win.applejeus

AppleJeus

Actor(s): Lazarus Group


There is no description at this point.

References
2021-10-11 | Telsy | Telsy
@online{telsy:20211011:lazarus:7e07a1e, author = {Telsy}, title = {{Lazarus Group continues AppleJeus Operation}}, date = {2021-10-11}, organization = {Telsy}, url = {https://www.telsy.com/download/5394/?uid=28b0a4577e}, language = {English}, urldate = {2021-10-26} } Lazarus Group continues AppleJeus Operation
AppleJeus
2021-02-17 | US-CERT | CISA
@online{cisa:20210217:malware:39df9f4, author = {CISA}, title = {{Malware Analysis Report (AR21-048A): AppleJeus: Celas Trade Pro}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048A): AppleJeus: Celas Trade Pro
AppleJeus AppleJeus
2021-02-17 | US-CERT | CISA
@online{cisa:20210217:malware:47648b1, author = {CISA}, title = {{Malware Analysis Report (AR21-048G): AppleJeus: Ants2Whale}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048G): AppleJeus: Ants2Whale
AppleJeus AppleJeus
2021-02-17 | US-CERT | US-CERT
@online{uscert:20210217:alert:3d0afe3, author = {US-CERT}, title = {{Alert (AA21-048A): AppleJeus: Analysis of North Korea’s Cryptocurrency Malware}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-048a}, language = {English}, urldate = {2021-02-20} } Alert (AA21-048A): AppleJeus: Analysis of North Korea’s Cryptocurrency Malware
AppleJeus AppleJeus
2021-02-17 | US-CERT | CISA
@online{cisa:20210217:malware:5fa5db6, author = {CISA}, title = {{Malware Analysis Report (AR21-048C): AppleJeus: Union Crypto}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048C): AppleJeus: Union Crypto
AppleJeus AppleJeus
2021-02-17 | US-CERT | CISA
@online{cisa:20210217:malware:59e2d5d, author = {CISA}, title = {{Malware Analysis Report (AR21-048D): AppleJeus: Kupay Wallet}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048D): AppleJeus: Kupay Wallet
AppleJeus AppleJeus
2021-02-17 | US-CERT | CISA
@online{cisa:20210217:malware:18c1b8e, author = {CISA}, title = {{Malware Analysis Report (AR21-048B): AppleJeus: JMT Trading}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048B): AppleJeus: JMT Trading
AppleJeus AppleJeus
2021-02-17 | US-CERT | CISA
@online{cisa:20210217:malware:191d7ae, author = {CISA}, title = {{Malware Analysis Report (AR21-048F): AppleJeus: Dorusio}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048F): AppleJeus: Dorusio
AppleJeus AppleJeus
2021-02-17 | US-CERT | CISA
@online{cisa:20210217:malware:5113e30, author = {CISA}, title = {{Malware Analysis Report (AR21-048E): AppleJeus: CoinGoTrade}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048E): AppleJeus: CoinGoTrade
AppleJeus AppleJeus
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-10-17 | Vitali Kremez
@online{kremez:20191017:lets:d41b75a, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator}}, date = {2019-10-17}, url = {https://www.vkremez.com/2019/10/lets-learn-dissecting-lazarus-windows.html}, language = {English}, urldate = {2020-01-08} } Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator
AppleJeus
2019-10-11 | Twitter (@VK_intel) | Vitali Kremez
@online{kremez:20191011:possible:3be065d, author = {Vitali Kremez}, title = {{Possible Lazarus x86 Malware (AppleJeus)}}, date = {2019-10-11}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1182730637016481793}, language = {English}, urldate = {2019-11-23} } Possible Lazarus x86 Malware (AppleJeus)
AppleJeus
Yara Rules
[TLP:WHITE] win_applejeus_auto (20220516 | Detects win.applejeus.)
rule win_applejeus_auto {

    // Autogenerated code-sequence rule for win.applejeus (YARA-Signator output).
    // Each $sequence_N is a run of x86 instruction encodings lifted from the
    // disassembly of the reference sample(s); the commented disassembly next to
    // every string is documentation only and does not influence matching.
    // Bytes written as "??" are wildcards: they mask the operand of a call
    // (e8 rel32) or an immediate (c7 00 imm32) that changes between builds,
    // while every other byte must match exactly.

    meta:
        // Informational only; meta fields do not take part in matching.
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.applejeus."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.applejeus"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each sequence is 7 instructions long (n = 7); the per-sequence "score"
        // is the generator's own ranking and is not used by YARA.
        // Because the sequences were taken from unpacked code / memory dumps,
        // the rule is meant for unpacked images and memory scans, not for the
        // packed on-disk form.
        $sequence_0 = { e8???????? 8945dc 8945c0 c700???????? 897004 897808 8b75e4 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   8945c0               | mov                 dword ptr [ebp - 0x40], eax
            //   c700????????         |                     
            //   897004               | mov                 dword ptr [eax + 4], esi
            //   897808               | mov                 dword ptr [eax + 8], edi
            //   8b75e4               | mov                 esi, dword ptr [ebp - 0x1c]

        // Two pushes of the same stack slot followed by an indirect call through
        // ebx; the callee is not encoded in the bytes, so this sequence does not
        // reveal which API/function is invoked.
        $sequence_1 = { ffb424fc010000 ffb424fc010000 ffd3 5f 5e 5b 8b8c2468020000 }
            // n = 7, score = 100
            //   ffb424fc010000       | push                dword ptr [esp + 0x1fc]
            //   ffb424fc010000       | push                dword ptr [esp + 0x1fc]
            //   ffd3                 | call                ebx
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   8b8c2468020000       | mov                 ecx, dword ptr [esp + 0x268]

        $sequence_2 = { c700???????? 894804 897008 e8???????? 898540eeffff 8d8de0efffff 8985ececffff }
            // n = 7, score = 100
            //   c700????????         |                     
            //   894804               | mov                 dword ptr [eax + 4], ecx
            //   897008               | mov                 dword ptr [eax + 8], esi
            //   e8????????           |                     
            //   898540eeffff         | mov                 dword ptr [ebp - 0x11c0], eax
            //   8d8de0efffff         | lea                 ecx, [ebp - 0x1020]
            //   8985ececffff         | mov                 dword ptr [ebp - 0x1314], eax

        // $sequence_3, _5, _7 and _8 share one shape: "add al, <i>" then
        // "xor eax, <k>" then a byte store to consecutive stack offsets
        // (e.g. [ebp - 0x992] and [ebp - 0x991] here). This looks like an
        // unrolled per-byte decode of a constant into a stack buffer, which is
        // consistent with the compile-time string obfuscation discussed in the
        // Kremez reference listed above — NOTE(review): inferred from the
        // disassembly, confirm against the sample. The add/xor constants are
        // data-dependent, so a rebuilt string would change these bytes.
        $sequence_3 = { 040a 83f030 88856ef6ffff 8b8560f6ffff 040b 83f020 88856ff6ffff }
            // n = 7, score = 100
            //   040a                 | add                 al, 0xa
            //   83f030               | xor                 eax, 0x30
            //   88856ef6ffff         | mov                 byte ptr [ebp - 0x992], al
            //   8b8560f6ffff         | mov                 eax, dword ptr [ebp - 0x9a0]
            //   040b                 | add                 al, 0xb
            //   83f020               | xor                 eax, 0x20
            //   88856ff6ffff         | mov                 byte ptr [ebp - 0x991], al

        $sequence_4 = { 50 6865010000 56 8d9518ffffff 8d4d98 e8???????? 8b759c }
            // n = 7, score = 100
            //   50                   | push                eax
            //   6865010000           | push                0x165
            //   56                   | push                esi
            //   8d9518ffffff         | lea                 edx, [ebp - 0xe8]
            //   8d4d98               | lea                 ecx, [ebp - 0x68]
            //   e8????????           |                     
            //   8b759c               | mov                 esi, dword ptr [ebp - 0x64]

        // Same add/xor/byte-store shape as $sequence_3 (see note there).
        $sequence_5 = { 888504feffff 8b85fcfdffff 0405 83f065 888505feffff 8b85fcfdffff 0406 }
            // n = 7, score = 100
            //   888504feffff         | mov                 byte ptr [ebp - 0x1fc], al
            //   8b85fcfdffff         | mov                 eax, dword ptr [ebp - 0x204]
            //   0405                 | add                 al, 5
            //   83f065               | xor                 eax, 0x65
            //   888505feffff         | mov                 byte ptr [ebp - 0x1fb], al
            //   8b85fcfdffff         | mov                 eax, dword ptr [ebp - 0x204]
            //   0406                 | add                 al, 6

        // The final instruction stores the absolute value 0x4299e0 without a
        // wildcard, so this sequence is tied to the reference sample's image
        // base/layout and is the one most likely to stop matching on a relinked
        // or rebased build.
        $sequence_6 = { 8a45af 0f57c0 8845e8 8b45e8 8945dc 8d45d0 c745d0e0994200 }
            // n = 7, score = 100
            //   8a45af               | mov                 al, byte ptr [ebp - 0x51]
            //   0f57c0               | xorps               xmm0, xmm0
            //   8845e8               | mov                 byte ptr [ebp - 0x18], al
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   8d45d0               | lea                 eax, [ebp - 0x30]
            //   c745d0e0994200       | mov                 dword ptr [ebp - 0x30], 0x4299e0

        // Same add/xor/byte-store shape as $sequence_3 (see note there).
        $sequence_7 = { 83f061 88856af6ffff 8b8560f6ffff 0407 83f02f 88856bf6ffff 8b8560f6ffff }
            // n = 7, score = 100
            //   83f061               | xor                 eax, 0x61
            //   88856af6ffff         | mov                 byte ptr [ebp - 0x996], al
            //   8b8560f6ffff         | mov                 eax, dword ptr [ebp - 0x9a0]
            //   0407                 | add                 al, 7
            //   83f02f               | xor                 eax, 0x2f
            //   88856bf6ffff         | mov                 byte ptr [ebp - 0x995], al
            //   8b8560f6ffff         | mov                 eax, dword ptr [ebp - 0x9a0]

        // Same add/xor/byte-store shape as $sequence_3 (see note there).
        $sequence_8 = { 88857bfcffff 8b8568fcffff 0410 83f028 88857cfcffff 8b8568fcffff 0411 }
            // n = 7, score = 100
            //   88857bfcffff         | mov                 byte ptr [ebp - 0x385], al
            //   8b8568fcffff         | mov                 eax, dword ptr [ebp - 0x398]
            //   0410                 | add                 al, 0x10
            //   83f028               | xor                 eax, 0x28
            //   88857cfcffff         | mov                 byte ptr [ebp - 0x384], al
            //   8b8568fcffff         | mov                 eax, dword ptr [ebp - 0x398]
            //   0411                 | add                 al, 0x11

        // Indexed byte load ([ebp + edx - 0x1200]) combined with a running
        // xor/add on ecx/cl — presumably one iteration of a loop over a buffer
        // (checksum or decode); the surrounding loop is not part of the rule.
        $sequence_9 = { 8a8500eeffff 90 8a841500eeffff 8b8dfcedffff 02ca 0fbec0 33c8 }
            // n = 7, score = 100
            //   8a8500eeffff         | mov                 al, byte ptr [ebp - 0x1200]
            //   90                   | nop                 
            //   8a841500eeffff       | mov                 al, byte ptr [ebp + edx - 0x1200]
            //   8b8dfcedffff         | mov                 ecx, dword ptr [ebp - 0x1204]
            //   02ca                 | add                 cl, dl
            //   0fbec0               | movsx               eax, al
            //   33c8                 | xor                 ecx, eax

    condition:
        // Ten sequences are declared, so at least 7 of the 10 must be present.
        // 1245184 == 0x130000 bytes (1216 KiB): anything at or above this size
        // is never matched, even if every sequence is present, so a padded or
        // differently packed build can fall outside the rule. Treat a hit as a
        // strong code-similarity signal rather than proof of family membership
        // (see the generator disclaimer above about single-sample coverage).
        7 of them and filesize < 1245184
}