win.whiskerspy

WhiskerSpy


There is no description at this point.

References
2023-02-17Trend MicroJoseph C Chen, Jaromír Hořejší
@online{chen:20230217:earth:1066266, author = {Joseph C Chen and Jaromír Hořejší}, title = {{Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole Attack}}, date = {2023-02-17}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/b/earth-kitsune-delivers-new-whiskerspy-backdoor.html}, language = {English}, urldate = {2023-02-24} } Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole Attack
WhiskerSpy
Yara Rules
[TLP:WHITE] win_whiskerspy_auto (20230715 | Detects win.whiskerspy.)
rule win_whiskerspy_auto {

    /* Auto-generated code-sequence rule for win.whiskerspy (Malpedia).
     * Each $sequence_N is a short run of raw x86/x86-64 opcode bytes lifted
     * from disassembly; "??" bytes are YARA wildcards covering the displacement
     * or target of a call/jump that differs between builds.
     *
     * NOTE(review): the per-line disassembly annotations emitted by the
     * generator had drifted out of alignment with the byte tokens (a 64-bit
     * REX prefix such as 48 was decoded as a separate 32-bit "dec eax", which
     * shifted every following line). The annotations below were re-derived
     * from the listed bytes. Sequences 1-7 carry REX prefixes and are shown as
     * 64-bit decodes; sequences 0 and 8-14 are shown as 32-bit decodes. The
     * "n" value is the token count; "score" presumably weights the sequence's
     * contribution during generation - it is not used by the condition.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.whiskerspy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiskerspy"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33ff 8b06 8bcf d3e8 }
            // n = 4, score = 300 (32-bit decode)
            //   33ff                 | xor                 edi, edi
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8bcf                 | mov                 ecx, edi
            //   d3e8                 | shr                 eax, cl

        $sequence_1 = { 72e8 488d4ddc ff15???????? 488bc8 }
            // n = 4, score = 200 (64-bit decode)
            //   72e8                 | jb                  0xffffffea
            //   488d4ddc             | lea                 rcx, [rbp - 0x24]
            //   ff15????????         | call                qword ptr [rip + ?]   (wildcarded)
            //   488bc8               | mov                 rcx, rax

        $sequence_2 = { 72e8 488d442440 4889bd40020000 4533c9 }
            // n = 4, score = 200 (64-bit decode)
            //   72e8                 | jb                  0xffffffea
            //   488d442440           | lea                 rax, [rsp + 0x40]
            //   4889bd40020000       | mov                 qword ptr [rbp + 0x240], rdi
            //   4533c9               | xor                 r9d, r9d

        $sequence_3 = { 72e4 488d95ec000000 488d8d20030000 ff15???????? }
            // n = 4, score = 200 (64-bit decode)
            //   72e4                 | jb                  0xffffffe6
            //   488d95ec000000       | lea                 rdx, [rbp + 0xec]
            //   488d8d20030000       | lea                 rcx, [rbp + 0x320]
            //   ff15????????         | call                qword ptr [rip + ?]   (wildcarded)

        $sequence_4 = { 72e8 488d5548 498bcc e8???????? }
            // n = 4, score = 200 (64-bit decode)
            //   72e8                 | jb                  0xffffffea
            //   488d5548             | lea                 rdx, [rbp + 0x48]
            //   498bcc               | mov                 rcx, r12
            //   e8????????           | call                ?                     (wildcarded)

        $sequence_5 = { 72e8 0fb745fc 0fb74dfa 0fb755f8 }
            // n = 4, score = 200 (64-bit decode; no REX prefix, base register assumed rbp)
            //   72e8                 | jb                  0xffffffea
            //   0fb745fc             | movzx               eax, word ptr [rbp - 4]
            //   0fb74dfa             | movzx               ecx, word ptr [rbp - 6]
            //   0fb755f8             | movzx               edx, word ptr [rbp - 8]

        $sequence_6 = { 72e8 488d557f 488bcf e8???????? }
            // n = 4, score = 200 (64-bit decode)
            //   72e8                 | jb                  0xffffffea
            //   488d557f             | lea                 rdx, [rbp + 0x7f]
            //   488bcf               | mov                 rcx, rdi
            //   e8????????           | call                ?                     (wildcarded)

        $sequence_7 = { 72e4 488d95c2000000 488d8dc0030000 ff15???????? }
            // n = 4, score = 200 (64-bit decode)
            //   72e4                 | jb                  0xffffffe6
            //   488d95c2000000       | lea                 rdx, [rbp + 0xc2]
            //   488d8dc0030000       | lea                 rcx, [rbp + 0x3c0]
            //   ff15????????         | call                qword ptr [rip + ?]   (wildcarded)

        $sequence_8 = { 0110 eb23 8b4508 8b11 }
            // n = 4, score = 100 (32-bit decode)
            //   0110                 | add                 dword ptr [eax], edx
            //   eb23                 | jmp                 0x25
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b11                 | mov                 edx, dword ptr [ecx]

        $sequence_9 = { 0110 8b4508 eb25 8b01 ff501c 0fb7c8 b8ffff0000 }
            // n = 7, score = 100 (32-bit decode)
            //   0110                 | add                 dword ptr [eax], edx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   eb25                 | jmp                 0x27
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   ff501c               | call                dword ptr [eax + 0x1c]
            //   0fb7c8               | movzx               ecx, ax
            //   b8ffff0000           | mov                 eax, 0xffff

        $sequence_10 = { 0144241c 2bd8 83c410 8bd3 }
            // n = 4, score = 100 (32-bit decode)
            //   0144241c             | add                 dword ptr [esp + 0x1c], eax
            //   2bd8                 | sub                 ebx, eax
            //   83c410               | add                 esp, 0x10
            //   8bd3                 | mov                 edx, ebx

        $sequence_11 = { 0130 8b7510 83794c00 8bd3 }
            // n = 4, score = 100 (32-bit decode)
            //   0130                 | add                 dword ptr [eax], esi
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]
            //   83794c00             | cmp                 dword ptr [ecx + 0x4c], 0
            //   8bd3                 | mov                 edx, ebx

        $sequence_12 = { 015508 85ff 0f8f6cffffff 7c08 }
            // n = 4, score = 100 (32-bit decode)
            //   015508               | add                 dword ptr [ebp + 8], edx
            //   85ff                 | test                edi, edi
            //   0f8f6cffffff         | jg                  0xffffff72
            //   7c08                 | jl                  0xa

        $sequence_13 = { 015dd0 eb09 51 8d4dcc }
            // n = 4, score = 100 (32-bit decode)
            //   015dd0               | add                 dword ptr [ebp - 0x30], ebx
            //   eb09                 | jmp                 0xb
            //   51                   | push                ecx
            //   8d4dcc               | lea                 ecx, [ebp - 0x34]

        $sequence_14 = { 015de8 eb09 50 8d4de4 }
            // n = 4, score = 100 (32-bit decode)
            //   015de8               | add                 dword ptr [ebp - 0x18], ebx
            //   eb09                 | jmp                 0xb
            //   50                   | push                eax
            //   8d4de4               | lea                 ecx, [ebp - 0x1c]

    condition:
        // Any 7 of the 15 sequences must match, and the scanned object must be
        // smaller than 591872 bytes. The size cap bounds scan cost but also means
        // the rule is intended for unpacked files / memory dumps of comparable
        // size, not for large containers; the 32-bit and 64-bit sequence groups
        // are mixed, so the 7-of-15 threshold may be reached by either build.
        7 of them and filesize < 591872
}