win.applejeus

AppleJeus

Actor(s): Lazarus Group


There is no description at this point.

References

2023-04-18 | Mandiant | Mandiant
M-Trends 2023
Families: QUIETEXIT, AppleJeus, Black Basta, BlackCat, CaddyWiper, Cobalt Strike, Dharma, HermeticWiper, Hive, INDUSTROYER2, Ladon, LockBit, Meterpreter, PartyTicket, PlugX, QakBot, REvil, Royal Ransom, SystemBC, WhisperGate

2022-12-16 | Sekoia | Jamila B., Threat & Detection Research Team
The DPRK delicate sound of cyber
Families: AppleJeus, AppleJeus, SnatchCrypto

2022-08-15 | Brandefense | Brandefense
Lazarus APT Group (APT38)
Families: AppleJeus, AppleJeus, BADCALL, Bankshot, BLINDINGCAN, DRATzarus, Dtrack, KEYMARBLE, Sierra(Alfa,Bravo, ...), Torisma, WannaCryptor

2022-05-09 | cocomelonc | cocomelonc
Malware development: persistence - part 4. Windows services. Simple C++ example.
Families: Anchor, AppleJeus, Attor, BBSRAT, BlackEnergy, Carbanak, Cobalt Strike, DuQu

2021-10-11 | Telsy | Telsy
Lazarus Group continues AppleJeus Operation
Families: AppleJeus

2021-10-08 | Virus Bulletin | Seongsu Park
Multi-universe of adversary: multiple campaigns of the Lazarus group and their connections
Families: Dacls, AppleJeus, AppleJeus, Bankshot, BookCodes RAT, Dacls, DRATzarus, LCPDot, LPEClient

2021-02-18 | Symantec | Threat Hunter Team
Lazarus: Three North Koreans Charged for Financially Motivated Attacks
Families: AppleJeus, POOLRAT, Unidentified macOS 001 (UnionCryptoTrader), AppleJeus, Unidentified 077 (Lazarus Downloader)

2021-02-17 | US-CERT | CISA
Malware Analysis Report (AR21-048A): AppleJeus: Celas Trade Pro
Families: AppleJeus, AppleJeus

2021-02-17 | US-CERT | CISA
Malware Analysis Report (AR21-048B): AppleJeus: JMT Trading
Families: AppleJeus, AppleJeus

2021-02-17 | US-CERT | CISA
Malware Analysis Report (AR21-048D): AppleJeus: Kupay Wallet
Families: AppleJeus, AppleJeus

2021-02-17 | US-CERT | CISA
Malware Analysis Report (AR21-048G): AppleJeus: Ants2Whale
Families: AppleJeus, AppleJeus

2021-02-17 | US-CERT | US-CERT
Alert (AA21-048A): AppleJeus: Analysis of North Korea's Cryptocurrency Malware
Families: AppleJeus, AppleJeus, Lazarus Group

2021-02-17 | US-CERT | CISA
Malware Analysis Report (AR21-048F): AppleJeus: Dorusio
Families: AppleJeus, AppleJeus, Unidentified 077 (Lazarus Downloader)

2021-02-17 | US-CERT | CISA
Malware Analysis Report (AR21-048C): AppleJeus: Union Crypto
Families: AppleJeus, Unidentified macOS 001 (UnionCryptoTrader), AppleJeus

2021-02-17 | US-CERT | CISA
Malware Analysis Report (AR21-048E): AppleJeus: CoinGoTrade
Families: AppleJeus, POOLRAT, AppleJeus

2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
APT Report 2019
Families: Chrysaor, Exodus, Dacls, VPNFilter, DNSRat, Griffon, KopiLuwak, More_eggs, SQLRat, AppleJeus, BONDUPDATER, Agent.BTZ, Anchor, AndroMut, AppleJeus, BOOSTWRITE, Brambul, Carbanak, Cobalt Strike, Dacls, DistTrack, DNSpionage, Dtrack, ELECTRICFISH, FlawedAmmyy, FlawedGrace, Get2, Grateful POS, HOPLIGHT, Imminent Monitor RAT, jason, Joanap, KerrDown, KEYMARBLE, Lambert, LightNeuron, LoJax, MiniDuke, PolyglotDuke, PowerRatankba, Rising Sun, SDBbot, ServHelper, Snatch, Stuxnet, TinyMet, tRat, TrickBot, Volgmer, X-Agent, Zebrocy

2019-10-17 | Vitali Kremez
Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator
Families: AppleJeus

2019-10-11 | Twitter (@VK_intel) | Vitali Kremez
Possible Lazarus x86 Malware (AppleJeus)
Families: AppleJeus
Yara Rules
[TLP:WHITE] win_applejeus_auto (20260504 | Detects win.applejeus.)
rule win_applejeus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.applejeus."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.applejeus"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0f84f2000000 8b07 0f57c0 8b4f08 8b570c 894594 8b4704 }
            // n = 7, score = 200
            //   0f84f2000000         | je                  0xf8
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   0f57c0               | xorps               xmm0, xmm0
            //   8b4f08               | mov                 ecx, dword ptr [edi + 8]
            //   8b570c               | mov                 edx, dword ptr [edi + 0xc]
            //   894594               | mov                 dword ptr [ebp - 0x6c], eax
            //   8b4704               | mov                 eax, dword ptr [edi + 4]

        $sequence_1 = { 8b0f 8901 ffd6 8b4f04 0f57c0 660fd645e0 c745e000000000 }
            // n = 7, score = 200
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   8901                 | mov                 dword ptr [ecx], eax
            //   ffd6                 | call                esi
            //   8b4f04               | mov                 ecx, dword ptr [edi + 4]
            //   0f57c0               | xorps               xmm0, xmm0
            //   660fd645e0           | movq                qword ptr [ebp - 0x20], xmm0
            //   c745e000000000       | mov                 dword ptr [ebp - 0x20], 0

        $sequence_2 = { ffd0 84c0 7406 8b06 8bce eb04 }
            // n = 6, score = 200
            //   ffd0                 | call                eax
            //   84c0                 | test                al, al
            //   7406                 | je                  8
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8bce                 | mov                 ecx, esi
            //   eb04                 | jmp                 6

        $sequence_3 = { 8b4e08 81f2490f0000 c745fcd5030000 81f289060000 8b01 0345fc 8901 }
            // n = 7, score = 200
            //   8b4e08               | mov                 ecx, dword ptr [esi + 8]
            //   81f2490f0000         | xor                 edx, 0xf49
            //   c745fcd5030000       | mov                 dword ptr [ebp - 4], 0x3d5
            //   81f289060000         | xor                 edx, 0x689
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   0345fc               | add                 eax, dword ptr [ebp - 4]
            //   8901                 | mov                 dword ptr [ecx], eax

        $sequence_4 = { e9???????? 8d8de4ecffff e9???????? 8d8df8eeffff e9???????? 8d8d3cefffff e9???????? }
            // n = 7, score = 200
            //   e9????????           |                     
            //   8d8de4ecffff         | lea                 ecx, [ebp - 0x131c]
            //   e9????????           |                     
            //   8d8df8eeffff         | lea                 ecx, [ebp - 0x1108]
            //   e9????????           |                     
            //   8d8d3cefffff         | lea                 ecx, [ebp - 0x10c4]
            //   e9????????           |                     

        $sequence_5 = { 6a08 0f118560eeffff c78590efffff00000000 8b7008 8b7804 660fd68580efffff c78594efffff00000000 }
            // n = 7, score = 200
            //   6a08                 | push                8
            //   0f118560eeffff       | movups              xmmword ptr [ebp - 0x11a0], xmm0
            //   c78590efffff00000000 | mov                 dword ptr [ebp - 0x1070], 0
            //   8b7008               | mov                 esi, dword ptr [eax + 8]
            //   8b7804               | mov                 edi, dword ptr [eax + 4]
            //   660fd68580efffff     | movq                qword ptr [ebp - 0x1080], xmm0
            //   c78594efffff00000000 | mov                 dword ptr [ebp - 0x106c], 0

        $sequence_6 = { 5e 8b0a 8908 c70200000000 5d c3 83f802 }
            // n = 7, score = 200
            //   5e                   | pop                 esi
            //   8b0a                 | mov                 ecx, dword ptr [edx]
            //   8908                 | mov                 dword ptr [eax], ecx
            //   c70200000000         | mov                 dword ptr [edx], 0
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   83f802               | cmp                 eax, 2

        $sequence_7 = { 8b7e04 894604 8b45e8 8906 c745fc00000000 85ff 7421 }
            // n = 7, score = 200
            //   8b7e04               | mov                 edi, dword ptr [esi + 4]
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   8906                 | mov                 dword ptr [esi], eax
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   85ff                 | test                edi, edi
            //   7421                 | je                  0x23

        $sequence_8 = { c68548ffffff1b c68549ffffff3e c6854affffff2b c6854bffffff3e c6854cffffff03 c6854dffffff13 c6854effffff30 }
            // n = 7, score = 200
            //   c68548ffffff1b       | mov                 byte ptr [ebp - 0xb8], 0x1b
            //   c68549ffffff3e       | mov                 byte ptr [ebp - 0xb7], 0x3e
            //   c6854affffff2b       | mov                 byte ptr [ebp - 0xb6], 0x2b
            //   c6854bffffff3e       | mov                 byte ptr [ebp - 0xb5], 0x3e
            //   c6854cffffff03       | mov                 byte ptr [ebp - 0xb4], 3
            //   c6854dffffff13       | mov                 byte ptr [ebp - 0xb3], 0x13
            //   c6854effffff30       | mov                 byte ptr [ebp - 0xb2], 0x30

        $sequence_9 = { 8d8dc0feffff e9???????? 8d8dc4feffff e9???????? 8d8dc8feffff e9???????? 8d8dc0feffff }
            // n = 7, score = 200
            //   8d8dc0feffff         | lea                 ecx, [ebp - 0x140]
            //   e9????????           |                     
            //   8d8dc4feffff         | lea                 ecx, [ebp - 0x13c]
            //   e9????????           |                     
            //   8d8dc8feffff         | lea                 ecx, [ebp - 0x138]
            //   e9????????           |                     
            //   8d8dc0feffff         | lea                 ecx, [ebp - 0x140]

    condition:
        7 of them and filesize < 1245184
}