win.agfspy

AgfSpy


The agfSpy backdoor retrieves its configuration and commands from its C&C server. These commands allow the backdoor to execute shell commands and send the execution results back to the server. It also enumerates directories and can list, upload, download, and execute files, among other functions. The capabilities of agfSpy are very similar to those of dneSpy, except that each backdoor uses a different C&C server and a different format for its message exchanges.

References
2020-10-28 · Trend Micro · William Gamazo Sanchez, Aliakbar Zahravi, Elliot Cao, Cedric Pernet, Daniel Lunghi, Jaromír Hořejší, Joseph C Chen, John Zhang
@online{sanchez:20201028:operation:7f4b906, author = {William Gamazo Sanchez and Aliakbar Zahravi and Elliot Cao and Cedric Pernet and Daniel Lunghi and Jaromír Hořejší and Joseph C Chen and John Zhang}, title = {{Operation Earth Kitsune: A Dance of Two New Backdoors}}, date = {2020-10-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html}, language = {English}, urldate = {2020-10-29} } Operation Earth Kitsune: A Dance of Two New Backdoors
AgfSpy DneSpy SLUB
Yara Rules
[TLP:WHITE] win_agfspy_auto (20220808 | Detects win.agfspy.)
rule win_agfspy_auto {
    // Autogenerated (yara-signator) code-sequence signature for the AgfSpy backdoor.
    // Match logic: at least 7 of the 10 $sequence_* byte patterns below must be
    // present, and the scanned object must be smaller than 1482752 bytes (1448 KiB).
    // The `??` wildcards mask the 4-byte relative displacement of call (e8) and
    // jmp (e9) instructions, which changes with code layout between builds
    // (see signator_config "callsandjumps"); every other byte must match exactly.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.agfspy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.agfspy"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Deployment note: because the sequences were selected from memory dumps and
    // unpacked files, a packed on-disk sample may not expose them; scan unpacked
    // payloads or dumped memory regions for the most reliable coverage.

    strings:
        // Each sequence is 7 consecutive x86 instructions; the disassembly below
        // each pattern is the generator's annotation of the bytes it selected.
        $sequence_0 = { 8b4d08 6a30 e8???????? e9???????? 8b45fc 8b5008 8b480c }
            // n = 7, score = 300
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   6a30                 | push                0x30
            //   e8????????           |                     
            //   e9????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b5008               | mov                 edx, dword ptr [eax + 8]
            //   8b480c               | mov                 ecx, dword ptr [eax + 0xc]

        $sequence_1 = { 50 8d4520 50 e8???????? 83c408 84c0 0f85c2000000 }
            // n = 7, score = 300
            //   50                   | push                eax
            //   8d4520               | lea                 eax, [ebp + 0x20]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   84c0                 | test                al, al
            //   0f85c2000000         | jne                 0xc8

        $sequence_2 = { c745fc03000000 8b45c8 85c0 7419 a801 7515 83e0fe }
            // n = 7, score = 300
            //   c745fc03000000       | mov                 dword ptr [ebp - 4], 3
            //   8b45c8               | mov                 eax, dword ptr [ebp - 0x38]
            //   85c0                 | test                eax, eax
            //   7419                 | je                  0x1b
            //   a801                 | test                al, 1
            //   7515                 | jne                 0x17
            //   83e0fe               | and                 eax, 0xfffffffe

        $sequence_3 = { e8???????? 83c408 84c0 0f85a9000000 807d1000 8b550c 7537 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   84c0                 | test                al, al
            //   0f85a9000000         | jne                 0xaf
            //   807d1000             | cmp                 byte ptr [ebp + 0x10], 0
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   7537                 | jne                 0x39

        $sequence_4 = { e8???????? 8be5 5d c20c00 53 8bdc 83ec08 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20c00               | ret                 0xc
            //   53                   | push                ebx
            //   8bdc                 | mov                 ebx, esp
            //   83ec08               | sub                 esp, 8

        $sequence_5 = { 2bc1 83c0fc 83f81f 7724 e9???????? 32c0 8b4df4 }
            // n = 7, score = 300
            //   2bc1                 | sub                 eax, ecx
            //   83c0fc               | add                 eax, -4
            //   83f81f               | cmp                 eax, 0x1f
            //   7724                 | ja                  0x26
            //   e9????????           |                     
            //   32c0                 | xor                 al, al
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]

        $sequence_6 = { a820 0f84d7000000 837b4c3f 0f85cd000000 8b0b 8b5308 3bca }
            // n = 7, score = 300
            //   a820                 | test                al, 0x20
            //   0f84d7000000         | je                  0xdd
            //   837b4c3f             | cmp                 dword ptr [ebx + 0x4c], 0x3f
            //   0f85cd000000         | jne                 0xd3
            //   8b0b                 | mov                 ecx, dword ptr [ebx]
            //   8b5308               | mov                 edx, dword ptr [ebx + 8]
            //   3bca                 | cmp                 ecx, edx

        $sequence_7 = { 8bca ff501c 83f8ff 7406 c6451000 eb0b c7450c00000000 }
            // n = 7, score = 300
            //   8bca                 | mov                 ecx, edx
            //   ff501c               | call                dword ptr [eax + 0x1c]
            //   83f8ff               | cmp                 eax, -1
            //   7406                 | je                  8
            //   c6451000             | mov                 byte ptr [ebp + 0x10], 0
            //   eb0b                 | jmp                 0xd
            //   c7450c00000000       | mov                 dword ptr [ebp + 0xc], 0

        $sequence_8 = { c6400800 5b 83c410 c20c00 e8???????? 84c0 7454 }
            // n = 7, score = 300
            //   c6400800             | mov                 byte ptr [eax + 8], 0
            //   5b                   | pop                 ebx
            //   83c410               | add                 esp, 0x10
            //   c20c00               | ret                 0xc
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7454                 | je                  0x56

        $sequence_9 = { 0f85ad000000 c787a400000000000000 33d2 8b4114 33f6 0545020000 8945e8 }
            // n = 7, score = 300
            //   0f85ad000000         | jne                 0xb3
            //   c787a400000000000000     | mov    dword ptr [edi + 0xa4], 0
            //   33d2                 | xor                 edx, edx
            //   8b4114               | mov                 eax, dword ptr [ecx + 0x14]
            //   33f6                 | xor                 esi, esi
            //   0545020000           | add                 eax, 0x245
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax

    condition:
        // "7 of them" = 7 of the 10 $sequence_* strings, so up to three sequences
        // may be absent (e.g. in a differently compiled build) and the rule still fires.
        // NOTE(review): `filesize` is undefined when YARA scans a running process
        // rather than a file, which makes this conjunction evaluate as false; expect
        // the rule to match files and memory dumps written to disk, not live process
        // scans — confirm against your YARA version before relying on it there.
        7 of them and filesize < 1482752
}