Actor(s): APT-C-35, Donot Team, EHDevel
There is no description at this point.
rule win_yty_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2021-10-07" version = "1" description = "Detects win.yty." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty" malpedia_rule_date = "20211007" malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535" malpedia_version = "20211008" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 56 8b7508 0f84d5000000 83e80d 0f84a0000000 } // n = 5, score = 600 // 56 | push esi // 8b7508 | mov esi, dword ptr [ebp + 8] // 0f84d5000000 | je 0xdb // 83e80d | sub eax, 0xd // 0f84a0000000 | je 0xa6 $sequence_1 = { 8b4d10 0fb7c1 83e868 7441 } // n = 4, score = 600 // 8b4d10 | mov ecx, dword ptr [ebp + 0x10] // 0fb7c1 | movzx eax, cx // 83e868 | sub eax, 0x68 // 7441 | je 0x43 $sequence_2 = { 0f84a0000000 2d02010000 7422 8b4514 8b5510 } // n = 5, score = 600 // 0f84a0000000 | je 0xa6 // 2d02010000 | sub eax, 0x102 // 7422 | je 0x24 // 8b4514 | mov eax, dword ptr [ebp + 0x14] // 8b5510 | mov edx, dword ptr [ebp + 0x10] $sequence_3 = { 48 7423 8b4514 50 51 6811010000 56 } // n = 7, score = 600 // 48 | dec eax // 7423 | je 0x25 // 8b4514 | mov eax, dword ptr [ebp + 0x14] // 50 | push eax // 51 | push ecx // 6811010000 | push 0x111 // 56 | push esi $sequence_4 = { 50 8d45f4 64a300000000 8b7508 33ff 897dd8 } // n = 6, score = 500 // 50 | push eax // 8d45f4 | lea eax, dword ptr [ebp - 0xc] // 64a300000000 | mov dword ptr fs:[0], eax // 8b7508 | mov esi, dword ptr [ebp + 8] // 33ff | xor edi, edi // 897dd8 | mov dword ptr [ebp - 0x28], edi $sequence_5 = { 0f840c000000 8365d8fe 8b7508 e9???????? c3 8b542408 8d420c } // n = 7, score = 500 // 0f840c000000 | je 0x12 // 8365d8fe | and dword ptr [ebp - 0x28], 0xfffffffe // 8b7508 | mov esi, dword ptr [ebp + 8] // e9???????? | // c3 | ret // 8b542408 | mov edx, dword ptr [esp + 8] // 8d420c | lea eax, dword ptr [edx + 0xc] $sequence_6 = { 83ec1c 8bcc 89642430 6aff 57 } // n = 5, score = 400 // 83ec1c | sub esp, 0x1c // 8bcc | mov ecx, esp // 89642430 | mov dword ptr [esp + 0x30], esp // 6aff | push -1 // 57 | push edi $sequence_7 = { 64a300000000 8d8524ffffff 50 e8???????? } // n = 4, score = 400 // 64a300000000 | mov dword ptr fs:[0], eax // 8d8524ffffff | lea eax, dword ptr [ebp - 0xdc] // 50 | push eax // e8???????? | $sequence_8 = { ffd2 8b8568ffffff 8b08 8b5108 } // n = 4, score = 400 // ffd2 | call edx // 8b8568ffffff | mov eax, dword ptr [ebp - 0x98] // 8b08 | mov ecx, dword ptr [eax] // 8b5108 | mov edx, dword ptr [ecx + 8] $sequence_9 = { eb23 8b5508 397d1c 7303 8d5508 } // n = 5, score = 400 // eb23 | jmp 0x25 // 8b5508 | mov edx, dword ptr [ebp + 8] // 397d1c | cmp dword ptr [ebp + 0x1c], edi // 7303 | jae 5 // 8d5508 | lea edx, dword ptr [ebp + 8] $sequence_10 = { 80ea13 b903000000 eb58 8b5508 397d1c } // n = 5, score = 400 // 80ea13 | sub dl, 0x13 // b903000000 | mov ecx, 3 // eb58 | jmp 0x5a // 8b5508 | mov edx, dword ptr [ebp + 8] // 397d1c | cmp dword ptr [ebp + 0x1c], edi $sequence_11 = { 5f 668910 8bc6 5b 8be5 5d c20400 } // n = 7, score = 400 // 5f | pop edi // 668910 | mov word ptr [eax], dx // 8bc6 | mov eax, esi // 5b | pop ebx // 8be5 | mov esp, ebp // 5d | pop ebp // c20400 | ret 4 $sequence_12 = { b902000000 e9???????? 8a1402 2ad1 } // n = 4, score = 400 // b902000000 | mov ecx, 2 // e9???????? | // 8a1402 | mov dl, byte ptr [edx + eax] // 2ad1 | sub dl, cl $sequence_13 = { 885def 8975e0 85c9 7407 8b11 8b4204 ffd0 } // n = 7, score = 400 // 885def | mov byte ptr [ebp - 0x11], bl // 8975e0 | mov dword ptr [ebp - 0x20], esi // 85c9 | test ecx, ecx // 7407 | je 9 // 8b11 | mov edx, dword ptr [ecx] // 8b4204 | mov eax, dword ptr [edx + 4] // ffd0 | call eax $sequence_14 = { 83c40c 8d8de8fdffff 51 53 53 6a28 } // n = 6, score = 400 // 83c40c | add esp, 0xc // 8d8de8fdffff | lea ecx, dword ptr [ebp - 0x218] // 51 | push ecx // 53 | push ebx // 53 | push ebx // 6a28 | push 0x28 $sequence_15 = { e9???????? 8a1402 2ad1 8bfe 80ea13 b902000000 e9???????? } // n = 7, score = 400 // e9???????? | // 8a1402 | mov dl, byte ptr [edx + eax] // 2ad1 | sub dl, cl // 8bfe | mov edi, esi // 80ea13 | sub dl, 0x13 // b902000000 | mov ecx, 2 // e9???????? | $sequence_16 = { 33c9 33c0 8d7910 85d2 0f8425010000 } // n = 5, score = 400 // 33c9 | xor ecx, ecx // 33c0 | xor eax, eax // 8d7910 | lea edi, dword ptr [ecx + 0x10] // 85d2 | test edx, edx // 0f8425010000 | je 0x12b $sequence_17 = { 33c9 881407 bf10000000 40 3b4610 0f82dbfeffff 397d1c } // n = 7, score = 400 // 33c9 | xor ecx, ecx // 881407 | mov byte ptr [edi + eax], dl // bf10000000 | mov edi, 0x10 // 40 | inc eax // 3b4610 | cmp eax, dword ptr [esi + 0x10] // 0f82dbfeffff | jb 0xfffffee1 // 397d1c | cmp dword ptr [ebp + 0x1c], edi $sequence_18 = { 0f82dbfeffff 397d1c 720c 8b4508 50 e8???????? } // n = 6, score = 400 // 0f82dbfeffff | jb 0xfffffee1 // 397d1c | cmp dword ptr [ebp + 0x1c], edi // 720c | jb 0xe // 8b4508 | mov eax, dword ptr [ebp + 8] // 50 | push eax // e8???????? | $sequence_19 = { a1???????? 33c5 50 8d45f4 64a300000000 c745f000000000 6aff } // n = 7, score = 400 // a1???????? | // 33c5 | xor eax, ebp // 50 | push eax // 8d45f4 | lea eax, dword ptr [ebp - 0xc] // 64a300000000 | mov dword ptr fs:[0], eax // c745f000000000 | mov dword ptr [ebp - 0x10], 0 // 6aff | push -1 $sequence_20 = { 33db 895de8 885def 8975e0 } // n = 4, score = 400 // 33db | xor ebx, ebx // 895de8 | mov dword ptr [ebp - 0x18], ebx // 885def | mov byte ptr [ebp - 0x11], bl // 8975e0 | mov dword ptr [ebp - 0x20], esi $sequence_21 = { 8139ff6f4093 7615 e8???????? c70016000000 } // n = 4, score = 300 // 8139ff6f4093 | cmp dword ptr [ecx], 0x93406fff // 7615 | jbe 0x17 // e8???????? | // c70016000000 | mov dword ptr [eax], 0x16 $sequence_22 = { 8b5508 837a0800 7d21 8b4508 8b4808 83c118 8b5508 } // n = 7, score = 300 // 8b5508 | mov edx, dword ptr [ebp + 8] // 837a0800 | cmp dword ptr [edx + 8], 0 // 7d21 | jge 0x23 // 8b4508 | mov eax, dword ptr [ebp + 8] // 8b4808 | mov ecx, dword ptr [eax + 8] // 83c118 | add ecx, 0x18 // 8b5508 | mov edx, dword ptr [ebp + 8] $sequence_23 = { 8901 8b5508 833a00 7d1f } // n = 4, score = 300 // 8901 | mov dword ptr [ecx], eax // 8b5508 | mov edx, dword ptr [ebp + 8] // 833a00 | cmp dword ptr [edx], 0 // 7d1f | jge 0x21 $sequence_24 = { e8???????? 83c414 b816000000 e9???????? 6a24 68ff000000 8b5508 } // n = 7, score = 300 // e8???????? | // 83c414 | add esp, 0x14 // b816000000 | mov eax, 0x16 // e9???????? | // 6a24 | push 0x24 // 68ff000000 | push 0xff // 8b5508 | mov edx, dword ptr [ebp + 8] $sequence_25 = { 68f4010000 50 e8???????? 83c40c } // n = 4, score = 300 // 68f4010000 | push 0x1f4 // 50 | push eax // e8???????? | // 83c40c | add esp, 0xc $sequence_26 = { 50 e8???????? 8b4d08 894108 } // n = 4, score = 300 // 50 | push eax // e8???????? | // 8b4d08 | mov ecx, dword ptr [ebp + 8] // 894108 | mov dword ptr [ecx + 8], eax $sequence_27 = { 833900 7315 e8???????? c70016000000 } // n = 4, score = 300 // 833900 | cmp dword ptr [ecx], 0 // 7315 | jae 0x17 // e8???????? | // c70016000000 | mov dword ptr [eax], 0x16 $sequence_28 = { 833a00 7d1f 8b4508 8b08 83c13c } // n = 5, score = 300 // 833a00 | cmp dword ptr [edx], 0 // 7d1f | jge 0x21 // 8b4508 | mov eax, dword ptr [ebp + 8] // 8b08 | mov ecx, dword ptr [eax] // 83c13c | add ecx, 0x3c $sequence_29 = { 8b4c1938 895dd4 85c9 7405 8b01 ff5004 c745fc00000000 } // n = 7, score = 200 // 8b4c1938 | mov ecx, dword ptr [ecx + ebx + 0x38] // 895dd4 | mov dword ptr [ebp - 0x2c], ebx // 85c9 | test ecx, ecx // 7405 | je 7 // 8b01 | mov eax, dword ptr [ecx] // ff5004 | call dword ptr [eax + 4] // c745fc00000000 | mov dword ptr [ebp - 4], 0 $sequence_30 = { 59 80cb01 8bc6 c1f805 8d0c85a0244300 8bc6 } // n = 6, score = 100 // 59 | pop ecx // 80cb01 | or bl, 1 // 8bc6 | mov eax, esi // c1f805 | sar eax, 5 // 8d0c85a0244300 | lea ecx, dword ptr [eax*4 + 0x4324a0] // 8bc6 | mov eax, esi $sequence_31 = { 740a 66c7841e2c0200005c00 89f8 8b08 83c004 8d91fffefefe f7d1 } // n = 7, score = 100 // 740a | je 0xc // 66c7841e2c0200005c00 | mov word ptr [esi + ebx + 0x22c], 0x5c // 89f8 | mov eax, edi // 8b08 | mov ecx, dword ptr [eax] // 83c004 | add eax, 4 // 8d91fffefefe | lea edx, dword ptr [ecx - 0x1010101] // f7d1 | not ecx $sequence_32 = { 85c0 0f849d040000 8b45d4 83c008 8944240c c7442408???????? } // n = 6, score = 100 // 85c0 | test eax, eax // 0f849d040000 | je 0x4a3 // 8b45d4 | mov eax, dword ptr [ebp - 0x2c] // 83c008 | add eax, 8 // 8944240c | mov dword ptr [esp + 0xc], eax // c7442408???????? | $sequence_33 = { 56 57 33f6 bf???????? 833cf584fe420001 751d 8d04f580fe4200 } // n = 7, score = 100 // 56 | push esi // 57 | push edi // 33f6 | xor esi, esi // bf???????? | // 833cf584fe420001 | cmp dword ptr [esi*8 + 0x42fe84], 1 // 751d | jne 0x1f // 8d04f580fe4200 | lea eax, dword ptr [esi*8 + 0x42fe80] $sequence_34 = { 8d95d8fcffff 52 6a00 ff15???????? 3bf4 e8???????? } // n = 6, score = 100 // 8d95d8fcffff | lea edx, dword ptr [ebp - 0x328] // 52 | push edx // 6a00 | push 0 // ff15???????? | // 3bf4 | cmp esi, esp // e8???????? | $sequence_35 = { 3d01010000 7d0d 8a4c181c 888870f74200 40 } // n = 5, score = 100 // 3d01010000 | cmp eax, 0x101 // 7d0d | jge 0xf // 8a4c181c | mov cl, byte ptr [eax + ebx + 0x1c] // 888870f74200 | mov byte ptr [eax + 0x42f770], cl // 40 | inc eax $sequence_36 = { 8d4198 89840d84feffff 8d8d8cfeffff e8???????? } // n = 4, score = 100 // 8d4198 | lea eax, dword ptr [ecx - 0x68] // 89840d84feffff | mov dword ptr [ebp + ecx - 0x17c], eax // 8d8d8cfeffff | lea ecx, dword ptr [ebp - 0x174] // e8???????? | $sequence_37 = { 50 8b04bd60cb4300 ff743018 ff15???????? 85c0 0f95c0 5f } // n = 7, score = 100 // 50 | push eax // 8b04bd60cb4300 | mov eax, dword ptr [edi*4 + 0x43cb60] // ff743018 | push dword ptr [eax + esi + 0x18] // ff15???????? | // 85c0 | test eax, eax // 0f95c0 | setne al // 5f | pop edi $sequence_38 = { 6bc930 8975e0 8db190f94200 8975e4 eb2b 8a4601 84c0 } // n = 7, score = 100 // 6bc930 | imul ecx, ecx, 0x30 // 8975e0 | mov dword ptr [ebp - 0x20], esi // 8db190f94200 | lea esi, dword ptr [ecx + 0x42f990] // 8975e4 | mov dword ptr [ebp - 0x1c], esi // eb2b | jmp 0x2d // 8a4601 | mov al, byte ptr [esi + 1] // 84c0 | test al, al $sequence_39 = { e8???????? c7042488130000 e8???????? 83ec04 c7442404???????? } // n = 5, score = 100 // e8???????? | // c7042488130000 | mov dword ptr [esp], 0x1388 // e8???????? | // 83ec04 | sub esp, 4 // c7442404???????? | $sequence_40 = { 55 89e5 eb12 8b450c 8d50ff } // n = 5, score = 100 // 55 | push ebp // 89e5 | mov ebp, esp // eb12 | jmp 0x14 // 8b450c | mov eax, dword ptr [ebp + 0xc] // 8d50ff | lea edx, dword ptr [eax - 1] $sequence_41 = { 7e38 8b4604 8b0c18 397c11fc } // n = 4, score = 100 // 7e38 | jle 0x3a // 8b4604 | mov eax, dword ptr [esi + 4] // 8b0c18 | mov ecx, dword ptr [eax + ebx] // 397c11fc | cmp dword ptr [ecx + edx - 4], edi $sequence_42 = { 8b45d4 8b75e8 83fe10 8d4dd4 } // n = 4, score = 100 // 8b45d4 | mov eax, dword ptr [ebp - 0x2c] // 8b75e8 | mov esi, dword ptr [ebp - 0x18] // 83fe10 | cmp esi, 0x10 // 8d4dd4 | lea ecx, dword ptr [ebp - 0x2c] $sequence_43 = { 83ec28 c745f400000000 eb20 8b5508 } // n = 4, score = 100 // 83ec28 | sub esp, 0x28 // c745f400000000 | mov dword ptr [ebp - 0xc], 0 // eb20 | jmp 0x22 // 8b5508 | mov edx, dword ptr [ebp + 8] $sequence_44 = { b8cccccccc f3ab c745f800000000 c745d400000000 8b450c 83e801 8945e0 } // n = 7, score = 100 // b8cccccccc | mov eax, 0xcccccccc // f3ab | rep stosd dword ptr es:[edi], eax // c745f800000000 | mov dword ptr [ebp - 8], 0 // c745d400000000 | mov dword ptr [ebp - 0x2c], 0 // 8b450c | mov eax, dword ptr [ebp + 0xc] // 83e801 | sub eax, 1 // 8945e0 | mov dword ptr [ebp - 0x20], eax $sequence_45 = { 0f8715040000 ff249d3a0d4100 8b46e4 3b42e4 0f8481000000 0fb6f8 } // n = 6, score = 100 // 0f8715040000 | ja 0x41b // ff249d3a0d4100 | jmp dword ptr [ebx*4 + 0x410d3a] // 8b46e4 | mov eax, dword ptr [esi - 0x1c] // 3b42e4 | cmp eax, dword ptr [edx - 0x1c] // 0f8481000000 | je 0x87 // 0fb6f8 | movzx edi, al $sequence_46 = { c7042464000000 e8???????? 83ec04 c70424???????? e8???????? } // n = 5, score = 100 // c7042464000000 | mov dword ptr [esp], 0x64 // e8???????? | // 83ec04 | sub esp, 4 // c70424???????? | // e8???????? | $sequence_47 = { 7313 3bfb 8bc3 8bce 0f42c7 } // n = 5, score = 100 // 7313 | jae 0x15 // 3bfb | cmp edi, ebx // 8bc3 | mov eax, ebx // 8bce | mov ecx, esi // 0f42c7 | cmovb eax, edi $sequence_48 = { 8bce 83e11f c1e106 8b0485a0244300 8d440804 8020fe 56 } // n = 7, score = 100 // 8bce | mov ecx, esi // 83e11f | and ecx, 0x1f // c1e106 | shl ecx, 6 // 8b0485a0244300 | mov eax, dword ptr [eax*4 + 0x4324a0] // 8d440804 | lea eax, dword ptr [eax + ecx + 4] // 8020fe | and byte ptr [eax], 0xfe // 56 | push esi $sequence_49 = { 7443 83e801 0f8501010000 c745e08c044300 8b4508 8bcf 8b7510 } // n = 7, score = 100 // 7443 | je 0x45 // 83e801 | sub eax, 1 // 0f8501010000 | jne 0x107 // c745e08c044300 | mov dword ptr [ebp - 0x20], 0x43048c // 8b4508 | mov eax, dword ptr [ebp + 8] // 8bcf | mov ecx, edi // 8b7510 | mov esi, dword ptr [ebp + 0x10] $sequence_50 = { 81ecb0000000 c745ef66696c65 c745f32e747874 c645f700 c7458b00000000 } // n = 5, score = 100 // 81ecb0000000 | sub esp, 0xb0 // c745ef66696c65 | mov dword ptr [ebp - 0x11], 0x656c6966 // c745f32e747874 | mov dword ptr [ebp - 0xd], 0x7478742e // c645f700 | mov byte ptr [ebp - 9], 0 // c7458b00000000 | mov dword ptr [ebp - 0x75], 0 $sequence_51 = { c70424???????? e8???????? eb0c c70424???????? e8???????? 90 81c4b0000000 } // n = 7, score = 100 // c70424???????? | // e8???????? | // eb0c | jmp 0xe // c70424???????? | // e8???????? | // 90 | nop // 81c4b0000000 | add esp, 0xb0 condition: 7 of them and filesize < 1097728 }
import "pe" rule win_yty_w0 { meta: author = "James E.C, ProofPoint" description = "Modular malware framework with similarities to EHDevel" hash = "1e0c1b97925e1ed90562d2c68971e038d8506b354dd6c1d2bcc252d2a48bc31c" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty" malpedia_version = "20180312" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $x1 = "/football/download2/" ascii wide $x2 = "/football/download/" ascii wide $x3 = "Caption: Xp>" wide $x_c2 = "5.135.199.0" ascii fullword $a1 = "getGoogle" ascii fullword $a2 = "/q /noretstart" wide $a3 = "IsInSandbox" ascii fullword $a4 = "syssystemnew" ascii fullword $a5 = "ytyinfo" ascii fullword $a6 = "\\ytyboth\\yty " ascii $s1 = "SELECT Name FROM Win32_Processor" wide $s2 = "SELECT Caption FROM Win32_OperatingSystem" wide $s3 = "SELECT SerialNumber FROM Win32_DiskDrive" wide $s4 = "VM: Yes" wide fullword $s5 = "VM: No" wide fullword $s6 = "helpdll.dll" ascii fullword $s7 = "boothelp.exe" ascii fullword $s8 = "SbieDll.dll" wide fullword $s9 = "dbghelp.dll" wide fullword $s10 = "YesNoMaybe" ascii fullword $s11 = "saveData" ascii fullword $s12 = "saveLogs" ascii fullword condition: pe.imphash() == "87775285899fa860b9963b11596a2ded" or 1 of ($x*) or 3 of ($a*) or 6 of ($s*) }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY