win.appleseed

Appleseed

Actor(s): Kimsuky


There is no description at this point. What this page does establish: the family is attributed to Kimsuky (see Actor(s) above); it is documented in KrCERT/KISA's "Operation MUZABI" report (2020-12-15) and listed among the families covered by PwC UK's "Cyber Threats 2020: A Year in Retrospect"; and the second YARA rule below was written by the KrCERT/CC analysis team for that same operation, while the first is an auto-generated yara-signator rule. Both rules are shared TLP:WHITE.

References
2021-02-28 · PWC UK · PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Ransomware Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Ransomware Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2020-12-15 · KISA · KrCERT
@techreport{krcert:20201215:operation:4784750, author = {KrCERT}, title = {{Operation MUZABI}}, date = {2020-12-15}, institution = {KISA}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2652.pdf}, language = {Korean}, urldate = {2020-12-16} } Operation MUZABI
Appleseed
Yara Rules
[TLP:WHITE] win_appleseed_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_appleseed_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     *
     * REVIEW NOTES (comments only; the hex patterns and condition are untouched):
     * - Every sequence carries a REX prefix (0x48/0x4c/0x41/0x44/0x45/0x4b), so
     *   this rule only matches x86-64 builds. A 32-bit Appleseed sample will not
     *   fire it; pair it with the KrCERT/CC rule for that case.
     * - The per-instruction comments emitted by the generator did not decode
     *   the 64-bit bytes correctly (they read as misaligned 32-bit code, e.g.
     *   the REX.W byte 0x48 shows up as "dec eax"). They have been replaced
     *   below with a hand decode of each byte string as x86-64; the
     *   "n = .., score = .." lines are the generator's own per-sample stats.
     * - There is deliberately no MZ-header check: the sequences come from
     *   memory dumps and unpacked files and the rule is meant to hit those too.
     * - YARA documents `filesize` as undefined when scanning a running process,
     *   and an undefined operand does not satisfy a condition, so in practice
     *   `filesize < 497664` restricts this rule to file scans. Dump the region
     *   to disk first if you want to use it against live memory.
     * - $sequence_2 and $sequence_6 look like compiler/runtime boilerplate
     *   (see their comments). Treat a hit carried mostly by those two with
     *   less confidence than one carried by the data-handling sequences.
     */


    strings:
        // Looks like an MSVC std::string being set up in its small-string
        // layout (capacity 15 stored, then compared against 0x10). Common
        // compiler output -- confirm before treating it as family-specific.
        $sequence_0 = { 488b4c2478 e8???????? 48c745900f000000 48895d88 c644247800 48837c246810 720a }
            // n = 7, score = 100
            //   488b4c2478           | mov                 rcx, qword ptr [rsp + 0x78]
            //   e8????????           | call                <rel32>
            //   48c745900f000000     | mov                 qword ptr [rbp - 0x70], 0xf
            //   48895d88             | mov                 qword ptr [rbp - 0x78], rbx
            //   c644247800           | mov                 byte ptr [rsp + 0x78], 0
            //   48837c246810         | cmp                 qword ptr [rsp + 0x68], 0x10
            //   720a                 | jb                  +0xa

        // Function epilogue (add rsp / pop rbx / ret), presumably followed by
        // the start of the next function: RIP-relative address into rdx,
        // rbx copied into rcx as the first argument.
        $sequence_1 = { 4883c420 5b c3 488d15c2c70100 488bcb }
            // n = 5, score = 100
            //   4883c420             | add                 rsp, 0x20
            //   5b                   | pop                 rbx
            //   c3                   | ret
            //   488d15c2c70100       | lea                 rdx, [rip + 0x1c7c2]
            //   488bcb               | mov                 rcx, rbx

        // Looks like a standard MSVC x64 prologue with /GS: push non-volatiles,
        // carve a 0x140-byte frame, store the -2 marker, then xor the loaded
        // cookie with rsp. Compiler boilerplate rather than family logic; it
        // only discriminates through the exact frame size and offsets.
        $sequence_2 = { 57 4156 488d6c24c0 4881ec40010000 48c7442460feffffff 488b05???????? 4833c4 }
            // n = 7, score = 100
            //   57                   | push                rdi
            //   4156                 | push                r14
            //   488d6c24c0           | lea                 rbp, [rsp - 0x40]
            //   4881ec40010000       | sub                 rsp, 0x140
            //   48c7442460feffffff     | mov    qword ptr [rsp + 0x60], 0xfffffffffffffffe
            //   488b05????????       | mov                 rax, qword ptr [rip + <disp32>]
            //   4833c4               | xor                 rax, rsp

        // Two calls taking stack-buffer addresses (rdx = rsp+0x60, rcx = rsp+0x40),
        // each followed by a nop, then a RIP-relative address loaded into r8.
        $sequence_3 = { e8???????? 90 488d542460 488d4c2440 e8???????? 90 4c8d05cb670200 }
            // n = 7, score = 100
            //   e8????????           | call                <rel32>
            //   90                   | nop
            //   488d542460           | lea                 rdx, [rsp + 0x60]
            //   488d4c2440           | lea                 rcx, [rsp + 0x40]
            //   e8????????           | call                <rel32>
            //   90                   | nop
            //   4c8d05cb670200       | lea                 r8, [rip + 0x267cb]

        // Same small-string initialisation shape as $sequence_0, rbp-relative
        // and storing rdi instead of rbx.
        $sequence_4 = { 48c745a00f000000 48897d98 c6458800 48837d0010 7209 }
            // n = 5, score = 100
            //   48c745a00f000000     | mov                 qword ptr [rbp - 0x60], 0xf
            //   48897d98             | mov                 qword ptr [rbp - 0x68], rdi
            //   c6458800             | mov                 byte ptr [rbp - 0x78], 0
            //   48837d0010           | cmp                 qword ptr [rbp], 0x10
            //   7209                 | jb                  +0x9

        // Entry of a function taking (rcx, rdx): spill rax, copy the arguments
        // into rbx/rsi, zero r13d and store it in the frame.
        $sequence_5 = { 488945f8 488bf2 488bd9 4533ed 44896db0 }
            // n = 5, score = 100
            //   488945f8             | mov                 qword ptr [rbp - 8], rax
            //   488bf2               | mov                 rsi, rdx
            //   488bd9               | mov                 rbx, rcx
            //   4533ed               | xor                 r13d, r13d
            //   44896db0             | mov                 dword ptr [rbp - 0x50], r13d

        // Index split into (rbx >> 5) selecting a table and (rbx & 0x1f) * 0x58
        // as the entry offset. That shape resembles the CRT's __pioinfo
        // file-handle lookup, i.e. statically linked runtime code, so expect
        // this sequence in unrelated binaries built with the same CRT.
        $sequence_6 = { 488bcb 488bc3 488d15326f0100 48c1f805 83e11f 488b04c2 486bc958 }
            // n = 7, score = 100
            //   488bcb               | mov                 rcx, rbx
            //   488bc3               | mov                 rax, rbx
            //   488d15326f0100       | lea                 rdx, [rip + 0x16f32]
            //   48c1f805             | sar                 rax, 5
            //   83e11f               | and                 ecx, 0x1f
            //   488b04c2             | mov                 rax, qword ptr [rdx + rax*8]
            //   486bc958             | imul                rcx, rcx, 0x58

        // Epilogue (restore rbx, add rsp, pop rdi, ret), then what is
        // presumably the next function loading a RIP-relative address into
        // rcx and calling.
        $sequence_7 = { 488b5c2430 4883c420 5f c3 488d0d1d6d0200 e8???????? }
            // n = 6, score = 100
            //   488b5c2430           | mov                 rbx, qword ptr [rsp + 0x30]
            //   4883c420             | add                 rsp, 0x20
            //   5f                   | pop                 rdi
            //   c3                   | ret
            //   488d0d1d6d0200       | lea                 rcx, [rip + 0x26d1d]
            //   e8????????           | call                <rel32>

        // Loop body over a RIP-relative table of 8-byte slots: pass the slot
        // value in rcx to an imported function (call through a RIP-relative
        // pointer), write the result back into the slot, advance rbx by 8 and
        // count in edi. Consistent with an API-resolution or per-entry
        // decoding loop, but the callee is wildcarded -- confirm on the sample.
        $sequence_8 = { 488d1d89520100 488b0b ff15???????? ffc7 488903 4863c7 488d5b08 }
            // n = 7, score = 100
            //   488d1d89520100       | lea                 rbx, [rip + 0x15289]
            //   488b0b               | mov                 rcx, qword ptr [rbx]
            //   ff15????????         | call                qword ptr [rip + <disp32>]
            //   ffc7                 | inc                 edi
            //   488903               | mov                 qword ptr [rbx], rax
            //   4863c7               | movsxd              rax, edi
            //   488d5b08             | lea                 rbx, [rbx + 8]

        // Byte-wise copy out of the frame into an object selected from a
        // table at r10 + r13*8 + 0x36700, stored at a fixed offset (+9). The
        // hard-coded 0x36700 makes this sequence build-specific.
        $sequence_9 = { 8a45d8 4b8b8cea00670300 88440e09 8a45d9 }
            // n = 4, score = 100
            //   8a45d8               | mov                 al, byte ptr [rbp - 0x28]
            //   4b8b8cea00670300     | mov                 rcx, qword ptr [r10 + r13*8 + 0x36700]
            //   88440e09             | mov                 byte ptr [rsi + rcx + 9], al
            //   8a45d9               | mov                 al, byte ptr [rbp - 0x27]

    condition:
        // Any 7 of the 10 sequences. The size cap is presumably derived from
        // the sample set the rule was generated from; a larger build (or a
        // dump with extra appended data) is silently excluded by it.
        7 of them and filesize < 497664
}
[TLP:WHITE] win_appleseed_w0   (20201015 | No description)
rule win_appleseed_w0 {
    meta:
        author = "KrCERT/CC Profound Analysis Team"
        // Not zero-padded (ISO form would be 2020-12-04); left as published.
        date = "2020-12-4"
        info = "Operation MUZABI"
        // Eight MD5s of the samples the rule was written against. Repeated
        // meta keys are valid YARA, but consumers that load meta into a dict
        // (yara-python does) keep only one of them -- take the list from the
        // rule text if you need all eight.
        hash = "43cc6d190238e851d33066cbe9be9ac8"
        hash = "fd10bd6013aabadbcb9edb8a23ba7331"
        hash = "16231e2e8991c60a42f293e0c33ff801"
        hash = "89fff6645013008cda57f88639b92990"
        hash = "030e2f992cbc4e61f0d5c994779caf3b"
        hash = "3620c22671641fbf32cf496b118b85f6"
        hash = "4876fc88c361743a1220a7b161f8f06f"
        hash = "94b8a0e4356d0202dc61046e3d8bdfe0"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed"
        malpedia_rule_date = "20201015"
        malpedia_version = "20201015"
        malpedia_license = "CC NC-BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* REVIEW NOTES (comments only; patterns and condition are as published):
     * - The string set mixes 32-bit shapes (push dword [mem] before a call,
     *   add esp, 0xc after one, ebp-relative byte xors) with REX-prefixed
     *   x64 shapes ($appleseed_key3, $seed_str1), so the rule appears to cover
     *   both architectures; a hit will satisfy one side or the other.
     * - The $appleseed_str* patterns are short compare/branch idioms that are
     *   not specific to this family on their own; the condition only accepts
     *   them together with one $seed_str* and one $appleseed_key* pattern.
     * - Decodes below are hand-derived from the fixed bytes; wildcarded
     *   registers and displacements are described generically.
     */

    strings:
        // jcc rel32 (small forward target), cmp/xor reg, 0x20, another jcc
        // rel32 with a small target. A 32-byte (or space-character) check
        // bracketed by two long conditional jumps -- generic on its own.
        $appleseed_str1 = {0f 8? ?? (00|01) 00 00 [0-1] 83 f? 20 0f 8? (01|00) 00 00}
        // mov byte ptr [rbp/ebp + disp8], al ... movzx eax, byte ptr [base + index + 1]:
        // store one byte to a local, then fetch the next input byte, i.e. the
        // body of a byte-at-a-time transform loop.
        $appleseed_str2 = {88 45 [0-15] 0f b6 44 ?? 01}
        // cmp/xor reg, 0x10 ... and/sub reg, 0x10: a 16-byte boundary test.
        // Also produced by common library code (16 is the std::string SSO
        // threshold and a typical block size), so weak in isolation.
        $appleseed_str3 = {83 f? 10 [0-5] 83 e? 10}
        // 32-bit: mov [ecx + reg*scale], eax; push dword ptr [mem]; call ...;
        // mov [eax + ebx*4], ecx; mov reg, [reg + 0xc]; push dword ptr [eax + ebx*4].
        // Fills a dword table and passes its entries as call arguments; the
        // author's naming suggests key material -- verify on the sample.
        $appleseed_key1 = {89 04 ?9 [0-6] ff 34 ?? e8 [10-16] 89 0c 98 8b ?? 0c [0-3] ff 34 98}
        // 32-bit: cmp reg, 0x10 ... xor cl, byte ptr [ebp + eax + disp8];
        // mov byte ptr [base + index + 0xf], cl. Byte XOR against a 16-entry
        // key indexed by eax, result written at +0xf -- a 16-byte key loop.
        $appleseed_key2 = {83 f? 10 [0-10] 32 4c 05 ?? ?? 88 4c ?? 0f}
        // x64 counterpart of key1: mov [base + idx*scale], eax; add/cmp/sub r8-15, 4;
        // a REX.W op with imm 0x10; mov ecx, [rax + rbp*4]; call; mov r64, [...].
        // Dword table fill stepping by 4, bounded at 0x10.
        $appleseed_key3 = {89 04 ?9 49 83 ?? 04 48 ?? ?? 10 8b 0c a8 e8 [0-10] 48 8b ?? ?8}
        // x64, fully fixed bytes: movzx r8d, byte ptr [rbp + rdi - 0x40];
        // xor r8b, r15b; xor r8b, byte ptr [rbp - 0x2c]. Two-stage XOR of an
        // input byte against a register key byte and a frame byte.
        $seed_str1 = {44 0f b6 44 3d c0 45 32 c7 44 32 45 d4}
        // 32-bit: movzx eax, byte ptr [reg + edi/esi + disp8] ... add esp, 0xc
        // (caller cleanup of three pushed arguments after a call).
        $seed_str2 = {0f b6 44 3? ?? [0-25] 83 c4 0c}
        // 32-bit analogue of seed_str1: xor al, byte ptr [ebp - 0x3?] ...
        // xor al, byte ptr [ebp - 0x1?].
        $seed_str3 = {32 45 c? ?? ?? ?? 32 45 e?}

    condition: 
            // PE files only: the MZ check means header-less memory dumps will
            // not match; rebuild the header or use a header-free rule for dumps.
            uint16(0) == 0x5a4d
        and
            // filesize is undefined when YARA scans a running process (and an
            // undefined operand does not satisfy the condition), so this rule
            // is effectively file-scan only.
            filesize < 400KB
        and
            // Layered so the generic $appleseed_str* idioms alone never match.
            (2 of ($appleseed_str*))
        and
            (1 of ($seed_str*))
        and
            (1 of ($appleseed_key*))
}