SYMBOLCOMMON_NAMEaka. SYNONYMS
win.backbend (Back to overview)

BACKBEND

Actor(s): APT 30


FireEye describes BACKBEND as a secondary downloader used as a backup mechanism in the case the primary backdoor is removed. When executed, BACKBEND checks for the presence of the mutexes MicrosoftZj or MicrosoftZjBak (both associated with BACKSPACE variants). If either of the mutexes exist, the malware exits.

References
2015-04FireEyeFireEye
@techreport{fireeye:201504:apt30:0129bf7, author = {FireEye}, title = {{APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION}}, date = {2015-04}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf}, language = {English}, urldate = {2020-01-07} } APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION
BACKBEND backspace CREAMSICLE FLASHFLOOD GEMCUTTER MILKMAID Naikon NETEAGLE ORANGEADE SHIPSHAPE SPACESHIP SslMM Sys10 WinMM xsPlus APT30
Yara Rules
[TLP:WHITE] win_backbend_auto (20230125 | Detects win.backbend.)
rule win_backbend_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.backbend."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.backbend"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c3 8b442404 8a08 84c9 7408 80e904 }
            // n = 6, score = 100
            //   c3                   | ret                 
            //   8b442404             | mov                 eax, dword ptr [esp + 4]
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   84c9                 | test                cl, cl
            //   7408                 | je                  0xa
            //   80e904               | sub                 cl, 4

        $sequence_1 = { 50 ff15???????? 85c0 7416 8d8500fbffff 6a00 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7416                 | je                  0x18
            //   8d8500fbffff         | lea                 eax, [ebp - 0x500]
            //   6a00                 | push                0

        $sequence_2 = { 6800020000 50 e8???????? 8d8500fbffff 53 50 e8???????? }
            // n = 7, score = 100
            //   6800020000           | push                0x200
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d8500fbffff         | lea                 eax, [ebp - 0x500]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_3 = { 84c9 7408 80e904 8808 40 ebf2 c3 }
            // n = 7, score = 100
            //   84c9                 | test                cl, cl
            //   7408                 | je                  0xa
            //   80e904               | sub                 cl, 4
            //   8808                 | mov                 byte ptr [eax], cl
            //   40                   | inc                 eax
            //   ebf2                 | jmp                 0xfffffff4
            //   c3                   | ret                 

        $sequence_4 = { 80e904 8808 40 ebf2 }
            // n = 4, score = 100
            //   80e904               | sub                 cl, 4
            //   8808                 | mov                 byte ptr [eax], cl
            //   40                   | inc                 eax
            //   ebf2                 | jmp                 0xfffffff4

        $sequence_5 = { 8d8500ffffff 50 8d8500f9ffff 50 e8???????? 8d8500f9ffff 50 }
            // n = 7, score = 100
            //   8d8500ffffff         | lea                 eax, [ebp - 0x100]
            //   50                   | push                eax
            //   8d8500f9ffff         | lea                 eax, [ebp - 0x700]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d8500f9ffff         | lea                 eax, [ebp - 0x700]
            //   50                   | push                eax

        $sequence_6 = { 56 57 68???????? c605????????4b c605????????43 }
            // n = 5, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   68????????           |                     
            //   c605????????4b       |                     
            //   c605????????43       |                     

        $sequence_7 = { 50 8d8500ffffff 50 ff15???????? 85c0 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   8d8500ffffff         | lea                 eax, [ebp - 0x100]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_8 = { 8d8500feffff 6800010000 50 ff15???????? 8d8500feffff 68???????? }
            // n = 6, score = 100
            //   8d8500feffff         | lea                 eax, [ebp - 0x200]
            //   6800010000           | push                0x100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d8500feffff         | lea                 eax, [ebp - 0x200]
            //   68????????           |                     

        $sequence_9 = { 8bec 81ec00070000 53 56 57 }
            // n = 5, score = 100
            //   8bec                 | mov                 ebp, esp
            //   81ec00070000         | sub                 esp, 0x700
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi

    condition:
        7 of them and filesize < 49152
}
Download all Yara Rules