SYMBOLCOMMON_NAMEaka. SYNONYMS
win.yty (Back to overview)

yty

Actor(s): APT-C-35, Donot Team, Viceroy Tiger


There is no description at this point.

References
2022-01-18ESET ResearchFacundo Muñoz, Matías Porolli
@online{muoz:20220118:donot:724cf3f, author = {Facundo Muñoz and Matías Porolli}, title = {{DoNot Go! Do not respawn!}}, date = {2022-01-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/}, language = {English}, urldate = {2022-01-18} } DoNot Go! Do not respawn!
yty
2021-10-07Amnesty InternationalAmnesty International
@techreport{international:20211007:hackersforhire:4147fd6, author = {Amnesty International}, title = {{Hackers-for-Hire in West Africa - Activist in Togo attacked with Indian-made Spyware}}, date = {2021-10-07}, institution = {Amnesty International}, url = {https://www.amnesty.org/en/wp-content/uploads/2021/10/AFR5747562021ENGLISH.pdf}, language = {English}, urldate = {2021-11-02} } Hackers-for-Hire in West Africa - Activist in Togo attacked with Indian-made Spyware
yty
2020SecureworksSecureWorks
@online{secureworks:2020:zinc:13667ec, author = {SecureWorks}, title = {{ZINC EMERSON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/zinc-emerson}, language = {English}, urldate = {2020-05-23} } ZINC EMERSON
yty QUILTED TIGER
2019-11-15Positive TechnologiesPositive Technologies
@online{technologies:20191115:studying:b64a9fd, author = {Positive Technologies}, title = {{Studying Donot Team}}, date = {2019-11-15}, organization = {Positive Technologies}, url = {http://blog.ptsecurity.com/2019/11/studying-donot-team.html}, language = {English}, urldate = {2020-01-05} } Studying Donot Team
yty
2019-08-02NSHCThreatRecon Team
@online{team:20190802:sectore02:c2237b1, author = {ThreatRecon Team}, title = {{SectorE02 Updates YTY Framework in New Targeted Campaign Against Pakistan Government}}, date = {2019-08-02}, organization = {NSHC}, url = {https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/}, language = {English}, urldate = {2020-01-08} } SectorE02 Updates YTY Framework in New Targeted Campaign Against Pakistan Government
yty
2018-07-26奇安信威胁情报中心 | 事件追踪
@online{:20180726:analysis:66722b6, author = {奇安信威胁情报中心 | 事件追踪}, title = {{Analysis of the latest attack activities of APT-C-35}}, date = {2018-07-26}, url = {https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/}, language = {Chinese}, urldate = {2020-01-08} } Analysis of the latest attack activities of APT-C-35
yty VICEROY TIGER
2018-03-08NetScoutASERT Team
@online{team:20180308:donot:6f0c645, author = {ASERT Team}, title = {{Donot Team Leverages New Modular Malware Framework in South Asia}}, date = {2018-03-08}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/}, language = {English}, urldate = {2020-01-09} } Donot Team Leverages New Modular Malware Framework in South Asia
yty
Yara Rules
[TLP:WHITE] win_yty_auto (20220808 | Detects win.yty.)
rule win_yty_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.yty."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83e001 0f840c000000 8365d8fe 8b7508 e9???????? c3 }
            // n = 6, score = 500
            //   83e001               | and                 eax, 1
            //   0f840c000000         | je                  0x12
            //   8365d8fe             | and                 dword ptr [ebp - 0x28], 0xfffffffe
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   e9????????           |                     
            //   c3                   | ret                 

        $sequence_1 = { 64a300000000 8b7508 33ff 897dd8 }
            // n = 4, score = 500
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   33ff                 | xor                 edi, edi
            //   897dd8               | mov                 dword ptr [ebp - 0x28], edi

        $sequence_2 = { 8bfe 8a1402 2ad1 80ea13 33c9 881407 }
            // n = 6, score = 400
            //   8bfe                 | mov                 edi, esi
            //   8a1402               | mov                 dl, byte ptr [edx + eax]
            //   2ad1                 | sub                 dl, cl
            //   80ea13               | sub                 dl, 0x13
            //   33c9                 | xor                 ecx, ecx
            //   881407               | mov                 byte ptr [edi + eax], dl

        $sequence_3 = { 807def00 8b5de8 7503 83cb02 8b16 8b4a04 }
            // n = 6, score = 400
            //   807def00             | cmp                 byte ptr [ebp - 0x11], 0
            //   8b5de8               | mov                 ebx, dword ptr [ebp - 0x18]
            //   7503                 | jne                 5
            //   83cb02               | or                  ebx, 2
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   8b4a04               | mov                 ecx, dword ptr [edx + 4]

        $sequence_4 = { 8b4c3138 33db 895de8 885def 8975e0 85c9 7407 }
            // n = 7, score = 400
            //   8b4c3138             | mov                 ecx, dword ptr [ecx + esi + 0x38]
            //   33db                 | xor                 ebx, ebx
            //   895de8               | mov                 dword ptr [ebp - 0x18], ebx
            //   885def               | mov                 byte ptr [ebp - 0x11], bl
            //   8975e0               | mov                 dword ptr [ebp - 0x20], esi
            //   85c9                 | test                ecx, ecx
            //   7407                 | je                  9

        $sequence_5 = { c645fc01 e8???????? 8b10 8b4a04 03c8 }
            // n = 5, score = 400
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   e8????????           |                     
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   8b4a04               | mov                 ecx, dword ptr [edx + 4]
            //   03c8                 | add                 ecx, eax

        $sequence_6 = { 51 e8???????? 83c408 8bf0 6a0a 8bce }
            // n = 6, score = 400
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8bf0                 | mov                 esi, eax
            //   6a0a                 | push                0xa
            //   8bce                 | mov                 ecx, esi

        $sequence_7 = { 80ea13 b903000000 eb69 8a1402 2ad1 }
            // n = 5, score = 400
            //   80ea13               | sub                 dl, 0x13
            //   b903000000           | mov                 ecx, 3
            //   eb69                 | jmp                 0x6b
            //   8a1402               | mov                 dl, byte ptr [edx + eax]
            //   2ad1                 | sub                 dl, cl

        $sequence_8 = { 80ea13 b902000000 e9???????? 8a1402 2ad1 }
            // n = 5, score = 400
            //   80ea13               | sub                 dl, 0x13
            //   b902000000           | mov                 ecx, 2
            //   e9????????           |                     
            //   8a1402               | mov                 dl, byte ptr [edx + eax]
            //   2ad1                 | sub                 dl, cl

        $sequence_9 = { 8b3e 2ad1 80ea04 b904000000 eb34 8a1402 2ad1 }
            // n = 7, score = 400
            //   8b3e                 | mov                 edi, dword ptr [esi]
            //   2ad1                 | sub                 dl, cl
            //   80ea04               | sub                 dl, 4
            //   b904000000           | mov                 ecx, 4
            //   eb34                 | jmp                 0x36
            //   8a1402               | mov                 dl, byte ptr [edx + eax]
            //   2ad1                 | sub                 dl, cl

        $sequence_10 = { 50 ffd2 ff15???????? 8a857bffffff 8b4df4 }
            // n = 5, score = 400
            //   50                   | push                eax
            //   ffd2                 | call                edx
            //   ff15????????         |                     
            //   8a857bffffff         | mov                 al, byte ptr [ebp - 0x85]
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]

        $sequence_11 = { 8b08 8b5108 50 ffd2 8b8568ffffff 8b08 }
            // n = 6, score = 400
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8b5108               | mov                 edx, dword ptr [ecx + 8]
            //   50                   | push                eax
            //   ffd2                 | call                edx
            //   8b8568ffffff         | mov                 eax, dword ptr [ebp - 0x98]
            //   8b08                 | mov                 ecx, dword ptr [eax]

        $sequence_12 = { e8???????? 83c40c 8d8de8fdffff 51 53 53 }
            // n = 6, score = 400
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d8de8fdffff         | lea                 ecx, [ebp - 0x218]
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   53                   | push                ebx

        $sequence_13 = { e8???????? 8b5610 33c9 33c0 8d7910 85d2 }
            // n = 6, score = 400
            //   e8????????           |                     
            //   8b5610               | mov                 edx, dword ptr [esi + 0x10]
            //   33c9                 | xor                 ecx, ecx
            //   33c0                 | xor                 eax, eax
            //   8d7910               | lea                 edi, [ecx + 0x10]
            //   85d2                 | test                edx, edx

        $sequence_14 = { 53 50 e8???????? 83c40c 8d8de8fdffff }
            // n = 5, score = 400
            //   53                   | push                ebx
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d8de8fdffff         | lea                 ecx, [ebp - 0x218]

        $sequence_15 = { 8906 894604 894608 8945fc 56 c745f001000000 }
            // n = 6, score = 400
            //   8906                 | mov                 dword ptr [esi], eax
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   56                   | push                esi
            //   c745f001000000       | mov                 dword ptr [ebp - 0x10], 1

        $sequence_16 = { 668910 8bc6 5b 8be5 5d c20400 }
            // n = 6, score = 400
            //   668910               | mov                 word ptr [eax], dx
            //   8bc6                 | mov                 eax, esi
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4

        $sequence_17 = { 50 8bce c60600 e8???????? 8b5610 33c9 }
            // n = 6, score = 400
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi
            //   c60600               | mov                 byte ptr [esi], 0
            //   e8????????           |                     
            //   8b5610               | mov                 edx, dword ptr [esi + 0x10]
            //   33c9                 | xor                 ecx, ecx

        $sequence_18 = { 8965f0 8bf9 8b7508 8b06 8b4804 8b4c3138 33db }
            // n = 7, score = 400
            //   8965f0               | mov                 dword ptr [ebp - 0x10], esp
            //   8bf9                 | mov                 edi, ecx
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   8b4c3138             | mov                 ecx, dword ptr [ecx + esi + 0x38]
            //   33db                 | xor                 ebx, ebx

        $sequence_19 = { 85d2 0f8425010000 83f904 0f8712010000 }
            // n = 4, score = 400
            //   85d2                 | test                edx, edx
            //   0f8425010000         | je                  0x12b
            //   83f904               | cmp                 ecx, 4
            //   0f8712010000         | ja                  0x118

        $sequence_20 = { 8bfe 80ea04 b901000000 e9???????? 8b5508 397d1c }
            // n = 6, score = 400
            //   8bfe                 | mov                 edi, esi
            //   80ea04               | sub                 dl, 4
            //   b901000000           | mov                 ecx, 1
            //   e9????????           |                     
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   397d1c               | cmp                 dword ptr [ebp + 0x1c], edi

        $sequence_21 = { 8b07 eb02 8bc7 8b4de0 }
            // n = 4, score = 300
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   eb02                 | jmp                 4
            //   8bc7                 | mov                 eax, edi
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]

        $sequence_22 = { ff15???????? 6a6d 56 ff15???????? 8b3d???????? 6a00 }
            // n = 6, score = 300
            //   ff15????????         |                     
            //   6a6d                 | push                0x6d
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8b3d????????         |                     
            //   6a00                 | push                0

        $sequence_23 = { 8ad1 c0ea02 8ac4 80e20f c0e004 }
            // n = 5, score = 300
            //   8ad1                 | mov                 dl, cl
            //   c0ea02               | shr                 dl, 2
            //   8ac4                 | mov                 al, ah
            //   80e20f               | and                 dl, 0xf
            //   c0e004               | shl                 al, 4

        $sequence_24 = { 8b4c1938 895dd4 85c9 7405 8b01 ff5004 c745fc00000000 }
            // n = 7, score = 200
            //   8b4c1938             | mov                 ecx, dword ptr [ecx + ebx + 0x38]
            //   895dd4               | mov                 dword ptr [ebp - 0x2c], ebx
            //   85c9                 | test                ecx, ecx
            //   7405                 | je                  7
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   ff5004               | call                dword ptr [eax + 4]
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0

        $sequence_25 = { e8???????? 85c0 740c 8345f401 837df40d 76d4 eb01 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   740c                 | je                  0xe
            //   8345f401             | add                 dword ptr [ebp - 0xc], 1
            //   837df40d             | cmp                 dword ptr [ebp - 0xc], 0xd
            //   76d4                 | jbe                 0xffffffd6
            //   eb01                 | jmp                 3

        $sequence_26 = { 8b45f8 0fb608 0fbe91d8984600 8955e8 837de800 7513 }
            // n = 6, score = 100
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   0fb608               | movzx               ecx, byte ptr [eax]
            //   0fbe91d8984600       | movsx               edx, byte ptr [ecx + 0x4698d8]
            //   8955e8               | mov                 dword ptr [ebp - 0x18], edx
            //   837de800             | cmp                 dword ptr [ebp - 0x18], 0
            //   7513                 | jne                 0x15

        $sequence_27 = { ebee 53 83ec08 8b5c2410 }
            // n = 4, score = 100
            //   ebee                 | jmp                 0xfffffff0
            //   53                   | push                ebx
            //   83ec08               | sub                 esp, 8
            //   8b5c2410             | mov                 ebx, dword ptr [esp + 0x10]

        $sequence_28 = { 51 6b550c0c 8b8228744500 89851cfdffff 8b8d1cfdffff }
            // n = 5, score = 100
            //   51                   | push                ecx
            //   6b550c0c             | imul                edx, dword ptr [ebp + 0xc], 0xc
            //   8b8228744500         | mov                 eax, dword ptr [edx + 0x457428]
            //   89851cfdffff         | mov                 dword ptr [ebp - 0x2e4], eax
            //   8b8d1cfdffff         | mov                 ecx, dword ptr [ebp - 0x2e4]

        $sequence_29 = { 8d8564ffffff 83c01c 890424 e8???????? 8944240c }
            // n = 5, score = 100
            //   8d8564ffffff         | lea                 eax, [ebp - 0x9c]
            //   83c01c               | add                 eax, 0x1c
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax

        $sequence_30 = { c685c4fcffff00 e8???????? 8d85e4faffff c645fc0b 50 c785e4faffff9c734300 }
            // n = 6, score = 100
            //   c685c4fcffff00       | mov                 byte ptr [ebp - 0x33c], 0
            //   e8????????           |                     
            //   8d85e4faffff         | lea                 eax, [ebp - 0x51c]
            //   c645fc0b             | mov                 byte ptr [ebp - 4], 0xb
            //   50                   | push                eax
            //   c785e4faffff9c734300     | mov    dword ptr [ebp - 0x51c], 0x43739c

        $sequence_31 = { 8b5508 8b45f4 01d0 0fb600 3c2e 7416 8345f401 }
            // n = 7, score = 100
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   01d0                 | add                 eax, edx
            //   0fb600               | movzx               eax, byte ptr [eax]
            //   3c2e                 | cmp                 al, 0x2e
            //   7416                 | je                  0x18
            //   8345f401             | add                 dword ptr [ebp - 0xc], 1

        $sequence_32 = { 52 8bcd 50 8d1564244100 e8???????? 58 5a }
            // n = 7, score = 100
            //   52                   | push                edx
            //   8bcd                 | mov                 ecx, ebp
            //   50                   | push                eax
            //   8d1564244100         | lea                 edx, [0x412464]
            //   e8????????           |                     
            //   58                   | pop                 eax
            //   5a                   | pop                 edx

        $sequence_33 = { 6bd130 8b048500b04600 8b4c1018 898dd4ebffff 8b5510 035514 }
            // n = 6, score = 100
            //   6bd130               | imul                edx, ecx, 0x30
            //   8b048500b04600       | mov                 eax, dword ptr [eax*4 + 0x46b000]
            //   8b4c1018             | mov                 ecx, dword ptr [eax + edx + 0x18]
            //   898dd4ebffff         | mov                 dword ptr [ebp - 0x142c], ecx
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   035514               | add                 edx, dword ptr [ebp + 0x14]

        $sequence_34 = { c1e006 030495a0244300 eb05 b8???????? f6400420 }
            // n = 5, score = 100
            //   c1e006               | shl                 eax, 6
            //   030495a0244300       | add                 eax, dword ptr [edx*4 + 0x4324a0]
            //   eb05                 | jmp                 7
            //   b8????????           |                     
            //   f6400420             | test                byte ptr [eax + 4], 0x20

        $sequence_35 = { 8d3c8da0244300 8bf0 83e61f c1e606 8b0f 0fbe4c3104 83e101 }
            // n = 7, score = 100
            //   8d3c8da0244300       | lea                 edi, [ecx*4 + 0x4324a0]
            //   8bf0                 | mov                 esi, eax
            //   83e61f               | and                 esi, 0x1f
            //   c1e606               | shl                 esi, 6
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   0fbe4c3104           | movsx               ecx, byte ptr [ecx + esi + 4]
            //   83e101               | and                 ecx, 1

        $sequence_36 = { 8b04c520c34200 5d c3 33c0 }
            // n = 4, score = 100
            //   8b04c520c34200       | mov                 eax, dword ptr [eax*8 + 0x42c320]
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   33c0                 | xor                 eax, eax

        $sequence_37 = { 7510 8bc8 eb0c 0fb6c0 0fbe80b8b84300 03c8 }
            // n = 6, score = 100
            //   7510                 | jne                 0x12
            //   8bc8                 | mov                 ecx, eax
            //   eb0c                 | jmp                 0xe
            //   0fb6c0               | movzx               eax, al
            //   0fbe80b8b84300       | movsx               eax, byte ptr [eax + 0x43b8b8]
            //   03c8                 | add                 ecx, eax

        $sequence_38 = { e8???????? 80f901 7502 d9e0 833d????????00 0f8559a30000 8d0d40004300 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   80f901               | cmp                 cl, 1
            //   7502                 | jne                 4
            //   d9e0                 | fchs                
            //   833d????????00       |                     
            //   0f8559a30000         | jne                 0xa35f
            //   8d0d40004300         | lea                 ecx, [0x430040]

        $sequence_39 = { 770f 0fbec2 0fb680a8d14200 83e00f eb02 33c0 8b8dc0fdffff }
            // n = 7, score = 100
            //   770f                 | ja                  0x11
            //   0fbec2               | movsx               eax, dl
            //   0fb680a8d14200       | movzx               eax, byte ptr [eax + 0x42d1a8]
            //   83e00f               | and                 eax, 0xf
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   8b8dc0fdffff         | mov                 ecx, dword ptr [ebp - 0x240]

        $sequence_40 = { 68b0000000 8d85c4b9f0ff 6a00 50 e8???????? }
            // n = 5, score = 100
            //   68b0000000           | push                0xb0
            //   8d85c4b9f0ff         | lea                 eax, [ebp - 0xf463c]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_41 = { 0f28c1 660f73d908 660f73d804 660f7ec1 660f7ec8 6800040000 c1e110 }
            // n = 7, score = 100
            //   0f28c1               | movaps              xmm0, xmm1
            //   660f73d908           | psrldq              xmm1, 8
            //   660f73d804           | psrldq              xmm0, 4
            //   660f7ec1             | movd                ecx, xmm0
            //   660f7ec8             | movd                eax, xmm1
            //   6800040000           | push                0x400
            //   c1e110               | shl                 ecx, 0x10

        $sequence_42 = { 8b0485a0244300 c644080401 57 e8???????? }
            // n = 4, score = 100
            //   8b0485a0244300       | mov                 eax, dword ptr [eax*4 + 0x4324a0]
            //   c644080401           | mov                 byte ptr [eax + ecx + 4], 1
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_43 = { c745ac44000000 6a10 6a00 8d4594 50 e8???????? }
            // n = 6, score = 100
            //   c745ac44000000       | mov                 dword ptr [ebp - 0x54], 0x44
            //   6a10                 | push                0x10
            //   6a00                 | push                0
            //   8d4594               | lea                 eax, [ebp - 0x6c]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_44 = { 83c008 890424 e8???????? 85c0 0f849d040000 8b45d4 83c008 }
            // n = 7, score = 100
            //   83c008               | add                 eax, 8
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f849d040000         | je                  0x4a3
            //   8b45d4               | mov                 eax, dword ptr [ebp - 0x2c]
            //   83c008               | add                 eax, 8

        $sequence_45 = { e8???????? 8bf0 8d85c4fbffff 3bc6 7446 8b85dcfbffff 83f808 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   8d85c4fbffff         | lea                 eax, [ebp - 0x43c]
            //   3bc6                 | cmp                 eax, esi
            //   7446                 | je                  0x48
            //   8b85dcfbffff         | mov                 eax, dword ptr [ebp - 0x424]
            //   83f808               | cmp                 eax, 8

        $sequence_46 = { 837df40d 7507 c745f000000000 8b45f0 }
            // n = 4, score = 100
            //   837df40d             | cmp                 dword ptr [ebp - 0xc], 0xd
            //   7507                 | jne                 9
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]

        $sequence_47 = { 1d1d1d1d1d 1d1d1d1d1d 1d1d1d1d1d 1d08090a0b 0c0d 0e 0f1011 }
            // n = 7, score = 100
            //   1d1d1d1d1d           | sbb                 eax, 0x1d1d1d1d
            //   1d1d1d1d1d           | sbb                 eax, 0x1d1d1d1d
            //   1d1d1d1d1d           | sbb                 eax, 0x1d1d1d1d
            //   1d08090a0b           | sbb                 eax, 0xb0a0908
            //   0c0d                 | or                  al, 0xd
            //   0e                   | push                cs
            //   0f1011               | movups              xmm2, xmmword ptr [ecx]

        $sequence_48 = { 6bd117 898278a04600 68???????? 8b45fc 50 ff15???????? 3305???????? }
            // n = 7, score = 100
            //   6bd117               | imul                edx, ecx, 0x17
            //   898278a04600         | mov                 dword ptr [edx + 0x46a078], eax
            //   68????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   3305????????         |                     

        $sequence_49 = { 6a0a 68???????? e8???????? 83c40c 85c0 7469 }
            // n = 6, score = 100
            //   6a0a                 | push                0xa
            //   68????????           |                     
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   7469                 | je                  0x6b

        $sequence_50 = { 57 8b7d08 8bf1 83fffe 0f87c3000000 8b4618 3bc7 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8bf1                 | mov                 esi, ecx
            //   83fffe               | cmp                 edi, -2
            //   0f87c3000000         | ja                  0xc9
            //   8b4618               | mov                 eax, dword ptr [esi + 0x18]
            //   3bc7                 | cmp                 eax, edi

        $sequence_51 = { 01d8 83c025 3b45cc 0f8572010000 }
            // n = 4, score = 100
            //   01d8                 | add                 eax, ebx
            //   83c025               | add                 eax, 0x25
            //   3b45cc               | cmp                 eax, dword ptr [ebp - 0x34]
            //   0f8572010000         | jne                 0x178

        $sequence_52 = { 2b34bda0244300 c1fe06 8bc7 c1e005 03f0 }
            // n = 5, score = 100
            //   2b34bda0244300       | sub                 esi, dword ptr [edi*4 + 0x4324a0]
            //   c1fe06               | sar                 esi, 6
            //   8bc7                 | mov                 eax, edi
            //   c1e005               | shl                 eax, 5
            //   03f0                 | add                 esi, eax

        $sequence_53 = { 6aff 8d85f4fdffff 50 53 56 c785bcf1ffffb8b04200 ffd7 }
            // n = 7, score = 100
            //   6aff                 | push                -1
            //   8d85f4fdffff         | lea                 eax, [ebp - 0x20c]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   56                   | push                esi
            //   c785bcf1ffffb8b04200     | mov    dword ptr [ebp - 0xe44], 0x42b0b8
            //   ffd7                 | call                edi

        $sequence_54 = { c745e401000000 eb07 c745e400000000 c745e001000000 eb0e c745e000000000 c745e401000000 }
            // n = 7, score = 100
            //   c745e401000000       | mov                 dword ptr [ebp - 0x1c], 1
            //   eb07                 | jmp                 9
            //   c745e400000000       | mov                 dword ptr [ebp - 0x1c], 0
            //   c745e001000000       | mov                 dword ptr [ebp - 0x20], 1
            //   eb0e                 | jmp                 0x10
            //   c745e000000000       | mov                 dword ptr [ebp - 0x20], 0
            //   c745e401000000       | mov                 dword ptr [ebp - 0x1c], 1

    condition:
        7 of them and filesize < 1097728
}
[TLP:WHITE] win_yty_w0   (20180312 | Modular malware framework with similarities to EHDevel)
import "pe"

rule win_yty_w0 {
    meta:
        author = "James E.C, ProofPoint"
        description = "Modular malware framework with similarities to EHDevel"
        hash = "1e0c1b97925e1ed90562d2c68971e038d8506b354dd6c1d2bcc252d2a48bc31c"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty"
        malpedia_version = "20180312"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $x1 = "/football/download2/" ascii wide
        $x2 = "/football/download/" ascii wide
        $x3 = "Caption: Xp>" wide

        $x_c2 = "5.135.199.0" ascii fullword

        $a1 = "getGoogle" ascii fullword
        $a2 = "/q /noretstart" wide
        $a3 = "IsInSandbox" ascii fullword
        $a4 = "syssystemnew" ascii fullword
        $a5 = "ytyinfo" ascii fullword
        $a6 = "\\ytyboth\\yty " ascii

        $s1 = "SELECT Name FROM Win32_Processor" wide
        $s2 = "SELECT Caption FROM Win32_OperatingSystem" wide
        $s3 = "SELECT SerialNumber FROM Win32_DiskDrive" wide
        $s4 = "VM: Yes" wide fullword
        $s5 = "VM: No" wide fullword
        $s6 = "helpdll.dll" ascii fullword
        $s7 = "boothelp.exe" ascii fullword
        $s8 = "SbieDll.dll" wide fullword
        $s9 = "dbghelp.dll" wide fullword
        $s10 = "YesNoMaybe" ascii fullword
        $s11 = "saveData" ascii fullword
        $s12 = "saveLogs" ascii fullword
    condition:
        pe.imphash() == "87775285899fa860b9963b11596a2ded" or 1 of ($x*) or 3 of ($a*) or 6 of ($s*)
}
Download all Yara Rules