win.younglotus

YoungLotus

aka: DarkShare

Simple malware with proxy/RDP and download capabilities. It is often bundled with installers, particularly in the Chinese software ecosystem.

PE timestamps suggest that it came into existence in the second half of 2014.

Some versions check the status of the internet connection (InternetGetConnectedState: MODEM, LAN, PROXY), and some versions perform simple anti-virus process checks (CreateToolhelp32Snapshot).

References
2017-06-14 | YouTube (hasherezade) | hasherezade
Unpacking YoungLotus malware
YoungLotus
Yara Rules
[TLP:WHITE] win_younglotus_auto (20230808 | Detects win.younglotus.)
rule win_younglotus_auto {
    // Auto-generated family signature for win.younglotus (YoungLotus, aka DarkShare).
    // It consists of 16 short x86 opcode sequences lifted from disassembly; a file
    // matches when at least 7 of them are present and the file is below 104 KiB.
    // Because the sequences were taken from memory dumps and unpacked files (see
    // DISCLAIMER below), a packed sample on disk may not match until it is unpacked.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.younglotus."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.younglotus"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of n consecutive instruction encodings. The
        // "????????" bytes are wildcards for operands that vary between builds or
        // load addresses (rel32 call/jmp targets after e8/e9, absolute addresses
        // after ff15 / 68); the fixed bytes are disassembled in the comments below.
        // "score" is the per-sequence weight reported by yara-signator's generation
        // run (presumably higher = more characteristic of the family in its dataset;
        // confirm against the yara-signator documentation). It is annotation only
        // and has no effect on matching.
        $sequence_0 = { 6802000080 e8???????? 83c41c 6a01 }
            // n = 4, score = 1000
            //   6802000080           | push                0x80000002
            //   e8????????           |                     
            //   83c41c               | add                 esp, 0x1c
            //   6a01                 | push                1

        $sequence_1 = { e8???????? 2b450c 50 8b4dfc }
            // n = 4, score = 800
            //   e8????????           |                     
            //   2b450c               | sub                 eax, dword ptr [ebp + 0xc]
            //   50                   | push                eax
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_2 = { 8b45e0 25ff000000 e9???????? c745e401000000 8b550c }
            // n = 5, score = 800
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   25ff000000           | and                 eax, 0xff
            //   e9????????           |                     
            //   c745e401000000       | mov                 dword ptr [ebp - 0x1c], 1
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]

        $sequence_3 = { 50 ff15???????? 8b4dfc 8981a4000000 68???????? }
            // n = 5, score = 800
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8981a4000000         | mov                 dword ptr [ecx + 0xa4], eax
            //   68????????           |                     

        $sequence_4 = { 50 8b4d0c 81e970010000 51 }
            // n = 4, score = 800
            //   50                   | push                eax
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   81e970010000         | sub                 ecx, 0x170
            //   51                   | push                ecx

        $sequence_5 = { 83bda4faffff00 751b 68???????? 8d85a8faffff 50 ff15???????? 83c408 }
            // n = 7, score = 800
            //   83bda4faffff00       | cmp                 dword ptr [ebp - 0x55c], 0
            //   751b                 | jne                 0x1d
            //   68????????           |                     
            //   8d85a8faffff         | lea                 eax, [ebp - 0x558]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83c408               | add                 esp, 8

        $sequence_6 = { 6804010000 6a00 8d8da8faffff 51 6a01 6a00 }
            // n = 6, score = 800
            //   6804010000           | push                0x104
            //   6a00                 | push                0
            //   8d8da8faffff         | lea                 ecx, [ebp - 0x558]
            //   51                   | push                ecx
            //   6a01                 | push                1
            //   6a00                 | push                0

        $sequence_7 = { 83c40c 8b45fc 83c00f 8945f8 6a03 }
            // n = 5, score = 800
            //   83c40c               | add                 esp, 0xc
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   83c00f               | add                 eax, 0xf
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   6a03                 | push                3

        // The remaining sequences (score <= 600) are short, generic-looking
        // push/call/test patterns; on their own they are weak evidence and rely on
        // the 7-of-16 threshold in the condition to keep false positives down.
        $sequence_8 = { 56 57 68???????? ff15???????? 8945dc 68???????? }
            // n = 6, score = 600
            //   56                   | push                esi
            //   57                   | push                edi
            //   68????????           |                     
            //   ff15????????         |                     
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   68????????           |                     

        $sequence_9 = { 50 ffd3 85c0 8945fc 0f84b7000000 }
            // n = 5, score = 400
            //   50                   | push                eax
            //   ffd3                 | call                ebx
            //   85c0                 | test                eax, eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   0f84b7000000         | je                  0xbd

        $sequence_10 = { 68???????? ffd6 ff7508 e8???????? 8bf8 59 85ff }
            // n = 7, score = 400
            //   68????????           |                     
            //   ffd6                 | call                esi
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   59                   | pop                 ecx
            //   85ff                 | test                edi, edi

        $sequence_11 = { ff7508 50 e8???????? 8d430f }
            // n = 4, score = 400
            //   ff7508               | push                dword ptr [ebp + 8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d430f               | lea                 eax, [ebx + 0xf]

        $sequence_12 = { 50 8945f4 ffd6 8d4df8 }
            // n = 4, score = 400
            //   50                   | push                eax
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   ffd6                 | call                esi
            //   8d4df8               | lea                 ecx, [ebp - 8]

        $sequence_13 = { 6a01 53 ff15???????? 8b4de8 6a03 }
            // n = 5, score = 400
            //   6a01                 | push                1
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   6a03                 | push                3

        $sequence_14 = { 8945e8 ffd6 68???????? 8945ec ffd7 68???????? }
            // n = 6, score = 400
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   ffd6                 | call                esi
            //   68????????           |                     
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   ffd7                 | call                edi
            //   68????????           |                     

        $sequence_15 = { ffd0 50 ff55f0 85c0 746f 8b450c }
            // n = 6, score = 400
            //   ffd0                 | call                eax
            //   50                   | push                eax
            //   ff55f0               | call                dword ptr [ebp - 0x10]
            //   85c0                 | test                eax, eax
            //   746f                 | je                  0x71
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]

    condition:
        // At least 7 of the 16 sequences (any mix of high- and low-score ones) must
        // hit, and the scanned file must be smaller than 106496 bytes (104 KiB).
        // "filesize" is the size of the file being scanned, so a memory dump
        // written to disk that exceeds the cap will not match no matter how many
        // sequences hit; YARA leaves filesize undefined when scanning a live
        // process, so verify behaviour for process scans with your YARA version.
        7 of them and filesize < 106496
}