Actor(s): APT-C-35, Donot Team, EHDevel
There is no description at this point.
rule win_yty_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-12-22" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty" malpedia_rule_date = "20201222" malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130" malpedia_version = "20201023" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 33c5 50 8d45f4 64a300000000 8b7508 33ff 897dd8 } // n = 7, score = 500 // 33c5 | xor eax, ebp // 50 | push eax // 8d45f4 | lea eax, [ebp - 0xc] // 64a300000000 | mov dword ptr fs:[0], eax // 8b7508 | mov esi, dword ptr [ebp + 8] // 33ff | xor edi, edi // 897dd8 | mov dword ptr [ebp - 0x28], edi $sequence_1 = { 0f840c000000 8365d8fe 8b7508 e9???????? c3 } // n = 5, score = 500 // 0f840c000000 | je 0x12 // 8365d8fe | and dword ptr [ebp - 0x28], 0xfffffffe // 8b7508 | mov esi, dword ptr [ebp + 8] // e9???????? | // c3 | ret $sequence_2 = { 8945fc 56 c745f001000000 e8???????? 83c404 8bc6 } // n = 6, score = 400 // 8945fc | mov dword ptr [ebp - 4], eax // 56 | push esi // c745f001000000 | mov dword ptr [ebp - 0x10], 1 // e8???????? | // 83c404 | add esp, 4 // 8bc6 | mov eax, esi $sequence_3 = { 2ad1 80ea13 b903000000 eb69 8a1402 2ad1 8bfe } // n = 7, score = 400 // 2ad1 | sub dl, cl // 80ea13 | sub dl, 0x13 // b903000000 | mov ecx, 3 // eb69 | jmp 0x6b // 8a1402 | mov dl, byte ptr [edx + eax] // 2ad1 | sub dl, cl // 8bfe | mov edi, esi $sequence_4 = { 8b3e 2ad1 80ea04 b901000000 e9???????? } // n = 5, score = 400 // 8b3e | mov edi, dword ptr [esi] // 2ad1 | sub dl, cl // 80ea04 | sub dl, 4 // b901000000 | mov ecx, 1 // e9???????? | $sequence_5 = { 64a300000000 8d8524ffffff 50 e8???????? } // n = 4, score = 400 // 64a300000000 | mov dword ptr fs:[0], eax // 8d8524ffffff | lea eax, [ebp - 0xdc] // 50 | push eax // e8???????? | $sequence_6 = { 668910 8bc6 5b 8be5 5d c20400 } // n = 6, score = 400 // 668910 | mov word ptr [eax], dx // 8bc6 | mov eax, esi // 5b | pop ebx // 8be5 | mov esp, ebp // 5d | pop ebp // c20400 | ret 4 $sequence_7 = { 33c0 8d7910 85d2 0f8425010000 } // n = 4, score = 400 // 33c0 | xor eax, eax // 8d7910 | lea edi, [ecx + 0x10] // 85d2 | test edx, edx // 0f8425010000 | je 0x12b $sequence_8 = { 6a00 8bcf c645fc02 e8???????? 8b0e } // n = 5, score = 400 // 6a00 | push 0 // 8bcf | mov ecx, edi // c645fc02 | mov byte ptr [ebp - 4], 2 // e8???????? | // 8b0e | mov ecx, dword ptr [esi] $sequence_9 = { 8975e0 85c9 7407 8b11 8b4204 ffd0 c745fc00000000 } // n = 7, score = 400 // 8975e0 | mov dword ptr [ebp - 0x20], esi // 85c9 | test ecx, ecx // 7407 | je 9 // 8b11 | mov edx, dword ptr [ecx] // 8b4204 | mov eax, dword ptr [edx + 4] // ffd0 | call eax // c745fc00000000 | mov dword ptr [ebp - 4], 0 $sequence_10 = { 83c40c 8d8de8fdffff 51 53 53 6a28 } // n = 6, score = 400 // 83c40c | add esp, 0xc // 8d8de8fdffff | lea ecx, [ebp - 0x218] // 51 | push ecx // 53 | push ebx // 53 | push ebx // 6a28 | push 0x28 $sequence_11 = { 50 ffd2 8b8568ffffff 8b08 8b5108 } // n = 5, score = 400 // 50 | push eax // ffd2 | call edx // 8b8568ffffff | mov eax, dword ptr [ebp - 0x98] // 8b08 | mov ecx, dword ptr [eax] // 8b5108 | mov edx, dword ptr [ecx + 8] $sequence_12 = { 7303 8d5508 8b4e10 397e14 7211 } // n = 5, score = 400 // 7303 | jae 5 // 8d5508 | lea edx, [ebp + 8] // 8b4e10 | mov ecx, dword ptr [esi + 0x10] // 397e14 | cmp dword ptr [esi + 0x14], edi // 7211 | jb 0x13 $sequence_13 = { 8bfe 80ea13 b903000000 eb58 8b5508 } // n = 5, score = 400 // 8bfe | mov edi, esi // 80ea13 | sub dl, 0x13 // b903000000 | mov ecx, 3 // eb58 | jmp 0x5a // 8b5508 | mov edx, dword ptr [ebp + 8] $sequence_14 = { e8???????? 8b0e 8b5104 8b443238 c645ef01 } // n = 5, score = 400 // e8???????? | // 8b0e | mov ecx, dword ptr [esi] // 8b5104 | mov edx, dword ptr [ecx + 4] // 8b443238 | mov eax, dword ptr [edx + esi + 0x38] // c645ef01 | mov byte ptr [ebp - 0x11], 1 $sequence_15 = { 50 8bce c60600 e8???????? 8b5610 33c9 } // n = 6, score = 400 // 50 | push eax // 8bce | mov ecx, esi // c60600 | mov byte ptr [esi], 0 // e8???????? | // 8b5610 | mov edx, dword ptr [esi + 0x10] // 33c9 | xor ecx, ecx $sequence_16 = { 8906 894604 894608 8945fc 56 c745f001000000 } // n = 6, score = 400 // 8906 | mov dword ptr [esi], eax // 894604 | mov dword ptr [esi + 4], eax // 894608 | mov dword ptr [esi + 8], eax // 8945fc | mov dword ptr [ebp - 4], eax // 56 | push esi // c745f001000000 | mov dword ptr [ebp - 0x10], 1 $sequence_17 = { b904000000 eb34 8a1402 2ad1 8bfe 80ea04 b904000000 } // n = 7, score = 400 // b904000000 | mov ecx, 4 // eb34 | jmp 0x36 // 8a1402 | mov dl, byte ptr [edx + eax] // 2ad1 | sub dl, cl // 8bfe | mov edi, esi // 80ea04 | sub dl, 4 // b904000000 | mov ecx, 4 $sequence_18 = { 8b08 8b5108 50 ffd2 ff15???????? 8b8568ffffff } // n = 6, score = 400 // 8b08 | mov ecx, dword ptr [eax] // 8b5108 | mov edx, dword ptr [ecx + 8] // 50 | push eax // ffd2 | call edx // ff15???????? | // 8b8568ffffff | mov eax, dword ptr [ebp - 0x98] $sequence_19 = { 2ad1 80ea04 b904000000 eb34 8a1402 } // n = 5, score = 400 // 2ad1 | sub dl, cl // 80ea04 | sub dl, 4 // b904000000 | mov ecx, 4 // eb34 | jmp 0x36 // 8a1402 | mov dl, byte ptr [edx + eax] $sequence_20 = { 50 e8???????? 83c404 be08000000 } // n = 4, score = 300 // 50 | push eax // e8???????? | // 83c404 | add esp, 4 // be08000000 | mov esi, 8 $sequence_21 = { 8b06 8930 c745fc01000000 c7461807000000 } // n = 4, score = 300 // 8b06 | mov eax, dword ptr [esi] // 8930 | mov dword ptr [eax], esi // c745fc01000000 | mov dword ptr [ebp - 4], 1 // c7461807000000 | mov dword ptr [esi + 0x18], 7 $sequence_22 = { 6a6d 56 ff15???????? 8b3d???????? 6a00 6a00 6a00 } // n = 7, score = 300 // 6a6d | push 0x6d // 56 | push esi // ff15???????? | // 8b3d???????? | // 6a00 | push 0 // 6a00 | push 0 // 6a00 | push 0 $sequence_23 = { 68f4010000 50 e8???????? 83c40c } // n = 4, score = 300 // 68f4010000 | push 0x1f4 // 50 | push eax // e8???????? | // 83c40c | add esp, 0xc $sequence_24 = { 8ad1 c0ea02 8ac4 80e20f c0e004 } // n = 5, score = 300 // 8ad1 | mov dl, cl // c0ea02 | shr dl, 2 // 8ac4 | mov al, ah // 80e20f | and dl, 0xf // c0e004 | shl al, 4 $sequence_25 = { 8b4c1938 895dd4 85c9 7405 8b01 ff5004 c745fc00000000 } // n = 7, score = 200 // 8b4c1938 | mov ecx, dword ptr [ecx + ebx + 0x38] // 895dd4 | mov dword ptr [ebp - 0x2c], ebx // 85c9 | test ecx, ecx // 7405 | je 7 // 8b01 | mov eax, dword ptr [ecx] // ff5004 | call dword ptr [eax + 4] // c745fc00000000 | mov dword ptr [ebp - 4], 0 $sequence_26 = { 8d8318010000 83c414 5b 5e c3 } // n = 5, score = 100 // 8d8318010000 | lea eax, [ebx + 0x118] // 83c414 | add esp, 0x14 // 5b | pop ebx // 5e | pop esi // c3 | ret $sequence_27 = { c1f806 03348560cb4300 f6462d01 7415 e8???????? c70016000000 e8???????? } // n = 7, score = 100 // c1f806 | sar eax, 6 // 03348560cb4300 | add esi, dword ptr [eax*4 + 0x43cb60] // f6462d01 | test byte ptr [esi + 0x2d], 1 // 7415 | je 0x17 // e8???????? | // c70016000000 | mov dword ptr [eax], 0x16 // e8???????? | $sequence_28 = { c70424???????? e8???????? a3???????? c745f400000000 } // n = 4, score = 100 // c70424???????? | // e8???????? | // a3???????? | // c745f400000000 | mov dword ptr [ebp - 0xc], 0 $sequence_29 = { 8d5001 8b4508 01d0 0fb600 } // n = 4, score = 100 // 8d5001 | lea edx, [eax + 1] // 8b4508 | mov eax, dword ptr [ebp + 8] // 01d0 | add eax, edx // 0fb600 | movzx eax, byte ptr [eax] $sequence_30 = { ff2485c8a64100 8b4dfc 8b5110 0fbe02 } // n = 4, score = 100 // ff2485c8a64100 | jmp dword ptr [eax*4 + 0x41a6c8] // 8b4dfc | mov ecx, dword ptr [ebp - 4] // 8b5110 | mov edx, dword ptr [ecx + 0x10] // 0fbe02 | movsx eax, byte ptr [edx] $sequence_31 = { b9???????? e8???????? 85c0 743b } // n = 4, score = 100 // b9???????? | // e8???????? | // 85c0 | test eax, eax // 743b | je 0x3d $sequence_32 = { ff75d8 e8???????? 83c40c 8d4dd4 c745ec0f000000 } // n = 5, score = 100 // ff75d8 | push dword ptr [ebp - 0x28] // e8???????? | // 83c40c | add esp, 0xc // 8d4dd4 | lea ecx, [ebp - 0x2c] // c745ec0f000000 | mov dword ptr [ebp - 0x14], 0xf $sequence_33 = { c786d000000018cf4200 c786ac00000001000000 33c0 8b4dfc 5f 5e } // n = 6, score = 100 // c786d000000018cf4200 | mov dword ptr [esi + 0xd0], 0x42cf18 // c786ac00000001000000 | mov dword ptr [esi + 0xac], 1 // 33c0 | xor eax, eax // 8b4dfc | mov ecx, dword ptr [ebp - 4] // 5f | pop edi // 5e | pop esi $sequence_34 = { 52 8b4508 50 e8???????? 8945f8 c745e000000000 8b45f8 } // n = 7, score = 100 // 52 | push edx // 8b4508 | mov eax, dword ptr [ebp + 8] // 50 | push eax // e8???????? | // 8945f8 | mov dword ptr [ebp - 8], eax // c745e000000000 | mov dword ptr [ebp - 0x20], 0 // 8b45f8 | mov eax, dword ptr [ebp - 8] $sequence_35 = { 68???????? e8???????? 68???????? ff15???????? 8b7508 c7465c28c14200 83660800 } // n = 7, score = 100 // 68???????? | // e8???????? | // 68???????? | // ff15???????? | // 8b7508 | mov esi, dword ptr [ebp + 8] // c7465c28c14200 | mov dword ptr [esi + 0x5c], 0x42c128 // 83660800 | and dword ptr [esi + 8], 0 $sequence_36 = { 8b15???????? a1???????? 01d0 0505010000 8945f4 eb20 } // n = 6, score = 100 // 8b15???????? | // a1???????? | // 01d0 | add eax, edx // 0505010000 | add eax, 0x105 // 8945f4 | mov dword ptr [ebp - 0xc], eax // eb20 | jmp 0x22 $sequence_37 = { 66c785eafeffff0000 c7442404fa000000 8d85bafeffff 890424 e8???????? } // n = 5, score = 100 // 66c785eafeffff0000 | mov word ptr [ebp - 0x116], 0 // c7442404fa000000 | mov dword ptr [esp + 4], 0xfa // 8d85bafeffff | lea eax, [ebp - 0x146] // 890424 | mov dword ptr [esp], eax // e8???????? | $sequence_38 = { 7777 8d9dfcfbffff 33c9 8a8104b04200 88840dfcfbffff 41 84c0 } // n = 7, score = 100 // 7777 | ja 0x79 // 8d9dfcfbffff | lea ebx, [ebp - 0x404] // 33c9 | xor ecx, ecx // 8a8104b04200 | mov al, byte ptr [ecx + 0x42b004] // 88840dfcfbffff | mov byte ptr [ebp + ecx - 0x404], al // 41 | inc ecx // 84c0 | test al, al $sequence_39 = { e8???????? 85ff 7473 837e1808 7234 8b4e04 eb32 } // n = 7, score = 100 // e8???????? | // 85ff | test edi, edi // 7473 | je 0x75 // 837e1808 | cmp dword ptr [esi + 0x18], 8 // 7234 | jb 0x36 // 8b4e04 | mov ecx, dword ptr [esi + 4] // eb32 | jmp 0x34 $sequence_40 = { c785bafeffff62624a78 c785befeffff6f7c6b4a c785c2feffff677a6762 c785c6feffff624c6f72 c785cafeffff6b796262 c785cefeffff69726f79 } // n = 6, score = 100 // c785bafeffff62624a78 | mov dword ptr [ebp - 0x146], 0x784a6262 // c785befeffff6f7c6b4a | mov dword ptr [ebp - 0x142], 0x4a6b7c6f // c785c2feffff677a6762 | mov dword ptr [ebp - 0x13e], 0x62677a67 // c785c6feffff624c6f72 | mov dword ptr [ebp - 0x13a], 0x726f4c62 // c785cafeffff6b796262 | mov dword ptr [ebp - 0x136], 0x6262796b // c785cefeffff69726f79 | mov dword ptr [ebp - 0x132], 0x796f7269 $sequence_41 = { 85f6 0f84b9000000 8975e0 8b04bda0244300 } // n = 4, score = 100 // 85f6 | test esi, esi // 0f84b9000000 | je 0xbf // 8975e0 | mov dword ptr [ebp - 0x20], esi // 8b04bda0244300 | mov eax, dword ptr [edi*4 + 0x4324a0] $sequence_42 = { 890424 e8???????? 8d8562feffff 890424 e8???????? } // n = 5, score = 100 // 890424 | mov dword ptr [esp], eax // e8???????? | // 8d8562feffff | lea eax, [ebp - 0x19e] // 890424 | mov dword ptr [esp], eax // e8???????? | $sequence_43 = { 6bd10b 898278a04600 68???????? 8b45fc 50 ff15???????? } // n = 6, score = 100 // 6bd10b | imul edx, ecx, 0xb // 898278a04600 | mov dword ptr [edx + 0x46a078], eax // 68???????? | // 8b45fc | mov eax, dword ptr [ebp - 4] // 50 | push eax // ff15???????? | $sequence_44 = { 8d41f8 89840d84feffff 8d85f0feffff c645fc02 } // n = 4, score = 100 // 8d41f8 | lea eax, [ecx - 8] // 89840d84feffff | mov dword ptr [ebp + ecx - 0x17c], eax // 8d85f0feffff | lea eax, [ebp - 0x110] // c645fc02 | mov byte ptr [ebp - 4], 2 $sequence_45 = { 0f848a000000 837de800 0f8480000000 8b4df8 6a0a 8b048d60cb4300 } // n = 6, score = 100 // 0f848a000000 | je 0x90 // 837de800 | cmp dword ptr [ebp - 0x18], 0 // 0f8480000000 | je 0x86 // 8b4df8 | mov ecx, dword ptr [ebp - 8] // 6a0a | push 0xa // 8b048d60cb4300 | mov eax, dword ptr [ecx*4 + 0x43cb60] $sequence_46 = { 896c2404 893c24 e8???????? 80be2c02000000 7439 c74424042f000000 } // n = 6, score = 100 // 896c2404 | mov dword ptr [esp + 4], ebp // 893c24 | mov dword ptr [esp], edi // e8???????? | // 80be2c02000000 | cmp byte ptr [esi + 0x22c], 0 // 7439 | je 0x3b // c74424042f000000 | mov dword ptr [esp + 4], 0x2f $sequence_47 = { 5d c3 8b04cd34f04200 5d c3 } // n = 5, score = 100 // 5d | pop ebp // c3 | ret // 8b04cd34f04200 | mov eax, dword ptr [ecx*8 + 0x42f034] // 5d | pop ebp // c3 | ret $sequence_48 = { 89857cfcffff 898580fcffff 8bf4 6804010000 8d85e8feffff 50 } // n = 6, score = 100 // 89857cfcffff | mov dword ptr [ebp - 0x384], eax // 898580fcffff | mov dword ptr [ebp - 0x380], eax // 8bf4 | mov esi, esp // 6804010000 | push 0x104 // 8d85e8feffff | lea eax, [ebp - 0x118] // 50 | push eax $sequence_49 = { 8b0c8d00b04600 0fb6540128 81e280000000 741b 8d8568ffffff 50 8b4de0 } // n = 7, score = 100 // 8b0c8d00b04600 | mov ecx, dword ptr [ecx*4 + 0x46b000] // 0fb6540128 | movzx edx, byte ptr [ecx + eax + 0x28] // 81e280000000 | and edx, 0x80 // 741b | je 0x1d // 8d8568ffffff | lea eax, [ebp - 0x98] // 50 | push eax // 8b4de0 | mov ecx, dword ptr [ebp - 0x20] $sequence_50 = { 741d 8bc7 c1f805 83e71f c1e706 8b0485a0244300 } // n = 6, score = 100 // 741d | je 0x1f // 8bc7 | mov eax, edi // c1f805 | sar eax, 5 // 83e71f | and edi, 0x1f // c1e706 | shl edi, 6 // 8b0485a0244300 | mov eax, dword ptr [eax*4 + 0x4324a0] $sequence_51 = { 8d8d8cefffff c785a0efffff00000000 66898590efffff e8???????? } // n = 4, score = 100 // 8d8d8cefffff | lea ecx, [ebp - 0x1074] // c785a0efffff00000000 | mov dword ptr [ebp - 0x1060], 0 // 66898590efffff | mov word ptr [ebp - 0x1070], ax // e8???????? | $sequence_52 = { 89840dd0bbf0ff c645fc1d 8d8544bcf0ff c78544bcf0ff9c734300 } // n = 4, score = 100 // 89840dd0bbf0ff | mov dword ptr [ebp + ecx - 0xf4430], eax // c645fc1d | mov byte ptr [ebp - 4], 0x1d // 8d8544bcf0ff | lea eax, [ebp - 0xf43bc] // c78544bcf0ff9c734300 | mov dword ptr [ebp - 0xf43bc], 0x43739c $sequence_53 = { 7541 d9ec d9c9 d9f1 833d????????00 0f85ac79ffff 8d0d70664300 } // n = 7, score = 100 // 7541 | jne 0x43 // d9ec | fldlg2 // d9c9 | fxch st(1) // d9f1 | fyl2x // 833d????????00 | // 0f85ac79ffff | jne 0xffff79b2 // 8d0d70664300 | lea ecx, [0x436670] condition: 7 of them and filesize < 1097728 }
import "pe" rule win_yty_w0 { meta: author = "James E.C, ProofPoint" description = "Modular malware framework with similarities to EHDevel" hash = "1e0c1b97925e1ed90562d2c68971e038d8506b354dd6c1d2bcc252d2a48bc31c" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty" malpedia_version = "20180312" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $x1 = "/football/download2/" ascii wide $x2 = "/football/download/" ascii wide $x3 = "Caption: Xp>" wide $x_c2 = "5.135.199.0" ascii fullword $a1 = "getGoogle" ascii fullword $a2 = "/q /noretstart" wide $a3 = "IsInSandbox" ascii fullword $a4 = "syssystemnew" ascii fullword $a5 = "ytyinfo" ascii fullword $a6 = "\\ytyboth\\yty " ascii $s1 = "SELECT Name FROM Win32_Processor" wide $s2 = "SELECT Caption FROM Win32_OperatingSystem" wide $s3 = "SELECT SerialNumber FROM Win32_DiskDrive" wide $s4 = "VM: Yes" wide fullword $s5 = "VM: No" wide fullword $s6 = "helpdll.dll" ascii fullword $s7 = "boothelp.exe" ascii fullword $s8 = "SbieDll.dll" wide fullword $s9 = "dbghelp.dll" wide fullword $s10 = "YesNoMaybe" ascii fullword $s11 = "saveData" ascii fullword $s12 = "saveLogs" ascii fullword condition: pe.imphash() == "87775285899fa860b9963b11596a2ded" or 1 of ($x*) or 3 of ($a*) or 6 of ($s*) }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY