win.backbend

BACKBEND

Actor(s): APT 30


FireEye describes BACKBEND as a secondary downloader used as a backup mechanism in case the primary backdoor is removed. When executed, BACKBEND checks for the presence of the mutexes MicrosoftZj or MicrosoftZjBak (both associated with BACKSPACE variants). If either mutex exists, the malware exits, i.e. BACKBEND only becomes active once the BACKSPACE implant is no longer running. The two mutex names are therefore a useful host-based indicator for both families; conversely, their presence in an analysis environment will suppress BACKBEND's activity.

References
2015-04 — FireEye
@techreport{fireeye:201504:apt30:0129bf7, author = {FireEye}, title = {{APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION}}, date = {2015-04}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf}, language = {English}, urldate = {2020-01-07} } APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION
BACKBEND backspace CREAMSICLE FLASHFLOOD GEMCUTTER MILKMAID Naikon NETEAGLE ORANGEADE SHIPSHAPE SPACESHIP SslMM Sys10 WinMM xsPlus APT30
Yara Rules
[TLP:WHITE] win_backbend_auto (20221125 | Detects win.backbend.)
rule win_backbend_auto {

    /*
     * Auto-generated code-sequence signature for BACKBEND (APT30's backup
     * downloader). It matches on short x86 instruction sequences recovered
     * from unpacked samples / memory dumps -- see the DISCLAIMER below for
     * what that implies about how well the rule generalizes.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.backbend."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.backbend"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Most of the sequences below are generic call/push idioms whose
        // immediate operands are masked (????????), so any single sequence is
        // weak evidence on its own; the "7 of them" threshold in the condition
        // is what gives the rule its specificity.
        $sequence_0 = { 57 e8???????? c70424???????? e8???????? be???????? }
            // n = 5, score = 100
            //   57                   | push                edi
            //   e8????????           |                     
            //   c70424????????       |                     
            //   e8????????           |                     
            //   be????????           |                     

        // Byte-wise loop: until a NUL byte is hit, subtract 4 from each byte
        // and write it back in place -- looks like a trivial string-decoding
        // routine (inferred from the loop shape; confirm against a sample).
        $sequence_1 = { 84c9 7408 80e904 8808 40 ebf2 }
            // n = 6, score = 100
            //   84c9                 | test                cl, cl
            //   7408                 | je                  0xa
            //   80e904               | sub                 cl, 4
            //   8808                 | mov                 byte ptr [eax], cl
            //   40                   | inc                 eax
            //   ebf2                 | jmp                 0xfffffff4

        // Call through ebx with a 0x500-byte stack buffer, zero eax, restore
        // the callee-saved registers -- presumably a return-0 path.
        $sequence_2 = { 8d8500fbffff 50 ffd3 33c0 5f 5e 5b }
            // n = 7, score = 100
            //   8d8500fbffff         | lea                 eax, [ebp - 0x500]
            //   50                   | push                eax
            //   ffd3                 | call                ebx
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_3 = { 57 ffd6 85c0 750d 68???????? 50 57 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   750d                 | jne                 0xf
            //   68????????           |                     
            //   50                   | push                eax
            //   57                   | push                edi

        $sequence_4 = { 6a00 56 ff15???????? 56 ffd3 6a00 8d8500ffffff }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   56                   | push                esi
            //   ff15????????         |                     
            //   56                   | push                esi
            //   ffd3                 | call                ebx
            //   6a00                 | push                0
            //   8d8500ffffff         | lea                 eax, [ebp - 0x100]

        $sequence_5 = { 68???????? e8???????? 83c420 e8???????? 85c0 7508 6a01 }
            // n = 7, score = 100
            //   68????????           |                     
            //   e8????????           |                     
            //   83c420               | add                 esp, 0x20
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7508                 | jne                 0xa
            //   6a01                 | push                1

        $sequence_6 = { c605????????43 ff15???????? 8bf0 68???????? 56 ff15???????? }
            // n = 6, score = 100
            //   c605????????43       |                     
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   68????????           |                     
            //   56                   | push                esi
            //   ff15????????         |                     

        // NUL-terminates a 0x100-byte stack buffer at index eax (likely a
        // length returned by the preceding call -- confirm) before passing
        // the buffer on to the next call.
        $sequence_7 = { ff15???????? 80a40500ffffff00 8d8500ffffff 56 50 }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   80a40500ffffff00     | and                 byte ptr [ebp + eax - 0x100], 0
            //   8d8500ffffff         | lea                 eax, [ebp - 0x100]
            //   56                   | push                esi
            //   50                   | push                eax

        // mov edi, 0x1f0001 followed by push 0 / push edi / call esi and a
        // NULL check: 0x1F0001 is the value of MUTEX_ALL_ACCESS, so this is
        // consistent with OpenMutex(MUTEX_ALL_ACCESS, FALSE, name), i.e. the
        // BACKSPACE mutex check described in the family description.
        // NOTE(review): inferred from the call shape, not confirmed from the
        // dump.
        $sequence_8 = { 57 68???????? bf01001f00 6a00 57 ffd6 85c0 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   68????????           |                     
            //   bf01001f00           | mov                 edi, 0x1f0001
            //   6a00                 | push                0
            //   57                   | push                edi
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax

        $sequence_9 = { ff15???????? 8d8500fbffff 50 8d8500ffffff 50 ff15???????? }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   8d8500fbffff         | lea                 eax, [ebp - 0x500]
            //   50                   | push                eax
            //   8d8500ffffff         | lea                 eax, [ebp - 0x100]
            //   50                   | push                eax
            //   ff15????????         |                     

    // 7 of the 10 sequences must match and the scanned object must be under
    // 48 KiB (49152 bytes). NOTE(review): the size cap together with the
    // dump-derived sequences means this is intended for unpacked binaries or
    // memory; a packed or embedded copy will presumably not match. The
    // MicrosoftZj / MicrosoftZjBak mutex names from the family description
    // are not part of this rule -- pair it with a mutex/host-based check if
    // that behaviour needs coverage.
    condition:
        7 of them and filesize < 49152
}