win.usbferry

USBferry

Actor(s): Pirate Panda


There is no description at this point; the references below (Trend Micro, May 2020) cover USBferry as the USB-borne tooling used in the Tropic Trooper campaign against air-gapped environments.

References
2020-05-12 · Trend Micro · Joey Chen
@online{chen:20200512:tropic:8fff7a4, author = {Joey Chen}, title = {{Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments}}, date = {2020-05-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/}, language = {English}, urldate = {2020-05-14} } Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments
USBferry
2020-05-12 · Trend Micro · Joey Chen
@techreport{chen:20200512:tropic:a3285d0, author = {Joey Chen}, title = {{Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments (Technical Brief)}}, date = {2020-05-12}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf}, language = {English}, urldate = {2020-05-14} } Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments (Technical Brief)
USBferry
Yara Rules
[TLP:WHITE] win_usbferry_auto (20211008 | Detects win.usbferry.)
/*
 * Auto-generated code-pattern rule for win.usbferry.
 *
 * Reviewer notes for anyone deploying this:
 *  - Every $sequence_* below is x86 (32-bit) machine code: ebp-relative
 *    stack addressing, 32-bit GPRs, one SSE movaps. A 64-bit build of the
 *    same family would not be caught by this rule.
 *  - The disclaimer states the byte patterns were taken from memory dumps
 *    and unpacked files. Expect matches on unpacked/in-memory code; a
 *    packed on-disk sample may well not hit 7 sequences.
 *  - "??" bytes mask rel32 call targets and absolute data addresses so the
 *    patterns do not depend on load base or relocation.
 *  - Four sequences are stack-string construction (mov byte ptr [ebp-X], imm8).
 *    Decoded as ASCII and laid out by their ebp offsets they are consistent
 *    with one string starting at ebp-0x54, "Software\Microsoft\Windows NT\
 *    CurrentVersion\Windows" — only the fragments present here are certain;
 *    the bytes in between are not part of the rule, so treat the full string
 *    as a likely reading, not a confirmed one.
 */
rule win_usbferry_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.usbferry."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.usbferry"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Second byte of a string compared against 0x3a (':'); looks like a
        // drive-letter/path check ("X:") but the surrounding code is not here.
        $sequence_0 = { 741c 807f013a 7516 8b85acfaffff }
            // n = 4, score = 200
            //   741c                 | je                  0x1e
            //   807f013a             | cmp                 byte ptr [edi + 1], 0x3a
            //   7516                 | jne                 0x18
            //   8b85acfaffff         | mov                 eax, dword ptr [ebp - 0x554]

        $sequence_1 = { 837d1404 7547 6a04 8d4d1c }
            // n = 4, score = 200
            //   837d1404             | cmp                 dword ptr [ebp + 0x14], 4
            //   7547                 | jne                 0x49
            //   6a04                 | push                4
            //   8d4d1c               | lea                 ecx, dword ptr [ebp + 0x1c]

        // Range check on a local: not-equal, then <= 4, then compared with 5.
        $sequence_2 = { 0f85dc000000 83bd64ffffff04 0f86cf000000 83bd64ffffff05 }
            // n = 4, score = 200
            //   0f85dc000000         | jne                 0xe2
            //   83bd64ffffff04       | cmp                 dword ptr [ebp - 0x9c], 4
            //   0f86cf000000         | jbe                 0xd5
            //   83bd64ffffff05       | cmp                 dword ptr [ebp - 0x9c], 5

        // Stack string, bytes at ebp-0x4d..-0x49: 'e' '\' 'M' 'i' 'c'
        // (offset 7 of the string that starts at ebp-0x54, see $sequence_10).
        $sequence_3 = { c645b365 c645b45c c645b54d c645b669 c645b763 }
            // n = 5, score = 200
            //   c645b365             | mov                 byte ptr [ebp - 0x4d], 0x65
            //   c645b45c             | mov                 byte ptr [ebp - 0x4c], 0x5c
            //   c645b54d             | mov                 byte ptr [ebp - 0x4b], 0x4d
            //   c645b669             | mov                 byte ptr [ebp - 0x4a], 0x69
            //   c645b763             | mov                 byte ptr [ebp - 0x49], 0x63

        // 8a2d ???????? = mov ch, byte ptr [abs32]; the absolute address is
        // wildcarded so the pattern survives relocation.
        $sequence_4 = { 57 8bc2 894dfc 8a2d???????? }
            // n = 4, score = 200
            //   57                   | push                edi
            //   8bc2                 | mov                 eax, edx
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   8a2d????????         |                     

        // Large frame (locals at ebp-0xa84 and below); "lea ecx, [buf]; add ecx, -1"
        // is a pointer-one-before-buffer idiom, typical compiler output.
        $sequence_5 = { 89857cf5ffff 899578f5ffff 8d8da8faffff 83c1ff 898d90f5ffff 8b9590f5ffff }
            // n = 6, score = 200
            //   89857cf5ffff         | mov                 dword ptr [ebp - 0xa84], eax
            //   899578f5ffff         | mov                 dword ptr [ebp - 0xa88], edx
            //   8d8da8faffff         | lea                 ecx, dword ptr [ebp - 0x558]
            //   83c1ff               | add                 ecx, -1
            //   898d90f5ffff         | mov                 dword ptr [ebp - 0xa70], ecx
            //   8b9590f5ffff         | mov                 edx, dword ptr [ebp - 0xa70]

        // Same frame as $sequence_0 (ebp-0x554/-0x550/-0x54c), arguments being
        // pushed for a call that is outside the pattern.
        $sequence_6 = { 741b ffb5b4faffff 8b8db0faffff ffb5acfaffff }
            // n = 4, score = 200
            //   741b                 | je                  0x1d
            //   ffb5b4faffff         | push                dword ptr [ebp - 0x54c]
            //   8b8db0faffff         | mov                 ecx, dword ptr [ebp - 0x550]
            //   ffb5acfaffff         | push                dword ptr [ebp - 0x554]

        // "push 0xa; pop esi" is the short-form load of the constant 10 into esi.
        $sequence_7 = { 741d 6a0a 5e 8bc1 }
            // n = 4, score = 200
            //   741d                 | je                  0x1f
            //   6a0a                 | push                0xa
            //   5e                   | pop                 esi
            //   8bc1                 | mov                 eax, ecx

        // Stack string, bytes at ebp-0x2b..-0x26: 'i' 'o' 'n' '\' 'W' 'i'
        // (offset 41 of the string that starts at ebp-0x54, see $sequence_10).
        $sequence_8 = { c645d569 c645d66f c645d76e c645d85c c645d957 c645da69 }
            // n = 6, score = 200
            //   c645d569             | mov                 byte ptr [ebp - 0x2b], 0x69
            //   c645d66f             | mov                 byte ptr [ebp - 0x2a], 0x6f
            //   c645d76e             | mov                 byte ptr [ebp - 0x29], 0x6e
            //   c645d85c             | mov                 byte ptr [ebp - 0x28], 0x5c
            //   c645d957             | mov                 byte ptr [ebp - 0x27], 0x57
            //   c645da69             | mov                 byte ptr [ebp - 0x26], 0x69

        // Byte-scan loop fragment: load a byte, test for NUL, compute a
        // pointer difference. Generic C-string handling; weak on its own.
        $sequence_9 = { 03f7 8a03 84c0 7446 2bde }
            // n = 5, score = 200
            //   03f7                 | add                 esi, edi
            //   8a03                 | mov                 al, byte ptr [ebx]
            //   84c0                 | test                al, al
            //   7446                 | je                  0x48
            //   2bde                 | sub                 ebx, esi

        // Stack string start, bytes at ebp-0x54..-0x52: 'S' 'o' 'f'. With
        // $sequence_3/_12/_8 at offsets 7, 23 and 41 this lays out exactly like
        // "Software\Microsoft\Windows NT\CurrentVersion\Windows"; only the
        // fragments present here are actually asserted by the rule.
        // e8 ???????? is a cdecl call (rel32 wildcarded), followed by the
        // 8-byte stack cleanup.
        $sequence_10 = { 50 e8???????? 83c408 c645ac53 c645ad6f c645ae66 }
            // n = 6, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   c645ac53             | mov                 byte ptr [ebp - 0x54], 0x53
            //   c645ad6f             | mov                 byte ptr [ebp - 0x53], 0x6f
            //   c645ae66             | mov                 byte ptr [ebp - 0x52], 0x66

        // Two NULL arguments plus a pointer to a local buffer being pushed;
        // the callee is outside the pattern.
        $sequence_11 = { 6a00 6a00 8d8da4f5ffff 51 }
            // n = 4, score = 200
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8d8da4f5ffff         | lea                 ecx, dword ptr [ebp - 0xa5c]
            //   51                   | push                ecx

        // Stack string, bytes at ebp-0x3d..-0x37: 'o' 'w' 's' ' ' 'N' 'T' '\'
        // (offset 23 of the string that starts at ebp-0x54, see $sequence_10).
        $sequence_12 = { c645c36f c645c477 c645c573 c645c620 c645c74e c645c854 c645c95c }
            // n = 7, score = 200
            //   c645c36f             | mov                 byte ptr [ebp - 0x3d], 0x6f
            //   c645c477             | mov                 byte ptr [ebp - 0x3c], 0x77
            //   c645c573             | mov                 byte ptr [ebp - 0x3b], 0x73
            //   c645c620             | mov                 byte ptr [ebp - 0x3a], 0x20
            //   c645c74e             | mov                 byte ptr [ebp - 0x39], 0x4e
            //   c645c854             | mov                 byte ptr [ebp - 0x38], 0x54
            //   c645c95c             | mov                 byte ptr [ebp - 0x37], 0x5c

        // Inner step of a byte-wise compare loop (strcmp-like). Four bytes of
        // very common code; contributes little discrimination by itself.
        $sequence_13 = { 3a1a 7507 41 42 }
            // n = 4, score = 200
            //   3a1a                 | cmp                 bl, byte ptr [edx]
            //   7507                 | jne                 9
            //   41                   | inc                 ecx
            //   42                   | inc                 edx

        // ff15 ???????? = call dword ptr [abs32], i.e. an import-table call;
        // the IAT slot address is wildcarded. Return value tested for zero.
        $sequence_14 = { 8b5508 52 ff15???????? 85c0 7422 }
            // n = 5, score = 200
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7422                 | je                  0x24

        // Function prologue fragment with an SSE register move (movaps), so
        // the sample was compiled with SSE codegen enabled.
        $sequence_15 = { 57 8b7d08 8d4de8 0f28cb 8955e4 897de0 }
            // n = 6, score = 200
            //   57                   | push                edi
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8d4de8               | lea                 ecx, dword ptr [ebp - 0x18]
            //   0f28cb               | movaps              xmm1, xmm3
            //   8955e4               | mov                 dword ptr [ebp - 0x1c], edx
            //   897de0               | mov                 dword ptr [ebp - 0x20], edi

    condition:
        // 7 of the 16 sequences must be present (any combination). The size
        // cap is 638976 bytes = 624 KiB, derived from the single documented
        // sample; raise it if you scan memory regions larger than that.
        7 of them and filesize < 638976
}