win.badcall

BADCALL

Actor(s): Lazarus Group


No description has been written for this family yet; the referenced reports below (Lexfo 2020 whitepaper, CISA Malware Analysis Report AR19-252A) cover the family's analysis.

References
2020-02-19 — Lexfo (Lexfo)
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2019-09-09 — CISA (CISA)
@online{cisa:20190909:malware:f266520, author = {CISA}, title = {{Malware Analysis Report (AR19-252A)}}, date = {2019-09-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar19-252a}, language = {English}, urldate = {2020-01-07} } Malware Analysis Report (AR19-252A)
BADCALL
Yara Rules
[TLP:WHITE] win_badcall_auto (20201014 | autogenerated rule brought to you by yara-signator)
/*
 * Auto-generated code-similarity rule for the BADCALL family (Lazarus Group).
 * Each $sequence_N is a short run of 32-bit x86 instruction bytes lifted from
 * the disassembly of unpacked / memory-dumped samples (see DISCLAIMER below).
 * "????" wildcards mask relocatable operands — absolute addresses in
 * `call [imm32]` / `mov eax, [imm32]` / `push imm32` and `call rel32` targets —
 * so the patterns survive rebasing and differing import layouts.
 * "n" in the per-string comments is the number of instructions in the sequence;
 * "score" presumably reflects how many reference samples contained it
 * (200 vs 100), so the two 100-scored sequences are the weakest evidence —
 * verify against the yara-signator documentation before weighting them.
 */
rule win_badcall_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.badcall"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): because the sequences come from unpacked code, this rule
     * is not expected to fire on packed or encrypted on-disk samples; pair it
     * with unpacking or with scanning of process memory / memory dumps. */

    strings:
        $sequence_0 = { 7e3b 8b4604 8d542418 52 }
            // n = 4, score = 200
            //   7e3b                 | jle                 0x3d
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   8d542418             | lea                 edx, [esp + 0x18]
            //   52                   | push                edx

        $sequence_1 = { 68ffff0000 50 66c74424180100 66c744241a0000 ff15???????? 8b5604 }
            // n = 6, score = 200
            //   68ffff0000           | push                0xffff
            //   50                   | push                eax
            //   66c74424180100       | mov                 word ptr [esp + 0x18], 1
            //   66c744241a0000       | mov                 word ptr [esp + 0x1a], 0
            //   ff15????????         |                     // call [imm32]; import-table address wildcarded
            //   8b5604               | mov                 edx, dword ptr [esi + 4]

        $sequence_2 = { ff15???????? c20400 c705????????01000000 a1???????? 68???????? }
            // n = 5, score = 200
            //   ff15????????         |                     // call [imm32], address wildcarded
            //   c20400               | ret                 4
            //   c705????????01000000     |     // mov dword ptr [imm32], 1; address wildcarded
            //   a1????????           |                     // mov eax, [imm32]; address wildcarded
            //   68????????           |                     // push imm32; value wildcarded

        $sequence_3 = { 7557 33c0 68???????? a3???????? a3???????? }
            // n = 5, score = 200
            //   7557                 | jne                 0x59
            //   33c0                 | xor                 eax, eax
            //   68????????           |                     // push imm32
            //   a3????????           |                     // mov [imm32], eax
            //   a3????????           |                     // mov [imm32], eax

        // Only 6 bytes and a generic dispatch idiom (dec eax / je pairs);
        // individually weak, which is why the condition needs 7 sequences.
        $sequence_4 = { 48 7455 48 7434 }
            // n = 4, score = 200
            //   48                   | dec                 eax
            //   7455                 | je                  0x57
            //   48                   | dec                 eax
            //   7434                 | je                  0x36

        $sequence_5 = { 8d4e2c c744241000000000 e8???????? 8d4e18 c7442410ffffffff e8???????? }
            // n = 6, score = 200
            //   8d4e2c               | lea                 ecx, [esi + 0x2c]
            //   c744241000000000     | mov                 dword ptr [esp + 0x10], 0
            //   e8????????           |                     // call rel32; target wildcarded
            //   8d4e18               | lea                 ecx, [esi + 0x18]
            //   c7442410ffffffff     | mov                 dword ptr [esp + 0x10], 0xffffffff
            //   e8????????           |                     // call rel32; target wildcarded

        // Byte loop adding 0x28 to each element — a small transform routine.
        $sequence_6 = { 80c228 881408 40 3bc6 7cef }
            // n = 5, score = 200
            //   80c228               | add                 dl, 0x28
            //   881408               | mov                 byte ptr [eax + ecx], dl
            //   40                   | inc                 eax
            //   3bc6                 | cmp                 eax, esi
            //   7cef                 | jl                  0xfffffff1

        // Overlaps the dispatch idiom of $sequence_4 and the tail of $sequence_3.
        $sequence_7 = { 48 7434 83e803 7557 33c0 }
            // n = 5, score = 200
            //   48                   | dec                 eax
            //   7434                 | je                  0x36
            //   83e803               | sub                 eax, 3
            //   7557                 | jne                 0x59
            //   33c0                 | xor                 eax, eax

        // Checks an API return value against -1 (INVALID_HANDLE_VALUE-style test).
        $sequence_8 = { e8???????? 50 ff15???????? 8bf0 83feff 7450 6a14 }
            // n = 7, score = 200
            //   e8????????           |                     // call rel32
            //   50                   | push                eax
            //   ff15????????         |                     // call [imm32]
            //   8bf0                 | mov                 esi, eax
            //   83feff               | cmp                 esi, -1
            //   7450                 | je                  0x52
            //   6a14                 | push                0x14

        $sequence_9 = { ff15???????? c20400 a1???????? 68???????? 50 }
            // n = 5, score = 200
            //   ff15????????         |                     // call [imm32]
            //   c20400               | ret                 4
            //   a1????????           |                     // mov eax, [imm32]
            //   68????????           |                     // push imm32
            //   50                   | push                eax

        $sequence_10 = { a3???????? a3???????? a1???????? 50 c705????????04000000 ff15???????? }
            // n = 6, score = 200
            //   a3????????           |                     // mov [imm32], eax
            //   a3????????           |                     // mov [imm32], eax
            //   a1????????           |                     // mov eax, [imm32]
            //   50                   | push                eax
            //   c705????????04000000     |     // mov dword ptr [imm32], 4
            //   ff15????????         |                     // call [imm32]

        $sequence_11 = { e8???????? 83f801 750d 8d4c242c 51 e8???????? }
            // n = 6, score = 200
            //   e8????????           |                     // call rel32
            //   83f801               | cmp                 eax, 1
            //   750d                 | jne                 0xf
            //   8d4c242c             | lea                 ecx, [esp + 0x2c]
            //   51                   | push                ecx
            //   e8????????           |                     // call rel32

        $sequence_12 = { c784243001000001000000 ff15???????? 85c0 7e3b }
            // n = 4, score = 200
            //   c784243001000001000000     | mov    dword ptr [esp + 0x130], 1
            //   ff15????????         |                     // call [imm32]
            //   85c0                 | test                eax, eax
            //   7e3b                 | jle                 0x3d

        $sequence_13 = { 51 8d8c241c010000 51 6a01 8d542420 }
            // n = 5, score = 200
            //   51                   | push                ecx
            //   8d8c241c010000       | lea                 ecx, [esp + 0x11c]
            //   51                   | push                ecx
            //   6a01                 | push                1
            //   8d542420             | lea                 edx, [esp + 0x20]

        // Lower score than the sequences above — weaker evidence on its own.
        $sequence_14 = { 83c004 50 8d44240c 50 e8???????? a1???????? 83c40c }
            // n = 7, score = 100
            //   83c004               | add                 eax, 4
            //   50                   | push                eax
            //   8d44240c             | lea                 eax, [esp + 0xc]
            //   50                   | push                eax
            //   e8????????           |                     // call rel32
            //   a1????????           |                     // mov eax, [imm32]
            //   83c40c               | add                 esp, 0xc

        // Lower score than the sequences above — weaker evidence on its own.
        // Seeds stack bytes with 0xe5 and sets up a 0x8b-length loop.
        $sequence_15 = { b0e5 33ed 88442415 88442420 b98b000000 33c0 8dbc242c010000 }
            // n = 7, score = 100
            //   b0e5                 | mov                 al, 0xe5
            //   33ed                 | xor                 ebp, ebp
            //   88442415             | mov                 byte ptr [esp + 0x15], al
            //   88442420             | mov                 byte ptr [esp + 0x20], al
            //   b98b000000           | mov                 ecx, 0x8b
            //   33c0                 | xor                 eax, eax
            //   8dbc242c010000       | lea                 edi, [esp + 0x12c]

    condition:
        // Require 7 of the 16 sequences: no single short idiom (e.g. the
        // dec/je pair in $sequence_4) can trigger the rule on its own, which
        // keeps false positives on unrelated 32-bit code down.
        // The filesize cap (0x76000) is presumably sized from the reference
        // sample(s) — re-check it before reusing the rule on larger builds.
        // NOTE(review): YARA leaves filesize undefined when scanning process
        // memory, so for memory / dump scans drop or relax this clause.
        7 of them and filesize < 483328
}