SYMBOLCOMMON_NAMEaka. SYNONYMS
win.applejeus (Back to overview)

AppleJeus

Actor(s): Lazarus Group

There is no description at this point.

References
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:39df9f4, author = {CISA}, title = {{Malware Analysis Report (AR21-048A): AppleJeus: Celas Trade Pro}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048A): AppleJeus: Celas Trade Pro
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:47648b1, author = {CISA}, title = {{Malware Analysis Report (AR21-048G): AppleJeus: Ants2Whale}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048G): AppleJeus: Ants2Whale
AppleJeus AppleJeus
2021-02-17US-CERTUS-CERT
@online{uscert:20210217:alert:3d0afe3, author = {US-CERT}, title = {{Alert (AA21-048A): AppleJeus: Analysis of North Korea’s Cryptocurrency Malware}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-048a}, language = {English}, urldate = {2021-02-20} } Alert (AA21-048A): AppleJeus: Analysis of North Korea’s Cryptocurrency Malware
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:5fa5db6, author = {CISA}, title = {{Malware Analysis Report (AR21-048C): AppleJeus: Union Crypto}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048C): AppleJeus: Union Crypto
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:59e2d5d, author = {CISA}, title = {{Malware Analysis Report (AR21-048D): AppleJeus: Kupay Wallet}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048D): AppleJeus: Kupay Wallet
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:18c1b8e, author = {CISA}, title = {{Malware Analysis Report (AR21-048B): AppleJeus: JMT Trading}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048B): AppleJeus: JMT Trading
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:191d7ae, author = {CISA}, title = {{Malware Analysis Report (AR21-048F): AppleJeus: Dorusio}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048F): AppleJeus: Dorusio
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:5113e30, author = {CISA}, title = {{Malware Analysis Report (AR21-048E): AppleJeus: CoinGoTrade}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048E): AppleJeus: CoinGoTrade
AppleJeus AppleJeus
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-10-17Vitali Kremez
@online{kremez:20191017:lets:d41b75a, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator}}, date = {2019-10-17}, url = {https://www.vkremez.com/2019/10/lets-learn-dissecting-lazarus-windows.html}, language = {English}, urldate = {2020-01-08} } Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator
AppleJeus
2019-10-11Twitter (@VK_intel)Vitali Kremez
@online{kremez:20191011:possible:3be065d, author = {Vitali Kremez}, title = {{Possible Lazarus x86 Malware (AppleJeus)}}, date = {2019-10-11}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1182730637016481793}, language = {English}, urldate = {2019-11-23} } Possible Lazarus x86 Malware (AppleJeus)
AppleJeus
Yara Rules
[TLP:WHITE] win_applejeus_auto (20210616 | Detects win.applejeus.)
rule win_applejeus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.applejeus."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.applejeus"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d85eaefffff c68574edffff00 50 6a06 6a00 8d8568edffff 50 }
            // n = 7, score = 100
            //   8d85eaefffff         | lea                 eax, dword ptr [ebp - 0x1016]
            //   c68574edffff00       | mov                 byte ptr [ebp - 0x128c], 0
            //   50                   | push                eax
            //   6a06                 | push                6
            //   6a00                 | push                0
            //   8d8568edffff         | lea                 eax, dword ptr [ebp - 0x1298]
            //   50                   | push                eax

        $sequence_1 = { 8885b5fcffff 8b85acfcffff 0406 83f064 8885b6fcffff 8b85acfcffff }
            // n = 6, score = 100
            //   8885b5fcffff         | mov                 byte ptr [ebp - 0x34b], al
            //   8b85acfcffff         | mov                 eax, dword ptr [ebp - 0x354]
            //   0406                 | add                 al, 6
            //   83f064               | xor                 eax, 0x64
            //   8885b6fcffff         | mov                 byte ptr [ebp - 0x34a], al
            //   8b85acfcffff         | mov                 eax, dword ptr [ebp - 0x354]

        $sequence_2 = { c645fc03 e8???????? 8d8d70fdffff 898520fcffff 898514fcffff c700???????? 894804 }
            // n = 7, score = 100
            //   c645fc03             | mov                 byte ptr [ebp - 4], 3
            //   e8????????           |                     
            //   8d8d70fdffff         | lea                 ecx, dword ptr [ebp - 0x290]
            //   898520fcffff         | mov                 dword ptr [ebp - 0x3e0], eax
            //   898514fcffff         | mov                 dword ptr [ebp - 0x3ec], eax
            //   c700????????         |                     
            //   894804               | mov                 dword ptr [eax + 4], ecx

        $sequence_3 = { 8b07 8b00 660fd645cc 8945dc c745cc00000000 c745d000000000 c745fc07000000 }
            // n = 7, score = 100
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   660fd645cc           | movq                qword ptr [ebp - 0x34], xmm0
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   c745cc00000000       | mov                 dword ptr [ebp - 0x34], 0
            //   c745d000000000       | mov                 dword ptr [ebp - 0x30], 0
            //   c745fc07000000       | mov                 dword ptr [ebp - 4], 7

        $sequence_4 = { c685dbf5ffff36 c685dcf5ffff4a c685ddf5ffff75 c685def5ffff72 c685dff5ffff7f c685e0f5ffff6e }
            // n = 6, score = 100
            //   c685dbf5ffff36       | mov                 byte ptr [ebp - 0xa25], 0x36
            //   c685dcf5ffff4a       | mov                 byte ptr [ebp - 0xa24], 0x4a
            //   c685ddf5ffff75       | mov                 byte ptr [ebp - 0xa23], 0x75
            //   c685def5ffff72       | mov                 byte ptr [ebp - 0xa22], 0x72
            //   c685dff5ffff7f       | mov                 byte ptr [ebp - 0xa21], 0x7f
            //   c685e0f5ffff6e       | mov                 byte ptr [ebp - 0xa20], 0x6e

        $sequence_5 = { 8b85fcfdffff 0446 83f050 888546feffff 8b85fcfdffff 0447 83f057 }
            // n = 7, score = 100
            //   8b85fcfdffff         | mov                 eax, dword ptr [ebp - 0x204]
            //   0446                 | add                 al, 0x46
            //   83f050               | xor                 eax, 0x50
            //   888546feffff         | mov                 byte ptr [ebp - 0x1ba], al
            //   8b85fcfdffff         | mov                 eax, dword ptr [ebp - 0x204]
            //   0447                 | add                 al, 0x47
            //   83f057               | xor                 eax, 0x57

        $sequence_6 = { 8985c0fdffff 8985c4fdffff e8???????? 8985b4fdffff 8d8db4fdffff 6aff 0f57c0 }
            // n = 7, score = 100
            //   8985c0fdffff         | mov                 dword ptr [ebp - 0x240], eax
            //   8985c4fdffff         | mov                 dword ptr [ebp - 0x23c], eax
            //   e8????????           |                     
            //   8985b4fdffff         | mov                 dword ptr [ebp - 0x24c], eax
            //   8d8db4fdffff         | lea                 ecx, dword ptr [ebp - 0x24c]
            //   6aff                 | push                -1
            //   0f57c0               | xorps               xmm0, xmm0

        $sequence_7 = { 83f802 745c 83f803 7548 56 8b750c 68???????? }
            // n = 7, score = 100
            //   83f802               | cmp                 eax, 2
            //   745c                 | je                  0x5e
            //   83f803               | cmp                 eax, 3
            //   7548                 | jne                 0x4a
            //   56                   | push                esi
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   68????????           |                     

        $sequence_8 = { 8b570c 8b4f08 e8???????? 8b5704 83c40c c744240c21070000 8bf0 }
            // n = 7, score = 100
            //   8b570c               | mov                 edx, dword ptr [edi + 0xc]
            //   8b4f08               | mov                 ecx, dword ptr [edi + 8]
            //   e8????????           |                     
            //   8b5704               | mov                 edx, dword ptr [edi + 4]
            //   83c40c               | add                 esp, 0xc
            //   c744240c21070000     | mov                 dword ptr [esp + 0xc], 0x721
            //   8bf0                 | mov                 esi, eax

        $sequence_9 = { 83f00a 8845f7 8b45bc 0438 83f063 8845f8 8b45bc }
            // n = 7, score = 100
            //   83f00a               | xor                 eax, 0xa
            //   8845f7               | mov                 byte ptr [ebp - 9], al
            //   8b45bc               | mov                 eax, dword ptr [ebp - 0x44]
            //   0438                 | add                 al, 0x38
            //   83f063               | xor                 eax, 0x63
            //   8845f8               | mov                 byte ptr [ebp - 8], al
            //   8b45bc               | mov                 eax, dword ptr [ebp - 0x44]

    condition:
        7 of them and filesize < 1245184
}
Download all Yara Rules