win.bandook

Bandook

aka: Bandok

Actor(s): Dark Caracal


Bandook is a remote access trojan (RAT) first seen in 2007 that has remained in use for several years. Written in both Delphi and C++, it originated as a commercial RAT developed by a Lebanese author going by the name PrinceAli. Over the years several Bandook variants were leaked online, making the malware publicly available for download.

References
2021-07-19 | Proofpoint | Joe Wise, Konstantin Klinger, Selena Larson, Proofpoint Threat Research Team
New Threat Actor Uses Spanish Language Lures to Distribute Seldom Observed Bandook Malware
@online{wise:20210719:new:cb02a85, author = {Joe Wise and Konstantin Klinger and Selena Larson and Proofpoint Threat Research Team}, title = {{New Threat Actor Uses Spanish Language Lures to Distribute Seldom Observed Bandook Malware}}, date = {2021-07-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-uses-spanish-language-lures-distribute-seldom-observed-bandook}, language = {English}, urldate = {2021-07-26} }
Tags: Bandook

2021-07-07 | ESET Research | Fernando Tavella, Matías Porolli
Bandidos at large: A spying campaign in Latin America
@online{tavella:20210707:bandidos:f734d08, author = {Fernando Tavella and Matías Porolli}, title = {{Bandidos at large: A spying campaign in Latin America}}, date = {2021-07-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/}, language = {English}, urldate = {2021-07-09} }
Tags: Bandook

2020-12-10 | Electronic Frontier Foundation | Cooper Quintin, Eva Galperin
Dark Caracal: You Missed a Spot
@online{quintin:20201210:dark:8ea58ac, author = {Cooper Quintin and Eva Galperin}, title = {{Dark Caracal: You Missed a Spot}}, date = {2020-12-10}, organization = {Electronic Frontier Foundation}, url = {https://www.eff.org/deeplinks/2020/12/dark-caracal-you-missed-spot}, language = {English}, urldate = {2020-12-11} }
Tags: Bandook

2020-11-26 | Checkpoint | Check Point Research
Bandook: Signed & Delivered
@online{research:20201126:bandook:7796023, author = {Check Point Research}, title = {{Bandook: Signed & Delivered}}, date = {2020-11-26}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/bandook-signed-delivered/}, language = {English}, urldate = {2020-12-01} }
Tags: Bandook

2020-11-26 | Check Point | Checkpoint Research
Bandook: Signed & Delivered
@online{research:20201126:bandook:c06ea4b, author = {Checkpoint Research}, title = {{Bandook: Signed & Delivered}}, date = {2020-11-26}, organization = {Check Point}, url = {https://research.checkpoint.com/2020/bandook-signed-delivered}, language = {English}, urldate = {2022-07-13} }
Tags: Bandook, Dark Caracal

2018-01-18 | Lookout | Andrew Blaich, Apurva Kumar, Jeremy Richards, Michael Flossman, Cooper Quintin, Eva Galperin
Dark Caracal: Cyber-espionage at a Global Scale
@techreport{blaich:20180118:dark:31c31f6, author = {Andrew Blaich and Apurva Kumar and Jeremy Richards and Michael Flossman and Cooper Quintin and Eva Galperin}, title = {{Dark Caracal: Cyber-espionage at a Global Scale}}, date = {2018-01-18}, institution = {Lookout}, url = {https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf}, language = {English}, urldate = {2020-06-08} }
Tags: CrossRAT, Bandook, Dark Caracal

2016-08 | Electronic Frontier Foundation | Eva Galperin, Cooper Quintin, Morgan Marquis-Boire, Claudio Guarnieri
Operation Manul
@techreport{galperin:201608:operation:38ba7ff, author = {Eva Galperin and Cooper Quintin and Morgan Marquis-Boire and Claudio Guarnieri}, title = {{Operation Manul}}, date = {2016-08}, institution = {Electronic Frontier Foundation}, url = {https://www.eff.org/files/2018/01/29/operation-manul.pdf}, language = {English}, urldate = {2020-06-08} }
Tags: jRAT, Bandook
Yara Rules
[TLP:WHITE] win_bandook_auto (20221125 | Detects win.bandook.)
rule win_bandook_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.bandook."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bandook"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? 5b 56 ff15???????? 8b4dfc b001 5f }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   5b                   | pop                 ebx
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   b001                 | mov                 al, 1
            //   5f                   | pop                 edi

        $sequence_1 = { 53 56 8b35???????? 57 ffd6 8bc8 }
            // n = 6, score = 100
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8b35????????         |                     
            //   57                   | push                edi
            //   ffd6                 | call                esi
            //   8bc8                 | mov                 ecx, eax

        $sequence_2 = { a1???????? 0510270000 a3???????? 8b45f8 6810270000 a3???????? 890d???????? }
            // n = 7, score = 100
            //   a1????????           |                     
            //   0510270000           | add                 eax, 0x2710
            //   a3????????           |                     
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   6810270000           | push                0x2710
            //   a3????????           |                     
            //   890d????????         |                     

        $sequence_3 = { 0f45ca 8d55e8 2bd1 8a01 8d4901 88440aff 84c0 }
            // n = 7, score = 100
            //   0f45ca               | cmovne              ecx, edx
            //   8d55e8               | lea                 edx, [ebp - 0x18]
            //   2bd1                 | sub                 edx, ecx
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   8d4901               | lea                 ecx, [ecx + 1]
            //   88440aff             | mov                 byte ptr [edx + ecx - 1], al
            //   84c0                 | test                al, al

        $sequence_4 = { 7408 3a81f8f91c13 7542 8b07 8a10 40 41 }
            // n = 7, score = 100
            //   7408                 | je                  0xa
            //   3a81f8f91c13         | cmp                 al, byte ptr [ecx + 0x131cf9f8]
            //   7542                 | jne                 0x44
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   40                   | inc                 eax
            //   41                   | inc                 ecx

        $sequence_5 = { 59 85c0 7810 3de4000000 7309 8b04c570631d13 5d }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   7810                 | js                  0x12
            //   3de4000000           | cmp                 eax, 0xe4
            //   7309                 | jae                 0xb
            //   8b04c570631d13       | mov                 eax, dword ptr [eax*8 + 0x131d6370]
            //   5d                   | pop                 ebp

        $sequence_6 = { 8d8df4feffff 8b4614 0f438df4feffff 8b5610 2bc2 8bbd04ffffff 3bf8 }
            // n = 7, score = 100
            //   8d8df4feffff         | lea                 ecx, [ebp - 0x10c]
            //   8b4614               | mov                 eax, dword ptr [esi + 0x14]
            //   0f438df4feffff       | cmovae              ecx, dword ptr [ebp - 0x10c]
            //   8b5610               | mov                 edx, dword ptr [esi + 0x10]
            //   2bc2                 | sub                 eax, edx
            //   8bbd04ffffff         | mov                 edi, dword ptr [ebp - 0xfc]
            //   3bf8                 | cmp                 edi, eax

        $sequence_7 = { 8b4508 ba???????? 53 56 57 8b08 8b5804 }
            // n = 7, score = 100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   ba????????           |                     
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8b5804               | mov                 ebx, dword ptr [eax + 4]

        $sequence_8 = { 33c0 eb05 1bc0 83c801 85c0 0f857d000000 8d8df8fbffff }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   eb05                 | jmp                 7
            //   1bc0                 | sbb                 eax, eax
            //   83c801               | or                  eax, 1
            //   85c0                 | test                eax, eax
            //   0f857d000000         | jne                 0x83
            //   8d8df8fbffff         | lea                 ecx, [ebp - 0x408]

        $sequence_9 = { 3935???????? 7510 a1???????? 40 a3???????? a3???????? 8d4de8 }
            // n = 7, score = 100
            //   3935????????         |                     
            //   7510                 | jne                 0x12
            //   a1????????           |                     
            //   40                   | inc                 eax
            //   a3????????           |                     
            //   a3????????           |                     
            //   8d4de8               | lea                 ecx, [ebp - 0x18]

    condition:
        7 of them and filesize < 23088128
}