win.agfspy (Back to overview)

AgfSpy


The agfSpy backdoor retrieves its configuration and commands from its C&C server. These commands allow the backdoor to execute shell commands and send the execution results back to the server. It also enumerates directories and can list, upload, download, and execute files, among other functions. The capabilities of agfSpy are very similar to those of dneSpy, except that each backdoor uses a different C&C server and a different message format when exchanging data with it.

References
2020-10-28 · Trend Micro · William Gamazo Sanchez, Aliakbar Zahravi, Elliot Cao, Cedric Pernet, Daniel Lunghi, Jaromír Hořejší, Joseph C Chen, John Zhang
@online{sanchez:20201028:operation:7f4b906, author = {William Gamazo Sanchez and Aliakbar Zahravi and Elliot Cao and Cedric Pernet and Daniel Lunghi and Jaromír Hořejší and Joseph C Chen and John Zhang}, title = {{Operation Earth Kitsune: A Dance of Two New Backdoors}}, date = {2020-10-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html}, language = {English}, urldate = {2020-10-29} } Operation Earth Kitsune: A Dance of Two New Backdoors
AgfSpy DneSpy SLUB
Yara Rules
[TLP:WHITE] win_agfspy_auto (20230715 | Detects win.agfspy.)
rule win_agfspy_auto {
    // Autogenerated code-sequence rule for the agfSpy backdoor (see the DISCLAIMER
    // below for how the sequences were selected). Each $sequence_N is a short run
    // of 32-bit x86 instruction bytes taken from the disassembly; `??` wildcards
    // stand for bytes that vary per build, here the rel32 displacement of
    // e8 (call) / e9 (jmp), which is why those lines carry no disassembly text.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.agfspy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.agfspy"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Loop tail: compares eax against [esi], sets a byte flag at [ebp-0x68],
        // then tests a count field at [esi+0x7c] before continuing.
        $sequence_0 = { 3b06 75c4 c6459801 8b4e7c 85c9 7e06 8d4101 }
            // n = 7, score = 300
            //   3b06                 | cmp                 eax, dword ptr [esi]
            //   75c4                 | jne                 0xffffffc6
            //   c6459801             | mov                 byte ptr [ebp - 0x68], 1
            //   8b4e7c               | mov                 ecx, dword ptr [esi + 0x7c]
            //   85c9                 | test                ecx, ecx
            //   7e06                 | jle                 8
            //   8d4101               | lea                 eax, [ecx + 1]

        // Per-byte add-then-xor on al, each result stored into consecutive stack
        // bytes ([ebp-0x2d8], [ebp-0x2d7]). Consistent with an inlined
        // string/config decoding routine (inference from the pattern, not confirmed
        // here); $sequence_9 shows the same shape with different constants.
        $sequence_1 = { 040c 3452 888528fdffff 8b8518fdffff 040d 888529fdffff 8b8518fdffff }
            // n = 7, score = 300
            //   040c                 | add                 al, 0xc
            //   3452                 | xor                 al, 0x52
            //   888528fdffff         | mov                 byte ptr [ebp - 0x2d8], al
            //   8b8518fdffff         | mov                 eax, dword ptr [ebp - 0x2e8]
            //   040d                 | add                 al, 0xd
            //   888529fdffff         | mov                 byte ptr [ebp - 0x2d7], al
            //   8b8518fdffff         | mov                 eax, dword ptr [ebp - 0x2e8]

        // ASCII digit check: lea eax,[ecx-0x30]; cmp ax,9; ja rejects anything
        // outside '0'..'9' (0x30 is '0'); sub ecx,0x30 converts the digit to its
        // value. Leading e9 is a jmp whose rel32 target is wildcarded.
        $sequence_2 = { e9???????? 8d41d0 6683f809 0f87cb000000 83e930 8bda 894df0 }
            // n = 7, score = 300
            //   e9????????           |                     
            //   8d41d0               | lea                 eax, [ecx - 0x30]
            //   6683f809             | cmp                 ax, 9
            //   0f87cb000000         | ja                  0xd1
            //   83e930               | sub                 ecx, 0x30
            //   8bda                 | mov                 ebx, edx
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx

        // Prologue saving esi/edi, then loads two fields of the object in ebx and
        // compares [ebx+8] with [ebx+0x10]+1.
        $sequence_3 = { 8bd9 56 57 8b4b10 8b5308 8d4101 3bd0 }
            // n = 7, score = 300
            //   8bd9                 | mov                 ebx, ecx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b4b10               | mov                 ecx, dword ptr [ebx + 0x10]
            //   8b5308               | mov                 edx, dword ptr [ebx + 8]
            //   8d4101               | lea                 eax, [ecx + 1]
            //   3bd0                 | cmp                 edx, eax

        // Tests the low two bits of a dword at [esi+4], then null-checks the
        // pointer at [esi] after saving it to [ebp-0x30].
        $sequence_4 = { 8b4604 a803 7437 8b0e 894dd0 85c9 742e }
            // n = 7, score = 300
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   a803                 | test                al, 3
            //   7437                 | je                  0x39
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   894dd0               | mov                 dword ptr [ebp - 0x30], ecx
            //   85c9                 | test                ecx, ecx
            //   742e                 | je                  0x30

        // Pushes 0x104 (260, the size of a MAX_PATH buffer) and a buffer pointer
        // before a wildcarded call, then pushes 0x5c ('\\'). Consistent with
        // path-string handling; the callee cannot be identified from this fragment.
        $sequence_5 = { 6804010000 50 e8???????? 83c40c 8d85d0fdffff 6a5c }
            // n = 6, score = 300
            //   6804010000           | push                0x104
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d85d0fdffff         | lea                 eax, [ebp - 0x230]
            //   6a5c                 | push                0x5c

        // Initialises two (pointer, 0) dword pairs on the stack around a
        // wildcarded call.
        $sequence_6 = { 8d4df0 50 8975f0 c745f400000000 e8???????? 8975e8 c745ec00000000 }
            // n = 7, score = 300
            //   8d4df0               | lea                 ecx, [ebp - 0x10]
            //   50                   | push                eax
            //   8975f0               | mov                 dword ptr [ebp - 0x10], esi
            //   c745f400000000       | mov                 dword ptr [ebp - 0xc], 0
            //   e8????????           |                     
            //   8975e8               | mov                 dword ptr [ebp - 0x18], esi
            //   c745ec00000000       | mov                 dword ptr [ebp - 0x14], 0

        // Function prologue that links a new exception record at fs:[0] (the
        // 32-bit Windows SEH chain head). Compiler-generated boilerplate, so it
        // carries little weight on its own; it only counts toward "7 of them".
        $sequence_7 = { 50 8d45f4 64a300000000 8bf9 8b5d08 8bcb 895db8 }
            // n = 7, score = 300
            //   50                   | push                eax
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8bf9                 | mov                 edi, ecx
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   8bcb                 | mov                 ecx, ebx
            //   895db8               | mov                 dword ptr [ebp - 0x48], ebx

        // Adds the constant 0x25d and a field at [ebx+0x38] to esi, then divides
        // by that same field and uses the remainder (edx). The purpose of the
        // modulus cannot be determined from this fragment.
        $sequence_8 = { 81c65d020000 037338 8bc6 f77338 8b470c 2bc2 03c6 }
            // n = 7, score = 300
            //   81c65d020000         | add                 esi, 0x25d
            //   037338               | add                 esi, dword ptr [ebx + 0x38]
            //   8bc6                 | mov                 eax, esi
            //   f77338               | div                 dword ptr [ebx + 0x38]
            //   8b470c               | mov                 eax, dword ptr [edi + 0xc]
            //   2bc2                 | sub                 eax, edx
            //   03c6                 | add                 eax, esi

        // Same add-then-xor-then-store shape as $sequence_1, operating on a
        // different stack buffer ([ebp-0x28c], [ebp-0x28b]).
        $sequence_9 = { 8b8568fdffff 0408 3472 888574fdffff 8b8568fdffff 0409 888575fdffff }
            // n = 7, score = 300
            //   8b8568fdffff         | mov                 eax, dword ptr [ebp - 0x298]
            //   0408                 | add                 al, 8
            //   3472                 | xor                 al, 0x72
            //   888574fdffff         | mov                 byte ptr [ebp - 0x28c], al
            //   8b8568fdffff         | mov                 eax, dword ptr [ebp - 0x298]
            //   0409                 | add                 al, 9
            //   888575fdffff         | mov                 byte ptr [ebp - 0x28b], al

    condition:
        // At least 7 of the 10 sequences must be present. The filesize bound
        // (1482752 bytes, ~1.41 MiB) applies to the scanned object: a full process
        // memory dump larger than this will not match even if the code is present,
        // so raise or drop the bound when scanning memory rather than files.
        7 of them and filesize < 1482752
}