Winnti (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.winnti (Back to overview)

Winnti

aka: BleDoor, JUMPALL, RbDoor, Pasteboy

Actor(s): Axiom

There is no description at this point.

References

2021-11-16 ⋅ vmware ⋅ Takahiro Haruyama
Monitoring Winnti 4.0 C2 Servers for Two Years
Winnti

2021-09-28 ⋅ Recorded Future ⋅ Insikt Group®
4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan
PlugX Winnti

2021-09-21 ⋅ Recorded Future ⋅ Insikt Group®
China-Linked Group TAG-28 Targets India’s “The Times Group” and UIDAI (Aadhaar) Government Agency With Winnti Malware
Winnti

2021-09-14 ⋅ McAfee ⋅ Christiaan Beek
Operation ‘Harvest’: A Deep Dive into a Long-term Campaign
MimiKatz PlugX Winnti

2021-07-08 ⋅ PTSecurity ⋅ Denis Kuvshinov
How winnti APT grouping works
Korlia ShadowPad Winnti

2021-07-08 ⋅ Recorded Future ⋅ Insikt Group®
Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling
ShadowPad Spyder Winnti

2021-07-08 ⋅ YouTube (PT Product Update) ⋅ Denis Kuvshinov
How winnti APT grouping works
Korlia ShadowPad Winnti

2021-04-29 ⋅ NTT ⋅ Threat Detection NTT Ltd.
The Operations of Winnti group
Cobalt Strike ShadowPad Spyder Winnti

2021-03-10 ⋅ ESET Research ⋅ Thomas Dupuy, Matthieu Faou, Mathieu Tartare
Exchange servers under siege from at least 10 APT groups
Microcin MimiKatz PlugX Winnti

2021-02-28 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2021-01-20 ⋅ FireEye ⋅ Andrew Davis
Emulation of Kernel Mode Rootkits With Speakeasy
Winnti

2020-12-24 ⋅ IronNet ⋅ Adam Hlavek
China cyber attacks: the current threat landscape
PLEAD TSCookie FlowCloud Lookback PLEAD PlugX Quasar RAT Winnti

2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti

2020-09-18 ⋅ Symantec ⋅ Threat Hunter Team
APT41: Indictments Put Chinese Espionage Group in the Spotlight
CROSSWALK PlugX poisonplug ShadowPad Winnti

2020-08-06 ⋅ Wired ⋅ Andy Greenberg
Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry
Cobalt Strike MimiKatz Winnti Operation Skeleton Key

2020-08-04 ⋅ BlackHat ⋅ Chung-Kuan Chen, Inndy Lin, Shang-De Jiang
Operation Chimera - APT Operation Targets Semiconductor Vendors
Cobalt Strike MimiKatz Winnti Operation Skeleton Key

2020-04-20 ⋅ QuoScient ⋅ QuoIntelligence
WINNTI GROUP: Insights From the Past
Winnti

2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER

2020-03-03 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom

2020-03-03 ⋅ GIthub (superkhung) ⋅ superkhung
GitHub Repository: winnti-sniff
Winnti

2020-02-20 ⋅ Carbon Black ⋅ Takahiro Haruyama
Threat Analysis: Active C2 Discovery Using Protocol Emulation Part2 (Winnti 4.0)
Winnti

2020-01-31 ⋅ ESET Research ⋅ Mathieu Tartare
Winnti Group targeting universities in Hong Kong
ShadowPad Winnti

2020-01-31 ⋅ Tagesschau ⋅ Jan Lukas Strozyk
Deutsches Chemieunternehmen gehackt
Winnti

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom

2019-10 ⋅ CrowdStrike ⋅ Karl Scheuerman, Piotr Wojtyla
Don't miss the forest for the trees gleaning hunting value from too much intrusion data
Winnti

2019-09-30 ⋅ Lastline ⋅ Jason Zhang, Stefano Ortolani
HELO Winnti: Attack or Scan?
Winnti

2019-09-04 ⋅ FireEye ⋅ FireEye
APT41: Double Dragon APT41, a dual espionage and cyber crime operation
EASYNIGHT Winnti

2019-09-04 ⋅ CarbonBlack ⋅ Takahiro Haruyama
CB TAU Threat Intelligence Notification: Winnti Malware 4.0
Winnti

2019-08-09 ⋅ FireEye ⋅ FireEye
Double Dragon APT41, a dual espionage and cyber crime operation
CLASSFON crackshot CROSSWALK GEARSHIFT HIGHNOON HIGHNOON.BIN JUMPALL poisonplug Winnti

2019-07-24 ⋅ Bayerischer Rundfunk ⋅ Hakan Tanriverdi, Svea Eckert, Jan Strozyk, Maximilian Zierer, Rebecca Ciesielski
Attacking the Heart of the German Industry
Winnti

2019-07-24 ⋅ Github (br-data) ⋅ Hakan Tanriverdi, Svea Eckert, Jan Strozyk, Maximilian Zierer, Rebecca Ciesielski
Winnti analysis
Winnti

2019-04-22 ⋅ Trend Micro ⋅ Mohamad Mokbel
C/C++ Runtime Library Code Tampering in Supply Chain
shadowhammer ShadowPad Winnti

2018-10-01 ⋅ Macnica Networks ⋅ Macnica Networks
Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018
Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm

2018-05-22 ⋅ Github (TKCERT) ⋅ thyssenkrupp CERT
Nmap Script to scan for Winnti infections
Winnti

2018-03-05 ⋅ Github (TKCERT) ⋅ TKCERT
Suricata rules to detect Winnti communication
Winnti

2017-04-19 ⋅ Trend Micro ⋅ Trendmicro
Of Pigs and Malware: Examining a Possible Member of the Winnti Group
Winnti

2017-03-22 ⋅ Trend Micro ⋅ Cedric Pernet
Winnti Abuses GitHub for C&C Communications
Winnti

2016-03-06 ⋅ Github (TKCERT) ⋅ thyssenkrupp CERT
Network detector for Winnti malware
Winnti

2015-06-22 ⋅ Kaspersky Labs ⋅ Dmitry Tarakanov
Games are over: Winnti is now targeting pharmaceutical companies
Winnti Axiom

2015-04-06 ⋅ Novetta ⋅ Novetta
WINNTI ANALYSIS
Winnti

2015 ⋅ Ruxcon ⋅ Matt McCormack
WHY ATTACKER TOOLSETS DO WHAT THEY DO
Winnti

2013-04 ⋅ Kaspersky Labs ⋅ GReAT
Winnti - More than just a game
portless Winnti

Yara Rules

[TLP:WHITE] win_winnti_auto (20211008 \| Detects win.winnti.) rule win_winnti_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2021-10-07" version = "1" description = "Detects win.winnti." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti" malpedia_rule_date = "20211007" malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535" malpedia_version = "20211008" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. / strings: $sequence_0 = { c7413401000000 33ed 680c030000 e8???????? 8bf0 b9c3000000 } // n = 6, score = 200 // c7413401000000 \| mov dword ptr [ecx + 0x34], 1 // 33ed \| xor ebp, ebp // 680c030000 \| push 0x30c // e8???????? \| // 8bf0 \| mov esi, eax // b9c3000000 \| mov ecx, 0xc3 $sequence_1 = { 8b4b18 8d442410 50 687e660480 } // n = 4, score = 200 // 8b4b18 \| mov ecx, dword ptr [ebx + 0x18] // 8d442410 \| lea eax, dword ptr [esp + 0x10] // 50 \| push eax // 687e660480 \| push 0x8004667e $sequence_2 = { 0fbf4c2434 894d00 83c504 895500 83c504 } // n = 5, score = 200 // 0fbf4c2434 \| movsx ecx, word ptr [esp + 0x34] // 894d00 \| mov dword ptr [ebp], ecx // 83c504 \| add ebp, 4 // 895500 \| mov dword ptr [ebp], edx // 83c504 \| add ebp, 4 $sequence_3 = { 53 56 57 8d7a08 83c9ff 33c0 } // n = 6, score = 200 // 53 \| push ebx // 56 \| push esi // 57 \| push edi // 8d7a08 \| lea edi, dword ptr [edx + 8] // 83c9ff \| or ecx, 0xffffffff // 33c0 \| xor eax, eax $sequence_4 = { 85c0 0f8509feffff 56 ff15???????? 55 e8???????? } // n = 6, score = 200 // 85c0 \| test eax, eax // 0f8509feffff \| jne 0xfffffe0f // 56 \| push esi // ff15???????? \| // 55 \| push ebp // e8???????? \| $sequence_5 = { 50 ffd6 5f 33c0 5e 81c474010000 c3 } // n = 7, score = 200 // 50 \| push eax // ffd6 \| call esi // 5f \| pop edi // 33c0 \| xor eax, eax // 5e \| pop esi // 81c474010000 \| add esp, 0x174 // c3 \| ret $sequence_6 = { 8bf1 8b4e10 e8???????? 85c0 0f851b010000 } // n = 5, score = 200 // 8bf1 \| mov esi, ecx // 8b4e10 \| mov ecx, dword ptr [esi + 0x10] // e8???????? \| // 85c0 \| test eax, eax // 0f851b010000 \| jne 0x121 $sequence_7 = { 50 ff15???????? 57 e8???????? 83c404 8bce } // n = 6, score = 200 // 50 \| push eax // ff15???????? \| // 57 \| push edi // e8???????? \| // 83c404 \| add esp, 4 // 8bce \| mov ecx, esi $sequence_8 = { 89442430 8b4704 4c8d050af40000 89442428 488d4500 418d542482 458bcc } // n = 7, score = 100 // 89442430 \| mov dword ptr [esp + 0x30], eax // 8b4704 \| mov eax, dword ptr [edi + 4] // 4c8d050af40000 \| dec esp // 89442428 \| lea eax, dword ptr [0xf40a] // 488d4500 \| mov dword ptr [esp + 0x28], eax // 418d542482 \| dec eax // 458bcc \| lea eax, dword ptr [ebp] $sequence_9 = { 48c1e205 498b0cc3 4863441114 85c0 744d 4c8bc8 49c1f910 } // n = 7, score = 100 // 48c1e205 \| add eax, eax // 498b0cc3 \| inc ecx // 4863441114 \| mov eax, dword ptr [eax] // 85c0 \| test eax, eax // 744d \| jne 0xffffff90 // 4c8bc8 \| nop // 49c1f910 \| dec eax $sequence_10 = { 4c8d4597 41b930000000 ba04822200 488bce c744242838000000 4889442420 ff15???????? } // n = 7, score = 100 // 4c8d4597 \| dec eax // 41b930000000 \| mov dword ptr [esp + 0x20], 0xfffffffe // ba04822200 \| dec eax // 488bce \| mov dword ptr [esp + 0x48], ebx // c744242838000000 \| dec eax // 4889442420 \| mov ebx, ecx // ff15???????? \| $sequence_11 = { 488d4401fa c3 488d4401f9 c3 488d4401f8 c3 488d05f9ed0000 } // n = 7, score = 100 // 488d4401fa \| xor edx, edx // c3 \| dec ecx // 488d4401f9 \| lea ecx, dword ptr [esi + 0x28] // c3 \| dec eax // 488d4401f8 \| mov dword ptr [ebp - 0x61], 0 // c3 \| dec eax // 488d05f9ed0000 \| mov dword ptr [ebp - 0x59], 0 $sequence_12 = { 488d4dd0 488bd8 488d059c690100 48894510 e8???????? 488b4dc0 } // n = 6, score = 100 // 488d4dd0 \| mov al, byte ptr [ecx + ebx + 0x1c] // 488bd8 \| inc edx // 488d059c690100 \| mov byte ptr [ecx + eax + 0xb7d50], al // 48894510 \| inc edx // e8???????? \| // 488b4dc0 \| dec esp $sequence_13 = { 48c744242000000000 ff15???????? 488b4c2458 8bd8 } // n = 4, score = 100 // 48c744242000000000 \| mov ecx, dword ptr [ebx + eax8] // ff15???????? \| // 488b4c2458 \| dec eax // 8bd8 \| arpl word ptr [ecx + edx + 0x14], ax $sequence_14 = { 4c03c0 418b00 85c0 758c } // n = 4, score = 100 // 4c03c0 \| ret // 418b00 \| dec eax // 85c0 \| lea eax, dword ptr [ecx + eax - 8] // 758c \| ret $sequence_15 = { 488d4c2440 ff15???????? 4883c8ff 488d4001 } // n = 4, score = 100 // 488d4c2440 \| rep stosd dword ptr es:[edi], eax // ff15???????? \| // 4883c8ff \| lea eax, dword ptr [esp + 0x3c] // 488d4001 \| je 0x141 $sequence_16 = { 81fa01010000 7d13 4863ca 8a44191c 42888401507d0b00 ffc2 } // n = 6, score = 100 // 81fa01010000 \| mov esi, 6 // 7d13 \| dec eax // 4863ca \| lea eax, dword ptr [ecx + eax - 6] // 8a44191c \| ret // 42888401507d0b00 \| dec eax // ffc2 \| lea eax, dword ptr [ecx + eax - 7] $sequence_17 = { 4c8bc7 33d2 498d4e28 e8???????? 48c7459f00000000 48c745a700000000 be06000000 } // n = 7, score = 100 // 4c8bc7 \| inc ecx // 33d2 \| lea edx, dword ptr [esp - 0x7e] // 498d4e28 \| inc ebp // e8???????? \| // 48c7459f00000000 \| mov ecx, esp // 48c745a700000000 \| dec esp // be06000000 \| mov eax, edi $sequence_18 = { 4533c9 4889442430 4d8bc6 ba0b832200 488bce 895c2428 4c89742420 } // n = 7, score = 100 // 4533c9 \| xor edx, edx // 4889442430 \| inc ecx // 4d8bc6 \| mov eax, 0x90 // ba0b832200 \| dec eax // 488bce \| mov ecx, eax // 895c2428 \| mov ecx, dword ptr [ebp - 0x51] // 4c89742420 \| dec eax $sequence_19 = { 488bf9 b964860000 66394c3804 7509 8b9c3888000000 eb04 8b5c3878 } // n = 7, score = 100 // 488bf9 \| test eax, eax // b964860000 \| je 0x56 // 66394c3804 \| dec esp // 7509 \| mov ecx, eax // 8b9c3888000000 \| dec ecx // eb04 \| sar ecx, 0x10 // 8b5c3878 \| mov dword ptr [esp + 0x30], eax $sequence_20 = { 0fb6ca 84d2 7411 ffc9 7406 } // n = 5, score = 100 // 0fb6ca \| mov eax, dword ptr [edi + 4] // 84d2 \| dec esp // 7411 \| lea eax, dword ptr [0xf40a] // ffc9 \| mov dword ptr [esp + 0x28], eax // 7406 \| dec eax $sequence_21 = { 90 488d05e6240100 488903 488b7b68 4885ff 7410 } // n = 6, score = 100 // 90 \| dec eax // 488d05e6240100 \| lea eax, dword ptr [0xedf9] // 488903 \| cmp edx, 0x101 // 488b7b68 \| jge 0x1b // 4885ff \| dec eax // 7410 \| arpl dx, cx $sequence_22 = { 0f843b010000 33d2 41b890000000 488bc8 e8???????? 8b4daf } // n = 6, score = 100 // 0f843b010000 \| dec eax // 33d2 \| mov ecx, dword ptr [ebp - 0x40] // 41b890000000 \| dec eax // 488bc8 \| shl edx, 5 // e8???????? \| // 8b4daf \| dec ecx $sequence_23 = { ff15???????? c74424281c000000 488d056c0a0000 4889442420 } // n = 4, score = 100 // ff15???????? \| // c74424281c000000 \| lea eax, dword ptr [ebp] // 488d056c0a0000 \| inc ecx // 4889442420 \| lea edx, dword ptr [esp - 0x7e] condition: 7 of them and filesize < 1581056 }
[TLP:WHITE] win_winnti_w0 (20190822 \| rules used for retrohunting by BR Data.) rule win_winnti_w0 { meta: author = "BR Data" source = "https://github.com/br-data/2019-winnti-analyse/" date = "2019-07-24" description = "rules used for retrohunting by BR Data." malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti" malpedia_version = "20190822" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $load_magic = { C7 44 ?? ?? FF D8 FF E0 } $iter = { E9 EA EB EC ED EE EF F0 } $jpeg = { FF D8 FF E0 00 00 00 00 00 00 } condition: uint16(0) == 0x5a4d and $jpeg and ($load_magic or $iter in (@jpeg[1]..@jpeg[1]+200)) and for any i in (1..#jpeg): ( uint8(@jpeg[i] + 11) != 0 ) }
[TLP:WHITE] win_winnti_w1 (20190822 \| rules used for retrohunting by BR Data.) rule win_winnti_w1 { meta: author = "BR Data" source = "https://github.com/br-data/2019-winnti-analyse/" date = "2019-07-24" description = "rules used for retrohunting by BR Data." malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti" malpedia_version = "20190822" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $cooper = "Cooper" $pattern = { e9 ea eb ec ed ee ef f0} condition: uint16(0) == 0x5a4d and $cooper and ($pattern in (@cooper[1]..@cooper[1]+100)) }
[TLP:WHITE] win_winnti_w2 (20191207 \| No description) rule win_winnti_w2 { meta: author = "Bundesamt fuer Verfassungsschutz" source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti" malpedia_version = "20191207" malpedia_sharing = "TLP:WHITE" malpedia_license = "" strings: $e1 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411015}" ascii nocase $e2 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411014}" ascii nocase $e3 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411016}" ascii nocase $e4 = "\\BaseNamedObjects\\{B2B87CCA-66BC-4C24-89B2-C23C9EAC2A66}" wide $e5 = "BFE_Notify_Event_{7D00FA3C-FBDC-4A8D-AEEB-3F55A4890D2A}" nocase condition: (any of ($e*)) }
[TLP:WHITE] win_winnti_w3 (20191207 \| No description) rule win_winnti_w3 { meta: author = "Bundesamt fuer Verfassungsschutz" source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti" malpedia_version = "20191207" malpedia_sharing = "TLP:WHITE" malpedia_license = "" strings: $a1 = "IPSecMiniPort" wide fullword $a2 = "ndis6fw" wide fullword $a3 = "TCPIP" wide fullword $a4 = "NDIS.SYS" ascii fullword $a5 = "ntoskrnl.exe" ascii fullword $a6 = "\\BaseNamedObjects\\{B2B87CCA-66BC-4C24-89B2-C23C9EAC2A66}" wide $a7 = "\\Device\\Null" wide $a8 = "\\Device" wide $a9 = "\\Driver" wide $b1 = { 66 81 7? ?? 70 17 } $b2 = { 81 7? ?? 07 E0 15 00 } $b3 = { 8B 46 18 3D 03 60 15 00 } condition: (6 of ($a)) and (2 of ($b)) }

Download all Yara Rules

[TLP:WHITE] win_winnti_auto (20211008 \| Detects win.winnti.) rule win_winnti_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2021-10-07" version = "1" description = "Detects win.winnti." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti" malpedia_rule_date = "20211007" malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535" malpedia_version = "20211008" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. / strings: $sequence_0 = { c7413401000000 33ed 680c030000 e8???????? 8bf0 b9c3000000 } // n = 6, score = 200 // c7413401000000 \| mov dword ptr [ecx + 0x34], 1 // 33ed \| xor ebp, ebp // 680c030000 \| push 0x30c // e8???????? \| // 8bf0 \| mov esi, eax // b9c3000000 \| mov ecx, 0xc3 $sequence_1 = { 8b4b18 8d442410 50 687e660480 } // n = 4, score = 200 // 8b4b18 \| mov ecx, dword ptr [ebx + 0x18] // 8d442410 \| lea eax, dword ptr [esp + 0x10] // 50 \| push eax // 687e660480 \| push 0x8004667e $sequence_2 = { 0fbf4c2434 894d00 83c504 895500 83c504 } // n = 5, score = 200 // 0fbf4c2434 \| movsx ecx, word ptr [esp + 0x34] // 894d00 \| mov dword ptr [ebp], ecx // 83c504 \| add ebp, 4 // 895500 \| mov dword ptr [ebp], edx // 83c504 \| add ebp, 4 $sequence_3 = { 53 56 57 8d7a08 83c9ff 33c0 } // n = 6, score = 200 // 53 \| push ebx // 56 \| push esi // 57 \| push edi // 8d7a08 \| lea edi, dword ptr [edx + 8] // 83c9ff \| or ecx, 0xffffffff // 33c0 \| xor eax, eax $sequence_4 = { 85c0 0f8509feffff 56 ff15???????? 55 e8???????? } // n = 6, score = 200 // 85c0 \| test eax, eax // 0f8509feffff \| jne 0xfffffe0f // 56 \| push esi // ff15???????? \| // 55 \| push ebp // e8???????? \| $sequence_5 = { 50 ffd6 5f 33c0 5e 81c474010000 c3 } // n = 7, score = 200 // 50 \| push eax // ffd6 \| call esi // 5f \| pop edi // 33c0 \| xor eax, eax // 5e \| pop esi // 81c474010000 \| add esp, 0x174 // c3 \| ret $sequence_6 = { 8bf1 8b4e10 e8???????? 85c0 0f851b010000 } // n = 5, score = 200 // 8bf1 \| mov esi, ecx // 8b4e10 \| mov ecx, dword ptr [esi + 0x10] // e8???????? \| // 85c0 \| test eax, eax // 0f851b010000 \| jne 0x121 $sequence_7 = { 50 ff15???????? 57 e8???????? 83c404 8bce } // n = 6, score = 200 // 50 \| push eax // ff15???????? \| // 57 \| push edi // e8???????? \| // 83c404 \| add esp, 4 // 8bce \| mov ecx, esi $sequence_8 = { 89442430 8b4704 4c8d050af40000 89442428 488d4500 418d542482 458bcc } // n = 7, score = 100 // 89442430 \| mov dword ptr [esp + 0x30], eax // 8b4704 \| mov eax, dword ptr [edi + 4] // 4c8d050af40000 \| dec esp // 89442428 \| lea eax, dword ptr [0xf40a] // 488d4500 \| mov dword ptr [esp + 0x28], eax // 418d542482 \| dec eax // 458bcc \| lea eax, dword ptr [ebp] $sequence_9 = { 48c1e205 498b0cc3 4863441114 85c0 744d 4c8bc8 49c1f910 } // n = 7, score = 100 // 48c1e205 \| add eax, eax // 498b0cc3 \| inc ecx // 4863441114 \| mov eax, dword ptr [eax] // 85c0 \| test eax, eax // 744d \| jne 0xffffff90 // 4c8bc8 \| nop // 49c1f910 \| dec eax $sequence_10 = { 4c8d4597 41b930000000 ba04822200 488bce c744242838000000 4889442420 ff15???????? } // n = 7, score = 100 // 4c8d4597 \| dec eax // 41b930000000 \| mov dword ptr [esp + 0x20], 0xfffffffe // ba04822200 \| dec eax // 488bce \| mov dword ptr [esp + 0x48], ebx // c744242838000000 \| dec eax // 4889442420 \| mov ebx, ecx // ff15???????? \| $sequence_11 = { 488d4401fa c3 488d4401f9 c3 488d4401f8 c3 488d05f9ed0000 } // n = 7, score = 100 // 488d4401fa \| xor edx, edx // c3 \| dec ecx // 488d4401f9 \| lea ecx, dword ptr [esi + 0x28] // c3 \| dec eax // 488d4401f8 \| mov dword ptr [ebp - 0x61], 0 // c3 \| dec eax // 488d05f9ed0000 \| mov dword ptr [ebp - 0x59], 0 $sequence_12 = { 488d4dd0 488bd8 488d059c690100 48894510 e8???????? 488b4dc0 } // n = 6, score = 100 // 488d4dd0 \| mov al, byte ptr [ecx + ebx + 0x1c] // 488bd8 \| inc edx // 488d059c690100 \| mov byte ptr [ecx + eax + 0xb7d50], al // 48894510 \| inc edx // e8???????? \| // 488b4dc0 \| dec esp $sequence_13 = { 48c744242000000000 ff15???????? 488b4c2458 8bd8 } // n = 4, score = 100 // 48c744242000000000 \| mov ecx, dword ptr [ebx + eax8] // ff15???????? \| // 488b4c2458 \| dec eax // 8bd8 \| arpl word ptr [ecx + edx + 0x14], ax $sequence_14 = { 4c03c0 418b00 85c0 758c } // n = 4, score = 100 // 4c03c0 \| ret // 418b00 \| dec eax // 85c0 \| lea eax, dword ptr [ecx + eax - 8] // 758c \| ret $sequence_15 = { 488d4c2440 ff15???????? 4883c8ff 488d4001 } // n = 4, score = 100 // 488d4c2440 \| rep stosd dword ptr es:[edi], eax // ff15???????? \| // 4883c8ff \| lea eax, dword ptr [esp + 0x3c] // 488d4001 \| je 0x141 $sequence_16 = { 81fa01010000 7d13 4863ca 8a44191c 42888401507d0b00 ffc2 } // n = 6, score = 100 // 81fa01010000 \| mov esi, 6 // 7d13 \| dec eax // 4863ca \| lea eax, dword ptr [ecx + eax - 6] // 8a44191c \| ret // 42888401507d0b00 \| dec eax // ffc2 \| lea eax, dword ptr [ecx + eax - 7] $sequence_17 = { 4c8bc7 33d2 498d4e28 e8???????? 48c7459f00000000 48c745a700000000 be06000000 } // n = 7, score = 100 // 4c8bc7 \| inc ecx // 33d2 \| lea edx, dword ptr [esp - 0x7e] // 498d4e28 \| inc ebp // e8???????? \| // 48c7459f00000000 \| mov ecx, esp // 48c745a700000000 \| dec esp // be06000000 \| mov eax, edi $sequence_18 = { 4533c9 4889442430 4d8bc6 ba0b832200 488bce 895c2428 4c89742420 } // n = 7, score = 100 // 4533c9 \| xor edx, edx // 4889442430 \| inc ecx // 4d8bc6 \| mov eax, 0x90 // ba0b832200 \| dec eax // 488bce \| mov ecx, eax // 895c2428 \| mov ecx, dword ptr [ebp - 0x51] // 4c89742420 \| dec eax $sequence_19 = { 488bf9 b964860000 66394c3804 7509 8b9c3888000000 eb04 8b5c3878 } // n = 7, score = 100 // 488bf9 \| test eax, eax // b964860000 \| je 0x56 // 66394c3804 \| dec esp // 7509 \| mov ecx, eax // 8b9c3888000000 \| dec ecx // eb04 \| sar ecx, 0x10 // 8b5c3878 \| mov dword ptr [esp + 0x30], eax $sequence_20 = { 0fb6ca 84d2 7411 ffc9 7406 } // n = 5, score = 100 // 0fb6ca \| mov eax, dword ptr [edi + 4] // 84d2 \| dec esp // 7411 \| lea eax, dword ptr [0xf40a] // ffc9 \| mov dword ptr [esp + 0x28], eax // 7406 \| dec eax $sequence_21 = { 90 488d05e6240100 488903 488b7b68 4885ff 7410 } // n = 6, score = 100 // 90 \| dec eax // 488d05e6240100 \| lea eax, dword ptr [0xedf9] // 488903 \| cmp edx, 0x101 // 488b7b68 \| jge 0x1b // 4885ff \| dec eax // 7410 \| arpl dx, cx $sequence_22 = { 0f843b010000 33d2 41b890000000 488bc8 e8???????? 8b4daf } // n = 6, score = 100 // 0f843b010000 \| dec eax // 33d2 \| mov ecx, dword ptr [ebp - 0x40] // 41b890000000 \| dec eax // 488bc8 \| shl edx, 5 // e8???????? \| // 8b4daf \| dec ecx $sequence_23 = { ff15???????? c74424281c000000 488d056c0a0000 4889442420 } // n = 4, score = 100 // ff15???????? \| // c74424281c000000 \| lea eax, dword ptr [ebp] // 488d056c0a0000 \| inc ecx // 4889442420 \| lea edx, dword ptr [esp - 0x7e] condition: 7 of them and filesize < 1581056 }
[TLP:WHITE] win_winnti_w0 (20190822 \| rules used for retrohunting by BR Data.) rule win_winnti_w0 { meta: author = "BR Data" source = "https://github.com/br-data/2019-winnti-analyse/" date = "2019-07-24" description = "rules used for retrohunting by BR Data." malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti" malpedia_version = "20190822" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $load_magic = { C7 44 ?? ?? FF D8 FF E0 } $iter = { E9 EA EB EC ED EE EF F0 } $jpeg = { FF D8 FF E0 00 00 00 00 00 00 } condition: uint16(0) == 0x5a4d and $jpeg and ($load_magic or $iter in (@jpeg[1]..@jpeg[1]+200)) and for any i in (1..#jpeg): ( uint8(@jpeg[i] + 11) != 0 ) }
[TLP:WHITE] win_winnti_w1 (20190822 \| rules used for retrohunting by BR Data.) rule win_winnti_w1 { meta: author = "BR Data" source = "https://github.com/br-data/2019-winnti-analyse/" date = "2019-07-24" description = "rules used for retrohunting by BR Data." malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti" malpedia_version = "20190822" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $cooper = "Cooper" $pattern = { e9 ea eb ec ed ee ef f0} condition: uint16(0) == 0x5a4d and $cooper and ($pattern in (@cooper[1]..@cooper[1]+100)) }
[TLP:WHITE] win_winnti_w2 (20191207 \| No description) rule win_winnti_w2 { meta: author = "Bundesamt fuer Verfassungsschutz" source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti" malpedia_version = "20191207" malpedia_sharing = "TLP:WHITE" malpedia_license = "" strings: $e1 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411015}" ascii nocase $e2 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411014}" ascii nocase $e3 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411016}" ascii nocase $e4 = "\\BaseNamedObjects\\{B2B87CCA-66BC-4C24-89B2-C23C9EAC2A66}" wide $e5 = "BFE_Notify_Event_{7D00FA3C-FBDC-4A8D-AEEB-3F55A4890D2A}" nocase condition: (any of ($e*)) }
[TLP:WHITE] win_winnti_w3 (20191207 \| No description) rule win_winnti_w3 { meta: author = "Bundesamt fuer Verfassungsschutz" source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti" malpedia_version = "20191207" malpedia_sharing = "TLP:WHITE" malpedia_license = "" strings: $a1 = "IPSecMiniPort" wide fullword $a2 = "ndis6fw" wide fullword $a3 = "TCPIP" wide fullword $a4 = "NDIS.SYS" ascii fullword $a5 = "ntoskrnl.exe" ascii fullword $a6 = "\\BaseNamedObjects\\{B2B87CCA-66BC-4C24-89B2-C23C9EAC2A66}" wide $a7 = "\\Device\\Null" wide $a8 = "\\Device" wide $a9 = "\\Driver" wide $b1 = { 66 81 7? ?? 70 17 } $b2 = { 81 7? ?? 07 E0 15 00 } $b3 = { 8B 46 18 3D 03 60 15 00 } condition: (6 of ($a)) and (2 of ($b)) }

Winnti Propose Change

References

Yara Rules

Winnti