win.tinytyphon

TinyTyphon

Actor(s): Dropping Elephant


There is no description at this point.

References
2016-08-08 – Forcepoint – Abel Toro, Andy Settle, Nicholas Griffin
MONSOON – ANALYSIS OF AN APT CAMPAIGN
BadNews TinyTyphon QUILTED TIGER
2016-08-08 – Forcepoint – Nicholas Griffin
MONSOON - Analysis Of An APT Campaign
BadNews TinyTyphon QUILTED TIGER
Yara Rules
[TLP:WHITE] win_tinytyphon_auto (20260504 | Detects win.tinytyphon.)
rule win_tinytyphon_auto {
    // Purpose: detect TinyTyphon (win.tinytyphon) by matching raw x86 code
    // byte sequences. The rule fires when at least 7 of the 10 $sequence_*
    // strings below are present AND the scanned file is smaller than 90112
    // bytes (88 KiB) -- see `condition`.
    //
    // The sequences were extracted automatically from disassembly of memory
    // dumps / unpacked samples (see DISCLAIMER below), so a packed or
    // encrypted on-disk sample may not match until it is unpacked.
    //
    // NOTE(review): `filesize` is not defined for process-memory scans in
    // YARA; confirm how your scanner evaluates it before relying on this rule
    // against live memory.

    // meta: informational only; none of these fields influence matching.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.tinytyphon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinytyphon"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a contiguous run of instruction bytes. The comment
    // block under each one lists the disassembly per instruction; "n" is the
    // number of instructions in the sequence and "score" is the generator's
    // ranking value (semantics per yara-signator, not documented here).
    //
    // `??` bytes are wildcards. They only appear as the 4-byte operand of
    // call-family opcodes (e8 = call rel32, ff15 = call dword ptr [imm32]),
    // i.e. targets that presumably differ between builds or load addresses;
    // the disassembly column is intentionally blank for those lines.
    strings:
        $sequence_0 = { 7410 8b4508 0fbe08 0fbe550c 3bca }
            // n = 5, score = 200
            //   7410                 | je                  0x12
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   0fbe08               | movsx               ecx, byte ptr [eax]
            //   0fbe550c             | movsx               edx, byte ptr [ebp + 0xc]
            //   3bca                 | cmp                 ecx, edx

        // Sequences 1, 5, 6, 7 and 8 are shift/rotate/add/xor arithmetic on
        // stack locals; they look like pieces of one hashing or decoding
        // routine, but that is an inference from the opcodes, not confirmed.
        $sequence_1 = { 8d8c08d9026f67 894ddc 8b55dc c1e20e 8b45dc c1e812 0bd0 }
            // n = 7, score = 200
            //   8d8c08d9026f67       | lea                 ecx, [eax + ecx + 0x676f02d9]
            //   894ddc               | mov                 dword ptr [ebp - 0x24], ecx
            //   8b55dc               | mov                 edx, dword ptr [ebp - 0x24]
            //   c1e20e               | shl                 edx, 0xe
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   c1e812               | shr                 eax, 0x12
            //   0bd0                 | or                  edx, eax

        // Checks a returned value against 0 and -1 (both common failure
        // sentinels for Win32 handle/index APIs; the actual callee is not
        // visible here). Overlaps with the tail of $sequence_9.
        $sequence_2 = { 8945b0 837db000 7406 837db0ff }
            // n = 4, score = 200
            //   8945b0               | mov                 dword ptr [ebp - 0x50], eax
            //   837db000             | cmp                 dword ptr [ebp - 0x50], 0
            //   7406                 | je                  8
            //   837db0ff             | cmp                 dword ptr [ebp - 0x50], -1

        // Two wildcarded indirect calls (ff15 ????????): push 0x400, call,
        // backward jmp (a loop), then push 0, call, and a function epilogue.
        $sequence_3 = { 6800040000 ff15???????? ebee 6a00 ff15???????? 33c0 8be5 }
            // n = 7, score = 200
            //   6800040000           | push                0x400
            //   ff15????????         |                     
            //   ebee                 | jmp                 0xfffffff0
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax
            //   8be5                 | mov                 esp, ebp

        // Byte-wise loop over a buffer with an index at [ebp - 0x124],
        // comparing each byte to 0x9a.
        $sequence_4 = { 83c101 898ddcfeffff 8b95ecfeffff 0395dcfeffff 0fb602 3d9a000000 }
            // n = 6, score = 200
            //   83c101               | add                 ecx, 1
            //   898ddcfeffff         | mov                 dword ptr [ebp - 0x124], ecx
            //   8b95ecfeffff         | mov                 edx, dword ptr [ebp - 0x114]
            //   0395dcfeffff         | add                 edx, dword ptr [ebp - 0x124]
            //   0fb602               | movzx               eax, byte ptr [edx]
            //   3d9a000000           | cmp                 eax, 0x9a

        $sequence_5 = { 8b4de4 c1e909 0bc1 8945e4 8b55e4 0355dc 8955e4 }
            // n = 7, score = 200
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   c1e909               | shr                 ecx, 9
            //   0bc1                 | or                  eax, ecx
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8b55e4               | mov                 edx, dword ptr [ebp - 0x1c]
            //   0355dc               | add                 edx, dword ptr [ebp - 0x24]
            //   8955e4               | mov                 dword ptr [ebp - 0x1c], edx

        $sequence_6 = { 034de4 894df8 8b55f4 0fb64204 8b4df4 0fb65105 c1e208 }
            // n = 7, score = 200
            //   034de4               | add                 ecx, dword ptr [ebp - 0x1c]
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   0fb64204             | movzx               eax, byte ptr [edx + 4]
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   0fb65105             | movzx               edx, byte ptr [ecx + 5]
            //   c1e208               | shl                 edx, 8

        $sequence_7 = { c1e814 0bd0 8955e0 8b4de0 034df8 894de0 8b55f4 }
            // n = 7, score = 200
            //   c1e814               | shr                 eax, 0x14
            //   0bd0                 | or                  edx, eax
            //   8955e0               | mov                 dword ptr [ebp - 0x20], edx
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   034df8               | add                 ecx, dword ptr [ebp - 8]
            //   894de0               | mov                 dword ptr [ebp - 0x20], ecx
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]

        $sequence_8 = { 8945dc 8b55dc 0355e0 8955dc 8b45dc 3345e0 2345f8 }
            // n = 7, score = 200
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   8b55dc               | mov                 edx, dword ptr [ebp - 0x24]
            //   0355e0               | add                 edx, dword ptr [ebp - 0x20]
            //   8955dc               | mov                 dword ptr [ebp - 0x24], edx
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   3345e0               | xor                 eax, dword ptr [ebp - 0x20]
            //   2345f8               | and                 eax, dword ptr [ebp - 8]

        // Wildcarded direct call (e8 ????????), stack cleanup of 8 bytes
        // (cdecl, two args), then a wildcarded indirect call whose result is
        // stored at [ebp - 0x50] and tested -- the same store/compare that
        // opens $sequence_2, so these two strings are partly redundant.
        $sequence_9 = { e8???????? 83c408 8d4db8 51 ff15???????? 8945b0 837db000 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8d4db8               | lea                 ecx, [ebp - 0x48]
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8945b0               | mov                 dword ptr [ebp - 0x50], eax
            //   837db000             | cmp                 dword ptr [ebp - 0x50], 0

    // Any 7 of the 10 sequences, in any order, plus the size cap (90112 bytes
    // = 88 KiB). Because $sequence_2 and $sequence_9 overlap, a hit on the
    // shared bytes can satisfy two of the seven at once.
    condition:
        7 of them and filesize < 90112
}