SYMBOLCOMMON_NAMEaka. SYNONYMS
win.badcall (Back to overview)

BADCALL

Actor(s): Lazarus Group

There is no description at this point.

References
2021-09-04cocomelonccocomelonc
@online{cocomelonc:20210904:av:06b27c5, author = {cocomelonc}, title = {{AV engines evasion for C++ simple malware: part 1}}, date = {2021-09-04}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html}, language = {English}, urldate = {2022-11-28} } AV engines evasion for C++ simple malware: part 1
4h_rat Azorult BADCALL BadNews BazarBackdoor Cardinal RAT
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2019-09-09CISACISA
@online{cisa:20190909:malware:f266520, author = {CISA}, title = {{Malware Analysis Report (AR19-252A)}}, date = {2019-09-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar19-252a}, language = {English}, urldate = {2020-01-07} } Malware Analysis Report (AR19-252A)
BADCALL BADCALL
Yara Rules
[TLP:WHITE] win_badcall_auto (20221125 | Detects win.badcall.)
rule win_badcall_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.badcall."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.badcall"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { a1???????? 50 c705????????04000000 ff15???????? }
            // n = 4, score = 300
            //   a1????????           |                     
            //   50                   | push                eax
            //   c705????????04000000     |     
            //   ff15????????         |                     

        $sequence_1 = { 50 e8???????? 83c404 8b7604 85f6 7409 }
            // n = 6, score = 300
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8b7604               | mov                 esi, dword ptr [esi + 4]
            //   85f6                 | test                esi, esi
            //   7409                 | je                  0xb

        $sequence_2 = { 83c408 8d4c2410 83c618 6a04 }
            // n = 4, score = 300
            //   83c408               | add                 esp, 8
            //   8d4c2410             | lea                 ecx, [esp + 0x10]
            //   83c618               | add                 esi, 0x18
            //   6a04                 | push                4

        $sequence_3 = { 66c744241a0000 ff15???????? 8b5604 6a02 52 ff15???????? 8b4604 }
            // n = 7, score = 300
            //   66c744241a0000       | mov                 word ptr [esp + 0x1a], 0
            //   ff15????????         |                     
            //   8b5604               | mov                 edx, dword ptr [esi + 4]
            //   6a02                 | push                2
            //   52                   | push                edx
            //   ff15????????         |                     
            //   8b4604               | mov                 eax, dword ptr [esi + 4]

        $sequence_4 = { c705????????04000000 ff15???????? c20400 a1???????? 68???????? }
            // n = 5, score = 300
            //   c705????????04000000     |     
            //   ff15????????         |                     
            //   c20400               | ret                 4
            //   a1????????           |                     
            //   68????????           |                     

        $sequence_5 = { 7434 83e803 7557 33c0 }
            // n = 4, score = 300
            //   7434                 | je                  0x36
            //   83e803               | sub                 eax, 3
            //   7557                 | jne                 0x59
            //   33c0                 | xor                 eax, eax

        $sequence_6 = { c705????????01000000 a1???????? 68???????? 50 }
            // n = 4, score = 300
            //   c705????????01000000     |     
            //   a1????????           |                     
            //   68????????           |                     
            //   50                   | push                eax

        $sequence_7 = { 83c618 6a04 51 8bce e8???????? 85c0 }
            // n = 6, score = 300
            //   83c618               | add                 esi, 0x18
            //   6a04                 | push                4
            //   51                   | push                ecx
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_8 = { 83c408 8bce 57 53 e8???????? f7d8 }
            // n = 6, score = 300
            //   83c408               | add                 esp, 8
            //   8bce                 | mov                 ecx, esi
            //   57                   | push                edi
            //   53                   | push                ebx
            //   e8????????           |                     
            //   f7d8                 | neg                 eax

        $sequence_9 = { ff15???????? c20400 c705????????01000000 a1???????? }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   c20400               | ret                 4
            //   c705????????01000000     |     
            //   a1????????           |                     

        $sequence_10 = { 5f b801000000 5b 81c40c030000 c3 5f b801000000 }
            // n = 7, score = 300
            //   5f                   | pop                 edi
            //   b801000000           | mov                 eax, 1
            //   5b                   | pop                 ebx
            //   81c40c030000         | add                 esp, 0x30c
            //   c3                   | ret                 
            //   5f                   | pop                 edi
            //   b801000000           | mov                 eax, 1

        $sequence_11 = { 7557 33c0 68???????? a3???????? }
            // n = 4, score = 300
            //   7557                 | jne                 0x59
            //   33c0                 | xor                 eax, eax
            //   68????????           |                     
            //   a3????????           |                     

        $sequence_12 = { 7509 b801000000 5e c20400 8b4c2408 51 }
            // n = 6, score = 300
            //   7509                 | jne                 0xb
            //   b801000000           | mov                 eax, 1
            //   5e                   | pop                 esi
            //   c20400               | ret                 4
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   51                   | push                ecx

        $sequence_13 = { 8d442408 6a78 8d4c2410 50 51 8b4e04 }
            // n = 6, score = 300
            //   8d442408             | lea                 eax, [esp + 8]
            //   6a78                 | push                0x78
            //   8d4c2410             | lea                 ecx, [esp + 0x10]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]

        $sequence_14 = { 8b442404 48 7455 48 7434 }
            // n = 5, score = 300
            //   8b442404             | mov                 eax, dword ptr [esp + 4]
            //   48                   | dec                 eax
            //   7455                 | je                  0x57
            //   48                   | dec                 eax
            //   7434                 | je                  0x36

    condition:
        7 of them and filesize < 483328
}
Download all Yara Rules