SYMBOLCOMMON_NAMEaka. SYNONYMS
win.applejeus (Back to overview)

AppleJeus

Actor(s): Lazarus Group

There is no description at this point.

References
2023-04-18MandiantMandiant
@online{mandiant:20230418:mtrends:af1a28e, author = {Mandiant}, title = {{M-Trends 2023}}, date = {2023-04-18}, organization = {Mandiant}, url = {https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023}, language = {English}, urldate = {2023-04-18} } M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate
2022-12-16SekoiaThreat & Detection Research Team, Jamila B.
@online{team:20221216:dprk:4abe047, author = {Threat & Detection Research Team and Jamila B.}, title = {{The DPRK delicate sound of cyber}}, date = {2022-12-16}, organization = {Sekoia}, url = {https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/}, language = {English}, urldate = {2023-09-18} } The DPRK delicate sound of cyber
AppleJeus AppleJeus SnatchCrypto
2022-05-09cocomelonccocomelonc
@online{cocomelonc:20220509:malware:1cdee23, author = {cocomelonc}, title = {{Malware development: persistence - part 4. Windows services. Simple C++ example.}}, date = {2022-05-09}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html}, language = {English}, urldate = {2022-12-01} } Malware development: persistence - part 4. Windows services. Simple C++ example.
Anchor AppleJeus Attor BBSRAT BlackEnergy Carbanak Cobalt Strike DuQu
2021-10-11TelsyTelsy
@online{telsy:20211011:lazarus:7e07a1e, author = {Telsy}, title = {{Lazarus Group continues AppleJeus Operation}}, date = {2021-10-11}, organization = {Telsy}, url = {https://www.telsy.com/download/5394/?uid=28b0a4577e}, language = {English}, urldate = {2021-10-26} } Lazarus Group continues AppleJeus Operation
AppleJeus
2021-10-08Virus BulletinSeongsu Park
@techreport{park:20211008:multiuniverse:87fc078, author = {Seongsu Park}, title = {{Multi-universe of adversary: multiple campaigns of the Lazarus group and their connections}}, date = {2021-10-08}, institution = {Virus Bulletin}, url = {https://vblocalhost.com/uploads/VB2021-Park.pdf}, language = {English}, urldate = {2023-07-24} } Multi-universe of adversary: multiple campaigns of the Lazarus group and their connections
Dacls AppleJeus AppleJeus Bankshot BookCodes RAT Dacls DRATzarus LCPDot LPEClient
2021-02-18SymantecThreat Hunter Team
@online{team:20210218:lazarus:f98481c, author = {Threat Hunter Team}, title = {{Lazarus: Three North Koreans Charged for Financially Motivated Attacks}}, date = {2021-02-18}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment}, language = {English}, urldate = {2023-08-21} } Lazarus: Three North Koreans Charged for Financially Motivated Attacks
AppleJeus POOLRAT Unidentified macOS 001 (UnionCryptoTrader) AppleJeus Unidentified 077 (Lazarus Downloader)
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:47648b1, author = {CISA}, title = {{Malware Analysis Report (AR21-048G): AppleJeus: Ants2Whale}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048G): AppleJeus: Ants2Whale
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:5113e30, author = {CISA}, title = {{Malware Analysis Report (AR21-048E): AppleJeus: CoinGoTrade}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048E): AppleJeus: CoinGoTrade
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:59e2d5d, author = {CISA}, title = {{Malware Analysis Report (AR21-048D): AppleJeus: Kupay Wallet}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048D): AppleJeus: Kupay Wallet
AppleJeus AppleJeus
2021-02-17US-CERTUS-CERT
@online{uscert:20210217:alert:3d0afe3, author = {US-CERT}, title = {{Alert (AA21-048A): AppleJeus: Analysis of North Korea’s Cryptocurrency Malware}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-048a}, language = {English}, urldate = {2021-02-20} } Alert (AA21-048A): AppleJeus: Analysis of North Korea’s Cryptocurrency Malware
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:18c1b8e, author = {CISA}, title = {{Malware Analysis Report (AR21-048B): AppleJeus: JMT Trading}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048B): AppleJeus: JMT Trading
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:5fa5db6, author = {CISA}, title = {{Malware Analysis Report (AR21-048C): AppleJeus: Union Crypto}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c}, language = {English}, urldate = {2023-06-29} } Malware Analysis Report (AR21-048C): AppleJeus: Union Crypto
AppleJeus Unidentified macOS 001 (UnionCryptoTrader) AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:39df9f4, author = {CISA}, title = {{Malware Analysis Report (AR21-048A): AppleJeus: Celas Trade Pro}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048A): AppleJeus: Celas Trade Pro
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:191d7ae, author = {CISA}, title = {{Malware Analysis Report (AR21-048F): AppleJeus: Dorusio}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f}, language = {English}, urldate = {2023-06-29} } Malware Analysis Report (AR21-048F): AppleJeus: Dorusio
AppleJeus AppleJeus Unidentified 077 (Lazarus Downloader)
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-10-17Vitali Kremez
@online{kremez:20191017:lets:d41b75a, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator}}, date = {2019-10-17}, url = {https://www.vkremez.com/2019/10/lets-learn-dissecting-lazarus-windows.html}, language = {English}, urldate = {2020-01-08} } Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator
AppleJeus
2019-10-11Twitter (@VK_intel)Vitali Kremez
@online{kremez:20191011:possible:3be065d, author = {Vitali Kremez}, title = {{Possible Lazarus x86 Malware (AppleJeus)}}, date = {2019-10-11}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1182730637016481793}, language = {English}, urldate = {2019-11-23} } Possible Lazarus x86 Malware (AppleJeus)
AppleJeus
Yara Rules
[TLP:WHITE] win_applejeus_auto (20230715 | Detects win.applejeus.)
rule win_applejeus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.applejeus."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.applejeus"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83f035 88856cf6ffff 8b8560f6ffff 0409 83f02e 88856df6ffff 8b8560f6ffff }
            // n = 7, score = 100
            //   83f035               | xor                 eax, 0x35
            //   88856cf6ffff         | mov                 byte ptr [ebp - 0x994], al
            //   8b8560f6ffff         | mov                 eax, dword ptr [ebp - 0x9a0]
            //   0409                 | add                 al, 9
            //   83f02e               | xor                 eax, 0x2e
            //   88856df6ffff         | mov                 byte ptr [ebp - 0x993], al
            //   8b8560f6ffff         | mov                 eax, dword ptr [ebp - 0x9a0]

        $sequence_1 = { 6690 668b844d78ecffff 0fb7c0 83c0f6 6689844d78ecffff 41 }
            // n = 6, score = 100
            //   6690                 | nop                 
            //   668b844d78ecffff     | mov                 ax, word ptr [ebp + ecx*2 - 0x1388]
            //   0fb7c0               | movzx               eax, ax
            //   83c0f6               | add                 eax, -0xa
            //   6689844d78ecffff     | mov                 word ptr [ebp + ecx*2 - 0x1388], ax
            //   41                   | inc                 ecx

        $sequence_2 = { 0411 83f074 8885f1fcffff 8b85dcfcffff 0412 83f05c 8885f2fcffff }
            // n = 7, score = 100
            //   0411                 | add                 al, 0x11
            //   83f074               | xor                 eax, 0x74
            //   8885f1fcffff         | mov                 byte ptr [ebp - 0x30f], al
            //   8b85dcfcffff         | mov                 eax, dword ptr [ebp - 0x324]
            //   0412                 | add                 al, 0x12
            //   83f05c               | xor                 eax, 0x5c
            //   8885f2fcffff         | mov                 byte ptr [ebp - 0x30e], al

        $sequence_3 = { 58 668906 8b048d38f14800 668955e0 6a0a 8854072a 8b0c8d38f14800 }
            // n = 7, score = 100
            //   58                   | pop                 eax
            //   668906               | mov                 word ptr [esi], ax
            //   8b048d38f14800       | mov                 eax, dword ptr [ecx*4 + 0x48f138]
            //   668955e0             | mov                 word ptr [ebp - 0x20], dx
            //   6a0a                 | push                0xa
            //   8854072a             | mov                 byte ptr [edi + eax + 0x2a], dl
            //   8b0c8d38f14800       | mov                 ecx, dword ptr [ecx*4 + 0x48f138]

        $sequence_4 = { 8d4ddc e9???????? 8d8d60ffffff e9???????? 8d8d64ffffff e9???????? 8d8d68ffffff }
            // n = 7, score = 100
            //   8d4ddc               | lea                 ecx, [ebp - 0x24]
            //   e9????????           |                     
            //   8d8d60ffffff         | lea                 ecx, [ebp - 0xa0]
            //   e9????????           |                     
            //   8d8d64ffffff         | lea                 ecx, [ebp - 0x9c]
            //   e9????????           |                     
            //   8d8d68ffffff         | lea                 ecx, [ebp - 0x98]

        $sequence_5 = { 8b8de4f6ffff 83c404 8985e0f6ffff f30f7e85ccf7ffff 660fd64004 c700???????? 89700c }
            // n = 7, score = 100
            //   8b8de4f6ffff         | mov                 ecx, dword ptr [ebp - 0x91c]
            //   83c404               | add                 esp, 4
            //   8985e0f6ffff         | mov                 dword ptr [ebp - 0x920], eax
            //   f30f7e85ccf7ffff     | movq                xmm0, qword ptr [ebp - 0x834]
            //   660fd64004           | movq                qword ptr [eax + 4], xmm0
            //   c700????????         |                     
            //   89700c               | mov                 dword ptr [eax + 0xc], esi

        $sequence_6 = { 85c0 0f8428070000 50 c70002000000 ff15???????? 6a00 6a0c }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   0f8428070000         | je                  0x72e
            //   50                   | push                eax
            //   c70002000000         | mov                 dword ptr [eax], 2
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6a0c                 | push                0xc

        $sequence_7 = { c685c8fcffff01 c685c9fcffff1a c685cafcffff07 c685cbfcffff06 c685ccfcffff05 c685cdfcffff0d c685cefcffff06 }
            // n = 7, score = 100
            //   c685c8fcffff01       | mov                 byte ptr [ebp - 0x338], 1
            //   c685c9fcffff1a       | mov                 byte ptr [ebp - 0x337], 0x1a
            //   c685cafcffff07       | mov                 byte ptr [ebp - 0x336], 7
            //   c685cbfcffff06       | mov                 byte ptr [ebp - 0x335], 6
            //   c685ccfcffff05       | mov                 byte ptr [ebp - 0x334], 5
            //   c685cdfcffff0d       | mov                 byte ptr [ebp - 0x333], 0xd
            //   c685cefcffff06       | mov                 byte ptr [ebp - 0x332], 6

        $sequence_8 = { 8b8510e9ffff 038514e9ffff 50 e8???????? 8d8dd8fdffff 83c40c 8d5101 }
            // n = 7, score = 100
            //   8b8510e9ffff         | mov                 eax, dword ptr [ebp - 0x16f0]
            //   038514e9ffff         | add                 eax, dword ptr [ebp - 0x16ec]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d8dd8fdffff         | lea                 ecx, [ebp - 0x228]
            //   83c40c               | add                 esp, 0xc
            //   8d5101               | lea                 edx, [ecx + 1]

        $sequence_9 = { 33852cdfffff d1f9 660fd68514dfffff 89852cdfffff 898d2cdfffff c78514dfffff00000000 }
            // n = 6, score = 100
            //   33852cdfffff         | xor                 eax, dword ptr [ebp - 0x20d4]
            //   d1f9                 | sar                 ecx, 1
            //   660fd68514dfffff     | movq                qword ptr [ebp - 0x20ec], xmm0
            //   89852cdfffff         | mov                 dword ptr [ebp - 0x20d4], eax
            //   898d2cdfffff         | mov                 dword ptr [ebp - 0x20d4], ecx
            //   c78514dfffff00000000     | mov    dword ptr [ebp - 0x20ec], 0

    condition:
        7 of them and filesize < 1245184
}
Download all Yara Rules