win.zeus_sphinx

Zeus Sphinx


This family describes the vanilla Zeus variant that includes Tor (and a Polipo proxy). It has an almost 90% code overlap with Zeus v2.0.8.9.
Please note that IBM X-Force decided to call win.zloader/win.zeus_openssl "Zeus Sphinx", after describing it as "a new version of Zeus Sphinx" in their initial post in August 2016. Malpedia therefore lists the alias "Zeus XSphinx" for win.zeus_openssl, the X referring to IBM X-Force.

Zeus Sphinx, on the one hand, has the following versioning ("slow increase"):
- 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)
- 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)
- 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)

Zeus OpenSSL, on the other hand, has the following versioning ("fast increase"):
- 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)
- 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)
- 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)

References
2015-08-26 | Security Affairs | Pierluigi Paganini
@online{paganini:20150826:sphinx:dfbcee8, author = {Pierluigi Paganini}, title = {{Sphinx, a new variant of Zeus available for sale in the underground}}, date = {2015-08-26}, organization = {Security Affairs}, url = {https://securityaffairs.co/wordpress/39592/cyber-crime/sphinx-variant-zeus-trojan.html}, language = {English}, urldate = {2020-01-08} } Sphinx, a new variant of Zeus available for sale in the underground
Zeus Sphinx
2015-08-24 | DarkMatters | Bev Robb
@online{robb:20150824:sphinx:314a7b9, author = {Bev Robb}, title = {{Sphinx: New Zeus Variant for Sale on the Black Market}}, date = {2015-08-24}, organization = {DarkMatters}, url = {https://web.archive.org/web/20160130165709/http://darkmatters.norsecorp.com/2015/08/24/sphinx-new-zeus-variant-for-sale-on-the-black-market/}, language = {English}, urldate = {2020-01-13} } Sphinx: New Zeus Variant for Sale on the Black Market
Zeus Sphinx
Yara Rules
[TLP:WHITE] win_zeus_sphinx_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_zeus_sphinx_auto {

    // Autogenerated code-sequence signature for win.zeus_sphinx (Malpedia).
    // Ten hex strings ($sequence_0 .. $sequence_9), each covering a run of
    // seven x86 instructions taken from unpacked/memory-dumped samples; the
    // rule fires when at least seven of the ten sequences are present.
    // Because the sequences come from unpacked code, this rule is intended
    // for memory dumps and unpacked binaries and is unlikely to hit packed
    // on-disk droppers.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // date: when the rule was generated; malpedia_version presumably
        // names the Malpedia corpus snapshot the samples were taken from.
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_sphinx"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each string is raw opcode bytes; the comment block beneath lists the
        // instruction each byte group encodes. "??" is a YARA wildcard byte:
        // the generator masked operands that vary between builds (e.g. the
        // rel32 of a call or an absolute data address), which is why the
        // disassembly column is blank for those entries. "n" is the number of
        // instructions in the sequence; "score" is a generator-internal value.
        $sequence_0 = { 837b1000 790d 8b430c 2b4314 39c8 7503 894310 }
            // n = 7, score = 300
            //   837b1000             | cmp                 dword ptr [ebx + 0x10], 0
            //   790d                 | jns                 0xf
            //   8b430c               | mov                 eax, dword ptr [ebx + 0xc]
            //   2b4314               | sub                 eax, dword ptr [ebx + 0x14]
            //   39c8                 | cmp                 eax, ecx
            //   7503                 | jne                 5
            //   894310               | mov                 dword ptr [ebx + 0x10], eax

        $sequence_1 = { 09c2 0fb6448b19 c1e008 09c2 89548db4 41 83f910 }
            // n = 7, score = 300
            //   09c2                 | or                  edx, eax
            //   0fb6448b19           | movzx               eax, byte ptr [ebx + ecx*4 + 0x19]
            //   c1e008               | shl                 eax, 8
            //   09c2                 | or                  edx, eax
            //   89548db4             | mov                 dword ptr [ebp + ecx*4 - 0x4c], edx
            //   41                   | inc                 ecx
            //   83f910               | cmp                 ecx, 0x10

        $sequence_2 = { 8b4df0 89b528ffffff 234dd8 89fe 21de 09f1 8bb528ffffff }
            // n = 7, score = 300
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   89b528ffffff         | mov                 dword ptr [ebp - 0xd8], esi
            //   234dd8               | and                 ecx, dword ptr [ebp - 0x28]
            //   89fe                 | mov                 esi, edi
            //   21de                 | and                 esi, ebx
            //   09f1                 | or                  ecx, esi
            //   8bb528ffffff         | mov                 esi, dword ptr [ebp - 0xd8]

        // NOTE(review): $sequence_3 and $sequence_9 embed absolute immediates
        // (0x4288f1, 0x42a95c) that are not wildcarded; these are tied to the
        // image base / layout of the sampled build and may not generalize.
        $sequence_3 = { 7555 eb5a b8f1884200 81fa2e010000 746e 7f59 eb50 }
            // n = 7, score = 300
            //   7555                 | jne                 0x57
            //   eb5a                 | jmp                 0x5c
            //   b8f1884200           | mov                 eax, 0x4288f1
            //   81fa2e010000         | cmp                 edx, 0x12e
            //   746e                 | je                  0x70
            //   7f59                 | jg                  0x5b
            //   eb50                 | jmp                 0x52

        $sequence_4 = { 83ec0c 53 e8???????? a1???????? 894724 a1???????? 894728 }
            // n = 7, score = 300
            //   83ec0c               | sub                 esp, 0xc
            //   53                   | push                ebx
            //   e8????????           |                     
            //   a1????????           |                     
            //   894724               | mov                 dword ptr [edi + 0x24], eax
            //   a1????????           |                     
            //   894728               | mov                 dword ptr [edi + 0x28], eax

        $sequence_5 = { 83c40c ff35???????? 68bb010000 68bb010000 e8???????? 83c40c ff35???????? }
            // n = 7, score = 300
            //   83c40c               | add                 esp, 0xc
            //   ff35????????         |                     
            //   68bb010000           | push                0x1bb
            //   68bb010000           | push                0x1bb
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   ff35????????         |                     

        $sequence_6 = { 740e 50 52 ff750c 51 e8???????? 83c410 }
            // n = 7, score = 300
            //   740e                 | je                  0x10
            //   50                   | push                eax
            //   52                   | push                edx
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10

        $sequence_7 = { 89c6 a1???????? 83f802 7470 85c0 7514 eb20 }
            // n = 7, score = 300
            //   89c6                 | mov                 esi, eax
            //   a1????????           |                     
            //   83f802               | cmp                 eax, 2
            //   7470                 | je                  0x72
            //   85c0                 | test                eax, eax
            //   7514                 | jne                 0x16
            //   eb20                 | jmp                 0x22

        $sequence_8 = { ff7308 e8???????? 83c410 85c0 7923 e8???????? 56 }
            // n = 7, score = 300
            //   ff7308               | push                dword ptr [ebx + 8]
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   85c0                 | test                eax, eax
            //   7923                 | jns                 0x25
            //   e8????????           |                     
            //   56                   | push                esi

        $sequence_9 = { 51 685ca94200 8b45e0 f7d8 50 e8???????? 50 }
            // n = 7, score = 300
            //   51                   | push                ecx
            //   685ca94200           | push                0x42a95c
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   f7d8                 | neg                 eax
            //   50                   | push                eax
            //   e8????????           |                     
            //   50                   | push                eax

    condition:
        // Match threshold: at least 7 of the 10 $sequence_* strings must be
        // found anywhere in the scanned data. No file-size or PE-header
        // constraint is applied, so the rule is usable on raw memory dumps.
        7 of them
}