The FlyUtils.CnDES Encrypt ECB function may indicate the use of a custom encryption routine potentially used for data exfiltration or obfuscation. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data manipulation or stealthy communication activities.
YARA Rule
rule FlyUtilsCnDES_ECB_Encrypt {
    meta:
        author = "_pusher_"
        description = "Look for FlyUtils.CnDES Encrypt ECB function"
        date = "2016-07"
    strings:
        $c0 = { 55 8B EC 83 C4 E8 53 56 57 33 DB 89 5D E8 89 5D EC 8B D9 89 55 F8 89 45 FC 8B 7D 08 8B 75 20 8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 80 7D 18 00 74 1A 0F B6 55 18 8D 4D EC 8B 45 F8 E8 ?? ?? ?? ?? 8B 55 EC 8D 45 F8 E8 ?? ?? ?? ?? 80 7D 1C 00 74 1A 0F B6 55 1C 8D 4D E8 8B 45 FC E8 ?? ?? ?? ?? 8B 55 E8 8D 45 FC E8 ?? ?? ?? ?? 85 DB 75 07 E8 ?? ?? ?? ?? 8B D8 85 F6 75 07 E8 ?? ?? ?? ?? 8B F0 53 6A 00 8B 4D FC B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F4 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 6A 00 6A 00 8B 45 F4 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 6A 00 33 C9 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F0 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 6A 00 6A 00 56 }
    condition:
        $c0
}
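To show how the $c0 hex string above actually matches, here is an added Python example (not part of the original page and not YARA itself) that compiles a YARA-style hex string with ?? wildcards into a byte regex and scans a buffer for it; the sample buffers are constructed from the pattern itself, with different filler bytes in the wildcard positions.

```python
import re

# $c0 from the FlyUtilsCnDES_ECB_Encrypt rule on this page. "??" is YARA's
# single-byte wildcard; here it masks the 4-byte operands of call (E8),
# push (68) and mov eax,[addr] (A1) instructions, which change between builds.
C0_HEX = (
    "55 8B EC 83 C4 E8 53 56 57 33 DB 89 5D E8 89 5D EC 8B D9 89 55 F8 89 45 FC "
    "8B 7D 08 8B 75 20 8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 33 C0 55 68 "
    "?? ?? ?? ?? 64 FF 30 64 89 20 80 7D 18 00 74 1A 0F B6 55 18 8D 4D EC 8B 45 F8 "
    "E8 ?? ?? ?? ?? 8B 55 EC 8D 45 F8 E8 ?? ?? ?? ?? 80 7D 1C 00 74 1A 0F B6 55 1C "
    "8D 4D E8 8B 45 FC E8 ?? ?? ?? ?? 8B 55 E8 8D 45 FC E8 ?? ?? ?? ?? 85 DB 75 07 "
    "E8 ?? ?? ?? ?? 8B D8 85 F6 75 07 E8 ?? ?? ?? ?? 8B F0 53 6A 00 8B 4D FC B2 01 "
    "A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F4 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 "
    "22 6A 00 6A 00 8B 45 F4 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 6A 00 33 C9 B2 01 A1 "
    "?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F0 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 "
    "6A 00 6A 00 56"
)


def hex_string_to_regex(hex_string: str) -> "re.Pattern":
    """Compile a YARA-style hex string (fixed bytes and ?? wildcards) to a bytes regex."""
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")  # any single byte
        elif len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex-string token: {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so "." also matches 0x0A


def scan(data: bytes, hex_string: str = C0_HEX) -> list:
    """Offsets in data where the pattern matches, i.e. where YARA's $c0 would fire."""
    return [m.start() for m in hex_string_to_regex(hex_string).finditer(data)]


def build_sample(hex_string: str = C0_HEX, fill: int = 0x00) -> bytes:
    """Constructed test input: the pattern with every wildcard byte set to `fill`,
    standing in for a build whose call/push operands differ from another build."""
    return bytes(fill if tok == "??" else int(tok, 16) for tok in hex_string.split())


if __name__ == "__main__":
    blob = b"\x90" * 16 + build_sample(fill=0xCC) + b"\x00" * 8
    print(scan(blob))  # [16]
```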
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern ($c0) in its detection logic.
Scenario: Scheduled Job Using FlyUtils.CnDES for Data Encryption
Description: A legitimate scheduled job runs to encrypt sensitive data using the FlyUtils.CnDES Encrypt ECB function as part of a data archiving process.
Filter/Exclusion: Exclude processes associated with the scheduled job by checking the ProcessName or CommandLine for known job identifiers (e.g., DataArchiveJob.exe or EncryptDataJob.bat).
Scenario: System Administration Task Using FlyUtils.CnDES
Description: An admin task uses the FlyUtils.CnDES Encrypt ECB function to secure configuration files or credentials during system setup or migration.
Filter/Exclusion: Exclude processes initiated by the local admin account or those with User field matching the admin username (e.g., Administrator or DomainAdmin).
Scenario: Development Environment Testing
Description: A developer is testing the FlyUtils.CnDES Encrypt ECB function in a development environment to ensure encryption logic works correctly.
Filter/Exclusion: Exclude processes running in a development environment by checking the ProcessPath or WorkingDirectory for known dev directories (e.g., C:\Dev\Project\ or D:\Code\).
Scenario: Third-Party Tool Integration
Description: A third-party tool or API integration uses FlyUtils.CnDES Encrypt ECB to encrypt data before sending it to an external service.
Filter/Exclusion: Exclude processes that are part of known third-party integrations by checking the ProcessName or ParentProcess for known integration services (e.g., ThirdPartyAPI.exe or IntegrationService.exe).
Scenario: Legacy System Migration
Description: During a legacy system migration, FlyUtils.CnDES Encrypt ECB is used to encrypt old data files before transferring them to a