win.yorekey

YoreKey

Actor(s): Kimsuky


There is no description at this point.

References
2021-11-18 · Proofpoint · Darien Huss, Selena Larson
@online{huss:20211118:triple:62c1c14, author = {Darien Huss and Selena Larson}, title = {{Triple Threat: North Korea-Aligned TA406 Scams, Spies, and Steals}}, date = {2021-11-18}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steals}, language = {English}, urldate = {2021-12-15} } Triple Threat: North Korea-Aligned TA406 Scams, Spies, and Steals
YoreKey
2021-11-18 · Proofpoint · Darien Huss, Selena Larson
@techreport{huss:20211118:triple:dd07fa8, author = {Darien Huss and Selena Larson}, title = {{Triple Threat: North Korea-Aligned TA406 Steals, Scams and Spies}}, date = {2021-11-18}, institution = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf}, language = {English}, urldate = {2021-12-15} } Triple Threat: North Korea-Aligned TA406 Steals, Scams and Spies
YoreKey
Yara Rules
[TLP:WHITE] win_yorekey_auto (20230407 | Detects win.yorekey.)
/*
 * win_yorekey_auto
 *
 * Auto-generated YARA rule (yara-signator v0.6.0) for the Malpedia family
 * win.yorekey (YoreKey), which the Malpedia entry attributes to Kimsuky.
 * The rule matches a file when at least 7 of the 15 opcode sequences below are
 * found and the file is smaller than 274432 bytes (268 KiB); see the condition.
 *
 * Reading the rule: each $sequence_N is a raw hex byte pattern; "??" bytes are
 * wildcards that appear to mask relocatable operands (call/jmp targets and
 * absolute data addresses), so the patterns survive rebasing/relinking.
 * The "// n = ..., score = ..." lines are signator statistics (n = number of
 * instructions in the sequence; score is presumably the generator's weighting -
 * $sequence_0 carries 200, all others 100 - meaning not documented here).
 *
 * NOTE(review): the per-line disassembly annotations are NOT reliable for
 * several sequences - they are visibly shifted relative to the opcode bytes
 * (e.g. in $sequence_7 the byte 55 is annotated "and eax, 0x1f" and 33c0 is
 * annotated "ret", whereas 55 is push ebp, 33c0 is xor eax, eax and c3 is ret).
 * Only $sequence_0 lines up. Treat the hex bytes as authoritative and the
 * annotations as informational at best.
 *
 * NOTE(review): sequences mix patterns with REX prefixes (48/4c/41/49, e.g.
 * $sequence_2, $sequence_3, $sequence_8) and classic 32-bit patterns
 * (55 8bec, absolute references near 0x4140e0 in $sequence_1/$sequence_5/
 * $sequence_10) - this suggests the rule was built from both x64 and x86
 * samples of the family; confirm against the Malpedia sample set before
 * relying on it for one architecture only.
 *
 * Per the disclaimer below, the generator may have seen only a single sample
 * per family, so assign confidence levels accordingly and validate against
 * a benign corpus (the 7-of-15 threshold is the main false-positive control).
 */
rule win_yorekey_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.yorekey."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yorekey"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Opcode sequences extracted from unpacked samples / memory dumps. Because
     * they were taken from unpacked code, the rule is intended for unpacked
     * files or memory scans; a packed on-disk sample may not match. */
    strings:
        // Only sequence whose annotations match its bytes; also the only one
        // scored 200 by the generator.
        $sequence_0 = { 750a 85c0 7506 ff15???????? }
            // n = 4, score = 200
            //   750a                 | jne                 0xc
            //   85c0                 | test                eax, eax
            //   7506                 | jne                 8
            //   ff15????????         |                     

        // Annotations below are shifted relative to the bytes (see header).
        $sequence_1 = { 03048de0404100 eb02 8bc2 f6402480 0f8571ffffff }
            // n = 5, score = 100
            //   03048de0404100       | test                eax, eax
            //   eb02                 | jmp                 0xffffffd7
            //   8bc2                 | mov                 ecx, eax
            //   f6402480             | sar                 ecx, 5
            //   0f8571ffffff         | mov                 ecx, dword ptr [ecx*4 + 0x4140e0]

        $sequence_2 = { 4885c0 7509 488d053f190100 eb04 4883c010 4883c428 }
            // n = 6, score = 100
            //   4885c0               | xor                 ecx, ecx
            //   7509                 | inc                 ecx
            //   488d053f190100       | lea                 edx, [eax + 2]
            //   eb04                 | dec                 eax
            //   4883c010             | mov                 ecx, dword ptr [ebp - 0x69]
            //   4883c428             | mov                 ecx, 0x927c0

        $sequence_3 = { 488d0d62900100 e8???????? 85c0 740f 4533c0 33c9 418d5002 }
            // n = 7, score = 100
            //   488d0d62900100       | dec                 eax
            //   e8????????           |                     
            //   85c0                 | mov                 ecx, ebp
            //   740f                 | jmp                 0x6d
            //   4533c0               | dec                 eax
            //   33c9                 | lea                 ecx, [0x19062]
            //   418d5002             | test                eax, eax

        $sequence_4 = { c3 85f6 75bf 8935???????? 83f910 7305 b8???????? }
            // n = 7, score = 100
            //   c3                   | mov                 eax, 4
            //   85f6                 | dec                 eax
            //   75bf                 | mov                 ecx, edi
            //   8935????????         |                     
            //   83f910               | mov                 byte ptr [esp + 0x8b], dl
            //   7305                 | xor                 ebp, ebp
            //   b8????????           |                     

        $sequence_5 = { ebd5 8bc8 c1f905 8b0c8de0404100 83e01f c1e006 }
            // n = 6, score = 100
            //   ebd5                 | dec                 esp
            //   8bc8                 | mov                 eax, ebx
            //   c1f905               | mov                 edx, esi
            //   8b0c8de0404100       | dec                 eax
            //   83e01f               | lea                 edx, [esp + 0x38]
            //   c1e006               | inc                 ecx

        $sequence_6 = { 8b1d???????? 56 be01000000 6a00 8975fc ff15???????? 85c0 }
            // n = 7, score = 100
            //   8b1d????????         |                     
            //   56                   | lea                 ecx, [0x172b6]
            //   be01000000           | dec                 ecx
            //   6a00                 | mov                 ecx, eax
            //   8975fc               | dec                 esp
            //   ff15????????         |                     
            //   85c0                 | mov                 ecx, edi

        $sequence_7 = { 55 8bec 33c0 8b4d08 3b0cc5f0da4000 740a }
            // n = 6, score = 100
            //   55                   | and                 eax, 0x1f
            //   8bec                 | shl                 eax, 6
            //   33c0                 | ret                 
            //   8b4d08               | test                esi, esi
            //   3b0cc5f0da4000       | jne                 0xffffffc3
            //   740a                 | cmp                 ecx, 0x10

        $sequence_8 = { 4883c428 c3 4883ec28 488d1549000000 488d0db6720100 }
            // n = 5, score = 100
            //   4883c428             | dec                 ecx
            //   c3                   | mov                 ecx, esi
            //   4883ec28             | dec                 eax
            //   488d1549000000       | test                eax, eax
            //   488d0db6720100       | jne                 0xb

        $sequence_9 = { 488b4d97 e8???????? b9c0270900 ff15???????? e9???????? 498bce ff15???????? }
            // n = 7, score = 100
            //   488b4d97             | je                  0x13
            //   e8????????           |                     
            //   b9c0270900           | inc                 ebp
            //   ff15????????         |                     
            //   e9????????           |                     
            //   498bce               | xor                 eax, eax
            //   ff15????????         |                     

        $sequence_10 = { 8bf7 83e61f 8bc7 c1f805 c1e606 033485e0404100 8b45f8 }
            // n = 7, score = 100
            //   8bf7                 | jne                 0xc
            //   83e61f               | test                eax, eax
            //   8bc7                 | jne                 0xa
            //   c1f805               | push                esi
            //   c1e606               | mov                 esi, 1
            //   033485e0404100       | push                0
            //   8b45f8               | mov                 dword ptr [ebp - 4], esi

        $sequence_11 = { 498bc8 e8???????? 488b0d???????? 4c8bcf 4c8bc3 8bd6 }
            // n = 6, score = 100
            //   498bc8               | dec                 eax
            //   e8????????           |                     
            //   488b0d????????       |                     
            //   4c8bcf               | lea                 eax, [0x1193f]
            //   4c8bc3               | jmp                 0xf
            //   8bd6                 | dec                 eax

        $sequence_12 = { e9???????? 488d542438 41b804000000 488bcf }
            // n = 4, score = 100
            //   e9????????           |                     
            //   488d542438           | add                 eax, 0x10
            //   41b804000000         | dec                 eax
            //   488bcf               | add                 esp, 0x28

        $sequence_13 = { c6864b01000043 c74668f0104100 6a0d e8???????? 59 8365fc00 }
            // n = 6, score = 100
            //   c6864b01000043       | inc                 esp
            //   c74668f0104100       | lea                 esp, [esi + 1]
            //   6a0d                 | inc                 ebp
            //   e8????????           |                     
            //   59                   | test                esp, esp
            //   8365fc00             | jle                 0xe5

        $sequence_14 = { 85c0 0f85d9000000 488d1558fd0000 41b810200100 488bcd e8???????? eb6b }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   0f85d9000000         | jne                 0xdf
            //   488d1558fd0000       | dec                 eax
            //   41b810200100         | lea                 edx, [0xfd58]
            //   488bcd               | inc                 ecx
            //   e8????????           |                     
            //   eb6b                 | mov                 eax, 0x12010

    /* Match threshold: any 7 of the 15 sequences (sequence scores are not used
     * by the condition). The filesize bound (274432 bytes = 268 KiB) limits
     * scanning cost and incidental hits in large binaries; it also means
     * samples padded or bundled beyond that size will not match, so raise it
     * deliberately if larger variants are observed. Note that "filesize" is
     * only meaningful for file scans, not for process-memory scans. */
    condition:
        7 of them and filesize < 274432
}