SYMBOLCOMMON_NAMEaka. SYNONYMS
win.yty (Back to overview)

yty

Actor(s): APT-C-35, Donot Team, EHDevel


There is no description at this point.

References
2020SecureworksSecureWorks
@online{secureworks:2020:zinc:13667ec, author = {SecureWorks}, title = {{ZINC EMERSON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/zinc-emerson}, language = {English}, urldate = {2020-05-23} } ZINC EMERSON
yty Dropping Elephant
2019-11-15Positive TechnologiesPositive Technologies
@online{technologies:20191115:studying:b64a9fd, author = {Positive Technologies}, title = {{Studying Donot Team}}, date = {2019-11-15}, organization = {Positive Technologies}, url = {http://blog.ptsecurity.com/2019/11/studying-donot-team.html}, language = {English}, urldate = {2020-01-05} } Studying Donot Team
yty
2019-08-02NSHCThreatRecon Team
@online{team:20190802:sectore02:c2237b1, author = {ThreatRecon Team}, title = {{SectorE02 Updates YTY Framework in New Targeted Campaign Against Pakistan Government}}, date = {2019-08-02}, organization = {NSHC}, url = {https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/}, language = {English}, urldate = {2020-01-08} } SectorE02 Updates YTY Framework in New Targeted Campaign Against Pakistan Government
yty
2018-07-26奇安信威胁情报中心 | 事件追踪
@online{:20180726:analysis:66722b6, author = {奇安信威胁情报中心 | 事件追踪}, title = {{Analysis of the latest attack activities of APT-C-35}}, date = {2018-07-26}, url = {https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/}, language = {Chinese}, urldate = {2020-01-08} } Analysis of the latest attack activities of APT-C-35
yty APT-C-35
2018-03-08NetScoutASERT Team
@online{team:20180308:donot:6f0c645, author = {ASERT Team}, title = {{Donot Team Leverages New Modular Malware Framework in South Asia}}, date = {2018-03-08}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/}, language = {English}, urldate = {2020-01-09} } Donot Team Leverages New Modular Malware Framework in South Asia
yty
Yara Rules
[TLP:WHITE] win_yty_auto (20211008 | Detects win.yty.)
rule win_yty_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.yty."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 56 8b7508 0f84d5000000 83e80d 0f84a0000000 }
            // n = 5, score = 600
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   0f84d5000000         | je                  0xdb
            //   83e80d               | sub                 eax, 0xd
            //   0f84a0000000         | je                  0xa6

        $sequence_1 = { 8b4d10 0fb7c1 83e868 7441 }
            // n = 4, score = 600
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   0fb7c1               | movzx               eax, cx
            //   83e868               | sub                 eax, 0x68
            //   7441                 | je                  0x43

        $sequence_2 = { 0f84a0000000 2d02010000 7422 8b4514 8b5510 }
            // n = 5, score = 600
            //   0f84a0000000         | je                  0xa6
            //   2d02010000           | sub                 eax, 0x102
            //   7422                 | je                  0x24
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]

        $sequence_3 = { 48 7423 8b4514 50 51 6811010000 56 }
            // n = 7, score = 600
            //   48                   | dec                 eax
            //   7423                 | je                  0x25
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   6811010000           | push                0x111
            //   56                   | push                esi

        $sequence_4 = { 50 8d45f4 64a300000000 8b7508 33ff 897dd8 }
            // n = 6, score = 500
            //   50                   | push                eax
            //   8d45f4               | lea                 eax, dword ptr [ebp - 0xc]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   33ff                 | xor                 edi, edi
            //   897dd8               | mov                 dword ptr [ebp - 0x28], edi

        $sequence_5 = { 0f840c000000 8365d8fe 8b7508 e9???????? c3 8b542408 8d420c }
            // n = 7, score = 500
            //   0f840c000000         | je                  0x12
            //   8365d8fe             | and                 dword ptr [ebp - 0x28], 0xfffffffe
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   e9????????           |                     
            //   c3                   | ret                 
            //   8b542408             | mov                 edx, dword ptr [esp + 8]
            //   8d420c               | lea                 eax, dword ptr [edx + 0xc]

        $sequence_6 = { 83ec1c 8bcc 89642430 6aff 57 }
            // n = 5, score = 400
            //   83ec1c               | sub                 esp, 0x1c
            //   8bcc                 | mov                 ecx, esp
            //   89642430             | mov                 dword ptr [esp + 0x30], esp
            //   6aff                 | push                -1
            //   57                   | push                edi

        $sequence_7 = { 64a300000000 8d8524ffffff 50 e8???????? }
            // n = 4, score = 400
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8d8524ffffff         | lea                 eax, dword ptr [ebp - 0xdc]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_8 = { ffd2 8b8568ffffff 8b08 8b5108 }
            // n = 4, score = 400
            //   ffd2                 | call                edx
            //   8b8568ffffff         | mov                 eax, dword ptr [ebp - 0x98]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8b5108               | mov                 edx, dword ptr [ecx + 8]

        $sequence_9 = { eb23 8b5508 397d1c 7303 8d5508 }
            // n = 5, score = 400
            //   eb23                 | jmp                 0x25
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   397d1c               | cmp                 dword ptr [ebp + 0x1c], edi
            //   7303                 | jae                 5
            //   8d5508               | lea                 edx, dword ptr [ebp + 8]

        $sequence_10 = { 80ea13 b903000000 eb58 8b5508 397d1c }
            // n = 5, score = 400
            //   80ea13               | sub                 dl, 0x13
            //   b903000000           | mov                 ecx, 3
            //   eb58                 | jmp                 0x5a
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   397d1c               | cmp                 dword ptr [ebp + 0x1c], edi

        $sequence_11 = { 5f 668910 8bc6 5b 8be5 5d c20400 }
            // n = 7, score = 400
            //   5f                   | pop                 edi
            //   668910               | mov                 word ptr [eax], dx
            //   8bc6                 | mov                 eax, esi
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4

        $sequence_12 = { b902000000 e9???????? 8a1402 2ad1 }
            // n = 4, score = 400
            //   b902000000           | mov                 ecx, 2
            //   e9????????           |                     
            //   8a1402               | mov                 dl, byte ptr [edx + eax]
            //   2ad1                 | sub                 dl, cl

        $sequence_13 = { 885def 8975e0 85c9 7407 8b11 8b4204 ffd0 }
            // n = 7, score = 400
            //   885def               | mov                 byte ptr [ebp - 0x11], bl
            //   8975e0               | mov                 dword ptr [ebp - 0x20], esi
            //   85c9                 | test                ecx, ecx
            //   7407                 | je                  9
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   8b4204               | mov                 eax, dword ptr [edx + 4]
            //   ffd0                 | call                eax

        $sequence_14 = { 83c40c 8d8de8fdffff 51 53 53 6a28 }
            // n = 6, score = 400
            //   83c40c               | add                 esp, 0xc
            //   8d8de8fdffff         | lea                 ecx, dword ptr [ebp - 0x218]
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   6a28                 | push                0x28

        $sequence_15 = { e9???????? 8a1402 2ad1 8bfe 80ea13 b902000000 e9???????? }
            // n = 7, score = 400
            //   e9????????           |                     
            //   8a1402               | mov                 dl, byte ptr [edx + eax]
            //   2ad1                 | sub                 dl, cl
            //   8bfe                 | mov                 edi, esi
            //   80ea13               | sub                 dl, 0x13
            //   b902000000           | mov                 ecx, 2
            //   e9????????           |                     

        $sequence_16 = { 33c9 33c0 8d7910 85d2 0f8425010000 }
            // n = 5, score = 400
            //   33c9                 | xor                 ecx, ecx
            //   33c0                 | xor                 eax, eax
            //   8d7910               | lea                 edi, dword ptr [ecx + 0x10]
            //   85d2                 | test                edx, edx
            //   0f8425010000         | je                  0x12b

        $sequence_17 = { 33c9 881407 bf10000000 40 3b4610 0f82dbfeffff 397d1c }
            // n = 7, score = 400
            //   33c9                 | xor                 ecx, ecx
            //   881407               | mov                 byte ptr [edi + eax], dl
            //   bf10000000           | mov                 edi, 0x10
            //   40                   | inc                 eax
            //   3b4610               | cmp                 eax, dword ptr [esi + 0x10]
            //   0f82dbfeffff         | jb                  0xfffffee1
            //   397d1c               | cmp                 dword ptr [ebp + 0x1c], edi

        $sequence_18 = { 0f82dbfeffff 397d1c 720c 8b4508 50 e8???????? }
            // n = 6, score = 400
            //   0f82dbfeffff         | jb                  0xfffffee1
            //   397d1c               | cmp                 dword ptr [ebp + 0x1c], edi
            //   720c                 | jb                  0xe
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_19 = { a1???????? 33c5 50 8d45f4 64a300000000 c745f000000000 6aff }
            // n = 7, score = 400
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   50                   | push                eax
            //   8d45f4               | lea                 eax, dword ptr [ebp - 0xc]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   6aff                 | push                -1

        $sequence_20 = { 33db 895de8 885def 8975e0 }
            // n = 4, score = 400
            //   33db                 | xor                 ebx, ebx
            //   895de8               | mov                 dword ptr [ebp - 0x18], ebx
            //   885def               | mov                 byte ptr [ebp - 0x11], bl
            //   8975e0               | mov                 dword ptr [ebp - 0x20], esi

        $sequence_21 = { 8139ff6f4093 7615 e8???????? c70016000000 }
            // n = 4, score = 300
            //   8139ff6f4093         | cmp                 dword ptr [ecx], 0x93406fff
            //   7615                 | jbe                 0x17
            //   e8????????           |                     
            //   c70016000000         | mov                 dword ptr [eax], 0x16

        $sequence_22 = { 8b5508 837a0800 7d21 8b4508 8b4808 83c118 8b5508 }
            // n = 7, score = 300
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   837a0800             | cmp                 dword ptr [edx + 8], 0
            //   7d21                 | jge                 0x23
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b4808               | mov                 ecx, dword ptr [eax + 8]
            //   83c118               | add                 ecx, 0x18
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]

        $sequence_23 = { 8901 8b5508 833a00 7d1f }
            // n = 4, score = 300
            //   8901                 | mov                 dword ptr [ecx], eax
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   833a00               | cmp                 dword ptr [edx], 0
            //   7d1f                 | jge                 0x21

        $sequence_24 = { e8???????? 83c414 b816000000 e9???????? 6a24 68ff000000 8b5508 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   b816000000           | mov                 eax, 0x16
            //   e9????????           |                     
            //   6a24                 | push                0x24
            //   68ff000000           | push                0xff
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]

        $sequence_25 = { 68f4010000 50 e8???????? 83c40c }
            // n = 4, score = 300
            //   68f4010000           | push                0x1f4
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_26 = { 50 e8???????? 8b4d08 894108 }
            // n = 4, score = 300
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   894108               | mov                 dword ptr [ecx + 8], eax

        $sequence_27 = { 833900 7315 e8???????? c70016000000 }
            // n = 4, score = 300
            //   833900               | cmp                 dword ptr [ecx], 0
            //   7315                 | jae                 0x17
            //   e8????????           |                     
            //   c70016000000         | mov                 dword ptr [eax], 0x16

        $sequence_28 = { 833a00 7d1f 8b4508 8b08 83c13c }
            // n = 5, score = 300
            //   833a00               | cmp                 dword ptr [edx], 0
            //   7d1f                 | jge                 0x21
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   83c13c               | add                 ecx, 0x3c

        $sequence_29 = { 8b4c1938 895dd4 85c9 7405 8b01 ff5004 c745fc00000000 }
            // n = 7, score = 200
            //   8b4c1938             | mov                 ecx, dword ptr [ecx + ebx + 0x38]
            //   895dd4               | mov                 dword ptr [ebp - 0x2c], ebx
            //   85c9                 | test                ecx, ecx
            //   7405                 | je                  7
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   ff5004               | call                dword ptr [eax + 4]
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0

        $sequence_30 = { 59 80cb01 8bc6 c1f805 8d0c85a0244300 8bc6 }
            // n = 6, score = 100
            //   59                   | pop                 ecx
            //   80cb01               | or                  bl, 1
            //   8bc6                 | mov                 eax, esi
            //   c1f805               | sar                 eax, 5
            //   8d0c85a0244300       | lea                 ecx, dword ptr [eax*4 + 0x4324a0]
            //   8bc6                 | mov                 eax, esi

        $sequence_31 = { 740a 66c7841e2c0200005c00 89f8 8b08 83c004 8d91fffefefe f7d1 }
            // n = 7, score = 100
            //   740a                 | je                  0xc
            //   66c7841e2c0200005c00     | mov    word ptr [esi + ebx + 0x22c], 0x5c
            //   89f8                 | mov                 eax, edi
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   83c004               | add                 eax, 4
            //   8d91fffefefe         | lea                 edx, dword ptr [ecx - 0x1010101]
            //   f7d1                 | not                 ecx

        $sequence_32 = { 85c0 0f849d040000 8b45d4 83c008 8944240c c7442408???????? }
            // n = 6, score = 100
            //   85c0                 | test                eax, eax
            //   0f849d040000         | je                  0x4a3
            //   8b45d4               | mov                 eax, dword ptr [ebp - 0x2c]
            //   83c008               | add                 eax, 8
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   c7442408????????     |                     

        $sequence_33 = { 56 57 33f6 bf???????? 833cf584fe420001 751d 8d04f580fe4200 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   33f6                 | xor                 esi, esi
            //   bf????????           |                     
            //   833cf584fe420001     | cmp                 dword ptr [esi*8 + 0x42fe84], 1
            //   751d                 | jne                 0x1f
            //   8d04f580fe4200       | lea                 eax, dword ptr [esi*8 + 0x42fe80]

        $sequence_34 = { 8d95d8fcffff 52 6a00 ff15???????? 3bf4 e8???????? }
            // n = 6, score = 100
            //   8d95d8fcffff         | lea                 edx, dword ptr [ebp - 0x328]
            //   52                   | push                edx
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   3bf4                 | cmp                 esi, esp
            //   e8????????           |                     

        $sequence_35 = { 3d01010000 7d0d 8a4c181c 888870f74200 40 }
            // n = 5, score = 100
            //   3d01010000           | cmp                 eax, 0x101
            //   7d0d                 | jge                 0xf
            //   8a4c181c             | mov                 cl, byte ptr [eax + ebx + 0x1c]
            //   888870f74200         | mov                 byte ptr [eax + 0x42f770], cl
            //   40                   | inc                 eax

        $sequence_36 = { 8d4198 89840d84feffff 8d8d8cfeffff e8???????? }
            // n = 4, score = 100
            //   8d4198               | lea                 eax, dword ptr [ecx - 0x68]
            //   89840d84feffff       | mov                 dword ptr [ebp + ecx - 0x17c], eax
            //   8d8d8cfeffff         | lea                 ecx, dword ptr [ebp - 0x174]
            //   e8????????           |                     

        $sequence_37 = { 50 8b04bd60cb4300 ff743018 ff15???????? 85c0 0f95c0 5f }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8b04bd60cb4300       | mov                 eax, dword ptr [edi*4 + 0x43cb60]
            //   ff743018             | push                dword ptr [eax + esi + 0x18]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f95c0               | setne               al
            //   5f                   | pop                 edi

        $sequence_38 = { 6bc930 8975e0 8db190f94200 8975e4 eb2b 8a4601 84c0 }
            // n = 7, score = 100
            //   6bc930               | imul                ecx, ecx, 0x30
            //   8975e0               | mov                 dword ptr [ebp - 0x20], esi
            //   8db190f94200         | lea                 esi, dword ptr [ecx + 0x42f990]
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi
            //   eb2b                 | jmp                 0x2d
            //   8a4601               | mov                 al, byte ptr [esi + 1]
            //   84c0                 | test                al, al

        $sequence_39 = { e8???????? c7042488130000 e8???????? 83ec04 c7442404???????? }
            // n = 5, score = 100
            //   e8????????           |                     
            //   c7042488130000       | mov                 dword ptr [esp], 0x1388
            //   e8????????           |                     
            //   83ec04               | sub                 esp, 4
            //   c7442404????????     |                     

        $sequence_40 = { 55 89e5 eb12 8b450c 8d50ff }
            // n = 5, score = 100
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   eb12                 | jmp                 0x14
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8d50ff               | lea                 edx, dword ptr [eax - 1]

        $sequence_41 = { 7e38 8b4604 8b0c18 397c11fc }
            // n = 4, score = 100
            //   7e38                 | jle                 0x3a
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   8b0c18               | mov                 ecx, dword ptr [eax + ebx]
            //   397c11fc             | cmp                 dword ptr [ecx + edx - 4], edi

        $sequence_42 = { 8b45d4 8b75e8 83fe10 8d4dd4 }
            // n = 4, score = 100
            //   8b45d4               | mov                 eax, dword ptr [ebp - 0x2c]
            //   8b75e8               | mov                 esi, dword ptr [ebp - 0x18]
            //   83fe10               | cmp                 esi, 0x10
            //   8d4dd4               | lea                 ecx, dword ptr [ebp - 0x2c]

        $sequence_43 = { 83ec28 c745f400000000 eb20 8b5508 }
            // n = 4, score = 100
            //   83ec28               | sub                 esp, 0x28
            //   c745f400000000       | mov                 dword ptr [ebp - 0xc], 0
            //   eb20                 | jmp                 0x22
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]

        $sequence_44 = { b8cccccccc f3ab c745f800000000 c745d400000000 8b450c 83e801 8945e0 }
            // n = 7, score = 100
            //   b8cccccccc           | mov                 eax, 0xcccccccc
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0
            //   c745d400000000       | mov                 dword ptr [ebp - 0x2c], 0
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   83e801               | sub                 eax, 1
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax

        $sequence_45 = { 0f8715040000 ff249d3a0d4100 8b46e4 3b42e4 0f8481000000 0fb6f8 }
            // n = 6, score = 100
            //   0f8715040000         | ja                  0x41b
            //   ff249d3a0d4100       | jmp                 dword ptr [ebx*4 + 0x410d3a]
            //   8b46e4               | mov                 eax, dword ptr [esi - 0x1c]
            //   3b42e4               | cmp                 eax, dword ptr [edx - 0x1c]
            //   0f8481000000         | je                  0x87
            //   0fb6f8               | movzx               edi, al

        $sequence_46 = { c7042464000000 e8???????? 83ec04 c70424???????? e8???????? }
            // n = 5, score = 100
            //   c7042464000000       | mov                 dword ptr [esp], 0x64
            //   e8????????           |                     
            //   83ec04               | sub                 esp, 4
            //   c70424????????       |                     
            //   e8????????           |                     

        $sequence_47 = { 7313 3bfb 8bc3 8bce 0f42c7 }
            // n = 5, score = 100
            //   7313                 | jae                 0x15
            //   3bfb                 | cmp                 edi, ebx
            //   8bc3                 | mov                 eax, ebx
            //   8bce                 | mov                 ecx, esi
            //   0f42c7               | cmovb               eax, edi

        $sequence_48 = { 8bce 83e11f c1e106 8b0485a0244300 8d440804 8020fe 56 }
            // n = 7, score = 100
            //   8bce                 | mov                 ecx, esi
            //   83e11f               | and                 ecx, 0x1f
            //   c1e106               | shl                 ecx, 6
            //   8b0485a0244300       | mov                 eax, dword ptr [eax*4 + 0x4324a0]
            //   8d440804             | lea                 eax, dword ptr [eax + ecx + 4]
            //   8020fe               | and                 byte ptr [eax], 0xfe
            //   56                   | push                esi

        $sequence_49 = { 7443 83e801 0f8501010000 c745e08c044300 8b4508 8bcf 8b7510 }
            // n = 7, score = 100
            //   7443                 | je                  0x45
            //   83e801               | sub                 eax, 1
            //   0f8501010000         | jne                 0x107
            //   c745e08c044300       | mov                 dword ptr [ebp - 0x20], 0x43048c
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8bcf                 | mov                 ecx, edi
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]

        $sequence_50 = { 81ecb0000000 c745ef66696c65 c745f32e747874 c645f700 c7458b00000000 }
            // n = 5, score = 100
            //   81ecb0000000         | sub                 esp, 0xb0
            //   c745ef66696c65       | mov                 dword ptr [ebp - 0x11], 0x656c6966
            //   c745f32e747874       | mov                 dword ptr [ebp - 0xd], 0x7478742e
            //   c645f700             | mov                 byte ptr [ebp - 9], 0
            //   c7458b00000000       | mov                 dword ptr [ebp - 0x75], 0

        $sequence_51 = { c70424???????? e8???????? eb0c c70424???????? e8???????? 90 81c4b0000000 }
            // n = 7, score = 100
            //   c70424????????       |                     
            //   e8????????           |                     
            //   eb0c                 | jmp                 0xe
            //   c70424????????       |                     
            //   e8????????           |                     
            //   90                   | nop                 
            //   81c4b0000000         | add                 esp, 0xb0

    condition:
        7 of them and filesize < 1097728
}
[TLP:WHITE] win_yty_w0   (20180312 | Modular malware framework with similarities to EHDevel)
import "pe"

rule win_yty_w0 {
    meta:
        author = "James E.C, ProofPoint"
        description = "Modular malware framework with similarities to EHDevel"
        hash = "1e0c1b97925e1ed90562d2c68971e038d8506b354dd6c1d2bcc252d2a48bc31c"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty"
        malpedia_version = "20180312"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $x1 = "/football/download2/" ascii wide
        $x2 = "/football/download/" ascii wide
        $x3 = "Caption: Xp>" wide

        $x_c2 = "5.135.199.0" ascii fullword

        $a1 = "getGoogle" ascii fullword
        $a2 = "/q /noretstart" wide
        $a3 = "IsInSandbox" ascii fullword
        $a4 = "syssystemnew" ascii fullword
        $a5 = "ytyinfo" ascii fullword
        $a6 = "\\ytyboth\\yty " ascii

        $s1 = "SELECT Name FROM Win32_Processor" wide
        $s2 = "SELECT Caption FROM Win32_OperatingSystem" wide
        $s3 = "SELECT SerialNumber FROM Win32_DiskDrive" wide
        $s4 = "VM: Yes" wide fullword
        $s5 = "VM: No" wide fullword
        $s6 = "helpdll.dll" ascii fullword
        $s7 = "boothelp.exe" ascii fullword
        $s8 = "SbieDll.dll" wide fullword
        $s9 = "dbghelp.dll" wide fullword
        $s10 = "YesNoMaybe" ascii fullword
        $s11 = "saveData" ascii fullword
        $s12 = "saveLogs" ascii fullword
    condition:
        pe.imphash() == "87775285899fa860b9963b11596a2ded" or 1 of ($x*) or 3 of ($a*) or 6 of ($s*)
}
Download all Yara Rules