequence_5 and
        // $sequence_6); presumably an inlined hashing or encoding routine,
        // not verified against the samples
        $sequence_0 = { 33c8 c1ca0d 33ce 8bc3 33c1 c1ce03 894c2418 }
            // n = 7, score = 500
            //   33c8                 | xor                 ecx, eax
            //   c1ca0d               | ror                 edx, 0xd
            //   33ce                 | xor                 ecx, esi
            //   8bc3                 | mov                 eax, ebx
            //   33c1                 | xor                 eax, ecx
            //   c1ce03               | ror                 esi, 3
            //   894c2418             | mov                 dword ptr [esp + 0x18], ecx

        // zero-initialises [ecx+0x10] and writes 0xf to [ecx+0x14] around a
        // masked push imm32 / call rel32 pair
        $sequence_1 = { 83611000 c741140f000000 68???????? c60100 e8???????? 8365fc00 }
            // n = 6, score = 500
            //   83611000             | and                 dword ptr [ecx + 0x10], 0
            //   c741140f000000       | mov                 dword ptr [ecx + 0x14], 0xf
            //   68????????           |                     
            //   c60100               | mov                 byte ptr [ecx], 0
            //   e8????????           |                     
            //   8365fc00             | and                 dword ptr [ebp - 4], 0

        // stack clean-up (two pops) followed by storing ebx into three
        // consecutive locals at [ebp-0x40..-0x38]
        $sequence_2 = { 59 59 895dc0 895dc4 895dc8 8b4df4 8bc6 }
            // n = 7, score = 500
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   895dc0               | mov                 dword ptr [ebp - 0x40], ebx
            //   895dc4               | mov                 dword ptr [ebp - 0x3c], ebx
            //   895dc8               | mov                 dword ptr [ebp - 0x38], ebx
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8bc6                 | mov                 eax, esi

        // 8-byte-stride table store ([ecx + edx*8]) followed by a masked call
        $sequence_3 = { 8904d1 56 ff742410 8d4f04 e8???????? 8b44240c 5f }
            // n = 7, score = 500
            //   8904d1               | mov                 dword ptr [ecx + edx*8], eax
            //   56                   | push                esi
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   8d4f04               | lea                 ecx, [edi + 4]
            //   e8????????           |                     
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   5f                   | pop                 edi

        // byte compare against 0x7f with a backward jne (negative
        // displacement, i.e. a loop back-edge over a byte buffer)
        $sequence_4 = { 8bd8 8a0b 80f97f 0f855fffffff 8b54240c 8b4d18 }
            // n = 6, score = 500
            //   8bd8                 | mov                 ebx, eax
            //   8a0b                 | mov                 cl, byte ptr [ebx]
            //   80f97f               | cmp                 cl, 0x7f
            //   0f855fffffff         | jne                 0xffffff65
            //   8b54240c             | mov                 edx, dword ptr [esp + 0xc]
            //   8b4d18               | mov                 ecx, dword ptr [ebp + 0x18]

        // ror / shl / xor register mixing, see $sequence_0
        $sequence_5 = { d1cb 33d5 8bc7 c1e003 33da c1cd07 }
            // n = 6, score = 500
            //   d1cb                 | ror                 ebx, 1
            //   33d5                 | xor                 edx, ebp
            //   8bc7                 | mov                 eax, edi
            //   c1e003               | shl                 eax, 3
            //   33da                 | xor                 ebx, edx
            //   c1cd07               | ror                 ebp, 7

        // xor / or register mixing, see $sequence_0
        $sequence_6 = { 33c3 8bd7 33c5 0bd3 8bda 0bd1 33d9 }
            // n = 7, score = 500
            //   33c3                 | xor                 eax, ebx
            //   8bd7                 | mov                 edx, edi
            //   33c5                 | xor                 eax, ebp
            //   0bd3                 | or                  edx, ebx
            //   8bda                 | mov                 ebx, edx
            //   0bd1                 | or                  edx, ecx
            //   33d9                 | xor                 ebx, ecx

        // two masked calls around a 0x14-byte stack adjustment and a short jmp
        $sequence_7 = { e8???????? 83c414 eb1a 53 57 e8???????? 668b442430 }
            // n = 7, score = 500
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   eb1a                 | jmp                 0x1c
            //   53                   | push                ebx
            //   57                   | push                edi
            //   e8????????           |                     
            //   668b442430           | mov                 ax, word ptr [esp + 0x30]

        // argument set-up: pushes [ebp+8], ebx and 0x10, then reserves 0x18
        // bytes of stack and takes its address in ecx
        $sequence_8 = { c645fc01 8d45d8 ff7508 53 6a10 83ec18 8bcc }
            // n = 7, score = 500
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   53                   | push                ebx
            //   6a10                 | push                0x10
            //   83ec18               | sub                 esp, 0x18
            //   8bcc                 | mov                 ecx, esp

        // either forces ebx to 0x7fffffff or clamps it to max(ebx, 0x16) via
        // cmp/cmovb, then forms ebx+1 in ecx; presumably a size computation,
        // not verified
        $sequence_9 = { 7607 bbffffff7f eb0a b816000000 3bd8 0f42d8 8d4b01 }
            // n = 7, score = 500
            //   7607                 | jbe                 9
            //   bbffffff7f           | mov                 ebx, 0x7fffffff
            //   eb0a                 | jmp                 0xc
            //   b816000000           | mov                 eax, 0x16
            //   3bd8                 | cmp                 ebx, eax
            //   0f42d8               | cmovb               ebx, eax
            //   8d4b01               | lea                 ecx, [ebx + 1]

    condition:
        // at least 7 of the 10 sequences must be present, and the scanned
        // file must be smaller than 1187840 bytes (1160 KiB): a larger
        // object is never flagged no matter how many sequences it contains
        7 of them and filesize < 1187840
}
[TLP:WHITE] win_svcready_w0   (20220609 | packed SVCReady / win.svcready)
rule win_svcready_w0 {
    /*
     * Hand-written rule (@AndreGironda, 2022-06-08) for a packed SVCReady
     * sample; meta.hash holds a 32-hex-digit (MD5-length) sample hash.
     * All four patterns are plain ASCII status / error messages, written
     * here as text strings (byte-for-byte the same as the original hex
     * strings).  The messages name a "RunPEDllNative" component and talk
     * about PE relocations, so they appear to belong to the packer / loader
     * layer rather than to SVCReady's own code; presumably other families
     * shipped with the same loader would match too — verify against a
     * corpus before assigning this rule a high confidence level.
     */
    meta:
        author = "@AndreGironda"
        description = "packed SVCReady / win.svcready"
        hash = "76d69ec491c0711f6cc60fbafcabf095"
        date = "June 8, 2022"
        tlp = "White"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.svcready"
        malpedia_rule_date = "20220608"
        malpedia_hash = ""
        malpedia_version = "20220609"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // original identifiers were $hex_1003b3e0 / $hex_1003b424 /
        // $hex_1003c234 / $hex_1003c2cc; the suffix presumably is the
        // address at which each message was found in the sample
        $msg_no_reloc   = "RunPEDllNative::File has no relocation"
        $msg_deploy     = "Payload deployment failed, stopping"
        // this pattern runs past the newline and NUL terminator of the
        // format string into the first bytes of the following message
        // ("[-] "), so it only matches when the two strings are laid out
        // back-to-back exactly as in the reference sample
        $msg_reloc_fmt  = "Not supported relocations format at %d: %d\n\x00[-] "
        $msg_reloc_addr = "Invalid address of relocations block"

    condition:
        // every message must be present
        all of ($msg_*)
}