SYMBOLCOMMON_NAMEaka. SYNONYMS
win.badcall (Back to overview)

BADCALL

Actor(s): Lazarus Group

There is no description at this point.

References
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2019-09-09CISACISA
@online{cisa:20190909:malware:f266520, author = {CISA}, title = {{Malware Analysis Report (AR19-252A)}}, date = {2019-09-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar19-252a}, language = {English}, urldate = {2020-01-07} } Malware Analysis Report (AR19-252A)
BADCALL BADCALL
Yara Rules
[TLP:WHITE] win_badcall_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_badcall_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.badcall"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { aa b940000000 33c0 8d7c2411 895c2408 f3ab }
            // n = 6, score = 300
            //   aa                   | stosb               byte ptr es:[edi], al
            //   b940000000           | mov                 ecx, 0x40
            //   33c0                 | xor                 eax, eax
            //   8d7c2411             | lea                 edi, [esp + 0x11]
            //   895c2408             | mov                 dword ptr [esp + 8], ebx
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax

        $sequence_1 = { 8bf1 e8???????? 8b442408 894610 e8???????? }
            // n = 5, score = 300
            //   8bf1                 | mov                 esi, ecx
            //   e8????????           |                     
            //   8b442408             | mov                 eax, dword ptr [esp + 8]
            //   894610               | mov                 dword ptr [esi + 0x10], eax
            //   e8????????           |                     

        $sequence_2 = { f7d1 49 be???????? 8bc1 8bd1 }
            // n = 5, score = 300
            //   f7d1                 | not                 ecx
            //   49                   | dec                 ecx
            //   be????????           |                     
            //   8bc1                 | mov                 eax, ecx
            //   8bd1                 | mov                 edx, ecx

        $sequence_3 = { 7615 8a4c2408 8a542420 3aca }
            // n = 4, score = 300
            //   7615                 | jbe                 0x17
            //   8a4c2408             | mov                 cl, byte ptr [esp + 8]
            //   8a542420             | mov                 dl, byte ptr [esp + 0x20]
            //   3aca                 | cmp                 cl, dl

        $sequence_4 = { 8b442404 48 7455 48 }
            // n = 4, score = 300
            //   8b442404             | mov                 eax, dword ptr [esp + 4]
            //   48                   | dec                 eax
            //   7455                 | je                  0x57
            //   48                   | dec                 eax

        $sequence_5 = { 7455 48 7434 83e803 7557 }
            // n = 5, score = 300
            //   7455                 | je                  0x57
            //   48                   | dec                 eax
            //   7434                 | je                  0x36
            //   83e803               | sub                 eax, 3
            //   7557                 | jne                 0x59

        $sequence_6 = { 7557 33c0 68???????? a3???????? a3???????? }
            // n = 5, score = 300
            //   7557                 | jne                 0x59
            //   33c0                 | xor                 eax, eax
            //   68????????           |                     
            //   a3????????           |                     
            //   a3????????           |                     

        $sequence_7 = { a1???????? 50 c705????????04000000 ff15???????? c20400 }
            // n = 5, score = 300
            //   a1????????           |                     
            //   50                   | push                eax
            //   c705????????04000000     |     
            //   ff15????????         |                     
            //   c20400               | ret                 4

        $sequence_8 = { ff15???????? c20400 c705????????01000000 a1???????? }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   c20400               | ret                 4
            //   c705????????01000000     |     
            //   a1????????           |                     

        $sequence_9 = { 8b5604 8d4c2408 6a10 51 }
            // n = 4, score = 300
            //   8b5604               | mov                 edx, dword ptr [esi + 4]
            //   8d4c2408             | lea                 ecx, [esp + 8]
            //   6a10                 | push                0x10
            //   51                   | push                ecx

        $sequence_10 = { ff15???????? c20400 a1???????? 68???????? 50 }
            // n = 5, score = 300
            //   ff15????????         |                     
            //   c20400               | ret                 4
            //   a1????????           |                     
            //   68????????           |                     
            //   50                   | push                eax

        $sequence_11 = { 8bf0 83feff 7450 6a14 6a40 }
            // n = 5, score = 300
            //   8bf0                 | mov                 esi, eax
            //   83feff               | cmp                 esi, -1
            //   7450                 | je                  0x52
            //   6a14                 | push                0x14
            //   6a40                 | push                0x40

        $sequence_12 = { 6a32 ffd7 eb87 8d4c2424 e8???????? }
            // n = 5, score = 300
            //   6a32                 | push                0x32
            //   ffd7                 | call                edi
            //   eb87                 | jmp                 0xffffff89
            //   8d4c2424             | lea                 ecx, [esp + 0x24]
            //   e8????????           |                     

        $sequence_13 = { 83f8ff 740d 5f b801000000 }
            // n = 4, score = 300
            //   83f8ff               | cmp                 eax, -1
            //   740d                 | je                  0xf
            //   5f                   | pop                 edi
            //   b801000000           | mov                 eax, 1

        $sequence_14 = { 89563c 89777c 5f 5e }
            // n = 4, score = 200
            //   89563c               | mov                 dword ptr [esi + 0x3c], edx
            //   89777c               | mov                 dword ptr [edi + 0x7c], esi
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_15 = { 8b5628 51 52 ff5624 8b442420 83c408 }
            // n = 6, score = 200
            //   8b5628               | mov                 edx, dword ptr [esi + 0x28]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   ff5624               | call                dword ptr [esi + 0x24]
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   83c408               | add                 esp, 8

    condition:
        7 of them and filesize < 483328
}
Download all Yara Rules