win.agfspy (Back to overview)

AgfSpy


The agfSpy backdoor retrieves its configuration and commands from its C&C server. These commands allow the backdoor to execute shell commands and send the execution results back to the server. It also enumerates directories and can list, upload, download, and execute files, among other functions. The capabilities of agfSpy are very similar to those of dneSpy, except that each backdoor uses a different C&C server and a different message-exchange format.

References
2020-10-28 — Trend Micro — William Gamazo Sanchez, Aliakbar Zahravi, Elliot Cao, Cedric Pernet, Daniel Lunghi, Jaromír Hořejší, Joseph C Chen, John Zhang
@online{sanchez:20201028:operation:7f4b906, author = {William Gamazo Sanchez and Aliakbar Zahravi and Elliot Cao and Cedric Pernet and Daniel Lunghi and Jaromír Hořejší and Joseph C Chen and John Zhang}, title = {{Operation Earth Kitsune: A Dance of Two New Backdoors}}, date = {2020-10-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html}, language = {English}, urldate = {2020-10-29} } Operation Earth Kitsune: A Dance of Two New Backdoors
AgfSpy DneSpy SLUB
Yara Rules
[TLP:WHITE] win_agfspy_auto (20230125 | Detects win.agfspy.)
rule win_agfspy_auto {
    // Auto-generated (yara-signator) code-sequence signature for the agfSpy
    // backdoor. Each $sequence_N below is a short run of x86 opcode bytes
    // lifted from the disassembly of a Malpedia sample; the "n = ..." and
    // "score = ..." lines are the generator's per-sequence annotations.
    // The condition requires 7 of the 10 sequences plus a file-size bound,
    // so no single generic-looking sequence (e.g. a function epilogue)
    // produces a match on its own.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.agfspy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.agfspy"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Convention used throughout: "e8????????" is a call rel32 and
        // "68????????" a push imm32 whose 4-byte operand is wildcarded, so a
        // sequence still matches when the callee address or pushed constant
        // differs between builds / load addresses. All other bytes are exact.
        $sequence_0 = { 7408 85c0 0f85e4feffff 53 8d4e14 e8???????? }
            // n = 6, score = 300
            //   7408                 | je                  0xa
            //   85c0                 | test                eax, eax
            //   0f85e4feffff         | jne                 0xfffffeea
            //   53                   | push                ebx
            //   8d4e14               | lea                 ecx, [esi + 0x14]
            //   e8????????           |                     

        $sequence_1 = { 8b06 8b4804 03ce 83790c00 0f94c0 eb02 b001 }
            // n = 7, score = 300
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   03ce                 | add                 ecx, esi
            //   83790c00             | cmp                 dword ptr [ecx + 0xc], 0
            //   0f94c0               | sete                al
            //   eb02                 | jmp                 4
            //   b001                 | mov                 al, 1

        // Starts with a stdcall-style epilogue (mov esp, ebp; pop ebp; ret 4);
        // on its own this prefix is common to many functions, the following
        // stack-frame offsets (-0xd4) are what make it sample-specific.
        $sequence_2 = { 8be5 5d c20400 6a01 8d8d2cffffff e8???????? 8d852cffffff }
            // n = 7, score = 300
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   6a01                 | push                1
            //   8d8d2cffffff         | lea                 ecx, [ebp - 0xd4]
            //   e8????????           |                     
            //   8d852cffffff         | lea                 eax, [ebp - 0xd4]

        $sequence_3 = { 8d4dc0 51 50 e8???????? 8a45bb 83c40c 8806 }
            // n = 7, score = 300
            //   8d4dc0               | lea                 ecx, [ebp - 0x40]
            //   51                   | push                ecx
            //   50                   | push                eax
            //   e8????????           |                     
            //   8a45bb               | mov                 al, byte ptr [ebp - 0x45]
            //   83c40c               | add                 esp, 0xc
            //   8806                 | mov                 byte ptr [esi], al

        // Indirect call through a function pointer at [eax + 0x20], then a
        // chain of pointer dereferences - reads like a vtable/object-method call.
        $sequence_4 = { ff5020 ff750c 0fb7f0 8b430c 8b4804 8b01 }
            // n = 6, score = 300
            //   ff5020               | call                dword ptr [eax + 0x20]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   0fb7f0               | movzx               esi, ax
            //   8b430c               | mov                 eax, dword ptr [ebx + 0xc]
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   8b01                 | mov                 eax, dword ptr [ecx]

        $sequence_5 = { 51 8d4dd4 e8???????? 6a00 83ec08 8d8d00ffffff e8???????? }
            // n = 7, score = 300
            //   51                   | push                ecx
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   e8????????           |                     
            //   6a00                 | push                0
            //   83ec08               | sub                 esp, 8
            //   8d8d00ffffff         | lea                 ecx, [ebp - 0x100]
            //   e8????????           |                     

        // Loop stepping ecx by 2 and comparing a 16-bit word against bx -
        // looks like a wide-character scan (TODO confirm against the sample).
        $sequence_6 = { 3bc8 7410 0f1f4000 663919 7456 83c102 3bc8 }
            // n = 7, score = 300
            //   3bc8                 | cmp                 ecx, eax
            //   7410                 | je                  0x12
            //   0f1f4000             | nop                 dword ptr [eax]
            //   663919               | cmp                 word ptr [ecx], bx
            //   7456                 | je                  0x58
            //   83c102               | add                 ecx, 2
            //   3bc8                 | cmp                 ecx, eax

        // Field-by-field initialisation of a structure at [eax] from locals
        // (offsets 0xc, 0x10, 0x18), then the object pointer is saved.
        $sequence_7 = { 8b5dec 89480c 8b4de4 894810 8a4df3 884818 8945a8 }
            // n = 7, score = 300
            //   8b5dec               | mov                 ebx, dword ptr [ebp - 0x14]
            //   89480c               | mov                 dword ptr [eax + 0xc], ecx
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   894810               | mov                 dword ptr [eax + 0x10], ecx
            //   8a4df3               | mov                 cl, byte ptr [ebp - 0xd]
            //   884818               | mov                 byte ptr [eax + 0x18], cl
            //   8945a8               | mov                 dword ptr [ebp - 0x58], eax

        // Two wildcarded push imm32 at the end: the pushed constants (likely
        // addresses of data - see "datarefs" in signator_config) are masked.
        $sequence_8 = { e8???????? 83c404 8d4d40 8b10 51 68???????? 68???????? }
            // n = 7, score = 300
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8d4d40               | lea                 ecx, [ebp + 0x40]
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   51                   | push                ecx
            //   68????????           |                     
            //   68????????           |                     

        $sequence_9 = { 57 8b7d0c 83f804 0f84be000000 85c0 755e 8b4508 }
            // n = 7, score = 300
            //   57                   | push                edi
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   83f804               | cmp                 eax, 4
            //   0f84be000000         | je                  0xc4
            //   85c0                 | test                eax, eax
            //   755e                 | jne                 0x60
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

    condition:
        // At least 7 of the 10 $sequence_* strings must be present, and the
        // scanned object must be smaller than 1482752 bytes (1448 KiB).
        // NOTE(review): filesize is only meaningful when scanning files on
        // disk; confirm how your engine evaluates it for memory scans before
        // relying on the size bound there.
        7 of them and filesize < 1482752
}