SYMBOLCOMMON_NAMEaka. SYNONYMS
win.yty (Back to overview)

yty

Actor(s): APT-C-35, Donot Team, Viceroy Tiger


There is no description at this point.

References
2022-01-18ESET ResearchFacundo Muñoz, Matías Porolli
@online{muoz:20220118:donot:724cf3f, author = {Facundo Muñoz and Matías Porolli}, title = {{DoNot Go! Do not respawn!}}, date = {2022-01-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/}, language = {English}, urldate = {2022-01-18} } DoNot Go! Do not respawn!
yty
2021-10-07Amnesty InternationalAmnesty International
@techreport{international:20211007:hackersforhire:4147fd6, author = {Amnesty International}, title = {{Hackers-for-Hire in West Africa - Activist in Togo attacked with Indian-made Spyware}}, date = {2021-10-07}, institution = {Amnesty International}, url = {https://www.amnesty.org/en/wp-content/uploads/2021/10/AFR5747562021ENGLISH.pdf}, language = {English}, urldate = {2021-11-02} } Hackers-for-Hire in West Africa - Activist in Togo attacked with Indian-made Spyware
yty
2020SecureworksSecureWorks
@online{secureworks:2020:zinc:13667ec, author = {SecureWorks}, title = {{ZINC EMERSON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/zinc-emerson}, language = {English}, urldate = {2020-05-23} } ZINC EMERSON
yty QUILTED TIGER
2019-11-15Positive TechnologiesPositive Technologies
@online{technologies:20191115:studying:b64a9fd, author = {Positive Technologies}, title = {{Studying Donot Team}}, date = {2019-11-15}, organization = {Positive Technologies}, url = {http://blog.ptsecurity.com/2019/11/studying-donot-team.html}, language = {English}, urldate = {2020-01-05} } Studying Donot Team
yty
2019-08-02NSHCThreatRecon Team
@online{team:20190802:sectore02:c2237b1, author = {ThreatRecon Team}, title = {{SectorE02 Updates YTY Framework in New Targeted Campaign Against Pakistan Government}}, date = {2019-08-02}, organization = {NSHC}, url = {https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/}, language = {English}, urldate = {2020-01-08} } SectorE02 Updates YTY Framework in New Targeted Campaign Against Pakistan Government
yty
2018-07-26奇安信威胁情报中心 | 事件追踪
@online{:20180726:analysis:66722b6, author = {奇安信威胁情报中心 | 事件追踪}, title = {{Analysis of the latest attack activities of APT-C-35}}, date = {2018-07-26}, url = {https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/}, language = {Chinese}, urldate = {2020-01-08} } Analysis of the latest attack activities of APT-C-35
yty VICEROY TIGER
2018-03-08NetScoutASERT Team
@online{team:20180308:donot:6f0c645, author = {ASERT Team}, title = {{Donot Team Leverages New Modular Malware Framework in South Asia}}, date = {2018-03-08}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/}, language = {English}, urldate = {2020-01-09} } Donot Team Leverages New Modular Malware Framework in South Asia
yty
Yara Rules
[TLP:WHITE] win_yty_auto (20230125 | Detects win.yty.)
rule win_yty_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.yty."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d45f4 64a300000000 8b7508 33ff 897dd8 }
            // n = 5, score = 500
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   33ff                 | xor                 edi, edi
            //   897dd8               | mov                 dword ptr [ebp - 0x28], edi

        $sequence_1 = { c745fc00000000 6a00 8d4508 c746140f000000 c7461000000000 50 }
            // n = 6, score = 400
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   6a00                 | push                0
            //   8d4508               | lea                 eax, [ebp + 8]
            //   c746140f000000       | mov                 dword ptr [esi + 0x14], 0xf
            //   c7461000000000       | mov                 dword ptr [esi + 0x10], 0
            //   50                   | push                eax

        $sequence_2 = { 33c5 50 8d45f4 64a300000000 c745f000000000 6aff c745fc00000000 }
            // n = 7, score = 400
            //   33c5                 | xor                 eax, ebp
            //   50                   | push                eax
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   6aff                 | push                -1
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0

        $sequence_3 = { 51 e8???????? 83c408 8bf0 6a0a 8bce e8???????? }
            // n = 7, score = 400
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8bf0                 | mov                 esi, eax
            //   6a0a                 | push                0xa
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     

        $sequence_4 = { 894604 894608 8945fc 56 c745f001000000 e8???????? }
            // n = 6, score = 400
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   56                   | push                esi
            //   c745f001000000       | mov                 dword ptr [ebp - 0x10], 1
            //   e8????????           |                     

        $sequence_5 = { 6a00 8bcf c645fc02 e8???????? 8b0e }
            // n = 5, score = 400
            //   6a00                 | push                0
            //   8bcf                 | mov                 ecx, edi
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   e8????????           |                     
            //   8b0e                 | mov                 ecx, dword ptr [esi]

        $sequence_6 = { 668910 8bc6 5b 8be5 5d c20400 }
            // n = 6, score = 400
            //   668910               | mov                 word ptr [eax], dx
            //   8bc6                 | mov                 eax, esi
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4

        $sequence_7 = { 8d5508 8b4e10 397e14 7204 8b3e eb02 }
            // n = 6, score = 400
            //   8d5508               | lea                 edx, [ebp + 8]
            //   8b4e10               | mov                 ecx, dword ptr [esi + 0x10]
            //   397e14               | cmp                 dword ptr [esi + 0x14], edi
            //   7204                 | jb                  6
            //   8b3e                 | mov                 edi, dword ptr [esi]
            //   eb02                 | jmp                 4

        $sequence_8 = { 8b5610 33c9 33c0 8d7910 }
            // n = 4, score = 400
            //   8b5610               | mov                 edx, dword ptr [esi + 0x10]
            //   33c9                 | xor                 ecx, ecx
            //   33c0                 | xor                 eax, eax
            //   8d7910               | lea                 edi, [ecx + 0x10]

        $sequence_9 = { 50 e8???????? 83c40c 8d8de8fdffff 51 53 }
            // n = 6, score = 400
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d8de8fdffff         | lea                 ecx, [ebp - 0x218]
            //   51                   | push                ecx
            //   53                   | push                ebx

        $sequence_10 = { b902000000 e9???????? 8a1402 2ad1 8bfe 80ea13 b902000000 }
            // n = 7, score = 400
            //   b902000000           | mov                 ecx, 2
            //   e9????????           |                     
            //   8a1402               | mov                 dl, byte ptr [edx + eax]
            //   2ad1                 | sub                 dl, cl
            //   8bfe                 | mov                 edi, esi
            //   80ea13               | sub                 dl, 0x13
            //   b902000000           | mov                 ecx, 2

        $sequence_11 = { 8d8de8fdffff 51 53 53 6a28 53 ff15???????? }
            // n = 7, score = 400
            //   8d8de8fdffff         | lea                 ecx, [ebp - 0x218]
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   6a28                 | push                0x28
            //   53                   | push                ebx
            //   ff15????????         |                     

        $sequence_12 = { 8975e0 85c9 7407 8b11 8b4204 }
            // n = 5, score = 400
            //   8975e0               | mov                 dword ptr [ebp - 0x20], esi
            //   85c9                 | test                ecx, ecx
            //   7407                 | je                  9
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   8b4204               | mov                 eax, dword ptr [edx + 4]

        $sequence_13 = { 8b08 8b5108 50 ffd2 ff15???????? 8a857bffffff }
            // n = 6, score = 400
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8b5108               | mov                 edx, dword ptr [ecx + 8]
            //   50                   | push                eax
            //   ffd2                 | call                edx
            //   ff15????????         |                     
            //   8a857bffffff         | mov                 al, byte ptr [ebp - 0x85]

        $sequence_14 = { c645fc01 e8???????? 8b10 8b4a04 03c8 }
            // n = 5, score = 400
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   e8????????           |                     
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   8b4a04               | mov                 ecx, dword ptr [edx + 4]
            //   03c8                 | add                 ecx, eax

        $sequence_15 = { 8b3e 2ad1 80ea04 b904000000 eb34 8a1402 2ad1 }
            // n = 7, score = 400
            //   8b3e                 | mov                 edi, dword ptr [esi]
            //   2ad1                 | sub                 dl, cl
            //   80ea04               | sub                 dl, 4
            //   b904000000           | mov                 ecx, 4
            //   eb34                 | jmp                 0x36
            //   8a1402               | mov                 dl, byte ptr [edx + eax]
            //   2ad1                 | sub                 dl, cl

        $sequence_16 = { 8bfe 80ea04 b904000000 eb23 8b5508 397d1c 7303 }
            // n = 7, score = 400
            //   8bfe                 | mov                 edi, esi
            //   80ea04               | sub                 dl, 4
            //   b904000000           | mov                 ecx, 4
            //   eb23                 | jmp                 0x25
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   397d1c               | cmp                 dword ptr [ebp + 0x1c], edi
            //   7303                 | jae                 5

        $sequence_17 = { 8b35???????? 85c0 52 0f95c3 ffd6 }
            // n = 5, score = 400
            //   8b35????????         |                     
            //   85c0                 | test                eax, eax
            //   52                   | push                edx
            //   0f95c3               | setne               bl
            //   ffd6                 | call                esi

        $sequence_18 = { ffd2 8b8568ffffff 8b08 8b5108 }
            // n = 4, score = 400
            //   ffd2                 | call                edx
            //   8b8568ffffff         | mov                 eax, dword ptr [ebp - 0x98]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8b5108               | mov                 edx, dword ptr [ecx + 8]

        $sequence_19 = { 8d5508 8b4e10 397e14 7214 8a1402 8b3e 2ad1 }
            // n = 7, score = 400
            //   8d5508               | lea                 edx, [ebp + 8]
            //   8b4e10               | mov                 ecx, dword ptr [esi + 0x10]
            //   397e14               | cmp                 dword ptr [esi + 0x14], edi
            //   7214                 | jb                  0x16
            //   8a1402               | mov                 dl, byte ptr [edx + eax]
            //   8b3e                 | mov                 edi, dword ptr [esi]
            //   2ad1                 | sub                 dl, cl

        $sequence_20 = { 56 ff15???????? 8b3d???????? 6a00 6a00 6a00 }
            // n = 6, score = 300
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8b3d????????         |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_21 = { 8b07 eb02 8bc7 8b4de0 }
            // n = 4, score = 300
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   eb02                 | jmp                 4
            //   8bc7                 | mov                 eax, edi
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]

        $sequence_22 = { 8ad1 c0ea02 8ac4 80e20f c0e004 }
            // n = 5, score = 300
            //   8ad1                 | mov                 dl, cl
            //   c0ea02               | shr                 dl, 2
            //   8ac4                 | mov                 al, ah
            //   80e20f               | and                 dl, 0xf
            //   c0e004               | shl                 al, 4

        $sequence_23 = { 8b45c0 6a00 50 57 ff15???????? 837d2008 8b450c }
            // n = 7, score = 200
            //   8b45c0               | mov                 eax, dword ptr [ebp - 0x40]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   57                   | push                edi
            //   ff15????????         |                     
            //   837d2008             | cmp                 dword ptr [ebp + 0x20], 8
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]

        $sequence_24 = { 8b4c1938 895dd4 85c9 7405 8b01 ff5004 c745fc00000000 }
            // n = 7, score = 200
            //   8b4c1938             | mov                 ecx, dword ptr [ecx + ebx + 0x38]
            //   895dd4               | mov                 dword ptr [ebp - 0x2c], ebx
            //   85c9                 | test                ecx, ecx
            //   7405                 | je                  7
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   ff5004               | call                dword ptr [eax + 4]
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0

        $sequence_25 = { 8b8560f7ffff ff248564174200 83f808 0f84b5070000 83f807 }
            // n = 5, score = 100
            //   8b8560f7ffff         | mov                 eax, dword ptr [ebp - 0x8a0]
            //   ff248564174200       | jmp                 dword ptr [eax*4 + 0x421764]
            //   83f808               | cmp                 eax, 8
            //   0f84b5070000         | je                  0x7bb
            //   83f807               | cmp                 eax, 7

        $sequence_26 = { a1???????? 01c2 a1???????? 01d0 0505010000 0fb69020604000 }
            // n = 6, score = 100
            //   a1????????           |                     
            //   01c2                 | add                 edx, eax
            //   a1????????           |                     
            //   01d0                 | add                 eax, edx
            //   0505010000           | add                 eax, 0x105
            //   0fb69020604000       | movzx               edx, byte ptr [eax + 0x406020]

        $sequence_27 = { 83bde8ddffff00 740c c785dcddffffa4084500 eb0a c785dcddffffd4d44400 }
            // n = 5, score = 100
            //   83bde8ddffff00       | cmp                 dword ptr [ebp - 0x2218], 0
            //   740c                 | je                  0xe
            //   c785dcddffffa4084500     | mov    dword ptr [ebp - 0x2224], 0x4508a4
            //   eb0a                 | jmp                 0xc
            //   c785dcddffffd4d44400     | mov    dword ptr [ebp - 0x2224], 0x44d4d4

        $sequence_28 = { 89840d84feffff 8d85f0feffff c645fc02 50 c785f0feffff9c734300 e8???????? 8b8538ffffff }
            // n = 7, score = 100
            //   89840d84feffff       | mov                 dword ptr [ebp + ecx - 0x17c], eax
            //   8d85f0feffff         | lea                 eax, [ebp - 0x110]
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   50                   | push                eax
            //   c785f0feffff9c734300     | mov    dword ptr [ebp - 0x110], 0x43739c
            //   e8????????           |                     
            //   8b8538ffffff         | mov                 eax, dword ptr [ebp - 0xc8]

        $sequence_29 = { 33c0 39b880f94200 0f8491000000 ff45e4 83c030 3df0000000 72e7 }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   39b880f94200         | cmp                 dword ptr [eax + 0x42f980], edi
            //   0f8491000000         | je                  0x97
            //   ff45e4               | inc                 dword ptr [ebp - 0x1c]
            //   83c030               | add                 eax, 0x30
            //   3df0000000           | cmp                 eax, 0xf0
            //   72e7                 | jb                  0xffffffe9

        $sequence_30 = { f7460c0c010000 754e 53 57 8d3c85c0104300 833f00 bb00100000 }
            // n = 7, score = 100
            //   f7460c0c010000       | test                dword ptr [esi + 0xc], 0x10c
            //   754e                 | jne                 0x50
            //   53                   | push                ebx
            //   57                   | push                edi
            //   8d3c85c0104300       | lea                 edi, [eax*4 + 0x4310c0]
            //   833f00               | cmp                 dword ptr [edi], 0
            //   bb00100000           | mov                 ebx, 0x1000

        $sequence_31 = { c745e088044300 ebbb d9e8 8b4510 dd18 e9???????? }
            // n = 6, score = 100
            //   c745e088044300       | mov                 dword ptr [ebp - 0x20], 0x430488
            //   ebbb                 | jmp                 0xffffffbd
            //   d9e8                 | fld1                
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   dd18                 | fstp                qword ptr [eax]
            //   e9????????           |                     

        $sequence_32 = { 890424 e8???????? 89c2 8b45dc 39c2 }
            // n = 5, score = 100
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   89c2                 | mov                 edx, eax
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   39c2                 | cmp                 edx, eax

        $sequence_33 = { e8???????? 8945dc 817ddce0070000 0f8ece030000 c70424???????? e8???????? }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   817ddce0070000       | cmp                 dword ptr [ebp - 0x24], 0x7e0
            //   0f8ece030000         | jle                 0x3d4
            //   c70424????????       |                     
            //   e8????????           |                     

        $sequence_34 = { c745ac44000000 6a10 6a00 8d4594 }
            // n = 4, score = 100
            //   c745ac44000000       | mov                 dword ptr [ebp - 0x54], 0x44
            //   6a10                 | push                0x10
            //   6a00                 | push                0
            //   8d4594               | lea                 eax, [ebp - 0x6c]

        $sequence_35 = { c705????????4b154100 8935???????? a3???????? ff15???????? a3???????? }
            // n = 5, score = 100
            //   c705????????4b154100     |     
            //   8935????????         |                     
            //   a3????????           |                     
            //   ff15????????         |                     
            //   a3????????           |                     

        $sequence_36 = { 8b4508 890424 e8???????? 3d04010000 7607 b801000000 }
            // n = 6, score = 100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   3d04010000           | cmp                 eax, 0x104
            //   7607                 | jbe                 9
            //   b801000000           | mov                 eax, 1

        $sequence_37 = { c78588feffff62625678 c7858cfeffff6f747a62 c78590feffff62546b7a c78594feffff7d757871 }
            // n = 4, score = 100
            //   c78588feffff62625678     | mov    dword ptr [ebp - 0x178], 0x78566262
            //   c7858cfeffff6f747a62     | mov    dword ptr [ebp - 0x174], 0x627a746f
            //   c78590feffff62546b7a     | mov    dword ptr [ebp - 0x170], 0x7a6b5462
            //   c78594feffff7d757871     | mov    dword ptr [ebp - 0x16c], 0x7178757d

        $sequence_38 = { 893c24 e8???????? 39e8 741e c74424045c000000 }
            // n = 5, score = 100
            //   893c24               | mov                 dword ptr [esp], edi
            //   e8????????           |                     
            //   39e8                 | cmp                 eax, ebp
            //   741e                 | je                  0x20
            //   c74424045c000000     | mov                 dword ptr [esp + 4], 0x5c

        $sequence_39 = { 8bf0 c1fe05 c1e106 030cb5a0244300 eb02 8bca f641247f }
            // n = 7, score = 100
            //   8bf0                 | mov                 esi, eax
            //   c1fe05               | sar                 esi, 5
            //   c1e106               | shl                 ecx, 6
            //   030cb5a0244300       | add                 ecx, dword ptr [esi*4 + 0x4324a0]
            //   eb02                 | jmp                 4
            //   8bca                 | mov                 ecx, edx
            //   f641247f             | test                byte ptr [ecx + 0x24], 0x7f

        $sequence_40 = { 8d8d3cfbffff e8???????? ba???????? 8bc8 e8???????? }
            // n = 5, score = 100
            //   8d8d3cfbffff         | lea                 ecx, [ebp - 0x4c4]
            //   e8????????           |                     
            //   ba????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     

        $sequence_41 = { e8???????? 8945f8 837df800 7c27 8d4514 8945e0 8b45e0 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   837df800             | cmp                 dword ptr [ebp - 8], 0
            //   7c27                 | jl                  0x29
            //   8d4514               | lea                 eax, [ebp + 0x14]
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]

        $sequence_42 = { 8a8160ce4300 8d4901 8881f7cd4300 84c0 75ed 8d8d28b8f0ff e8???????? }
            // n = 7, score = 100
            //   8a8160ce4300         | mov                 al, byte ptr [ecx + 0x43ce60]
            //   8d4901               | lea                 ecx, [ecx + 1]
            //   8881f7cd4300         | mov                 byte ptr [ecx + 0x43cdf7], al
            //   84c0                 | test                al, al
            //   75ed                 | jne                 0xffffffef
            //   8d8d28b8f0ff         | lea                 ecx, [ebp - 0xf47d8]
            //   e8????????           |                     

        $sequence_43 = { 740f 8b4d14 8b148dc4ea4500 8955f0 eb0d }
            // n = 5, score = 100
            //   740f                 | je                  0x11
            //   8b4d14               | mov                 ecx, dword ptr [ebp + 0x14]
            //   8b148dc4ea4500       | mov                 edx, dword ptr [ecx*4 + 0x45eac4]
            //   8955f0               | mov                 dword ptr [ebp - 0x10], edx
            //   eb0d                 | jmp                 0xf

        $sequence_44 = { 68c4070000 68???????? 68???????? e8???????? 83c40c }
            // n = 5, score = 100
            //   68c4070000           | push                0x7c4
            //   68????????           |                     
            //   68????????           |                     
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_45 = { 8d0445ac054300 8bc8 2bce 6a03 }
            // n = 4, score = 100
            //   8d0445ac054300       | lea                 eax, [eax*2 + 0x4305ac]
            //   8bc8                 | mov                 ecx, eax
            //   2bce                 | sub                 ecx, esi
            //   6a03                 | push                3

        $sequence_46 = { eb07 c745d0d0924600 8b45d0 8a482d }
            // n = 4, score = 100
            //   eb07                 | jmp                 9
            //   c745d0d0924600       | mov                 dword ptr [ebp - 0x30], 0x4692d0
            //   8b45d0               | mov                 eax, dword ptr [ebp - 0x30]
            //   8a482d               | mov                 cl, byte ptr [eax + 0x2d]

        $sequence_47 = { 3d04010000 7607 b801000000 eb33 c744240404010000 c70424???????? e8???????? }
            // n = 7, score = 100
            //   3d04010000           | cmp                 eax, 0x104
            //   7607                 | jbe                 9
            //   b801000000           | mov                 eax, 1
            //   eb33                 | jmp                 0x35
            //   c744240404010000     | mov                 dword ptr [esp + 4], 0x104
            //   c70424????????       |                     
            //   e8????????           |                     

        $sequence_48 = { 8bac2438010000 81c43c010000 c3 c1e810 }
            // n = 4, score = 100
            //   8bac2438010000       | mov                 ebp, dword ptr [esp + 0x138]
            //   81c43c010000         | add                 esp, 0x13c
            //   c3                   | ret                 
            //   c1e810               | shr                 eax, 0x10

        $sequence_49 = { c74438a8dc724300 8b47a8 8b4804 8d41f8 894439a4 8b4798 8b4004 }
            // n = 7, score = 100
            //   c74438a8dc724300     | mov                 dword ptr [eax + edi - 0x58], 0x4372dc
            //   8b47a8               | mov                 eax, dword ptr [edi - 0x58]
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   8d41f8               | lea                 eax, [ecx - 8]
            //   894439a4             | mov                 dword ptr [ecx + edi - 0x5c], eax
            //   8b4798               | mov                 eax, dword ptr [edi - 0x68]
            //   8b4004               | mov                 eax, dword ptr [eax + 4]

        $sequence_50 = { 8845ff 8d4dff e8???????? 8945e8 c745f434a54600 }
            // n = 5, score = 100
            //   8845ff               | mov                 byte ptr [ebp - 1], al
            //   8d4dff               | lea                 ecx, [ebp - 1]
            //   e8????????           |                     
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   c745f434a54600       | mov                 dword ptr [ebp - 0xc], 0x46a534

        $sequence_51 = { 8bbd40b8f0ff b8de000000 663bd8 0f8fdcfaffff }
            // n = 4, score = 100
            //   8bbd40b8f0ff         | mov                 edi, dword ptr [ebp - 0xf47c0]
            //   b8de000000           | mov                 eax, 0xde
            //   663bd8               | cmp                 bx, ax
            //   0f8fdcfaffff         | jg                  0xfffffae2

        $sequence_52 = { 85c0 0f84ce000000 66660f1f840000000000 8b95f8fdffff }
            // n = 4, score = 100
            //   85c0                 | test                eax, eax
            //   0f84ce000000         | je                  0xd4
            //   66660f1f840000000000     | nop    word ptr [eax + eax]
            //   8b95f8fdffff         | mov                 edx, dword ptr [ebp - 0x208]

        $sequence_53 = { 41 004f99 41 005c9941 006999 41 }
            // n = 6, score = 100
            //   41                   | inc                 ecx
            //   004f99               | add                 byte ptr [edi - 0x67], cl
            //   41                   | inc                 ecx
            //   005c9941             | add                 byte ptr [ecx + ebx*4 + 0x41], bl
            //   006999               | add                 byte ptr [ecx - 0x67], ch
            //   41                   | inc                 ecx

        $sequence_54 = { c745f001000000 66390b 741b 8bcb 8d5102 0f1f8000000000 668b01 }
            // n = 7, score = 100
            //   c745f001000000       | mov                 dword ptr [ebp - 0x10], 1
            //   66390b               | cmp                 word ptr [ebx], cx
            //   741b                 | je                  0x1d
            //   8bcb                 | mov                 ecx, ebx
            //   8d5102               | lea                 edx, [ecx + 2]
            //   0f1f8000000000       | nop                 dword ptr [eax]
            //   668b01               | mov                 ax, word ptr [ecx]

    condition:
        7 of them and filesize < 1097728
}
[TLP:WHITE] win_yty_w0   (20180312 | Modular malware framework with similarities to EHDevel)
import "pe"

rule win_yty_w0 {
    meta:
        author = "James E.C, ProofPoint"
        description = "Modular malware framework with similarities to EHDevel"
        hash = "1e0c1b97925e1ed90562d2c68971e038d8506b354dd6c1d2bcc252d2a48bc31c"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty"
        malpedia_version = "20180312"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $x1 = "/football/download2/" ascii wide
        $x2 = "/football/download/" ascii wide
        $x3 = "Caption: Xp>" wide

        $x_c2 = "5.135.199.0" ascii fullword

        $a1 = "getGoogle" ascii fullword
        $a2 = "/q /noretstart" wide
        $a3 = "IsInSandbox" ascii fullword
        $a4 = "syssystemnew" ascii fullword
        $a5 = "ytyinfo" ascii fullword
        $a6 = "\\ytyboth\\yty " ascii

        $s1 = "SELECT Name FROM Win32_Processor" wide
        $s2 = "SELECT Caption FROM Win32_OperatingSystem" wide
        $s3 = "SELECT SerialNumber FROM Win32_DiskDrive" wide
        $s4 = "VM: Yes" wide fullword
        $s5 = "VM: No" wide fullword
        $s6 = "helpdll.dll" ascii fullword
        $s7 = "boothelp.exe" ascii fullword
        $s8 = "SbieDll.dll" wide fullword
        $s9 = "dbghelp.dll" wide fullword
        $s10 = "YesNoMaybe" ascii fullword
        $s11 = "saveData" ascii fullword
        $s12 = "saveLogs" ascii fullword
    condition:
        pe.imphash() == "87775285899fa860b9963b11596a2ded" or 1 of ($x*) or 3 of ($a*) or 6 of ($s*)
}
Download all Yara Rules