SYMBOLCOMMON_NAMEaka. SYNONYMS
win.applejeus (Back to overview)

AppleJeus

Actor(s): Lazarus Group

There is no description at this point.

References
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-10-17Vitali Kremez
@online{kremez:20191017:lets:d41b75a, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator}}, date = {2019-10-17}, url = {https://www.vkremez.com/2019/10/lets-learn-dissecting-lazarus-windows.html}, language = {English}, urldate = {2020-01-08} } Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator
AppleJeus
2019-10-11Twitter (@VK_intel)Vitali Kremez
@online{kremez:20191011:possible:3be065d, author = {Vitali Kremez}, title = {{Possible Lazarus x86 Malware (AppleJeus)}}, date = {2019-10-11}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1182730637016481793}, language = {English}, urldate = {2019-11-23} } Possible Lazarus x86 Malware (AppleJeus)
AppleJeus
Yara Rules
[TLP:WHITE] win_applejeus_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_applejeus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.applejeus"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c745ec00000000 8938 c745fc00000000 8b7304 c745c400000000 c745c800000000 c745cc00000000 }
            // n = 7, score = 100
            //   c745ec00000000       | mov                 dword ptr [ebp - 0x14], 0
            //   8938                 | mov                 dword ptr [eax], edi
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   8b7304               | mov                 esi, dword ptr [ebx + 4]
            //   c745c400000000       | mov                 dword ptr [ebp - 0x3c], 0
            //   c745c800000000       | mov                 dword ptr [ebp - 0x38], 0
            //   c745cc00000000       | mov                 dword ptr [ebp - 0x34], 0

        $sequence_1 = { 33c8 888c1564f6ffff 42 83fa73 72df c685d7f6ffff00 8d8d64f6ffff }
            // n = 7, score = 100
            //   33c8                 | xor                 ecx, eax
            //   888c1564f6ffff       | mov                 byte ptr [ebp + edx - 0x99c], cl
            //   42                   | inc                 edx
            //   83fa73               | cmp                 edx, 0x73
            //   72df                 | jb                  0xffffffe1
            //   c685d7f6ffff00       | mov                 byte ptr [ebp - 0x929], 0
            //   8d8d64f6ffff         | lea                 ecx, [ebp - 0x99c]

        $sequence_2 = { c745e400000000 8b410c 50 6a00 51 8b04856cfc4600 ffd0 }
            // n = 7, score = 100
            //   c745e400000000       | mov                 dword ptr [ebp - 0x1c], 0
            //   8b410c               | mov                 eax, dword ptr [ecx + 0xc]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   51                   | push                ecx
            //   8b04856cfc4600       | mov                 eax, dword ptr [eax*4 + 0x46fc6c]
            //   ffd0                 | call                eax

        $sequence_3 = { 0f1f840000000000 8a841570e7ffff 0fbe8d6ce7ffff 0fbec0 33c1 88841570e7ffff 42 }
            // n = 7, score = 100
            //   0f1f840000000000     | nop                 dword ptr [eax + eax]
            //   8a841570e7ffff       | mov                 al, byte ptr [ebp + edx - 0x1890]
            //   0fbe8d6ce7ffff       | movsx               ecx, byte ptr [ebp - 0x1894]
            //   0fbec0               | movsx               eax, al
            //   33c1                 | xor                 eax, ecx
            //   88841570e7ffff       | mov                 byte ptr [ebp + edx - 0x1890], al
            //   42                   | inc                 edx

        $sequence_4 = { 0420 83f064 8885ace8ffff 8b8588e8ffff 0421 83f061 8885ade8ffff }
            // n = 7, score = 100
            //   0420                 | add                 al, 0x20
            //   83f064               | xor                 eax, 0x64
            //   8885ace8ffff         | mov                 byte ptr [ebp - 0x1754], al
            //   8b8588e8ffff         | mov                 eax, dword ptr [ebp - 0x1778]
            //   0421                 | add                 al, 0x21
            //   83f061               | xor                 eax, 0x61
            //   8885ade8ffff         | mov                 byte ptr [ebp - 0x1753], al

        $sequence_5 = { 6a08 e8???????? 8d8de4f7ffff 8985e4f6ffff 83c404 898580f4ffff }
            // n = 6, score = 100
            //   6a08                 | push                8
            //   e8????????           |                     
            //   8d8de4f7ffff         | lea                 ecx, [ebp - 0x81c]
            //   8985e4f6ffff         | mov                 dword ptr [ebp - 0x91c], eax
            //   83c404               | add                 esp, 4
            //   898580f4ffff         | mov                 dword ptr [ebp - 0xb80], eax

        $sequence_6 = { c68568fbffff2a c68569fbffff24 c6856afbffff05 88856bfbffff 8a8560fbffff 6690 }
            // n = 6, score = 100
            //   c68568fbffff2a       | mov                 byte ptr [ebp - 0x498], 0x2a
            //   c68569fbffff24       | mov                 byte ptr [ebp - 0x497], 0x24
            //   c6856afbffff05       | mov                 byte ptr [ebp - 0x496], 5
            //   88856bfbffff         | mov                 byte ptr [ebp - 0x495], al
            //   8a8560fbffff         | mov                 al, byte ptr [ebp - 0x4a0]
            //   6690                 | nop                 

        $sequence_7 = { c7470400000000 e8???????? 8d442410 897c2410 50 e8???????? 8b742410 }
            // n = 7, score = 100
            //   c7470400000000       | mov                 dword ptr [edi + 4], 0
            //   e8????????           |                     
            //   8d442410             | lea                 eax, [esp + 0x10]
            //   897c2410             | mov                 dword ptr [esp + 0x10], edi
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b742410             | mov                 esi, dword ptr [esp + 0x10]

        $sequence_8 = { e9???????? 8d8d5ce7ffff e9???????? 8d8d70e9ffff e9???????? 8d8d50e7ffff e9???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8d8d5ce7ffff         | lea                 ecx, [ebp - 0x18a4]
            //   e9????????           |                     
            //   8d8d70e9ffff         | lea                 ecx, [ebp - 0x1690]
            //   e9????????           |                     
            //   8d8d50e7ffff         | lea                 ecx, [ebp - 0x18b0]
            //   e9????????           |                     

        $sequence_9 = { c645fc03 e8???????? 8945e4 8945d4 c700???????? 897004 c645fc04 }
            // n = 7, score = 100
            //   c645fc03             | mov                 byte ptr [ebp - 4], 3
            //   e8????????           |                     
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8945d4               | mov                 dword ptr [ebp - 0x2c], eax
            //   c700????????         |                     
            //   897004               | mov                 dword ptr [eax + 4], esi
            //   c645fc04             | mov                 byte ptr [ebp - 4], 4

    condition:
        7 of them and filesize < 1245184
}
Download all Yara Rules