win.tiny_turla

TinyTurla

Actor(s): Turla Group


Talos describes this as a malware family with very narrowly scoped functionality and thus a small code footprint, likely used as a second-chance backdoor.

References
2021-09-21 | Talos Intelligence | Talos
@online{talos:20210921:tinyturla:c5f6f90, author = {Talos}, title = {{TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines}}, date = {2021-09-21}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2021/09/tinyturla.html}, language = {English}, urldate = {2021-09-22} } TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines
TinyTurla
Yara Rules
[TLP:WHITE] win_tiny_turla_auto (20211008 | Detects win.tiny_turla.)
rule win_tiny_turla_auto {

    /* Autogenerated code-sequence signature for win.tiny_turla (TinyTurla).
     * Ten hex patterns ($sequence_0 .. $sequence_9) were selected by YARA-Signator
     * from disassembly of memory dumps and unpacked files (see DISCLAIMER below),
     * so the rule describes the unpacked code; a packed or encrypted carrier of
     * the same payload is not expected to match until it is unpacked.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.tiny_turla."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiny_turla"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        /* NOTE(review): the mnemonic column in the generator comments below does
         * not line up with the hex bytes it is printed beside — e.g. `b301` is
         * `mov bl, 1`, not `xor eax, eax`; `33d2` is `xor edx, edx`; `b801000000`
         * is `mov eax, 1`; `ffc0` is `inc eax`. YARA matches only the hex bytes;
         * treat the mnemonics as unreliable generator output, not as a
         * disassembly of the pattern. The `????????` wildcards replace the
         * 4-byte operands of e8/e9/ff15 (call / jmp / indirect call), presumably
         * because those displacements differ between builds and image layouts.
         */
        $sequence_0 = { b301 45890c24 4d890f 440fb62a 44886d6f 44894d7f 4585c0 }
            // n = 7, score = 100
            //   b301                 | xor                 eax, eax
            //   45890c24             | jmp                 0x5d6
            //   4d890f               | mov                 eax, dword ptr [esp]
            //   440fb62a             | dec                 eax
            //   44886d6f             | mov                 ecx, dword ptr [esp + 0x20]
            //   44894d7f             | movzx               eax, word ptr [ecx + eax*2]
            //   4585c0               | je                  0x5c7

        $sequence_1 = { ff15???????? 448926 e9???????? 488d542440 }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   448926               | dec                 esp
            //   e9????????           |                     
            //   488d542440           | mov                 esi, ecx

        $sequence_2 = { 442bf6 4c896c2420 458bc6 488d1437 }
            // n = 4, score = 100
            //   442bf6               | sub                 esp, 0x60
            //   4c896c2420           | inc                 ecx
            //   458bc6               | push                esi
            //   488d1437             | dec                 eax

        $sequence_3 = { c744246001000000 488d5308 488bcb ff15???????? }
            // n = 4, score = 100
            //   c744246001000000     | mov                 dword ptr [esp + 0x20], eax
            //   488d5308             | dec                 eax
            //   488bcb               | test                eax, eax
            //   ff15????????         |                     

        $sequence_4 = { b801000000 eb0a 8b0424 ffc0 890424 ebb8 }
            // n = 6, score = 100
            //   b801000000           | mov                 ecx, eax
            //   eb0a                 | dec                 eax
            //   8b0424               | mov                 ecx, dword ptr [esp + 0x30]
            //   ffc0                 | dec                 esp
            //   890424               | mov                 eax, dword ptr [ecx]
            //   ebb8                 | xor                 edx, edx

        $sequence_5 = { 41b818000000 33d2 498bcf e8???????? 488b0b 4883f9ff 740d }
            // n = 7, score = 100
            //   41b818000000         | dec                 ecx
            //   33d2                 | mov                 eax, dword ptr [edi]
            //   498bcf               | dec                 eax
            //   e8????????           |                     
            //   488b0b               | mov                 edx, esi
            //   4883f9ff             | mov                 byte ptr [eax + 1], bl
            //   740d                 | dec                 ecx

        $sequence_6 = { 41890424 448828 498b07 c6400102 e9???????? 410fb6c5 }
            // n = 6, score = 100
            //   41890424             | test                eax, eax
            //   448828               | je                  0xd4
            //   498b07               | dec                 esp
            //   c6400102             | mov                 dword ptr [esp + 0x30], esp
            //   e9????????           |                     
            //   410fb6c5             | inc                 ebp

        $sequence_7 = { 740e ff15???????? 48c74310ffffffff 33c0 e9???????? 4533c9 4c8d442450 }
            // n = 7, score = 100
            //   740e                 | dec                 eax
            //   ff15????????         |                     
            //   48c74310ffffffff     | lea                 ecx, dword ptr [esp + 0x58]
            //   33c0                 | test                eax, eax
            //   e9????????           |                     
            //   4533c9               | je                  0x15d4
            //   4c8d442450           | dec                 eax

        $sequence_8 = { 48c74308ffffffff 488b4b18 4883f9ff 740e ff15???????? }
            // n = 5, score = 100
            //   48c74308ffffffff     | mov                 dword ptr [esp + 4], eax
            //   488b4b18             | jmp                 0x3a
            //   4883f9ff             | mov                 eax, dword ptr [esp + 4]
            //   740e                 | xor                 al, al
            //   ff15????????         |                     

        $sequence_9 = { 488d5e10 488bcb e8???????? 4c8933 32db e9???????? 488bcf }
            // n = 7, score = 100
            //   488d5e10             | dec                 eax
            //   488bcb               | add                 ecx, 2
            //   e8????????           |                     
            //   4c8933               | dec                 eax
            //   32db                 | mov                 edx, esi
            //   e9????????           |                     
            //   488bcf               | mov                 byte ptr [eax + 1], bl

    condition:
        // At least 7 of the 10 sequences must be present, so up to three code
        // sequences may be missing or changed before the rule stops firing.
        // The 51200-byte (50 KiB) size cap reflects the family's small footprint
        // and limits false positives on large binaries, but NOTE(review): YARA
        // documents `filesize` as undefined when scanning a running process, so
        // this clause can suppress matches in memory scans even though the
        // patterns were derived from memory dumps — relax or drop it for
        // in-memory use and re-validate the false-positive rate.
        7 of them and filesize < 51200
}