win.agfspy

AgfSpy


The agfSpy backdoor retrieves its configuration and commands from its C&C server. These commands allow the backdoor to execute shell commands and send the execution results back to the server. It also enumerates directories and can list, upload, download, and execute files, among other functions. The capabilities of agfSpy are very similar to those of dneSpy, except that each backdoor uses a different C&C server and a different message-exchange format.

References
2020-10-28 — Trend Micro — William Gamazo Sanchez, Aliakbar Zahravi, Elliot Cao, Cedric Pernet, Daniel Lunghi, Jaromír Hořejší, Joseph C Chen, John Zhang
@online{sanchez:20201028:operation:7f4b906, author = {William Gamazo Sanchez and Aliakbar Zahravi and Elliot Cao and Cedric Pernet and Daniel Lunghi and Jaromír Hořejší and Joseph C Chen and John Zhang}, title = {{Operation Earth Kitsune: A Dance of Two New Backdoors}}, date = {2020-10-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html}, language = {English}, urldate = {2020-10-29} } Operation Earth Kitsune: A Dance of Two New Backdoors
AgfSpy DneSpy SLUB
Yara Rules
[TLP:WHITE] win_agfspy_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_agfspy_auto {
    // Code-similarity signature for the agfSpy backdoor (Malpedia family
    // win.agfspy). It fires when enough short 32-bit x86 instruction
    // sequences lifted from the reference sample's disassembly are present.
    // The rule keys on code bytes only, not on the backdoor's network or
    // file-system behaviour, so a hit means "shares code fragments with the
    // documented sample"; confirm with further analysis before attribution.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.agfspy"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of n consecutive instructions from the
        // reference sample, written as raw hex with the disassembly repeated
        // in the comments beneath it. '??' bytes are wildcards: the generator
        // masks operands that vary between builds or load addresses
        // (call/jump targets and data references, per signator_config), so
        // those instructions match regardless of address layout; their
        // disassembly column is left blank. 'score' is the generator's
        // internal ranking of the sequence -- its exact meaning is defined by
        // yara-signator, not by this rule.
        $sequence_0 = { 7527 83fefd 7431 8a4101 3a4201 751a 83fefe }
            // n = 7, score = 300
            //   7527                 | jne                 0x29
            //   83fefd               | cmp                 esi, -3
            //   7431                 | je                  0x33
            //   8a4101               | mov                 al, byte ptr [ecx + 1]
            //   3a4201               | cmp                 al, byte ptr [edx + 1]
            //   751a                 | jne                 0x1c
            //   83fefe               | cmp                 esi, -2

        $sequence_1 = { 83c41c 84c0 0f840dfaffff 56 57 bb???????? 53 }
            // n = 7, score = 300
            //   83c41c               | add                 esp, 0x1c
            //   84c0                 | test                al, al
            //   0f840dfaffff         | je                  0xfffffa13
            //   56                   | push                esi
            //   57                   | push                edi
            //   bb????????           |                     (imm32 operand wildcarded)
            //   53                   | push                ebx

        $sequence_2 = { 8bec 8b4508 8d5001 0f1f8000000000 8a08 40 84c9 }
            // n = 7, score = 300
            //   8bec                 | mov                 ebp, esp
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8d5001               | lea                 edx, [eax + 1]
            //   0f1f8000000000       | nop                 dword ptr [eax]
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   40                   | inc                 eax
            //   84c9                 | test                cl, cl

        $sequence_3 = { 83f8ff 7406 c6460400 eb0a c70600000000 c6460401 8b5dec }
            // n = 7, score = 300
            //   83f8ff               | cmp                 eax, -1
            //   7406                 | je                  8
            //   c6460400             | mov                 byte ptr [esi + 4], 0
            //   eb0a                 | jmp                 0xc
            //   c70600000000         | mov                 dword ptr [esi], 0
            //   c6460401             | mov                 byte ptr [esi + 4], 1
            //   8b5dec               | mov                 ebx, dword ptr [ebp - 0x14]

        $sequence_4 = { 8d4101 894610 8bc6 83fa10 7202 8b06 ff75d0 }
            // n = 7, score = 300
            //   8d4101               | lea                 eax, [ecx + 1]
            //   894610               | mov                 dword ptr [esi + 0x10], eax
            //   8bc6                 | mov                 eax, esi
            //   83fa10               | cmp                 edx, 0x10
            //   7202                 | jb                  4
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   ff75d0               | push                dword ptr [ebp - 0x30]

        $sequence_5 = { f7465000001000 0f847f020000 837e4c2d 0fb7c0 0f8529010000 8b06 8b4e08 }
            // n = 7, score = 300
            //   f7465000001000       | test                dword ptr [esi + 0x50], 0x100000
            //   0f847f020000         | je                  0x285
            //   837e4c2d             | cmp                 dword ptr [esi + 0x4c], 0x2d
            //   0fb7c0               | movzx               eax, ax
            //   0f8529010000         | jne                 0x12f
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8b4e08               | mov                 ecx, dword ptr [esi + 8]

        $sequence_6 = { 8945dc 8945e8 8b45d0 2bc1 50 51 56 }
            // n = 7, score = 300
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8b45d0               | mov                 eax, dword ptr [ebp - 0x30]
            //   2bc1                 | sub                 eax, ecx
            //   50                   | push                eax
            //   51                   | push                ecx
            //   56                   | push                esi

        $sequence_7 = { 8942fc 3bcf 75e7 8b45f8 8b7df4 8b08 85c9 }
            // n = 7, score = 300
            //   8942fc               | mov                 dword ptr [edx - 4], eax
            //   3bcf                 | cmp                 ecx, edi
            //   75e7                 | jne                 0xffffffe9
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b7df4               | mov                 edi, dword ptr [ebp - 0xc]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   85c9                 | test                ecx, ecx

        $sequence_8 = { 33ff f7a4bd30feffff 0385b4f8ffff 8984bd30feffff 8b85a8f8ffff 83d200 }
            // n = 6, score = 300
            //   33ff                 | xor                 edi, edi
            //   f7a4bd30feffff       | mul                 dword ptr [ebp + edi*4 - 0x1d0]
            //   0385b4f8ffff         | add                 eax, dword ptr [ebp - 0x74c]
            //   8984bd30feffff       | mov                 dword ptr [ebp + edi*4 - 0x1d0], eax
            //   8b85a8f8ffff         | mov                 eax, dword ptr [ebp - 0x758]
            //   83d200               | adc                 edx, 0

        $sequence_9 = { eb0e 50 51 8d4c243a e8???????? 83c408 33c9 }
            // n = 7, score = 300
            //   eb0e                 | jmp                 0x10
            //   50                   | push                eax
            //   51                   | push                ecx
            //   8d4c243a             | lea                 ecx, [esp + 0x3a]
            //   e8????????           |                     (rel32 call target wildcarded)
            //   83c408               | add                 esp, 8
            //   33c9                 | xor                 ecx, ecx

    condition:
        // At least 7 of the 10 $sequence_* strings must be present, so a
        // sample in which a few fragments were compiled differently can still
        // match. The filesize cap (1482752 bytes, ~1.4 MiB) is presumably
        // derived from the documented sample(s) and means larger files are
        // never matched -- NOTE(review): re-check the cap before relying on
        // this rule against a different sample set.
        7 of them and filesize < 1482752
}