win.usbferry

USBferry

Actor(s): Pirate Panda


There is no description at this point.

References
2020-05-12 · Trend Micro · Joey Chen
@online{chen:20200512:tropic:8fff7a4, author = {Joey Chen}, title = {{Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments}}, date = {2020-05-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/}, language = {English}, urldate = {2020-05-14} } Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments
USBferry
2020-05-12 · Trend Micro · Joey Chen
@techreport{chen:20200512:tropic:a3285d0, author = {Joey Chen}, title = {{Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments (Technical Brief)}}, date = {2020-05-12}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf}, language = {English}, urldate = {2020-05-14} } Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments (Technical Brief)
USBferry
Yara Rules
[TLP:WHITE] win_usbferry_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_usbferry_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.usbferry"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reader notes (comments only; the matching logic is untouched):
     * - Every $sequence_N is a raw opcode byte pattern. The per-string
     *   "// n = ..., score = ..." lines and the listed instructions are the
     *   generator's own disassembly view and have no effect on matching.
     * - The disassembly is 32-bit x86 (ebp/esp frames; byte 48 decodes as
     *   "dec eax", which in 64-bit mode would be a REX prefix instead).
     * - "??" bytes are wildcards standing in for operand bytes that vary
     *   between builds or load addresses (the ff15 ???????? indirect calls,
     *   e8/e9 ???????? rel32 targets and a1/0f57/f20f10 absolute data refs).
     * - The rule fires when any 7 of the 16 sequences match AND the file-size
     *   cap in the condition holds; see the note at the condition.
     */

    strings:
        $sequence_0 = { 747c 0fb717 85d2 746b }
            // n = 4, score = 200
            //   747c                 | je                  0x7e
            //   0fb717               | movzx               edx, word ptr [edi]
            //   85d2                 | test                edx, edx
            //   746b                 | je                  0x6d

        // Seven consecutive single-byte stores of ASCII immediates into
        // adjacent stack slots (6c 20 2d 66 20 2d 69 = "l -f -i"), i.e. a
        // string being assembled byte-wise on the stack rather than referenced
        // from .rdata. The surrounding characters are not part of the pattern.
        $sequence_1 = { c685affaffff6c c685b0faffff20 c685b1faffff2d c685b2faffff66 c685b3faffff20 c685b4faffff2d c685b5faffff69 }
            // n = 7, score = 200
            //   c685affaffff6c       | mov                 byte ptr [ebp - 0x551], 0x6c
            //   c685b0faffff20       | mov                 byte ptr [ebp - 0x550], 0x20
            //   c685b1faffff2d       | mov                 byte ptr [ebp - 0x54f], 0x2d
            //   c685b2faffff66       | mov                 byte ptr [ebp - 0x54e], 0x66
            //   c685b3faffff20       | mov                 byte ptr [ebp - 0x54d], 0x20
            //   c685b4faffff2d       | mov                 byte ptr [ebp - 0x54c], 0x2d
            //   c685b5faffff69       | mov                 byte ptr [ebp - 0x54b], 0x69

        // Same byte-wise stack store idiom; immediates 61 72 65 5c = "are\"
        // (only a fragment of the full string is captured here).
        $sequence_2 = { c645b161 c645b272 c645b365 c645b45c }
            // n = 4, score = 200
            //   c645b161             | mov                 byte ptr [ebp - 0x4f], 0x61
            //   c645b272             | mov                 byte ptr [ebp - 0x4e], 0x72
            //   c645b365             | mov                 byte ptr [ebp - 0x4d], 0x65
            //   c645b45c             | mov                 byte ptr [ebp - 0x4c], 0x5c

        // Scalar-double loop tail (mulsd) counted down via eax; backward jg
        // (rel8 = -7) re-enters the loop.
        $sequence_3 = { eb05 f20f59dd 48 85c0 7ff7 }
            // n = 5, score = 200
            //   eb05                 | jmp                 7
            //   f20f59dd             | mulsd               xmm3, xmm5
            //   48                   | dec                 eax
            //   85c0                 | test                eax, eax
            //   7ff7                 | jg                  0xfffffff9

        // Large stack frame (locals at ebp - 0x10008 / -0x10004 -> a 64 KiB-plus
        // buffer) zeroed and its address pushed before an indirect call
        // through an import slot (ff15 ????????; target wildcarded).
        $sequence_4 = { 83c40c c785f8fffeff00000000 8d95fcfffeff 52 ff15???????? 8b4dfc }
            // n = 6, score = 200
            //   83c40c               | add                 esp, 0xc
            //   c785f8fffeff00000000     | mov    dword ptr [ebp - 0x10008], 0
            //   8d95fcfffeff         | lea                 edx, [ebp - 0x10004]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        // int3 immediately after a call, then a fresh function start
        // (push ebx / push esi). Presumably compiler padding after a
        // non-returning call followed by the next function's prologue
        // — confirm in the sample before relying on that reading.
        $sequence_5 = { e8???????? cc 53 8bda 56 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   cc                   | int3                
            //   53                   | push                ebx
            //   8bda                 | mov                 ebx, edx
            //   56                   | push                esi

        $sequence_6 = { 8b45c0 e9???????? 8b45e0 50 ff15???????? }
            // n = 5, score = 200
            //   8b45c0               | mov                 eax, dword ptr [ebp - 0x40]
            //   e9????????           |                     
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   50                   | push                eax
            //   ff15????????         |                     

        // Byte-wise stack store idiom; immediates 69 6f 6e 5c 57 = "ion\W".
        $sequence_7 = { c645d569 c645d66f c645d76e c645d85c c645d957 }
            // n = 5, score = 200
            //   c645d569             | mov                 byte ptr [ebp - 0x2b], 0x69
            //   c645d66f             | mov                 byte ptr [ebp - 0x2a], 0x6f
            //   c645d76e             | mov                 byte ptr [ebp - 0x29], 0x6e
            //   c645d85c             | mov                 byte ptr [ebp - 0x28], 0x5c
            //   c645d957             | mov                 byte ptr [ebp - 0x27], 0x57

        // Counter setup: esi = 1, edi = 0, ecx = this + 0xfe4 (a fixed field
        // offset inside whatever object ecx pointed at).
        $sequence_8 = { 33f6 8bd1 57 33ff 46 8d8ae40f0000 }
            // n = 6, score = 200
            //   33f6                 | xor                 esi, esi
            //   8bd1                 | mov                 edx, ecx
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   46                   | inc                 esi
            //   8d8ae40f0000         | lea                 ecx, [edx + 0xfe4]

        // Emits '-' (0x2d) or '+' (0x2b) into [ecx] depending on a preceding
        // unsigned compare, then loads a double from a wildcarded absolute
        // address — consistent with a number-formatting routine.
        $sequence_9 = { 760c 0f570d???????? c6012d eb03 c6012b f20f1005???????? 41 }
            // n = 7, score = 200
            //   760c                 | jbe                 0xe
            //   0f570d????????       |                     
            //   c6012d               | mov                 byte ptr [ecx], 0x2d
            //   eb03                 | jmp                 5
            //   c6012b               | mov                 byte ptr [ecx], 0x2b
            //   f20f1005????????     |                     
            //   41                   | inc                 ecx

        $sequence_10 = { 8d45ec 50 8d8da8feffff 51 }
            // n = 4, score = 200
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   50                   | push                eax
            //   8d8da8feffff         | lea                 ecx, [ebp - 0x158]
            //   51                   | push                ecx

        $sequence_11 = { 8d85f4fbffff 56 50 752b }
            // n = 4, score = 200
            //   8d85f4fbffff         | lea                 eax, [ebp - 0x40c]
            //   56                   | push                esi
            //   50                   | push                eax
            //   752b                 | jne                 0x2d

        // Function boundary: ret of the previous function, then a standard
        // frame prologue with a 0x560-byte frame and "mov eax,[abs]; xor
        // eax,ebp; mov [ebp-8],eax". That shape matches the MSVC /GS
        // stack-cookie prologue (the wildcarded a1 load presumably reads
        // __security_cookie) — a common compiler idiom, so this sequence on
        // its own is weak evidence; the "7 of them" requirement compensates.
        $sequence_12 = { c3 55 8bec 81ec60050000 a1???????? 33c5 8945f8 }
            // n = 7, score = 200
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81ec60050000         | sub                 esp, 0x560
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945f8               | mov                 dword ptr [ebp - 8], eax

        $sequence_13 = { 8945f8 83659800 0f28c3 f20f11458c 53 56 8bf1 }
            // n = 7, score = 200
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   83659800             | and                 dword ptr [ebp - 0x68], 0
            //   0f28c3               | movaps              xmm0, xmm3
            //   f20f11458c           | movsd               qword ptr [ebp - 0x74], xmm0
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx

        // Byte-wise stack store idiom; immediates 6c 61 73 68 = "lash".
        $sequence_14 = { c645e66c c645e761 c645e873 c645e968 }
            // n = 4, score = 200
            //   c645e66c             | mov                 byte ptr [ebp - 0x1a], 0x6c
            //   c645e761             | mov                 byte ptr [ebp - 0x19], 0x61
            //   c645e873             | mov                 byte ptr [ebp - 0x18], 0x73
            //   c645e968             | mov                 byte ptr [ebp - 0x17], 0x68

        // "and ecx,3 / rep movsb" is the usual remainder-bytes tail of an
        // inlined memcpy (dword copy first, then up to 3 leftover bytes);
        // again a generic compiler idiom rather than family-specific code.
        $sequence_15 = { 83e103 f3a4 6a00 8d85a8feffff }
            // n = 4, score = 200
            //   83e103               | and                 ecx, 3
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   6a00                 | push                0
            //   8d85a8feffff         | lea                 eax, [ebp - 0x158]

    condition:
        // Any 7 of the 16 sequences must be present. The size cap
        // (638976 bytes = 624 KiB) was derived from the sample(s) the rule was
        // generated from; larger inputs such as full process memory dumps or
        // re-packed builds will not match even if the sequences are present,
        // so adjust or drop the cap deliberately when scanning such inputs.
        7 of them and filesize < 638976
}