win.winnti

Winnti

aka: BleDoor, JUMPALL, RbDoor

Actor(s): Axiom


No curated description yet. Based on the references listed below: Winnti is a Windows backdoor family attributed to Axiom / the Winnti Group (profiled by Secureworks as BRONZE ATLAS, and listed among the tooling in FireEye's APT41 reporting). It was first documented by Kaspersky in 2013 in intrusions against online-game companies ("Winnti - More than just a game") and was later reported against pharmaceutical companies (2015), German industry (2019) and universities in Hong Kong (2020). Network-side detection aids (TKCERT Suricata rules, Nmap script and detector; Carbon Black's protocol-emulation C2 discovery) and the BR Data retrohunt YARA rules are linked below.

References
2020-04-20QuoScientQuoIntelligence
@online{quointelligence:20200420:winnti:6a4fb66, author = {QuoIntelligence}, title = {{WINNTI GROUP: Insights From the Past}}, date = {2020-04-20}, organization = {QuoScient}, url = {https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/}, language = {English}, urldate = {2020-04-21} } WINNTI GROUP: Insights From the Past
Winnti
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-03-04} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Judgment Panda Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019: A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare
2020-03-03GitHub (superkhung)superkhung
@online{superkhung:20200303:github:8ea37ed, author = {superkhung}, title = {{GitHub Repository: winnti-sniff}}, date = {2020-03-03}, organization = {GitHub (superkhung)}, url = {https://github.com/superkhung/winnti-sniff}, language = {English}, urldate = {2020-03-04} } GitHub Repository: winnti-sniff
Winnti
2020-02-20Carbon BlackTakahiro Haruyama
@online{haruyama:20200220:threat:aa4ef11, author = {Takahiro Haruyama}, title = {{Threat Analysis: Active C2 Discovery Using Protocol Emulation Part2 (Winnti 4.0)}}, date = {2020-02-20}, organization = {Carbon Black}, url = {https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/}, language = {English}, urldate = {2020-02-21} } Threat Analysis: Active C2 Discovery Using Protocol Emulation Part2 (Winnti 4.0)
Winnti
2020-01-31ESET ResearchMathieu Tartare
@online{tartare:20200131:winnti:9f891e4, author = {Mathieu Tartare}, title = {{Winnti Group targeting universities in Hong Kong}}, date = {2020-01-31}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/}, language = {English}, urldate = {2020-02-03} } Winnti Group targeting universities in Hong Kong
ShadowPad Winnti
2020-01-31TagesschauJan Lukas Strozyk
@online{strozyk:20200131:deutsches:d0a9221, author = {Jan Lukas Strozyk}, title = {{Deutsches Chemieunternehmen gehackt}}, date = {2020-01-31}, organization = {Tagesschau}, url = {https://www.tagesschau.de/investigativ/ndr/hackerangriff-chemieunternehmen-101.html}, language = {German}, urldate = {2020-02-03} } Deutsches Chemieunternehmen gehackt
Winnti
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom
2019-09-30LastlineJason Zhang, Stefano Ortolani
@online{zhang:20190930:helo:559ed11, author = {Jason Zhang and Stefano Ortolani}, title = {{HELO Winnti: Attack or Scan?}}, date = {2019-09-30}, organization = {Lastline}, url = {https://www.lastline.com/labsblog/helo-winnti-attack-scan/}, language = {English}, urldate = {2019-10-23} } HELO Winnti: Attack or Scan?
Winnti
2019-09-04FireEyeFireEye
@online{fireeye:20190904:apt41:b5d6780, author = {FireEye}, title = {{APT41: Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-09-04}, organization = {FireEye}, url = {https://content.fireeye.com/api/pdfproxy?id=86840}, language = {English}, urldate = {2020-01-13} } APT41: Double Dragon APT41, a dual espionage and cyber crime operation
EASYNIGHT Winnti
2019-09-04CarbonBlackTakahiro Haruyama
@online{haruyama:20190904:cb:7c71995, author = {Takahiro Haruyama}, title = {{CB TAU Threat Intelligence Notification: Winnti Malware 4.0}}, date = {2019-09-04}, organization = {CarbonBlack}, url = {https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-winnti-malware-4-0/}, language = {English}, urldate = {2019-12-17} } CB TAU Threat Intelligence Notification: Winnti Malware 4.0
Winnti
2019-08-09FireEyeFireEye
@online{fireeye:20190809:double:40f736e, author = {FireEye}, title = {{Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-08-09}, organization = {FireEye}, url = {https://content.fireeye.com/apt-41/rpt-apt41/}, language = {English}, urldate = {2019-12-18} } Double Dragon APT41, a dual espionage and cyber crime operation
CLASSFON crackshot CROSSWALK GEARSHIFT HIGHNOON HIGHNOON.BIN JUMPALL poisonplug Winnti
2019-07-24Bayerischer RundfunkHakan Tanriverdi, Svea Eckert, Jan Strozyk, Maximilian Zierer, Rebecca Ciesielski
@online{tanriverdi:20190724:attacking:66ef327, author = {Hakan Tanriverdi and Svea Eckert and Jan Strozyk and Maximilian Zierer and Rebecca Ciesielski}, title = {{Attacking the Heart of the German Industry}}, date = {2019-07-24}, organization = {Bayerischer Rundfunk}, url = {http://web.br.de/interaktiv/winnti/english/}, language = {English}, urldate = {2019-11-29} } Attacking the Heart of the German Industry
Winnti
2019-07-24Github (br-data)Hakan Tanriverdi, Svea Eckert, Jan Strozyk, Maximilian Zierer, Rebecca Ciesielski
@online{tanriverdi:20190724:winnti:25b27fb, author = {Hakan Tanriverdi and Svea Eckert and Jan Strozyk and Maximilian Zierer and Rebecca Ciesielski}, title = {{Winnti analysis}}, date = {2019-07-24}, organization = {Github (br-data)}, url = {https://github.com/br-data/2019-winnti-analyse/}, language = {English}, urldate = {2019-12-10} } Winnti analysis
Winnti
2018-05-22Github (TKCERT)thyssenkrupp CERT
@online{cert:20180522:nmap:1ee2530, author = {thyssenkrupp CERT}, title = {{Nmap Script to scan for Winnti infections}}, date = {2018-05-22}, organization = {Github (TKCERT)}, url = {https://github.com/TKCERT/winnti-nmap-script}, language = {English}, urldate = {2020-01-07} } Nmap Script to scan for Winnti infections
Winnti
2018-03-05Github (TKCERT)TKCERT
@online{tkcert:20180305:suricata:0b45f94, author = {TKCERT}, title = {{Suricata rules to detect Winnti communication}}, date = {2018-03-05}, organization = {Github (TKCERT)}, url = {https://github.com/TKCERT/winnti-suricata-lua}, language = {English}, urldate = {2020-01-07} } Suricata rules to detect Winnti communication
Winnti
2017-04-19Trend MicroTrendmicro
@online{trendmicro:20170419:of:1656f97, author = {Trendmicro}, title = {{Of Pigs and Malware: Examining a Possible Member of the Winnti Group}}, date = {2017-04-19}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/}, language = {English}, urldate = {2019-12-04} } Of Pigs and Malware: Examining a Possible Member of the Winnti Group
Winnti
2017-03-22Trend MicroCedric Pernet
@online{pernet:20170322:winnti:bfd35bc, author = {Cedric Pernet}, title = {{Winnti Abuses GitHub for C&C Communications}}, date = {2017-03-22}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/}, language = {English}, urldate = {2019-07-09} } Winnti Abuses GitHub for C&C Communications
Winnti
2016-03-06Github (TKCERT)thyssenkrupp CERT
@online{cert:20160306:network:f9244d3, author = {thyssenkrupp CERT}, title = {{Network detector for Winnti malware}}, date = {2016-03-06}, organization = {Github (TKCERT)}, url = {https://github.com/TKCERT/winnti-detector}, language = {English}, urldate = {2020-01-07} } Network detector for Winnti malware
Winnti
2015-06-22Kaspersky LabsDmitry Tarakanov
@online{tarakanov:20150622:games:aba8183, author = {Dmitry Tarakanov}, title = {{Games are over: Winnti is now targeting pharmaceutical companies}}, date = {2015-06-22}, organization = {Kaspersky Labs}, url = {https://securelist.com/games-are-over/70991/}, language = {English}, urldate = {2019-12-20} } Games are over: Winnti is now targeting pharmaceutical companies
Winnti Axiom
2015-04-06NovettaNovetta
@techreport{novetta:20150406:winnti:acc4030, author = {Novetta}, title = {{WINNTI ANALYSIS}}, date = {2015-04-06}, institution = {Novetta}, url = {https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf}, language = {English}, urldate = {2020-01-10} } WINNTI ANALYSIS
Winnti
2015RuxconMatt McCormack
@techreport{mccormack:2015:why:fa3d041, author = {Matt McCormack}, title = {{WHY ATTACKER TOOLSETS DO WHAT THEY DO}}, date = {2015}, institution = {Ruxcon}, url = {http://2015.ruxcon.org.au/assets/2015/slides/Ruxcon%202015%20-%20McCormack.pdf}, language = {English}, urldate = {2020-01-08} } WHY ATTACKER TOOLSETS DO WHAT THEY DO
Winnti
2013-04Kaspersky LabsGReAT
@techreport{great:201304:winnti:c8e6f40, author = {GReAT}, title = {{Winnti - More than just a game}}, date = {2013-04}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf}, language = {English}, urldate = {2019-07-11} } Winnti - More than just a game
portless Winnti
Yara Rules
[TLP:WHITE] win_winnti_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_winnti_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - The per-byte disassembly comments originally emitted next to each
     *   sequence were misaligned (each sequence carried the listing of a
     *   neighbouring sequence, and the x86-64 sequences were decoded as
     *   32-bit code, so REX prefixes showed up as "dec eax" / "inc ecx").
     *   The comments below have been re-derived from the bytes themselves.
     * - $sequence_0..7 are 32-bit x86 code. $sequence_8..23 carry REX
     *   prefixes (0x41/0x44/0x45/0x48/0x49/0x4c) and are x86-64 code. An
     *   image normally contains only one of the two, so "7 of them" in
     *   practice means 7 of the 8 x86 sequences or 7 of the 16 x64 ones.
     * - "??" wildcards stand for rel32 / disp32 operands of call, jmp and
     *   RIP-relative memory references, which differ between builds.
     * - filesize < 1581056 (about 1.5 MiB) comes from the reference samples.
     *   When scanning process memory dumps instead of files, the dump may
     *   exceed that size and suppress an otherwise valid match.
     */


    strings:
        $sequence_0 = { eb62 ff15???????? 3d2e050000 742e 83f805 7429 }
            // n = 6, score = 200
            //   eb62                 | jmp                 +0x62
            //   ff15????????         | call                dword ptr [imm32]
            //   3d2e050000           | cmp                 eax, 0x52e
            //   742e                 | je                  +0x2e
            //   83f805               | cmp                 eax, 5
            //   7429                 | je                  +0x29

        $sequence_1 = { 85f6 7443 8b542418 8d4c2413 c1e206 51 }
            // n = 6, score = 200
            //   85f6                 | test                esi, esi
            //   7443                 | je                  +0x43
            //   8b542418             | mov                 edx, dword ptr [esp + 0x18]
            //   8d4c2413             | lea                 ecx, [esp + 0x13]
            //   c1e206               | shl                 edx, 6
            //   51                   | push                ecx

        $sequence_2 = { 83e103 f3a4 8d7c2448 83c9ff 33c0 f2ae f7d1 }
            // n = 7, score = 200
            //   83e103               | and                 ecx, 3
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   8d7c2448             | lea                 edi, [esp + 0x48]
            //   83c9ff               | or                  ecx, 0xffffffff
            //   33c0                 | xor                 eax, eax
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]
            //   f7d1                 | not                 ecx
            // (inline memcpy followed by an inline strlen on a stack buffer)

        $sequence_3 = { 8d8e0c040000 6880000000 51 ff15???????? b97f000000 2bc8 85c9 }
            // n = 7, score = 200
            //   8d8e0c040000         | lea                 ecx, [esi + 0x40c]
            //   6880000000           | push                0x80
            //   51                   | push                ecx
            //   ff15????????         | call                dword ptr [imm32]
            //   b97f000000           | mov                 ecx, 0x7f
            //   2bc8                 | sub                 ecx, eax
            //   85c9                 | test                ecx, ecx

        $sequence_4 = { 8b4c2414 8d942414060000 51 52 }
            // n = 4, score = 200
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   8d942414060000       | lea                 edx, [esp + 0x614]
            //   51                   | push                ecx
            //   52                   | push                edx

        $sequence_5 = { f3ab 8d442424 6a64 50 56 ff15???????? 85c0 }
            // n = 7, score = 200
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8d442424             | lea                 eax, [esp + 0x24]
            //   6a64                 | push                0x64
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff15????????         | call                dword ptr [imm32]
            //   85c0                 | test                eax, eax

        $sequence_6 = { df6c241c df6c2424 def9 dc0d???????? e8???????? 8b4c2418 50 }
            // n = 7, score = 200
            //   df6c241c             | fild                qword ptr [esp + 0x1c]
            //   df6c2424             | fild                qword ptr [esp + 0x24]
            //   def9                 | fdivp               st(1), st
            //   dc0d????????         | fmul                qword ptr [imm32]
            //   e8????????           | call                rel32
            //   8b4c2418             | mov                 ecx, dword ptr [esp + 0x18]
            //   50                   | push                eax

        $sequence_7 = { c744240802000000 8d4c2400 6a1c 51 6a01 ffd2 }
            // n = 6, score = 200
            //   c744240802000000     | mov                 dword ptr [esp + 8], 2
            //   8d4c2400             | lea                 ecx, [esp]
            //   6a1c                 | push                0x1c
            //   51                   | push                ecx
            //   6a01                 | push                1
            //   ffd2                 | call                edx

        $sequence_8 = { 4883ec20 488d05a3230100 8bda 488bf9 }
            // n = 4, score = 100
            //   4883ec20             | sub                 rsp, 0x20
            //   488d05a3230100       | lea                 rax, [rip + 0x123a3]
            //   8bda                 | mov                 ebx, edx
            //   488bf9               | mov                 rdi, rcx

        $sequence_9 = { 83ff3a 0f84ac000000 83ff2f 7518 458bfe }
            // n = 5, score = 100
            //   83ff3a               | cmp                 edi, 0x3a        ; ':'
            //   0f84ac000000         | je                  +0xac
            //   83ff2f               | cmp                 edi, 0x2f        ; '/'
            //   7518                 | jne                 +0x18
            //   458bfe               | mov                 r15d, r14d

        $sequence_10 = { 4c8d2531550a00 e9???????? 41bf98000000 b901000000 418bd7 e8???????? }
            // n = 6, score = 100
            //   4c8d2531550a00       | lea                 r12, [rip + 0xa5531]
            //   e9????????           | jmp                 rel32
            //   41bf98000000         | mov                 r15d, 0x98
            //   b901000000           | mov                 ecx, 1
            //   418bd7               | mov                 edx, r15d
            //   e8????????           | call                rel32

        $sequence_11 = { ff15???????? 488bc8 488d842460020000 4c8d442440 4889442420 e8???????? 33db }
            // n = 7, score = 100
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   488bc8               | mov                 rcx, rax
            //   488d842460020000     | lea                 rax, [rsp + 0x260]
            //   4c8d442440           | lea                 r8, [rsp + 0x40]
            //   4889442420           | mov                 qword ptr [rsp + 0x20], rax
            //   e8????????           | call                rel32
            //   33db                 | xor                 ebx, ebx

        $sequence_12 = { 488d0503600100 85ff 0f84de050000 4585ff }
            // n = 4, score = 100
            //   488d0503600100       | lea                 rax, [rip + 0x16003]
            //   85ff                 | test                edi, edi
            //   0f84de050000         | je                  +0x5de
            //   4585ff               | test                r15d, r15d

        $sequence_13 = { 7513 4c8d258c5a0100 8d77c5 448d6fc0 e9???????? 488d159d5a0100 }
            // n = 6, score = 100
            //   7513                 | jne                 +0x13
            //   4c8d258c5a0100       | lea                 r12, [rip + 0x15a8c]
            //   8d77c5               | lea                 esi, [rdi - 0x3b]
            //   448d6fc0             | lea                 r13d, [rdi - 0x40]
            //   e9????????           | jmp                 rel32
            //   488d159d5a0100       | lea                 rdx, [rip + 0x15a9d]

        $sequence_14 = { 410fb600 41fec2 49ffc1 4180fa0f 7466 410fb601 f684100041000080 }
            // n = 7, score = 100
            //   410fb600             | movzx               eax, byte ptr [r8]
            //   41fec2               | inc                 r10b
            //   49ffc1               | inc                 r9
            //   4180fa0f             | cmp                 r10b, 0xf
            //   7466                 | je                  +0x66
            //   410fb601             | movzx               eax, byte ptr [r9]
            //   f684100041000080     | test                byte ptr [rax + rdx + 0x4100], 0x80

        $sequence_15 = { eb07 488d0dd5110000 ff15???????? f0ff0d???????? }
            // n = 4, score = 100
            //   eb07                 | jmp                 +7
            //   488d0dd5110000       | lea                 rcx, [rip + 0x11d5]
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   f0ff0d????????       | lock dec            dword ptr [rip + disp32]

        $sequence_16 = { 85c0 0f8492000000 8b45af 48895c2438 }
            // n = 4, score = 100
            //   85c0                 | test                eax, eax
            //   0f8492000000         | je                  +0x92
            //   8b45af               | mov                 eax, dword ptr [rbp - 0x51]
            //   48895c2438           | mov                 qword ptr [rsp + 0x38], rbx

        $sequence_17 = { 48c1e105 488b04d0 0fb744080c 8945df 41c7400800000000 4883cfff 4c8bc7 }
            // n = 7, score = 100
            //   48c1e105             | shl                 rcx, 5
            //   488b04d0             | mov                 rax, qword ptr [rax + rdx*8]
            //   0fb744080c           | movzx               eax, word ptr [rax + rcx + 0xc]
            //   8945df               | mov                 dword ptr [rbp - 0x21], eax
            //   41c7400800000000     | mov                 dword ptr [r8 + 8], 0
            //   4883cfff             | or                  rdi, 0xffffffffffffffff
            //   4c8bc7               | mov                 r8, rdi

        $sequence_18 = { 837b1000 0f8594000000 488d0d9c660000 4c8bc3 ba40000000 e8???????? }
            // n = 6, score = 100
            //   837b1000             | cmp                 dword ptr [rbx + 0x10], 0
            //   0f8594000000         | jne                 +0x94
            //   488d0d9c660000       | lea                 rcx, [rip + 0x669c]
            //   4c8bc3               | mov                 r8, rbx
            //   ba40000000           | mov                 edx, 0x40
            //   e8????????           | call                rel32

        $sequence_19 = { 8bd8 85c0 7837 488b4c2458 4c8d442430 41b910000000 }
            // n = 6, score = 100
            //   8bd8                 | mov                 ebx, eax
            //   85c0                 | test                eax, eax
            //   7837                 | js                  +0x37
            //   488b4c2458           | mov                 rcx, qword ptr [rsp + 0x58]
            //   4c8d442430           | lea                 r8, [rsp + 0x30]
            //   41b910000000         | mov                 r9d, 0x10

        $sequence_20 = { 33d2 48c744242800000000 48c744242000000000 ff15???????? 488b4c2458 }
            // n = 5, score = 100
            //   33d2                 | xor                 edx, edx
            //   48c744242800000000   | mov                 qword ptr [rsp + 0x28], 0
            //   48c744242000000000   | mov                 qword ptr [rsp + 0x20], 0
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   488b4c2458           | mov                 rcx, qword ptr [rsp + 0x58]

        $sequence_21 = { 786d 418bc7 4803f0 4889b424c8000000 48037c2470 48897c2478 48ffc3 }
            // n = 7, score = 100
            //   786d                 | js                  +0x6d
            //   418bc7               | mov                 eax, r15d
            //   4803f0               | add                 rsi, rax
            //   4889b424c8000000     | mov                 qword ptr [rsp + 0xc8], rsi
            //   48037c2470           | add                 rdi, qword ptr [rsp + 0x70]
            //   48897c2478           | mov                 qword ptr [rsp + 0x78], rdi
            //   48ffc3               | inc                 rbx

        $sequence_22 = { bb01000000 e8???????? 85c0 787e }
            // n = 4, score = 100
            //   bb01000000           | mov                 ebx, 1
            //   e8????????           | call                rel32
            //   85c0                 | test                eax, eax
            //   787e                 | js                  +0x7e

        $sequence_23 = { 488b8180000000 488b10 f7420c00008000 752c 837a1400 7426 }
            // n = 6, score = 100
            //   488b8180000000       | mov                 rax, qword ptr [rcx + 0x80]
            //   488b10               | mov                 rdx, qword ptr [rax]
            //   f7420c00008000       | test                dword ptr [rdx + 0xc], 0x800000
            //   752c                 | jne                 +0x2c
            //   837a1400             | cmp                 dword ptr [rdx + 0x14], 0
            //   7426                 | je                  +0x26

    condition:
        // Any 7 of the 24 sequences; see REVIEW NOTES on the x86/x64 split
        // and on the filesize cap when scanning memory dumps.
        7 of them and filesize < 1581056
}
[TLP:WHITE] win_winnti_w0   (20190822 | rules used for retrohunting by BR Data.)
rule win_winnti_w0 {
    meta:
        author = "BR Data"
        source = "https://github.com/br-data/2019-winnti-analyse/"
        date = "2019-07-24"
        description = "rules used for retrohunting by BR Data."
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti"
        malpedia_version = "20190822"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // mov dword ptr [base + index*scale + disp8], 0xE0FFD8FF: the code
        // writes the JPEG SOI/APP0 marker bytes FF D8 FF E0 into a stack
        // slot, i.e. it builds the fake JPEG header itself.
        $store_jpeg_magic = { C7 44 ?? ?? FF D8 FF E0 }

        // Eight consecutive ascending bytes 0xE9..0xF0. Shared with
        // win_winnti_w1. Short monotone byte runs like this can also occur in
        // ordinary lookup tables, so it is only accepted near $jpeg_hdr.
        $ascending_run = { E9 EA EB EC ED EE EF F0 }

        // JPEG marker followed by six NUL bytes. A genuine JFIF file carries
        // the APP0 segment length and the "JFIF" tag at this position, so
        // this pattern selects the malformed, embedded header.
        $jpeg_hdr = { FF D8 FF E0 00 00 00 00 00 00 }

    condition:
        // PE ("MZ") files only; the rule is not meant for memory dumps.
        uint16(0) == 0x5a4d
        and $jpeg_hdr
        // at least one header instance has a non-zero byte right after the
        // ten matched bytes plus one (offset +11)
        and for any i in (1..#jpeg_hdr): ( uint8(@jpeg_hdr[i] + 11) != 0 )
        // either the header-building instruction anywhere, or the ascending
        // byte run within 200 bytes after the FIRST fake header
        and ( $store_jpeg_magic or $ascending_run in (@jpeg_hdr[1]..@jpeg_hdr[1] + 200) )
}
[TLP:WHITE] win_winnti_w1   (20190822 | rules used for retrohunting by BR Data.)
rule win_winnti_w1 {
    meta:
        author = "BR Data"
        source = "https://github.com/br-data/2019-winnti-analyse/"
        date = "2019-07-24"
        description = "rules used for retrohunting by BR Data."
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti"
        malpedia_version = "20190822"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Case-sensitive ASCII "Cooper"; not fullword, so it also matches as
        // a substring of a longer identifier or path.
        $marker = "Cooper"

        // Same ascending byte run 0xE9..0xF0 used by win_winnti_w0.
        $ascending_run = { e9 ea eb ec ed ee ef f0}

    condition:
        // PE files only
        uint16(0) == 0x5a4d
        and $marker
        // the byte run must sit within 100 bytes after the FIRST "Cooper"
        // occurrence; later occurrences are not considered
        and $ascending_run in (@marker[1]..@marker[1] + 100)
}
[TLP:WHITE] win_winnti_w2   (20191207 | No description)
rule win_winnti_w2 {
    meta:
        source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti"
        malpedia_version = "20191207"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Named-object names (presumably event/mutex names, given the
        // Global\ and BaseNamedObjects prefixes). NOTE: the GUID in the three
        // BFE_Notify_Event_{65a097fe-...} names has a 13-digit last group
        // (55dfc3f411014/5/6) instead of the usual 12 - this malformation is
        // part of the indicator; do not "correct" it.
        $evt_bfe_015 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411015}" ascii nocase
        $evt_bfe_014 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411014}" ascii nocase
        $evt_bfe_016 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411016}" ascii nocase
        // Same object name is also listed in win_winnti_w3 ($a6 there).
        $bno_guid = "\\BaseNamedObjects\\{B2B87CCA-66BC-4C24-89B2-C23C9EAC2A66}" wide
        // no explicit modifier: ASCII only, case-insensitive
        $evt_bfe_7d00 = "BFE_Notify_Event_{7D00FA3C-FBDC-4A8D-AEEB-3F55A4890D2A}" nocase

    condition:
        // Any single name is enough. There is no MZ or filesize gate, so the
        // rule also applies to memory dumps. Encoding coverage is uneven
        // (ascii for the BFE names, wide only for the BaseNamedObjects path);
        // if the names are observed in the other encoding, the source should
        // be re-checked before widening the modifiers.
        any of them
}
[TLP:WHITE] win_winnti_w3   (20191207 | No description)
rule win_winnti_w3 {
    meta:
        source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti"
        malpedia_version = "20191207"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Driver / kernel-side identifiers. The ASCII "NDIS.SYS" and
        // "ntoskrnl.exe" strings are typical import-module names of a
        // kernel driver; the rest are wide device/driver object names.
        $drv_ipsec   = "IPSecMiniPort" wide fullword
        $drv_ndis6fw = "ndis6fw" wide fullword
        $drv_tcpip   = "TCPIP" wide fullword
        $drv_ndis    = "NDIS.SYS" ascii fullword
        $drv_ntos    = "ntoskrnl.exe" ascii fullword
        // Same object name as in win_winnti_w2 ($e4 there).
        $drv_bno     = "\\BaseNamedObjects\\{B2B87CCA-66BC-4C24-89B2-C23C9EAC2A66}" wide
        $drv_devnull = "\\Device\\Null" wide
        // "\Device" is a prefix of "\Device\Null", so any $drv_devnull hit
        // also satisfies $drv_dev; the two do not count independently.
        $drv_dev     = "\\Device" wide
        $drv_driver  = "\\Driver" wide

        // Code fragments. Opcode 81 /6 is XOR and 81 /7 is CMP, and the
        // "7?" ModRM wildcard covers both, so the first two read as
        // cmp (or xor) [reg + disp8], imm.
        $code_w1770  = { 66 81 7? ?? 70 17 }         // cmp/xor word ptr [reg+disp8], 0x1770
        $code_15e007 = { 81 7? ?? 07 E0 15 00 }      // cmp/xor dword ptr [reg+disp8], 0x15E007
        $code_156003 = { 8B 46 18 3D 03 60 15 00 }   // mov eax, [esi+0x18]; cmp eax, 0x156003

    condition:
        // No MZ/filesize gate: applicable to files and memory. Requires two
        // of the three code fragments plus six of the nine name strings
        // (effectively five distinct ones if "\Device\Null" is present).
        2 of ($code_*) and 6 of ($drv_*)
}