SYMBOLCOMMON_NAMEaka. SYNONYMS
win.wipbot (Back to overview)

Wipbot

aka: Epic, Tavdig

Actor(s): Turla Group


There is no description at this point.

References
2016-09-07Virus BulletinBrian Bartholomew, Juan Andrés Guerrero-Saade
@techreport{bartholomew:20160907:wave:96e9f50, author = {Brian Bartholomew and Juan Andrés Guerrero-Saade}, title = {{Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks}}, date = {2016-09-07}, institution = {Virus Bulletin}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf}, language = {English}, urldate = {2020-03-13} } Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks
DuQu JripBot Sinowal Stuxnet Wipbot
2016-01-14SymantecSecurity Response
@techreport{response:20160114:waterbug:51a4dbd, author = {Security Response}, title = {{The Waterbug attack group}}, date = {2016-01-14}, institution = {Symantec}, url = {https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf}, language = {English}, urldate = {2020-01-09} } The Waterbug attack group
Agent.BTZ Wipbot
2016-01-14SymantecSecurity Response
@online{response:20160114:waterbug:9dbc59e, author = {Security Response}, title = {{The Waterbug attack group}}, date = {2016-01-14}, organization = {Symantec}, url = {https://docs.broadcom.com/doc/waterbug-attack-group}, language = {English}, urldate = {2022-04-25} } The Waterbug attack group
Agent.BTZ Cobra Carbon System Wipbot
2014-08-07Kaspersky LabsGReAT
@online{great:20140807:epic:f8b0803, author = {GReAT}, title = {{The Epic Turla Operation}}, date = {2014-08-07}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/65545/the-epic-turla-operation/}, language = {English}, urldate = {2021-07-02} } The Epic Turla Operation
Cobra Carbon System Uroburos Wipbot Turla
Yara Rules
[TLP:WHITE] win_wipbot_auto (20221125 | Detects win.wipbot.)
rule win_wipbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.wipbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wipbot"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4c 89442428 e8???????? 49 89c2 31c0 4c }
            // n = 7, score = 100
            //   4c                   | dec                 esp
            //   89442428             | mov                 dword ptr [esp + 0x28], eax
            //   e8????????           |                     
            //   49                   | dec                 ecx
            //   89c2                 | mov                 edx, eax
            //   31c0                 | xor                 eax, eax
            //   4c                   | dec                 esp

        $sequence_1 = { 83c220 01f0 89542408 ffd0 83ec0c 8d4de0 }
            // n = 6, score = 100
            //   83c220               | add                 edx, 0x20
            //   01f0                 | add                 eax, esi
            //   89542408             | mov                 dword ptr [esp + 8], edx
            //   ffd0                 | call                eax
            //   83ec0c               | sub                 esp, 0xc
            //   8d4de0               | lea                 ecx, [ebp - 0x20]

        $sequence_2 = { 744d 48 8b5c2420 41 89ff }
            // n = 5, score = 100
            //   744d                 | je                  0x4f
            //   48                   | dec                 eax
            //   8b5c2420             | mov                 ebx, dword ptr [esp + 0x20]
            //   41                   | inc                 ecx
            //   89ff                 | mov                 edi, edi

        $sequence_3 = { 48 89f1 e8???????? 85c0 0f8454010000 e9???????? }
            // n = 6, score = 100
            //   48                   | dec                 eax
            //   89f1                 | mov                 ecx, esi
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f8454010000         | je                  0x15a
            //   e9????????           |                     

        $sequence_4 = { 89ce 45 89c0 48 29c6 49 }
            // n = 6, score = 100
            //   89ce                 | mov                 esi, ecx
            //   45                   | inc                 ebp
            //   89c0                 | mov                 eax, eax
            //   48                   | dec                 eax
            //   29c6                 | sub                 esi, eax
            //   49                   | dec                 ecx

        $sequence_5 = { 891c24 ffd0 89c2 8b45e0 56 85d2 }
            // n = 6, score = 100
            //   891c24               | mov                 dword ptr [esp], ebx
            //   ffd0                 | call                eax
            //   89c2                 | mov                 edx, eax
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   56                   | push                esi
            //   85d2                 | test                edx, edx

        $sequence_6 = { c744243802000000 4c 896c2430 4c 8d442478 48 }
            // n = 6, score = 100
            //   c744243802000000     | mov                 dword ptr [esp + 0x38], 2
            //   4c                   | dec                 esp
            //   896c2430             | mov                 dword ptr [esp + 0x30], ebp
            //   4c                   | dec                 esp
            //   8d442478             | lea                 eax, [esp + 0x78]
            //   48                   | dec                 eax

        $sequence_7 = { 66837b0200 0f84ab000000 8b4b08 e8???????? 48 85c0 48 }
            // n = 7, score = 100
            //   66837b0200           | cmp                 word ptr [ebx + 2], 0
            //   0f84ab000000         | je                  0xb1
            //   8b4b08               | mov                 ecx, dword ptr [ebx + 8]
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   85c0                 | test                eax, eax
            //   48                   | dec                 eax

        $sequence_8 = { 48 8d2c06 e8???????? 31d2 eb0d 89d1 ffc2 }
            // n = 7, score = 100
            //   48                   | dec                 eax
            //   8d2c06               | lea                 ebp, [esi + eax]
            //   e8????????           |                     
            //   31d2                 | xor                 edx, edx
            //   eb0d                 | jmp                 0xf
            //   89d1                 | mov                 ecx, edx
            //   ffc2                 | inc                 edx

        $sequence_9 = { 48 89542420 ba8a9be5e1 e8???????? 49 89c2 b8010000c0 }
            // n = 7, score = 100
            //   48                   | dec                 eax
            //   89542420             | mov                 dword ptr [esp + 0x20], edx
            //   ba8a9be5e1           | mov                 edx, 0xe1e59b8a
            //   e8????????           |                     
            //   49                   | dec                 ecx
            //   89c2                 | mov                 edx, eax
            //   b8010000c0           | mov                 eax, 0xc0000001

    condition:
        7 of them and filesize < 253952
}
Download all Yara Rules