Emdivi malware is being executed through a self-extracting archive, leveraging SFX techniques to evade basic detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that use SFX archives as a delivery mechanism.
YARA Rule
rule Emdivi_SFX
{
    meta:
        description = "Detects Emdivi malware in SFX Archive"
        author = "Florian Roth @Cyber0ps"
        reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
        date = "2015-08-20"
        score = 70
        hash1 = "7a3c81b2b3c14b9cd913692347019887b607c54152b348d6d3ccd3ecfd406196"
        hash2 = "8c3df4e4549db3ce57fc1f7b1b2dfeedb7ba079f654861ca0b608cbfa1df0f6b"
    strings:
        $x1 = "Setup=unsecess.exe" fullword ascii
        $x2 = "Setup=leassnp.exe" fullword ascii
        $s1 = "&Enter password for the encrypted file:" fullword wide
        $s2 = ";The comment below contains SFX script commands" fullword ascii
        $s3 = "Path=%temp%" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 740KB and (1 of ($x*) and all of ($s*))
}
This rule contains 5 string patterns in its detection logic. The scenarios below describe legitimate uses of SFX archives that can trigger it, each with a suggested filter or exclusion:
Scenario: A system administrator is using 7-Zip to extract a legitimate SFX archive containing a software update.
Filter/Exclusion: Check for process.name containing “7-Zip” or “7z” and ensure the file path is within a known software update directory (e.g., C:\SoftwareUpdates\).
Scenario: A Windows Task Scheduler job is configured to run a legitimate SFX archive as part of a routine maintenance task.
Filter/Exclusion: Filter by process.parent_process matching schtasks.exe and verify the file path is within a known system maintenance directory (e.g., C:\ScheduledTasks\).
Scenario: An IT admin is using PowerShell to deploy a script that includes an SFX archive as part of a deployment package.
Filter/Exclusion: Check for process.name containing “powershell.exe” and ensure the file path is within a known deployment directory (e.g., C:\DeploymentPackages\).
Scenario: A Windows Update installation process includes an SFX archive as part of the update package.
Filter/Exclusion: Filter by process.parent_process matching “wuauclt.exe” or “svchost.exe” and check the file path against known Windows update directories (e.g., C:\Windows\SoftwareDistribution\).
Scenario: A backup tool like Veeam or Acronis includes an SFX archive as part of its backup or restore process.
Filter/Exclusion: Check for process.name containing “Veeam” or “Acronis” and ensure the file path is within a known backup directory (e.g., C:\Backup\ or D:\Backup\).
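As an added example (not part of the original page), the five filters above expressed as one allowlist check in Python, assuming each alert carries the process name, parent process and file path fields the notes refer to. The path check normalizes case and collapses `..` so that an archive placed outside the allowed directory cannot satisfy the exclusion.

```python
import ntpath
from dataclasses import dataclass


@dataclass
class SfxAlert:
    """Constructed alert shape; field names mirror the process.name,
    process.parent_process and file path attributes used in the notes."""
    process_name: str
    parent_process: str
    file_path: str


# Allowlist derived from the five scenarios above. Every entry requires the
# path check; process or parent evidence alone is not sufficient (svchost.exe
# in particular is a common parent of many unrelated processes).
EXCLUSIONS = [
    {"process": ("7-zip", "7z"), "parent": (), "dirs": (r"C:\SoftwareUpdates",)},
    {"process": (), "parent": ("schtasks.exe",), "dirs": (r"C:\ScheduledTasks",)},
    {"process": ("powershell.exe",), "parent": (), "dirs": (r"C:\DeploymentPackages",)},
    {"process": (), "parent": ("wuauclt.exe", "svchost.exe"),
     "dirs": (r"C:\Windows\SoftwareDistribution",)},
    {"process": ("veeam", "acronis"), "parent": (), "dirs": (r"C:\Backup", r"D:\Backup")},
]


def _under_dir(path: str, directory: str) -> bool:
    """True if path resolves strictly inside directory (case-insensitive,
    '..' segments collapsed) so traversal out of the allowed tree fails."""
    p = ntpath.normcase(ntpath.normpath(path))
    d = ntpath.normcase(ntpath.normpath(directory))
    return p.startswith(d + ntpath.sep)


def is_excluded(alert: SfxAlert) -> bool:
    """Return True when the alert matches one of the benign SFX scenarios."""
    name = alert.process_name.lower()
    parent = ntpath.basename(alert.parent_process.lower())
    for rule in EXCLUSIONS:
        proc_ok = any(tok in name for tok in rule["process"]) if rule["process"] else True
        parent_ok = parent in rule["parent"] if rule["parent"] else True
        path_ok = any(_under_dir(alert.file_path, d) for d in rule["dirs"])
        if proc_ok and parent_ok and path_ok:
            return True
    return False
```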