SYMBOLCOMMON_NAMEaka. SYNONYMS
win.winnti (Back to overview)

Winnti

aka: BleDoor, JUMPALL, RbDoor, Pasteboy

Actor(s): Axiom


There is no description at this point.

References
2021-03-26SonicWallSonicWall CaptureLabs Threats Research Team
@online{team:20210326:chinas:d31ffa4, author = {SonicWall CaptureLabs Threats Research Team}, title = {{China’s “Winnti” Spyder Module}}, date = {2021-03-26}, organization = {SonicWall}, url = {https://securitynews.sonicwall.com/xmlpost/chinas-winnti-spyder-module/}, language = {English}, urldate = {2021-04-14} } China’s “Winnti” Spyder Module
Winnti
2021-03-10ESET ResearchThomas Dupuy, Matthieu Faou, Mathieu Tartare
@online{dupuy:20210310:exchange:8f65a1f, author = {Thomas Dupuy and Matthieu Faou and Mathieu Tartare}, title = {{Exchange servers under siege from at least 10 APT groups}}, date = {2021-03-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/}, language = {English}, urldate = {2021-03-11} } Exchange servers under siege from at least 10 APT groups
Microcin MimiKatz PlugX Winnti
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Ransomware Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Ransomware Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon Ransomware BazarBackdoor Clop Cobalt Strike Conti Ransomware Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet Ransomware ShadowPad SmokeLoader Snake Ransomware SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader
2021-01-20FireEyeAndrew Davis
@online{davis:20210120:emulation:4061f1c, author = {Andrew Davis}, title = {{Emulation of Kernel Mode Rootkits With Speakeasy}}, date = {2021-01-20}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/01/emulation-of-kernel-mode-rootkits-with-speakeasy.html}, language = {English}, urldate = {2021-01-25} } Emulation of Kernel Mode Rootkits With Speakeasy
Winnti
2020-12-24IronNetAdam Hlavek
@online{hlavek:20201224:china:723bed3, author = {Adam Hlavek}, title = {{China cyber attacks: the current threat landscape}}, date = {2020-12-24}, organization = {IronNet}, url = {https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape}, language = {English}, urldate = {2021-01-01} } China cyber attacks: the current threat landscape
PLEAD TSCookie FlowCloud Lookback PLEAD PlugX Quasar RAT Winnti
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-09-18SymantecThreat Hunter Team
@online{team:20200918:apt41:363daa8, author = {Threat Hunter Team}, title = {{APT41: Indictments Put Chinese Espionage Group in the Spotlight}}, date = {2020-09-18}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage}, language = {English}, urldate = {2020-09-23} } APT41: Indictments Put Chinese Espionage Group in the Spotlight
CROSSWALK PlugX poisonplug ShadowPad Winnti
2020-08-06WiredAndy Greenberg
@online{greenberg:20200806:chinese:32c43e3, author = {Andy Greenberg}, title = {{Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry}}, date = {2020-08-06}, organization = {Wired}, url = {https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/}, language = {English}, urldate = {2020-11-04} } Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry
Cobalt Strike MimiKatz Winnti Operation Skeleton Key
2020-08-04BlackHatChung-Kuan Chen, Inndy Lin, Shang-De Jiang
@techreport{chen:20200804:operation:4cf417f, author = {Chung-Kuan Chen and Inndy Lin and Shang-De Jiang}, title = {{Operation Chimera - APT Operation Targets Semiconductor Vendors}}, date = {2020-08-04}, institution = {BlackHat}, url = {https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf}, language = {English}, urldate = {2020-11-04} } Operation Chimera - APT Operation Targets Semiconductor Vendors
Cobalt Strike MimiKatz Winnti Operation Skeleton Key
2020-04-20QuoScientQuoIntelligence
@online{quointelligence:20200420:winnti:6a4fb66, author = {QuoIntelligence}, title = {{WINNTI GROUP: Insights From the Past}}, date = {2020-04-20}, organization = {QuoScient}, url = {https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/}, language = {English}, urldate = {2020-04-21} } WINNTI GROUP: Insights From the Past
Winnti
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-03-03GIthub (superkhung)superkhung
@online{superkhung:20200303:github:8ea37ed, author = {superkhung}, title = {{GitHub Repository: winnti-sniff}}, date = {2020-03-03}, organization = {GIthub (superkhung)}, url = {https://github.com/superkhung/winnti-sniff}, language = {English}, urldate = {2020-03-04} } GitHub Repository: winnti-sniff
Winnti
2020-02-20Carbon BlackTakahiro Haruyama
@online{haruyama:20200220:threat:aa4ef11, author = {Takahiro Haruyama}, title = {{Threat Analysis: Active C2 Discovery Using Protocol Emulation Part2 (Winnti 4.0)}}, date = {2020-02-20}, organization = {Carbon Black}, url = {https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/}, language = {English}, urldate = {2020-02-21} } Threat Analysis: Active C2 Discovery Using Protocol Emulation Part2 (Winnti 4.0)
Winnti
2020-01-31ESET ResearchMathieu Tartare
@online{tartare:20200131:winnti:9f891e4, author = {Mathieu Tartare}, title = {{Winnti Group targeting universities in Hong Kong}}, date = {2020-01-31}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/}, language = {English}, urldate = {2020-02-03} } Winnti Group targeting universities in Hong Kong
ShadowPad Winnti
2020-01-31TagesschauJan Lukas Strozyk
@online{strozyk:20200131:deutsches:d0a9221, author = {Jan Lukas Strozyk}, title = {{Deutsches Chemieunternehmen gehackt}}, date = {2020-01-31}, organization = {Tagesschau}, url = {https://www.tagesschau.de/investigativ/ndr/hackerangriff-chemieunternehmen-101.html}, language = {German}, urldate = {2020-02-03} } Deutsches Chemieunternehmen gehackt
Winnti
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom
2019-10CrowdStrikeKarl Scheuerman, Piotr Wojtyla
@online{scheuerman:201910:dont:11aa9dc, author = {Karl Scheuerman and Piotr Wojtyla}, title = {{Don't miss the forest for the trees gleaning hunting value from too much intrusion data}}, date = {2019-10}, organization = {CrowdStrike}, url = {https://docplayer.net/162112338-Don-t-miss-the-forest-for-the-trees-gleaning-hunting-value-from-too-much-intrusion-data.html}, language = {English}, urldate = {2021-03-31} } Don't miss the forest for the trees gleaning hunting value from too much intrusion data
Winnti
2019-09-30LastlineJason Zhang, Stefano Ortolani
@online{zhang:20190930:helo:559ed11, author = {Jason Zhang and Stefano Ortolani}, title = {{HELO Winnti: Attack or Scan?}}, date = {2019-09-30}, organization = {Lastline}, url = {https://www.lastline.com/labsblog/helo-winnti-attack-scan/}, language = {English}, urldate = {2019-10-23} } HELO Winnti: Attack or Scan?
Winnti
2019-09-04FireEyeFireEye
@online{fireeye:20190904:apt41:b5d6780, author = {FireEye}, title = {{APT41: Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-09-04}, organization = {FireEye}, url = {https://content.fireeye.com/api/pdfproxy?id=86840}, language = {English}, urldate = {2020-01-13} } APT41: Double Dragon APT41, a dual espionage and cyber crime operation
EASYNIGHT Winnti
2019-09-04CarbonBlackTakahiro Haruyama
@online{haruyama:20190904:cb:7c71995, author = {Takahiro Haruyama}, title = {{CB TAU Threat Intelligence Notification: Winnti Malware 4.0}}, date = {2019-09-04}, organization = {CarbonBlack}, url = {https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-winnti-malware-4-0/}, language = {English}, urldate = {2019-12-17} } CB TAU Threat Intelligence Notification: Winnti Malware 4.0
Winnti
2019-08-09FireEyeFireEye
@online{fireeye:20190809:double:40f736e, author = {FireEye}, title = {{Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-08-09}, organization = {FireEye}, url = {https://content.fireeye.com/apt-41/rpt-apt41/}, language = {English}, urldate = {2019-12-18} } Double Dragon APT41, a dual espionage and cyber crime operation
CLASSFON crackshot CROSSWALK GEARSHIFT HIGHNOON HIGHNOON.BIN JUMPALL poisonplug Winnti
2019-07-24Bayerischer RundfunkHakan Tanriverdi, Svea Eckert, Jan Strozyk, Maximilian Zierer, Rebecca Ciesielski
@online{tanriverdi:20190724:attacking:66ef327, author = {Hakan Tanriverdi and Svea Eckert and Jan Strozyk and Maximilian Zierer and Rebecca Ciesielski}, title = {{Attacking the Heart of the German Industry}}, date = {2019-07-24}, organization = {Bayerischer Rundfunk}, url = {http://web.br.de/interaktiv/winnti/english/}, language = {English}, urldate = {2019-11-29} } Attacking the Heart of the German Industry
Winnti
2019-07-24Github (br-data)Hakan Tanriverdi, Svea Eckert, Jan Strozyk, Maximilian Zierer, Rebecca Ciesielski
@online{tanriverdi:20190724:winnti:25b27fb, author = {Hakan Tanriverdi and Svea Eckert and Jan Strozyk and Maximilian Zierer and Rebecca Ciesielski}, title = {{Winnti analysis}}, date = {2019-07-24}, organization = {Github (br-data)}, url = {https://github.com/br-data/2019-winnti-analyse/}, language = {English}, urldate = {2019-12-10} } Winnti analysis
Winnti
2018-10-01Macnica NetworksMacnica Networks
@techreport{networks:20181001:trends:17b1db5, author = {Macnica Networks}, title = {{Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018}}, date = {2018-10-01}, institution = {Macnica Networks}, url = {https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf}, language = {Japanese}, urldate = {2021-03-02} } Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018
Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm
2018-05-22Github (TKCERT)thyssenkrupp CERT
@online{cert:20180522:nmap:1ee2530, author = {thyssenkrupp CERT}, title = {{Nmap Script to scan for Winnti infections}}, date = {2018-05-22}, organization = {Github (TKCERT)}, url = {https://github.com/TKCERT/winnti-nmap-script}, language = {English}, urldate = {2020-01-07} } Nmap Script to scan for Winnti infections
Winnti
2018-03-05Github (TKCERT)TKCERT
@online{tkcert:20180305:suricata:0b45f94, author = {TKCERT}, title = {{Suricata rules to detect Winnti communication}}, date = {2018-03-05}, organization = {Github (TKCERT)}, url = {https://github.com/TKCERT/winnti-suricata-lua}, language = {English}, urldate = {2020-01-07} } Suricata rules to detect Winnti communication
Winnti
2017-04-19Trend MicroTrendmicro
@online{trendmicro:20170419:of:1656f97, author = {Trendmicro}, title = {{Of Pigs and Malware: Examining a Possible Member of the Winnti Group}}, date = {2017-04-19}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/}, language = {English}, urldate = {2019-12-04} } Of Pigs and Malware: Examining a Possible Member of the Winnti Group
Winnti
2017-03-22Trend MicroCedric Pernet
@online{pernet:20170322:winnti:bfd35bc, author = {Cedric Pernet}, title = {{Winnti Abuses GitHub for C&C Communications}}, date = {2017-03-22}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/}, language = {English}, urldate = {2019-07-09} } Winnti Abuses GitHub for C&C Communications
Winnti
2016-03-06Github (TKCERT)thyssenkrupp CERT
@online{cert:20160306:network:f9244d3, author = {thyssenkrupp CERT}, title = {{Network detector for Winnti malware}}, date = {2016-03-06}, organization = {Github (TKCERT)}, url = {https://github.com/TKCERT/winnti-detector}, language = {English}, urldate = {2020-01-07} } Network detector for Winnti malware
Winnti
2015-06-22Kaspersky LabsDmitry Tarakanov
@online{tarakanov:20150622:games:aba8183, author = {Dmitry Tarakanov}, title = {{Games are over: Winnti is now targeting pharmaceutical companies}}, date = {2015-06-22}, organization = {Kaspersky Labs}, url = {https://securelist.com/games-are-over/70991/}, language = {English}, urldate = {2019-12-20} } Games are over: Winnti is now targeting pharmaceutical companies
Winnti Axiom
2015-04-06NovettaNovetta
@techreport{novetta:20150406:winnti:acc4030, author = {Novetta}, title = {{WINNTI ANALYSIS}}, date = {2015-04-06}, institution = {Novetta}, url = {https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf}, language = {English}, urldate = {2020-01-10} } WINNTI ANALYSIS
Winnti
2015RuxconMatt McCormack
@techreport{mccormack:2015:why:fa3d041, author = {Matt McCormack}, title = {{WHY ATTACKER TOOLSETS DO WHAT THEY DO}}, date = {2015}, institution = {Ruxcon}, url = {http://2015.ruxcon.org.au/assets/2015/slides/Ruxcon%202015%20-%20McCormack.pdf}, language = {English}, urldate = {2020-01-08} } WHY ATTACKER TOOLSETS DO WHAT THEY DO
Winnti
2013-04Kaspersky LabsGReAT
@techreport{great:201304:winnti:c8e6f40, author = {GReAT}, title = {{Winnti - More than just a game}}, date = {2013-04}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf}, language = {English}, urldate = {2019-07-11} } Winnti - More than just a game
portless Winnti
Yara Rules
[TLP:WHITE] win_winnti_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_winnti_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b4304 83f804 7526 8b4338 8b7344 99 2bc2 }
            // n = 7, score = 200
            //   8b4304               | dec                 eax
            //   83f804               | lea                 ecx, [0x116d]
            //   7526                 | inc                 ecx
            //   8b4338               | mov                 ecx, 0x30
            //   8b7344               | mov                 edx, 0x228204
            //   99                   | dec                 eax
            //   2bc2                 | mov                 ecx, esi

        $sequence_1 = { 56 53 6801a00000 e8???????? 56 e8???????? 83c404 }
            // n = 7, score = 200
            //   56                   | cmp                 eax, 4
            //   53                   | jne                 0x28
            //   6801a00000           | mov                 eax, dword ptr [ebx + 0x38]
            //   e8????????           |                     
            //   56                   | mov                 esi, dword ptr [ebx + 0x44]
            //   e8????????           |                     
            //   83c404               | cdq                 

        $sequence_2 = { 6a01 81c2???????? 57 52 56 }
            // n = 5, score = 200
            //   6a01                 | mov                 dword ptr [esp + 0x40], esi
            //   81c2????????         |                     
            //   57                   | movzx               ecx, cx
            //   52                   | sub                 ecx, eax
            //   56                   | jne                 0x11

        $sequence_3 = { c21400 8b4c2424 57 8bd1 33c0 }
            // n = 5, score = 200
            //   c21400               | inc                 esp
            //   8b4c2424             | mov                 edx, dword ptr [ebx + 0x18]
            //   57                   | dec                 eax
            //   8bd1                 | add                 esi, edi
            //   33c0                 | dec                 esp

        $sequence_4 = { 83ec10 8b442414 53 8bd9 55 }
            // n = 5, score = 200
            //   83ec10               | dec                 eax
            //   8b442414             | lea                 edx, [esp + 0x40]
            //   53                   | dec                 eax
            //   8bd9                 | mov                 ecx, edi
            //   55                   | dec                 esp

        $sequence_5 = { 52 ffd7 83c670 56 ffd7 5f }
            // n = 6, score = 200
            //   52                   | add                 esi, edi
            //   ffd7                 | sub                 esp, 0x10
            //   83c670               | mov                 eax, dword ptr [esp + 0x14]
            //   56                   | push                ebx
            //   ffd7                 | mov                 ebx, ecx
            //   5f                   | push                ebp

        $sequence_6 = { 7409 50 e8???????? 83c404 8b4658 3bc3 }
            // n = 6, score = 200
            //   7409                 | mov                 dword ptr [esp + 0x28], 0x38
            //   50                   | dec                 eax
            //   e8????????           |                     
            //   83c404               | mov                 dword ptr [esp + 0x20], eax
            //   8b4658               | inc                 esp
            //   3bc3                 | mov                 esi, dword ptr [ebx + 0x24]

        $sequence_7 = { 8d049504000000 50 e8???????? 89442424 8b442418 83c404 }
            // n = 6, score = 200
            //   8d049504000000       | push                1
            //   50                   | push                edi
            //   e8????????           |                     
            //   89442424             | push                edx
            //   8b442418             | push                esi
            //   83c404               | mov                 eax, dword ptr [ebx + 4]

        $sequence_8 = { 740a 6690 48ffc2 403832 75f8 }
            // n = 5, score = 100
            //   740a                 | je                  0xc
            //   6690                 | nop                 
            //   48ffc2               | dec                 eax
            //   403832               | inc                 edx
            //   75f8                 | inc                 eax

        $sequence_9 = { 48ffc0 4883f83c 7647 498bcd e8???????? 4c8d05bf720000 41b903000000 }
            // n = 7, score = 100
            //   48ffc0               | xor                 eax, eax
            //   4883f83c             | add                 esp, dword ptr [ebp - 0x28]
            //   7647                 | popal               
            //   498bcd               | mov                 eax, dword ptr [ebp - 0x24]
            //   e8????????           |                     
            //   4c8d05bf720000       | mov                 dword ptr [ebp - 0x38], eax
            //   41b903000000         | push                eax

        $sequence_10 = { 5e 5d c3 8b4e54 448b463c 33d2 }
            // n = 6, score = 100
            //   5e                   | inc                 esp
            //   5d                   | mov                 byte ptr [eax], dh
            //   c3                   | dec                 eax
            //   8b4e54               | lea                 ecx, [esp + 0x50]
            //   448b463c             | test                cl, cl
            //   33d2                 | jne                 0xfffffff3

        $sequence_11 = { ff15???????? 488bc8 488d842460020000 4c8d442440 }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   488bc8               | cmp                 byte ptr [edx], dh
            //   488d842460020000     | jne                 0xfffffffd
            //   4c8d442440           | dec                 eax

        $sequence_12 = { 4885c9 7510 4d85c0 7404 }
            // n = 4, score = 100
            //   4885c9               | pop                 ebp
            //   7510                 | ret                 
            //   4d85c0               | mov                 ecx, dword ptr [esi + 0x54]
            //   7404                 | inc                 esp

        $sequence_13 = { 4883ec20 488d05276a0100 8bfa 488bd9 }
            // n = 4, score = 100
            //   4883ec20             | ret                 0x14
            //   488d05276a0100       | mov                 ecx, dword ptr [esp + 0x24]
            //   8bfa                 | push                edi
            //   488bd9               | mov                 edx, ecx

        $sequence_14 = { 41b930000000 ba04822200 488bce c744242838000000 4889442420 }
            // n = 5, score = 100
            //   41b930000000         | inc                 eax
            //   ba04822200           | cmp                 byte ptr [edx], dh
            //   488bce               | dec                 eax
            //   c744242838000000     | test                ecx, ecx
            //   4889442420           | jne                 0x12

        $sequence_15 = { 0f8415020000 488d542440 488bcf 4c89742440 }
            // n = 4, score = 100
            //   0f8415020000         | mov                 eax, dword ptr [esi + 0x3c]
            //   488d542440           | xor                 edx, edx
            //   488bcf               | inc                 eax
            //   4c89742440           | cmp                 byte ptr [esp + 0x50], dh

        $sequence_16 = { 486301 488d0c80 488d0505440b00 488d0cc8 e8???????? }
            // n = 5, score = 100
            //   486301               | dec                 ebx
            //   488d0c80             | mov                 ecx, dword ptr [eax + edi*8 + 0xba200]
            //   488d0505440b00       | dec                 eax
            //   488d0cc8             | inc                 ebx
            //   e8????????           |                     

        $sequence_17 = { 0fb64c0201 488d4001 84c9 75f1 448830 488d4c2450 }
            // n = 6, score = 100
            //   0fb64c0201           | mov                 ecx, eax
            //   488d4001             | dec                 eax
            //   84c9                 | lea                 eax, [esp + 0x260]
            //   75f1                 | dec                 esp
            //   448830               | lea                 eax, [esp + 0x40]
            //   488d4c2450           | movzx               ecx, byte ptr [edx + eax + 1]

        $sequence_18 = { 33c9 ff15???????? 488d0d0fc10000 ff15???????? }
            // n = 4, score = 100
            //   33c9                 | mov                 byte ptr [ecx + esi + 0x3a], al
            //   ff15????????         |                     
            //   488d0d0fc10000       | dec                 eax
            //   ff15????????         |                     

        $sequence_19 = { 48894de8 488d05a8690100 488d1559d00100 488d4dd0 48895df0 488945d0 }
            // n = 6, score = 100
            //   48894de8             | sub                 eax, edx
            //   488d05a8690100       | je                  0xb
            //   488d1559d00100       | push                eax
            //   488d4dd0             | add                 esp, 4
            //   48895df0             | mov                 eax, dword ptr [esi + 0x58]
            //   488945d0             | cmp                 eax, ebx

        $sequence_20 = { 4b8b8cf800a20b00 48ffc3 8844313a 4863c2 482bd8 eb13 8b4d48 }
            // n = 7, score = 100
            //   4b8b8cf800a20b00     | push                ebp
            //   48ffc3               | push                1
            //   8844313a             | push                edi
            //   4863c2               | push                edx
            //   482bd8               | push                esi
            //   eb13                 | mov                 eax, dword ptr [ebx + 4]
            //   8b4d48               | cmp                 eax, 4

        $sequence_21 = { 85db 0f8443030000 f6c310 7467 83ff3c 0f8475030000 }
            // n = 6, score = 100
            //   85db                 | arpl                dx, ax
            //   0f8443030000         | dec                 eax
            //   f6c310               | sub                 ebx, eax
            //   7467                 | jmp                 0x1f
            //   83ff3c               | mov                 ecx, dword ptr [ebp + 0x48]
            //   0f8475030000         | dec                 eax

        $sequence_22 = { 0fb7c9 2bc8 750f 488d0d6d110000 }
            // n = 4, score = 100
            //   0fb7c9               | je                  0x11
            //   2bc8                 | nop                 
            //   750f                 | dec                 eax
            //   488d0d6d110000       | inc                 edx

        $sequence_23 = { 48035110 488b4c2420 4883c110 e8???????? 488b4c2430 }
            // n = 5, score = 100
            //   48035110             | jne                 0x28
            //   488b4c2420           | mov                 eax, dword ptr [ebx + 0x38]
            //   4883c110             | mov                 esi, dword ptr [ebx + 0x44]
            //   e8????????           |                     
            //   488b4c2430           | cdq                 

    condition:
        7 of them and filesize < 1581056
}
[TLP:WHITE] win_winnti_w0   (20190822 | rules used for retrohunting by BR Data.)
rule win_winnti_w0 {
    meta:
        author = "BR Data"
        source = "https://github.com/br-data/2019-winnti-analyse/"
        date = "2019-07-24"
        description = "rules used for retrohunting by BR Data."
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti"
        malpedia_version = "20190822"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $load_magic = { C7 44 ?? ?? FF D8 FF E0 }
        $iter = { E9 EA EB EC ED EE EF F0 }
        $jpeg = { FF D8 FF E0 00 00 00 00 00 00 }

    condition:
        uint16(0) == 0x5a4d and
        $jpeg and
        ($load_magic or $iter in (@jpeg[1]..@jpeg[1]+200)) and
        for any i in (1..#jpeg): ( uint8(@jpeg[i] + 11) != 0 )
}
[TLP:WHITE] win_winnti_w1   (20190822 | rules used for retrohunting by BR Data.)
rule win_winnti_w1 {
    meta:
        author = "BR Data"
        source = "https://github.com/br-data/2019-winnti-analyse/"
        date = "2019-07-24"
        description = "rules used for retrohunting by BR Data."
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti"
        malpedia_version = "20190822"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $cooper = "Cooper"
        $pattern = { e9 ea eb ec ed ee ef f0}
    condition:
        uint16(0) == 0x5a4d and $cooper and ($pattern in (@cooper[1]..@cooper[1]+100))
}
[TLP:WHITE] win_winnti_w2   (20191207 | No description)
rule win_winnti_w2 {
    meta:
        author = "Bundesamt fuer Verfassungsschutz"
        source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti"
        malpedia_version = "20191207"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    strings:
        $e1 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411015}" ascii nocase
        $e2 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411014}" ascii nocase
        $e3 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411016}" ascii nocase
        $e4 = "\\BaseNamedObjects\\{B2B87CCA-66BC-4C24-89B2-C23C9EAC2A66}" wide
        $e5 = "BFE_Notify_Event_{7D00FA3C-FBDC-4A8D-AEEB-3F55A4890D2A}" nocase
    condition:
        (any of ($e*))
}
[TLP:WHITE] win_winnti_w3   (20191207 | No description)
rule win_winnti_w3 {
    meta:
        author = "Bundesamt fuer Verfassungsschutz"
        source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti"
        malpedia_version = "20191207"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    strings:
        $a1 = "IPSecMiniPort" wide fullword
        $a2 = "ndis6fw" wide fullword
        $a3 = "TCPIP" wide fullword
        $a4 = "NDIS.SYS" ascii fullword
        $a5 = "ntoskrnl.exe" ascii fullword
        $a6 = "\\BaseNamedObjects\\{B2B87CCA-66BC-4C24-89B2-C23C9EAC2A66}" wide
        $a7 = "\\Device\\Null" wide
        $a8 = "\\Device" wide
        $a9 = "\\Driver" wide
        $b1 = { 66 81 7? ?? 70 17 }
        $b2 = { 81 7? ?? 07 E0 15 00 }
        $b3 = { 8B 46 18 3D 03 60 15 00 }
    condition:
        (6 of ($a*)) and (2 of ($b*))
}
Download all Yara Rules