SYMBOLCOMMON_NAMEaka. SYNONYMS
win.zitmo (Back to overview)

ZitMo

aka: ZeuS-in-the-Mobile

There is no description at this point.

References
2021-05-14MOBISECYanick Fratantonio
@online{fratantonio:20210514:slides:116b0b3, author = {Yanick Fratantonio}, title = {{Slides & Recordings for Mobile security trainings}}, date = {2021-05-14}, organization = {MOBISEC}, url = {https://mobisec.reyammer.io/slides}, language = {English}, urldate = {2021-05-25} } Slides & Recordings for Mobile security trainings
FlexiSpy ZitMo
2011-10-06Kaspersky LabsDenis Maslennikov
@online{maslennikov:20111006:zeusinthemobile:ea34d2e, author = {Denis Maslennikov}, title = {{ZeuS-in-the-Mobile – Facts and Theories}}, date = {2011-10-06}, organization = {Kaspersky Labs}, url = {https://securelist.com/zeus-in-the-mobile-facts-and-theories/36424/}, language = {English}, urldate = {2020-02-04} } ZeuS-in-the-Mobile – Facts and Theories
ZitMo
Yara Rules
[TLP:WHITE] win_zitmo_auto (20230125 | Detects win.zitmo.)
rule win_zitmo_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.zitmo."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zitmo"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 03d7 8bde f7de ffb544feffff 53 e8???????? c9 }
            // n = 7, score = 200
            //   03d7                 | add                 edx, edi
            //   8bde                 | mov                 ebx, esi
            //   f7de                 | neg                 esi
            //   ffb544feffff         | push                dword ptr [ebp - 0x1bc]
            //   53                   | push                ebx
            //   e8????????           |                     
            //   c9                   | leave               

        $sequence_1 = { 55 8bec 81c47cffffff 317588 f7d7 f7df }
            // n = 6, score = 200
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81c47cffffff         | add                 esp, 0xffffff7c
            //   317588               | xor                 dword ptr [ebp - 0x78], esi
            //   f7d7                 | not                 edi
            //   f7df                 | neg                 edi

        $sequence_2 = { 23d0 f7d9 8bd6 23d8 }
            // n = 4, score = 200
            //   23d0                 | and                 edx, eax
            //   f7d9                 | neg                 ecx
            //   8bd6                 | mov                 edx, esi
            //   23d8                 | and                 ebx, eax

        $sequence_3 = { c20400 55 8bec 81c410ffffff }
            // n = 4, score = 200
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81c410ffffff         | add                 esp, 0xffffff10

        $sequence_4 = { 55 8bec 81c45cffffff 23cb 8bd6 f7d2 }
            // n = 6, score = 200
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81c45cffffff         | add                 esp, 0xffffff5c
            //   23cb                 | and                 ecx, ebx
            //   8bd6                 | mov                 edx, esi
            //   f7d2                 | not                 edx

        $sequence_5 = { 314dd8 f7d9 48 f7d2 03c1 ffb504ffffff }
            // n = 6, score = 200
            //   314dd8               | xor                 dword ptr [ebp - 0x28], ecx
            //   f7d9                 | neg                 ecx
            //   48                   | dec                 eax
            //   f7d2                 | not                 edx
            //   03c1                 | add                 eax, ecx
            //   ffb504ffffff         | push                dword ptr [ebp - 0xfc]

        $sequence_6 = { 4a f7d9 23c6 8bcb 46 }
            // n = 5, score = 200
            //   4a                   | dec                 edx
            //   f7d9                 | neg                 ecx
            //   23c6                 | and                 eax, esi
            //   8bcb                 | mov                 ecx, ebx
            //   46                   | inc                 esi

        $sequence_7 = { 4f e8???????? 8bca 03f7 e8???????? 23d7 }
            // n = 6, score = 200
            //   4f                   | dec                 edi
            //   e8????????           |                     
            //   8bca                 | mov                 ecx, edx
            //   03f7                 | add                 esi, edi
            //   e8????????           |                     
            //   23d7                 | and                 edx, edi

        $sequence_8 = { 81856cffffff36360000 03df f7d1 8bf8 }
            // n = 4, score = 200
            //   81856cffffff36360000     | add    dword ptr [ebp - 0x94], 0x3636
            //   03df                 | add                 ebx, edi
            //   f7d1                 | not                 ecx
            //   8bf8                 | mov                 edi, eax

        $sequence_9 = { 6a36 6a36 51 ffb550feffff 6834340000 57 8d4d88 }
            // n = 7, score = 200
            //   6a36                 | push                0x36
            //   6a36                 | push                0x36
            //   51                   | push                ecx
            //   ffb550feffff         | push                dword ptr [ebp - 0x1b0]
            //   6834340000           | push                0x3434
            //   57                   | push                edi
            //   8d4d88               | lea                 ecx, [ebp - 0x78]

    condition:
        7 of them and filesize < 843776
}
Download all Yara Rules