win.badaudio

BADAUDIO

Actor(s): APT24


According to Google, BADAUDIO is a custom first-stage downloader written in C++ that downloads, decrypts, and executes an AES-encrypted payload from a hard-coded command and control (C2) server. The malware collects basic system information, encrypts it using a hard-coded AES key, and sends it as a cookie value with the GET request to fetch the payload. The payload, in one case identified as Cobalt Strike Beacon, is decrypted with the same key and executed in memory.

References
2026-02-22 — Securite360.net — Muffin
OPSEC on a Budget: What BadAudio Reveals About APT24
BADAUDIO
2025-11-20 — Google — Dan Perez, Harsh Parashar, Tierra Duncan
Beyond the Watering Hole: APT24's Pivot to Multi-Vector Attacks
BADAUDIO Cobalt Strike
Yara Rules
[TLP:WHITE] win_badaudio_auto (20260504 | Detects win.badaudio.)
// Autogenerated Malpedia signature for win.badaudio (the APT24 first-stage downloader
// described above). It matches runs of 32-bit x86 opcodes taken from unpacked code.
rule win_badaudio_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.badaudio."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.badaudio"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Review notes (not part of the generated rule):
     * - Each $sequence_N is a run of 32-bit x86 opcodes; the disassembly listed
     *   beneath each string documents what the bytes encode. The ?? bytes in
     *   $sequence_6 wildcard the rel32 operand of a call (e8), which changes
     *   with code layout.
     * - The "n = ..., score = ..." annotations are generator output. They have no
     *   effect on matching; the condition weighs every sequence equally.
     * - Because the sequences were selected from unpacked code and memory dumps
     *   (see DISCLAIMER), a packed on-disk sample will likely not match until it
     *   is unpacked or dumped.
     */


    strings:
        $sequence_0 = { c7417800000000 c7417c0f000000 c6416800 c7818000000000000000 c7819000000000000000 c781940000000f000000 c6818000000000 }
            // n = 7, score = 300
            //   c7417800000000       | mov                 dword ptr [ecx + 0x78], 0
            //   c7417c0f000000       | mov                 dword ptr [ecx + 0x7c], 0xf
            //   c6416800             | mov                 byte ptr [ecx + 0x68], 0
            //   c7818000000000000000     | mov    dword ptr [ecx + 0x80], 0
            //   c7819000000000000000     | mov    dword ptr [ecx + 0x90], 0
            //   c781940000000f000000     | mov    dword ptr [ecx + 0x94], 0xf
            //   c6818000000000       | mov                 byte ptr [ecx + 0x80], 0

        $sequence_1 = { 89d7 c1c70f 8b74840c 89d3 c1c30d }
            // n = 5, score = 300
            //   89d7                 | mov                 edi, edx
            //   c1c70f               | rol                 edi, 0xf
            //   8b74840c             | mov                 esi, dword ptr [esp + eax*4 + 0xc]
            //   89d3                 | mov                 ebx, edx
            //   c1c30d               | rol                 ebx, 0xd

        $sequence_2 = { 89f2 eb17 8902 894204 894208 89c1 eb22 }
            // n = 7, score = 300
            //   89f2                 | mov                 edx, esi
            //   eb17                 | jmp                 0x19
            //   8902                 | mov                 dword ptr [edx], eax
            //   894204               | mov                 dword ptr [edx + 4], eax
            //   894208               | mov                 dword ptr [edx + 8], eax
            //   89c1                 | mov                 ecx, eax
            //   eb22                 | jmp                 0x24

        $sequence_3 = { 81fa00100000 721c 8b51fc 83c1fc 8955e0 }
            // n = 5, score = 300
            //   81fa00100000         | cmp                 edx, 0x1000
            //   721c                 | jb                  0x1e
            //   8b51fc               | mov                 edx, dword ptr [ecx - 4]
            //   83c1fc               | add                 ecx, -4
            //   8955e0               | mov                 dword ptr [ebp - 0x20], edx

        $sequence_4 = { 8baea8000000 8b4644 83f810 722c }
            // n = 4, score = 300
            //   8baea8000000         | mov                 ebp, dword ptr [esi + 0xa8]
            //   8b4644               | mov                 eax, dword ptr [esi + 0x44]
            //   83f810               | cmp                 eax, 0x10
            //   722c                 | jb                  0x2e

        $sequence_5 = { 732b 83c023 89d1 50 }
            // n = 4, score = 300
            //   732b                 | jae                 0x2d
            //   83c023               | add                 eax, 0x23
            //   89d1                 | mov                 ecx, edx
            //   50                   | push                eax

        $sequence_6 = { 83c414 5d c3 e8???????? 55 83ec14 8db524ffffff }
            // n = 7, score = 300
            //   83c414               | add                 esp, 0x14
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   e8????????           |                     (call rel32; target wildcarded)
            //   55                   | push                ebp
            //   83ec14               | sub                 esp, 0x14
            //   8db524ffffff         | lea                 esi, [ebp - 0xdc]

        $sequence_7 = { c745f001000000 8d4dd4 8d45b8 50 56 }
            // n = 5, score = 300
            //   c745f001000000       | mov                 dword ptr [ebp - 0x10], 1
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   8d45b8               | lea                 eax, [ebp - 0x48]
            //   50                   | push                eax
            //   56                   | push                esi

        $sequence_8 = { 30dd 30fd 886c06fa 88cd 00cd c0f907 }
            // n = 6, score = 300
            //   30dd                 | xor                 ch, bl
            //   30fd                 | xor                 ch, bh
            //   886c06fa             | mov                 byte ptr [esi + eax - 6], ch
            //   88cd                 | mov                 ch, cl
            //   00cd                 | add                 ch, cl
            //   c0f907               | sar                 cl, 7

        $sequence_9 = { 7218 8b79fc 83c1fc 29f9 83f920 0f83a6010000 83c024 }
            // n = 7, score = 300
            //   7218                 | jb                  0x1a
            //   8b79fc               | mov                 edi, dword ptr [ecx - 4]
            //   83c1fc               | add                 ecx, -4
            //   29f9                 | sub                 ecx, edi
            //   83f920               | cmp                 ecx, 0x20
            //   0f83a6010000         | jae                 0x1ac
            //   83c024               | add                 eax, 0x24

    condition:
        // Fires when at least 7 of the 10 $sequence_* strings are present and the
        // scanned object is smaller than 1420288 bytes (~1.35 MiB). Larger containers
        // (bundled installers, large memory dumps) fall outside the rule even if the
        // code is present. YARA leaves filesize undefined when scanning a running
        // process, so this clause can suppress matches in process scans; scan dumped
        // files instead, or drop the size clause for memory scanning after assessing
        // the false-positive impact.
        7 of them and filesize < 1420288
}