win.applejeus

AppleJeus

Actor(s): Lazarus Group


There is no description at this point.

References
2023-04-18 | Mandiant | Mandiant
M-Trends 2023
Families: QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate

2022-12-16 | Sekoia | Jamila B., Threat & Detection Research Team
The DPRK delicate sound of cyber
Families: AppleJeus AppleJeus SnatchCrypto

2022-05-09 | cocomelonc | cocomelonc
Malware development: persistence - part 4. Windows services. Simple C++ example.
Families: Anchor AppleJeus Attor BBSRAT BlackEnergy Carbanak Cobalt Strike DuQu

2021-10-11 | Telsy | Telsy
Lazarus Group continues AppleJeus Operation
Families: AppleJeus

2021-10-08 | Virus Bulletin | Seongsu Park
Multi-universe of adversary: multiple campaigns of the Lazarus group and their connections
Families: Dacls AppleJeus AppleJeus Bankshot BookCodes RAT Dacls DRATzarus LCPDot LPEClient

2021-02-18 | Symantec | Threat Hunter Team
Lazarus: Three North Koreans Charged for Financially Motivated Attacks
Families: AppleJeus POOLRAT Unidentified macOS 001 (UnionCryptoTrader) AppleJeus Unidentified 077 (Lazarus Downloader)

2021-02-17 | US-CERT | CISA
Malware Analysis Report (AR21-048E): AppleJeus: CoinGoTrade
Families: AppleJeus POOLRAT AppleJeus

2021-02-17 | US-CERT | CISA
Malware Analysis Report (AR21-048C): AppleJeus: Union Crypto
Families: AppleJeus Unidentified macOS 001 (UnionCryptoTrader) AppleJeus

2021-02-17 | US-CERT | CISA
Malware Analysis Report (AR21-048F): AppleJeus: Dorusio
Families: AppleJeus AppleJeus Unidentified 077 (Lazarus Downloader)

2021-02-17 | US-CERT | CISA
Malware Analysis Report (AR21-048G): AppleJeus: Ants2Whale
Families: AppleJeus AppleJeus

2021-02-17 | US-CERT | CISA
Malware Analysis Report (AR21-048D): AppleJeus: Kupay Wallet
Families: AppleJeus AppleJeus

2021-02-17 | US-CERT | CISA
Malware Analysis Report (AR21-048B): AppleJeus: JMT Trading
Families: AppleJeus AppleJeus

2021-02-17 | US-CERT | CISA
Malware Analysis Report (AR21-048A): AppleJeus: Celas Trade Pro
Families: AppleJeus AppleJeus

2021-02-17 | US-CERT | US-CERT
Alert (AA21-048A): AppleJeus: Analysis of North Korea’s Cryptocurrency Malware
Families: AppleJeus AppleJeus Lazarus Group

2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
APT Report 2019
Families: Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy

2019-10-17 | Vitali Kremez
Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator
Families: AppleJeus

2019-10-11 | Twitter (@VK_intel) | Vitali Kremez
Possible Lazarus x86 Malware (AppleJeus)
Families: AppleJeus
Yara Rules
[TLP:WHITE] win_applejeus_auto (20230808 | Detects win.applejeus.)
rule win_applejeus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.applejeus."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.applejeus"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8902 8b4608 8b08 8b4604 810044f3ffff 8100bc0c0000 }
            // n = 6, score = 100
            //   8902                 | mov                 dword ptr [edx], eax
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   810044f3ffff         | add                 dword ptr [eax], 0xfffff344
            //   8100bc0c0000         | add                 dword ptr [eax], 0xcbc

        $sequence_1 = { 8b4604 8b00 33c2 0f8583000000 c745f45b000000 8b45f4 83f032 }
            // n = 7, score = 100
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   33c2                 | xor                 eax, edx
            //   0f8583000000         | jne                 0x89
            //   c745f45b000000       | mov                 dword ptr [ebp - 0xc], 0x5b
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   83f032               | xor                 eax, 0x32

        $sequence_2 = { 8945dc 8d45d0 c745d0a08e4200 897dd4 8975d8 0f1145b0 }
            // n = 6, score = 100
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   8d45d0               | lea                 eax, [ebp - 0x30]
            //   c745d0a08e4200       | mov                 dword ptr [ebp - 0x30], 0x428ea0
            //   897dd4               | mov                 dword ptr [ebp - 0x2c], edi
            //   8975d8               | mov                 dword ptr [ebp - 0x28], esi
            //   0f1145b0             | movups              xmmword ptr [ebp - 0x50], xmm0

        $sequence_3 = { 8b4a04 50 0f1145c8 c745a8e0294200 0f1145d8 897dac 8975b0 }
            // n = 7, score = 100
            //   8b4a04               | mov                 ecx, dword ptr [edx + 4]
            //   50                   | push                eax
            //   0f1145c8             | movups              xmmword ptr [ebp - 0x38], xmm0
            //   c745a8e0294200       | mov                 dword ptr [ebp - 0x58], 0x4229e0
            //   0f1145d8             | movups              xmmword ptr [ebp - 0x28], xmm0
            //   897dac               | mov                 dword ptr [ebp - 0x54], edi
            //   8975b0               | mov                 dword ptr [ebp - 0x50], esi

        $sequence_4 = { e8???????? 8b4dc8 83c414 8945cc 89851cffffff c700???????? 897004 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b4dc8               | mov                 ecx, dword ptr [ebp - 0x38]
            //   83c414               | add                 esp, 0x14
            //   8945cc               | mov                 dword ptr [ebp - 0x34], eax
            //   89851cffffff         | mov                 dword ptr [ebp - 0xe4], eax
            //   c700????????         |                     
            //   897004               | mov                 dword ptr [eax + 4], esi

        $sequence_5 = { c745e400000000 8b410c 50 6a00 51 8b04851cfb4600 ffd0 }
            // n = 7, score = 100
            //   c745e400000000       | mov                 dword ptr [ebp - 0x1c], 0
            //   8b410c               | mov                 eax, dword ptr [ecx + 0xc]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   51                   | push                ecx
            //   8b04851cfb4600       | mov                 eax, dword ptr [eax*4 + 0x46fb1c]
            //   ffd0                 | call                eax

        $sequence_6 = { c68589f5ffff7d c6858af5ffff85 c6858bf5ffff72 c6858cf5ffff83 c6858df5ffff59 c6858ef5ffff3a c6858ff5ffff77 }
            // n = 7, score = 100
            //   c68589f5ffff7d       | mov                 byte ptr [ebp - 0xa77], 0x7d
            //   c6858af5ffff85       | mov                 byte ptr [ebp - 0xa76], 0x85
            //   c6858bf5ffff72       | mov                 byte ptr [ebp - 0xa75], 0x72
            //   c6858cf5ffff83       | mov                 byte ptr [ebp - 0xa74], 0x83
            //   c6858df5ffff59       | mov                 byte ptr [ebp - 0xa73], 0x59
            //   c6858ef5ffff3a       | mov                 byte ptr [ebp - 0xa72], 0x3a
            //   c6858ff5ffff77       | mov                 byte ptr [ebp - 0xa71], 0x77

        $sequence_7 = { 8d4db0 e9???????? 8d4db4 e9???????? 8d4dac e9???????? 8b542408 }
            // n = 7, score = 100
            //   8d4db0               | lea                 ecx, [ebp - 0x50]
            //   e9????????           |                     
            //   8d4db4               | lea                 ecx, [ebp - 0x4c]
            //   e9????????           |                     
            //   8d4dac               | lea                 ecx, [ebp - 0x54]
            //   e9????????           |                     
            //   8b542408             | mov                 edx, dword ptr [esp + 8]

        $sequence_8 = { e8???????? 8b7588 8d4d94 83c418 e8???????? c78568ffffffd5030000 8b8568ffffff }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b7588               | mov                 esi, dword ptr [ebp - 0x78]
            //   8d4d94               | lea                 ecx, [ebp - 0x6c]
            //   83c418               | add                 esp, 0x18
            //   e8????????           |                     
            //   c78568ffffffd5030000 | mov                 dword ptr [ebp - 0x98], 0x3d5
            //   8b8568ffffff         | mov                 eax, dword ptr [ebp - 0x98]

        $sequence_9 = { 8d85d42e0000 50 ff15???????? 57 ff15???????? e9???????? ff15???????? }
            // n = 7, score = 100
            //   8d85d42e0000         | lea                 eax, [ebp + 0x2ed4]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   57                   | push                edi
            //   ff15????????         |                     
            //   e9????????           |                     
            //   ff15????????         |                     

    condition:
        7 of them and filesize < 1245184
}