Actor(s): APT-C-35, Donot Team, Viceroy Tiger
There is no description at this point.
// Autogenerated code-sequence rule for win.yty (yara-signator output).
// Matching: any 7 of the 55 $sequence_* byte patterns below AND filesize < 1097728 bytes (1072 KiB).
// The "??" bytes mask call/jump displacements and data addresses, consistent with the
// "callsandjumps;datarefs" signator_config, so the patterns tolerate relocation.
// The "score" value on each sequence is the generator's own weighting; sequences
// scored 100 presumably derive from fewer samples than those scored 500 — confirm
// against the yara-signator documentation before treating score as a confidence level.
rule win_yty_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.yty."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each sequence is followed by its disassembly (bytes | instruction), as emitted by the generator.
        $sequence_0 = { 0f840c000000 8365d8fe 8b7508 e9???????? }
            // n = 4, score = 500
            // 0f840c000000 | je 0x12
            // 8365d8fe | and dword ptr [ebp - 0x28], 0xfffffffe
            // 8b7508 | mov esi, dword ptr [ebp + 8]
            // e9???????? |

        $sequence_1 = { 8d45f4 64a300000000 8b7508 33ff 897dd8 }
            // n = 5, score = 500
            // 8d45f4 | lea eax, [ebp - 0xc]
            // 64a300000000 | mov dword ptr fs:[0], eax
            // 8b7508 | mov esi, dword ptr [ebp + 8]
            // 33ff | xor edi, edi
            // 897dd8 | mov dword ptr [ebp - 0x28], edi

        $sequence_2 = { 8975e0 85c9 7407 8b11 8b4204 ffd0 c745fc00000000 }
            // n = 7, score = 400
            // 8975e0 | mov dword ptr [ebp - 0x20], esi
            // 85c9 | test ecx, ecx
            // 7407 | je 9
            // 8b11 | mov edx, dword ptr [ecx]
            // 8b4204 | mov eax, dword ptr [edx + 4]
            // ffd0 | call eax
            // c745fc00000000 | mov dword ptr [ebp - 4], 0

        $sequence_3 = { 668910 8bc6 5b 8be5 5d c20400 }
            // n = 6, score = 400
            // 668910 | mov word ptr [eax], dx
            // 8bc6 | mov eax, esi
            // 5b | pop ebx
            // 8be5 | mov esp, ebp
            // 5d | pop ebp
            // c20400 | ret 4

        $sequence_4 = { ffd2 8b8568ffffff 8b08 8b5108 50 }
            // n = 5, score = 400
            // ffd2 | call edx
            // 8b8568ffffff | mov eax, dword ptr [ebp - 0x98]
            // 8b08 | mov ecx, dword ptr [eax]
            // 8b5108 | mov edx, dword ptr [ecx + 8]
            // 50 | push eax

        $sequence_5 = { eb69 8a1402 2ad1 8bfe 80ea13 }
            // n = 5, score = 400
            // eb69 | jmp 0x6b
            // 8a1402 | mov dl, byte ptr [edx + eax]
            // 2ad1 | sub dl, cl
            // 8bfe | mov edi, esi
            // 80ea13 | sub dl, 0x13

        $sequence_6 = { 6a00 8d4508 c746140f000000 c7461000000000 }
            // n = 4, score = 400
            // 6a00 | push 0
            // 8d4508 | lea eax, [ebp + 8]
            // c746140f000000 | mov dword ptr [esi + 0x14], 0xf
            // c7461000000000 | mov dword ptr [esi + 0x10], 0

        $sequence_7 = { 750c 680e000780 e8???????? 33ff c745fcffffffff }
            // n = 5, score = 400
            // 750c | jne 0xe
            // 680e000780 | push 0x8007000e
            // e8???????? |
            // 33ff | xor edi, edi
            // c745fcffffffff | mov dword ptr [ebp - 4], 0xffffffff

        $sequence_8 = { 80ea04 b904000000 eb23 8b5508 397d1c 7303 }
            // n = 6, score = 400
            // 80ea04 | sub dl, 4
            // b904000000 | mov ecx, 4
            // eb23 | jmp 0x25
            // 8b5508 | mov edx, dword ptr [ebp + 8]
            // 397d1c | cmp dword ptr [ebp + 0x1c], edi
            // 7303 | jae 5

        $sequence_9 = { 85c0 52 0f95c3 ffd6 }
            // n = 4, score = 400
            // 85c0 | test eax, eax
            // 52 | push edx
            // 0f95c3 | setne bl
            // ffd6 | call esi

        $sequence_10 = { 2ad1 8bfe 80ea04 b901000000 e9???????? }
            // n = 5, score = 400
            // 2ad1 | sub dl, cl
            // 8bfe | mov edi, esi
            // 80ea04 | sub dl, 4
            // b901000000 | mov ecx, 1
            // e9???????? |

        $sequence_11 = { 40 3b4610 0f82dbfeffff 397d1c }
            // n = 4, score = 400
            // 40 | inc eax
            // 3b4610 | cmp eax, dword ptr [esi + 0x10]
            // 0f82dbfeffff | jb 0xfffffee1
            // 397d1c | cmp dword ptr [ebp + 0x1c], edi

        $sequence_12 = { 83c40c 8d8de8fdffff 51 53 53 }
            // n = 5, score = 400
            // 83c40c | add esp, 0xc
            // 8d8de8fdffff | lea ecx, [ebp - 0x218]
            // 51 | push ecx
            // 53 | push ebx
            // 53 | push ebx

        $sequence_13 = { 8b4e10 397e14 7211 8a1402 8b3e }
            // n = 5, score = 400
            // 8b4e10 | mov ecx, dword ptr [esi + 0x10]
            // 397e14 | cmp dword ptr [esi + 0x14], edi
            // 7211 | jb 0x13
            // 8a1402 | mov dl, byte ptr [edx + eax]
            // 8b3e | mov edi, dword ptr [esi]

        $sequence_14 = { 894608 8945fc 56 c745f001000000 }
            // n = 4, score = 400
            // 894608 | mov dword ptr [esi + 8], eax
            // 8945fc | mov dword ptr [ebp - 4], eax
            // 56 | push esi
            // c745f001000000 | mov dword ptr [ebp - 0x10], 1

        $sequence_15 = { 8bcf e8???????? 8b0e 8b5104 8b443238 }
            // n = 5, score = 400
            // 8bcf | mov ecx, edi
            // e8???????? |
            // 8b0e | mov ecx, dword ptr [esi]
            // 8b5104 | mov edx, dword ptr [ecx + 4]
            // 8b443238 | mov eax, dword ptr [edx + esi + 0x38]

        $sequence_16 = { 53 50 e8???????? 83c40c 8d8de8fdffff }
            // n = 5, score = 400
            // 53 | push ebx
            // 50 | push eax
            // e8???????? |
            // 83c40c | add esp, 0xc
            // 8d8de8fdffff | lea ecx, [ebp - 0x218]

        $sequence_17 = { 7303 8d5508 8b4e10 397e14 7214 }
            // n = 5, score = 400
            // 7303 | jae 5
            // 8d5508 | lea edx, [ebp + 8]
            // 8b4e10 | mov ecx, dword ptr [esi + 0x10]
            // 397e14 | cmp dword ptr [esi + 0x14], edi
            // 7214 | jb 0x16

        $sequence_18 = { 8bfe 8a1402 2ad1 80ea13 33c9 881407 }
            // n = 6, score = 400
            // 8bfe | mov edi, esi
            // 8a1402 | mov dl, byte ptr [edx + eax]
            // 2ad1 | sub dl, cl
            // 80ea13 | sub dl, 0x13
            // 33c9 | xor ecx, ecx
            // 881407 | mov byte ptr [edi + eax], dl

        $sequence_19 = { 8b4c3138 33db 895de8 885def 8975e0 }
            // n = 5, score = 400
            // 8b4c3138 | mov ecx, dword ptr [ecx + esi + 0x38]
            // 33db | xor ebx, ebx
            // 895de8 | mov dword ptr [ebp - 0x18], ebx
            // 885def | mov byte ptr [ebp - 0x11], bl
            // 8975e0 | mov dword ptr [ebp - 0x20], esi

        $sequence_20 = { 807def00 8b5de8 7503 83cb02 8b16 8b4a04 }
            // n = 6, score = 400
            // 807def00 | cmp byte ptr [ebp - 0x11], 0
            // 8b5de8 | mov ebx, dword ptr [ebp - 0x18]
            // 7503 | jne 5
            // 83cb02 | or ebx, 2
            // 8b16 | mov edx, dword ptr [esi]
            // 8b4a04 | mov ecx, dword ptr [edx + 4]

        $sequence_21 = { c0ea02 8ac4 80e20f c0e004 }
            // n = 4, score = 300
            // c0ea02 | shr dl, 2
            // 8ac4 | mov al, ah
            // 80e20f | and dl, 0xf
            // c0e004 | shl al, 4

        $sequence_22 = { 8b07 eb02 8bc7 8b4de0 }
            // n = 4, score = 300
            // 8b07 | mov eax, dword ptr [edi]
            // eb02 | jmp 4
            // 8bc7 | mov eax, edi
            // 8b4de0 | mov ecx, dword ptr [ebp - 0x20]

        $sequence_23 = { 8b4c1938 895dd4 85c9 7405 8b01 ff5004 c745fc00000000 }
            // n = 7, score = 200
            // 8b4c1938 | mov ecx, dword ptr [ecx + ebx + 0x38]
            // 895dd4 | mov dword ptr [ebp - 0x2c], ebx
            // 85c9 | test ecx, ecx
            // 7405 | je 7
            // 8b01 | mov eax, dword ptr [ecx]
            // ff5004 | call dword ptr [eax + 4]
            // c745fc00000000 | mov dword ptr [ebp - 4], 0

        $sequence_24 = { 8b85c4f5ffff 50 e8???????? 83c404 8d95c0f5ffff 33c9 52 }
            // n = 7, score = 200
            // 8b85c4f5ffff | mov eax, dword ptr [ebp - 0xa3c]
            // 50 | push eax
            // e8???????? |
            // 83c404 | add esp, 4
            // 8d95c0f5ffff | lea edx, [ebp - 0xa40]
            // 33c9 | xor ecx, ecx
            // 52 | push edx

        $sequence_25 = { 8bcc 8975f4 50 e8???????? ff7510 8d4dd4 }
            // n = 6, score = 100
            // 8bcc | mov ecx, esp
            // 8975f4 | mov dword ptr [ebp - 0xc], esi
            // 50 | push eax
            // e8???????? |
            // ff7510 | push dword ptr [ebp + 0x10]
            // 8d4dd4 | lea ecx, [ebp - 0x2c]

        $sequence_26 = { 762a 8b4d08 8b5108 8a8210a04600 2c01 8845ff 8b4d08 }
            // n = 7, score = 100
            // 762a | jbe 0x2c
            // 8b4d08 | mov ecx, dword ptr [ebp + 8]
            // 8b5108 | mov edx, dword ptr [ecx + 8]
            // 8a8210a04600 | mov al, byte ptr [edx + 0x46a010]
            // 2c01 | sub al, 1
            // 8845ff | mov byte ptr [ebp - 1], al
            // 8b4d08 | mov ecx, dword ptr [ebp + 8]

        $sequence_27 = { 68???????? ff15???????? 3bf4 e8???????? 8bf4 8b4594 50 }
            // n = 7, score = 100
            // 68???????? |
            // ff15???????? |
            // 3bf4 | cmp esi, esp
            // e8???????? |
            // 8bf4 | mov esi, esp
            // 8b4594 | mov eax, dword ptr [ebp - 0x6c]
            // 50 | push eax

        $sequence_28 = { b9???????? e8???????? 51 8d8d90bcf0ff }
            // n = 4, score = 100
            // b9???????? |
            // e8???????? |
            // 51 | push ecx
            // 8d8d90bcf0ff | lea ecx, [ebp - 0xf4370]

        $sequence_29 = { 6bf630 8b0c8d60cb4300 80643128fd 5f }
            // n = 4, score = 100
            // 6bf630 | imul esi, esi, 0x30
            // 8b0c8d60cb4300 | mov ecx, dword ptr [ecx*4 + 0x43cb60]
            // 80643128fd | and byte ptr [ecx + esi + 0x28], 0xfd
            // 5f | pop edi

        $sequence_30 = { 8bec 8b4508 8bc8 83e01f c1f905 8b0c8da0244300 }
            // n = 6, score = 100
            // 8bec | mov ebp, esp
            // 8b4508 | mov eax, dword ptr [ebp + 8]
            // 8bc8 | mov ecx, eax
            // 83e01f | and eax, 0x1f
            // c1f905 | sar ecx, 5
            // 8b0c8da0244300 | mov ecx, dword ptr [ecx*4 + 0x4324a0]

        $sequence_31 = { 83e61f 8d3c8da0244300 8b0f c1e606 833c0eff 7535 833d????????01 }
            // n = 7, score = 100
            // 83e61f | and esi, 0x1f
            // 8d3c8da0244300 | lea edi, [ecx*4 + 0x4324a0]
            // 8b0f | mov ecx, dword ptr [edi]
            // c1e606 | shl esi, 6
            // 833c0eff | cmp dword ptr [esi + ecx], -1
            // 7535 | jne 0x37
            // 833d????????01 |

        $sequence_32 = { c745e401000000 e9???????? c745e000000000 8b15???????? a1???????? 01d0 }
            // n = 6, score = 100
            // c745e401000000 | mov dword ptr [ebp - 0x1c], 1
            // e9???????? |
            // c745e000000000 | mov dword ptr [ebp - 0x20], 0
            // 8b15???????? |
            // a1???????? |
            // 01d0 | add eax, edx

        $sequence_33 = { ff15???????? 85c0 0f85e3020000 68???????? 50 50 ff15???????? }
            // n = 7, score = 100
            // ff15???????? |
            // 85c0 | test eax, eax
            // 0f85e3020000 | jne 0x2e9
            // 68???????? |
            // 50 | push eax
            // 50 | push eax
            // ff15???????? |

        $sequence_34 = { 8b4804 8d4190 89840df0b8f0ff 8d8d04b9f0ff e8???????? 8b85f4b8f0ff 8b4004 }
            // n = 7, score = 100
            // 8b4804 | mov ecx, dword ptr [eax + 4]
            // 8d4190 | lea eax, [ecx - 0x70]
            // 89840df0b8f0ff | mov dword ptr [ebp + ecx - 0xf4710], eax
            // 8d8d04b9f0ff | lea ecx, [ebp - 0xf46fc]
            // e8???????? |
            // 8b85f4b8f0ff | mov eax, dword ptr [ebp - 0xf470c]
            // 8b4004 | mov eax, dword ptr [eax + 4]

        $sequence_35 = { 0f851f040000 8d853cfeffff 83c01c 890424 }
            // n = 4, score = 100
            // 0f851f040000 | jne 0x425
            // 8d853cfeffff | lea eax, [ebp - 0x1c4]
            // 83c01c | add eax, 0x1c
            // 890424 | mov dword ptr [esp], eax

        $sequence_36 = { 8b4d0c 83e13f 6bd130 8b048500b04600 }
            // n = 4, score = 100
            // 8b4d0c | mov ecx, dword ptr [ebp + 0xc]
            // 83e13f | and ecx, 0x3f
            // 6bd130 | imul edx, ecx, 0x30
            // 8b048500b04600 | mov eax, dword ptr [eax*4 + 0x46b000]

        $sequence_37 = { 3bf4 e8???????? 8bf4 8b8574fcffff 50 ff15???????? 3bf4 }
            // n = 7, score = 100
            // 3bf4 | cmp esi, esp
            // e8???????? |
            // 8bf4 | mov esi, esp
            // 8b8574fcffff | mov eax, dword ptr [ebp - 0x38c]
            // 50 | push eax
            // ff15???????? |
            // 3bf4 | cmp esi, esp

        $sequence_38 = { 01ca 0fb612 89d1 8b550c 01ca 8810 }
            // n = 6, score = 100
            // 01ca | add edx, ecx
            // 0fb612 | movzx edx, byte ptr [edx]
            // 89d1 | mov ecx, edx
            // 8b550c | mov edx, dword ptr [ebp + 0xc]
            // 01ca | add edx, ecx
            // 8810 | mov byte ptr [eax], dl

        $sequence_39 = { 740c c785d4ddffffac084500 eb0a c785d4ddffffd4d44400 8b85a4ddffff 50 }
            // n = 6, score = 100
            // 740c | je 0xe
            // c785d4ddffffac084500 | mov dword ptr [ebp - 0x222c], 0x4508ac
            // eb0a | jmp 0xc
            // c785d4ddffffd4d44400 | mov dword ptr [ebp - 0x222c], 0x44d4d4
            // 8b85a4ddffff | mov eax, dword ptr [ebp - 0x225c]
            // 50 | push eax

        $sequence_40 = { 8b4508 890424 e8???????? 8945d8 837dd800 0f847a050000 }
            // n = 6, score = 100
            // 8b4508 | mov eax, dword ptr [ebp + 8]
            // 890424 | mov dword ptr [esp], eax
            // e8???????? |
            // 8945d8 | mov dword ptr [ebp - 0x28], eax
            // 837dd800 | cmp dword ptr [ebp - 0x28], 0
            // 0f847a050000 | je 0x580

        $sequence_41 = { e8???????? c78562feffff00000000 8d8566feffff b960000000 bb00000000 }
            // n = 5, score = 100
            // e8???????? |
            // c78562feffff00000000 | mov dword ptr [ebp - 0x19e], 0
            // 8d8566feffff | lea eax, [ebp - 0x19a]
            // b960000000 | mov ecx, 0x60
            // bb00000000 | mov ebx, 0

        $sequence_42 = { 8d8da8efffff e8???????? 50 8d8dd0efffff e8???????? 8d8da8efffff e9???????? }
            // n = 7, score = 100
            // 8d8da8efffff | lea ecx, [ebp - 0x1058]
            // e8???????? |
            // 50 | push eax
            // 8d8dd0efffff | lea ecx, [ebp - 0x1030]
            // e8???????? |
            // 8d8da8efffff | lea ecx, [ebp - 0x1058]
            // e9???????? |

        $sequence_43 = { e8???????? 83ec0c 8d8ddcfbffff 0f1000 0f1105???????? f30f7e4010 }
            // n = 6, score = 100
            // e8???????? |
            // 83ec0c | sub esp, 0xc
            // 8d8ddcfbffff | lea ecx, [ebp - 0x424]
            // 0f1000 | movups xmm0, xmmword ptr [eax]
            // 0f1105???????? |
            // f30f7e4010 | movq xmm0, qword ptr [eax + 0x10]

        $sequence_44 = { f3ab c745f800000000 c745d400000000 8b450c }
            // n = 4, score = 100
            // f3ab | rep stosd dword ptr es:[edi], eax
            // c745f800000000 | mov dword ptr [ebp - 8], 0
            // c745d400000000 | mov dword ptr [ebp - 0x2c], 0
            // 8b450c | mov eax, dword ptr [ebp + 0xc]

        $sequence_45 = { e8???????? c78324020000ffffffff c78328020000ffffffff 83c414 5b }
            // n = 5, score = 100
            // e8???????? |
            // c78324020000ffffffff | mov dword ptr [ebx + 0x224], 0xffffffff
            // c78328020000ffffffff | mov dword ptr [ebx + 0x228], 0xffffffff
            // 83c414 | add esp, 0x14
            // 5b | pop ebx

        $sequence_46 = { 56 53 83ec14 8b5c2420 e8???????? 85db c70000000000 }
            // n = 7, score = 100
            // 56 | push esi
            // 53 | push ebx
            // 83ec14 | sub esp, 0x14
            // 8b5c2420 | mov ebx, dword ptr [esp + 0x20]
            // e8???????? |
            // 85db | test ebx, ebx
            // c70000000000 | mov dword ptr [eax], 0

        $sequence_47 = { e9???????? 8975e4 33c0 39b880f94200 }
            // n = 4, score = 100
            // e9???????? |
            // 8975e4 | mov dword ptr [ebp - 0x1c], esi
            // 33c0 | xor eax, eax
            // 39b880f94200 | cmp dword ptr [eax + 0x42f980], edi

        $sequence_48 = { 750c c785bcddffff60084500 eb0a c785bcddffffd4d44400 b802000000 }
            // n = 5, score = 100
            // 750c | jne 0xe
            // c785bcddffff60084500 | mov dword ptr [ebp - 0x2244], 0x450860
            // eb0a | jmp 0xc
            // c785bcddffffd4d44400 | mov dword ptr [ebp - 0x2244], 0x44d4d4
            // b802000000 | mov eax, 2

        $sequence_49 = { 83e63f c1ff06 6bf630 8b04bd60cb4300 f644302880 741f e8???????? }
            // n = 7, score = 100
            // 83e63f | and esi, 0x3f
            // c1ff06 | sar edi, 6
            // 6bf630 | imul esi, esi, 0x30
            // 8b04bd60cb4300 | mov eax, dword ptr [edi*4 + 0x43cb60]
            // f644302880 | test byte ptr [eax + esi + 0x28], 0x80
            // 741f | je 0x21
            // e8???????? |

        $sequence_50 = { 8d15f0224100 e8???????? 58 5a }
            // n = 4, score = 100
            // 8d15f0224100 | lea edx, [0x4122f0]
            // e8???????? |
            // 58 | pop eax
            // 5a | pop edx

        $sequence_51 = { 83e826 89c2 a1???????? c744240800000000 89542404 890424 e8???????? }
            // n = 7, score = 100
            // 83e826 | sub eax, 0x26
            // 89c2 | mov edx, eax
            // a1???????? |
            // c744240800000000 | mov dword ptr [esp + 8], 0
            // 89542404 | mov dword ptr [esp + 4], edx
            // 890424 | mov dword ptr [esp], eax
            // e8???????? |

        $sequence_52 = { 0f87b1030000 ff24bd41574200 8b41e4 3b42e4 7478 0fb642e4 0fb671e4 }
            // n = 7, score = 100
            // 0f87b1030000 | ja 0x3b7
            // ff24bd41574200 | jmp dword ptr [edi*4 + 0x425741]
            // 8b41e4 | mov eax, dword ptr [ecx - 0x1c]
            // 3b42e4 | cmp eax, dword ptr [edx - 0x1c]
            // 7478 | je 0x7a
            // 0fb642e4 | movzx eax, byte ptr [edx - 0x1c]
            // 0fb671e4 | movzx esi, byte ptr [ecx - 0x1c]

        $sequence_53 = { 57 897de8 ff15???????? 8bd0 8955ec c645fc01 c746140f000000 }
            // n = 7, score = 100
            // 57 | push edi
            // 897de8 | mov dword ptr [ebp - 0x18], edi
            // ff15???????? |
            // 8bd0 | mov edx, eax
            // 8955ec | mov dword ptr [ebp - 0x14], edx
            // c645fc01 | mov byte ptr [ebp - 4], 1
            // c746140f000000 | mov dword ptr [esi + 0x14], 0xf

        $sequence_54 = { c745dc03000000 eb7c c745e088044300 ebbb d9e8 }
            // n = 5, score = 100
            // c745dc03000000 | mov dword ptr [ebp - 0x24], 3
            // eb7c | jmp 0x7e
            // c745e088044300 | mov dword ptr [ebp - 0x20], 0x430488
            // ebbb | jmp 0xffffffbd
            // d9e8 | fld1

    condition:
        // Threshold rule: no single sequence is decisive on its own; 7 of the 55 must be present.
        // The filesize cap (1097728 bytes) bounds scanning cost and excludes large carriers; note
        // that it also excludes larger memory dumps of the same family.
        7 of them and filesize < 1097728
}
// Needed for pe.imphash() in the condition below.
import "pe"

// Hand-written string rule for win.yty (a.k.a. yty), attributed in meta to the sample
// with the listed SHA-256. Four independent branches can fire: an import-hash match,
// any one high-confidence $x* string, three $a* strings, or six $s* strings.
rule win_yty_w0 {

    meta:
        author = "James E.C, ProofPoint"
        description = "Modular malware framework with similarities to EHDevel"
        hash = "1e0c1b97925e1ed90562d2c68971e038d8506b354dd6c1d2bcc252d2a48bc31c"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty"
        malpedia_version = "20180312"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // $x*: any single one of these is enough to match (see condition).
        // Download-path fragments and a WMI-caption fragment observed in the sample.
        $x1 = "/football/download2/" ascii wide
        $x2 = "/football/download/" ascii wide
        $x3 = "Caption: Xp>" wide
        // By its name a C2 address; the page gives no further context, so verify before
        // reusing it as a standalone network indicator — a bare dotted quad as a
        // single-string trigger is the branch most likely to collide with unrelated content.
        $x_c2 = "5.135.199.0" ascii fullword

        // $a*: family-specific identifiers; three of six are required.
        $a1 = "getGoogle" ascii fullword
        // Spelling kept as in the rule ("noretstart"); it resembles a misspelled
        // /norestart switch and is presumably verbatim from the sample — do not "fix" it.
        $a2 = "/q /noretstart" wide
        $a3 = "IsInSandbox" ascii fullword
        $a4 = "syssystemnew" ascii fullword
        $a5 = "ytyinfo" ascii fullword
        // Trailing space is intentional (part of the matched string).
        $a6 = "\\ytyboth\\yty " ascii

        // $s*: supporting strings; six of twelve are required.
        // NOTE(review): the WMI queries and SbieDll.dll / dbghelp.dll checks also appear
        // in benign tooling, so this is the loosest branch — the "VM: Yes/No", helpdll.dll,
        // boothelp.exe and YesNoMaybe strings presumably carry most of its specificity.
        $s1 = "SELECT Name FROM Win32_Processor" wide
        $s2 = "SELECT Caption FROM Win32_OperatingSystem" wide
        $s3 = "SELECT SerialNumber FROM Win32_DiskDrive" wide
        $s4 = "VM: Yes" wide fullword
        $s5 = "VM: No" wide fullword
        $s6 = "helpdll.dll" ascii fullword
        $s7 = "boothelp.exe" ascii fullword
        $s8 = "SbieDll.dll" wide fullword
        $s9 = "dbghelp.dll" wide fullword
        $s10 = "YesNoMaybe" ascii fullword
        $s11 = "saveData" ascii fullword
        $s12 = "saveLogs" ascii fullword

    condition:
        // The imphash branch matches any PE with this import hash regardless of strings;
        // imphash is shared by builds with identical import tables, so treat a hit on this
        // branch alone as a lead to confirm rather than a definitive identification.
        // On non-PE input pe.imphash() is undefined and this branch evaluates false, leaving
        // the string branches to decide.
        pe.imphash() == "87775285899fa860b9963b11596a2ded" or 1 of ($x*) or 3 of ($a*) or 6 of ($s*)
}