Actor(s): APT-C-35, Donot Team, Viceroy Tiger
There is no description at this point.
// Auto-generated code-sequence rule for win.yty (yara-signator output).
//
// Each $sequence_N is a short run of x86 opcode bytes lifted from the
// disassembly of unpacked samples. "??" wildcards mask bytes the generator
// treats as build-specific (call/jump displacements and data references, per
// signator_config). Some sequences still embed absolute addresses in the
// unmasked bytes (e.g. 0x43cb60, 0x4324a0, 0x406020, 0x42fe44), so those
// sequences are tied to the exact sample they came from; the "7 of them"
// condition is what keeps a single build-specific sequence from deciding
// the verdict on its own.
//
// The "n = …, score = …" annotations are the generator's per-sequence
// metadata and are kept verbatim for traceability; they do not influence
// matching. NOTE(review): treat hits on this rule as family-level evidence
// and corroborate with the string-based win_yty_w0 rule or sandbox output.
rule win_yty_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.yty."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 8b45d8 83e001 0f840c000000 8365d8fe 8b7508 }
            // n = 5, score = 500
            //   8b45d8        | mov eax, dword ptr [ebp - 0x28]
            //   83e001        | and eax, 1
            //   0f840c000000  | je 0x12
            //   8365d8fe      | and dword ptr [ebp - 0x28], 0xfffffffe
            //   8b7508        | mov esi, dword ptr [ebp + 8]

        $sequence_1 = { 8365d8fe 8b7508 e9???????? c3 }
            // n = 4, score = 500
            //   8365d8fe      | and dword ptr [ebp - 0x28], 0xfffffffe
            //   8b7508        | mov esi, dword ptr [ebp + 8]
            //   e9????????    |
            //   c3            | ret

        $sequence_2 = { 50 8d45f4 64a300000000 8b7508 33ff 897dd8 }
            // n = 6, score = 500
            //   50            | push eax
            //   8d45f4        | lea eax, [ebp - 0xc]
            //   64a300000000  | mov dword ptr fs:[0], eax
            //   8b7508        | mov esi, dword ptr [ebp + 8]
            //   33ff          | xor edi, edi
            //   897dd8        | mov dword ptr [ebp - 0x28], edi

        $sequence_3 = { b903000000 eb69 8a1402 2ad1 }
            // n = 4, score = 400
            //   b903000000    | mov ecx, 3
            //   eb69          | jmp 0x6b
            //   8a1402        | mov dl, byte ptr [edx + eax]
            //   2ad1          | sub dl, cl

        $sequence_4 = { 83c40c 8d8de8fdffff 51 53 53 6a28 }
            // n = 6, score = 400
            //   83c40c        | add esp, 0xc
            //   8d8de8fdffff  | lea ecx, [ebp - 0x218]
            //   51            | push ecx
            //   53            | push ebx
            //   53            | push ebx
            //   6a28          | push 0x28

        $sequence_5 = { 33c9 33c0 8d7910 85d2 0f8425010000 }
            // n = 5, score = 400
            //   33c9          | xor ecx, ecx
            //   33c0          | xor eax, eax
            //   8d7910        | lea edi, [ecx + 0x10]
            //   85d2          | test edx, edx
            //   0f8425010000  | je 0x12b

        $sequence_6 = { eb34 8a1402 2ad1 8bfe 80ea04 }
            // n = 5, score = 400
            //   eb34          | jmp 0x36
            //   8a1402        | mov dl, byte ptr [edx + eax]
            //   2ad1          | sub dl, cl
            //   8bfe          | mov edi, esi
            //   80ea04        | sub dl, 4

        $sequence_7 = { 8bf9 8b7508 8b06 8b4804 8b4c3138 }
            // n = 5, score = 400
            //   8bf9          | mov edi, ecx
            //   8b7508        | mov esi, dword ptr [ebp + 8]
            //   8b06          | mov eax, dword ptr [esi]
            //   8b4804        | mov ecx, dword ptr [eax + 4]
            //   8b4c3138      | mov ecx, dword ptr [ecx + esi + 0x38]

        $sequence_8 = { 57 50 8d45f4 64a300000000 8d8524ffffff 50 }
            // n = 6, score = 400
            //   57            | push edi
            //   50            | push eax
            //   8d45f4        | lea eax, [ebp - 0xc]
            //   64a300000000  | mov dword ptr fs:[0], eax
            //   8d8524ffffff  | lea eax, [ebp - 0xdc]
            //   50            | push eax

        $sequence_9 = { c645fc01 e8???????? 8b10 8b4a04 03c8 8b410c 2406 }
            // n = 7, score = 400
            //   c645fc01      | mov byte ptr [ebp - 4], 1
            //   e8????????    |
            //   8b10          | mov edx, dword ptr [eax]
            //   8b4a04        | mov ecx, dword ptr [edx + 4]
            //   03c8          | add ecx, eax
            //   8b410c        | mov eax, dword ptr [ecx + 0xc]
            //   2406          | and al, 6

        $sequence_10 = { 50 ffd2 8b8568ffffff 8b08 }
            // n = 4, score = 400
            //   50            | push eax
            //   ffd2          | call edx
            //   8b8568ffffff  | mov eax, dword ptr [ebp - 0x98]
            //   8b08          | mov ecx, dword ptr [eax]

        $sequence_11 = { 397e14 7214 8a1402 8b3e 2ad1 }
            // n = 5, score = 400
            //   397e14        | cmp dword ptr [esi + 0x14], edi
            //   7214          | jb 0x16
            //   8a1402        | mov dl, byte ptr [edx + eax]
            //   8b3e          | mov edi, dword ptr [esi]
            //   2ad1          | sub dl, cl

        $sequence_12 = { 2ad1 80ea13 33c9 881407 bf10000000 40 }
            // n = 6, score = 400
            //   2ad1          | sub dl, cl
            //   80ea13        | sub dl, 0x13
            //   33c9          | xor ecx, ecx
            //   881407        | mov byte ptr [edi + eax], dl
            //   bf10000000    | mov edi, 0x10
            //   40            | inc eax

        $sequence_13 = { 8b8570ffffff 8b08 8b5108 50 }
            // n = 4, score = 400
            //   8b8570ffffff  | mov eax, dword ptr [ebp - 0x90]
            //   8b08          | mov ecx, dword ptr [eax]
            //   8b5108        | mov edx, dword ptr [ecx + 8]
            //   50            | push eax

        $sequence_14 = { 668910 8bc6 5b 8be5 5d c20400 }
            // n = 6, score = 400
            //   668910        | mov word ptr [eax], dx
            //   8bc6          | mov eax, esi
            //   5b            | pop ebx
            //   8be5          | mov esp, ebp
            //   5d            | pop ebp
            //   c20400        | ret 4

        $sequence_15 = { 8b8570ffffff 8b10 50 8b4208 }
            // n = 4, score = 400
            //   8b8570ffffff  | mov eax, dword ptr [ebp - 0x90]
            //   8b10          | mov edx, dword ptr [eax]
            //   50            | push eax
            //   8b4208        | mov eax, dword ptr [edx + 8]

        $sequence_16 = { 895de8 885def 8975e0 85c9 7407 8b11 8b4204 }
            // n = 7, score = 400
            //   895de8        | mov dword ptr [ebp - 0x18], ebx
            //   885def        | mov byte ptr [ebp - 0x11], bl
            //   8975e0        | mov dword ptr [ebp - 0x20], esi
            //   85c9          | test ecx, ecx
            //   7407          | je 9
            //   8b11          | mov edx, dword ptr [ecx]
            //   8b4204        | mov eax, dword ptr [edx + 4]

        $sequence_17 = { 8d85e8fdffff 53 50 e8???????? 83c40c 8d8de8fdffff 51 }
            // n = 7, score = 400
            //   8d85e8fdffff  | lea eax, [ebp - 0x218]
            //   53            | push ebx
            //   50            | push eax
            //   e8????????    |
            //   83c40c        | add esp, 0xc
            //   8d8de8fdffff  | lea ecx, [ebp - 0x218]
            //   51            | push ecx

        $sequence_18 = { 7303 8d5508 8b4e10 397e14 7204 8b3e }
            // n = 6, score = 400
            //   7303          | jae 5
            //   8d5508        | lea edx, [ebp + 8]
            //   8b4e10        | mov ecx, dword ptr [esi + 0x10]
            //   397e14        | cmp dword ptr [esi + 0x14], edi
            //   7204          | jb 6
            //   8b3e          | mov edi, dword ptr [esi]

        $sequence_19 = { c745f000000000 6aff c745fc00000000 6a00 8d4508 c746140f000000 c7461000000000 }
            // n = 7, score = 400
            //   c745f000000000  | mov dword ptr [ebp - 0x10], 0
            //   6aff            | push -1
            //   c745fc00000000  | mov dword ptr [ebp - 4], 0
            //   6a00            | push 0
            //   8d4508          | lea eax, [ebp + 8]
            //   c746140f000000  | mov dword ptr [esi + 0x14], 0xf
            //   c7461000000000  | mov dword ptr [esi + 0x10], 0

        $sequence_20 = { 8bfe 80ea13 b902000000 e9???????? 8b5508 397d1c }
            // n = 6, score = 400
            //   8bfe          | mov edi, esi
            //   80ea13        | sub dl, 0x13
            //   b902000000    | mov ecx, 2
            //   e9????????    |
            //   8b5508        | mov edx, dword ptr [ebp + 8]
            //   397d1c        | cmp dword ptr [ebp + 0x1c], edi

        $sequence_21 = { 50 8b410c ffd0 8d4f08 51 }
            // n = 5, score = 400
            //   50            | push eax
            //   8b410c        | mov eax, dword ptr [ecx + 0xc]
            //   ffd0          | call eax
            //   8d4f08        | lea ecx, [edi + 8]
            //   51            | push ecx

        $sequence_22 = { 8ad1 c0ea02 8ac4 80e20f }
            // n = 4, score = 300
            //   8ad1          | mov dl, cl
            //   c0ea02        | shr dl, 2
            //   8ac4          | mov al, ah
            //   80e20f        | and dl, 0xf

        $sequence_23 = { 56 ff15???????? 8b3d???????? 6a00 6a00 6a00 }
            // n = 6, score = 300
            //   56            | push esi
            //   ff15????????  |
            //   8b3d????????  |
            //   6a00          | push 0
            //   6a00          | push 0
            //   6a00          | push 0

        $sequence_24 = { 8b4c1938 895dd4 85c9 7405 8b01 ff5004 c745fc00000000 }
            // n = 7, score = 200
            //   8b4c1938        | mov ecx, dword ptr [ecx + ebx + 0x38]
            //   895dd4          | mov dword ptr [ebp - 0x2c], ebx
            //   85c9            | test ecx, ecx
            //   7405            | je 7
            //   8b01            | mov eax, dword ptr [ecx]
            //   ff5004          | call dword ptr [eax + 4]
            //   c745fc00000000  | mov dword ptr [ebp - 4], 0

        $sequence_25 = { 57 8d8d38ffffff e8???????? 8d4da0 e8???????? 8d45a0 c745fc01000000 }
            // n = 7, score = 100
            //   57              | push edi
            //   8d8d38ffffff    | lea ecx, [ebp - 0xc8]
            //   e8????????      |
            //   8d4da0          | lea ecx, [ebp - 0x60]
            //   e8????????      |
            //   8d45a0          | lea eax, [ebp - 0x60]
            //   c745fc01000000  | mov dword ptr [ebp - 4], 1

        $sequence_26 = { 8d50ff 8b4508 01d0 c60000 836d0c01 837d0c00 }
            // n = 6, score = 100
            //   8d50ff        | lea edx, [eax - 1]
            //   8b4508        | mov eax, dword ptr [ebp + 8]
            //   01d0          | add eax, edx
            //   c60000        | mov byte ptr [eax], 0
            //   836d0c01      | sub dword ptr [ebp + 0xc], 1
            //   837d0c00      | cmp dword ptr [ebp + 0xc], 0

        // Contains an unmasked absolute address (0x43cb60): sample-specific.
        $sequence_27 = { e8???????? 89049d60cb4300 85c0 742f 8305????????40 8bfb }
            // n = 6, score = 100
            //   e8????????      |
            //   89049d60cb4300  | mov dword ptr [ebx*4 + 0x43cb60], eax
            //   85c0            | test eax, eax
            //   742f            | je 0x31
            //   8305????????40  |
            //   8bfb            | mov edi, ebx

        $sequence_28 = { b9???????? 0f43c7 0f1f00 8a10 3a11 751a 84d2 }
            // n = 7, score = 100
            //   b9????????    |
            //   0f43c7        | cmovae eax, edi
            //   0f1f00        | nop dword ptr [eax]
            //   8a10          | mov dl, byte ptr [eax]
            //   3a11          | cmp dl, byte ptr [ecx]
            //   751a          | jne 0x1c
            //   84d2          | test dl, dl

        $sequence_29 = { eb0c 891c24 e8???????? 85c0 7439 3bb328020000 }
            // n = 6, score = 100
            //   eb0c          | jmp 0xe
            //   891c24        | mov dword ptr [esp], ebx
            //   e8????????    |
            //   85c0          | test eax, eax
            //   7439          | je 0x3b
            //   3bb328020000  | cmp esi, dword ptr [ebx + 0x228]

        $sequence_30 = { c7858cfcffff00000000 6a40 6a00 8d8590fcffff 50 }
            // n = 5, score = 100
            //   c7858cfcffff00000000  | mov dword ptr [ebp - 0x374], 0
            //   6a40                  | push 0x40
            //   6a00                  | push 0
            //   8d8590fcffff          | lea eax, [ebp - 0x370]
            //   50                    | push eax

        $sequence_31 = { 8b7508 57 56 8975f8 e8???????? 8b15???????? 8bf8 }
            // n = 7, score = 100
            //   8b7508        | mov esi, dword ptr [ebp + 8]
            //   57            | push edi
            //   56            | push esi
            //   8975f8        | mov dword ptr [ebp - 8], esi
            //   e8????????    |
            //   8b15????????  |
            //   8bf8          | mov edi, eax

        // Contains an unmasked absolute address (0x4324a0): sample-specific.
        $sequence_32 = { 0f84b9000000 8975e0 8b04bda0244300 0500080000 3bf0 0f8396000000 }
            // n = 6, score = 100
            //   0f84b9000000    | je 0xbf
            //   8975e0          | mov dword ptr [ebp - 0x20], esi
            //   8b04bda0244300  | mov eax, dword ptr [edi*4 + 0x4324a0]
            //   0500080000      | add eax, 0x800
            //   3bf0            | cmp esi, eax
            //   0f8396000000    | jae 0x9c

        $sequence_33 = { c70424???????? e8???????? a3???????? a1???????? 85c0 746d }
            // n = 6, score = 100
            //   c70424????????  |
            //   e8????????      |
            //   a3????????      |
            //   a1????????      |
            //   85c0            | test eax, eax
            //   746d            | je 0x6f

        $sequence_34 = { c60000 eb0d 8345f401 817df409020000 }
            // n = 4, score = 100
            //   c60000          | mov byte ptr [eax], 0
            //   eb0d            | jmp 0xf
            //   8345f401        | add dword ptr [ebp - 0xc], 1
            //   817df409020000  | cmp dword ptr [ebp - 0xc], 0x209

        $sequence_35 = { 33c9 ff750c 668908 8bce ff7508 e8???????? 8bc6 }
            // n = 7, score = 100
            //   33c9          | xor ecx, ecx
            //   ff750c        | push dword ptr [ebp + 0xc]
            //   668908        | mov word ptr [eax], cx
            //   8bce          | mov ecx, esi
            //   ff7508        | push dword ptr [ebp + 8]
            //   e8????????    |
            //   8bc6          | mov eax, esi

        $sequence_36 = { 8bf4 68204e0000 ff15???????? 3bf4 e8???????? 5f }
            // n = 6, score = 100
            //   8bf4          | mov esi, esp
            //   68204e0000    | push 0x4e20
            //   ff15????????  |
            //   3bf4          | cmp esi, esp
            //   e8????????    |
            //   5f            | pop edi

        $sequence_37 = { 50 8d8d44b8f0ff e8???????? c645fc22 8d8d90bcf0ff 83bda4bcf0ff10 ba???????? }
            // n = 7, score = 100
            //   50              | push eax
            //   8d8d44b8f0ff    | lea ecx, [ebp - 0xf47bc]
            //   e8????????      |
            //   c645fc22        | mov byte ptr [ebp - 4], 0x22
            //   8d8d90bcf0ff    | lea ecx, [ebp - 0xf4370]
            //   83bda4bcf0ff10  | cmp dword ptr [ebp - 0xf435c], 0x10
            //   ba????????      |

        $sequence_38 = { 7245 8b8dacfcffff 40 3d00100000 722e f6c11f 7405 }
            // n = 7, score = 100
            //   7245          | jb 0x47
            //   8b8dacfcffff  | mov ecx, dword ptr [ebp - 0x354]
            //   40            | inc eax
            //   3d00100000    | cmp eax, 0x1000
            //   722e          | jb 0x30
            //   f6c11f        | test cl, 0x1f
            //   7405          | je 7

        // Contains an unmasked absolute address (0x406020): sample-specific.
        $sequence_39 = { a1???????? 01d0 0505010000 0fb69820604000 8b75dc 8b4508 }
            // n = 6, score = 100
            //   a1????????      |
            //   01d0            | add eax, edx
            //   0505010000      | add eax, 0x105
            //   0fb69820604000  | movzx ebx, byte ptr [eax + 0x406020]
            //   8b75dc          | mov esi, dword ptr [ebp - 0x24]
            //   8b4508          | mov eax, dword ptr [ebp + 8]

        $sequence_40 = { 8d8d5cb8f0ff 50 e8???????? c645fc1b 8b853cb8f0ff 83f810 }
            // n = 6, score = 100
            //   8d8d5cb8f0ff  | lea ecx, [ebp - 0xf47a4]
            //   50            | push eax
            //   e8????????    |
            //   c645fc1b      | mov byte ptr [ebp - 4], 0x1b
            //   8b853cb8f0ff  | mov eax, dword ptr [ebp - 0xf47c4]
            //   83f810        | cmp eax, 0x10

        $sequence_41 = { 50 e8???????? 8b0d???????? b893244992 }
            // n = 4, score = 100
            //   50            | push eax
            //   e8????????    |
            //   8b0d????????  |
            //   b893244992    | mov eax, 0x92492493

        // Contains an unmasked absolute address (0x46a078): sample-specific.
        $sequence_42 = { 6bd116 898278a04600 68???????? 8b45fc 50 ff15???????? 3305???????? }
            // n = 7, score = 100
            //   6bd116        | imul edx, ecx, 0x16
            //   898278a04600  | mov dword ptr [edx + 0x46a078], eax
            //   68????????    |
            //   8b45fc        | mov eax, dword ptr [ebp - 4]
            //   50            | push eax
            //   ff15????????  |
            //   3305????????  |

        // Contains an unmasked absolute address (0x42c128): sample-specific.
        $sequence_43 = { 8b7508 c7465c28c14200 83660800 33ff 47 }
            // n = 5, score = 100
            //   8b7508          | mov esi, dword ptr [ebp + 8]
            //   c7465c28c14200  | mov dword ptr [esi + 0x5c], 0x42c128
            //   83660800        | and dword ptr [esi + 8], 0
            //   33ff            | xor edi, edi
            //   47              | inc edi

        $sequence_44 = { c705????????4b154100 8935???????? a3???????? ff15???????? a3???????? 83f8ff 0f84c1000000 }
            // n = 7, score = 100
            //   c705????????4b154100  |
            //   8935????????          |
            //   a3????????            |
            //   ff15????????          |
            //   a3????????            |
            //   83f8ff                | cmp eax, -1
            //   0f84c1000000          | je 0xc7

        // Contains an unmasked absolute address (0x45e1cc): sample-specific.
        $sequence_45 = { 8b45f8 0fb70c45cce14500 3bd1 7504 33c0 eb07 ebd8 }
            // n = 7, score = 100
            //   8b45f8            | mov eax, dword ptr [ebp - 8]
            //   0fb70c45cce14500  | movzx ecx, word ptr [eax*2 + 0x45e1cc]
            //   3bd1              | cmp edx, ecx
            //   7504              | jne 6
            //   33c0              | xor eax, eax
            //   eb07              | jmp 9
            //   ebd8              | jmp 0xffffffda

        // Contains an unmasked absolute address (0x4324a0): sample-specific.
        $sequence_46 = { c1fa05 c1e006 030495a0244300 eb05 }
            // n = 4, score = 100
            //   c1fa05          | sar edx, 5
            //   c1e006          | shl eax, 6
            //   030495a0244300  | add eax, dword ptr [edx*4 + 0x4324a0]
            //   eb05            | jmp 7

        // Contains an unmasked absolute address (0x406020): sample-specific.
        $sequence_47 = { 0505010000 0fb68020604000 3c5c 751e 8b15???????? a1???????? 01c2 }
            // n = 7, score = 100
            //   0505010000      | add eax, 0x105
            //   0fb68020604000  | movzx eax, byte ptr [eax + 0x406020]
            //   3c5c            | cmp al, 0x5c
            //   751e            | jne 0x20
            //   8b15????????    |
            //   a1????????      |
            //   01c2            | add edx, eax

        // Contains an unmasked absolute address (0x4658cc): sample-specific.
        $sequence_48 = { 50 c78520efffffcc584600 e8???????? 83c404 }
            // n = 4, score = 100
            //   50                    | push eax
            //   c78520efffffcc584600  | mov dword ptr [ebp - 0x10e0], 0x4658cc
            //   e8????????            |
            //   83c404                | add esp, 4

        $sequence_49 = { 8b55dc a1???????? 01c2 a1???????? 01d0 0505010000 }
            // n = 6, score = 100
            //   8b55dc        | mov edx, dword ptr [ebp - 0x24]
            //   a1????????    |
            //   01c2          | add edx, eax
            //   a1????????    |
            //   01d0          | add eax, edx
            //   0505010000    | add eax, 0x105

        // Contains an unmasked absolute address (0x42fe44): sample-specific.
        $sequence_50 = { 56 57 33ff ffb744fe4200 ff15???????? 898744fe4200 83c704 }
            // n = 7, score = 100
            //   56            | push esi
            //   57            | push edi
            //   33ff          | xor edi, edi
            //   ffb744fe4200  | push dword ptr [edi + 0x42fe44]
            //   ff15????????  |
            //   898744fe4200  | mov dword ptr [edi + 0x42fe44], eax
            //   83c704        | add edi, 4

        $sequence_51 = { c78324020000ffffffff c7832802000000000000 83c418 5b c3 }
            // n = 5, score = 100
            //   c78324020000ffffffff  | mov dword ptr [ebx + 0x224], 0xffffffff
            //   c7832802000000000000  | mov dword ptr [ebx + 0x228], 0
            //   83c418                | add esp, 0x18
            //   5b                    | pop ebx
            //   c3                    | ret

        $sequence_52 = { 85c0 0f84ce000000 66660f1f840000000000 8b95f8fdffff 85d2 0f84b6000000 }
            // n = 6, score = 100
            //   85c0                  | test eax, eax
            //   0f84ce000000          | je 0xd4
            //   66660f1f840000000000  | nop word ptr [eax + eax]
            //   8b95f8fdffff          | mov edx, dword ptr [ebp - 0x208]
            //   85d2                  | test edx, edx
            //   0f84b6000000          | je 0xbc

        // Contains an unmasked absolute address (0x42b468): sample-specific.
        $sequence_53 = { 8b4508 83f804 7709 8b048568b44200 5d c3 }
            // n = 6, score = 100
            //   8b4508          | mov eax, dword ptr [ebp + 8]
            //   83f804          | cmp eax, 4
            //   7709            | ja 0xb
            //   8b048568b44200  | mov eax, dword ptr [eax*4 + 0x42b468]
            //   5d              | pop ebp
            //   c3              | ret

        $sequence_54 = { ff15???????? b90180ffff 663bc1 75b6 8d8d90bcf0ff e8???????? 8bf0 }
            // n = 7, score = 100
            //   ff15????????  |
            //   b90180ffff    | mov ecx, 0xffff8001
            //   663bc1        | cmp ax, cx
            //   75b6          | jne 0xffffffb8
            //   8d8d90bcf0ff  | lea ecx, [ebp - 0xf4370]
            //   e8????????    |
            //   8bf0          | mov esi, eax

    condition:
        // Require several independent sequences; the filesize bound keeps
        // the opcode search from being run over arbitrarily large inputs.
        7 of them and filesize < 1097728
}
import "pe"

// String/imphash rule for win.yty (yty modular framework), authored by Proofpoint.
//
// The condition is a disjunction, so any ONE of the four clauses is a hit on its
// own. Practitioner notes on how much weight each clause carries:
//   * pe.imphash(): an import-hash match is family/toolchain-level evidence (any
//     binary with the same import table layout matches) and it is also trivial
//     for an adversary to change. NOTE(review): pe.imphash() is only available
//     when YARA is built with hashing (OpenSSL) support; confirm on the scanner.
//   * 1 of ($x*): note that "$x_c2" is matched by the "$x*" glob, so a bare
//     IPv4 string ("5.135.199.0") anywhere in a file is enough to trigger the
//     rule. That address is infrastructure tied to 2018-era samples and may be
//     stale or re-assigned; expect hits in threat-intel documents, blocklists
//     or network tooling that embed it as text.
//   * 3 of ($a*): family-specific identifiers (yty*, getGoogle, IsInSandbox).
//   * 6 of ($s*): the individual $s strings are generic (WMI hardware queries,
//     sandbox/debugger DLL names, "VM: Yes/No") and occur in legitimate
//     software and other families, which is why six of them are required.
rule win_yty_w0 {
    meta:
        author = "James E.C, ProofPoint"
        description = "Modular malware framework with similarities to EHDevel"
        hash = "1e0c1b97925e1ed90562d2c68971e038d8506b354dd6c1d2bcc252d2a48bc31c"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty"
        malpedia_version = "20180312"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // High-confidence: C2 URL paths and a hard-coded C2 address.
        $x1   = "/football/download2/" ascii wide
        $x2   = "/football/download/" ascii wide
        $x3   = "Caption: Xp>" wide
        $x_c2 = "5.135.199.0" ascii fullword

        // Family-specific names and artefacts.
        $a1 = "getGoogle" ascii fullword
        $a2 = "/q /noretstart" wide
        $a3 = "IsInSandbox" ascii fullword
        $a4 = "syssystemnew" ascii fullword
        $a5 = "ytyinfo" ascii fullword
        $a6 = "\\ytyboth\\yty " ascii

        // Low-confidence individually: host-fingerprinting WMI queries and
        // sandbox-evasion / helper artefacts.
        $s1  = "SELECT Name FROM Win32_Processor" wide
        $s2  = "SELECT Caption FROM Win32_OperatingSystem" wide
        $s3  = "SELECT SerialNumber FROM Win32_DiskDrive" wide
        $s4  = "VM: Yes" wide fullword
        $s5  = "VM: No" wide fullword
        $s6  = "helpdll.dll" ascii fullword
        $s7  = "boothelp.exe" ascii fullword
        $s8  = "SbieDll.dll" wide fullword
        $s9  = "dbghelp.dll" wide fullword
        $s10 = "YesNoMaybe" ascii fullword
        $s11 = "saveData" ascii fullword
        $s12 = "saveLogs" ascii fullword

    condition:
        pe.imphash() == "87775285899fa860b9963b11596a2ded"
        or 1 of ($x*)
        or 3 of ($a*)
        or 6 of ($s*)
}