win.svcready

SVCReady


There is no description at this point. The references below (HP Threat Research and Soc Investigation, June 2022) describe SVCReady as a loader delivered through malicious Word documents that load the malware from the document's properties.

References
2022-06-10 · Soc Investigation · Vignesh Bhaaskaran
@online{bhaaskaran:20220610:new:d2fb70b, author = {Vignesh Bhaaskaran}, title = {{New SVCReady malware loads from Word doc properties – Detection & Response}}, date = {2022-06-10}, organization = {Soc Investigation}, url = {https://www.socinvestigation.com/new-svcready-malware-loads-from-word-doc-properties-detection-response/}, language = {English}, urldate = {2022-06-10} } New SVCReady malware loads from Word doc properties – Detection & Response
SVCReady
2022-06-06 · HP · Patrick Schläpfer
@online{schlpfer:20220606:svcready:c673858, author = {Patrick Schläpfer}, title = {{SVCReady: A New Loader Gets Ready}}, date = {2022-06-06}, organization = {HP}, url = {https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/}, language = {English}, urldate = {2022-06-08} } SVCReady: A New Loader Gets Ready
SVCReady
Yara Rules
[TLP:WHITE] win_svcready_auto (20230125 | Detects win.svcready.)
rule win_svcready_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.svcready."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.svcready"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Every sequence below is 32-bit x86 code (esp/ebp frames, 32-bit
     *   registers). The rule says nothing about a 64-bit build of the loader.
     * - Per the disclaimer the sequences come from unpacked code / memory
     *   dumps; a packed on-disk sample will normally NOT hit this rule. Use
     *   win_svcready_w0 (packer strings) for the on-disk stage and this rule
     *   on the unpacked payload or process memory.
     * - `????????` wildcards stand for call targets (import slots and rel32
     *   displacements) that change between builds and load addresses; they
     *   are what keeps the sequences portable across samples.
     * - Sequences are scored per the generator; the 7-of-10 threshold in the
     *   condition is what tolerates a few generic sequences (see notes on
     *   $sequence_1 below) without firing on unrelated code.
     */

    strings:
        // Two indirect (import-table) calls around a 6-argument push frame.
        $sequence_0 = { ff760c ff15???????? 6a06 8d4c2424 51 50 ff15???????? }
            // n = 7, score = 500
            //   ff760c               | push                dword ptr [esi + 0xc]
            //   ff15????????         | call                dword ptr [<imm32>]   (wildcarded import slot)
            //   6a06                 | push                6
            //   8d4c2424             | lea                 ecx, [esp + 0x24]
            //   51                   | push                ecx
            //   50                   | push                eax
            //   ff15????????         | call                dword ptr [<imm32>]   (wildcarded import slot)

        // Trivial stdcall stub: *arg1 = arg2; ret 8. This shape is ordinary
        // compiler output and will occur in unrelated binaries, so it carries
        // little weight on its own - the 7-of-10 threshold compensates.
        $sequence_1 = { 8b442404 8b4c2408 8908 c20800 8b442404 }
            // n = 5, score = 500
            //   8b442404             | mov                 eax, dword ptr [esp + 4]
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   8908                 | mov                 dword ptr [eax], ecx
            //   c20800               | ret                 8
            //   8b442404             | mov                 eax, dword ptr [esp + 4]

        // Loop tail: increment ebp, compare against a stack-held bound,
        // branch backwards (rel8 0xc0 = -64) while below.
        $sequence_2 = { 8b4c2410 45 8b742414 3b6c2430 72c0 33c0 }
            // n = 6, score = 500
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   45                   | inc                 ebp
            //   8b742414             | mov                 esi, dword ptr [esp + 0x14]
            //   3b6c2430             | cmp                 ebp, dword ptr [esp + 0x30]
            //   72c0                 | jb                  0xffffffc2
            //   33c0                 | xor                 eax, eax

        $sequence_3 = { 56 57 8b7c241c 8bc2 03ff 89442410 }
            // n = 6, score = 500
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7c241c             | mov                 edi, dword ptr [esp + 0x1c]
            //   8bc2                 | mov                 eax, edx
            //   03ff                 | add                 edi, edi
            //   89442410             | mov                 dword ptr [esp + 0x10], eax

        // Round a value down to a 16-byte boundary, pass it with [esi] to a
        // cdecl callee (two pushes, two pops to clean the stack afterwards).
        $sequence_4 = { 83e0f0 50 ff36 e8???????? 33c0 59 59 }
            // n = 7, score = 500
            //   83e0f0               | and                 eax, 0xfffffff0
            //   50                   | push                eax
            //   ff36                 | push                dword ptr [esi]
            //   e8????????           | call                <rel32>               (wildcarded displacement)
            //   33c0                 | xor                 eax, eax
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx

        // not/ror/or/xor/and mixing on several registers - reads like one
        // step of a hash or checksum compression function; TODO confirm
        // which algorithm against the unpacked sample.
        $sequence_5 = { f7d0 c1cd03 8bd1 0bd0 33d7 23f9 21542410 }
            // n = 7, score = 500
            //   f7d0                 | not                 eax
            //   c1cd03               | ror                 ebp, 3
            //   8bd1                 | mov                 edx, ecx
            //   0bd0                 | or                  edx, eax
            //   33d7                 | xor                 edx, edi
            //   23f9                 | and                 edi, ecx
            //   21542410             | and                 dword ptr [esp + 0x10], edx

        // Clamp ebx to at most ebp (cmp + cmovae == min), skip the block if
        // the result is zero. cmovae implies a P6+ target.
        $sequence_6 = { 3bdd 0f43dd 85db 7416 8b0e 03c7 53 }
            // n = 7, score = 500
            //   3bdd                 | cmp                 ebx, ebp
            //   0f43dd               | cmovae              ebx, ebp
            //   85db                 | test                ebx, ebx
            //   7416                 | je                  0x18
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   03c7                 | add                 eax, edi
            //   53                   | push                ebx

        $sequence_7 = { ff7514 8d4dd8 ff7514 ff7510 e8???????? 8365fc00 }
            // n = 6, score = 500
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   e8????????           | call                <rel32>               (wildcarded displacement)
            //   8365fc00             | and                 dword ptr [ebp - 4], 0

        $sequence_8 = { 7504 897c2414 52 51 e8???????? 89442430 b82e000000 }
            // n = 7, score = 500
            //   7504                 | jne                 6
            //   897c2414             | mov                 dword ptr [esp + 0x14], edi
            //   52                   | push                edx
            //   51                   | push                ecx
            //   e8????????           | call                <rel32>               (wildcarded displacement)
            //   89442430             | mov                 dword ptr [esp + 0x30], eax
            //   b82e000000           | mov                 eax, 0x2e

        // Same rotate/xor family as $sequence_5 (ror 13 / ror 3); together
        // they are the most family-specific material in this rule.
        $sequence_9 = { c1cf0d 8bd1 894c2410 8be9 c1ce03 33d7 }
            // n = 6, score = 500
            //   c1cf0d               | ror                 edi, 0xd
            //   8bd1                 | mov                 edx, ecx
            //   894c2410             | mov                 dword ptr [esp + 0x10], ecx
            //   8be9                 | mov                 ebp, ecx
            //   c1ce03               | ror                 esi, 3
            //   33d7                 | xor                 edx, edi

    condition:
        // 1187840 bytes = 1160 KiB (0x122000): an upper bound derived from the
        // generating sample, not a property of the family. NOTE(review): YARA
        // leaves `filesize` undefined when scanning process memory, so this
        // clause can make the rule unmatchable in that mode - confirm for your
        // scanner before relying on it against live processes.
        7 of them and filesize < 1187840
}
[TLP:WHITE] win_svcready_w0   (20220609 | packed SVCReady / win.svcready)
rule win_svcready_w0 {
   meta:
        author = "@AndreGironda"
        description = "packed SVCReady / win.svcready"
        hash = "76d69ec491c0711f6cc60fbafcabf095"
        date = "June 8, 2022"
        tlp = "White"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.svcready"
        malpedia_rule_date = "20220608"
        malpedia_hash = ""
        malpedia_version = "20220609"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

   strings:
        // Each pattern is plain ASCII and is written out as a text string so
        // the analyst can read what is being matched; every one is
        // byte-for-byte the hex pattern of the original rule (default
        // modifiers: ascii, case-sensitive, no wide).
        //
        // NOTE(review): these are error messages of an in-memory PE loader
        // (relocation-table handling, payload deployment). They identify the
        // packer/loader stage the sample was wrapped in - the description
        // scopes the rule to the *packed* form - not SVCReady's own code, so
        // other payloads wrapped by the same loader would hit as well; confirm
        // the family with win_svcready_auto on the unpacked stage.
        $err_no_reloc      = "RunPEDllNative::File has no relocation"
        $err_deploy_failed = "Payload deployment failed, stopping"
        // Format string plus its NUL terminator and the start of the next
        // message ("[-] "), i.e. two adjacent string-table entries.
        $err_reloc_format  = "Not supported relocations format at %d: %d\n\x00[-] "
        $err_reloc_block   = "Invalid address of relocations block"

   condition:
        // No PE-header or size guard on purpose: the rule is also meant to hit
        // memory dumps, where the MZ header may be absent.
        all of ($err_*)
}