【辞書】
◆Adhubllka (Malpedia)
https://malpedia.caad.fkie.fraunhofer.de/details/win.adhubllka
【ニュース】
◆The Week in Ransomware - October 16th 2020 - The weekend is upon us (BleepingComputer, 2020/10/16 19:13)
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-16th-2020-the-weekend-is-upon-us/
⇒ https://malware-log.hatenablog.com/entry/2020/10/16/000000_1
【ブログ】
◆TA547 Pivots from Ursnif Banking Trojan to Ransomware in Australian Campaign (Proofpoint, 2020/07/17)
https://www.proofpoint.com/us/blog/security-briefs/ta547-pivots-ursnif-banking-trojan-ransomware-australian-campaign
【関連情報】
◆TA547 (まとめ)
https://malware-log.hatenablog.com/entry/TA547
【関連まとめ記事】
◆ランサムウェア (まとめ)
https://malware-log.hatenablog.com/entry/Ransomware
【Yara Rule】
rule win_adhubllka_auto {
meta:
author = "Felix Bilstein - yara-signator at cocacoding dot com"
date = "2020-10-14"
version = "1"
description = "autogenerated rule brought to you by yara-signator"
tool = "yara-signator v0.5.0"
tool_config = "callsandjumps;datarefs;binvalue"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.adhubllka"
malpedia_rule_date = "20201014"
malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
malpedia_version = "20201014"
malpedia_license = "CC BY-SA 4.0"
malpedia_sharing = "TLP:WHITE"
/* DISCLAIMER
* The strings used in this rule have been automatically selected from the
* disassembly of memory dumps and unpacked files, using YARA-Signator.
* The code and documentation is published here:
* https://github.com/fxb-cocacoding/yara-signator
* As Malpedia is used as data source, please note that for a given
* number of families, only single samples are documented.
* This likely impacts the degree of generalization these rules will offer.
* Take the described generation method also into consideration when you
* apply the rules in your use cases and assign them confidence levels.
*/
strings:
$sequence_0 = { 660fd4d1 0f2805???????? 0f29a550ffffff 660fd4c1 0f28e2 0f29b5f0feffff 660f62e0 }
// n = 7, score = 400
// 660fd4d1 | paddq xmm2, xmm1
// 0f2805???????? |
// 0f29a550ffffff | movaps xmmword ptr [ebp - 0xb0], xmm4
// 660fd4c1 | paddq xmm0, xmm1
// 0f28e2 | movaps xmm4, xmm2
// 0f29b5f0feffff | movaps xmmword ptr [ebp - 0x110], xmm6
// 660f62e0 | punpckldq xmm4, xmm0
$sequence_1 = { 890e 8b4dac 2b4e08 894604 8b45b0 1b460c 894e08 }
// n = 7, score = 400
// 890e | mov dword ptr [esi], ecx
// 8b4dac | mov ecx, dword ptr [ebp - 0x54]
// 2b4e08 | sub ecx, dword ptr [esi + 8]
// 894604 | mov dword ptr [esi + 4], eax
// 8b45b0 | mov eax, dword ptr [ebp - 0x50]
// 1b460c | sbb eax, dword ptr [esi + 0xc]
// 894e08 | mov dword ptr [esi + 8], ecx
$sequence_2 = { 0f108568feffff 0f118578fdffff e8???????? 8d8d28feffff e8???????? 8d8d28feffff e8???????? }
// n = 7, score = 400
// 0f108568feffff | movups xmm0, xmmword ptr [ebp - 0x198]
// 0f118578fdffff | movups xmmword ptr [ebp - 0x288], xmm0
// e8???????? |
// 8d8d28feffff | lea ecx, [ebp - 0x1d8]
// e8???????? |
// 8d8d28feffff | lea ecx, [ebp - 0x1d8]
// e8???????? |
$sequence_3 = { 83c120 0fb617 46 8d42bf 83f819 7703 83c220 }
// n = 7, score = 400
// 83c120 | add ecx, 0x20
// 0fb617 | movzx edx, byte ptr [edi]
// 46 | inc esi
// 8d42bf | lea eax, [edx - 0x41]
// 83f819 | cmp eax, 0x19
// 7703 | ja 5
// 83c220 | add edx, 0x20
$sequence_4 = { 8b7df0 660ffe6580 660fefc8 8345f010 0f28d4 }
// n = 5, score = 400
// 8b7df0 | mov edi, dword ptr [ebp - 0x10]
// 660ffe6580 | paddd xmm4, xmmword ptr [ebp - 0x80]
// 660fefc8 | pxor xmm1, xmm0
// 8345f010 | add dword ptr [ebp - 0x10], 0x10
// 0f28d4 | movaps xmm2, xmm4
$sequence_5 = { 8bb5a0fdffff 8d85a4fdffff 50 ffb58cfdffff ff15???????? }
// n = 5, score = 400
// 8bb5a0fdffff | mov esi, dword ptr [ebp - 0x260]
// 8d85a4fdffff | lea eax, [ebp - 0x25c]
// 50 | push eax
// ffb58cfdffff | push dword ptr [ebp - 0x274]
// ff15???????? |
$sequence_6 = { 894818 89701c 0fb6470f 99 8bc8 8bf2 0fb6470e }
// n = 7, score = 400
// 894818 | mov dword ptr [eax + 0x18], ecx
// 89701c | mov dword ptr [eax + 0x1c], esi
// 0fb6470f | movzx eax, byte ptr [edi + 0xf]
// 99 | cdq
// 8bc8 | mov ecx, eax
// 8bf2 | mov esi, edx
// 0fb6470e | movzx eax, byte ptr [edi + 0xe]
$sequence_7 = { 0f104590 0f1185f0feffff 0f1045a0 0f118500ffffff 0f1f00 }
// n = 5, score = 400
// 0f104590 | movups xmm0, xmmword ptr [ebp - 0x70]
// 0f1185f0feffff | movups xmmword ptr [ebp - 0x110], xmm0
// 0f1045a0 | movups xmm0, xmmword ptr [ebp - 0x60]
// 0f118500ffffff | movups xmmword ptr [ebp - 0x100], xmm0
// 0f1f00 | nop dword ptr [eax]
$sequence_8 = { 660fefd3 660fefc8 0f110c01 0f11540110 0f104c1020 0f105c1030 0f104620 }
// n = 7, score = 400
// 660fefd3 | pxor xmm2, xmm3
// 660fefc8 | pxor xmm1, xmm0
// 0f110c01 | movups xmmword ptr [ecx + eax], xmm1
// 0f11540110 | movups xmmword ptr [ecx + eax + 0x10], xmm2
// 0f104c1020 | movups xmm1, xmmword ptr [eax + edx + 0x20]
// 0f105c1030 | movups xmm3, xmmword ptr [eax + edx + 0x30]
// 0f104620 | movups xmm0, xmmword ptr [esi + 0x20]
$sequence_9 = { 83e805 7415 83e801 0f8595010000 c745e4e8724100 e9???????? }
// n = 6, score = 400
// 83e805 | sub eax, 5
// 7415 | je 0x17
// 83e801 | sub eax, 1
// 0f8595010000 | jne 0x19b
// c745e4e8724100 | mov dword ptr [ebp - 0x1c], 0x4172e8
// e9???????? |
condition:
7 of them and filesize < 253952
}出典: https://malpedia.caad.fkie.fraunhofer.de/details/win.adhubllka
