win.badcall

BADCALL

Actor(s): Lazarus Group


There is no description at this point.

References
2020-02-19 — Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2019-09-09 — CISA
@online{cisa:20190909:malware:f266520, author = {CISA}, title = {{Malware Analysis Report (AR19-252A)}}, date = {2019-09-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar19-252a}, language = {English}, urldate = {2020-01-07} } Malware Analysis Report (AR19-252A)
BADCALL BADCALL
Yara Rules
[TLP:WHITE] win_badcall_auto (20220516 | Detects win.badcall.)
rule win_badcall_auto {

    /* Autogenerated YARA-Signator rule for the Malpedia family win.badcall
     * (BADCALL, attributed on this page to Lazarus Group).  Each $sequence_N
     * below is a short run of 32-bit x86 instruction bytes lifted from the
     * disassembly of unpacked samples / memory dumps (see DISCLAIMER).  The
     * "n = …, score = …" figures live in comments only: n is the instruction
     * count of the sequence, and score is YARA-Signator's ranking metadata;
     * neither affects matching.  The "??" bytes are YARA wildcards; they
     * stand where the generator blanked out relocatable operands (rel32
     * call/jump targets, absolute data addresses, immediates) — presumably so
     * the rule does not depend on one sample's load address or layout; see
     * signator_config ("callsandjumps;datarefs;binvalue") for the selection
     * classes used.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.badcall."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.badcall"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Sequences 0-13 carry score 300, sequences 14-15 score 200 (comment
        // metadata only).  No single sequence is required; see condition.
        $sequence_0 = { c20800 53 8b5c2410 57 53 }
            // n = 5, score = 300
            //   c20800               | ret                 8
            //   53                   | push                ebx
            //   8b5c2410             | mov                 ebx, dword ptr [esp + 0x10]
            //   57                   | push                edi
            //   53                   | push                ebx

        $sequence_1 = { 83c40c 85c0 7e06 03f0 3bf7 7ce1 }
            // n = 6, score = 300
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   7e06                 | jle                 8
            //   03f0                 | add                 esi, eax
            //   3bf7                 | cmp                 esi, edi
            //   7ce1                 | jl                  0xffffffe3

        $sequence_2 = { 51 8bce e8???????? 85c0 7407 5f }
            // n = 6, score = 300
            //   51                   | push                ecx
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   5f                   | pop                 edi

        $sequence_3 = { 68???????? a3???????? a3???????? a3???????? a1???????? 50 c705????????04000000 }
            // n = 7, score = 300
            //   68????????           |                     
            //   a3????????           |                     
            //   a3????????           |                     
            //   a3????????           |                     
            //   a1????????           |                     
            //   50                   | push                eax
            //   c705????????04000000     |     

        $sequence_4 = { 52 c744241800000000 ffd3 5e 5d }
            // n = 5, score = 300
            //   52                   | push                edx
            //   c744241800000000     | mov                 dword ptr [esp + 0x18], 0
            //   ffd3                 | call                ebx
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp

        $sequence_5 = { 8b442404 48 7455 48 }
            // n = 4, score = 300
            //   8b442404             | mov                 eax, dword ptr [esp + 4]
            //   48                   | dec                 eax
            //   7455                 | je                  0x57
            //   48                   | dec                 eax

        $sequence_6 = { 68ffff0000 50 66c74424180100 66c744241a0000 ff15???????? }
            // n = 5, score = 300
            //   68ffff0000           | push                0xffff
            //   50                   | push                eax
            //   66c74424180100       | mov                 word ptr [esp + 0x18], 1
            //   66c744241a0000       | mov                 word ptr [esp + 0x1a], 0
            //   ff15????????         |                     

        $sequence_7 = { ff15???????? c20400 c705????????01000000 a1???????? 68???????? }
            // n = 5, score = 300
            //   ff15????????         |                     
            //   c20400               | ret                 4
            //   c705????????01000000     |     
            //   a1????????           |                     
            //   68????????           |                     

        $sequence_8 = { 89542412 6689542416 ff15???????? 8b4e04 6689442406 8d442404 }
            // n = 6, score = 300
            //   89542412             | mov                 dword ptr [esp + 0x12], edx
            //   6689542416           | mov                 word ptr [esp + 0x16], dx
            //   ff15????????         |                     
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   6689442406           | mov                 word ptr [esp + 6], ax
            //   8d442404             | lea                 eax, [esp + 4]

        $sequence_9 = { 50 c705????????04000000 ff15???????? c20400 a1???????? 68???????? }
            // n = 6, score = 300
            //   50                   | push                eax
            //   c705????????04000000     |     
            //   ff15????????         |                     
            //   c20400               | ret                 4
            //   a1????????           |                     
            //   68????????           |                     

        $sequence_10 = { 83e803 7557 33c0 68???????? a3???????? a3???????? }
            // n = 6, score = 300
            //   83e803               | sub                 eax, 3
            //   7557                 | jne                 0x59
            //   33c0                 | xor                 eax, eax
            //   68????????           |                     
            //   a3????????           |                     
            //   a3????????           |                     

        $sequence_11 = { 7455 48 7434 83e803 }
            // n = 4, score = 300
            //   7455                 | je                  0x57
            //   48                   | dec                 eax
            //   7434                 | je                  0x36
            //   83e803               | sub                 eax, 3

        $sequence_12 = { e8???????? 8b4604 8bcf 50 e8???????? 5f b801000000 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   8bcf                 | mov                 ecx, edi
            //   50                   | push                eax
            //   e8????????           |                     
            //   5f                   | pop                 edi
            //   b801000000           | mov                 eax, 1

        $sequence_13 = { 8d7c2411 895c2408 f3ab 66ab aa }
            // n = 5, score = 300
            //   8d7c2411             | lea                 edi, [esp + 0x11]
            //   895c2408             | mov                 dword ptr [esp + 8], ebx
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   aa                   | stosb               byte ptr es:[edi], al

        $sequence_14 = { 2bfd 83c408 d1ff 66c7847c3e0100000000 }
            // n = 4, score = 200
            //   2bfd                 | sub                 edi, ebp
            //   83c408               | add                 esp, 8
            //   d1ff                 | sar                 edi, 1
            //   66c7847c3e0100000000     | mov    word ptr [esp + edi*2 + 0x13e], 0

        $sequence_15 = { 83c408 53 e8???????? 83c404 85c0 7426 53 }
            // n = 7, score = 200
            //   83c408               | add                 esp, 8
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   7426                 | je                  0x28
            //   53                   | push                ebx

    condition:
        // Fires when any 7 of the 16 sequences are present and the scanned
        // object is under 483328 bytes.  Two practical caveats for deployment:
        // (1) filesize is only meaningful for file scans — YARA documents that
        // a filesize-dependent condition does not match when the rule is
        // applied to a running process, so run this rule against on-disk
        // files or dumped images rather than via process scanning;
        // (2) the sequences were selected from unpacked code / memory dumps
        // (see DISCLAIMER), so a packed sample on disk may not trigger it —
        // treat a miss on a packed file as inconclusive, not as a clean verdict.
        7 of them and filesize < 483328
}