SYMBOLCOMMON_NAMEaka. SYNONYMS
win.yty (Back to overview)

yty

Actor(s): APT-C-35, Donot Team, Viceroy Tiger


There is no description at this point.

References
2022-01-18ESET ResearchFacundo Muñoz, Matías Porolli
@online{muoz:20220118:donot:724cf3f, author = {Facundo Muñoz and Matías Porolli}, title = {{DoNot Go! Do not respawn!}}, date = {2022-01-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/}, language = {English}, urldate = {2022-01-18} } DoNot Go! Do not respawn!
yty
2021-10-07Amnesty InternationalAmnesty International
@techreport{international:20211007:hackersforhire:4147fd6, author = {Amnesty International}, title = {{Hackers-for-Hire in West Africa - Activist in Togo attacked with Indian-made Spyware}}, date = {2021-10-07}, institution = {Amnesty International}, url = {https://www.amnesty.org/en/wp-content/uploads/2021/10/AFR5747562021ENGLISH.pdf}, language = {English}, urldate = {2021-11-02} } Hackers-for-Hire in West Africa - Activist in Togo attacked with Indian-made Spyware
yty
2020SecureworksSecureWorks
@online{secureworks:2020:zinc:13667ec, author = {SecureWorks}, title = {{ZINC EMERSON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/zinc-emerson}, language = {English}, urldate = {2020-05-23} } ZINC EMERSON
yty QUILTED TIGER
2019-11-15Positive TechnologiesPositive Technologies
@online{technologies:20191115:studying:b64a9fd, author = {Positive Technologies}, title = {{Studying Donot Team}}, date = {2019-11-15}, organization = {Positive Technologies}, url = {http://blog.ptsecurity.com/2019/11/studying-donot-team.html}, language = {English}, urldate = {2020-01-05} } Studying Donot Team
yty
2019-08-02NSHCThreatRecon Team
@online{team:20190802:sectore02:c2237b1, author = {ThreatRecon Team}, title = {{SectorE02 Updates YTY Framework in New Targeted Campaign Against Pakistan Government}}, date = {2019-08-02}, organization = {NSHC}, url = {https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/}, language = {English}, urldate = {2020-01-08} } SectorE02 Updates YTY Framework in New Targeted Campaign Against Pakistan Government
yty
2018-07-26奇安信威胁情报中心 | 事件追踪
@online{:20180726:analysis:66722b6, author = {奇安信威胁情报中心 | 事件追踪}, title = {{Analysis of the latest attack activities of APT-C-35}}, date = {2018-07-26}, url = {https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/}, language = {Chinese}, urldate = {2020-01-08} } Analysis of the latest attack activities of APT-C-35
yty VICEROY TIGER
2018-03-08NetScoutASERT Team
@online{team:20180308:donot:6f0c645, author = {ASERT Team}, title = {{Donot Team Leverages New Modular Malware Framework in South Asia}}, date = {2018-03-08}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/}, language = {English}, urldate = {2020-01-09} } Donot Team Leverages New Modular Malware Framework in South Asia
yty
Yara Rules
[TLP:WHITE] win_yty_auto (20230407 | Detects win.yty.)
rule win_yty_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.yty."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b45d8 83e001 0f840c000000 8365d8fe 8b7508 }
            // n = 5, score = 500
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]
            //   83e001               | and                 eax, 1
            //   0f840c000000         | je                  0x12
            //   8365d8fe             | and                 dword ptr [ebp - 0x28], 0xfffffffe
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]

        $sequence_1 = { 8365d8fe 8b7508 e9???????? c3 }
            // n = 4, score = 500
            //   8365d8fe             | and                 dword ptr [ebp - 0x28], 0xfffffffe
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   e9????????           |                     
            //   c3                   | ret                 

        $sequence_2 = { 50 8d45f4 64a300000000 8b7508 33ff 897dd8 }
            // n = 6, score = 500
            //   50                   | push                eax
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   33ff                 | xor                 edi, edi
            //   897dd8               | mov                 dword ptr [ebp - 0x28], edi

        $sequence_3 = { b903000000 eb69 8a1402 2ad1 }
            // n = 4, score = 400
            //   b903000000           | mov                 ecx, 3
            //   eb69                 | jmp                 0x6b
            //   8a1402               | mov                 dl, byte ptr [edx + eax]
            //   2ad1                 | sub                 dl, cl

        $sequence_4 = { 83c40c 8d8de8fdffff 51 53 53 6a28 }
            // n = 6, score = 400
            //   83c40c               | add                 esp, 0xc
            //   8d8de8fdffff         | lea                 ecx, [ebp - 0x218]
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   6a28                 | push                0x28

        $sequence_5 = { 33c9 33c0 8d7910 85d2 0f8425010000 }
            // n = 5, score = 400
            //   33c9                 | xor                 ecx, ecx
            //   33c0                 | xor                 eax, eax
            //   8d7910               | lea                 edi, [ecx + 0x10]
            //   85d2                 | test                edx, edx
            //   0f8425010000         | je                  0x12b

        $sequence_6 = { eb34 8a1402 2ad1 8bfe 80ea04 }
            // n = 5, score = 400
            //   eb34                 | jmp                 0x36
            //   8a1402               | mov                 dl, byte ptr [edx + eax]
            //   2ad1                 | sub                 dl, cl
            //   8bfe                 | mov                 edi, esi
            //   80ea04               | sub                 dl, 4

        $sequence_7 = { 8bf9 8b7508 8b06 8b4804 8b4c3138 }
            // n = 5, score = 400
            //   8bf9                 | mov                 edi, ecx
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   8b4c3138             | mov                 ecx, dword ptr [ecx + esi + 0x38]

        $sequence_8 = { 57 50 8d45f4 64a300000000 8d8524ffffff 50 }
            // n = 6, score = 400
            //   57                   | push                edi
            //   50                   | push                eax
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8d8524ffffff         | lea                 eax, [ebp - 0xdc]
            //   50                   | push                eax

        $sequence_9 = { c645fc01 e8???????? 8b10 8b4a04 03c8 8b410c 2406 }
            // n = 7, score = 400
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   e8????????           |                     
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   8b4a04               | mov                 ecx, dword ptr [edx + 4]
            //   03c8                 | add                 ecx, eax
            //   8b410c               | mov                 eax, dword ptr [ecx + 0xc]
            //   2406                 | and                 al, 6

        $sequence_10 = { 50 ffd2 8b8568ffffff 8b08 }
            // n = 4, score = 400
            //   50                   | push                eax
            //   ffd2                 | call                edx
            //   8b8568ffffff         | mov                 eax, dword ptr [ebp - 0x98]
            //   8b08                 | mov                 ecx, dword ptr [eax]

        $sequence_11 = { 397e14 7214 8a1402 8b3e 2ad1 }
            // n = 5, score = 400
            //   397e14               | cmp                 dword ptr [esi + 0x14], edi
            //   7214                 | jb                  0x16
            //   8a1402               | mov                 dl, byte ptr [edx + eax]
            //   8b3e                 | mov                 edi, dword ptr [esi]
            //   2ad1                 | sub                 dl, cl

        $sequence_12 = { 2ad1 80ea13 33c9 881407 bf10000000 40 }
            // n = 6, score = 400
            //   2ad1                 | sub                 dl, cl
            //   80ea13               | sub                 dl, 0x13
            //   33c9                 | xor                 ecx, ecx
            //   881407               | mov                 byte ptr [edi + eax], dl
            //   bf10000000           | mov                 edi, 0x10
            //   40                   | inc                 eax

        $sequence_13 = { 8b8570ffffff 8b08 8b5108 50 }
            // n = 4, score = 400
            //   8b8570ffffff         | mov                 eax, dword ptr [ebp - 0x90]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8b5108               | mov                 edx, dword ptr [ecx + 8]
            //   50                   | push                eax

        $sequence_14 = { 668910 8bc6 5b 8be5 5d c20400 }
            // n = 6, score = 400
            //   668910               | mov                 word ptr [eax], dx
            //   8bc6                 | mov                 eax, esi
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4

        $sequence_15 = { 8b8570ffffff 8b10 50 8b4208 }
            // n = 4, score = 400
            //   8b8570ffffff         | mov                 eax, dword ptr [ebp - 0x90]
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   50                   | push                eax
            //   8b4208               | mov                 eax, dword ptr [edx + 8]

        $sequence_16 = { 895de8 885def 8975e0 85c9 7407 8b11 8b4204 }
            // n = 7, score = 400
            //   895de8               | mov                 dword ptr [ebp - 0x18], ebx
            //   885def               | mov                 byte ptr [ebp - 0x11], bl
            //   8975e0               | mov                 dword ptr [ebp - 0x20], esi
            //   85c9                 | test                ecx, ecx
            //   7407                 | je                  9
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   8b4204               | mov                 eax, dword ptr [edx + 4]

        $sequence_17 = { 8d85e8fdffff 53 50 e8???????? 83c40c 8d8de8fdffff 51 }
            // n = 7, score = 400
            //   8d85e8fdffff         | lea                 eax, [ebp - 0x218]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d8de8fdffff         | lea                 ecx, [ebp - 0x218]
            //   51                   | push                ecx

        $sequence_18 = { 7303 8d5508 8b4e10 397e14 7204 8b3e }
            // n = 6, score = 400
            //   7303                 | jae                 5
            //   8d5508               | lea                 edx, [ebp + 8]
            //   8b4e10               | mov                 ecx, dword ptr [esi + 0x10]
            //   397e14               | cmp                 dword ptr [esi + 0x14], edi
            //   7204                 | jb                  6
            //   8b3e                 | mov                 edi, dword ptr [esi]

        $sequence_19 = { c745f000000000 6aff c745fc00000000 6a00 8d4508 c746140f000000 c7461000000000 }
            // n = 7, score = 400
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   6aff                 | push                -1
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   6a00                 | push                0
            //   8d4508               | lea                 eax, [ebp + 8]
            //   c746140f000000       | mov                 dword ptr [esi + 0x14], 0xf
            //   c7461000000000       | mov                 dword ptr [esi + 0x10], 0

        $sequence_20 = { 8bfe 80ea13 b902000000 e9???????? 8b5508 397d1c }
            // n = 6, score = 400
            //   8bfe                 | mov                 edi, esi
            //   80ea13               | sub                 dl, 0x13
            //   b902000000           | mov                 ecx, 2
            //   e9????????           |                     
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   397d1c               | cmp                 dword ptr [ebp + 0x1c], edi

        $sequence_21 = { 50 8b410c ffd0 8d4f08 51 }
            // n = 5, score = 400
            //   50                   | push                eax
            //   8b410c               | mov                 eax, dword ptr [ecx + 0xc]
            //   ffd0                 | call                eax
            //   8d4f08               | lea                 ecx, [edi + 8]
            //   51                   | push                ecx

        $sequence_22 = { 8ad1 c0ea02 8ac4 80e20f }
            // n = 4, score = 300
            //   8ad1                 | mov                 dl, cl
            //   c0ea02               | shr                 dl, 2
            //   8ac4                 | mov                 al, ah
            //   80e20f               | and                 dl, 0xf

        $sequence_23 = { 56 ff15???????? 8b3d???????? 6a00 6a00 6a00 }
            // n = 6, score = 300
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8b3d????????         |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_24 = { 8b4c1938 895dd4 85c9 7405 8b01 ff5004 c745fc00000000 }
            // n = 7, score = 200
            //   8b4c1938             | mov                 ecx, dword ptr [ecx + ebx + 0x38]
            //   895dd4               | mov                 dword ptr [ebp - 0x2c], ebx
            //   85c9                 | test                ecx, ecx
            //   7405                 | je                  7
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   ff5004               | call                dword ptr [eax + 4]
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0

        $sequence_25 = { 57 8d8d38ffffff e8???????? 8d4da0 e8???????? 8d45a0 c745fc01000000 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   8d8d38ffffff         | lea                 ecx, [ebp - 0xc8]
            //   e8????????           |                     
            //   8d4da0               | lea                 ecx, [ebp - 0x60]
            //   e8????????           |                     
            //   8d45a0               | lea                 eax, [ebp - 0x60]
            //   c745fc01000000       | mov                 dword ptr [ebp - 4], 1

        $sequence_26 = { 8d50ff 8b4508 01d0 c60000 836d0c01 837d0c00 }
            // n = 6, score = 100
            //   8d50ff               | lea                 edx, [eax - 1]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   01d0                 | add                 eax, edx
            //   c60000               | mov                 byte ptr [eax], 0
            //   836d0c01             | sub                 dword ptr [ebp + 0xc], 1
            //   837d0c00             | cmp                 dword ptr [ebp + 0xc], 0

        $sequence_27 = { e8???????? 89049d60cb4300 85c0 742f 8305????????40 8bfb }
            // n = 6, score = 100
            //   e8????????           |                     
            //   89049d60cb4300       | mov                 dword ptr [ebx*4 + 0x43cb60], eax
            //   85c0                 | test                eax, eax
            //   742f                 | je                  0x31
            //   8305????????40       |                     
            //   8bfb                 | mov                 edi, ebx

        $sequence_28 = { b9???????? 0f43c7 0f1f00 8a10 3a11 751a 84d2 }
            // n = 7, score = 100
            //   b9????????           |                     
            //   0f43c7               | cmovae              eax, edi
            //   0f1f00               | nop                 dword ptr [eax]
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   3a11                 | cmp                 dl, byte ptr [ecx]
            //   751a                 | jne                 0x1c
            //   84d2                 | test                dl, dl

        $sequence_29 = { eb0c 891c24 e8???????? 85c0 7439 3bb328020000 }
            // n = 6, score = 100
            //   eb0c                 | jmp                 0xe
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7439                 | je                  0x3b
            //   3bb328020000         | cmp                 esi, dword ptr [ebx + 0x228]

        $sequence_30 = { c7858cfcffff00000000 6a40 6a00 8d8590fcffff 50 }
            // n = 5, score = 100
            //   c7858cfcffff00000000     | mov    dword ptr [ebp - 0x374], 0
            //   6a40                 | push                0x40
            //   6a00                 | push                0
            //   8d8590fcffff         | lea                 eax, [ebp - 0x370]
            //   50                   | push                eax

        $sequence_31 = { 8b7508 57 56 8975f8 e8???????? 8b15???????? 8bf8 }
            // n = 7, score = 100
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   57                   | push                edi
            //   56                   | push                esi
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   e8????????           |                     
            //   8b15????????         |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_32 = { 0f84b9000000 8975e0 8b04bda0244300 0500080000 3bf0 0f8396000000 }
            // n = 6, score = 100
            //   0f84b9000000         | je                  0xbf
            //   8975e0               | mov                 dword ptr [ebp - 0x20], esi
            //   8b04bda0244300       | mov                 eax, dword ptr [edi*4 + 0x4324a0]
            //   0500080000           | add                 eax, 0x800
            //   3bf0                 | cmp                 esi, eax
            //   0f8396000000         | jae                 0x9c

        $sequence_33 = { c70424???????? e8???????? a3???????? a1???????? 85c0 746d }
            // n = 6, score = 100
            //   c70424????????       |                     
            //   e8????????           |                     
            //   a3????????           |                     
            //   a1????????           |                     
            //   85c0                 | test                eax, eax
            //   746d                 | je                  0x6f

        $sequence_34 = { c60000 eb0d 8345f401 817df409020000 }
            // n = 4, score = 100
            //   c60000               | mov                 byte ptr [eax], 0
            //   eb0d                 | jmp                 0xf
            //   8345f401             | add                 dword ptr [ebp - 0xc], 1
            //   817df409020000       | cmp                 dword ptr [ebp - 0xc], 0x209

        $sequence_35 = { 33c9 ff750c 668908 8bce ff7508 e8???????? 8bc6 }
            // n = 7, score = 100
            //   33c9                 | xor                 ecx, ecx
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   668908               | mov                 word ptr [eax], cx
            //   8bce                 | mov                 ecx, esi
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8bc6                 | mov                 eax, esi

        $sequence_36 = { 8bf4 68204e0000 ff15???????? 3bf4 e8???????? 5f }
            // n = 6, score = 100
            //   8bf4                 | mov                 esi, esp
            //   68204e0000           | push                0x4e20
            //   ff15????????         |                     
            //   3bf4                 | cmp                 esi, esp
            //   e8????????           |                     
            //   5f                   | pop                 edi

        $sequence_37 = { 50 8d8d44b8f0ff e8???????? c645fc22 8d8d90bcf0ff 83bda4bcf0ff10 ba???????? }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8d8d44b8f0ff         | lea                 ecx, [ebp - 0xf47bc]
            //   e8????????           |                     
            //   c645fc22             | mov                 byte ptr [ebp - 4], 0x22
            //   8d8d90bcf0ff         | lea                 ecx, [ebp - 0xf4370]
            //   83bda4bcf0ff10       | cmp                 dword ptr [ebp - 0xf435c], 0x10
            //   ba????????           |                     

        $sequence_38 = { 7245 8b8dacfcffff 40 3d00100000 722e f6c11f 7405 }
            // n = 7, score = 100
            //   7245                 | jb                  0x47
            //   8b8dacfcffff         | mov                 ecx, dword ptr [ebp - 0x354]
            //   40                   | inc                 eax
            //   3d00100000           | cmp                 eax, 0x1000
            //   722e                 | jb                  0x30
            //   f6c11f               | test                cl, 0x1f
            //   7405                 | je                  7

        $sequence_39 = { a1???????? 01d0 0505010000 0fb69820604000 8b75dc 8b4508 }
            // n = 6, score = 100
            //   a1????????           |                     
            //   01d0                 | add                 eax, edx
            //   0505010000           | add                 eax, 0x105
            //   0fb69820604000       | movzx               ebx, byte ptr [eax + 0x406020]
            //   8b75dc               | mov                 esi, dword ptr [ebp - 0x24]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_40 = { 8d8d5cb8f0ff 50 e8???????? c645fc1b 8b853cb8f0ff 83f810 }
            // n = 6, score = 100
            //   8d8d5cb8f0ff         | lea                 ecx, [ebp - 0xf47a4]
            //   50                   | push                eax
            //   e8????????           |                     
            //   c645fc1b             | mov                 byte ptr [ebp - 4], 0x1b
            //   8b853cb8f0ff         | mov                 eax, dword ptr [ebp - 0xf47c4]
            //   83f810               | cmp                 eax, 0x10

        $sequence_41 = { 50 e8???????? 8b0d???????? b893244992 }
            // n = 4, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b0d????????         |                     
            //   b893244992           | mov                 eax, 0x92492493

        $sequence_42 = { 6bd116 898278a04600 68???????? 8b45fc 50 ff15???????? 3305???????? }
            // n = 7, score = 100
            //   6bd116               | imul                edx, ecx, 0x16
            //   898278a04600         | mov                 dword ptr [edx + 0x46a078], eax
            //   68????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   3305????????         |                     

        $sequence_43 = { 8b7508 c7465c28c14200 83660800 33ff 47 }
            // n = 5, score = 100
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   c7465c28c14200       | mov                 dword ptr [esi + 0x5c], 0x42c128
            //   83660800             | and                 dword ptr [esi + 8], 0
            //   33ff                 | xor                 edi, edi
            //   47                   | inc                 edi

        $sequence_44 = { c705????????4b154100 8935???????? a3???????? ff15???????? a3???????? 83f8ff 0f84c1000000 }
            // n = 7, score = 100
            //   c705????????4b154100     |     
            //   8935????????         |                     
            //   a3????????           |                     
            //   ff15????????         |                     
            //   a3????????           |                     
            //   83f8ff               | cmp                 eax, -1
            //   0f84c1000000         | je                  0xc7

        $sequence_45 = { 8b45f8 0fb70c45cce14500 3bd1 7504 33c0 eb07 ebd8 }
            // n = 7, score = 100
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   0fb70c45cce14500     | movzx               ecx, word ptr [eax*2 + 0x45e1cc]
            //   3bd1                 | cmp                 edx, ecx
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax
            //   eb07                 | jmp                 9
            //   ebd8                 | jmp                 0xffffffda

        $sequence_46 = { c1fa05 c1e006 030495a0244300 eb05 }
            // n = 4, score = 100
            //   c1fa05               | sar                 edx, 5
            //   c1e006               | shl                 eax, 6
            //   030495a0244300       | add                 eax, dword ptr [edx*4 + 0x4324a0]
            //   eb05                 | jmp                 7

        $sequence_47 = { 0505010000 0fb68020604000 3c5c 751e 8b15???????? a1???????? 01c2 }
            // n = 7, score = 100
            //   0505010000           | add                 eax, 0x105
            //   0fb68020604000       | movzx               eax, byte ptr [eax + 0x406020]
            //   3c5c                 | cmp                 al, 0x5c
            //   751e                 | jne                 0x20
            //   8b15????????         |                     
            //   a1????????           |                     
            //   01c2                 | add                 edx, eax

        $sequence_48 = { 50 c78520efffffcc584600 e8???????? 83c404 }
            // n = 4, score = 100
            //   50                   | push                eax
            //   c78520efffffcc584600     | mov    dword ptr [ebp - 0x10e0], 0x4658cc
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_49 = { 8b55dc a1???????? 01c2 a1???????? 01d0 0505010000 }
            // n = 6, score = 100
            //   8b55dc               | mov                 edx, dword ptr [ebp - 0x24]
            //   a1????????           |                     
            //   01c2                 | add                 edx, eax
            //   a1????????           |                     
            //   01d0                 | add                 eax, edx
            //   0505010000           | add                 eax, 0x105

        $sequence_50 = { 56 57 33ff ffb744fe4200 ff15???????? 898744fe4200 83c704 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   ffb744fe4200         | push                dword ptr [edi + 0x42fe44]
            //   ff15????????         |                     
            //   898744fe4200         | mov                 dword ptr [edi + 0x42fe44], eax
            //   83c704               | add                 edi, 4

        $sequence_51 = { c78324020000ffffffff c7832802000000000000 83c418 5b c3 }
            // n = 5, score = 100
            //   c78324020000ffffffff     | mov    dword ptr [ebx + 0x224], 0xffffffff
            //   c7832802000000000000     | mov    dword ptr [ebx + 0x228], 0
            //   83c418               | add                 esp, 0x18
            //   5b                   | pop                 ebx
            //   c3                   | ret                 

        $sequence_52 = { 85c0 0f84ce000000 66660f1f840000000000 8b95f8fdffff 85d2 0f84b6000000 }
            // n = 6, score = 100
            //   85c0                 | test                eax, eax
            //   0f84ce000000         | je                  0xd4
            //   66660f1f840000000000     | nop    word ptr [eax + eax]
            //   8b95f8fdffff         | mov                 edx, dword ptr [ebp - 0x208]
            //   85d2                 | test                edx, edx
            //   0f84b6000000         | je                  0xbc

        $sequence_53 = { 8b4508 83f804 7709 8b048568b44200 5d c3 }
            // n = 6, score = 100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   83f804               | cmp                 eax, 4
            //   7709                 | ja                  0xb
            //   8b048568b44200       | mov                 eax, dword ptr [eax*4 + 0x42b468]
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_54 = { ff15???????? b90180ffff 663bc1 75b6 8d8d90bcf0ff e8???????? 8bf0 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   b90180ffff           | mov                 ecx, 0xffff8001
            //   663bc1               | cmp                 ax, cx
            //   75b6                 | jne                 0xffffffb8
            //   8d8d90bcf0ff         | lea                 ecx, [ebp - 0xf4370]
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax

    condition:
        7 of them and filesize < 1097728
}
[TLP:WHITE] win_yty_w0   (20180312 | Modular malware framework with similarities to EHDevel)
import "pe"

rule win_yty_w0 {
    meta:
        author = "James E.C, ProofPoint"
        description = "Modular malware framework with similarities to EHDevel"
        hash = "1e0c1b97925e1ed90562d2c68971e038d8506b354dd6c1d2bcc252d2a48bc31c"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty"
        malpedia_version = "20180312"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $x1 = "/football/download2/" ascii wide
        $x2 = "/football/download/" ascii wide
        $x3 = "Caption: Xp>" wide

        $x_c2 = "5.135.199.0" ascii fullword

        $a1 = "getGoogle" ascii fullword
        $a2 = "/q /noretstart" wide
        $a3 = "IsInSandbox" ascii fullword
        $a4 = "syssystemnew" ascii fullword
        $a5 = "ytyinfo" ascii fullword
        $a6 = "\\ytyboth\\yty " ascii

        $s1 = "SELECT Name FROM Win32_Processor" wide
        $s2 = "SELECT Caption FROM Win32_OperatingSystem" wide
        $s3 = "SELECT SerialNumber FROM Win32_DiskDrive" wide
        $s4 = "VM: Yes" wide fullword
        $s5 = "VM: No" wide fullword
        $s6 = "helpdll.dll" ascii fullword
        $s7 = "boothelp.exe" ascii fullword
        $s8 = "SbieDll.dll" wide fullword
        $s9 = "dbghelp.dll" wide fullword
        $s10 = "YesNoMaybe" ascii fullword
        $s11 = "saveData" ascii fullword
        $s12 = "saveLogs" ascii fullword
    condition:
        pe.imphash() == "87775285899fa860b9963b11596a2ded" or 1 of ($x*) or 3 of ($a*) or 6 of ($s*)
}
Download all Yara Rules