win.alphanc

AlphaNC

Actor(s): Lazarus Group


No description of this family is available yet; the references below are the reporting that links AlphaNC to Lazarus Group.

References
2020 · Secureworks · SecureWorks
@online{secureworks:2020:nickel:bd4482a, author = {SecureWorks}, title = {{NICKEL GLADSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-gladstone}, language = {English}, urldate = {2020-05-23} } NICKEL GLADSTONE
AlphaNC Bankshot Ratankba Lazarus Group
2017-05-22 · Symantec · Symantec Security Response
@online{response:20170522:wannacry:f66a95e, author = {Symantec Security Response}, title = {{WannaCry: Ransomware attacks show strong links to Lazarus group}}, date = {2017-05-22}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group}, language = {English}, urldate = {2020-01-06} } WannaCry: Ransomware attacks show strong links to Lazarus group
AlphaNC BravoNC Duuzer Sierra (Alfa, Bravo, ...) WannaCryptor
Yara Rules
[TLP:WHITE] win_alphanc_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_alphanc_auto {
    /*
     * Auto-generated Malpedia code-signature rule for win.alphanc (AlphaNC).
     * Every string below is a short run of raw x86 opcodes lifted from the
     * unpacked / memory-dumped samples in Malpedia; the indented listing under
     * each string is the generator's disassembly of those bytes. "??" bytes are
     * YARA wildcards -- per tool_config the generator masks call/jump targets
     * and data references, so the sequences match regardless of image base.
     * "n" is the number of instructions in the sequence; "score" appears to be
     * the generator's ranking value for that sequence (see the yara-signator
     * repository linked in the disclaimer).
     *
     * NOTE(review): string identifiers and meta values are part of the rule's
     * match output (yara -s / -m) that downstream pipelines may key on, so they
     * are left untouched here; only comments were added.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphanc"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Byte-wise XOR: reads a key byte at a fixed distance (ebx - esi) from
        // the data pointer, XORs it into the byte at [eax], then advances eax.
        // Looks like the body of an in-place decode loop; the loop back-edge
        // is outside the sequence, so treat that reading as an inference.
        $sequence_0 = { 8bc6 2bde 8a0c18 8a10 32d1 8810 40 }
            // n = 7, score = 100
            //   8bc6                 | mov                 eax, esi
            //   2bde                 | sub                 ebx, esi
            //   8a0c18               | mov                 cl, byte ptr [eax + ebx]
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   32d1                 | xor                 dl, cl
            //   8810                 | mov                 byte ptr [eax], dl
            //   40                   | inc                 eax

        // Three-argument call: pushes 0, [ebx+8] and eax+ebx+0x10 (a pointer
        // into a structure at ebx), with the call target masked.
        $sequence_1 = { 8b7308 6a00 56 8d5c1810 89442434 53 e8???????? }
            // n = 7, score = 100
            //   8b7308               | mov                 esi, dword ptr [ebx + 8]
            //   6a00                 | push                0
            //   56                   | push                esi
            //   8d5c1810             | lea                 ebx, [eax + ebx + 0x10]
            //   89442434             | mov                 dword ptr [esp + 0x34], eax
            //   53                   | push                ebx
            //   e8????????           |                     

        // Stack juggling below esp around a call's return value (writes to
        // [esp-4], then sub esp,4 / pop eax). This reads as a code-generation
        // artefact rather than a semantic feature, which is what makes it a
        // distinctive byte pattern.
        $sequence_2 = { e8???????? 83c404 c74424fc00000000 014424fc 83ec04 2bc7 58 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   c74424fc00000000     | mov                 dword ptr [esp - 4], 0
            //   014424fc             | add                 dword ptr [esp - 4], eax
            //   83ec04               | sub                 esp, 4
            //   2bc7                 | sub                 eax, edi
            //   58                   | pop                 eax

        // Stores ebp into two adjacent fields ([edi+0x18], [edi+0x1c]) and then
        // pushes four arguments (ecx, edx, eax, and [esi+0x24] via ecx) for a
        // call that lies outside the sequence.
        $sequence_3 = { 896f18 896f1c 51 8b4e24 52 50 51 }
            // n = 7, score = 100
            //   896f18               | mov                 dword ptr [edi + 0x18], ebp
            //   896f1c               | mov                 dword ptr [edi + 0x1c], ebp
            //   51                   | push                ecx
            //   8b4e24               | mov                 ecx, dword ptr [esi + 0x24]
            //   52                   | push                edx
            //   50                   | push                eax
            //   51                   | push                ecx

        // Stores eax into a field at offset 0x180 of the object in edx, then
        // jumps backwards (jne) while [esp+0x10] is non-zero; the loop head is
        // outside the sequence.
        $sequence_4 = { 8bee 898280010000 8b442410 85c0 75aa 8b442420 33c9 }
            // n = 7, score = 100
            //   8bee                 | mov                 ebp, esi
            //   898280010000         | mov                 dword ptr [edx + 0x180], eax
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   85c0                 | test                eax, eax
            //   75aa                 | jne                 0xffffffac
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   33c9                 | xor                 ecx, ecx

        // Remainder check after an unsigned division (div ecx; test edx, edx):
        // a zero remainder increments a counter at [esi+0xd0] and takes a masked
        // jump; the following push 0x8e (142) is the first argument of whatever
        // follows.
        $sequence_5 = { f7f1 85d2 0f85c7000000 ff86d0000000 e9???????? 688e000000 68???????? }
            // n = 7, score = 100
            //   f7f1                 | div                 ecx
            //   85d2                 | test                edx, edx
            //   0f85c7000000         | jne                 0xcd
            //   ff86d0000000         | inc                 dword ptr [esi + 0xd0]
            //   e9????????           |                     
            //   688e000000           | push                0x8e
            //   68????????           |                     

        // add / adc pairs on ecx:eax -- the usual 32-bit compiler idiom for
        // 64-bit addition (offsets or sizes); the final push 2 starts a call
        // setup outside the sequence.
        $sequence_6 = { 13c2 03cf 13c2 8b542414 03ca 6a02 }
            // n = 6, score = 100
            //   13c2                 | adc                 eax, edx
            //   03cf                 | add                 ecx, edi
            //   13c2                 | adc                 eax, edx
            //   8b542414             | mov                 edx, dword ptr [esp + 0x14]
            //   03ca                 | add                 ecx, edx
            //   6a02                 | push                2

        // Masked call with four stack arguments (add esp, 0x10); a NULL/zero
        // result takes a long forward je (0x1bd), otherwise [edi+0x1c] and a
        // local at [esp+0x24] are loaded for the next call.
        $sequence_7 = { e8???????? 8bf0 83c410 85f6 0f84b7010000 8b4f1c 8d542424 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83c410               | add                 esp, 0x10
            //   85f6                 | test                esi, esi
            //   0f84b7010000         | je                  0x1bd
            //   8b4f1c               | mov                 ecx, dword ptr [edi + 0x1c]
            //   8d542424             | lea                 edx, [esp + 0x24]

        // Masked call with six stack arguments (add esp, 0x18), one of them the
        // constant 0x72 (114); a positive result jumps forward (jg), otherwise
        // 0x7d8 (2008) is pushed. The meaning of these constants is not
        // recoverable from the bytes alone.
        $sequence_8 = { 50 6a72 e8???????? 83c418 85c0 7f2a 68d8070000 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   6a72                 | push                0x72
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   85c0                 | test                eax, eax
            //   7f2a                 | jg                  0x2c
            //   68d8070000           | push                0x7d8

        // Two-argument masked call inside a loop: a zero result jumps back
        // immediately (je), a non-zero result is saved at [esp+0x10] before the
        // unconditional back-jump. The trailing push 0xe8 (232) belongs to the
        // code after the loop.
        $sequence_9 = { e8???????? 83c408 85c0 74a3 89442410 eb9d 68e8000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   74a3                 | je                  0xffffffa5
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   eb9d                 | jmp                 0xffffff9f
            //   68e8000000           | push                0xe8

    condition:
        // Any 7 of the 10 sequences must be present (tolerates a few sequences
        // being lost to recompilation or patching), and the scanned object must
        // be smaller than 2015232 bytes (~1.9 MiB). There is no MZ/PE-header
        // test, so the rule also fires on headerless memory dumps -- consistent
        // with how it was generated. If you only scan files on disk and want
        // to cut false positives, scope it yourself (e.g. uint16(0) == 0x5a4d).
        7 of them and filesize < 2015232
}