SYMBOLCOMMON_NAMEaka. SYNONYMS
win.agfspy (Back to overview)

AgfSpy


The agfSpy backdoor retrieves configuration and commands from its C&C server. These commands allow the backdoor to execute shell commands and send the execution results back to the server. It also enumerates directories and can list, upload, download, and execute files, among other functions. The capabilities of agfSpy are very similar to dneSpy, except each backdoor uses a different C&C server and various formats in message exchanges.

References
2020-10-28Trend MicroWilliam Gamazo Sanchez, Aliakbar Zahravi, Elliot Cao, Cedric Pernet, Daniel Lunghi, Jaromír Hořejší, Joseph C Chen, John Zhang
@online{sanchez:20201028:operation:7f4b906, author = {William Gamazo Sanchez and Aliakbar Zahravi and Elliot Cao and Cedric Pernet and Daniel Lunghi and Jaromír Hořejší and Joseph C Chen and John Zhang}, title = {{Operation Earth Kitsune: A Dance of Two New Backdoors}}, date = {2020-10-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html}, language = {English}, urldate = {2020-10-29} } Operation Earth Kitsune: A Dance of Two New Backdoors
AgfSpy DneSpy SLUB
Yara Rules
[TLP:WHITE] win_agfspy_auto (20230407 | Detects win.agfspy.)
rule win_agfspy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.agfspy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.agfspy"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83c40c 85c0 7407 2bc6 83f8ff 750f 6a02 }
            // n = 7, score = 300
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   2bc6                 | sub                 eax, esi
            //   83f8ff               | cmp                 eax, -1
            //   750f                 | jne                 0x11
            //   6a02                 | push                2

        $sequence_1 = { 8b5730 8b00 8b32 8945fc 8d0c70 85c0 }
            // n = 6, score = 300
            //   8b5730               | mov                 edx, dword ptr [edi + 0x30]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8b32                 | mov                 esi, dword ptr [edx]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8d0c70               | lea                 ecx, [eax + esi*2]
            //   85c0                 | test                eax, eax

        $sequence_2 = { 3bca 72d9 c745ec0f000000 c745e801000000 66c745d82200 57 }
            // n = 6, score = 300
            //   3bca                 | cmp                 ecx, edx
            //   72d9                 | jb                  0xffffffdb
            //   c745ec0f000000       | mov                 dword ptr [ebp - 0x14], 0xf
            //   c745e801000000       | mov                 dword ptr [ebp - 0x18], 1
            //   66c745d82200         | mov                 word ptr [ebp - 0x28], 0x22
            //   57                   | push                edi

        $sequence_3 = { 7408 8b10 8bc8 6a01 ff12 8b4dc8 8d550c }
            // n = 7, score = 300
            //   7408                 | je                  0xa
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   8bc8                 | mov                 ecx, eax
            //   6a01                 | push                1
            //   ff12                 | call                dword ptr [edx]
            //   8b4dc8               | mov                 ecx, dword ptr [ebp - 0x38]
            //   8d550c               | lea                 edx, [ebp + 0xc]

        $sequence_4 = { 33c0 897db0 c745d400000000 c7471000000000 c7471407000000 668907 8945fc }
            // n = 7, score = 300
            //   33c0                 | xor                 eax, eax
            //   897db0               | mov                 dword ptr [ebp - 0x50], edi
            //   c745d400000000       | mov                 dword ptr [ebp - 0x2c], 0
            //   c7471000000000       | mov                 dword ptr [edi + 0x10], 0
            //   c7471407000000       | mov                 dword ptr [edi + 0x14], 7
            //   668907               | mov                 word ptr [edi], ax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_5 = { 8d4510 8bcf 8b17 50 ff5214 837d2000 c745fc00000000 }
            // n = 7, score = 300
            //   8d4510               | lea                 eax, [ebp + 0x10]
            //   8bcf                 | mov                 ecx, edi
            //   8b17                 | mov                 edx, dword ptr [edi]
            //   50                   | push                eax
            //   ff5214               | call                dword ptr [edx + 0x14]
            //   837d2000             | cmp                 dword ptr [ebp + 0x20], 0
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0

        $sequence_6 = { b801000000 5f 5e 5b c3 83f85b 0f85cd000000 }
            // n = 7, score = 300
            //   b801000000           | mov                 eax, 1
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   83f85b               | cmp                 eax, 0x5b
            //   0f85cd000000         | jne                 0xd3

        $sequence_7 = { 6685c0 0f84f8000000 6a00 50 8d4e24 e8???????? eb3a }
            // n = 7, score = 300
            //   6685c0               | test                ax, ax
            //   0f84f8000000         | je                  0xfe
            //   6a00                 | push                0
            //   50                   | push                eax
            //   8d4e24               | lea                 ecx, [esi + 0x24]
            //   e8????????           |                     
            //   eb3a                 | jmp                 0x3c

        $sequence_8 = { 5d 5b 5f 5e 59 c20400 83ff10 }
            // n = 7, score = 300
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   59                   | pop                 ecx
            //   c20400               | ret                 4
            //   83ff10               | cmp                 edi, 0x10

        $sequence_9 = { e8???????? 8d8550f8ffff 50 8d8de8f9ffff e8???????? 8d8d50f8ffff 8b7010 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   8d8550f8ffff         | lea                 eax, [ebp - 0x7b0]
            //   50                   | push                eax
            //   8d8de8f9ffff         | lea                 ecx, [ebp - 0x618]
            //   e8????????           |                     
            //   8d8d50f8ffff         | lea                 ecx, [ebp - 0x7b0]
            //   8b7010               | mov                 esi, dword ptr [eax + 0x10]

    condition:
        7 of them and filesize < 1482752
}
Download all Yara Rules