Actor(s): Rocket Kitten
There is no description at this point.
rule win_woolger_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-10-14" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.5.0" tool_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.woolger" malpedia_rule_date = "20201014" malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9" malpedia_version = "20201014" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { c685fcf8ffff00 4f 8a4701 47 84c0 } // n = 5, score = 200 // c685fcf8ffff00 | mov byte ptr [ebp - 0x704], 0 // 4f | dec edi // 8a4701 | mov al, byte ptr [edi + 1] // 47 | inc edi // 84c0 | test al, al $sequence_1 = { e9???????? 83f809 750a be???????? } // n = 4, score = 200 // e9???????? | // 83f809 | cmp eax, 9 // 750a | jne 0xc // be???????? | $sequence_2 = { e9???????? 83f825 750a be???????? e9???????? 83f826 } // n = 6, score = 200 // e9???????? | // 83f825 | cmp eax, 0x25 // 750a | jne 0xc // be???????? | // e9???????? | // 83f826 | cmp eax, 0x26 $sequence_3 = { 0f848e000000 56 57 b980000000 8db5fcfdffff bf???????? } // n = 6, score = 200 // 0f848e000000 | je 0x94 // 56 | push esi // 57 | push edi // b980000000 | mov ecx, 0x80 // 8db5fcfdffff | lea esi, [ebp - 0x204] // bf???????? | $sequence_4 = { 83f814 750a be???????? e9???????? 83f81b } // n = 5, score = 200 // 83f814 | cmp eax, 0x14 // 750a | jne 0xc // be???????? | // e9???????? | // 83f81b | cmp eax, 0x1b $sequence_5 = { e9???????? 83f827 750a be???????? } // n = 4, score = 200 // e9???????? | // 83f827 | cmp eax, 0x27 // 750a | jne 0xc // be???????? | $sequence_6 = { 68???????? 56 6a00 6a00 ff15???????? 5e } // n = 6, score = 200 // 68???????? | // 56 | push esi // 6a00 | push 0 // 6a00 | push 0 // ff15???????? | // 5e | pop esi $sequence_7 = { 8d85fcfeffff 50 0f95c3 ff15???????? 8b4f08 51 8b4f04 } // n = 7, score = 200 // 8d85fcfeffff | lea eax, [ebp - 0x104] // 50 | push eax // 0f95c3 | setne bl // ff15???????? | // 8b4f08 | mov ecx, dword ptr [edi + 8] // 51 | push ecx // 8b4f04 | mov ecx, dword ptr [edi + 4] $sequence_8 = { 83c410 e8???????? 8bbdecfeffff eb1f be???????? eb13 be???????? } // n = 7, score = 200 // 83c410 | add esp, 0x10 // e8???????? | // 8bbdecfeffff | mov edi, dword ptr [ebp - 0x114] // eb1f | jmp 0x21 // be???????? | // eb13 | jmp 0x15 // be???????? | $sequence_9 = { 53 57 8b7d10 89bdecfeffff } // n = 4, score = 200 // 53 | push ebx // 57 | push edi // 8b7d10 | mov edi, dword ptr [ebp + 0x10] // 89bdecfeffff | mov dword ptr [ebp - 0x114], edi condition: 7 of them and filesize < 196608 }
/* Yara Rule Set Author: Florian Roth Date: 2015-09-01 Identifier: Rocket Kitten Keylogger */ rule win_woolger_w0 { meta: description = "Detects Keylogger used in Rocket Kitten APT" author = "Florian Roth" reference = "https://goo.gl/SjQhlp" date = "2015-09-01" super_rule = 1 hash1 = "1c9e519dca0468a87322bebe2a06741136de7969a4eb3efda0ab8db83f0807b4" hash2 = "495a15f9f30d6f6096a97c2bd8cc5edd4d78569b8d541b1d5a64169f8109bc5b" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.woolger" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $x1 = "\\Release\\CWoolger.pdb" ascii $x2 = "WoolenLoger\\obj\\x86\\Release" ascii $x3 = "D:\\Yaser Logers\\" $z1 = "woolger" fullword wide $s1 = "oShellLink.TargetPath = \"" fullword ascii $s2 = "wscript.exe " fullword ascii $s3 = "strSTUP = WshShell.SpecialFolders(\"Startup\")" fullword ascii $s4 = "[CapsLock]" fullword ascii condition: /* File detection */ (uint16(0) == 0x5a4d and filesize < 200KB and (1 of ($x*) or ($z1 and 2 of ($s*)))) or /* Memory detection */ ($z1 and all of ($s*)) }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY