Actor(s): APT-C-35, Donot Team, Viceroy Tiger
There is no description at this point.
/*
 * Auto-generated code-sequence signature for win.yty (YARA-Signator).
 *
 * Every $sequence_N hex pattern is a short run of x86 instructions that the
 * generator selected from the disassembly of memory dumps and unpacked
 * samples. The comment above each pattern gives the generator's n (number of
 * instructions) and score (its weight for the sequence; this appears to grow
 * with the number of samples it was observed in, so read it as a relative
 * ranking rather than an absolute confidence), followed by the decoded
 * instructions. Wildcarded bytes (????????) stand for call/jmp targets and
 * absolute addresses that differ between builds.
 *
 * Generator: https://github.com/fxb-cocacoding/yara-signator
 *
 * Coverage caveats: Malpedia documents only a single sample for a number of
 * families, which limits how well these sequences generalize to other builds.
 * Because they were taken from unpacked code, matches are expected on memory
 * dumps and unpacked files; packed on-disk copies will likely not trigger.
 * Assign confidence levels with this generation method in mind.
 */
rule win_yty_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.yty."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // n = 5, score = 500 | lea eax, [ebp - 0xc]; mov dword ptr fs:[0], eax; mov esi, dword ptr [ebp + 8]; xor edi, edi; mov dword ptr [ebp - 0x28], edi
        $sequence_0 = { 8d45f4 64a300000000 8b7508 33ff 897dd8 }

        // n = 6, score = 400 | mov dword ptr [ebp - 4], 0; push 0; lea eax, [ebp + 8]; mov dword ptr [esi + 0x14], 0xf; mov dword ptr [esi + 0x10], 0; push eax
        $sequence_1 = { c745fc00000000 6a00 8d4508 c746140f000000 c7461000000000 50 }

        // n = 7, score = 400 | xor eax, ebp; push eax; lea eax, [ebp - 0xc]; mov dword ptr fs:[0], eax; mov dword ptr [ebp - 0x10], 0; push -1; mov dword ptr [ebp - 4], 0
        $sequence_2 = { 33c5 50 8d45f4 64a300000000 c745f000000000 6aff c745fc00000000 }

        // n = 7, score = 400 | push ecx; call ?; add esp, 8; mov esi, eax; push 0xa; mov ecx, esi; call ?
        $sequence_3 = { 51 e8???????? 83c408 8bf0 6a0a 8bce e8???????? }

        // n = 6, score = 400 | mov dword ptr [esi + 4], eax; mov dword ptr [esi + 8], eax; mov dword ptr [ebp - 4], eax; push esi; mov dword ptr [ebp - 0x10], 1; call ?
        $sequence_4 = { 894604 894608 8945fc 56 c745f001000000 e8???????? }

        // n = 5, score = 400 | push 0; mov ecx, edi; mov byte ptr [ebp - 4], 2; call ?; mov ecx, dword ptr [esi]
        $sequence_5 = { 6a00 8bcf c645fc02 e8???????? 8b0e }

        // n = 6, score = 400 | mov word ptr [eax], dx; mov eax, esi; pop ebx; mov esp, ebp; pop ebp; ret 4
        $sequence_6 = { 668910 8bc6 5b 8be5 5d c20400 }

        // n = 6, score = 400 | lea edx, [ebp + 8]; mov ecx, dword ptr [esi + 0x10]; cmp dword ptr [esi + 0x14], edi; jb 6; mov edi, dword ptr [esi]; jmp 4
        $sequence_7 = { 8d5508 8b4e10 397e14 7204 8b3e eb02 }

        // n = 4, score = 400 | mov edx, dword ptr [esi + 0x10]; xor ecx, ecx; xor eax, eax; lea edi, [ecx + 0x10]
        $sequence_8 = { 8b5610 33c9 33c0 8d7910 }

        // n = 6, score = 400 | push eax; call ?; add esp, 0xc; lea ecx, [ebp - 0x218]; push ecx; push ebx
        $sequence_9 = { 50 e8???????? 83c40c 8d8de8fdffff 51 53 }

        // n = 7, score = 400 | mov ecx, 2; jmp ?; mov dl, byte ptr [edx + eax]; sub dl, cl; mov edi, esi; sub dl, 0x13; mov ecx, 2
        $sequence_10 = { b902000000 e9???????? 8a1402 2ad1 8bfe 80ea13 b902000000 }

        // n = 7, score = 400 | lea ecx, [ebp - 0x218]; push ecx; push ebx; push ebx; push 0x28; push ebx; call [?]
        $sequence_11 = { 8d8de8fdffff 51 53 53 6a28 53 ff15???????? }

        // n = 5, score = 400 | mov dword ptr [ebp - 0x20], esi; test ecx, ecx; je 9; mov edx, dword ptr [ecx]; mov eax, dword ptr [edx + 4]
        $sequence_12 = { 8975e0 85c9 7407 8b11 8b4204 }

        // n = 6, score = 400 | mov ecx, dword ptr [eax]; mov edx, dword ptr [ecx + 8]; push eax; call edx; call [?]; mov al, byte ptr [ebp - 0x85]
        $sequence_13 = { 8b08 8b5108 50 ffd2 ff15???????? 8a857bffffff }

        // n = 5, score = 400 | mov byte ptr [ebp - 4], 1; call ?; mov edx, dword ptr [eax]; mov ecx, dword ptr [edx + 4]; add ecx, eax
        $sequence_14 = { c645fc01 e8???????? 8b10 8b4a04 03c8 }

        // n = 7, score = 400 | mov edi, dword ptr [esi]; sub dl, cl; sub dl, 4; mov ecx, 4; jmp 0x36; mov dl, byte ptr [edx + eax]; sub dl, cl
        $sequence_15 = { 8b3e 2ad1 80ea04 b904000000 eb34 8a1402 2ad1 }

        // n = 7, score = 400 | mov edi, esi; sub dl, 4; mov ecx, 4; jmp 0x25; mov edx, dword ptr [ebp + 8]; cmp dword ptr [ebp + 0x1c], edi; jae 5
        $sequence_16 = { 8bfe 80ea04 b904000000 eb23 8b5508 397d1c 7303 }

        // n = 5, score = 400 | mov esi, [?]; test eax, eax; push edx; setne bl; call esi
        $sequence_17 = { 8b35???????? 85c0 52 0f95c3 ffd6 }

        // n = 4, score = 400 | call edx; mov eax, dword ptr [ebp - 0x98]; mov ecx, dword ptr [eax]; mov edx, dword ptr [ecx + 8]
        $sequence_18 = { ffd2 8b8568ffffff 8b08 8b5108 }

        // n = 7, score = 400 | lea edx, [ebp + 8]; mov ecx, dword ptr [esi + 0x10]; cmp dword ptr [esi + 0x14], edi; jb 0x16; mov dl, byte ptr [edx + eax]; mov edi, dword ptr [esi]; sub dl, cl
        $sequence_19 = { 8d5508 8b4e10 397e14 7214 8a1402 8b3e 2ad1 }

        // n = 6, score = 300 | push esi; call [?]; mov edi, [?]; push 0; push 0; push 0
        $sequence_20 = { 56 ff15???????? 8b3d???????? 6a00 6a00 6a00 }

        // n = 4, score = 300 | mov eax, dword ptr [edi]; jmp 4; mov eax, edi; mov ecx, dword ptr [ebp - 0x20]
        $sequence_21 = { 8b07 eb02 8bc7 8b4de0 }

        // n = 5, score = 300 | mov dl, cl; shr dl, 2; mov al, ah; and dl, 0xf; shl al, 4
        $sequence_22 = { 8ad1 c0ea02 8ac4 80e20f c0e004 }

        // n = 7, score = 200 | mov eax, dword ptr [ebp - 0x40]; push 0; push eax; push edi; call [?]; cmp dword ptr [ebp + 0x20], 8; mov eax, dword ptr [ebp + 0xc]
        $sequence_23 = { 8b45c0 6a00 50 57 ff15???????? 837d2008 8b450c }

        // n = 7, score = 200 | mov ecx, dword ptr [ecx + ebx + 0x38]; mov dword ptr [ebp - 0x2c], ebx; test ecx, ecx; je 7; mov eax, dword ptr [ecx]; call dword ptr [eax + 4]; mov dword ptr [ebp - 4], 0
        $sequence_24 = { 8b4c1938 895dd4 85c9 7405 8b01 ff5004 c745fc00000000 }

        // n = 5, score = 100 | mov eax, dword ptr [ebp - 0x8a0]; jmp dword ptr [eax*4 + 0x421764]; cmp eax, 8; je 0x7bb; cmp eax, 7
        $sequence_25 = { 8b8560f7ffff ff248564174200 83f808 0f84b5070000 83f807 }

        // n = 6, score = 100 | mov eax, [?]; add edx, eax; mov eax, [?]; add eax, edx; add eax, 0x105; movzx edx, byte ptr [eax + 0x406020]
        $sequence_26 = { a1???????? 01c2 a1???????? 01d0 0505010000 0fb69020604000 }

        // n = 5, score = 100 | cmp dword ptr [ebp - 0x2218], 0; je 0xe; mov dword ptr [ebp - 0x2224], 0x4508a4; jmp 0xc; mov dword ptr [ebp - 0x2224], 0x44d4d4
        $sequence_27 = { 83bde8ddffff00 740c c785dcddffffa4084500 eb0a c785dcddffffd4d44400 }

        // n = 7, score = 100 | mov dword ptr [ebp + ecx - 0x17c], eax; lea eax, [ebp - 0x110]; mov byte ptr [ebp - 4], 2; push eax; mov dword ptr [ebp - 0x110], 0x43739c; call ?; mov eax, dword ptr [ebp - 0xc8]
        $sequence_28 = { 89840d84feffff 8d85f0feffff c645fc02 50 c785f0feffff9c734300 e8???????? 8b8538ffffff }

        // n = 7, score = 100 | xor eax, eax; cmp dword ptr [eax + 0x42f980], edi; je 0x97; inc dword ptr [ebp - 0x1c]; add eax, 0x30; cmp eax, 0xf0; jb 0xffffffe9
        $sequence_29 = { 33c0 39b880f94200 0f8491000000 ff45e4 83c030 3df0000000 72e7 }

        // n = 7, score = 100 | test dword ptr [esi + 0xc], 0x10c; jne 0x50; push ebx; push edi; lea edi, [eax*4 + 0x4310c0]; cmp dword ptr [edi], 0; mov ebx, 0x1000
        $sequence_30 = { f7460c0c010000 754e 53 57 8d3c85c0104300 833f00 bb00100000 }

        // n = 6, score = 100 | mov dword ptr [ebp - 0x20], 0x430488; jmp 0xffffffbd; fld1; mov eax, dword ptr [ebp + 0x10]; fstp qword ptr [eax]; jmp ?
        $sequence_31 = { c745e088044300 ebbb d9e8 8b4510 dd18 e9???????? }

        // n = 5, score = 100 | mov dword ptr [esp], eax; call ?; mov edx, eax; mov eax, dword ptr [ebp - 0x24]; cmp edx, eax
        $sequence_32 = { 890424 e8???????? 89c2 8b45dc 39c2 }

        // n = 6, score = 100 | call ?; mov dword ptr [ebp - 0x24], eax; cmp dword ptr [ebp - 0x24], 0x7e0; jle 0x3d4; mov dword ptr [esp], ?; call ?
        $sequence_33 = { e8???????? 8945dc 817ddce0070000 0f8ece030000 c70424???????? e8???????? }

        // n = 4, score = 100 | mov dword ptr [ebp - 0x54], 0x44; push 0x10; push 0; lea eax, [ebp - 0x6c]
        $sequence_34 = { c745ac44000000 6a10 6a00 8d4594 }

        // n = 5, score = 100 | every operand address is wildcarded: mov dword ptr [?], 0x41154b; mov [?], esi; mov [?], eax; call [?]; mov [?], eax
        $sequence_35 = { c705????????4b154100 8935???????? a3???????? ff15???????? a3???????? }

        // n = 6, score = 100 | mov eax, dword ptr [ebp + 8]; mov dword ptr [esp], eax; call ?; cmp eax, 0x104; jbe 9; mov eax, 1
        $sequence_36 = { 8b4508 890424 e8???????? 3d04010000 7607 b801000000 }

        // n = 4, score = 100 | four consecutive dword stores of printable-ASCII immediates (looks like an inline stack string; not verified):
        //   mov dword ptr [ebp - 0x178], 0x78566262; mov dword ptr [ebp - 0x174], 0x627a746f; mov dword ptr [ebp - 0x170], 0x7a6b5462; mov dword ptr [ebp - 0x16c], 0x7178757d
        $sequence_37 = { c78588feffff62625678 c7858cfeffff6f747a62 c78590feffff62546b7a c78594feffff7d757871 }

        // n = 5, score = 100 | mov dword ptr [esp], edi; call ?; cmp eax, ebp; je 0x20; mov dword ptr [esp + 4], 0x5c
        $sequence_38 = { 893c24 e8???????? 39e8 741e c74424045c000000 }

        // n = 7, score = 100 | mov esi, eax; sar esi, 5; shl ecx, 6; add ecx, dword ptr [esi*4 + 0x4324a0]; jmp 4; mov ecx, edx; test byte ptr [ecx + 0x24], 0x7f
        $sequence_39 = { 8bf0 c1fe05 c1e106 030cb5a0244300 eb02 8bca f641247f }

        // n = 5, score = 100 | lea ecx, [ebp - 0x4c4]; call ?; mov edx, ?; mov ecx, eax; call ?
        $sequence_40 = { 8d8d3cfbffff e8???????? ba???????? 8bc8 e8???????? }

        // n = 7, score = 100 | call ?; mov dword ptr [ebp - 8], eax; cmp dword ptr [ebp - 8], 0; jl 0x29; lea eax, [ebp + 0x14]; mov dword ptr [ebp - 0x20], eax; mov eax, dword ptr [ebp - 0x20]
        $sequence_41 = { e8???????? 8945f8 837df800 7c27 8d4514 8945e0 8b45e0 }

        // n = 7, score = 100 | mov al, byte ptr [ecx + 0x43ce60]; lea ecx, [ecx + 1]; mov byte ptr [ecx + 0x43cdf7], al; test al, al; jne 0xffffffef; lea ecx, [ebp - 0xf47d8]; call ?
        $sequence_42 = { 8a8160ce4300 8d4901 8881f7cd4300 84c0 75ed 8d8d28b8f0ff e8???????? }

        // n = 5, score = 100 | je 0x11; mov ecx, dword ptr [ebp + 0x14]; mov edx, dword ptr [ecx*4 + 0x45eac4]; mov dword ptr [ebp - 0x10], edx; jmp 0xf
        $sequence_43 = { 740f 8b4d14 8b148dc4ea4500 8955f0 eb0d }

        // n = 5, score = 100 | push 0x7c4; push ?; push ?; call ?; add esp, 0xc
        $sequence_44 = { 68c4070000 68???????? 68???????? e8???????? 83c40c }

        // n = 4, score = 100 | lea eax, [eax*2 + 0x4305ac]; mov ecx, eax; sub ecx, esi; push 3
        $sequence_45 = { 8d0445ac054300 8bc8 2bce 6a03 }

        // n = 4, score = 100 | jmp 9; mov dword ptr [ebp - 0x30], 0x4692d0; mov eax, dword ptr [ebp - 0x30]; mov cl, byte ptr [eax + 0x2d]
        $sequence_46 = { eb07 c745d0d0924600 8b45d0 8a482d }

        // n = 7, score = 100 | cmp eax, 0x104; jbe 9; mov eax, 1; jmp 0x35; mov dword ptr [esp + 4], 0x104; mov dword ptr [esp], ?; call ?
        $sequence_47 = { 3d04010000 7607 b801000000 eb33 c744240404010000 c70424???????? e8???????? }

        // n = 4, score = 100 | mov ebp, dword ptr [esp + 0x138]; add esp, 0x13c; ret; shr eax, 0x10
        $sequence_48 = { 8bac2438010000 81c43c010000 c3 c1e810 }

        // n = 7, score = 100 | mov dword ptr [eax + edi - 0x58], 0x4372dc; mov eax, dword ptr [edi - 0x58]; mov ecx, dword ptr [eax + 4]; lea eax, [ecx - 8]; mov dword ptr [ecx + edi - 0x5c], eax; mov eax, dword ptr [edi - 0x68]; mov eax, dword ptr [eax + 4]
        $sequence_49 = { c74438a8dc724300 8b47a8 8b4804 8d41f8 894439a4 8b4798 8b4004 }

        // n = 5, score = 100 | mov byte ptr [ebp - 1], al; lea ecx, [ebp - 1]; call ?; mov dword ptr [ebp - 0x18], eax; mov dword ptr [ebp - 0xc], 0x46a534
        $sequence_50 = { 8845ff 8d4dff e8???????? 8945e8 c745f434a54600 }

        // n = 4, score = 100 | mov edi, dword ptr [ebp - 0xf47c0]; mov eax, 0xde; cmp bx, ax; jg 0xfffffae2
        $sequence_51 = { 8bbd40b8f0ff b8de000000 663bd8 0f8fdcfaffff }

        // n = 4, score = 100 | test eax, eax; je 0xd4; nop word ptr [eax + eax]; mov edx, dword ptr [ebp - 0x208]
        $sequence_52 = { 85c0 0f84ce000000 66660f1f840000000000 8b95f8fdffff }

        // n = 6, score = 100 | inc ecx; add byte ptr [edi - 0x67], cl; inc ecx; add byte ptr [ecx + ebx*4 + 0x41], bl; add byte ptr [ecx - 0x67], ch; inc ecx
        // NOTE(review): the decode is not meaningful code (alternating 0x41/0x00 bytes); this looks like data that the
        // generator disassembled, so expect it to contribute little on its own.
        $sequence_53 = { 41 004f99 41 005c9941 006999 41 }

        // n = 7, score = 100 | mov dword ptr [ebp - 0x10], 1; cmp word ptr [ebx], cx; je 0x1d; mov ecx, ebx; lea edx, [ecx + 2]; nop dword ptr [eax]; mov ax, word ptr [ecx]
        $sequence_54 = { c745f001000000 66390b 741b 8bcb 8d5102 0f1f8000000000 668b01 }

    condition:
        // All strings in this rule are $sequence_* patterns, so the size
        // bound plus any seven of them is the generator's full condition.
        filesize < 1097728
        and 7 of ($sequence_*)
}
import "pe"

/*
 * Hand-written string signature for win.yty (ProofPoint).
 *
 * The strings fall into three tiers that the condition weighs differently:
 *   $x*  - artefacts specific to this family (C2 URI paths, a C2 address, a
 *          victim-profile fragment); a single hit is enough on its own.
 *   $a*  - family-specific identifiers and command-line fragments; three of
 *          them are required.
 *   $s*  - generic capability strings (WMI system-inventory queries,
 *          sandbox-DLL names, VM-check output, module names); six of them
 *          are required because individually they also occur in benign
 *          inventory and debugging software.
 * An import-hash match is an independent fourth path, which may only reach
 * samples that share the referenced build's import table.
 *
 * Hunting note: $x_c2 is matched by the `$x*` wildcard, so that one IP
 * literal alone satisfies the rule; review such single-string hits before
 * acting on them.
 */
rule win_yty_w0 {
    meta:
        author = "James E.C, ProofPoint"
        description = "Modular malware framework with similarities to EHDevel"
        hash = "1e0c1b97925e1ed90562d2c68971e038d8506b354dd6c1d2bcc252d2a48bc31c"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty"
        malpedia_version = "20180312"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Tier 1: family-specific network and profiling artefacts.
        $x1   = "/football/download2/" ascii wide
        $x2   = "/football/download/" ascii wide
        $x3   = "Caption: Xp>" wide
        $x_c2 = "5.135.199.0" ascii fullword

        // Tier 2: family-specific identifiers and arguments.
        $a1 = "getGoogle" ascii fullword
        $a2 = "/q /noretstart" wide
        $a3 = "IsInSandbox" ascii fullword
        $a4 = "syssystemnew" ascii fullword
        $a5 = "ytyinfo" ascii fullword
        $a6 = "\\ytyboth\\yty " ascii

        // Tier 3: generic host-profiling, sandbox-check and module strings.
        $s1  = "SELECT Name FROM Win32_Processor" wide
        $s2  = "SELECT Caption FROM Win32_OperatingSystem" wide
        $s3  = "SELECT SerialNumber FROM Win32_DiskDrive" wide
        $s4  = "VM: Yes" wide fullword
        $s5  = "VM: No" wide fullword
        $s6  = "helpdll.dll" ascii fullword
        $s7  = "boothelp.exe" ascii fullword
        $s8  = "SbieDll.dll" wide fullword
        $s9  = "dbghelp.dll" wide fullword
        $s10 = "YesNoMaybe" ascii fullword
        $s11 = "saveData" ascii fullword
        $s12 = "saveLogs" ascii fullword

    condition:
        // Any one path is sufficient; the tiers are ordered from most to
        // least specific, with the import hash as the final fallback.
        1 of ($x*)
        or 3 of ($a*)
        or 6 of ($s*)
        or pe.imphash() == "87775285899fa860b9963b11596a2ded"
}