SYMBOLCOMMON_NAMEaka. SYNONYMS
win.yty (Back to overview)

yty

Actor(s): APT-C-35, Donot Team, EHDevel


There is no description at this point.

References
2020SecureworksSecureWorks
@online{secureworks:2020:zinc:13667ec, author = {SecureWorks}, title = {{ZINC EMERSON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/zinc-emerson}, language = {English}, urldate = {2020-05-23} } ZINC EMERSON
yty Dropping Elephant
2019-11-15Positive TechnologiesPositive Technologies
@online{technologies:20191115:studying:b64a9fd, author = {Positive Technologies}, title = {{Studying Donot Team}}, date = {2019-11-15}, organization = {Positive Technologies}, url = {http://blog.ptsecurity.com/2019/11/studying-donot-team.html}, language = {English}, urldate = {2020-01-05} } Studying Donot Team
yty
2019-08-02NSHCThreatRecon Team
@online{team:20190802:sectore02:c2237b1, author = {ThreatRecon Team}, title = {{SectorE02 Updates YTY Framework in New Targeted Campaign Against Pakistan Government}}, date = {2019-08-02}, organization = {NSHC}, url = {https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/}, language = {English}, urldate = {2020-01-08} } SectorE02 Updates YTY Framework in New Targeted Campaign Against Pakistan Government
yty
2018-07-26奇安信威胁情报中心 | 事件追踪
@online{:20180726:analysis:66722b6, author = {奇安信威胁情报中心 | 事件追踪}, title = {{Analysis of the latest attack activities of APT-C-35}}, date = {2018-07-26}, url = {https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/}, language = {Chinese}, urldate = {2020-01-08} } Analysis of the latest attack activities of APT-C-35
yty APT-C-35
2018-03-08NetScoutASERT Team
@online{team:20180308:donot:6f0c645, author = {ASERT Team}, title = {{Donot Team Leverages New Modular Malware Framework in South Asia}}, date = {2018-03-08}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/}, language = {English}, urldate = {2020-01-09} } Donot Team Leverages New Modular Malware Framework in South Asia
yty
Yara Rules
[TLP:WHITE] win_yty_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_yty_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33c5 50 8d45f4 64a300000000 8b7508 33ff 897dd8 }
            // n = 7, score = 500
            //   33c5                 | xor                 eax, ebp
            //   50                   | push                eax
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   33ff                 | xor                 edi, edi
            //   897dd8               | mov                 dword ptr [ebp - 0x28], edi

        $sequence_1 = { 0f840c000000 8365d8fe 8b7508 e9???????? c3 }
            // n = 5, score = 500
            //   0f840c000000         | je                  0x12
            //   8365d8fe             | and                 dword ptr [ebp - 0x28], 0xfffffffe
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   e9????????           |                     
            //   c3                   | ret                 

        $sequence_2 = { 8945fc 56 c745f001000000 e8???????? 83c404 8bc6 }
            // n = 6, score = 400
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   56                   | push                esi
            //   c745f001000000       | mov                 dword ptr [ebp - 0x10], 1
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8bc6                 | mov                 eax, esi

        $sequence_3 = { 2ad1 80ea13 b903000000 eb69 8a1402 2ad1 8bfe }
            // n = 7, score = 400
            //   2ad1                 | sub                 dl, cl
            //   80ea13               | sub                 dl, 0x13
            //   b903000000           | mov                 ecx, 3
            //   eb69                 | jmp                 0x6b
            //   8a1402               | mov                 dl, byte ptr [edx + eax]
            //   2ad1                 | sub                 dl, cl
            //   8bfe                 | mov                 edi, esi

        $sequence_4 = { 8b3e 2ad1 80ea04 b901000000 e9???????? }
            // n = 5, score = 400
            //   8b3e                 | mov                 edi, dword ptr [esi]
            //   2ad1                 | sub                 dl, cl
            //   80ea04               | sub                 dl, 4
            //   b901000000           | mov                 ecx, 1
            //   e9????????           |                     

        $sequence_5 = { 64a300000000 8d8524ffffff 50 e8???????? }
            // n = 4, score = 400
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8d8524ffffff         | lea                 eax, [ebp - 0xdc]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_6 = { 668910 8bc6 5b 8be5 5d c20400 }
            // n = 6, score = 400
            //   668910               | mov                 word ptr [eax], dx
            //   8bc6                 | mov                 eax, esi
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4

        $sequence_7 = { 33c0 8d7910 85d2 0f8425010000 }
            // n = 4, score = 400
            //   33c0                 | xor                 eax, eax
            //   8d7910               | lea                 edi, [ecx + 0x10]
            //   85d2                 | test                edx, edx
            //   0f8425010000         | je                  0x12b

        $sequence_8 = { 6a00 8bcf c645fc02 e8???????? 8b0e }
            // n = 5, score = 400
            //   6a00                 | push                0
            //   8bcf                 | mov                 ecx, edi
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   e8????????           |                     
            //   8b0e                 | mov                 ecx, dword ptr [esi]

        $sequence_9 = { 8975e0 85c9 7407 8b11 8b4204 ffd0 c745fc00000000 }
            // n = 7, score = 400
            //   8975e0               | mov                 dword ptr [ebp - 0x20], esi
            //   85c9                 | test                ecx, ecx
            //   7407                 | je                  9
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   8b4204               | mov                 eax, dword ptr [edx + 4]
            //   ffd0                 | call                eax
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0

        $sequence_10 = { 83c40c 8d8de8fdffff 51 53 53 6a28 }
            // n = 6, score = 400
            //   83c40c               | add                 esp, 0xc
            //   8d8de8fdffff         | lea                 ecx, [ebp - 0x218]
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   6a28                 | push                0x28

        $sequence_11 = { 50 ffd2 8b8568ffffff 8b08 8b5108 }
            // n = 5, score = 400
            //   50                   | push                eax
            //   ffd2                 | call                edx
            //   8b8568ffffff         | mov                 eax, dword ptr [ebp - 0x98]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8b5108               | mov                 edx, dword ptr [ecx + 8]

        $sequence_12 = { 7303 8d5508 8b4e10 397e14 7211 }
            // n = 5, score = 400
            //   7303                 | jae                 5
            //   8d5508               | lea                 edx, [ebp + 8]
            //   8b4e10               | mov                 ecx, dword ptr [esi + 0x10]
            //   397e14               | cmp                 dword ptr [esi + 0x14], edi
            //   7211                 | jb                  0x13

        $sequence_13 = { 8bfe 80ea13 b903000000 eb58 8b5508 }
            // n = 5, score = 400
            //   8bfe                 | mov                 edi, esi
            //   80ea13               | sub                 dl, 0x13
            //   b903000000           | mov                 ecx, 3
            //   eb58                 | jmp                 0x5a
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]

        $sequence_14 = { e8???????? 8b0e 8b5104 8b443238 c645ef01 }
            // n = 5, score = 400
            //   e8????????           |                     
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   8b5104               | mov                 edx, dword ptr [ecx + 4]
            //   8b443238             | mov                 eax, dword ptr [edx + esi + 0x38]
            //   c645ef01             | mov                 byte ptr [ebp - 0x11], 1

        $sequence_15 = { 50 8bce c60600 e8???????? 8b5610 33c9 }
            // n = 6, score = 400
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi
            //   c60600               | mov                 byte ptr [esi], 0
            //   e8????????           |                     
            //   8b5610               | mov                 edx, dword ptr [esi + 0x10]
            //   33c9                 | xor                 ecx, ecx

        $sequence_16 = { 8906 894604 894608 8945fc 56 c745f001000000 }
            // n = 6, score = 400
            //   8906                 | mov                 dword ptr [esi], eax
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   56                   | push                esi
            //   c745f001000000       | mov                 dword ptr [ebp - 0x10], 1

        $sequence_17 = { b904000000 eb34 8a1402 2ad1 8bfe 80ea04 b904000000 }
            // n = 7, score = 400
            //   b904000000           | mov                 ecx, 4
            //   eb34                 | jmp                 0x36
            //   8a1402               | mov                 dl, byte ptr [edx + eax]
            //   2ad1                 | sub                 dl, cl
            //   8bfe                 | mov                 edi, esi
            //   80ea04               | sub                 dl, 4
            //   b904000000           | mov                 ecx, 4

        $sequence_18 = { 8b08 8b5108 50 ffd2 ff15???????? 8b8568ffffff }
            // n = 6, score = 400
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8b5108               | mov                 edx, dword ptr [ecx + 8]
            //   50                   | push                eax
            //   ffd2                 | call                edx
            //   ff15????????         |                     
            //   8b8568ffffff         | mov                 eax, dword ptr [ebp - 0x98]

        $sequence_19 = { 2ad1 80ea04 b904000000 eb34 8a1402 }
            // n = 5, score = 400
            //   2ad1                 | sub                 dl, cl
            //   80ea04               | sub                 dl, 4
            //   b904000000           | mov                 ecx, 4
            //   eb34                 | jmp                 0x36
            //   8a1402               | mov                 dl, byte ptr [edx + eax]

        $sequence_20 = { 50 e8???????? 83c404 be08000000 }
            // n = 4, score = 300
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   be08000000           | mov                 esi, 8

        $sequence_21 = { 8b06 8930 c745fc01000000 c7461807000000 }
            // n = 4, score = 300
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8930                 | mov                 dword ptr [eax], esi
            //   c745fc01000000       | mov                 dword ptr [ebp - 4], 1
            //   c7461807000000       | mov                 dword ptr [esi + 0x18], 7

        $sequence_22 = { 6a6d 56 ff15???????? 8b3d???????? 6a00 6a00 6a00 }
            // n = 7, score = 300
            //   6a6d                 | push                0x6d
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8b3d????????         |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_23 = { 68f4010000 50 e8???????? 83c40c }
            // n = 4, score = 300
            //   68f4010000           | push                0x1f4
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_24 = { 8ad1 c0ea02 8ac4 80e20f c0e004 }
            // n = 5, score = 300
            //   8ad1                 | mov                 dl, cl
            //   c0ea02               | shr                 dl, 2
            //   8ac4                 | mov                 al, ah
            //   80e20f               | and                 dl, 0xf
            //   c0e004               | shl                 al, 4

        $sequence_25 = { 8b4c1938 895dd4 85c9 7405 8b01 ff5004 c745fc00000000 }
            // n = 7, score = 200
            //   8b4c1938             | mov                 ecx, dword ptr [ecx + ebx + 0x38]
            //   895dd4               | mov                 dword ptr [ebp - 0x2c], ebx
            //   85c9                 | test                ecx, ecx
            //   7405                 | je                  7
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   ff5004               | call                dword ptr [eax + 4]
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0

        $sequence_26 = { 8d8318010000 83c414 5b 5e c3 }
            // n = 5, score = 100
            //   8d8318010000         | lea                 eax, [ebx + 0x118]
            //   83c414               | add                 esp, 0x14
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi
            //   c3                   | ret                 

        $sequence_27 = { c1f806 03348560cb4300 f6462d01 7415 e8???????? c70016000000 e8???????? }
            // n = 7, score = 100
            //   c1f806               | sar                 eax, 6
            //   03348560cb4300       | add                 esi, dword ptr [eax*4 + 0x43cb60]
            //   f6462d01             | test                byte ptr [esi + 0x2d], 1
            //   7415                 | je                  0x17
            //   e8????????           |                     
            //   c70016000000         | mov                 dword ptr [eax], 0x16
            //   e8????????           |                     

        $sequence_28 = { c70424???????? e8???????? a3???????? c745f400000000 }
            // n = 4, score = 100
            //   c70424????????       |                     
            //   e8????????           |                     
            //   a3????????           |                     
            //   c745f400000000       | mov                 dword ptr [ebp - 0xc], 0

        $sequence_29 = { 8d5001 8b4508 01d0 0fb600 }
            // n = 4, score = 100
            //   8d5001               | lea                 edx, [eax + 1]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   01d0                 | add                 eax, edx
            //   0fb600               | movzx               eax, byte ptr [eax]

        $sequence_30 = { ff2485c8a64100 8b4dfc 8b5110 0fbe02 }
            // n = 4, score = 100
            //   ff2485c8a64100       | jmp                 dword ptr [eax*4 + 0x41a6c8]
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b5110               | mov                 edx, dword ptr [ecx + 0x10]
            //   0fbe02               | movsx               eax, byte ptr [edx]

        $sequence_31 = { b9???????? e8???????? 85c0 743b }
            // n = 4, score = 100
            //   b9????????           |                     
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   743b                 | je                  0x3d

        $sequence_32 = { ff75d8 e8???????? 83c40c 8d4dd4 c745ec0f000000 }
            // n = 5, score = 100
            //   ff75d8               | push                dword ptr [ebp - 0x28]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   c745ec0f000000       | mov                 dword ptr [ebp - 0x14], 0xf

        $sequence_33 = { c786d000000018cf4200 c786ac00000001000000 33c0 8b4dfc 5f 5e }
            // n = 6, score = 100
            //   c786d000000018cf4200     | mov    dword ptr [esi + 0xd0], 0x42cf18
            //   c786ac00000001000000     | mov    dword ptr [esi + 0xac], 1
            //   33c0                 | xor                 eax, eax
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_34 = { 52 8b4508 50 e8???????? 8945f8 c745e000000000 8b45f8 }
            // n = 7, score = 100
            //   52                   | push                edx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   c745e000000000       | mov                 dword ptr [ebp - 0x20], 0
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]

        $sequence_35 = { 68???????? e8???????? 68???????? ff15???????? 8b7508 c7465c28c14200 83660800 }
            // n = 7, score = 100
            //   68????????           |                     
            //   e8????????           |                     
            //   68????????           |                     
            //   ff15????????         |                     
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   c7465c28c14200       | mov                 dword ptr [esi + 0x5c], 0x42c128
            //   83660800             | and                 dword ptr [esi + 8], 0

        $sequence_36 = { 8b15???????? a1???????? 01d0 0505010000 8945f4 eb20 }
            // n = 6, score = 100
            //   8b15????????         |                     
            //   a1????????           |                     
            //   01d0                 | add                 eax, edx
            //   0505010000           | add                 eax, 0x105
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   eb20                 | jmp                 0x22

        $sequence_37 = { 66c785eafeffff0000 c7442404fa000000 8d85bafeffff 890424 e8???????? }
            // n = 5, score = 100
            //   66c785eafeffff0000     | mov    word ptr [ebp - 0x116], 0
            //   c7442404fa000000     | mov                 dword ptr [esp + 4], 0xfa
            //   8d85bafeffff         | lea                 eax, [ebp - 0x146]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     

        $sequence_38 = { 7777 8d9dfcfbffff 33c9 8a8104b04200 88840dfcfbffff 41 84c0 }
            // n = 7, score = 100
            //   7777                 | ja                  0x79
            //   8d9dfcfbffff         | lea                 ebx, [ebp - 0x404]
            //   33c9                 | xor                 ecx, ecx
            //   8a8104b04200         | mov                 al, byte ptr [ecx + 0x42b004]
            //   88840dfcfbffff       | mov                 byte ptr [ebp + ecx - 0x404], al
            //   41                   | inc                 ecx
            //   84c0                 | test                al, al

        $sequence_39 = { e8???????? 85ff 7473 837e1808 7234 8b4e04 eb32 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85ff                 | test                edi, edi
            //   7473                 | je                  0x75
            //   837e1808             | cmp                 dword ptr [esi + 0x18], 8
            //   7234                 | jb                  0x36
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   eb32                 | jmp                 0x34

        $sequence_40 = { c785bafeffff62624a78 c785befeffff6f7c6b4a c785c2feffff677a6762 c785c6feffff624c6f72 c785cafeffff6b796262 c785cefeffff69726f79 }
            // n = 6, score = 100
            //   c785bafeffff62624a78     | mov    dword ptr [ebp - 0x146], 0x784a6262
            //   c785befeffff6f7c6b4a     | mov    dword ptr [ebp - 0x142], 0x4a6b7c6f
            //   c785c2feffff677a6762     | mov    dword ptr [ebp - 0x13e], 0x62677a67
            //   c785c6feffff624c6f72     | mov    dword ptr [ebp - 0x13a], 0x726f4c62
            //   c785cafeffff6b796262     | mov    dword ptr [ebp - 0x136], 0x6262796b
            //   c785cefeffff69726f79     | mov    dword ptr [ebp - 0x132], 0x796f7269

        $sequence_41 = { 85f6 0f84b9000000 8975e0 8b04bda0244300 }
            // n = 4, score = 100
            //   85f6                 | test                esi, esi
            //   0f84b9000000         | je                  0xbf
            //   8975e0               | mov                 dword ptr [ebp - 0x20], esi
            //   8b04bda0244300       | mov                 eax, dword ptr [edi*4 + 0x4324a0]

        $sequence_42 = { 890424 e8???????? 8d8562feffff 890424 e8???????? }
            // n = 5, score = 100
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   8d8562feffff         | lea                 eax, [ebp - 0x19e]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     

        $sequence_43 = { 6bd10b 898278a04600 68???????? 8b45fc 50 ff15???????? }
            // n = 6, score = 100
            //   6bd10b               | imul                edx, ecx, 0xb
            //   898278a04600         | mov                 dword ptr [edx + 0x46a078], eax
            //   68????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_44 = { 8d41f8 89840d84feffff 8d85f0feffff c645fc02 }
            // n = 4, score = 100
            //   8d41f8               | lea                 eax, [ecx - 8]
            //   89840d84feffff       | mov                 dword ptr [ebp + ecx - 0x17c], eax
            //   8d85f0feffff         | lea                 eax, [ebp - 0x110]
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2

        $sequence_45 = { 0f848a000000 837de800 0f8480000000 8b4df8 6a0a 8b048d60cb4300 }
            // n = 6, score = 100
            //   0f848a000000         | je                  0x90
            //   837de800             | cmp                 dword ptr [ebp - 0x18], 0
            //   0f8480000000         | je                  0x86
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   6a0a                 | push                0xa
            //   8b048d60cb4300       | mov                 eax, dword ptr [ecx*4 + 0x43cb60]

        $sequence_46 = { 896c2404 893c24 e8???????? 80be2c02000000 7439 c74424042f000000 }
            // n = 6, score = 100
            //   896c2404             | mov                 dword ptr [esp + 4], ebp
            //   893c24               | mov                 dword ptr [esp], edi
            //   e8????????           |                     
            //   80be2c02000000       | cmp                 byte ptr [esi + 0x22c], 0
            //   7439                 | je                  0x3b
            //   c74424042f000000     | mov                 dword ptr [esp + 4], 0x2f

        $sequence_47 = { 5d c3 8b04cd34f04200 5d c3 }
            // n = 5, score = 100
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b04cd34f04200       | mov                 eax, dword ptr [ecx*8 + 0x42f034]
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_48 = { 89857cfcffff 898580fcffff 8bf4 6804010000 8d85e8feffff 50 }
            // n = 6, score = 100
            //   89857cfcffff         | mov                 dword ptr [ebp - 0x384], eax
            //   898580fcffff         | mov                 dword ptr [ebp - 0x380], eax
            //   8bf4                 | mov                 esi, esp
            //   6804010000           | push                0x104
            //   8d85e8feffff         | lea                 eax, [ebp - 0x118]
            //   50                   | push                eax

        $sequence_49 = { 8b0c8d00b04600 0fb6540128 81e280000000 741b 8d8568ffffff 50 8b4de0 }
            // n = 7, score = 100
            //   8b0c8d00b04600       | mov                 ecx, dword ptr [ecx*4 + 0x46b000]
            //   0fb6540128           | movzx               edx, byte ptr [ecx + eax + 0x28]
            //   81e280000000         | and                 edx, 0x80
            //   741b                 | je                  0x1d
            //   8d8568ffffff         | lea                 eax, [ebp - 0x98]
            //   50                   | push                eax
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]

        $sequence_50 = { 741d 8bc7 c1f805 83e71f c1e706 8b0485a0244300 }
            // n = 6, score = 100
            //   741d                 | je                  0x1f
            //   8bc7                 | mov                 eax, edi
            //   c1f805               | sar                 eax, 5
            //   83e71f               | and                 edi, 0x1f
            //   c1e706               | shl                 edi, 6
            //   8b0485a0244300       | mov                 eax, dword ptr [eax*4 + 0x4324a0]

        $sequence_51 = { 8d8d8cefffff c785a0efffff00000000 66898590efffff e8???????? }
            // n = 4, score = 100
            //   8d8d8cefffff         | lea                 ecx, [ebp - 0x1074]
            //   c785a0efffff00000000     | mov    dword ptr [ebp - 0x1060], 0
            //   66898590efffff       | mov                 word ptr [ebp - 0x1070], ax
            //   e8????????           |                     

        $sequence_52 = { 89840dd0bbf0ff c645fc1d 8d8544bcf0ff c78544bcf0ff9c734300 }
            // n = 4, score = 100
            //   89840dd0bbf0ff       | mov                 dword ptr [ebp + ecx - 0xf4430], eax
            //   c645fc1d             | mov                 byte ptr [ebp - 4], 0x1d
            //   8d8544bcf0ff         | lea                 eax, [ebp - 0xf43bc]
            //   c78544bcf0ff9c734300     | mov    dword ptr [ebp - 0xf43bc], 0x43739c

        $sequence_53 = { 7541 d9ec d9c9 d9f1 833d????????00 0f85ac79ffff 8d0d70664300 }
            // n = 7, score = 100
            //   7541                 | jne                 0x43
            //   d9ec                 | fldlg2              
            //   d9c9                 | fxch                st(1)
            //   d9f1                 | fyl2x               
            //   833d????????00       |                     
            //   0f85ac79ffff         | jne                 0xffff79b2
            //   8d0d70664300         | lea                 ecx, [0x436670]

    condition:
        7 of them and filesize < 1097728
}
[TLP:WHITE] win_yty_w0   (20180312 | Modular malware framework with similarities to EHDevel)
import "pe"

rule win_yty_w0 {
    meta:
        author = "James E.C, ProofPoint"
        description = "Modular malware framework with similarities to EHDevel"
        hash = "1e0c1b97925e1ed90562d2c68971e038d8506b354dd6c1d2bcc252d2a48bc31c"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty"
        malpedia_version = "20180312"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $x1 = "/football/download2/" ascii wide
        $x2 = "/football/download/" ascii wide
        $x3 = "Caption: Xp>" wide

        $x_c2 = "5.135.199.0" ascii fullword

        $a1 = "getGoogle" ascii fullword
        $a2 = "/q /noretstart" wide
        $a3 = "IsInSandbox" ascii fullword
        $a4 = "syssystemnew" ascii fullword
        $a5 = "ytyinfo" ascii fullword
        $a6 = "\\ytyboth\\yty " ascii

        $s1 = "SELECT Name FROM Win32_Processor" wide
        $s2 = "SELECT Caption FROM Win32_OperatingSystem" wide
        $s3 = "SELECT SerialNumber FROM Win32_DiskDrive" wide
        $s4 = "VM: Yes" wide fullword
        $s5 = "VM: No" wide fullword
        $s6 = "helpdll.dll" ascii fullword
        $s7 = "boothelp.exe" ascii fullword
        $s8 = "SbieDll.dll" wide fullword
        $s9 = "dbghelp.dll" wide fullword
        $s10 = "YesNoMaybe" ascii fullword
        $s11 = "saveData" ascii fullword
        $s12 = "saveLogs" ascii fullword
    condition:
        pe.imphash() == "87775285899fa860b9963b11596a2ded" or 1 of ($x*) or 3 of ($a*) or 6 of ($s*)
}
Download all Yara Rules