win.agfspy

AgfSpy


The agfSpy backdoor retrieves its configuration and commands from its C&C server. These commands allow the backdoor to execute shell commands and send the execution results back to the server. It also enumerates directories and can list, upload, download, and execute files, among other functions. The capabilities of agfSpy are very similar to those of dneSpy, except that each backdoor uses a different C&C server and a different message-exchange format.

References
2020-10-28Trend MicroWilliam Gamazo Sanchez, Aliakbar Zahravi, Elliot Cao, Cedric Pernet, Daniel Lunghi, Jaromír Hořejší, Joseph C Chen, John Zhang
@online{sanchez:20201028:operation:7f4b906, author = {William Gamazo Sanchez and Aliakbar Zahravi and Elliot Cao and Cedric Pernet and Daniel Lunghi and Jaromír Hořejší and Joseph C Chen and John Zhang}, title = {{Operation Earth Kitsune: A Dance of Two New Backdoors}}, date = {2020-10-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html}, language = {English}, urldate = {2020-10-29} } Operation Earth Kitsune: A Dance of Two New Backdoors
AgfSpy DneSpy SLUB
Yara Rules
[TLP:WHITE] win_agfspy_auto (20211008 | Detects win.agfspy.)
rule win_agfspy_auto {

    /* Code-sequence signature for the win.agfspy backdoor, generated by
     * YARA-Signator (see the DISCLAIMER below for how the strings were picked).
     * Each $sequence_N is a short run of x86 instruction bytes taken from the
     * reference sample's disassembly; the `??` bytes are YARA wildcards that
     * stand in for the rel32 operand of the e8/e9 (call/jmp) opcodes, whose
     * value depends on the sample's layout and would otherwise make the
     * pattern brittle across builds. The rule fires when a majority of the
     * sequences (7 of 10) are present, so a single sequence missing from a
     * variant does not by itself defeat detection. */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.agfspy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.agfspy"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // In the generator annotations below, `n` is the number of
        // instructions in the sequence; `score` is presumably the generator's
        // ranking of the sequence (same value for all ten here) — see the
        // yara-signator documentation rather than relying on it for tuning.
        $sequence_0 = { 8945c0 e9???????? 3d00000100 0f829e010000 6a02 2d00000100 8d4dc0 }
            // n = 7, score = 300
            //   8945c0               | mov                 dword ptr [ebp - 0x40], eax
            //   e9????????           |                     
            //   3d00000100           | cmp                 eax, 0x10000
            //   0f829e010000         | jb                  0x1a4
            //   6a02                 | push                2
            //   2d00000100           | sub                 eax, 0x10000
            //   8d4dc0               | lea                 ecx, dword ptr [ebp - 0x40]

        $sequence_1 = { 83c002 3b45f4 72eb b800010000 663bf0 7328 837f1800 }
            // n = 7, score = 300
            //   83c002               | add                 eax, 2
            //   3b45f4               | cmp                 eax, dword ptr [ebp - 0xc]
            //   72eb                 | jb                  0xffffffed
            //   b800010000           | mov                 eax, 0x100
            //   663bf0               | cmp                 si, ax
            //   7328                 | jae                 0x2a
            //   837f1800             | cmp                 dword ptr [edi + 0x18], 0

        $sequence_2 = { b901000000 0f45c1 8945e8 8b0e c6451b01 85c9 7438 }
            // n = 7, score = 300
            //   b901000000           | mov                 ecx, 1
            //   0f45c1               | cmovne              eax, ecx
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   c6451b01             | mov                 byte ptr [ebp + 0x1b], 1
            //   85c9                 | test                ecx, ecx
            //   7438                 | je                  0x3a

        $sequence_3 = { 50 8d8de8f9ffff e8???????? 33c9 8b4010 }
            // n = 5, score = 300
            //   50                   | push                eax
            //   8d8de8f9ffff         | lea                 ecx, dword ptr [ebp - 0x618]
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   8b4010               | mov                 eax, dword ptr [eax + 0x10]

        $sequence_4 = { 33ff 8945fc 8d7003 39450c 0f8eeb000000 8b5d08 0fbe141f }
            // n = 7, score = 300
            //   33ff                 | xor                 edi, edi
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8d7003               | lea                 esi, dword ptr [eax + 3]
            //   39450c               | cmp                 dword ptr [ebp + 0xc], eax
            //   0f8eeb000000         | jle                 0xf1
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   0fbe141f             | movsx               edx, byte ptr [edi + ebx]

        $sequence_5 = { 5d c20800 83ec08 c6432c01 57 e8???????? 8ac8 }
            // n = 7, score = 300
            //   5d                   | pop                 ebp
            //   c20800               | ret                 8
            //   83ec08               | sub                 esp, 8
            //   c6432c01             | mov                 byte ptr [ebx + 0x2c], 1
            //   57                   | push                edi
            //   e8????????           |                     
            //   8ac8                 | mov                 cl, al

        $sequence_6 = { 8bd6 c1ea02 23d1 83e603 5f }
            // n = 5, score = 300
            //   8bd6                 | mov                 edx, esi
            //   c1ea02               | shr                 edx, 2
            //   23d1                 | and                 edx, ecx
            //   83e603               | and                 esi, 3
            //   5f                   | pop                 edi

        $sequence_7 = { 8bec 83ec30 56 57 8bf9 c645f801 6a00 }
            // n = 7, score = 300
            //   8bec                 | mov                 ebp, esp
            //   83ec30               | sub                 esp, 0x30
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bf9                 | mov                 edi, ecx
            //   c645f801             | mov                 byte ptr [ebp - 8], 1
            //   6a00                 | push                0

        $sequence_8 = { 85c9 0f8569ffffff 8b450c 2b44240c 8b4d10 1bca }
            // n = 6, score = 300
            //   85c9                 | test                ecx, ecx
            //   0f8569ffffff         | jne                 0xffffff6f
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   2b44240c             | sub                 eax, dword ptr [esp + 0xc]
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   1bca                 | sbb                 ecx, edx

        $sequence_9 = { 8b4508 8b10 8a421c 8b4a04 034a08 884508 8d420c }
            // n = 7, score = 300
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   8a421c               | mov                 al, byte ptr [edx + 0x1c]
            //   8b4a04               | mov                 ecx, dword ptr [edx + 4]
            //   034a08               | add                 ecx, dword ptr [edx + 8]
            //   884508               | mov                 byte ptr [ebp + 8], al
            //   8d420c               | lea                 eax, dword ptr [edx + 0xc]

    condition:
        // Match when at least 7 of the 10 sequences are present and the scanned
        // object is smaller than 1482752 bytes (~1.4 MiB). The size bound is
        // presumably a generator default to bound scan cost and false positives
        // on large files; it also means a sample padded past that size will not
        // match. NOTE(review): `filesize` refers to the file being scanned —
        // confirm how your YARA version evaluates it for non-file targets
        // (e.g. process memory) before relying on this rule there.
        7 of them and filesize < 1482752
}