SYMBOLCOMMON_NAMEaka. SYNONYMS
win.applejeus (Back to overview)

AppleJeus

Actor(s): Lazarus Group

There is no description at this point.

References
2021-10-11TelsyTelsy
@online{telsy:20211011:lazarus:7e07a1e, author = {Telsy}, title = {{Lazarus Group continues AppleJeus Operation}}, date = {2021-10-11}, organization = {Telsy}, url = {https://www.telsy.com/download/5394/?uid=28b0a4577e}, language = {English}, urldate = {2021-10-26} } Lazarus Group continues AppleJeus Operation
AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:39df9f4, author = {CISA}, title = {{Malware Analysis Report (AR21-048A): AppleJeus: Celas Trade Pro}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048A): AppleJeus: Celas Trade Pro
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:47648b1, author = {CISA}, title = {{Malware Analysis Report (AR21-048G): AppleJeus: Ants2Whale}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048G): AppleJeus: Ants2Whale
AppleJeus AppleJeus
2021-02-17US-CERTUS-CERT
@online{uscert:20210217:alert:3d0afe3, author = {US-CERT}, title = {{Alert (AA21-048A): AppleJeus: Analysis of North Korea’s Cryptocurrency Malware}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-048a}, language = {English}, urldate = {2021-02-20} } Alert (AA21-048A): AppleJeus: Analysis of North Korea’s Cryptocurrency Malware
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:5fa5db6, author = {CISA}, title = {{Malware Analysis Report (AR21-048C): AppleJeus: Union Crypto}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048C): AppleJeus: Union Crypto
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:59e2d5d, author = {CISA}, title = {{Malware Analysis Report (AR21-048D): AppleJeus: Kupay Wallet}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048D): AppleJeus: Kupay Wallet
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:18c1b8e, author = {CISA}, title = {{Malware Analysis Report (AR21-048B): AppleJeus: JMT Trading}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048B): AppleJeus: JMT Trading
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:191d7ae, author = {CISA}, title = {{Malware Analysis Report (AR21-048F): AppleJeus: Dorusio}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048F): AppleJeus: Dorusio
AppleJeus AppleJeus
2021-02-17US-CERTCISA
@online{cisa:20210217:malware:5113e30, author = {CISA}, title = {{Malware Analysis Report (AR21-048E): AppleJeus: CoinGoTrade}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048E): AppleJeus: CoinGoTrade
AppleJeus AppleJeus
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-10-17Vitali Kremez
@online{kremez:20191017:lets:d41b75a, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator}}, date = {2019-10-17}, url = {https://www.vkremez.com/2019/10/lets-learn-dissecting-lazarus-windows.html}, language = {English}, urldate = {2020-01-08} } Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator
AppleJeus
2019-10-11Twitter (@VK_intel)Vitali Kremez
@online{kremez:20191011:possible:3be065d, author = {Vitali Kremez}, title = {{Possible Lazarus x86 Malware (AppleJeus)}}, date = {2019-10-11}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1182730637016481793}, language = {English}, urldate = {2019-11-23} } Possible Lazarus x86 Malware (AppleJeus)
AppleJeus
Yara Rules
[TLP:WHITE] win_applejeus_auto (20211008 | Detects win.applejeus.)
rule win_applejeus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.applejeus."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.applejeus"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c785d8e8ffff00000000 c78544e7ffff00000000 8b7004 c785dce8ffff00000000 c78548e7ffff00000000 c785e0e8ffff00000000 c7854ce7ffff00000000 }
            // n = 7, score = 100
            //   c785d8e8ffff00000000     | mov    dword ptr [ebp - 0x1728], 0
            //   c78544e7ffff00000000     | mov    dword ptr [ebp - 0x18bc], 0
            //   8b7004               | mov                 esi, dword ptr [eax + 4]
            //   c785dce8ffff00000000     | mov    dword ptr [ebp - 0x1724], 0
            //   c78548e7ffff00000000     | mov    dword ptr [ebp - 0x18b8], 0
            //   c785e0e8ffff00000000     | mov    dword ptr [ebp - 0x1720], 0
            //   c7854ce7ffff00000000     | mov    dword ptr [ebp - 0x18b4], 0

        $sequence_1 = { 8bec 51 c745fc00000000 c745fcdf070000 8b55fc 56 8bf1 }
            // n = 7, score = 100
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   c745fcdf070000       | mov                 dword ptr [ebp - 4], 0x7df
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx

        $sequence_2 = { 8b0b 8bc1 83e13f c1f806 6bc930 8b048538f14800 80640828fe }
            // n = 7, score = 100
            //   8b0b                 | mov                 ecx, dword ptr [ebx]
            //   8bc1                 | mov                 eax, ecx
            //   83e13f               | and                 ecx, 0x3f
            //   c1f806               | sar                 eax, 6
            //   6bc930               | imul                ecx, ecx, 0x30
            //   8b048538f14800       | mov                 eax, dword ptr [eax*4 + 0x48f138]
            //   80640828fe           | and                 byte ptr [eax + ecx + 0x28], 0xfe

        $sequence_3 = { 43 00602c 43 00b05b4300b0 354300905c 43 00602c }
            // n = 7, score = 100
            //   43                   | inc                 ebx
            //   00602c               | add                 byte ptr [eax + 0x2c], ah
            //   43                   | inc                 ebx
            //   00b05b4300b0         | add                 byte ptr [eax - 0x4fffbca5], dh
            //   354300905c           | xor                 eax, 0x5c900043
            //   43                   | inc                 ebx
            //   00602c               | add                 byte ptr [eax + 0x2c], ah

        $sequence_4 = { 8b442408 35490f0000 8b0e 351b090000 50 8d442414 50 }
            // n = 7, score = 100
            //   8b442408             | mov                 eax, dword ptr [esp + 8]
            //   35490f0000           | xor                 eax, 0xf49
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   351b090000           | xor                 eax, 0x91b
            //   50                   | push                eax
            //   8d442414             | lea                 eax, dword ptr [esp + 0x14]
            //   50                   | push                eax

        $sequence_5 = { 8d4e10 e8???????? c745fc01000000 8b45b8 85c0 7419 a801 }
            // n = 7, score = 100
            //   8d4e10               | lea                 ecx, dword ptr [esi + 0x10]
            //   e8????????           |                     
            //   c745fc01000000       | mov                 dword ptr [ebp - 4], 1
            //   8b45b8               | mov                 eax, dword ptr [ebp - 0x48]
            //   85c0                 | test                eax, eax
            //   7419                 | je                  0x1b
            //   a801                 | test                al, 1

        $sequence_6 = { 81f2490f0000 c7854cffffff01090000 80f2a0 8b8d4cffffff 8b07 81f1490f0000 }
            // n = 6, score = 100
            //   81f2490f0000         | xor                 edx, 0xf49
            //   c7854cffffff01090000     | mov    dword ptr [ebp - 0xb4], 0x901
            //   80f2a0               | xor                 dl, 0xa0
            //   8b8d4cffffff         | mov                 ecx, dword ptr [ebp - 0xb4]
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   81f1490f0000         | xor                 ecx, 0xf49

        $sequence_7 = { 83f077 88855bfeffff 8b8538feffff 0420 83f050 88855cfeffff 8b8538feffff }
            // n = 7, score = 100
            //   83f077               | xor                 eax, 0x77
            //   88855bfeffff         | mov                 byte ptr [ebp - 0x1a5], al
            //   8b8538feffff         | mov                 eax, dword ptr [ebp - 0x1c8]
            //   0420                 | add                 al, 0x20
            //   83f050               | xor                 eax, 0x50
            //   88855cfeffff         | mov                 byte ptr [ebp - 0x1a4], al
            //   8b8538feffff         | mov                 eax, dword ptr [ebp - 0x1c8]

        $sequence_8 = { 0f84d3000000 8b048d74db4500 8985a4f8ffff 85c0 0f8498000000 83f801 0f84b5000000 }
            // n = 7, score = 100
            //   0f84d3000000         | je                  0xd9
            //   8b048d74db4500       | mov                 eax, dword ptr [ecx*4 + 0x45db74]
            //   8985a4f8ffff         | mov                 dword ptr [ebp - 0x75c], eax
            //   85c0                 | test                eax, eax
            //   0f8498000000         | je                  0x9e
            //   83f801               | cmp                 eax, 1
            //   0f84b5000000         | je                  0xbb

        $sequence_9 = { c706???????? 0f114604 897e14 89b5f0feffff e8???????? 8b8d24ffffff 83c40c }
            // n = 7, score = 100
            //   c706????????         |                     
            //   0f114604             | movups              xmmword ptr [esi + 4], xmm0
            //   897e14               | mov                 dword ptr [esi + 0x14], edi
            //   89b5f0feffff         | mov                 dword ptr [ebp - 0x110], esi
            //   e8????????           |                     
            //   8b8d24ffffff         | mov                 ecx, dword ptr [ebp - 0xdc]
            //   83c40c               | add                 esp, 0xc

    condition:
        7 of them and filesize < 1245184
}
Download all Yara Rules