Actor(s): APT-C-35, Donot Team, Viceroy Tiger
There is no description at this point.
// Auto-generated code-sequence rule for win.yty (yara-signator).
// Each $sequence_N is a run of x86 opcode bytes lifted from the disassembly
// of unpacked samples / memory dumps; "??" wildcards mask operands that vary
// between builds (call/jmp displacements and absolute address references).
// Trailing "n" is the number of instructions in the sequence. "score"
// presumably reflects how many of the analysed samples share the sequence
// (higher = more general) -- confirm against the yara-signator documentation.
// Detection-engineering caveats:
//  - sequences that embed absolute addresses (e.g. 0x4324a0, 0x46b000,
//    0x42c320) are tied to one specific build/image base and will not
//    generalise to recompiled or rebased samples;
//  - $sequence_47 is a run of 0x1d bytes followed by an ascending byte run,
//    which looks like a data table rather than code -- the disassembly shown
//    for it is likely spurious, so treat that sequence as low-value.
rule win_yty_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.yty."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 83e001 0f840c000000 8365d8fe 8b7508 e9???????? c3 }
            // n = 6, score = 500
            //   83e001               | and                 eax, 1
            //   0f840c000000         | je                  0x12
            //   8365d8fe             | and                 dword ptr [ebp - 0x28], 0xfffffffe
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   e9????????           |
            //   c3                   | ret

        $sequence_1 = { 64a300000000 8b7508 33ff 897dd8 }
            // n = 4, score = 500
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   33ff                 | xor                 edi, edi
            //   897dd8               | mov                 dword ptr [ebp - 0x28], edi

        $sequence_2 = { 8bfe 8a1402 2ad1 80ea13 33c9 881407 }
            // n = 6, score = 400
            //   8bfe                 | mov                 edi, esi
            //   8a1402               | mov                 dl, byte ptr [edx + eax]
            //   2ad1                 | sub                 dl, cl
            //   80ea13               | sub                 dl, 0x13
            //   33c9                 | xor                 ecx, ecx
            //   881407               | mov                 byte ptr [edi + eax], dl

        $sequence_3 = { 807def00 8b5de8 7503 83cb02 8b16 8b4a04 }
            // n = 6, score = 400
            //   807def00             | cmp                 byte ptr [ebp - 0x11], 0
            //   8b5de8               | mov                 ebx, dword ptr [ebp - 0x18]
            //   7503                 | jne                 5
            //   83cb02               | or                  ebx, 2
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   8b4a04               | mov                 ecx, dword ptr [edx + 4]

        $sequence_4 = { 8b4c3138 33db 895de8 885def 8975e0 85c9 7407 }
            // n = 7, score = 400
            //   8b4c3138             | mov                 ecx, dword ptr [ecx + esi + 0x38]
            //   33db                 | xor                 ebx, ebx
            //   895de8               | mov                 dword ptr [ebp - 0x18], ebx
            //   885def               | mov                 byte ptr [ebp - 0x11], bl
            //   8975e0               | mov                 dword ptr [ebp - 0x20], esi
            //   85c9                 | test                ecx, ecx
            //   7407                 | je                  9

        $sequence_5 = { c645fc01 e8???????? 8b10 8b4a04 03c8 }
            // n = 5, score = 400
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   e8????????           |
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   8b4a04               | mov                 ecx, dword ptr [edx + 4]
            //   03c8                 | add                 ecx, eax

        $sequence_6 = { 51 e8???????? 83c408 8bf0 6a0a 8bce }
            // n = 6, score = 400
            //   51                   | push                ecx
            //   e8????????           |
            //   83c408               | add                 esp, 8
            //   8bf0                 | mov                 esi, eax
            //   6a0a                 | push                0xa
            //   8bce                 | mov                 ecx, esi

        $sequence_7 = { 80ea13 b903000000 eb69 8a1402 2ad1 }
            // n = 5, score = 400
            //   80ea13               | sub                 dl, 0x13
            //   b903000000           | mov                 ecx, 3
            //   eb69                 | jmp                 0x6b
            //   8a1402               | mov                 dl, byte ptr [edx + eax]
            //   2ad1                 | sub                 dl, cl

        $sequence_8 = { 80ea13 b902000000 e9???????? 8a1402 2ad1 }
            // n = 5, score = 400
            //   80ea13               | sub                 dl, 0x13
            //   b902000000           | mov                 ecx, 2
            //   e9????????           |
            //   8a1402               | mov                 dl, byte ptr [edx + eax]
            //   2ad1                 | sub                 dl, cl

        $sequence_9 = { 8b3e 2ad1 80ea04 b904000000 eb34 8a1402 2ad1 }
            // n = 7, score = 400
            //   8b3e                 | mov                 edi, dword ptr [esi]
            //   2ad1                 | sub                 dl, cl
            //   80ea04               | sub                 dl, 4
            //   b904000000           | mov                 ecx, 4
            //   eb34                 | jmp                 0x36
            //   8a1402               | mov                 dl, byte ptr [edx + eax]
            //   2ad1                 | sub                 dl, cl

        $sequence_10 = { 50 ffd2 ff15???????? 8a857bffffff 8b4df4 }
            // n = 5, score = 400
            //   50                   | push                eax
            //   ffd2                 | call                edx
            //   ff15????????         |
            //   8a857bffffff         | mov                 al, byte ptr [ebp - 0x85]
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]

        $sequence_11 = { 8b08 8b5108 50 ffd2 8b8568ffffff 8b08 }
            // n = 6, score = 400
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8b5108               | mov                 edx, dword ptr [ecx + 8]
            //   50                   | push                eax
            //   ffd2                 | call                edx
            //   8b8568ffffff         | mov                 eax, dword ptr [ebp - 0x98]
            //   8b08                 | mov                 ecx, dword ptr [eax]

        $sequence_12 = { e8???????? 83c40c 8d8de8fdffff 51 53 53 }
            // n = 6, score = 400
            //   e8????????           |
            //   83c40c               | add                 esp, 0xc
            //   8d8de8fdffff         | lea                 ecx, [ebp - 0x218]
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   53                   | push                ebx

        $sequence_13 = { e8???????? 8b5610 33c9 33c0 8d7910 85d2 }
            // n = 6, score = 400
            //   e8????????           |
            //   8b5610               | mov                 edx, dword ptr [esi + 0x10]
            //   33c9                 | xor                 ecx, ecx
            //   33c0                 | xor                 eax, eax
            //   8d7910               | lea                 edi, [ecx + 0x10]
            //   85d2                 | test                edx, edx

        $sequence_14 = { 53 50 e8???????? 83c40c 8d8de8fdffff }
            // n = 5, score = 400
            //   53                   | push                ebx
            //   50                   | push                eax
            //   e8????????           |
            //   83c40c               | add                 esp, 0xc
            //   8d8de8fdffff         | lea                 ecx, [ebp - 0x218]

        $sequence_15 = { 8906 894604 894608 8945fc 56 c745f001000000 }
            // n = 6, score = 400
            //   8906                 | mov                 dword ptr [esi], eax
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   56                   | push                esi
            //   c745f001000000       | mov                 dword ptr [ebp - 0x10], 1

        $sequence_16 = { 668910 8bc6 5b 8be5 5d c20400 }
            // n = 6, score = 400
            //   668910               | mov                 word ptr [eax], dx
            //   8bc6                 | mov                 eax, esi
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4

        $sequence_17 = { 50 8bce c60600 e8???????? 8b5610 33c9 }
            // n = 6, score = 400
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi
            //   c60600               | mov                 byte ptr [esi], 0
            //   e8????????           |
            //   8b5610               | mov                 edx, dword ptr [esi + 0x10]
            //   33c9                 | xor                 ecx, ecx

        $sequence_18 = { 8965f0 8bf9 8b7508 8b06 8b4804 8b4c3138 33db }
            // n = 7, score = 400
            //   8965f0               | mov                 dword ptr [ebp - 0x10], esp
            //   8bf9                 | mov                 edi, ecx
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   8b4c3138             | mov                 ecx, dword ptr [ecx + esi + 0x38]
            //   33db                 | xor                 ebx, ebx

        $sequence_19 = { 85d2 0f8425010000 83f904 0f8712010000 }
            // n = 4, score = 400
            //   85d2                 | test                edx, edx
            //   0f8425010000         | je                  0x12b
            //   83f904               | cmp                 ecx, 4
            //   0f8712010000         | ja                  0x118

        $sequence_20 = { 8bfe 80ea04 b901000000 e9???????? 8b5508 397d1c }
            // n = 6, score = 400
            //   8bfe                 | mov                 edi, esi
            //   80ea04               | sub                 dl, 4
            //   b901000000           | mov                 ecx, 1
            //   e9????????           |
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   397d1c               | cmp                 dword ptr [ebp + 0x1c], edi

        $sequence_21 = { 8b07 eb02 8bc7 8b4de0 }
            // n = 4, score = 300
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   eb02                 | jmp                 4
            //   8bc7                 | mov                 eax, edi
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]

        $sequence_22 = { ff15???????? 6a6d 56 ff15???????? 8b3d???????? 6a00 }
            // n = 6, score = 300
            //   ff15????????         |
            //   6a6d                 | push                0x6d
            //   56                   | push                esi
            //   ff15????????         |
            //   8b3d????????         |
            //   6a00                 | push                0

        $sequence_23 = { 8ad1 c0ea02 8ac4 80e20f c0e004 }
            // n = 5, score = 300
            //   8ad1                 | mov                 dl, cl
            //   c0ea02               | shr                 dl, 2
            //   8ac4                 | mov                 al, ah
            //   80e20f               | and                 dl, 0xf
            //   c0e004               | shl                 al, 4

        $sequence_24 = { 8b4c1938 895dd4 85c9 7405 8b01 ff5004 c745fc00000000 }
            // n = 7, score = 200
            //   8b4c1938             | mov                 ecx, dword ptr [ecx + ebx + 0x38]
            //   895dd4               | mov                 dword ptr [ebp - 0x2c], ebx
            //   85c9                 | test                ecx, ecx
            //   7405                 | je                  7
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   ff5004               | call                dword ptr [eax + 4]
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0

        $sequence_25 = { e8???????? 85c0 740c 8345f401 837df40d 76d4 eb01 }
            // n = 7, score = 100
            //   e8????????           |
            //   85c0                 | test                eax, eax
            //   740c                 | je                  0xe
            //   8345f401             | add                 dword ptr [ebp - 0xc], 1
            //   837df40d             | cmp                 dword ptr [ebp - 0xc], 0xd
            //   76d4                 | jbe                 0xffffffd6
            //   eb01                 | jmp                 3

        $sequence_26 = { 8b45f8 0fb608 0fbe91d8984600 8955e8 837de800 7513 }
            // n = 6, score = 100
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   0fb608               | movzx               ecx, byte ptr [eax]
            //   0fbe91d8984600       | movsx               edx, byte ptr [ecx + 0x4698d8]
            //   8955e8               | mov                 dword ptr [ebp - 0x18], edx
            //   837de800             | cmp                 dword ptr [ebp - 0x18], 0
            //   7513                 | jne                 0x15

        $sequence_27 = { ebee 53 83ec08 8b5c2410 }
            // n = 4, score = 100
            //   ebee                 | jmp                 0xfffffff0
            //   53                   | push                ebx
            //   83ec08               | sub                 esp, 8
            //   8b5c2410             | mov                 ebx, dword ptr [esp + 0x10]

        $sequence_28 = { 51 6b550c0c 8b8228744500 89851cfdffff 8b8d1cfdffff }
            // n = 5, score = 100
            //   51                   | push                ecx
            //   6b550c0c             | imul                edx, dword ptr [ebp + 0xc], 0xc
            //   8b8228744500         | mov                 eax, dword ptr [edx + 0x457428]
            //   89851cfdffff         | mov                 dword ptr [ebp - 0x2e4], eax
            //   8b8d1cfdffff         | mov                 ecx, dword ptr [ebp - 0x2e4]

        $sequence_29 = { 8d8564ffffff 83c01c 890424 e8???????? 8944240c }
            // n = 5, score = 100
            //   8d8564ffffff         | lea                 eax, [ebp - 0x9c]
            //   83c01c               | add                 eax, 0x1c
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax

        $sequence_30 = { c685c4fcffff00 e8???????? 8d85e4faffff c645fc0b 50 c785e4faffff9c734300 }
            // n = 6, score = 100
            //   c685c4fcffff00       | mov                 byte ptr [ebp - 0x33c], 0
            //   e8????????           |
            //   8d85e4faffff         | lea                 eax, [ebp - 0x51c]
            //   c645fc0b             | mov                 byte ptr [ebp - 4], 0xb
            //   50                   | push                eax
            //   c785e4faffff9c734300 | mov                 dword ptr [ebp - 0x51c], 0x43739c

        $sequence_31 = { 8b5508 8b45f4 01d0 0fb600 3c2e 7416 8345f401 }
            // n = 7, score = 100
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   01d0                 | add                 eax, edx
            //   0fb600               | movzx               eax, byte ptr [eax]
            //   3c2e                 | cmp                 al, 0x2e
            //   7416                 | je                  0x18
            //   8345f401             | add                 dword ptr [ebp - 0xc], 1

        $sequence_32 = { 52 8bcd 50 8d1564244100 e8???????? 58 5a }
            // n = 7, score = 100
            //   52                   | push                edx
            //   8bcd                 | mov                 ecx, ebp
            //   50                   | push                eax
            //   8d1564244100         | lea                 edx, [0x412464]
            //   e8????????           |
            //   58                   | pop                 eax
            //   5a                   | pop                 edx

        $sequence_33 = { 6bd130 8b048500b04600 8b4c1018 898dd4ebffff 8b5510 035514 }
            // n = 6, score = 100
            //   6bd130               | imul                edx, ecx, 0x30
            //   8b048500b04600       | mov                 eax, dword ptr [eax*4 + 0x46b000]
            //   8b4c1018             | mov                 ecx, dword ptr [eax + edx + 0x18]
            //   898dd4ebffff         | mov                 dword ptr [ebp - 0x142c], ecx
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   035514               | add                 edx, dword ptr [ebp + 0x14]

        $sequence_34 = { c1e006 030495a0244300 eb05 b8???????? f6400420 }
            // n = 5, score = 100
            //   c1e006               | shl                 eax, 6
            //   030495a0244300       | add                 eax, dword ptr [edx*4 + 0x4324a0]
            //   eb05                 | jmp                 7
            //   b8????????           |
            //   f6400420             | test                byte ptr [eax + 4], 0x20

        $sequence_35 = { 8d3c8da0244300 8bf0 83e61f c1e606 8b0f 0fbe4c3104 83e101 }
            // n = 7, score = 100
            //   8d3c8da0244300       | lea                 edi, [ecx*4 + 0x4324a0]
            //   8bf0                 | mov                 esi, eax
            //   83e61f               | and                 esi, 0x1f
            //   c1e606               | shl                 esi, 6
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   0fbe4c3104           | movsx               ecx, byte ptr [ecx + esi + 4]
            //   83e101               | and                 ecx, 1

        $sequence_36 = { 8b04c520c34200 5d c3 33c0 }
            // n = 4, score = 100
            //   8b04c520c34200       | mov                 eax, dword ptr [eax*8 + 0x42c320]
            //   5d                   | pop                 ebp
            //   c3                   | ret
            //   33c0                 | xor                 eax, eax

        $sequence_37 = { 7510 8bc8 eb0c 0fb6c0 0fbe80b8b84300 03c8 }
            // n = 6, score = 100
            //   7510                 | jne                 0x12
            //   8bc8                 | mov                 ecx, eax
            //   eb0c                 | jmp                 0xe
            //   0fb6c0               | movzx               eax, al
            //   0fbe80b8b84300       | movsx               eax, byte ptr [eax + 0x43b8b8]
            //   03c8                 | add                 ecx, eax

        $sequence_38 = { e8???????? 80f901 7502 d9e0 833d????????00 0f8559a30000 8d0d40004300 }
            // n = 7, score = 100
            //   e8????????           |
            //   80f901               | cmp                 cl, 1
            //   7502                 | jne                 4
            //   d9e0                 | fchs
            //   833d????????00       |
            //   0f8559a30000         | jne                 0xa35f
            //   8d0d40004300         | lea                 ecx, [0x430040]

        $sequence_39 = { 770f 0fbec2 0fb680a8d14200 83e00f eb02 33c0 8b8dc0fdffff }
            // n = 7, score = 100
            //   770f                 | ja                  0x11
            //   0fbec2               | movsx               eax, dl
            //   0fb680a8d14200       | movzx               eax, byte ptr [eax + 0x42d1a8]
            //   83e00f               | and                 eax, 0xf
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   8b8dc0fdffff         | mov                 ecx, dword ptr [ebp - 0x240]

        $sequence_40 = { 68b0000000 8d85c4b9f0ff 6a00 50 e8???????? }
            // n = 5, score = 100
            //   68b0000000           | push                0xb0
            //   8d85c4b9f0ff         | lea                 eax, [ebp - 0xf463c]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |

        $sequence_41 = { 0f28c1 660f73d908 660f73d804 660f7ec1 660f7ec8 6800040000 c1e110 }
            // n = 7, score = 100
            //   0f28c1               | movaps              xmm0, xmm1
            //   660f73d908           | psrldq              xmm1, 8
            //   660f73d804           | psrldq              xmm0, 4
            //   660f7ec1             | movd                ecx, xmm0
            //   660f7ec8             | movd                eax, xmm1
            //   6800040000           | push                0x400
            //   c1e110               | shl                 ecx, 0x10

        $sequence_42 = { 8b0485a0244300 c644080401 57 e8???????? }
            // n = 4, score = 100
            //   8b0485a0244300       | mov                 eax, dword ptr [eax*4 + 0x4324a0]
            //   c644080401           | mov                 byte ptr [eax + ecx + 4], 1
            //   57                   | push                edi
            //   e8????????           |

        $sequence_43 = { c745ac44000000 6a10 6a00 8d4594 50 e8???????? }
            // n = 6, score = 100
            //   c745ac44000000       | mov                 dword ptr [ebp - 0x54], 0x44
            //   6a10                 | push                0x10
            //   6a00                 | push                0
            //   8d4594               | lea                 eax, [ebp - 0x6c]
            //   50                   | push                eax
            //   e8????????           |

        $sequence_44 = { 83c008 890424 e8???????? 85c0 0f849d040000 8b45d4 83c008 }
            // n = 7, score = 100
            //   83c008               | add                 eax, 8
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |
            //   85c0                 | test                eax, eax
            //   0f849d040000         | je                  0x4a3
            //   8b45d4               | mov                 eax, dword ptr [ebp - 0x2c]
            //   83c008               | add                 eax, 8

        $sequence_45 = { e8???????? 8bf0 8d85c4fbffff 3bc6 7446 8b85dcfbffff 83f808 }
            // n = 7, score = 100
            //   e8????????           |
            //   8bf0                 | mov                 esi, eax
            //   8d85c4fbffff         | lea                 eax, [ebp - 0x43c]
            //   3bc6                 | cmp                 eax, esi
            //   7446                 | je                  0x48
            //   8b85dcfbffff         | mov                 eax, dword ptr [ebp - 0x424]
            //   83f808               | cmp                 eax, 8

        $sequence_46 = { 837df40d 7507 c745f000000000 8b45f0 }
            // n = 4, score = 100
            //   837df40d             | cmp                 dword ptr [ebp - 0xc], 0xd
            //   7507                 | jne                 9
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]

        // NOTE(review): this byte run (repeated 0x1d, then 08..11 ascending) looks
        // like a data table that the generator disassembled as code; the
        // instruction listing below is probably not meaningful.
        $sequence_47 = { 1d1d1d1d1d 1d1d1d1d1d 1d1d1d1d1d 1d08090a0b 0c0d 0e 0f1011 }
            // n = 7, score = 100
            //   1d1d1d1d1d           | sbb                 eax, 0x1d1d1d1d
            //   1d1d1d1d1d           | sbb                 eax, 0x1d1d1d1d
            //   1d1d1d1d1d           | sbb                 eax, 0x1d1d1d1d
            //   1d08090a0b           | sbb                 eax, 0xb0a0908
            //   0c0d                 | or                  al, 0xd
            //   0e                   | push                cs
            //   0f1011               | movups              xmm2, xmmword ptr [ecx]

        $sequence_48 = { 6bd117 898278a04600 68???????? 8b45fc 50 ff15???????? 3305???????? }
            // n = 7, score = 100
            //   6bd117               | imul                edx, ecx, 0x17
            //   898278a04600         | mov                 dword ptr [edx + 0x46a078], eax
            //   68????????           |
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   50                   | push                eax
            //   ff15????????         |
            //   3305????????         |

        $sequence_49 = { 6a0a 68???????? e8???????? 83c40c 85c0 7469 }
            // n = 6, score = 100
            //   6a0a                 | push                0xa
            //   68????????           |
            //   e8????????           |
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   7469                 | je                  0x6b

        $sequence_50 = { 57 8b7d08 8bf1 83fffe 0f87c3000000 8b4618 3bc7 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8bf1                 | mov                 esi, ecx
            //   83fffe               | cmp                 edi, -2
            //   0f87c3000000         | ja                  0xc9
            //   8b4618               | mov                 eax, dword ptr [esi + 0x18]
            //   3bc7                 | cmp                 eax, edi

        $sequence_51 = { 01d8 83c025 3b45cc 0f8572010000 }
            // n = 4, score = 100
            //   01d8                 | add                 eax, ebx
            //   83c025               | add                 eax, 0x25
            //   3b45cc               | cmp                 eax, dword ptr [ebp - 0x34]
            //   0f8572010000         | jne                 0x178

        $sequence_52 = { 2b34bda0244300 c1fe06 8bc7 c1e005 03f0 }
            // n = 5, score = 100
            //   2b34bda0244300       | sub                 esi, dword ptr [edi*4 + 0x4324a0]
            //   c1fe06               | sar                 esi, 6
            //   8bc7                 | mov                 eax, edi
            //   c1e005               | shl                 eax, 5
            //   03f0                 | add                 esi, eax

        $sequence_53 = { 6aff 8d85f4fdffff 50 53 56 c785bcf1ffffb8b04200 ffd7 }
            // n = 7, score = 100
            //   6aff                 | push                -1
            //   8d85f4fdffff         | lea                 eax, [ebp - 0x20c]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   56                   | push                esi
            //   c785bcf1ffffb8b04200 | mov                 dword ptr [ebp - 0xe44], 0x42b0b8
            //   ffd7                 | call                edi

        $sequence_54 = { c745e401000000 eb07 c745e400000000 c745e001000000 eb0e c745e000000000 c745e401000000 }
            // n = 7, score = 100
            //   c745e401000000       | mov                 dword ptr [ebp - 0x1c], 1
            //   eb07                 | jmp                 9
            //   c745e400000000       | mov                 dword ptr [ebp - 0x1c], 0
            //   c745e001000000       | mov                 dword ptr [ebp - 0x20], 1
            //   eb0e                 | jmp                 0x10
            //   c745e000000000       | mov                 dword ptr [ebp - 0x20], 0
            //   c745e401000000       | mov                 dword ptr [ebp - 0x1c], 1

    condition:
        // Any 7 of the 55 sequences, gated by a size cap. The cap is presumably
        // derived from the analysed samples, so a padded, bundled or
        // memory-dumped image larger than ~1 MiB would be missed -- a tuning
        // knob rather than a family property.
        7 of them and filesize < 1097728
}
import "pe"

// Hand-written string/imphash rule for win.yty (ProofPoint).
// Three string tiers drive the condition:
//   $x*  -- "single hit is enough": download URI fragments, an OS-caption
//           marker and one literal IP (named $x_c2 by the author, so it is
//           presumably a C2 address).
//   $a*  -- family-specific identifiers (yty naming, helper commands).
//   $s*  -- generic host-profiling / sandbox-awareness artefacts (WMI
//           queries, VM verdict strings, Sandboxie and dbghelp DLL names,
//           small helper binary names) that need a higher count to fire.
// Triage note: because any one $x string fires the rule on its own, a file
// that merely contains the $x_c2 IP literal (a report, a blocklist, a log)
// will match; $x hits should be confirmed against the $a/$s tiers.
rule win_yty_w0 {
    meta:
        author = "James E.C, ProofPoint"
        description = "Modular malware framework with similarities to EHDevel"
        hash = "1e0c1b97925e1ed90562d2c68971e038d8506b354dd6c1d2bcc252d2a48bc31c"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty"
        malpedia_version = "20180312"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Tier 1: any single hit is sufficient.
        $x1   = "/football/download2/" wide ascii
        $x2   = "/football/download/" wide ascii
        $x3   = "Caption: Xp>" wide
        $x_c2 = "5.135.199.0" fullword ascii

        // Tier 2: family-specific names and command strings (3 required).
        $a1 = "getGoogle" fullword ascii
        $a2 = "/q /noretstart" wide
        $a3 = "IsInSandbox" fullword ascii
        $a4 = "syssystemnew" fullword ascii
        $a5 = "ytyinfo" fullword ascii
        $a6 = "\\ytyboth\\yty " ascii

        // Tier 3: generic profiling / evasion artefacts (6 required).
        $s1  = "SELECT Name FROM Win32_Processor" wide
        $s2  = "SELECT Caption FROM Win32_OperatingSystem" wide
        $s3  = "SELECT SerialNumber FROM Win32_DiskDrive" wide
        $s4  = "VM: Yes" fullword wide
        $s5  = "VM: No" fullword wide
        $s6  = "helpdll.dll" fullword ascii
        $s7  = "boothelp.exe" fullword ascii
        $s8  = "SbieDll.dll" fullword wide
        $s9  = "dbghelp.dll" fullword wide
        $s10 = "YesNoMaybe" fullword ascii
        $s11 = "saveData" fullword ascii
        $s12 = "saveLogs" fullword ascii

    condition:
        // pe.imphash() is undefined (and so evaluates as false) on non-PE
        // input, which leaves the string tiers to decide for memory dumps
        // and other non-PE artefacts.
        pe.imphash() == "87775285899fa860b9963b11596a2ded"
        or any of ($x*)
        or 3 of ($a*)
        or 6 of ($s*)
}