SYMBOLCOMMON_NAMEaka. SYNONYMS
win.unidentified_020_cia_vault7 (Back to overview)

Unidentified 020 (Vault7)

Actor(s): Longhorn


There is no description at this point.

References
2017-03-07WikileaksWikileaks
@online{wikileaks:20170307:vault:839b275, author = {Wikileaks}, title = {{Vault 7: CIA Hacking Tools Revealed}}, date = {2017-03-07}, organization = {Wikileaks}, url = {https://wikileaks.org/ciav7p1/cms/page_34308128.html}, language = {English}, urldate = {2020-01-08} } Vault 7: CIA Hacking Tools Revealed
Unidentified 020 (Vault7)
Yara Rules
[TLP:WHITE] win_unidentified_020_cia_vault7_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_unidentified_020_cia_vault7_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_020_cia_vault7"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 83c408 85c0 74c2 8b55d8 52 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   74c2                 | je                  0xffffffc4
            //   8b55d8               | mov                 edx, dword ptr [ebp - 0x28]
            //   52                   | push                edx

        $sequence_1 = { ff15???????? 8bd8 899de0fbffff 85db 750b 89bde4fbffff e9???????? }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   899de0fbffff         | mov                 dword ptr [ebp - 0x420], ebx
            //   85db                 | test                ebx, ebx
            //   750b                 | jne                 0xd
            //   89bde4fbffff         | mov                 dword ptr [ebp - 0x41c], edi
            //   e9????????           |                     

        $sequence_2 = { 50 6804010000 ff15???????? 85c0 7510 33c0 8b4dfc }
            // n = 7, score = 200
            //   50                   | push                eax
            //   6804010000           | push                0x104
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7510                 | jne                 0x12
            //   33c0                 | xor                 eax, eax
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_3 = { 7512 68c1000000 ff15???????? 33c0 }
            // n = 4, score = 200
            //   7512                 | jne                 0x14
            //   68c1000000           | push                0xc1
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax

        $sequence_4 = { 001490 40 0023 d18a0688078a 46 018847018a46 }
            // n = 6, score = 200
            //   001490               | add                 byte ptr [eax + edx*4], dl
            //   40                   | inc                 eax
            //   0023                 | add                 byte ptr [ebx], ah
            //   d18a0688078a         | ror                 dword ptr [edx - 0x75f877fa], 1
            //   46                   | inc                 esi
            //   018847018a46         | add                 dword ptr [eax + 0x468a0147], ecx

        $sequence_5 = { 85c0 7505 b801000000 a3???????? b801000000 59 c3 }
            // n = 7, score = 200
            //   85c0                 | test                eax, eax
            //   7505                 | jne                 7
            //   b801000000           | mov                 eax, 1
            //   a3????????           |                     
            //   b801000000           | mov                 eax, 1
            //   59                   | pop                 ecx
            //   c3                   | ret                 

        $sequence_6 = { 0fb60b 40 80b9c04b410000 74e8 8a13 }
            // n = 5, score = 200
            //   0fb60b               | movzx               ecx, byte ptr [ebx]
            //   40                   | inc                 eax
            //   80b9c04b410000       | cmp                 byte ptr [ecx + 0x414bc0], 0
            //   74e8                 | je                  0xffffffea
            //   8a13                 | mov                 dl, byte ptr [ebx]

        $sequence_7 = { 8dbc2420040000 be???????? e8???????? 85c0 }
            // n = 4, score = 200
            //   8dbc2420040000       | lea                 edi, [esp + 0x420]
            //   be????????           |                     
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_8 = { ff15???????? c705????????00000000 68000000f0 6a01 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   c705????????00000000     |     
            //   68000000f0           | push                0xf0000000
            //   6a01                 | push                1

        $sequence_9 = { 8985e4fdffff 8d85f0fdffff 50 c785ecfdffff00000000 c785ccfdffff02000000 ff15???????? }
            // n = 6, score = 200
            //   8985e4fdffff         | mov                 dword ptr [ebp - 0x21c], eax
            //   8d85f0fdffff         | lea                 eax, [ebp - 0x210]
            //   50                   | push                eax
            //   c785ecfdffff00000000     | mov    dword ptr [ebp - 0x214], 0
            //   c785ccfdffff02000000     | mov    dword ptr [ebp - 0x234], 2
            //   ff15????????         |                     

    condition:
        7 of them and filesize < 253952
}
Download all Yara Rules