SYMBOLCOMMON_NAMEaka. SYNONYMS
win.applejeus (Back to overview)

AppleJeus

Actor(s): Lazarus Group

There is no description at this point.

References
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:39df9f4, author = {CISA}, title = {{Malware Analysis Report (AR21-048A): AppleJeus: Celas Trade Pro}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048A): AppleJeus: Celas Trade Pro
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:47648b1, author = {CISA}, title = {{Malware Analysis Report (AR21-048G): AppleJeus: Ants2Whale}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048G): AppleJeus: Ants2Whale
AppleJeus AppleJeus
2021-02-17US-CERTUS-CERT
@online{uscert:20210217:alert:3d0afe3, author = {US-CERT}, title = {{Alert (AA21-048A): AppleJeus: Analysis of North Korea’s Cryptocurrency Malware}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-048a}, language = {English}, urldate = {2021-02-20} } Alert (AA21-048A): AppleJeus: Analysis of North Korea’s Cryptocurrency Malware
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:5fa5db6, author = {CISA}, title = {{Malware Analysis Report (AR21-048C): AppleJeus: Union Crypto}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048C): AppleJeus: Union Crypto
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:59e2d5d, author = {CISA}, title = {{Malware Analysis Report (AR21-048D): AppleJeus: Kupay Wallet}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048D): AppleJeus: Kupay Wallet
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:18c1b8e, author = {CISA}, title = {{Malware Analysis Report (AR21-048B): AppleJeus: JMT Trading}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048B): AppleJeus: JMT Trading
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:191d7ae, author = {CISA}, title = {{Malware Analysis Report (AR21-048F): AppleJeus: Dorusio}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048F): AppleJeus: Dorusio
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:5113e30, author = {CISA}, title = {{Malware Analysis Report (AR21-048E): AppleJeus: CoinGoTrade}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048E): AppleJeus: CoinGoTrade
AppleJeus AppleJeus
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-10-17Vitali Kremez
@online{kremez:20191017:lets:d41b75a, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator}}, date = {2019-10-17}, url = {https://www.vkremez.com/2019/10/lets-learn-dissecting-lazarus-windows.html}, language = {English}, urldate = {2020-01-08} } Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator
AppleJeus
2019-10-11Twitter (@VK_intel)Vitali Kremez
@online{kremez:20191011:possible:3be065d, author = {Vitali Kremez}, title = {{Possible Lazarus x86 Malware (AppleJeus)}}, date = {2019-10-11}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1182730637016481793}, language = {English}, urldate = {2019-11-23} } Possible Lazarus x86 Malware (AppleJeus)
AppleJeus
Yara Rules
[TLP:WHITE] win_applejeus_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_applejeus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.applejeus"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d75dc c78548ffffff00000000 c7854cffffff00000000 c78550ffffff00000000 6a0c c645fc18 e8???????? }
            // n = 7, score = 100
            //   8d75dc               | lea                 esi, [ebp - 0x24]
            //   c78548ffffff00000000     | mov    dword ptr [ebp - 0xb8], 0
            //   c7854cffffff00000000     | mov    dword ptr [ebp - 0xb4], 0
            //   c78550ffffff00000000     | mov    dword ptr [ebp - 0xb0], 0
            //   6a0c                 | push                0xc
            //   c645fc18             | mov                 byte ptr [ebp - 4], 0x18
            //   e8????????           |                     

        $sequence_1 = { 81f291020000 8b4e04 c745fc21070000 8b01 3345fc 8901 c745fc21070000 }
            // n = 7, score = 100
            //   81f291020000         | xor                 edx, 0x291
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   c745fc21070000       | mov                 dword ptr [ebp - 4], 0x721
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   3345fc               | xor                 eax, dword ptr [ebp - 4]
            //   8901                 | mov                 dword ptr [ecx], eax
            //   c745fc21070000       | mov                 dword ptr [ebp - 4], 0x721

        $sequence_2 = { c785dcf5ffff01000000 898588f5ffff 83c430 8d85e0fdffff c785c8f5ffff00000000 89858cf5ffff 8d85d4fbffff }
            // n = 7, score = 100
            //   c785dcf5ffff01000000     | mov    dword ptr [ebp - 0xa24], 1
            //   898588f5ffff         | mov                 dword ptr [ebp - 0xa78], eax
            //   83c430               | add                 esp, 0x30
            //   8d85e0fdffff         | lea                 eax, [ebp - 0x220]
            //   c785c8f5ffff00000000     | mov    dword ptr [ebp - 0xa38], 0
            //   89858cf5ffff         | mov                 dword ptr [ebp - 0xa74], eax
            //   8d85d4fbffff         | lea                 eax, [ebp - 0x42c]

        $sequence_3 = { 8d8d50ffffff e9???????? 8d8d48ffffff e9???????? 8d4dc8 e9???????? 8d8d64ffffff }
            // n = 7, score = 100
            //   8d8d50ffffff         | lea                 ecx, [ebp - 0xb0]
            //   e9????????           |                     
            //   8d8d48ffffff         | lea                 ecx, [ebp - 0xb8]
            //   e9????????           |                     
            //   8d4dc8               | lea                 ecx, [ebp - 0x38]
            //   e9????????           |                     
            //   8d8d64ffffff         | lea                 ecx, [ebp - 0x9c]

        $sequence_4 = { 8945ac 660fd645c0 c745c000000000 c745c400000000 c78554ffffff00000000 c78558ffffff00000000 c7855cffffff00000000 }
            // n = 7, score = 100
            //   8945ac               | mov                 dword ptr [ebp - 0x54], eax
            //   660fd645c0           | movq                qword ptr [ebp - 0x40], xmm0
            //   c745c000000000       | mov                 dword ptr [ebp - 0x40], 0
            //   c745c400000000       | mov                 dword ptr [ebp - 0x3c], 0
            //   c78554ffffff00000000     | mov    dword ptr [ebp - 0xac], 0
            //   c78558ffffff00000000     | mov    dword ptr [ebp - 0xa8], 0
            //   c7855cffffff00000000     | mov    dword ptr [ebp - 0xa4], 0

        $sequence_5 = { c68591fdffff65 c68592fdffff4a c68593fdffff45 c68594fdffff73 c68595fdffff54 c68596fdffff61 c68597fdffff4e }
            // n = 7, score = 100
            //   c68591fdffff65       | mov                 byte ptr [ebp - 0x26f], 0x65
            //   c68592fdffff4a       | mov                 byte ptr [ebp - 0x26e], 0x4a
            //   c68593fdffff45       | mov                 byte ptr [ebp - 0x26d], 0x45
            //   c68594fdffff73       | mov                 byte ptr [ebp - 0x26c], 0x73
            //   c68595fdffff54       | mov                 byte ptr [ebp - 0x26b], 0x54
            //   c68596fdffff61       | mov                 byte ptr [ebp - 0x26a], 0x61
            //   c68597fdffff4e       | mov                 byte ptr [ebp - 0x269], 0x4e

        $sequence_6 = { c6850df5ffff62 c6850ef5ffff68 c6850ff5ffff66 c68510f5ffff30 c68511f5ffff79 c68512f5ffff2e c68513f5ffff79 }
            // n = 7, score = 100
            //   c6850df5ffff62       | mov                 byte ptr [ebp - 0xaf3], 0x62
            //   c6850ef5ffff68       | mov                 byte ptr [ebp - 0xaf2], 0x68
            //   c6850ff5ffff66       | mov                 byte ptr [ebp - 0xaf1], 0x66
            //   c68510f5ffff30       | mov                 byte ptr [ebp - 0xaf0], 0x30
            //   c68511f5ffff79       | mov                 byte ptr [ebp - 0xaef], 0x79
            //   c68512f5ffff2e       | mov                 byte ptr [ebp - 0xaee], 0x2e
            //   c68513f5ffff79       | mov                 byte ptr [ebp - 0xaed], 0x79

        $sequence_7 = { 8b30 8b4104 2b32 810044f3ffff 8100bc0c0000 8b4104 8930 }
            // n = 7, score = 100
            //   8b30                 | mov                 esi, dword ptr [eax]
            //   8b4104               | mov                 eax, dword ptr [ecx + 4]
            //   2b32                 | sub                 esi, dword ptr [edx]
            //   810044f3ffff         | add                 dword ptr [eax], 0xfffff344
            //   8100bc0c0000         | add                 dword ptr [eax], 0xcbc
            //   8b4104               | mov                 eax, dword ptr [ecx + 4]
            //   8930                 | mov                 dword ptr [eax], esi

        $sequence_8 = { 0f84a2000000 8b03 0345d4 56 6a00 50 8943fc }
            // n = 7, score = 100
            //   0f84a2000000         | je                  0xa8
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   0345d4               | add                 eax, dword ptr [ebp - 0x2c]
            //   56                   | push                esi
            //   6a00                 | push                0
            //   50                   | push                eax
            //   8943fc               | mov                 dword ptr [ebx - 4], eax

        $sequence_9 = { c745d830564200 897ddc 8975e0 0f1145b8 50 0f1145c8 0f1045d8 }
            // n = 7, score = 100
            //   c745d830564200       | mov                 dword ptr [ebp - 0x28], 0x425630
            //   897ddc               | mov                 dword ptr [ebp - 0x24], edi
            //   8975e0               | mov                 dword ptr [ebp - 0x20], esi
            //   0f1145b8             | movups              xmmword ptr [ebp - 0x48], xmm0
            //   50                   | push                eax
            //   0f1145c8             | movups              xmmword ptr [ebp - 0x38], xmm0
            //   0f1045d8             | movups              xmm0, xmmword ptr [ebp - 0x28]

    condition:
        7 of them and filesize < 1245184
}
Download all Yara Rules