
WhiskerSpy


There is no description at this point. (The Trend Micro report cited below describes WhiskerSpy as a backdoor attributed to the Earth Kitsune group, delivered through a watering-hole attack.)

References
2023-02-17Trend MicroJoseph C Chen, Jaromír Hořejší
@online{chen:20230217:earth:1066266, author = {Joseph C Chen and Jaromír Hořejší}, title = {{Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole Attack}}, date = {2023-02-17}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/b/earth-kitsune-delivers-new-whiskerspy-backdoor.html}, language = {English}, urldate = {2023-02-24} } Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole Attack
WhiskerSpy
Yara Rules
[TLP:WHITE] win_whiskerspy_auto (20230407 | Detects win.whiskerspy.)
rule win_whiskerspy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.whiskerspy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiskerspy"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review):
     * The per-instruction annotations below were re-derived from the hex
     * bytes; the original auto-generated annotations did not line up with
     * the bytes they were attached to.
     * $sequence_1 .. $sequence_7 start with REX prefixes (0x41/0x44/0x48/
     * 0x49/0x4c/0x4d) and decode as x86-64 code; $sequence_8 .. $sequence_14
     * decode as 32-bit x86 code; $sequence_0 decodes the same either way.
     * The differing score values (300 / 200 / 100) presumably reflect the
     * 64-bit and 32-bit sequences coming from different samples -- TODO
     * confirm against the Malpedia corpus. Since the sequences were taken
     * from memory dumps and unpacked files (see DISCLAIMER), matches on a
     * packed on-disk sample are not to be expected; scan memory or unpacked
     * images. Jump targets are written as displacements relative to the
     * next instruction.
     */


    strings:
        // Bit-test helper: shifts a dword right by edi (here 0) and tests bit 0.
        $sequence_0 = { 33ff 8b06 8bcf d3e8 a801 }
            // n = 5, score = 300
            //   33ff                 | xor                 edi, edi
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8bcf                 | mov                 ecx, edi
            //   d3e8                 | shr                 eax, cl
            //   a801                 | test                al, 1

        // x86-64 function epilogue: restore non-volatile registers via r11 frame pointer.
        $sequence_1 = { 4c8d9c2460010000 498b5b10 498b7318 498b7b20 4d8b7328 }
            // n = 5, score = 200
            //   4c8d9c2460010000     | lea                 r11, [rsp + 0x160]
            //   498b5b10             | mov                 rbx, qword ptr [r11 + 0x10]
            //   498b7318             | mov                 rsi, qword ptr [r11 + 0x18]
            //   498b7b20             | mov                 rdi, qword ptr [r11 + 0x20]
            //   4d8b7328             | mov                 r14, qword ptr [r11 + 0x28]

        // x86-64 call setup: three stack-buffer addresses in rcx/rdx/r8, then an indirect call.
        $sequence_2 = { 4c8d8590000000 488d55c8 488d4d98 ff15???????? }
            // n = 4, score = 200
            //   4c8d8590000000       | lea                 r8, [rbp + 0x90]
            //   488d55c8             | lea                 rdx, [rbp - 0x38]
            //   488d4d98             | lea                 rcx, [rbp - 0x68]
            //   ff15????????         | call                qword ptr [rip + ??]  (wildcarded displacement)

        $sequence_3 = { 4c8d85b4010000 c785b401000080f10000 498bce 418d511b }
            // n = 4, score = 200
            //   4c8d85b4010000       | lea                 r8, [rbp + 0x1b4]
            //   c785b401000080f10000 | mov                 dword ptr [rbp + 0x1b4], 0xf180
            //   498bce               | mov                 rcx, r14
            //   418d511b             | lea                 edx, [r9 + 0x1b]

        $sequence_4 = { 4c8d8d80010000 488d442460 33c9 4889442420 }
            // n = 4, score = 200
            //   4c8d8d80010000       | lea                 r9, [rbp + 0x180]
            //   488d442460           | lea                 rax, [rsp + 0x60]
            //   33c9                 | xor                 ecx, ecx
            //   4889442420           | mov                 qword ptr [rsp + 0x20], rax

        // x86-64 epilogue variant that also restores xmm6 from the home area.
        $sequence_5 = { 4c8d9c24b0010000 498b5b30 498b7340 498b7b48 410f2873f0 }
            // n = 5, score = 200
            //   4c8d9c24b0010000     | lea                 r11, [rsp + 0x1b0]
            //   498b5b30             | mov                 rbx, qword ptr [r11 + 0x30]
            //   498b7340             | mov                 rsi, qword ptr [r11 + 0x40]
            //   498b7b48             | mov                 rdi, qword ptr [r11 + 0x48]
            //   410f2873f0           | movaps              xmm6, xmmword ptr [r11 - 0x10]

        $sequence_6 = { 4c8d8de0000000 4489742428 488d9538020000 41b802000000 }
            // n = 4, score = 200
            //   4c8d8de0000000       | lea                 r9, [rbp + 0xe0]
            //   4489742428           | mov                 dword ptr [rsp + 0x28], r14d
            //   488d9538020000       | lea                 rdx, [rbp + 0x238]
            //   41b802000000         | mov                 r8d, 2

        $sequence_7 = { 4c8d8d98000000 488d542448 413bf7 7534 }
            // n = 4, score = 200
            //   4c8d8d98000000       | lea                 r9, [rbp + 0x98]
            //   488d542448           | lea                 rdx, [rsp + 0x48]
            //   413bf7               | cmp                 esi, r15d
            //   7534                 | jne                 short +0x34

        // 32-bit x86 sequences follow.
        $sequence_8 = { 015dd0 eb09 51 8d4dcc }
            // n = 4, score = 100
            //   015dd0               | add                 dword ptr [ebp - 0x30], ebx
            //   eb09                 | jmp                 short +9
            //   51                   | push                ecx
            //   8d4dcc               | lea                 ecx, [ebp - 0x34]

        $sequence_9 = { 0130 8b7510 83794c00 8bd3 }
            // n = 4, score = 100
            //   0130                 | add                 dword ptr [eax], esi
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]
            //   83794c00             | cmp                 dword ptr [ecx + 0x4c], 0
            //   8bd3                 | mov                 edx, ebx

        $sequence_10 = { 0144241c 2bd8 83c410 8bd3 }
            // n = 4, score = 100
            //   0144241c             | add                 dword ptr [esp + 0x1c], eax
            //   2bd8                 | sub                 ebx, eax
            //   83c410               | add                 esp, 0x10
            //   8bd3                 | mov                 edx, ebx

        $sequence_11 = { 015508 85ff 0f8f6cffffff 7c08 }
            // n = 4, score = 100
            //   015508               | add                 dword ptr [ebp + 8], edx
            //   85ff                 | test                edi, edi
            //   0f8f6cffffff         | jg                  near -0x94
            //   7c08                 | jl                  short +8

        $sequence_12 = { 0110 eb23 8b4508 8b11 }
            // n = 4, score = 100
            //   0110                 | add                 dword ptr [eax], edx
            //   eb23                 | jmp                 short +0x23
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b11                 | mov                 edx, dword ptr [ecx]

        $sequence_13 = { 015de8 eb09 50 8d4de4 }
            // n = 4, score = 100
            //   015de8               | add                 dword ptr [ebp - 0x18], ebx
            //   eb09                 | jmp                 short +9
            //   50                   | push                eax
            //   8d4de4               | lea                 ecx, [ebp - 0x1c]

        // 32-bit virtual call through a vtable slot at +0x1c, result truncated to 16 bits.
        $sequence_14 = { 0110 8b4508 eb25 8b01 ff501c 0fb7c8 b8ffff0000 }
            // n = 7, score = 100
            //   0110                 | add                 dword ptr [eax], edx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   eb25                 | jmp                 short +0x25
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   ff501c               | call                dword ptr [eax + 0x1c]
            //   0fb7c8               | movzx               ecx, ax
            //   b8ffff0000           | mov                 eax, 0xffff

    // Eight of the fifteen sequences are architecture-neutral-or-64-bit ($sequence_0..7)
    // and eight are architecture-neutral-or-32-bit ($sequence_0, $sequence_8..14), so
    // "7 of them" can be satisfied by a single-architecture build on its own.
    // The size cap (591872 bytes) bounds the scanned object, not the original dropper.
    condition:
        7 of them and filesize < 591872
}