win.zitmo (Back to overview)

ZitMo

aka: ZeuS-in-the-Mobile

There is no description at this point.

References
2011-10-06 — Kaspersky Labs — Denis Maslennikov
@online{maslennikov:20111006:zeusinthemobile:ea34d2e, author = {Denis Maslennikov}, title = {{ZeuS-in-the-Mobile – Facts and Theories}}, date = {2011-10-06}, organization = {Kaspersky Labs}, url = {https://securelist.com/zeus-in-the-mobile-facts-and-theories/36424/}, language = {English}, urldate = {2020-02-04} } ZeuS-in-the-Mobile – Facts and Theories
ZitMo
Yara Rules
[TLP:WHITE] win_zitmo_auto (20201023 | autogenerated rule brought to you by yara-signator)
/*
 * win_zitmo_auto — auto-generated code-pattern rule for the Malpedia family win.zitmo.
 *
 * The rule anchors on ten short x86 (32-bit, ebp-framed) instruction sequences
 * extracted by YARA-Signator and fires when at least 7 of the 10 appear in a
 * file smaller than 843776 bytes (~824 KiB). Because the sequences come from the
 * disassembly of a small number of samples (see DISCLAIMER below), treat a hit as
 * a family-level hint that warrants manual confirmation, not as a verdict.
 *
 * NOTE(review): the only reference on this page (Maslennikov 2011) describes the
 * mobile ZeuS-in-the-Mobile component, while these sequences are clearly x86 PE
 * code; confirm which component the Malpedia sample set behind this rule holds.
 */
rule win_zitmo_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zitmo"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of raw opcode bytes; "n" is the number of
        // instructions in the run and "score" is the generator's weight.
        // Several of the 32-bit immediates below are little-endian ASCII digit
        // strings written to the stack frame (e.g. 0x373531 = "157",
        // 0x31343731 = "1741", 0x3236 = "62", 0x3833 = "83", 0x363134 = "416",
        // 0x343733 = "374"); the code being matched presumably builds numeric
        // strings on the stack — TODO confirm against a sample. A rebuild of the
        // binary that changes those constants would defeat these anchors.
        $sequence_0 = { c745d831353700 47 4f f7d6 83658834 ffb5fcfeffff ffb594feffff }
            // n = 7, score = 200
            //   c745d831353700       | mov                 dword ptr [ebp - 0x28], 0x373531
            //   47                   | inc                 edi
            //   4f                   | dec                 edi
            //   f7d6                 | not                 esi
            //   83658834             | and                 dword ptr [ebp - 0x78], 0x34
            //   ffb5fcfeffff         | push                dword ptr [ebp - 0x104]
            //   ffb594feffff         | push                dword ptr [ebp - 0x16c]

        $sequence_1 = { 838d7cffffff37 c78570ffffff31373431 097dd0 6834313600 8d9538feffff 52 8d9584feffff }
            // n = 7, score = 200
            //   838d7cffffff37       | or                  dword ptr [ebp - 0x84], 0x37
            //   c78570ffffff31373431     | mov    dword ptr [ebp - 0x90], 0x31343731
            //   097dd0               | or                  dword ptr [ebp - 0x30], edi
            //   6834313600           | push                0x363134
            //   8d9538feffff         | lea                 edx, [ebp - 0x1c8]
            //   52                   | push                edx
            //   8d9584feffff         | lea                 edx, [ebp - 0x17c]

        $sequence_2 = { 23f8 81659436320000 8175cc33380000 8bd7 }
            // n = 4, score = 200
            //   23f8                 | and                 edi, eax
            //   81659436320000       | and                 dword ptr [ebp - 0x6c], 0x3236
            //   8175cc33380000       | xor                 dword ptr [ebp - 0x34], 0x3833
            //   8bd7                 | mov                 edx, edi

        $sequence_3 = { c7458400000000 31b560ffffff 8d8d28feffff 51 6833373400 }
            // n = 5, score = 200
            //   c7458400000000       | mov                 dword ptr [ebp - 0x7c], 0
            //   31b560ffffff         | xor                 dword ptr [ebp - 0xa0], esi
            //   8d8d28feffff         | lea                 ecx, [ebp - 0x1d8]
            //   51                   | push                ecx
            //   6833373400           | push                0x343733

        // "e8????????" wildcards the 4-byte rel32 displacement of a near call, so
        // the match survives the target being relocated or placed differently
        // between builds; only the opcode byte e8 is fixed.
        $sequence_4 = { 6873130100 6831350000 57 e8???????? 83ec04 c7042400000000 50 }
            // n = 7, score = 200
            //   6873130100           | push                0x11373
            //   6831350000           | push                0x3531
            //   57                   | push                edi
            //   e8????????           |                     call (rel32 displacement wildcarded)
            //   83ec04               | sub                 esp, 4
            //   c7042400000000       | mov                 dword ptr [esp], 0
            //   50                   | push                eax

        $sequence_5 = { 8bde ff4dcc 53 ffb550ffffff ff75f8 }
            // n = 5, score = 200
            //   8bde                 | mov                 ebx, esi
            //   ff4dcc               | dec                 dword ptr [ebp - 0x34]
            //   53                   | push                ebx
            //   ffb550ffffff         | push                dword ptr [ebp - 0xb0]
            //   ff75f8               | push                dword ptr [ebp - 8]

        $sequence_6 = { 43 68ba641fc7 e8???????? 23c7 }
            // n = 4, score = 200
            //   43                   | inc                 ebx
            //   68ba641fc7           | push                0xc71f64ba
            //   e8????????           |                     call (rel32 displacement wildcarded)
            //   23c7                 | and                 eax, edi

        // $sequence_7 and $sequence_9 both end in "leave; ret 0xc", i.e. a stdcall
        // epilogue of a function taking three dword arguments; these are function
        // tails rather than distinctive logic, so on their own they are weak.
        $sequence_7 = { 8bec 81c404ffffff f7d8 8bf1 ff8520ffffff c9 c20c00 }
            // n = 7, score = 200
            //   8bec                 | mov                 ebp, esp
            //   81c404ffffff         | add                 esp, 0xffffff04
            //   f7d8                 | neg                 eax
            //   8bf1                 | mov                 esi, ecx
            //   ff8520ffffff         | inc                 dword ptr [ebp - 0xe0]
            //   c9                   | leave               
            //   c20c00               | ret                 0xc

        // Register-only arithmetic with no immediates or memory operands; the
        // shortest and least specific anchor in the set.
        $sequence_8 = { 42 4e f7df 03d7 48 40 }
            // n = 6, score = 200
            //   42                   | inc                 edx
            //   4e                   | dec                 esi
            //   f7df                 | neg                 edi
            //   03d7                 | add                 edx, edi
            //   48                   | dec                 eax
            //   40                   | inc                 eax

        $sequence_9 = { 81c454ffffff 43 0955e8 895db0 c9 c20c00 }
            // n = 6, score = 200
            //   81c454ffffff         | add                 esp, 0xffffff54
            //   43                   | inc                 ebx
            //   0955e8               | or                  dword ptr [ebp - 0x18], edx
            //   895db0               | mov                 dword ptr [ebp - 0x50], ebx
            //   c9                   | leave               
            //   c20c00               | ret                 0xc

    condition:
        // At least 7 of the 10 sequences must be present, so up to three anchors
        // may be missing (e.g. patched or recompiled code) without losing the hit.
        // The size cap (843776 bytes) keeps the rule off large containers and
        // bundles.
        // NOTE(review): "filesize" is only meaningful when scanning a file; when
        // this rule is applied to live process memory the size clause may not
        // evaluate as intended — confirm behaviour for that use case before
        // relying on it there.
        7 of them and filesize < 843776
}