SYMBOLCOMMON_NAMEaka. SYNONYMS
win.zeus_sphinx (Back to overview)

Zeus Sphinx


This family describes the vanilla Zeus-variant that includes TOR (and Polipo proxy). It has an almost 90% overlap with Zeus v2.0.8.9.
Please note that IBM X-Force decided to call win.zloader/win.zeus_openssl "Zeus Sphinx", after mentioning it as "a new version of Zeus Sphinx" in their initial post in August 2016. Malpedia thus lists the alias "Zeus XSphinx" for win.zeus_openssl - the X to refer to IBM X-Force.

Zeus Sphinx on the one hand has the following versioning ("slow increase")
- 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)
- 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)
- 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)

Zeus OpenSSL on the other hand has the following versioning ("fast increase")
- 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)
- 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)
- 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)

References
2015-08-26Security AffairsPierluigi Paganini
@online{paganini:20150826:sphinx:dfbcee8, author = {Pierluigi Paganini}, title = {{Sphinx, a new variant of Zeus available for sale in the underground}}, date = {2015-08-26}, organization = {Security Affairs}, url = {https://securityaffairs.co/wordpress/39592/cyber-crime/sphinx-variant-zeus-trojan.html}, language = {English}, urldate = {2020-01-08} } Sphinx, a new variant of Zeus available for sale in the underground
Zeus Sphinx
2015-08-24DarkMattersBev Robb
@online{robb:20150824:sphinx:314a7b9, author = {Bev Robb}, title = {{Sphinx: New Zeus Variant for Sale on the Black Market}}, date = {2015-08-24}, organization = {DarkMatters}, url = {https://web.archive.org/web/20160130165709/http://darkmatters.norsecorp.com/2015/08/24/sphinx-new-zeus-variant-for-sale-on-the-black-market/}, language = {English}, urldate = {2020-01-13} } Sphinx: New Zeus Variant for Sale on the Black Market
Zeus Sphinx
Yara Rules
[TLP:WHITE] win_zeus_sphinx_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_zeus_sphinx_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_sphinx"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 89ce 8b5108 8b4904 837e2c01 }
            // n = 4, score = 400
            //   89ce                 | mov                 esi, ecx
            //   8b5108               | mov                 edx, dword ptr [ecx + 8]
            //   8b4904               | mov                 ecx, dword ptr [ecx + 4]
            //   837e2c01             | cmp                 dword ptr [esi + 0x2c], 1

        $sequence_1 = { 56 e8???????? 83c410 85db 7537 50 }
            // n = 6, score = 400
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   85db                 | test                ebx, ebx
            //   7537                 | jne                 0x39
            //   50                   | push                eax

        $sequence_2 = { 8915???????? 2b4a04 b801000000 c1e90c d3e0 0902 }
            // n = 6, score = 400
            //   8915????????         |                     
            //   2b4a04               | sub                 ecx, dword ptr [edx + 4]
            //   b801000000           | mov                 eax, 1
            //   c1e90c               | shr                 ecx, 0xc
            //   d3e0                 | shl                 eax, cl
            //   0902                 | or                  dword ptr [edx], eax

        $sequence_3 = { 83c410 85c0 0f840d030000 894598 51 }
            // n = 5, score = 400
            //   83c410               | add                 esp, 0x10
            //   85c0                 | test                eax, eax
            //   0f840d030000         | je                  0x313
            //   894598               | mov                 dword ptr [ebp - 0x68], eax
            //   51                   | push                ecx

        $sequence_4 = { 83c420 eb65 66837e1a00 740c 83ec0c 57 e8???????? }
            // n = 7, score = 400
            //   83c420               | add                 esp, 0x20
            //   eb65                 | jmp                 0x67
            //   66837e1a00           | cmp                 word ptr [esi + 0x1a], 0
            //   740c                 | je                  0xe
            //   83ec0c               | sub                 esp, 0xc
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_5 = { 50 50 6a01 ff7308 e8???????? }
            // n = 5, score = 400
            //   50                   | push                eax
            //   50                   | push                eax
            //   6a01                 | push                1
            //   ff7308               | push                dword ptr [ebx + 8]
            //   e8????????           |                     

        $sequence_6 = { 39d0 751d 8b415c 85c0 7407 c7405c00000000 }
            // n = 6, score = 400
            //   39d0                 | cmp                 eax, edx
            //   751d                 | jne                 0x1f
            //   8b415c               | mov                 eax, dword ptr [ecx + 0x5c]
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   c7405c00000000       | mov                 dword ptr [eax + 0x5c], 0

        $sequence_7 = { 833d????????00 7553 83ec0c 6a00 6a00 68???????? 6a01 }
            // n = 7, score = 400
            //   833d????????00       |                     
            //   7553                 | jne                 0x55
            //   83ec0c               | sub                 esp, 0xc
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68????????           |                     
            //   6a01                 | push                1

        $sequence_8 = { bf80351954 fece 8b1424 b623 b551 f7d2 e9???????? }
            // n = 7, score = 100
            //   bf80351954           | mov                 edi, 0x54193580
            //   fece                 | dec                 dh
            //   8b1424               | mov                 edx, dword ptr [esp]
            //   b623                 | mov                 dh, 0x23
            //   b551                 | mov                 ch, 0x51
            //   f7d2                 | not                 edx
            //   e9????????           |                     

        $sequence_9 = { 368d28 c0ea75 f7d5 f7d5 f6d2 85f6 }
            // n = 6, score = 100
            //   368d28               | lea                 ebp, ss:[eax]
            //   c0ea75               | shr                 dl, 0x75
            //   f7d5                 | not                 ebp
            //   f7d5                 | not                 ebp
            //   f6d2                 | not                 dl
            //   85f6                 | test                esi, esi

        $sequence_10 = { e9???????? c0e9f6 c0ea73 f6d1 f7d6 c0e2e9 }
            // n = 6, score = 100
            //   e9????????           |                     
            //   c0e9f6               | shr                 cl, 0xf6
            //   c0ea73               | shr                 dl, 0x73
            //   f6d1                 | not                 cl
            //   f7d6                 | not                 esi
            //   c0e2e9               | shl                 dl, 0xe9

        $sequence_11 = { 8b1424 b2c9 b1fa 368d38 85c0 }
            // n = 5, score = 100
            //   8b1424               | mov                 edx, dword ptr [esp]
            //   b2c9                 | mov                 dl, 0xc9
            //   b1fa                 | mov                 cl, 0xfa
            //   368d38               | lea                 edi, ss:[eax]
            //   85c0                 | test                eax, eax

        $sequence_12 = { f6d3 f8 0f31 f7db }
            // n = 4, score = 100
            //   f6d3                 | not                 bl
            //   f8                   | clc                 
            //   0f31                 | rdtsc               
            //   f7db                 | neg                 ebx

        $sequence_13 = { 8b2c24 85d2 85c0 fc b50d f6d2 8b3c24 }
            // n = 7, score = 100
            //   8b2c24               | mov                 ebp, dword ptr [esp]
            //   85d2                 | test                edx, edx
            //   85c0                 | test                eax, eax
            //   fc                   | cld                 
            //   b50d                 | mov                 ch, 0xd
            //   f6d2                 | not                 dl
            //   8b3c24               | mov                 edi, dword ptr [esp]

        $sequence_14 = { fd f8 f7d0 c0e3b1 4d f7d3 }
            // n = 6, score = 100
            //   fd                   | std                 
            //   f8                   | clc                 
            //   f7d0                 | not                 eax
            //   c0e3b1               | shl                 bl, 0xb1
            //   4d                   | dec                 ebp
            //   f7d3                 | not                 ebx

        $sequence_15 = { 368d08 b9008b212e 368d08 c0e2c8 fd }
            // n = 5, score = 100
            //   368d08               | lea                 ecx, ss:[eax]
            //   b9008b212e           | mov                 ecx, 0x2e218b00
            //   368d08               | lea                 ecx, ss:[eax]
            //   c0e2c8               | shl                 dl, 0xc8
            //   fd                   | std                 

    condition:
        7 of them and filesize < 3268608
}
Download all Yara Rules