SYMBOLCOMMON_NAMEaka. SYNONYMS
win.applejeus (Back to overview)

AppleJeus

Actor(s): Lazarus Group

There is no description at this point.

References
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-10-17Vitali Kremez
@online{kremez:20191017:lets:d41b75a, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator}}, date = {2019-10-17}, url = {https://www.vkremez.com/2019/10/lets-learn-dissecting-lazarus-windows.html}, language = {English}, urldate = {2020-01-08} } Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator
AppleJeus
2019-10-11Twitter (@VK_intel)Vitali Kremez
@online{kremez:20191011:possible:3be065d, author = {Vitali Kremez}, title = {{Possible Lazarus x86 Malware (AppleJeus)}}, date = {2019-10-11}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1182730637016481793}, language = {English}, urldate = {2019-11-23} } Possible Lazarus x86 Malware (AppleJeus)
AppleJeus
Yara Rules
[TLP:WHITE] win_applejeus_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_applejeus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.applejeus"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c685e9fcffff27 c685eafcffff32 c685ebfcffff0e c685ecfcffff2e 8a85bcfcffff c685edfcffff00 0f1f840000000000 }
            // n = 7, score = 100
            //   c685e9fcffff27       | mov                 byte ptr [ebp - 0x317], 0x27
            //   c685eafcffff32       | mov                 byte ptr [ebp - 0x316], 0x32
            //   c685ebfcffff0e       | mov                 byte ptr [ebp - 0x315], 0xe
            //   c685ecfcffff2e       | mov                 byte ptr [ebp - 0x314], 0x2e
            //   8a85bcfcffff         | mov                 al, byte ptr [ebp - 0x344]
            //   c685edfcffff00       | mov                 byte ptr [ebp - 0x313], 0
            //   0f1f840000000000     | nop                 dword ptr [eax + eax]

        $sequence_1 = { c745fccd060000 8b55fc 56 8bf1 81f2490f0000 81f286090000 8b4e04 }
            // n = 7, score = 100
            //   c745fccd060000       | mov                 dword ptr [ebp - 4], 0x6cd
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   81f2490f0000         | xor                 edx, 0xf49
            //   81f286090000         | xor                 edx, 0x986
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]

        $sequence_2 = { 8b442444 0410 83f069 88442458 8b442444 0411 83f070 }
            // n = 7, score = 100
            //   8b442444             | mov                 eax, dword ptr [esp + 0x44]
            //   0410                 | add                 al, 0x10
            //   83f069               | xor                 eax, 0x69
            //   88442458             | mov                 byte ptr [esp + 0x58], al
            //   8b442444             | mov                 eax, dword ptr [esp + 0x44]
            //   0411                 | add                 al, 0x11
            //   83f070               | xor                 eax, 0x70

        $sequence_3 = { 59 2bc8 33c0 d3c8 3305???????? 3905???????? 0f858e100000 }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   2bc8                 | sub                 ecx, eax
            //   33c0                 | xor                 eax, eax
            //   d3c8                 | ror                 eax, cl
            //   3305????????         |                     
            //   3905????????         |                     
            //   0f858e100000         | jne                 0x1094

        $sequence_4 = { 0f57c0 8b37 8b7f08 898534ffffff b8???????? 0541020000 c78514ffffff02000000 }
            // n = 7, score = 100
            //   0f57c0               | xorps               xmm0, xmm0
            //   8b37                 | mov                 esi, dword ptr [edi]
            //   8b7f08               | mov                 edi, dword ptr [edi + 8]
            //   898534ffffff         | mov                 dword ptr [ebp - 0xcc], eax
            //   b8????????           |                     
            //   0541020000           | add                 eax, 0x241
            //   c78514ffffff02000000     | mov    dword ptr [ebp - 0xec], 2

        $sequence_5 = { 33d2 c68590feffff3b c68591feffff42 c68592feffff24 c68593feffff2d c68594feffff0b c68595feffff1d }
            // n = 7, score = 100
            //   33d2                 | xor                 edx, edx
            //   c68590feffff3b       | mov                 byte ptr [ebp - 0x170], 0x3b
            //   c68591feffff42       | mov                 byte ptr [ebp - 0x16f], 0x42
            //   c68592feffff24       | mov                 byte ptr [ebp - 0x16e], 0x24
            //   c68593feffff2d       | mov                 byte ptr [ebp - 0x16d], 0x2d
            //   c68594feffff0b       | mov                 byte ptr [ebp - 0x16c], 0xb
            //   c68595feffff1d       | mov                 byte ptr [ebp - 0x16b], 0x1d

        $sequence_6 = { 888575fcffff 8b8568fcffff 040a 83f020 888576fcffff 8b8568fcffff 040b }
            // n = 7, score = 100
            //   888575fcffff         | mov                 byte ptr [ebp - 0x38b], al
            //   8b8568fcffff         | mov                 eax, dword ptr [ebp - 0x398]
            //   040a                 | add                 al, 0xa
            //   83f020               | xor                 eax, 0x20
            //   888576fcffff         | mov                 byte ptr [ebp - 0x38a], al
            //   8b8568fcffff         | mov                 eax, dword ptr [ebp - 0x398]
            //   040b                 | add                 al, 0xb

        $sequence_7 = { e8???????? 8bc8 e8???????? 8d4c241c 51 8d4c2440 0fb600 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   8d4c241c             | lea                 ecx, [esp + 0x1c]
            //   51                   | push                ecx
            //   8d4c2440             | lea                 ecx, [esp + 0x40]
            //   0fb600               | movzx               eax, byte ptr [eax]

        $sequence_8 = { c700???????? 897004 897808 8b4de4 c645fc04 6a1c }
            // n = 6, score = 100
            //   c700????????         |                     
            //   897004               | mov                 dword ptr [eax + 4], esi
            //   897808               | mov                 dword ptr [eax + 8], edi
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   c645fc04             | mov                 byte ptr [ebp - 4], 4
            //   6a1c                 | push                0x1c

        $sequence_9 = { 0403 83f04f 88857bffffff 8b8574ffffff 0404 83f049 88857cffffff }
            // n = 7, score = 100
            //   0403                 | add                 al, 3
            //   83f04f               | xor                 eax, 0x4f
            //   88857bffffff         | mov                 byte ptr [ebp - 0x85], al
            //   8b8574ffffff         | mov                 eax, dword ptr [ebp - 0x8c]
            //   0404                 | add                 al, 4
            //   83f049               | xor                 eax, 0x49
            //   88857cffffff         | mov                 byte ptr [ebp - 0x84], al

    condition:
        7 of them and filesize < 1245184
}
Download all Yara Rules