win.winnti

Winnti

aka: BleDoor, JUMPALL, RbDoor, Pasteboy

Actor(s): Axiom


There is no description at this point.

References
2020-09-18 | Symantec | Threat Hunter Team
@online{team:20200918:apt41:363daa8, author = {Threat Hunter Team}, title = {{APT41: Indictments Put Chinese Espionage Group in the Spotlight}}, date = {2020-09-18}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage}, language = {English}, urldate = {2020-09-23} } APT41: Indictments Put Chinese Espionage Group in the Spotlight
CROSSWALK PlugX poisonplug ShadowPad Winnti
2020-04-20 | QuoScient | QuoIntelligence
@online{quointelligence:20200420:winnti:6a4fb66, author = {QuoIntelligence}, title = {{WINNTI GROUP: Insights From the Past}}, date = {2020-04-20}, organization = {QuoScient}, url = {https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/}, language = {English}, urldate = {2020-04-21} } WINNTI GROUP: Insights From the Past
Winnti
2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019: A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-03-03 | Github (superkhung) | superkhung
@online{superkhung:20200303:github:8ea37ed, author = {superkhung}, title = {{GitHub Repository: winnti-sniff}}, date = {2020-03-03}, organization = {GIthub (superkhung)}, url = {https://github.com/superkhung/winnti-sniff}, language = {English}, urldate = {2020-03-04} } GitHub Repository: winnti-sniff
Winnti
2020-02-20 | Carbon Black | Takahiro Haruyama
@online{haruyama:20200220:threat:aa4ef11, author = {Takahiro Haruyama}, title = {{Threat Analysis: Active C2 Discovery Using Protocol Emulation Part2 (Winnti 4.0)}}, date = {2020-02-20}, organization = {Carbon Black}, url = {https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/}, language = {English}, urldate = {2020-02-21} } Threat Analysis: Active C2 Discovery Using Protocol Emulation Part2 (Winnti 4.0)
Winnti
2020-01-31 | ESET Research | Mathieu Tartare
@online{tartare:20200131:winnti:9f891e4, author = {Mathieu Tartare}, title = {{Winnti Group targeting universities in Hong Kong}}, date = {2020-01-31}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/}, language = {English}, urldate = {2020-02-03} } Winnti Group targeting universities in Hong Kong
ShadowPad Winnti
2020-01-31 | Tagesschau | Jan Lukas Strozyk
@online{strozyk:20200131:deutsches:d0a9221, author = {Jan Lukas Strozyk}, title = {{Deutsches Chemieunternehmen gehackt}}, date = {2020-01-31}, organization = {Tagesschau}, url = {https://www.tagesschau.de/investigativ/ndr/hackerangriff-chemieunternehmen-101.html}, language = {German}, urldate = {2020-02-03} } Deutsches Chemieunternehmen gehackt
Winnti
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom
2019-09-30 | Lastline | Jason Zhang, Stefano Ortolani
@online{zhang:20190930:helo:559ed11, author = {Jason Zhang and Stefano Ortolani}, title = {{HELO Winnti: Attack or Scan?}}, date = {2019-09-30}, organization = {Lastline}, url = {https://www.lastline.com/labsblog/helo-winnti-attack-scan/}, language = {English}, urldate = {2019-10-23} } HELO Winnti: Attack or Scan?
Winnti
2019-09-04 | FireEye | FireEye
@online{fireeye:20190904:apt41:b5d6780, author = {FireEye}, title = {{APT41: Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-09-04}, organization = {FireEye}, url = {https://content.fireeye.com/api/pdfproxy?id=86840}, language = {English}, urldate = {2020-01-13} } APT41: Double Dragon APT41, a dual espionage and cyber crime operation
EASYNIGHT Winnti
2019-09-04 | CarbonBlack | Takahiro Haruyama
@online{haruyama:20190904:cb:7c71995, author = {Takahiro Haruyama}, title = {{CB TAU Threat Intelligence Notification: Winnti Malware 4.0}}, date = {2019-09-04}, organization = {CarbonBlack}, url = {https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-winnti-malware-4-0/}, language = {English}, urldate = {2019-12-17} } CB TAU Threat Intelligence Notification: Winnti Malware 4.0
Winnti
2019-08-09 | FireEye | FireEye
@online{fireeye:20190809:double:40f736e, author = {FireEye}, title = {{Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-08-09}, organization = {FireEye}, url = {https://content.fireeye.com/apt-41/rpt-apt41/}, language = {English}, urldate = {2019-12-18} } Double Dragon APT41, a dual espionage and cyber crime operation
CLASSFON crackshot CROSSWALK GEARSHIFT HIGHNOON HIGHNOON.BIN JUMPALL poisonplug Winnti
2019-07-24 | Bayerischer Rundfunk | Hakan Tanriverdi, Svea Eckert, Jan Strozyk, Maximilian Zierer, Rebecca Ciesielski
@online{tanriverdi:20190724:attacking:66ef327, author = {Hakan Tanriverdi and Svea Eckert and Jan Strozyk and Maximilian Zierer and Rebecca Ciesielski}, title = {{Attacking the Heart of the German Industry}}, date = {2019-07-24}, organization = {Bayerischer Rundfunk}, url = {http://web.br.de/interaktiv/winnti/english/}, language = {English}, urldate = {2019-11-29} } Attacking the Heart of the German Industry
Winnti
2019-07-24 | Github (br-data) | Hakan Tanriverdi, Svea Eckert, Jan Strozyk, Maximilian Zierer, Rebecca Ciesielski
@online{tanriverdi:20190724:winnti:25b27fb, author = {Hakan Tanriverdi and Svea Eckert and Jan Strozyk and Maximilian Zierer and Rebecca Ciesielski}, title = {{Winnti analysis}}, date = {2019-07-24}, organization = {Github (br-data)}, url = {https://github.com/br-data/2019-winnti-analyse/}, language = {English}, urldate = {2019-12-10} } Winnti analysis
Winnti
2018-05-22 | Github (TKCERT) | thyssenkrupp CERT
@online{cert:20180522:nmap:1ee2530, author = {thyssenkrupp CERT}, title = {{Nmap Script to scan for Winnti infections}}, date = {2018-05-22}, organization = {Github (TKCERT)}, url = {https://github.com/TKCERT/winnti-nmap-script}, language = {English}, urldate = {2020-01-07} } Nmap Script to scan for Winnti infections
Winnti
2018-03-05 | Github (TKCERT) | TKCERT
@online{tkcert:20180305:suricata:0b45f94, author = {TKCERT}, title = {{Suricata rules to detect Winnti communication}}, date = {2018-03-05}, organization = {Github (TKCERT)}, url = {https://github.com/TKCERT/winnti-suricata-lua}, language = {English}, urldate = {2020-01-07} } Suricata rules to detect Winnti communication
Winnti
2017-04-19 | Trend Micro | Trendmicro
@online{trendmicro:20170419:of:1656f97, author = {Trendmicro}, title = {{Of Pigs and Malware: Examining a Possible Member of the Winnti Group}}, date = {2017-04-19}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/}, language = {English}, urldate = {2019-12-04} } Of Pigs and Malware: Examining a Possible Member of the Winnti Group
Winnti
2017-03-22 | Trend Micro | Cedric Pernet
@online{pernet:20170322:winnti:bfd35bc, author = {Cedric Pernet}, title = {{Winnti Abuses GitHub for C&C Communications}}, date = {2017-03-22}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/}, language = {English}, urldate = {2019-07-09} } Winnti Abuses GitHub for C&C Communications
Winnti
2016-03-06 | Github (TKCERT) | thyssenkrupp CERT
@online{cert:20160306:network:f9244d3, author = {thyssenkrupp CERT}, title = {{Network detector for Winnti malware}}, date = {2016-03-06}, organization = {Github (TKCERT)}, url = {https://github.com/TKCERT/winnti-detector}, language = {English}, urldate = {2020-01-07} } Network detector for Winnti malware
Winnti
2015-06-22 | Kaspersky Labs | Dmitry Tarakanov
@online{tarakanov:20150622:games:aba8183, author = {Dmitry Tarakanov}, title = {{Games are over: Winnti is now targeting pharmaceutical companies}}, date = {2015-06-22}, organization = {Kaspersky Labs}, url = {https://securelist.com/games-are-over/70991/}, language = {English}, urldate = {2019-12-20} } Games are over: Winnti is now targeting pharmaceutical companies
Winnti Axiom
2015-04-06 | Novetta | Novetta
@techreport{novetta:20150406:winnti:acc4030, author = {Novetta}, title = {{WINNTI ANALYSIS}}, date = {2015-04-06}, institution = {Novetta}, url = {https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf}, language = {English}, urldate = {2020-01-10} } WINNTI ANALYSIS
Winnti
2015 | Ruxcon | Matt McCormack
@techreport{mccormack:2015:why:fa3d041, author = {Matt McCormack}, title = {{WHY ATTACKER TOOLSETS DO WHAT THEY DO}}, date = {2015}, institution = {Ruxcon}, url = {http://2015.ruxcon.org.au/assets/2015/slides/Ruxcon%202015%20-%20McCormack.pdf}, language = {English}, urldate = {2020-01-08} } WHY ATTACKER TOOLSETS DO WHAT THEY DO
Winnti
2013-04 | Kaspersky Labs | GReAT
@techreport{great:201304:winnti:c8e6f40, author = {GReAT}, title = {{Winnti - More than just a game}}, date = {2013-04}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf}, language = {English}, urldate = {2019-07-11} } Winnti - More than just a game
portless Winnti
Yara Rules
[TLP:WHITE] win_winnti_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_winnti_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): how to read this rule
     * - Each $sequence_N is a short run of opcode bytes lifted from a sample.
     *   "??" is a YARA wildcard; the generator appears to mask address-dependent
     *   operands with it (e9????????, ff15????????) - inferred from the patterns.
     * - The mnemonic column in the per-byte comments below does NOT describe the
     *   byte on the same line. Example: 85c0 is "test eax, eax", yet its note
     *   reads "sub esp, 0x40", which is the 32-bit decoding of $sequence_13's
     *   4883ec40. When triaging a hit, treat the hex column as authoritative and
     *   the mnemonic column as unreliable.
     * - Sequences led by REX bytes (41/45/48/4c) look like x64 code, while
     *   esp-relative ones (8d442414, 8b442418, 8b44241c) look like x86; both are
     *   mixed in one rule, so any single sample is expected to hit only a subset -
     *   presumably why the condition asks for 7 of 24 rather than all.
     * - Matching is gated on filesize < 1581056 bytes (~1.5 MiB): a larger
     *   sample never matches even if every sequence is present, so inflated or
     *   repacked samples fall outside this rule.
     */

    strings:
        $sequence_0 = { 85c0 7540 8d442414 8bce }
            // n = 4, score = 100
            //   85c0                 | sub                 esp, 0x40
            //   7540                 | dec                 eax
            //   8d442414             | mov                 ebp, edx
            //   8bce                 | dec                 eax

        $sequence_1 = { 663918 75f7 488d1590110000 482bd0 }
            // n = 4, score = 100
            //   663918               | add                 eax, edx
            //   75f7                 | xor                 edx, edx
            //   488d1590110000       | mov                 eax, ecx
            //   482bd0               | inc                 ecx

        $sequence_2 = { 7537 8b442418 8b4804 8b10 51 52 8bce }
            // n = 7, score = 100
            //   7537                 | mov                 ecx, dword ptr [ebx + 0x44]
            //   8b442418             | mov                 edx, dword ptr [ebx + 0x48]
            //   8b4804               | mov                 ebp, dword ptr [ebx + 0x14]
            //   8b10                 | test                eax, eax
            //   51                   | jg                  0x48
            //   52                   | push                esi
            //   8bce                 | push                0x3e8

        $sequence_3 = { 4503c2 33d2 8bc1 41f7f2 85d2 7402 }
            // n = 6, score = 100
            //   4503c2               | nop                 dword ptr [eax + eax]
            //   33d2                 | inc                 ebx
            //   8bc1                 | movzx               ecx, byte ptr [ecx + eax]
            //   41f7f2               | lea                 eax, [ecx - 0x41]
            //   85d2                 | cmp                 al, 0x19
            //   7402                 | inc                 ebp

        $sequence_4 = { 8b44241c 3d08020000 7387 3bc7 7483 }
            // n = 5, score = 100
            //   8b44241c             | jbe                 0x94
            //   3d08020000           | mov                 ecx, dword ptr [eax + ebx + 0xb0]
            //   7387                 | test                ecx, ecx
            //   3bc7                 | je                  0x94
            //   7483                 | test                eax, eax

        $sequence_5 = { ffc2 0fb603 4238bc00207a0b00 74e4 0fb60b 420fbe8401207a0b00 }
            // n = 6, score = 100
            //   ffc2                 | mov                 ecx, esi
            //   0fb603               | mov                 byte ptr [esi + edi], 0
            //   4238bc00207a0b00     | mov                 ecx, dword ptr [ebx + 8]
            //   74e4                 | test                ecx, ecx
            //   0fb60b               | je                  0xb
            //   420fbe8401207a0b00     | push    edi

        $sequence_6 = { e9???????? 8bdf 895db7 41ffc0 4489459b }
            // n = 5, score = 100
            //   e9????????           |                     
            //   8bdf                 | inc                 edx
            //   895db7               | cmp                 byte ptr [eax + eax + 0xb7a20], bh
            //   41ffc0               | je                  0xffffffee
            //   4489459b             | movzx               ecx, byte ptr [ebx]

        $sequence_7 = { 85c0 7f44 56 ff15???????? 68e8030000 33f6 ff15???????? }
            // n = 7, score = 100
            //   85c0                 | xor                 ecx, ecx
            //   7f44                 | jb                  0xffffffa8
            //   56                   | dec                 eax
            //   ff15????????         |                     
            //   68e8030000           | arpl                word ptr [ebx + 0x3c], ax
            //   33f6                 | cmp                 dword ptr [eax + ebx + 0x84], 5
            //   ff15????????         |                     

        $sequence_8 = { 488d442440 4889442428 488d050cbb0a00 4889442420 }
            // n = 4, score = 100
            //   488d442440           | mov                 ecx, dword ptr [eax + 4]
            //   4889442428           | mov                 edx, dword ptr [eax]
            //   488d050cbb0a00       | push                ecx
            //   4889442420           | push                edx

        $sequence_9 = { 488d5128 488d4de7 e8???????? 90 }
            // n = 4, score = 100
            //   488d5128             | push                2
            //   488d4de7             | mov                 ecx, dword ptr [esp + 0x190]
            //   e8????????           |                     
            //   90                   | mov                 esi, dword ptr [esp + 0x24]

        $sequence_10 = { 413bec 7532 4585ed 742d 488b9680000000 4963dc }
            // n = 6, score = 100
            //   413bec               | dec                 eax
            //   7532                 | lea                 eax, [0xabb0c]
            //   4585ed               | dec                 eax
            //   742d                 | mov                 dword ptr [esp + 0x20], eax
            //   488b9680000000       | inc                 edx
            //   4963dc               | movzx               eax, byte ptr [ebx]

        $sequence_11 = { 8bd9 55 56 57 8b4b44 8b5348 8b6b14 }
            // n = 7, score = 100
            //   8bd9                 | mov                 ecx, dword ptr [ebp + 0xb0]
            //   55                   | dec                 eax
            //   56                   | test                ecx, ecx
            //   57                   | cmp                 eax, 1
            //   8b4b44               | jle                 0x22
            //   8b5348               | dec                 eax
            //   8b6b14               | lea                 ecx, [0x120a]

        $sequence_12 = { 33c9 85c0 0f8514010000 4c8d2d32560a00 41b804010000 668935???????? }
            // n = 6, score = 100
            //   33c9                 | mov                 ecx, edx
            //   85c0                 | sub                 ecx, esi
            //   0f8514010000         | cmp                 ecx, 0x80000
            //   4c8d2d32560a00       | dec                 eax
            //   41b804010000         | lea                 eax, [esp + 0x40]
            //   668935????????       |                     

        $sequence_13 = { 4883ec40 488bea 488b8db0000000 4885c9 }
            // n = 4, score = 100
            //   4883ec40             | mul                 edx
            //   488bea               | shr                 edx, 3
            //   488b8db0000000       | cmp                 edx, 0xa
            //   4885c9               | inc                 ecx

        $sequence_14 = { c6043e00 8b4b08 85c9 7407 57 56 }
            // n = 6, score = 100
            //   c6043e00             | xor                 esi, esi
            //   8b4b08               | mov                 eax, dword ptr [esp + 0x1c]
            //   85c9                 | cmp                 eax, 0x208
            //   7407                 | jae                 0xffffff89
            //   57                   | cmp                 eax, edi
            //   56                   | je                  0xffffff89

        $sequence_15 = { 57 6a00 6a01 6a02 ff15???????? 8b8c2490010000 }
            // n = 6, score = 100
            //   57                   | mov                 eax, dword ptr [ebx + 0x30]
            //   6a00                 | push                ecx
            //   6a01                 | mov                 ecx, dword ptr [ebx + 0x2c]
            //   6a02                 | push                edx
            //   ff15????????         |                     
            //   8b8c2490010000       | push                ebp

        $sequence_16 = { 41f6c320 7405 0c80 418800 4180fa0f 0f8625feffff 41800801 }
            // n = 7, score = 100
            //   41f6c320             | dec                 eax
            //   7405                 | lea                 edx, [0x1190]
            //   0c80                 | dec                 eax
            //   418800               | sub                 edx, eax
            //   4180fa0f             | mov                 eax, 0xcccccccd
            //   0f8625feffff         | inc                 ecx
            //   41800801             | inc                 eax

        $sequence_17 = { 4d85c9 7444 4c2bca 0f1f840000000000 430fb60c01 8d41bf 3c19 }
            // n = 7, score = 100
            //   4d85c9               | dec                 eax
            //   7444                 | lea                 eax, [esp + 0x80]
            //   4c2bca               | dec                 ebp
            //   0f1f840000000000     | test                ecx, ecx
            //   430fb60c01           | je                  0x49
            //   8d41bf               | dec                 esp
            //   3c19                 | sub                 ecx, edx

        $sequence_18 = { 83f801 7e1d f0ff0d???????? 488d0d0a120000 ff15???????? 33c9 ff15???????? }
            // n = 7, score = 100
            //   83f801               | test                bl, 0x20
            //   7e1d                 | je                  0xb
            //   f0ff0d????????       |                     
            //   488d0d0a120000       | or                  al, 0x80
            //   ff15????????         |                     
            //   33c9                 | inc                 ecx
            //   ff15????????         |                     

        $sequence_19 = { 33c0 e9???????? c784249800000030000000 4c89b424a0000000 c78424b000000040000000 488d842480000000 }
            // n = 6, score = 100
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   c784249800000030000000     | mov    dword ptr [esp + 0x98], 0x30
            //   4c89b424a0000000     | dec                 esp
            //   c78424b000000040000000     | mov    dword ptr [esp + 0xa0], esi
            //   488d842480000000     | mov                 dword ptr [esp + 0xb0], 0x40

        $sequence_20 = { ffd3 448b05???????? 488b0d???????? 33d2 48893d???????? }
            // n = 5, score = 100
            //   ffd3                 | dec                 eax
            //   448b05????????       |                     
            //   488b0d????????       |                     
            //   33d2                 | mov                 dword ptr [esp + 0x28], eax
            //   48893d????????       |                     

        $sequence_21 = { 8b4330 51 8b4b2c 52 55 50 51 }
            // n = 7, score = 100
            //   8b4330               | jne                 0x42
            //   51                   | lea                 eax, [esp + 0x14]
            //   8b4b2c               | mov                 ecx, esi
            //   52                   | mov                 ebx, ecx
            //   55                   | push                ebp
            //   50                   | push                esi
            //   51                   | push                edi

        $sequence_22 = { b8cdcccccc 41ffc0 f7e2 c1ea03 83fa0a }
            // n = 5, score = 100
            //   b8cdcccccc           | div                 edx
            //   41ffc0               | test                edx, edx
            //   f7e2                 | je                  0xd
            //   c1ea03               | cmp                 word ptr [eax], bx
            //   83fa0a               | jne                 0xfffffffc

        $sequence_23 = { e8???????? 4c8d1de5660100 4c895c2428 488d15e1ce0100 488d4c2428 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   4c8d1de5660100       | push                esi
            //   4c895c2428           | push                edi
            //   488d15e1ce0100       | push                0
            //   488d4c2428           | push                1

    condition:
        // At least 7 of the 24 sequences, and only for inputs below 1581056 bytes.
        // There is no MZ / PE header check, so unpacked memory dumps match too.
        7 of them and filesize < 1581056
}
[TLP:WHITE] win_winnti_w0   (20190822 | rules used for retrohunting by BR Data.)
rule win_winnti_w0 {
    meta:
        author = "BR Data"
        source = "https://github.com/br-data/2019-winnti-analyse/"
        date = "2019-07-24"
        description = "rules used for retrohunting by BR Data."
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti"
        malpedia_version = "20190822"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* NOTE(review): a PE that contains a JPEG-style header (FF D8 FF E0) padded
     * with zero bytes, together with nearby code that either stores that same
     * magic as an immediate or contains the $iter byte run. In a genuine JFIF
     * file the two bytes after FF E0 carry the APP0 segment length, which is
     * never zero, so the zero-padded form presumably singles out a fabricated
     * header rather than an embedded image - inferred; see meta.source for the
     * analysts' own write-up. */

    strings:
        // C7 44 <sib> <disp8> <imm32>: "mov dword ptr [base+index+disp8], 0xE0FFD8FF",
        // i.e. code that writes the bytes FF D8 FF E0 - the same magic $jpeg looks for.
        $load_magic = { C7 44 ?? ?? FF D8 FF E0 }
        // Eight consecutive byte values 0xE9..0xF0; the identical run is $pattern
        // in win_winnti_w1. Its role is not documented on this page.
        $iter = { E9 EA EB EC ED EE EF F0 }
        // JPEG SOI (FF D8) + APP0 marker (FF E0) followed by six zero bytes.
        $jpeg = { FF D8 FF E0 00 00 00 00 00 00 }

    condition:
        // 0x5a4d little-endian is "MZ": the file must start with a DOS/PE header.
        uint16(0) == 0x5a4d and
        $jpeg and
        // Only the FIRST $jpeg hit (@jpeg[1]) anchors the 200-byte window for
        // $iter; $load_magic, by contrast, may appear anywhere in the file.
        ($load_magic or $iter in (@jpeg[1]..@jpeg[1]+200)) and
        // Here every $jpeg hit is considered: for at least one of them the byte
        // 11 past its start (second byte after the 10-byte pattern) is non-zero.
        for any i in (1..#jpeg): ( uint8(@jpeg[i] + 11) != 0 )
}
[TLP:WHITE] win_winnti_w1   (20190822 | rules used for retrohunting by BR Data.)
rule win_winnti_w1 {
    meta:
        author = "BR Data"
        source = "https://github.com/br-data/2019-winnti-analyse/"
        date = "2019-07-24"
        description = "rules used for retrohunting by BR Data."
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti"
        malpedia_version = "20190822"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Plain ASCII "Cooper" (case-sensitive, not fullword). On its own this is
        // far too generic; the condition ties it to $pattern to keep hits meaningful.
        $cooper = "Cooper"
        // Same eight-byte run 0xE9..0xF0 as $iter in win_winnti_w0.
        $pattern = { e9 ea eb ec ed ee ef f0}
    condition:
        // "MZ" header, the word "Cooper", and $pattern within 100 bytes after the
        // FIRST "Cooper" occurrence only (@cooper[1]). A later occurrence that is
        // followed by $pattern does not satisfy the rule as written - worth
        // remembering when a known sample unexpectedly fails to match.
        uint16(0) == 0x5a4d and $cooper and ($pattern in (@cooper[1]..@cooper[1]+100))
}
[TLP:WHITE] win_winnti_w2   (20191207 | No description)
rule win_winnti_w2 {
    meta:
        source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti"
        malpedia_version = "20191207"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Named kernel-object strings quoted from the BfV cyber brief in meta.source.
        // $e1..$e3 differ only in the final digit (...15 / ...14 / ...16), and their
        // last brace group is 13 hex characters - not a well-formed GUID - which is
        // part of what makes them distinctive. "BFE" resembles the naming of the
        // Windows Base Filtering Engine; presumably chosen to blend in (inferred).
        $e1 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411015}" ascii nocase
        $e2 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411014}" ascii nocase
        $e3 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411016}" ascii nocase
        // Object-manager path; the same name is $a6 in win_winnti_w3. UTF-16 only.
        $e4 = "\\BaseNamedObjects\\{B2B87CCA-66BC-4C24-89B2-C23C9EAC2A66}" wide
        // No "Global\\" prefix and no encoding modifier, so ASCII only; different GUID.
        $e5 = "BFE_Notify_Event_{7D00FA3C-FBDC-4A8D-AEEB-3F55A4890D2A}" nocase
    condition:
        // A single hit on any one name is enough. There is no MZ / PE header check,
        // so memory dumps, logs or other non-PE artifacts containing the name match too.
        (any of ($e*))
}
[TLP:WHITE] win_winnti_w3   (20191207 | No description)
rule win_winnti_w3 {
    meta:
        source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti"
        malpedia_version = "20191207"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Driver-flavoured strings: NDIS / IPsec miniport names, kernel image names
        // and object-manager paths - the vocabulary of a kernel-mode component
        // (inferred from the names, not from this page). Several of them ("TCPIP",
        // "NDIS.SYS", "\\Device", "\\Driver") are common in legitimate drivers,
        // which is why the condition demands 6 of 9 plus code evidence.
        $a1 = "IPSecMiniPort" wide fullword
        $a2 = "ndis6fw" wide fullword
        $a3 = "TCPIP" wide fullword
        $a4 = "NDIS.SYS" ascii fullword
        $a5 = "ntoskrnl.exe" ascii fullword
        // Same object name as $e4 in win_winnti_w2.
        $a6 = "\\BaseNamedObjects\\{B2B87CCA-66BC-4C24-89B2-C23C9EAC2A66}" wide
        $a7 = "\\Device\\Null" wide
        $a8 = "\\Device" wide
        $a9 = "\\Driver" wide
        // Code patterns: compare instructions against fixed constants, decoded from
        // the opcode bytes (what the constants denote is not documented here):
        //   66 81 7? ?? 70 17        cmp word ptr [reg+disp8], 0x1770
        //   81 7? ?? 07 E0 15 00     cmp dword ptr [reg+disp8], 0x15E007
        //   8B 46 18 3D 03 60 15 00  mov eax, [esi+0x18]; cmp eax, 0x156003
        // "7?" wildcards the register in the ModRM byte, "??" the displacement.
        $b1 = { 66 81 7? ?? 70 17 }
        $b2 = { 81 7? ?? 07 E0 15 00 }
        $b3 = { 8B 46 18 3D 03 60 15 00 }
    condition:
        // Both string and code evidence are required: 6 of the 9 strings and 2 of
        // the 3 byte patterns. No MZ check, so any input holding them can match,
        // not only PE files.
        (6 of ($a*)) and (2 of ($b*))
}