win.appleseed (Back to overview)

Appleseed

aka: JamBog

Actor(s): Kimsuky


There is no description at this point.

References
2021-10-07S2W Inc.Jaeki Kim, Sojun Ryu, Kyoung-ju Kwak
@online{kim:20211007:operation:6b8234f, author = {Jaeki Kim and Sojun Ryu and Kyoung-ju Kwak}, title = {{Operation Newton: Hi Kimsuky? Did an Apple(seed) really fall on Newton’s head?}}, date = {2021-10-07}, organization = {S2W Inc.}, url = {https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/}, language = {English}, urldate = {2021-10-14} } Operation Newton: Hi Kimsuky? Did an Apple(seed) really fall on Newton’s head?
Appleseed Kimsuky
2021-09-02ASECAhnLab ASEC Analysis Team
@online{team:20210902:attacks:39695ea, author = {AhnLab ASEC Analysis Team}, title = {{Attacks using metasploit meterpreter}}, date = {2021-09-02}, organization = {ASEC}, url = {https://asec.ahnlab.com/ko/26705/}, language = {Korean}, urldate = {2021-09-09} } Attacks using metasploit meterpreter
Appleseed Meterpreter
2021-06-11TEAMT5Linda Kuo, Zih-Cing Liao
@techreport{kuo:20210611:story:897e55c, author = {Linda Kuo and Zih-Cing Liao}, title = {{Story of the ‘Phisherman’ -Dissecting Phishing Techniques of CloudDragon APT (slides)}}, date = {2021-06-11}, institution = {TEAMT5}, url = {https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf}, language = {English}, urldate = {2021-06-22} } Story of the ‘Phisherman’ -Dissecting Phishing Techniques of CloudDragon APT (slides)
Appleseed BabyShark
2021-06-11YouTube (Hack In The Box Security Conference)Linda Kuo, Zih-Cing Liao
@online{kuo:20210611:dissecting:cd60a32, author = {Linda Kuo and Zih-Cing Liao}, title = {{Dissecting Phishing Techniques Of CloudDragon APT}}, date = {2021-06-11}, organization = {YouTube (Hack In The Box Security Conference)}, url = {https://www.youtube.com/watch?v=Dv2_DK3tRgI}, language = {English}, urldate = {2021-06-22} } Dissecting Phishing Techniques Of CloudDragon APT
Appleseed BabyShark
2021-06-01MalwarebytesHossein Jazi
@online{jazi:20210601:kimsuky:922141b, author = {Hossein Jazi}, title = {{Kimsuky APT continues to target South Korean government using AppleSeed backdoor}}, date = {2021-06-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/}, language = {English}, urldate = {2021-06-09} } Kimsuky APT continues to target South Korean government using AppleSeed backdoor
Appleseed
2021-05-07TEAMT5Jhih-Lin Kuo, Zih-Cing Liao
@techreport{kuo:20210507:we:cd620c1, author = {Jhih-Lin Kuo and Zih-Cing Liao}, title = {{"We Are About to Land": How CloudDragon Turns a Nightmare Into Reality}}, date = {2021-05-07}, institution = {TEAMT5}, url = {https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf}, language = {English}, urldate = {2021-09-14} } "We Are About to Land": How CloudDragon Turns a Nightmare Into Reality
FlowerPower Appleseed BabyShark GoldDragon NavRAT
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2020-12-15KISAKrCERT
@techreport{krcert:20201215:operation:4784750, author = {KrCERT}, title = {{Operation MUZABI}}, date = {2020-12-15}, institution = {KISA}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf}, language = {Korean}, urldate = {2021-06-04} } Operation MUZABI
Appleseed
Yara Rules
[TLP:WHITE] win_appleseed_auto (20211008 | Detects win.appleseed.)
/*
 * win_appleseed_auto: yara-signator output for the Malpedia family win.appleseed
 * (AppleSeed, aka JamBog; the family page attributes it to Kimsuky).
 * Ten opcode sequences ($sequence_0 .. $sequence_9) were selected automatically
 * from disassembly of memory dumps / unpacked files (see DISCLAIMER below).
 * The condition requires 7 of the 10 sequences plus a filesize ceiling; no
 * PE-header check (MZ/PE magic) is performed.
 */
rule win_appleseed_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.appleseed."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // "callsandjumps;datarefs" is consistent with the ???????? wildcards below:
        // call/jmp displacements and data references are masked out so the
        // sequences survive relocation / different build addresses.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): the per-opcode "| mnemonic" comments below do not appear
        // to correspond to the bytes they annotate. E.g. 4c8945e0 decodes (x86-64)
        // to `mov qword ptr [rbp-0x20], r8`, not `mov ecx, 1`, and 4983791810 to
        // `cmp qword ptr [r9+0x18], 0x10`, not `xor eax, eax`. The many
        // `dec eax` / `inc ebp` / `dec ecx` / `dec esp` entries look like REX
        // prefixes (0x48/0x45/0x49/0x4c) decoded in 32-bit mode, and the rows
        // also seem shifted relative to the hex column. Treat the hex sequences
        // as authoritative and the mnemonic comments as generator artefacts.
        $sequence_0 = { 4c8945e0 4c894dd8 4983791810 7205 498b09 eb03 498bc9 }
            // n = 7, score = 100
            //   4c8945e0             | mov                 ecx, 1
            //   4c894dd8             | inc                 ebp
            //   4983791810           | xor                 eax, eax
            //   7205                 | dec                 eax
            //   498b09               | mov                 ecx, dword ptr [ebp + 0x40]
            //   eb03                 | mov                 eax, dword ptr [ebp + 0xc4]
            //   498bc9               | cmp                 eax, 3

        $sequence_1 = { 0f8414010000 488d15d2160200 488d4db8 e8???????? 90 488d55d8 488bc8 }
            // n = 7, score = 100
            //   0f8414010000         | dec                 eax
            //   488d15d2160200       | lea                 ecx, dword ptr [ebp + 0x30]
            //   488d4db8             | dec                 eax
            //   e8????????           |                     
            //   90                   | cmp                 dword ptr [ebp + 0x48], 0x10
            //   488d55d8             | dec                 eax
            //   488bc8               | cmovae              ecx, dword ptr [ebp + 0x30]

        $sequence_2 = { 488bfa 488bd9 488d059df80000 488981a0000000 83611000 c7411c01000000 c781c800000001000000 }
            // n = 7, score = 100
            //   488bfa               | dec                 eax
            //   488bd9               | mov                 ecx, eax
            //   488d059df80000       | dec                 eax
            //   488981a0000000       | add                 esp, 0x58
            //   83611000             | dec                 eax
            //   c7411c01000000       | mov                 dword ptr [esp + 0x30], 0xfffffffe
            //   c781c800000001000000     | dec    eax

        $sequence_3 = { 488d151d180200 488d4db8 e8???????? 90 488d55d8 488bc8 e8???????? }
            // n = 7, score = 100
            //   488d151d180200       | mov                 byte ptr [ebp + 0x38], 0
            //   488d4db8             | dec                 ecx
            //   e8????????           |                     
            //   90                   | or                  ecx, 0xffffffff
            //   488d55d8             | inc                 ebp
            //   488bc8               | xor                 eax, eax
            //   e8????????           |                     

        $sequence_4 = { 4885c0 74e7 4883c440 5b c3 488d05ef470100 488d542458 }
            // n = 7, score = 100
            //   4885c0               | dec                 eax
            //   74e7                 | lea                 edx, dword ptr [0x2180f]
            //   4883c440             | dec                 eax
            //   5b                   | lea                 ecx, dword ptr [ebp - 0x48]
            //   c3                   | nop                 
            //   488d05ef470100       | dec                 eax
            //   488d542458           | lea                 edx, dword ptr [ebp - 0x28]

        $sequence_5 = { e8???????? 90 488d542468 488d4c2448 e8???????? 488d4d00 48837d1810 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   90                   | xor                 eax, esp
            //   488d542468           | inc                 eax
            //   488d4c2448           | push                ebp
            //   e8????????           |                     
            //   488d4d00             | push                ebx
            //   48837d1810           | push                esi

        $sequence_6 = { 4c8bc2 3905???????? 89442420 488bd1 7509 488d0dd2480100 eb02 }
            // n = 7, score = 100
            //   4c8bc2               | dec                 eax
            //   3905????????         |                     
            //   89442420             | mov                 ecx, dword ptr [ebp - 0x28]
            //   488bd1               | dec                 eax
            //   7509                 | mov                 eax, esi
            //   488d0dd2480100       | nop                 
            //   eb02                 | dec                 eax

        $sequence_7 = { 48897c2430 c644242000 803a00 7505 4c8bc7 eb11 4983c8ff }
            // n = 7, score = 100
            //   48897c2430           | mov                 ebx, eax
            //   c644242000           | dec                 esp
            //   803a00               | lea                 eax, dword ptr [ebp + 0x140]
            //   7505                 | dec                 eax
            //   4c8bc7               | lea                 edx, dword ptr [0x1bedb]
            //   eb11                 | dec                 eax
            //   4983c8ff             | lea                 ecx, dword ptr [ebp - 0x58]

        $sequence_8 = { ff15???????? 4885c0 0f84a9010000 488bc8 ff15???????? 488d1505a10000 488bcb }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   4885c0               | jb                  0x4b9
            //   0f84a9010000         | dec                 ecx
            //   488bc8               | mov                 ecx, dword ptr [edi]
            //   ff15????????         |                     
            //   488d1505a10000       | dec                 ecx
            //   488bcb               | mov                 dword ptr [edi + 0x18], 0xf

        // Only sequence with n = 5; the other nine carry seven instructions each.
        $sequence_9 = { 498bcd ff15???????? 4c8be0 4885c0 0f84b2000000 }
            // n = 5, score = 100
            //   498bcd               | dec                 eax
            //   ff15????????         |                     
            //   4c8be0               | lea                 ecx, dword ptr [0x9094]
            //   4885c0               | dec                 eax
            //   0f84b2000000         | sub                 esp, 0x48

    condition:
        // 7 of the 10 sequences must be present. The size cap (497664 = 486 KiB)
        // is presumably derived from the sample(s) the rule was generated from
        // — TODO confirm against the reference; larger repacked builds would be missed.
        7 of them and filesize < 497664
}
[TLP:WHITE] win_appleseed_w0   (20201015 | No description)
/*
 * win_appleseed_w0: hand-written AppleSeed rule by KrCERT/CC, published with
 * the "Operation MUZABI" report (see References above, KISA, 2020-12-15).
 * Three groups of hex patterns with nibble wildcards (`?`) and bounded jumps
 * (`[a-b]`); the condition requires an MZ magic, a filesize ceiling, and at
 * least 2 of the $appleseed_str*, 1 of the $seed_str* and 1 of the
 * $appleseed_key* patterns.
 */
rule win_appleseed_w0 {
    meta:
        author = "KrCERT/CC Profound Analysis Team"
        // NOTE(review): day is not zero-padded, and this date is later than
        // malpedia_rule_date below (20201015) — confirm which is authoritative.
        date = "2020-12-4"
        info = "Operation MUZABI"
        // Eight 32-hex-digit (MD5-length) sample hashes; YARA accepts a repeated
        // meta identifier, so all eight entries are retained.
        hash = "43cc6d190238e851d33066cbe9be9ac8"
        hash = "fd10bd6013aabadbcb9edb8a23ba7331"
        hash = "16231e2e8991c60a42f293e0c33ff801"
        hash = "89fff6645013008cda57f88639b92990"
        hash = "030e2f992cbc4e61f0d5c994779caf3b"
        hash = "3620c22671641fbf32cf496b118b85f6"
        hash = "4876fc88c361743a1220a7b161f8f06f"
        hash = "94b8a0e4356d0202dc61046e3d8bdfe0"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed"
        malpedia_rule_date = "20201015"
        malpedia_version = "20201015"
        malpedia_license = "CC NC-BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // $appleseed_str*: short generic-looking code fragments (compare/branch,
        // byte loads). Which routines they come from is not documented in the
        // rule; on their own they are weak, which is why the condition asks for
        // two of them and combines them with the other two groups.
        $appleseed_str1 = {0f 8? ?? (00|01) 00 00 [0-1] 83 f? 20 0f 8? (01|00) 00 00}
        $appleseed_str2 = {88 45 [0-15] 0f b6 44 ?? 01}
        $appleseed_str3 = {83 f? 10 [0-5] 83 e? 10}
        // $appleseed_key*: presumably key-handling code, per the group name —
        // not verifiable from the rule alone. _key3 contains REX-prefixed bytes
        // (49 83 .. / 48 8b ..), so it is x86-64 specific; _key1/_key2 look
        // 32-bit-style. TODO confirm against the report.
        $appleseed_key1 = {89 04 ?9 [0-6] ff 34 ?? e8 [10-16] 89 0c 98 8b ?? 0c [0-3] ff 34 98}
        $appleseed_key2 = {83 f? 10 [0-10] 32 4c 05 ?? ?? 88 4c ?? 0f}
        $appleseed_key3 = {89 04 ?9 49 83 ?? 04 48 ?? ?? 10 8b 0c a8 e8 [0-10] 48 8b ?? ?8}
        // $seed_str*: byte loads followed by xor (32 ..) — consistent with a
        // byte-wise decode loop, but the rule does not say so; TODO confirm.
        $seed_str1 = {44 0f b6 44 3d c0 45 32 c7 44 32 45 d4}
        $seed_str2 = {0f b6 44 3? ?? [0-25] 83 c4 0c}
        $seed_str3 = {32 45 c? ?? ?? ?? 32 45 e?}

    condition: 
            // "MZ" DOS header magic only; the PE signature at e_lfanew is not checked.
            uint16(0) == 0x5a4d
        and
            filesize < 400KB
        and
            // 2 of 3
            (2 of ($appleseed_str*))
        and
            // 1 of 3
            (1 of ($seed_str*))
        and
            // 1 of 3
            (1 of ($appleseed_key*))
}