SYMBOLCOMMON_NAMEaka. SYNONYMS
win.applejeus (Back to overview)

AppleJeus

Actor(s): Lazarus Group

There is no description at this point.

References
2022-05-09cocomelonccocomelonc
@online{cocomelonc:20220509:malware:1cdee23, author = {cocomelonc}, title = {{Malware development: persistence - part 4. Windows services. Simple C++ example.}}, date = {2022-05-09}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html}, language = {English}, urldate = {2022-12-01} } Malware development: persistence - part 4. Windows services. Simple C++ example.
Anchor AppleJeus Attor BBSRAT BlackEnergy Carbanak Cobalt Strike DuQu
2021-10-11TelsyTelsy
@online{telsy:20211011:lazarus:7e07a1e, author = {Telsy}, title = {{Lazarus Group continues AppleJeus Operation}}, date = {2021-10-11}, organization = {Telsy}, url = {https://www.telsy.com/download/5394/?uid=28b0a4577e}, language = {English}, urldate = {2021-10-26} } Lazarus Group continues AppleJeus Operation
AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:47648b1, author = {CISA}, title = {{Malware Analysis Report (AR21-048G): AppleJeus: Ants2Whale}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048G): AppleJeus: Ants2Whale
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:5113e30, author = {CISA}, title = {{Malware Analysis Report (AR21-048E): AppleJeus: CoinGoTrade}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048E): AppleJeus: CoinGoTrade
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:59e2d5d, author = {CISA}, title = {{Malware Analysis Report (AR21-048D): AppleJeus: Kupay Wallet}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048D): AppleJeus: Kupay Wallet
AppleJeus AppleJeus
2021-02-17US-CERTUS-CERT
@online{uscert:20210217:alert:3d0afe3, author = {US-CERT}, title = {{Alert (AA21-048A): AppleJeus: Analysis of North Korea’s Cryptocurrency Malware}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-048a}, language = {English}, urldate = {2021-02-20} } Alert (AA21-048A): AppleJeus: Analysis of North Korea’s Cryptocurrency Malware
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:18c1b8e, author = {CISA}, title = {{Malware Analysis Report (AR21-048B): AppleJeus: JMT Trading}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048B): AppleJeus: JMT Trading
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:5fa5db6, author = {CISA}, title = {{Malware Analysis Report (AR21-048C): AppleJeus: Union Crypto}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048C): AppleJeus: Union Crypto
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:39df9f4, author = {CISA}, title = {{Malware Analysis Report (AR21-048A): AppleJeus: Celas Trade Pro}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048A): AppleJeus: Celas Trade Pro
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:191d7ae, author = {CISA}, title = {{Malware Analysis Report (AR21-048F): AppleJeus: Dorusio}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048F): AppleJeus: Dorusio
AppleJeus AppleJeus
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-10-17Vitali Kremez
@online{kremez:20191017:lets:d41b75a, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator}}, date = {2019-10-17}, url = {https://www.vkremez.com/2019/10/lets-learn-dissecting-lazarus-windows.html}, language = {English}, urldate = {2020-01-08} } Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator
AppleJeus
2019-10-11Twitter (@VK_intel)Vitali Kremez
@online{kremez:20191011:possible:3be065d, author = {Vitali Kremez}, title = {{Possible Lazarus x86 Malware (AppleJeus)}}, date = {2019-10-11}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1182730637016481793}, language = {English}, urldate = {2019-11-23} } Possible Lazarus x86 Malware (AppleJeus)
AppleJeus
Yara Rules
[TLP:WHITE] win_applejeus_auto (20221125 | Detects win.applejeus.)
rule win_applejeus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.applejeus."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.applejeus"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 3945bc 727d ff7734 8b03 6a04 6800100000 03c2 }
            // n = 7, score = 100
            //   3945bc               | cmp                 dword ptr [ebp - 0x44], eax
            //   727d                 | jb                  0x7f
            //   ff7734               | push                dword ptr [edi + 0x34]
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   6a04                 | push                4
            //   6800100000           | push                0x1000
            //   03c2                 | add                 eax, edx

        $sequence_1 = { 8b048518034700 ffd0 8b75e4 83c410 0bf0 c745d8d4b24500 8d45dc }
            // n = 7, score = 100
            //   8b048518034700       | mov                 eax, dword ptr [eax*4 + 0x470318]
            //   ffd0                 | call                eax
            //   8b75e4               | mov                 esi, dword ptr [ebp - 0x1c]
            //   83c410               | add                 esp, 0x10
            //   0bf0                 | or                  esi, eax
            //   c745d8d4b24500       | mov                 dword ptr [ebp - 0x28], 0x45b2d4
            //   8d45dc               | lea                 eax, [ebp - 0x24]

        $sequence_2 = { e8???????? 8b8d44ffffff 83c40c 89853cffffff 898530ffffff c700???????? 897004 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b8d44ffffff         | mov                 ecx, dword ptr [ebp - 0xbc]
            //   83c40c               | add                 esp, 0xc
            //   89853cffffff         | mov                 dword ptr [ebp - 0xc4], eax
            //   898530ffffff         | mov                 dword ptr [ebp - 0xd0], eax
            //   c700????????         |                     
            //   897004               | mov                 dword ptr [eax + 4], esi

        $sequence_3 = { 897704 c7442418d5030000 c744241c00000000 8b17 8b7704 8b442418 2bd0 }
            // n = 7, score = 100
            //   897704               | mov                 dword ptr [edi + 4], esi
            //   c7442418d5030000     | mov                 dword ptr [esp + 0x18], 0x3d5
            //   c744241c00000000     | mov                 dword ptr [esp + 0x1c], 0
            //   8b17                 | mov                 edx, dword ptr [edi]
            //   8b7704               | mov                 esi, dword ptr [edi + 4]
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   2bd0                 | sub                 edx, eax

        $sequence_4 = { 81e100f00000 81f900300000 750b 8b4dc4 25ff0f0000 010c38 8b03 }
            // n = 7, score = 100
            //   81e100f00000         | and                 ecx, 0xf000
            //   81f900300000         | cmp                 ecx, 0x3000
            //   750b                 | jne                 0xd
            //   8b4dc4               | mov                 ecx, dword ptr [ebp - 0x3c]
            //   25ff0f0000           | and                 eax, 0xfff
            //   010c38               | add                 dword ptr [eax + edi], ecx
            //   8b03                 | mov                 eax, dword ptr [ebx]

        $sequence_5 = { 0f57c0 c745e421070000 8b45e4 3302 8902 c745e421070000 8b45e4 }
            // n = 7, score = 100
            //   0f57c0               | xorps               xmm0, xmm0
            //   c745e421070000       | mov                 dword ptr [ebp - 0x1c], 0x721
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   3302                 | xor                 eax, dword ptr [edx]
            //   8902                 | mov                 dword ptr [edx], eax
            //   c745e421070000       | mov                 dword ptr [ebp - 0x1c], 0x721
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]

        $sequence_6 = { 8955c8 e8???????? f30f7e45c4 8bf8 83c418 897de0 897dd4 }
            // n = 7, score = 100
            //   8955c8               | mov                 dword ptr [ebp - 0x38], edx
            //   e8????????           |                     
            //   f30f7e45c4           | movq                xmm0, qword ptr [ebp - 0x3c]
            //   8bf8                 | mov                 edi, eax
            //   83c418               | add                 esp, 0x18
            //   897de0               | mov                 dword ptr [ebp - 0x20], edi
            //   897dd4               | mov                 dword ptr [ebp - 0x2c], edi

        $sequence_7 = { 81f6660c0000 8902 8b4104 8930 8b4108 5e 8b00 }
            // n = 7, score = 100
            //   81f6660c0000         | xor                 esi, 0xc66
            //   8902                 | mov                 dword ptr [edx], eax
            //   8b4104               | mov                 eax, dword ptr [ecx + 4]
            //   8930                 | mov                 dword ptr [eax], esi
            //   8b4108               | mov                 eax, dword ptr [ecx + 8]
            //   5e                   | pop                 esi
            //   8b00                 | mov                 eax, dword ptr [eax]

        $sequence_8 = { c745fc00000000 c745fcf3150000 8b55fc 8b4608 81f2490f0000 8b4e04 81f2fa0a0000 }
            // n = 7, score = 100
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   c745fcf3150000       | mov                 dword ptr [ebp - 4], 0x15f3
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   81f2490f0000         | xor                 edx, 0xf49
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   81f2fa0a0000         | xor                 edx, 0xafa

        $sequence_9 = { 83f055 888575e8ffff 8b8570e8ffff 0402 83f056 888576e8ffff 8b8570e8ffff }
            // n = 7, score = 100
            //   83f055               | xor                 eax, 0x55
            //   888575e8ffff         | mov                 byte ptr [ebp - 0x178b], al
            //   8b8570e8ffff         | mov                 eax, dword ptr [ebp - 0x1790]
            //   0402                 | add                 al, 2
            //   83f056               | xor                 eax, 0x56
            //   888576e8ffff         | mov                 byte ptr [ebp - 0x178a], al
            //   8b8570e8ffff         | mov                 eax, dword ptr [ebp - 0x1790]

    condition:
        7 of them and filesize < 1245184
}
Download all Yara Rules