win.winnti

Winnti

aka: BleDoor, JUMPALL, RbDoor, Pasteboy

Actor(s): APT17


There is no description at this point.

References
2024-03-01 | HarfangLab | HarfangLab CTR
A Comprehensive Analysis of i-SOON’s Commercial Offering
ShadowPad Winnti
2023-01-14 | YouTube (CODE BLUE) | Takahiro Haruyama
[CB22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulation and Scanning
ShadowPad Winnti
2022-10-25 | VMware Threat Analysis Unit | Takahiro Haruyama
Tracking the entire iceberg: long-term APT malware C2 protocol emulation and scanning
ShadowPad Winnti
2022-09-26 | YouTube (Virus Bulletin) | Takahiro Haruyama
Tracking the entire iceberg long term APT malware C2 protocol emulation and scanning
ShadowPad Winnti
2022-09-19 | Virus Bulletin | Takahiro Haruyama
Tracking the entire iceberg - long-term APT malware C2 protocol emulation and scanning
ShadowPad Winnti
2022-05-12 | TEAMT5 | Leon Chang, Silvia Yeh
The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)
KEYPLUG Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad Winnti SLIME29 TianWu
2022-05-04 | Cybereason | Akihiro Tomita, Assaf Dahan, Chen Erlich, Daniel Frank, Fusao Tanida, Niv Yona, Ofir Ozer
Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive
PRIVATELOG Spyder STASHLOG Winnti
2022-05-04 | Cybereason | Akihiro Tomita, Assaf Dahan, Chen Erlich, Daniel Frank, Fusao Tanida, Niv Yona, Ofir Ozer
Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques
PRIVATELOG Spyder STASHLOG Winnti
2022-05-01 | BushidoToken | BushidoToken
Gamer Cheater Hacker Spy
Egregor HelloKitty NetfilterRootkit RagnarLocker Winnti
2022-03-31 | Recorded Future | Insikt Group
China-Linked Group TAG-28 Targets India’s “The Times Group” and UIDAI (Aadhaar) Government Agency With Winnti Malware
Winnti TAG-28
2022-01-17 | Trend Micro | Cedric Pernet, Daniel Lunghi, Gloria Chen, Jaromír Hořejší, Joseph Chen, Kenney Lu
Delving Deep: An Analysis of Earth Lusca’s Operations
BIOPASS Cobalt Strike FunnySwitch JuicyPotato ShadowPad Winnti Earth Lusca
2021-11-16 | VMware | Takahiro Haruyama
Monitoring Winnti 4.0 C2 Servers for Two Years
Winnti
2021-09-28 | Recorded Future | Insikt Group®
4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan
PlugX Winnti
2021-09-21 | Recorded Future | Insikt Group®
China-Linked Group TAG-28 Targets India’s “The Times Group” and UIDAI (Aadhaar) Government Agency With Winnti Malware
Winnti
2021-09-14 | McAfee | Christiaan Beek
Operation ‘Harvest’: A Deep Dive into a Long-term Campaign
MimiKatz PlugX Winnti
2021-07-08 | PTSecurity | Denis Kuvshinov
How winnti APT grouping works
Korlia ShadowPad Winnti
2021-07-08 | YouTube (PT Product Update) | Denis Kuvshinov
How winnti APT grouping works
Korlia ShadowPad Winnti
2021-07-08 | Recorded Future | Insikt Group®
Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling
ShadowPad Spyder Winnti
2021-06-05 | Prevailion | Danny Adamitis
The Gh0st remain the same
Winnti
2021-04-29 | NTT | Threat Detection NTT Ltd.
The Operations of Winnti group
Cobalt Strike ShadowPad Spyder Winnti Earth Lusca
2021-03-10 | ESET Research | Mathieu Tartare, Matthieu Faou, Thomas Dupuy
Exchange servers under siege from at least 10 APT groups
Microcin MimiKatz PlugX Winnti APT27 APT41 Calypso Tick ToddyCat Tonto Team Vicious Panda
2021-02-28 | PWC UK | PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-23 | CrowdStrike | CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-01-20 | FireEye | Andrew Davis
Emulation of Kernel Mode Rootkits With Speakeasy
Winnti
2020-12-24 | IronNet | Adam Hlavek
China cyber attacks: the current threat landscape
PLEAD TSCookie FlowCloud Lookback PLEAD PlugX Quasar RAT Winnti
2020-11-03 | Kaspersky Labs | GReAT
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX POISONPLUG Rover ShadowPad SoreFang Winnti
2020-10-30 | YouTube (Kaspersky Tech) | Kris McConkey
Around the world in 80 days 4.2bn packets
Cobalt Strike Derusbi HyperBro Poison Ivy ShadowPad Winnti
2020-10-12 | Malwarebytes Labs | Hossein Jazi, Jérôme Segura, Malwarebytes Threat Intelligence Team, Roberto Santos
Winnti APT group docks in Sri Lanka for new campaign
DBoxAgent SerialVlogger Winnti
2020-09-22 | VMware | Omar Elgebaly, Takahiro Haruyama
Detecting Threats in Real-time With Active C2 Information
Agent.BTZ Cobalt Strike Dacls NetWire RC PoshC2 Winnti
2020-09-18 | Symantec | Threat Hunter Team
APT41: Indictments Put Chinese Espionage Group in the Spotlight
CROSSWALK PlugX POISONPLUG ShadowPad Winnti
2020-08-06 | Wired | Andy Greenberg
Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry
Cobalt Strike MimiKatz Winnti Red Charon
2020-08-04 | BlackHat | Chung-Kuan Chen, Inndy Lin, Shang-De Jiang
Operation Chimera - APT Operation Targets Semiconductor Vendors
Cobalt Strike MimiKatz Winnti Red Charon
2020-04-20 | QuoScient | QuoIntelligence
WINNTI GROUP: Insights From the Past
Winnti
2020-03-04 | CrowdStrike | CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03 | GitHub (superkhung) | superkhung
GitHub Repository: winnti-sniff
Winnti
2020-03-03 | PWC UK | PWC UK
Cyber Threats 2019: A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2020-02-20 | Carbon Black | Takahiro Haruyama
Threat Analysis: Active C2 Discovery Using Protocol Emulation Part2 (Winnti 4.0)
Winnti
2020-01-31 | Tagesschau | Jan Lukas Strozyk
German chemical company hacked (original title: Deutsches Chemieunternehmen gehackt)
Winnti
2020-01-31 | ESET Research | Mathieu Tartare
Winnti Group targeting universities in Hong Kong
ShadowPad Winnti
2020-01-01 | Secureworks | SecureWorks
BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti APT41
2019-10-01 | CrowdStrike | Karl Scheuerman, Piotr Wojtyla
Don't miss the forest for the trees gleaning hunting value from too much intrusion data
Winnti
2019-09-30 | Lastline | Jason Zhang, Stefano Ortolani
HELO Winnti: Attack or Scan?
Winnti
2019-09-23 | MITRE | MITRE ATT&CK
APT41
Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41
2019-09-04 | Carbon Black | Takahiro Haruyama
CB TAU Threat Intelligence Notification: Winnti Malware 4.0
Winnti
2019-09-04 | FireEye | FireEye
APT41: Double Dragon APT41, a dual espionage and cyber crime operation
EASYNIGHT Winnti
2019-08-09 | FireEye | FireEye
Double Dragon APT41, a dual espionage and cyber crime operation
CLASSFON crackshot CROSSWALK GEARSHIFT HIGHNOON HIGHNOON.BIN JUMPALL POISONPLUG Winnti
2019-07-24 | Bayerischer Rundfunk | Hakan Tanriverdi, Jan Strozyk, Maximilian Zierer, Rebecca Ciesielski, Svea Eckert
Attacking the Heart of the German Industry
Winnti
2019-07-24 | GitHub (br-data) | Hakan Tanriverdi, Jan Strozyk, Maximilian Zierer, Rebecca Ciesielski, Svea Eckert
Winnti analysis
Winnti
2019-04-22 | Trend Micro | Mohamad Mokbel
C/C++ Runtime Library Code Tampering in Supply Chain
shadowhammer ShadowPad Winnti
2018-10-01 | Macnica Networks | Macnica Networks
Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018
Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm
2018-05-22 | GitHub (TKCERT) | thyssenkrupp CERT
Nmap Script to scan for Winnti infections
Winnti
2018-03-05 | GitHub (TKCERT) | TKCERT
Suricata rules to detect Winnti communication
Winnti
2017-04-19 | Trend Micro | Trend Micro
Of Pigs and Malware: Examining a Possible Member of the Winnti Group
Winnti
2017-03-22 | Trend Micro | Cedric Pernet
Winnti Abuses GitHub for C&C Communications
Winnti
2016-03-06 | GitHub (TKCERT) | thyssenkrupp CERT
Network detector for Winnti malware
Winnti
2015-06-22 | Kaspersky Labs | Dmitry Tarakanov
Games are over: Winnti is now targeting pharmaceutical companies
Winnti APT41
2015-04-06 | Novetta | Novetta
WINNTI ANALYSIS
Winnti
2015-01-01 | Ruxcon | Matt McCormack
WHY ATTACKER TOOLSETS DO WHAT THEY DO
Winnti
2013-04-01 | Kaspersky Labs | GReAT
Winnti - More than just a game
portless Winnti
Yara Rules
[TLP:WHITE] win_winnti_auto (20251219 | Detects win.winnti.)
rule win_winnti_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.winnti."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 56 ff15???????? 85c0 7e79 8d4c2418 8d942484000000 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7e79                 | jle                 0x7b
            //   8d4c2418             | lea                 ecx, [esp + 0x18]
            //   8d942484000000       | lea                 edx, [esp + 0x84]

        $sequence_1 = { 8dbc24c4000000 8d942410010000 f3ab 668b8424740b0000 bf???????? 66898424d2050000 83c9ff }
            // n = 7, score = 200
            //   8dbc24c4000000       | lea                 edi, [esp + 0xc4]
            //   8d942410010000       | lea                 edx, [esp + 0x110]
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   668b8424740b0000     | mov                 ax, word ptr [esp + 0xb74]
            //   bf????????           |                     
            //   66898424d2050000     | mov                 word ptr [esp + 0x5d2], ax
            //   83c9ff               | or                  ecx, 0xffffffff

        $sequence_2 = { 8b734c 03f8 8bc1 c1e902 f3a5 8bc8 }
            // n = 6, score = 200
            //   8b734c               | mov                 esi, dword ptr [ebx + 0x4c]
            //   03f8                 | add                 edi, eax
            //   8bc1                 | mov                 eax, ecx
            //   c1e902               | shr                 ecx, 2
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8bc8                 | mov                 ecx, eax

        $sequence_3 = { f3ab 8b8c2498010000 c644242004 51 c644242501 ff15???????? }
            // n = 6, score = 200
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8b8c2498010000       | mov                 ecx, dword ptr [esp + 0x198]
            //   c644242004           | mov                 byte ptr [esp + 0x20], 4
            //   51                   | push                ecx
            //   c644242501           | mov                 byte ptr [esp + 0x25], 1
            //   ff15????????         |                     

        $sequence_4 = { ffd7 68???????? 68???????? 89460c }
            // n = 4, score = 200
            //   ffd7                 | call                edi
            //   68????????           |                     
            //   68????????           |                     
            //   89460c               | mov                 dword ptr [esi + 0xc], eax

        $sequence_5 = { 85c0 751a 8bcb 8d142e 2bce 51 }
            // n = 6, score = 200
            //   85c0                 | test                eax, eax
            //   751a                 | jne                 0x1c
            //   8bcb                 | mov                 ecx, ebx
            //   8d142e               | lea                 edx, [esi + ebp]
            //   2bce                 | sub                 ecx, esi
            //   51                   | push                ecx

        $sequence_6 = { e8???????? 8b4c2418 50 6800040000 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   8b4c2418             | mov                 ecx, dword ptr [esp + 0x18]
            //   50                   | push                eax
            //   6800040000           | push                0x400

        $sequence_7 = { 8bfa 83c9ff f2ae 8b54242c }
            // n = 4, score = 200
            //   8bfa                 | mov                 edi, edx
            //   83c9ff               | or                  ecx, 0xffffffff
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]
            //   8b54242c             | mov                 edx, dword ptr [esp + 0x2c]

        $sequence_8 = { 0f849a000000 4c8d5b2e 660f1f440000 410fb70b 458bca }
            // n = 5, score = 100
            //   0f849a000000         | je                  0xa0
            //   4c8d5b2e             | lea                 r11, [rbx + 0x2e]
            //   660f1f440000         | nop                 word ptr [rax + rax]
            //   410fb70b             | movzx               ecx, word ptr [r11]
            //   458bca               | mov                 r9d, r10d

        $sequence_9 = { 8b4b1c 4803cf 8b0491 4803c7 488b5c2410 }
            // n = 5, score = 100
            //   8b4b1c               | mov                 ecx, dword ptr [rbx + 0x1c]
            //   4803cf               | add                 rcx, rdi
            //   8b0491               | mov                 eax, dword ptr [rcx + rdx*4]
            //   4803c7               | add                 rax, rdi
            //   488b5c2410           | mov                 rbx, qword ptr [rsp + 0x10]

        $sequence_10 = { 4585d2 759d 488b7db7 458bd9 44894d97 }
            // n = 5, score = 100
            //   4585d2               | test                r10d, r10d
            //   759d                 | jne                 0xffffff9f
            //   488b7db7             | mov                 rdi, qword ptr [rbp - 0x49]
            //   458bd9               | mov                 r11d, r9d
            //   44894d97             | mov                 dword ptr [rbp - 0x69], r9d

        $sequence_11 = { 4053 4883ec40 48c74424580a000000 488b442458 4c8d442458 }
            // n = 5, score = 100
            //   4053                 | push                rbx
            //   4883ec40             | sub                 rsp, 0x40
            //   48c74424580a000000   | mov                 qword ptr [rsp + 0x58], 0xa
            //   488b442458           | mov                 rax, qword ptr [rsp + 0x58]
            //   4c8d442458           | lea                 r8, [rsp + 0x58]

        $sequence_12 = { 4863c9 e8???????? 488bd8 4c8d443710 4983781810 7203 4d8b00 }
            // n = 7, score = 100
            //   4863c9               | movsxd              rcx, ecx
            //   e8????????           |                     
            //   488bd8               | mov                 rbx, rax
            //   4c8d443710           | lea                 r8, [rdi + rsi + 0x10]
            //   4983781810           | cmp                 qword ptr [r8 + 0x18], 0x10
            //   7203                 | jb                  0x5
            //   4d8b00               | mov                 r8, qword ptr [r8]

        $sequence_13 = { 75f1 408830 488d542450 4038742450 }
            // n = 4, score = 100
            //   75f1                 | jne                 0xfffffff3
            //   408830               | mov                 byte ptr [rax], sil
            //   488d542450           | lea                 rdx, [rsp + 0x50]
            //   4038742450           | cmp                 byte ptr [rsp + 0x50], sil

        $sequence_14 = { 90 488bd0 488d4b28 e8???????? 90 48837dd710 7209 }
            // n = 7, score = 100
            //   90                   | nop                 
            //   488bd0               | mov                 rdx, rax
            //   488d4b28             | lea                 rcx, [rbx + 0x28]
            //   e8????????           |                     
            //   90                   | nop                 
            //   48837dd710           | cmp                 qword ptr [rbp - 0x29], 0x10
            //   7209                 | jb                  0xb

        $sequence_15 = { 4863d9 4c8be3 49c1fc05 4c8d355a4f0a00 83e31f 486bdb58 }
            // n = 6, score = 100
            //   4863d9               | movsxd              rbx, ecx
            //   4c8be3               | mov                 r12, rbx
            //   49c1fc05             | sar                 r12, 5
            //   4c8d355a4f0a00       | lea                 r14, [rip + 0xa4f5a]
            //   83e31f               | and                 ebx, 0x1f
            //   486bdb58             | imul                rbx, rbx, 0x58

        $sequence_16 = { 48c784248800000000000000 488d942488000000 488d4c2428 e8???????? 488d05e7700100 4889442428 488d1553d80100 }
            // n = 7, score = 100
            //   48c784248800000000000000     | mov    qword ptr [rsp + 0x88], 0
            //   488d942488000000     | lea                 rdx, [rsp + 0x88]
            //   488d4c2428           | lea                 rcx, [rsp + 0x28]
            //   e8????????           |                     
            //   488d05e7700100       | lea                 rax, [rip + 0x170e7]
            //   4889442428           | mov                 qword ptr [rsp + 0x28], rax
            //   488d1553d80100       | lea                 rdx, [rip + 0x1d853]

        $sequence_17 = { 7517 488d0513ac0a00 488b4c2430 483bc8 7406 e8???????? 90 }
            // n = 7, score = 100
            //   7517                 | jne                 0x19
            //   488d0513ac0a00       | lea                 rax, [rip + 0xaac13]
            //   488b4c2430           | mov                 rcx, qword ptr [rsp + 0x30]
            //   483bc8               | cmp                 rcx, rax
            //   7406                 | je                  0x8
            //   e8????????           |                     
            //   90                   | nop                 

        $sequence_18 = { 7511 33c0 4881c4e0000000 415f 415e }
            // n = 5, score = 100
            //   7511                 | jne                 0x13
            //   33c0                 | xor                 eax, eax
            //   4881c4e0000000       | add                 rsp, 0xe0
            //   415f                 | pop                 r15
            //   415e                 | pop                 r14

        $sequence_19 = { 4889742430 488b442440 48894310 48894b18 48897c2448 }
            // n = 5, score = 100
            //   4889742430           | mov                 qword ptr [rsp + 0x30], rsi
            //   488b442440           | mov                 rax, qword ptr [rsp + 0x40]
            //   48894310             | mov                 qword ptr [rbx + 0x10], rax
            //   48894b18             | mov                 qword ptr [rbx + 0x18], rcx
            //   48897c2448           | mov                 qword ptr [rsp + 0x48], rdi

        $sequence_20 = { 741e 837d6001 7511 488d5568 ff15???????? 488b8d00010000 ff15???????? }
            // n = 7, score = 100
            //   741e                 | je                  0x20
            //   837d6001             | cmp                 dword ptr [rbp + 0x60], 1
            //   7511                 | jne                 0x13
            //   488d5568             | lea                 rdx, [rbp + 0x68]
            //   ff15????????         |                     
            //   488b8d00010000       | mov                 rcx, qword ptr [rbp + 0x100]
            //   ff15????????         |                     

        $sequence_21 = { 48897c2478 488b8c2400010000 4885c9 741f 4183fe01 7513 }
            // n = 6, score = 100
            //   48897c2478           | mov                 qword ptr [rsp + 0x78], rdi
            //   488b8c2400010000     | mov                 rcx, qword ptr [rsp + 0x100]
            //   4885c9               | test                rcx, rcx
            //   741f                 | je                  0x21
            //   4183fe01             | cmp                 r14d, 1
            //   7513                 | jne                 0x15

        $sequence_22 = { 8bd8 85c0 7848 488b8c24b0000000 }
            // n = 4, score = 100
            //   8bd8                 | mov                 ebx, eax
            //   85c0                 | test                eax, eax
            //   7848                 | js                  0x4a
            //   488b8c24b0000000     | mov                 rcx, qword ptr [rsp + 0xb0]

        $sequence_23 = { 488d0527eb0a00 eb04 4883c010 4883c428 c3 4883ec28 e8???????? }
            // n = 7, score = 100
            //   488d0527eb0a00       | lea                 rax, [rip + 0xaeb27]
            //   eb04                 | jmp                 0x6
            //   4883c010             | add                 rax, 0x10
            //   4883c428             | add                 rsp, 0x28
            //   c3                   | ret                 
            //   4883ec28             | sub                 rsp, 0x28
            //   e8????????           |                     

    condition:
        7 of them and filesize < 1581056
}
[TLP:WHITE] win_winnti_w0   (20190822 | rules used for retrohunting by BR Data.)
rule win_winnti_w0 {
    meta:
        author = "BR Data"
        source = "https://github.com/br-data/2019-winnti-analyse/"
        date = "2019-07-24"
        description = "rules used for retrohunting by BR Data."
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti"
        malpedia_version = "20190822"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $load_magic = { C7 44 ?? ?? FF D8 FF E0 }
        $iter = { E9 EA EB EC ED EE EF F0 }
        $jpeg = { FF D8 FF E0 00 00 00 00 00 00 }

    condition:
        uint16(0) == 0x5a4d and
        $jpeg and
        ($load_magic or $iter in (@jpeg[1]..@jpeg[1]+200)) and
        for any i in (1..#jpeg): ( uint8(@jpeg[i] + 11) != 0 )
}
[TLP:WHITE] win_winnti_w1   (20190822 | rules used for retrohunting by BR Data.)
rule win_winnti_w1 {
    meta:
        author = "BR Data"
        source = "https://github.com/br-data/2019-winnti-analyse/"
        date = "2019-07-24"
        description = "rules used for retrohunting by BR Data."
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti"
        malpedia_version = "20190822"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $cooper = "Cooper"
        $pattern = { e9 ea eb ec ed ee ef f0}
    condition:
        uint16(0) == 0x5a4d and $cooper and ($pattern in (@cooper[1]..@cooper[1]+100))
}
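The two BR Data rules above (win_winnti_w0 and win_winnti_w1) encode a small set of byte-level heuristics: a JPEG SOI/APP0 marker followed by six zero bytes (a real JFIF image carries the APP0 length and the string "JFIF" there, so genuine images do not match), the loader instruction that writes that magic into a buffer, an eight-byte E9..F0 table close to the header or to the string "Cooper", and a non-zero byte eleven bytes past the fake header. The following is an added example, not BR Data's code, that re-implements those conditions in plain Python so each sub-condition can be checked separately on a file without a YARA install. The byte patterns are copied from the rules; the sample buffers are constructed for the example and are not bytes from any real Winnti binary, and `pe_stub` models only the MZ magic, which is all the rules test.

```python
import re

# Byte patterns copied from the two BR Data rules above.
# $load_magic = { C7 44 ?? ?? FF D8 FF E0 }: a 'mov dword ptr [reg + disp8], imm32' whose
# immediate is the fake JPEG magic, i.e. the loader writing the header into a buffer.
LOAD_MAGIC = re.compile(rb"\xc7\x44..\xff\xd8\xff\xe0", re.DOTALL)
# $iter / $pattern: eight consecutive bytes E9..F0.
ITER = b"\xe9\xea\xeb\xec\xed\xee\xef\xf0"
# $jpeg: JPEG SOI + APP0 marker followed by six zero bytes. A genuine JFIF file has the
# APP0 segment length (00 10) and 'JFIF\0' at that position, so real images never match.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 6
COOPER = b"Cooper"


def is_pe(data):
    """uint16(0) == 0x5a4d: the buffer starts with the MZ magic."""
    return data[:2] == b"MZ"


def offsets(data, needle):
    """Every match offset of needle, i.e. YARA's @needle[1..#needle]."""
    found, pos = [], data.find(needle)
    while pos != -1:
        found.append(pos)
        pos = data.find(needle, pos + 1)
    return found


def in_range(data, needle, start, span):
    """YARA '$x in (start..start+span)': some match of $x must START inside that window."""
    return data.find(needle, start, start + span + len(needle)) != -1


def match_w0(data):
    """win_winnti_w0: fake JPEG header, plus either the loader's magic write anywhere or the
    E9..F0 table within 200 bytes of the first header, plus a non-zero byte 11 past some header."""
    if not is_pe(data):
        return False
    jpeg = offsets(data, FAKE_JPEG)
    if not jpeg:
        return False
    if not (LOAD_MAGIC.search(data) or in_range(data, ITER, jpeg[0], 200)):
        return False
    # for any i in (1..#jpeg): ( uint8(@jpeg[i] + 11) != 0 )
    return any(off + 11 < len(data) and data[off + 11] != 0 for off in jpeg)


def match_w1(data):
    """win_winnti_w1: the string 'Cooper' with the E9..F0 table starting within 100 bytes after it."""
    if not is_pe(data):
        return False
    cooper = offsets(data, COOPER)
    return bool(cooper) and in_range(data, ITER, cooper[0], 100)


def scan(data):
    """Names of the rules that fire, in the order Malpedia lists them."""
    rules = (("win_winnti_w0", match_w0), ("win_winnti_w1", match_w1))
    return [name for name, fn in rules if fn(data)]


def pe_stub(body):
    """Constructed stand-in for a PE image: only the MZ magic is modelled, which is all the rules test."""
    return b"MZ" + b"\x00" * 62 + body


# Constructed samples (hypothetical bytes, not taken from any real Winnti binary).
SAMPLE_ITER = pe_stub(FAKE_JPEG + b"\x04\x10" + b"\x00" * 50 + ITER + b"\x00" * 16)   # w0 via $iter
SAMPLE_LOADMAGIC = pe_stub(b"\xc7\x44\x24\x10\xff\xd8\xff\xe0\x8b\xc8" + b"\x00" * 100  # w0 via $load_magic
                           + FAKE_JPEG + b"\x00\x01")
SAMPLE_REAL_JFIF = pe_stub(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01" + ITER)  # genuine image: no match
SAMPLE_ZERO11 = pe_stub(FAKE_JPEG + b"\x00" * 20 + ITER)            # header and table present, but byte +11 is zero
SAMPLE_COOPER_NEAR = pe_stub(b"Cooper\x00" + b"\x00" * 30 + ITER)   # w1
SAMPLE_COOPER_FAR = pe_stub(b"Cooper\x00" + b"\x00" * 120 + ITER)   # table more than 100 bytes away: no match

if __name__ == "__main__":
    for name, blob in [("iter", SAMPLE_ITER), ("load_magic", SAMPLE_LOADMAGIC),
                       ("real_jfif", SAMPLE_REAL_JFIF), ("zero11", SAMPLE_ZERO11),
                       ("cooper_near", SAMPLE_COOPER_NEAR), ("cooper_far", SAMPLE_COOPER_FAR)]:
        print(f"{name:12} {scan(blob)}")
```

Run it on a real file with `scan(open(path, "rb").read())`. The `in_range` helper matters: YARA's `$x in (a..b)` constrains where a match starts, not where it ends, so the search window has to extend `len(needle)` bytes past `b`; an off-by-one here silently drops hits at the edge of the window.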
[TLP:WHITE] win_winnti_w2   (20191207 | No description)
rule win_winnti_w2 {
    meta:
        author = "Bundesamt fuer Verfassungsschutz"
        source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti"
        malpedia_version = "20191207"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    strings:
        $e1 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411015}" ascii nocase
        $e2 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411014}" ascii nocase
        $e3 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411016}" ascii nocase
        $e4 = "\\BaseNamedObjects\\{B2B87CCA-66BC-4C24-89B2-C23C9EAC2A66}" wide
        $e5 = "BFE_Notify_Event_{7D00FA3C-FBDC-4A8D-AEEB-3F55A4890D2A}" nocase
    condition:
        (any of ($e*))
}
[TLP:WHITE] win_winnti_w3   (20191207 | No description)
rule win_winnti_w3 {
    meta:
        author = "Bundesamt fuer Verfassungsschutz"
        source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti"
        malpedia_version = "20191207"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    strings:
        $a1 = "IPSecMiniPort" wide fullword
        $a2 = "ndis6fw" wide fullword
        $a3 = "TCPIP" wide fullword
        $a4 = "NDIS.SYS" ascii fullword
        $a5 = "ntoskrnl.exe" ascii fullword
        $a6 = "\\BaseNamedObjects\\{B2B87CCA-66BC-4C24-89B2-C23C9EAC2A66}" wide
        $a7 = "\\Device\\Null" wide
        $a8 = "\\Device" wide
        $a9 = "\\Driver" wide
        $b1 = { 66 81 7? ?? 70 17 }
        $b2 = { 81 7? ?? 07 E0 15 00 }
        $b3 = { 8B 46 18 3D 03 60 15 00 }
    condition:
        (6 of ($a*)) and (2 of ($b*))
}