SYMBOLCOMMON_NAMEaka. SYNONYMS
win.badcall (Back to overview)

BADCALL

Actor(s): Lazarus Group


There is no description at this point.

References
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2019-09-09CISACISA
@online{cisa:20190909:malware:f266520, author = {CISA}, title = {{Malware Analysis Report (AR19-252A)}}, date = {2019-09-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar19-252a}, language = {English}, urldate = {2020-01-07} } Malware Analysis Report (AR19-252A)
BADCALL BADCALL
Yara Rules
[TLP:WHITE] win_badcall_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_badcall_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.badcall"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 52 50 ff15???????? 8b4c2410 51 ffd6 8b54240c }
            // n = 7, score = 300
            //   52                   | push                edx
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   51                   | push                ecx
            //   ffd6                 | call                esi
            //   8b54240c             | mov                 edx, dword ptr [esp + 0xc]

        $sequence_1 = { 894608 85c0 7509 b801000000 5e c20400 8b4c2408 }
            // n = 7, score = 300
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   85c0                 | test                eax, eax
            //   7509                 | jne                 0xb
            //   b801000000           | mov                 eax, 1
            //   5e                   | pop                 esi
            //   c20400               | ret                 4
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]

        $sequence_2 = { 8d7e2c 8bcf e8???????? 8b4604 }
            // n = 4, score = 300
            //   8d7e2c               | lea                 edi, [esi + 0x2c]
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   8b4604               | mov                 eax, dword ptr [esi + 4]

        $sequence_3 = { 50 51 ff15???????? 5e 83c410 c20800 83c8ff }
            // n = 7, score = 300
            //   50                   | push                eax
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   5e                   | pop                 esi
            //   83c410               | add                 esp, 0x10
            //   c20800               | ret                 8
            //   83c8ff               | or                  eax, 0xffffffff

        $sequence_4 = { 8b442404 48 7455 48 7434 83e803 7557 }
            // n = 7, score = 300
            //   8b442404             | mov                 eax, dword ptr [esp + 4]
            //   48                   | dec                 eax
            //   7455                 | je                  0x57
            //   48                   | dec                 eax
            //   7434                 | je                  0x36
            //   83e803               | sub                 eax, 3
            //   7557                 | jne                 0x59

        $sequence_5 = { 50 c705????????04000000 ff15???????? c20400 a1???????? 68???????? 50 }
            // n = 7, score = 300
            //   50                   | push                eax
            //   c705????????04000000     |     
            //   ff15????????         |                     
            //   c20400               | ret                 4
            //   a1????????           |                     
            //   68????????           |                     
            //   50                   | push                eax

        $sequence_6 = { 6a00 50 68???????? 6a00 6a00 ffd6 6aff }
            // n = 7, score = 300
            //   6a00                 | push                0
            //   50                   | push                eax
            //   68????????           |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ffd6                 | call                esi
            //   6aff                 | push                -1

        $sequence_7 = { ff15???????? c20400 c705????????01000000 a1???????? 68???????? 50 }
            // n = 6, score = 300
            //   ff15????????         |                     
            //   c20400               | ret                 4
            //   c705????????01000000     |     
            //   a1????????           |                     
            //   68????????           |                     
            //   50                   | push                eax

        $sequence_8 = { 5d b801000000 5b 81c414020000 c20c00 8bce e8???????? }
            // n = 7, score = 300
            //   5d                   | pop                 ebp
            //   b801000000           | mov                 eax, 1
            //   5b                   | pop                 ebx
            //   81c414020000         | add                 esp, 0x214
            //   c20c00               | ret                 0xc
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     

        $sequence_9 = { 7557 33c0 68???????? a3???????? a3???????? a3???????? }
            // n = 6, score = 300
            //   7557                 | jne                 0x59
            //   33c0                 | xor                 eax, eax
            //   68????????           |                     
            //   a3????????           |                     
            //   a3????????           |                     
            //   a3????????           |                     

        $sequence_10 = { 8b542408 83c108 8901 8b44240c 895104 8b542410 }
            // n = 6, score = 300
            //   8b542408             | mov                 edx, dword ptr [esp + 8]
            //   83c108               | add                 ecx, 8
            //   8901                 | mov                 dword ptr [ecx], eax
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   895104               | mov                 dword ptr [ecx + 4], edx
            //   8b542410             | mov                 edx, dword ptr [esp + 0x10]

        $sequence_11 = { a3???????? a3???????? a3???????? a1???????? 50 c705????????04000000 ff15???????? }
            // n = 7, score = 300
            //   a3????????           |                     
            //   a3????????           |                     
            //   a3????????           |                     
            //   a1????????           |                     
            //   50                   | push                eax
            //   c705????????04000000     |     
            //   ff15????????         |                     

        $sequence_12 = { 8d4c243c e8???????? 56 ff15???????? b907000000 33c0 }
            // n = 6, score = 300
            //   8d4c243c             | lea                 ecx, [esp + 0x3c]
            //   e8????????           |                     
            //   56                   | push                esi
            //   ff15????????         |                     
            //   b907000000           | mov                 ecx, 7
            //   33c0                 | xor                 eax, eax

        $sequence_13 = { 83f801 0f85f7000000 8b4e3c 8b4658 8b16 03cf }
            // n = 6, score = 200
            //   83f801               | cmp                 eax, 1
            //   0f85f7000000         | jne                 0xfd
            //   8b4e3c               | mov                 ecx, dword ptr [esi + 0x3c]
            //   8b4658               | mov                 eax, dword ptr [esi + 0x58]
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   03cf                 | add                 ecx, edi

        $sequence_14 = { 8b0e 8bd7 2bd1 6afc 03c2 }
            // n = 5, score = 200
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   8bd7                 | mov                 edx, edi
            //   2bd1                 | sub                 edx, ecx
            //   6afc                 | push                -4
            //   03c2                 | add                 eax, edx

        $sequence_15 = { 89542418 894b04 0f8594040000 8b4318 f7d8 1bc0 }
            // n = 6, score = 200
            //   89542418             | mov                 dword ptr [esp + 0x18], edx
            //   894b04               | mov                 dword ptr [ebx + 4], ecx
            //   0f8594040000         | jne                 0x49a
            //   8b4318               | mov                 eax, dword ptr [ebx + 0x18]
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax

    condition:
        7 of them and filesize < 483328
}
Download all Yara Rules