Actor(s): Rocket Kitten
There is no description at this point.
rule win_woolger_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-12-22" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.woolger" malpedia_rule_date = "20201222" malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130" malpedia_version = "20201023" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8b550c 8b4508 8b0d???????? 57 52 } // n = 5, score = 200 // 8b550c | mov edx, dword ptr [ebp + 0xc] // 8b4508 | mov eax, dword ptr [ebp + 8] // 8b0d???????? | // 57 | push edi // 52 | push edx $sequence_1 = { e9???????? 83f825 750a be???????? e9???????? 83f826 } // n = 6, score = 200 // e9???????? | // 83f825 | cmp eax, 0x25 // 750a | jne 0xc // be???????? | // e9???????? | // 83f826 | cmp eax, 0x26 $sequence_2 = { ffd7 68???????? 56 8985f4f4ffff ffd7 8dbdfcf8ffff 8985f8f4ffff } // n = 7, score = 200 // ffd7 | call edi // 68???????? | // 56 | push esi // 8985f4f4ffff | mov dword ptr [ebp - 0xb0c], eax // ffd7 | call edi // 8dbdfcf8ffff | lea edi, [ebp - 0x704] // 8985f8f4ffff | mov dword ptr [ebp - 0xb08], eax $sequence_3 = { 83c40c 8bc8 8a10 40 84d2 75f9 8dbdfcf8ffff } // n = 7, score = 200 // 83c40c | add esp, 0xc // 8bc8 | mov ecx, eax // 8a10 | mov dl, byte ptr [eax] // 40 | inc eax // 84d2 | test dl, dl // 75f9 | jne 0xfffffffb // 8dbdfcf8ffff | lea edi, [ebp - 0x704] $sequence_4 = { a1???????? 8b0d???????? 8995fcfeffff 0fb615???????? } // n = 4, score = 200 // a1???????? | // 8b0d???????? | // 8995fcfeffff | mov dword ptr [ebp - 0x104], edx // 0fb615???????? | $sequence_5 = { 57 0fb7d6 6a02 52 ff15???????? } // n = 5, score = 200 // 57 | push edi // 0fb7d6 | movzx edx, si // 6a02 | push 2 // 52 | push edx // ff15???????? | $sequence_6 = { 50 f3a4 ff15???????? 6a00 ff15???????? 6a00 } // n = 6, score = 200 // 50 | push eax // f3a4 | rep movsb byte ptr es:[edi], byte ptr [esi] // ff15???????? | // 6a00 | push 0 // ff15???????? | // 6a00 | push 0 $sequence_7 = { 52 ff15???????? e8???????? bf???????? e8???????? bf???????? } // n = 6, score = 200 // 52 | push edx // ff15???????? | // e8???????? | // bf???????? | // e8???????? | // bf???????? | $sequence_8 = { ffd6 2480 3c80 6a14 0f9485f5feffff } // n = 5, score = 200 // ffd6 | call esi // 2480 | and al, 0x80 // 3c80 | cmp al, 0x80 // 6a14 | push 0x14 // 0f9485f5feffff | sete byte ptr [ebp - 0x10b] $sequence_9 = { 51 8b4f04 8d95f0feffff 52 8b17 8d85fcfeffff 50 } // n = 7, score = 200 // 51 | push ecx // 8b4f04 | mov ecx, dword ptr [edi + 4] // 8d95f0feffff | lea edx, [ebp - 0x110] // 52 | push edx // 8b17 | mov edx, dword ptr [edi] // 8d85fcfeffff | lea eax, [ebp - 0x104] // 50 | push eax condition: 7 of them and filesize < 196608 }
/* Yara Rule Set Author: Florian Roth Date: 2015-09-01 Identifier: Rocket Kitten Keylogger */ rule win_woolger_w0 { meta: description = "Detects Keylogger used in Rocket Kitten APT" author = "Florian Roth" reference = "https://goo.gl/SjQhlp" date = "2015-09-01" super_rule = 1 hash1 = "1c9e519dca0468a87322bebe2a06741136de7969a4eb3efda0ab8db83f0807b4" hash2 = "495a15f9f30d6f6096a97c2bd8cc5edd4d78569b8d541b1d5a64169f8109bc5b" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.woolger" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $x1 = "\\Release\\CWoolger.pdb" ascii $x2 = "WoolenLoger\\obj\\x86\\Release" ascii $x3 = "D:\\Yaser Logers\\" $z1 = "woolger" fullword wide $s1 = "oShellLink.TargetPath = \"" fullword ascii $s2 = "wscript.exe " fullword ascii $s3 = "strSTUP = WshShell.SpecialFolders(\"Startup\")" fullword ascii $s4 = "[CapsLock]" fullword ascii condition: /* File detection */ (uint16(0) == 0x5a4d and filesize < 200KB and (1 of ($x*) or ($z1 and 2 of ($s*)))) or /* Memory detection */ ($z1 and all of ($s*)) }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY