Actor(s): APT17
There is no description at this point.
rule win_winnti_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.winnti." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 51 52 8bce e8???????? 53 8bf8 ff15???????? } // n = 7, score = 200 // 51 | mov esi, eax // 52 | add esp, 4 // 8bce | test esi, esi // e8???????? | // 53 | jne 0x12 // 8bf8 | pop edi // ff15???????? | $sequence_1 = { ff15???????? 663dffff 747b 663dfeff 7475 8b942494020000 83c9ff } // n = 7, score = 200 // ff15???????? | // 663dffff | pop esi // 747b | or eax, 0xffffffff // 663dfeff | push 1 // 7475 | push edx // 8b942494020000 | push 2 // 83c9ff | mov dword ptr [esp + 0x3c], esi $sequence_2 = { c22000 8b4d00 56 6a03 68c8000000 51 ff15???????? } // n = 7, score = 200 // c22000 | mov eax, dword ptr [esi + 0x3c] // 8b4d00 | xor edx, edx // 56 | add esp, 4 // 6a03 | test ebx, ebx // 68c8000000 | je 0xe2 // 51 | push ebp // ff15???????? | $sequence_3 = { 8bf0 83c404 85f6 7509 5f 5e 83c8ff } // n = 7, score = 200 // 8bf0 | lea edx, [0x16e1] // 83c404 | mov cl, 0x2e // 85f6 | dec eax // 7509 | sub edx, eax // 5f | dec esp // 5e | sub eax, ecx // 83c8ff | nop dword ptr [eax] $sequence_4 = { 807a025c 75bf 83c203 8a0a 56 33f6 b801000000 } // n = 7, score = 200 // 807a025c | mov ebp, dword ptr [esp + 0x30] // 75bf | push esi // 83c203 | push edi // 8a0a | mov dword ptr [esi + 8], ebx // 56 | mov dword ptr [esi + 0xc], ebx // 33f6 | call edi // b801000000 | push eax $sequence_5 = { 895e08 895e0c ffd7 50 } // n = 4, score = 200 // 895e08 | inc edi // 895e0c | lea ecx, [edx + ebx] // ffd7 | jne 0xfffffffa // 50 | dec eax $sequence_6 = { 83c404 85db 0f84da000000 55 8b6c2430 56 57 } // n = 7, score = 200 // 83c404 | dec eax // 85db | add esi, edi // 0f84da000000 | dec esp // 55 | add esi, edi // 8b6c2430 | inc ecx // 56 | dec edx // 57 | nop word ptr [eax + eax] $sequence_7 = { 6a01 52 6a02 8974243c 89742430 c644244800 ff15???????? } // n = 7, score = 200 // 6a01 | inc ecx // 52 | movzx eax, byte ptr [eax + ecx + 1] // 6a02 | mov byte ptr [ecx], dl // 8974243c | ret // 89742430 | mov ecx, dword ptr [esi + 0x54] // c644244800 | inc esp // ff15???????? | $sequence_8 = { 488d8a40000000 e9???????? 488b8a40000000 4883c108 e9???????? 488b8a80000000 e9???????? } // n = 7, score = 100 // 488d8a40000000 | push ebx // e9???????? | // 488b8a40000000 | mov edi, eax // 4883c108 | cmp ax, 0xffff // e9???????? | // 488b8a80000000 | je 0x81 // e9???????? | $sequence_9 = { 48037c2470 48897c2478 488b8c2400010000 4885c9 741f 4183fe01 7513 } // n = 7, score = 100 // 48037c2470 | inc ecx // 48897c2478 | push edi // 488b8c2400010000 | dec eax // 4885c9 | sub esp, 0x30 // 741f | dec esp // 4183fe01 | mov esi, ecx // 7513 | xor edi, edi $sequence_10 = { 4c8d25b6f10000 498b0c24 4d8bc5 488bd3 e8???????? 85c0 } // n = 6, score = 100 // 4c8d25b6f10000 | inc esp // 498b0c24 | mov dword ptr [ecx + edi + 0x1c], ebx // 4d8bc5 | dec ecx // 488bd3 | arpl bx, cx // e8???????? | // 85c0 | dec eax $sequence_11 = { 4803f7 4c03f7 41ffca 660f1f840000000000 478d0c1a } // n = 5, score = 100 // 4803f7 | inc ecx // 4c03f7 | cmp esi, 1 // 41ffca | jne 0x2b // 660f1f840000000000 | dec eax // 478d0c1a | lea edx, [esp + 0x50] $sequence_12 = { 75f8 488d15e1160000 b12e 482bd0 } // n = 4, score = 100 // 75f8 | inc esp // 488d15e1160000 | cmp byte ptr [esp + 0x50], dh // b12e | je 0xc // 482bd0 | nop $sequence_13 = { 4963f9 48897db7 453bc5 0f8e4f020000 418bc0 412bc5 448be0 } // n = 7, score = 100 // 4963f9 | cmp ax, 0xfffe // 48897db7 | je 0x81 // 453bc5 | mov edx, dword ptr [esp + 0x294] // 0f8e4f020000 | or ecx, 0xffffffff // 418bc0 | rep movsd dword ptr es:[edi], dword ptr [esi] // 412bc5 | mov eax, dword ptr [esp + 0x164] // 448be0 | mov ecx, edx $sequence_14 = { 3918 0f4c18 3bcb 0f8d87000000 488d3d979c0a00 ba58000000 488bcd } // n = 7, score = 100 // 3918 | and ecx, 3 // 0f4c18 | push eax // 3bcb | rep movsb byte ptr es:[edi], byte ptr [esi] // 0f8d87000000 | mov ecx, dword ptr [esp + 0x164] // 488d3d979c0a00 | dec eax // ba58000000 | lea ebx, [0xadeb] // 488bcd | dec eax $sequence_15 = { 4c2bc1 0f1f00 410fb6440801 8811 } // n = 4, score = 100 // 4c2bc1 | dec eax // 0f1f00 | inc edx // 410fb6440801 | dec eax // 8811 | mov dword ptr [esp + 0x10], edx $sequence_16 = { 4d85ed 7429 488d15fcd70a00 498bcd } // n = 4, score = 100 // 4d85ed | mov edx, ecx // 7429 | dec eax // 488d15fcd70a00 | sar edx, 0x10 // 498bcd | dec ecx $sequence_17 = { 4c8bc7 48894768 488d4567 ba18822200 } // n = 4, score = 100 // 4c8bc7 | dec esp // 48894768 | mov eax, edi // 488d4567 | dec eax // ba18822200 | mov dword ptr [edi + 0x68], eax $sequence_18 = { 4889542410 53 4881ecb0000000 33db } // n = 4, score = 100 // 4889542410 | mov ecx, dword ptr [esp + 0x100] // 53 | dec eax // 4881ecb0000000 | test ecx, ecx // 33db | je 0x31 $sequence_19 = { 488d542450 4438742450 740a 6690 48ffc2 } // n = 5, score = 100 // 488d542450 | dec eax // 4438742450 | add edi, dword ptr [esp + 0x70] // 740a | dec eax // 6690 | mov dword ptr [esp + 0x78], edi // 48ffc2 | dec eax $sequence_20 = { 488d1debad0000 488d3d64ae0000 eb0e 488b03 4885c0 7402 } // n = 6, score = 100 // 488d1debad0000 | push ecx // 488d3d64ae0000 | cmp byte ptr [edx + 2], 0x5c // eb0e | jne 0xffffffc1 // 488b03 | add edx, 3 // 4885c0 | mov cl, byte ptr [edx] // 7402 | push esi $sequence_21 = { 8a45d9 4b8b8cf800a20b00 88443139 4b8b84f800a20b00 8854303a eb4c 493bde } // n = 7, score = 100 // 8a45d9 | lea edi, [0xae64] // 4b8b8cf800a20b00 | jmp 0x17 // 88443139 | dec eax // 4b8b84f800a20b00 | mov eax, dword ptr [ebx] // 8854303a | dec eax // eb4c | test eax, eax // 493bde | je 0x13 $sequence_22 = { 57 4156 4157 4883ec30 4c8bf1 33ff } // n = 6, score = 100 // 57 | dec eax // 4156 | lea eax, [ebp + 0x67] // 4157 | mov edx, 0x228218 // 4883ec30 | push edi // 4c8bf1 | inc ecx // 33ff | push esi $sequence_23 = { 44895c391c 4963cb 488bd1 48c1fa10 498b8680000000 } // n = 5, score = 100 // 44895c391c | xor esi, esi // 4963cb | mov eax, 1 // 488bd1 | push ecx // 48c1fa10 | push edx // 498b8680000000 | mov ecx, esi condition: 7 of them and filesize < 1581056 }
rule win_winnti_w0 { meta: author = "BR Data" source = "https://github.com/br-data/2019-winnti-analyse/" date = "2019-07-24" description = "rules used for retrohunting by BR Data." malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti" malpedia_version = "20190822" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $load_magic = { C7 44 ?? ?? FF D8 FF E0 } $iter = { E9 EA EB EC ED EE EF F0 } $jpeg = { FF D8 FF E0 00 00 00 00 00 00 } condition: uint16(0) == 0x5a4d and $jpeg and ($load_magic or $iter in (@jpeg[1]..@jpeg[1]+200)) and for any i in (1..#jpeg): ( uint8(@jpeg[i] + 11) != 0 ) }
rule win_winnti_w1 { meta: author = "BR Data" source = "https://github.com/br-data/2019-winnti-analyse/" date = "2019-07-24" description = "rules used for retrohunting by BR Data." malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti" malpedia_version = "20190822" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $cooper = "Cooper" $pattern = { e9 ea eb ec ed ee ef f0} condition: uint16(0) == 0x5a4d and $cooper and ($pattern in (@cooper[1]..@cooper[1]+100)) }
rule win_winnti_w2 { meta: author = "Bundesamt fuer Verfassungsschutz" source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti" malpedia_version = "20191207" malpedia_sharing = "TLP:WHITE" malpedia_license = "" strings: $e1 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411015}" ascii nocase $e2 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411014}" ascii nocase $e3 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411016}" ascii nocase $e4 = "\\BaseNamedObjects\\{B2B87CCA-66BC-4C24-89B2-C23C9EAC2A66}" wide $e5 = "BFE_Notify_Event_{7D00FA3C-FBDC-4A8D-AEEB-3F55A4890D2A}" nocase condition: (any of ($e*)) }
rule win_winnti_w3 { meta: author = "Bundesamt fuer Verfassungsschutz" source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti" malpedia_version = "20191207" malpedia_sharing = "TLP:WHITE" malpedia_license = "" strings: $a1 = "IPSecMiniPort" wide fullword $a2 = "ndis6fw" wide fullword $a3 = "TCPIP" wide fullword $a4 = "NDIS.SYS" ascii fullword $a5 = "ntoskrnl.exe" ascii fullword $a6 = "\\BaseNamedObjects\\{B2B87CCA-66BC-4C24-89B2-C23C9EAC2A66}" wide $a7 = "\\Device\\Null" wide $a8 = "\\Device" wide $a9 = "\\Driver" wide $b1 = { 66 81 7? ?? 70 17 } $b2 = { 81 7? ?? 07 E0 15 00 } $b3 = { 8B 46 18 3D 03 60 15 00 } condition: (6 of ($a*)) and (2 of ($b*)) }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY
