win.bandook (Back to overview)

Bandook

aka: Bandok

Actor(s): Dark Caracal


There is no description at this point.

References
2020-12-10 | Electronic Frontier Foundation | Cooper Quintin, Eva Galperin
@online{quintin:20201210:dark:8ea58ac, author = {Cooper Quintin and Eva Galperin}, title = {{Dark Caracal: You Missed a Spot}}, date = {2020-12-10}, organization = {Electronic Frontier Foundation}, url = {https://www.eff.org/deeplinks/2020/12/dark-caracal-you-missed-spot}, language = {English}, urldate = {2020-12-11} } Dark Caracal: You Missed a Spot
Bandook
2020-11-26 | Checkpoint | Check Point Research
@online{research:20201126:bandook:7796023, author = {Check Point Research}, title = {{Bandook: Signed & Delivered}}, date = {2020-11-26}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/bandook-signed-delivered/}, language = {English}, urldate = {2020-12-01} } Bandook: Signed & Delivered
Bandook
2018-01-18 | Lookout | Andrew Blaich, Apurva Kumar, Jeremy Richards, Michael Flossman, Cooper Quintin, Eva Galperin
@techreport{blaich:20180118:dark:31c31f6, author = {Andrew Blaich and Apurva Kumar and Jeremy Richards and Michael Flossman and Cooper Quintin and Eva Galperin}, title = {{Dark Caracal: Cyber-espionage at a Global Scale}}, date = {2018-01-18}, institution = {Lookout}, url = {https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf}, language = {English}, urldate = {2020-06-08} } Dark Caracal: Cyber-espionage at a Global Scale
CrossRAT Bandook Dark Caracal
2016-08 | Electronic Frontier Foundation | Eva Galperin, Cooper Quintin, Morgan Marquis-Boire, Claudio Guarnieri
@techreport{galperin:201608:operation:38ba7ff, author = {Eva Galperin and Cooper Quintin and Morgan Marquis-Boire and Claudio Guarnieri}, title = {{Operation Manul}}, date = {2016-08}, institution = {Electronic Frontier Foundation}, url = {https://www.eff.org/files/2018/01/29/operation-manul.pdf}, language = {English}, urldate = {2020-06-08} } Operation Manul
jRAT Bandook
Yara Rules
[TLP:WHITE] win_bandook_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_bandook_auto {
    // Auto-generated code-sequence signature for the Bandook Windows backdoor
    // (Malpedia family win.bandook). Every $sequence_* string is a raw x86 byte
    // pattern lifted from disassembly; see the DISCLAIMER below for how the
    // sequences were selected and why coverage of the family may be partial.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bandook"
        malpedia_rule_date = "20201222"
        // Opaque value recorded by the generator; presumably identifies the
        // Malpedia data snapshot the rule was built from -- not documented here.
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Hex strings: each byte pair is matched literally; "??" bytes are wildcards.
        // The generator masks the 4-byte operands of ff15 (call [imm32]), e8 (call rel32),
        // 68 (push imm32) and b8/ba (mov eax/edx, imm32) -- their disassembly column is
        // left blank below -- presumably because those operands are addresses that
        // differ between builds. Jump displacements (eb/74/75/77/72) are kept literal.
        $sequence_0 = { 50 ff15???????? 6a00 8bf0 8d8550f6ffff 50 53 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   8bf0                 | mov                 esi, eax
            //   8d8550f6ffff         | lea                 eax, [ebp - 0x9b0]
            //   50                   | push                eax
            //   53                   | push                ebx

        $sequence_1 = { 50 8d45f4 64a300000000 8bf1 c745fc00000000 8b8624010000 8b8e28010000 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8bf1                 | mov                 esi, ecx
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   8b8624010000         | mov                 eax, dword ptr [esi + 0x124]
            //   8b8e28010000         | mov                 ecx, dword ptr [esi + 0x128]

        $sequence_2 = { 895c2420 332cc591bb1e13 8b0ccd94bb1e13 0fb6c2 8b542410 896c2414 }
            // n = 6, score = 100
            //   895c2420             | mov                 dword ptr [esp + 0x20], ebx
            //   332cc591bb1e13       | xor                 ebp, dword ptr [eax*8 + 0x131ebb91]
            //   8b0ccd94bb1e13       | mov                 ecx, dword ptr [ecx*8 + 0x131ebb94]
            //   0fb6c2               | movzx               eax, dl
            //   8b542410             | mov                 edx, dword ptr [esp + 0x10]
            //   896c2414             | mov                 dword ptr [esp + 0x14], ebp
            // NOTE(review): the absolute operands 0x131ebb91 / 0x131ebb94 are matched
            // literally here rather than wildcarded, so this sequence is tied to the
            // memory layout of the sample it was lifted from and may miss relocated builds.

        $sequence_3 = { ba???????? 0f44ca 51 eb05 68???????? 68???????? 68???????? }
            // n = 7, score = 100
            //   ba????????           |                     
            //   0f44ca               | cmove               ecx, edx
            //   51                   | push                ecx
            //   eb05                 | jmp                 7
            //   68????????           |                     
            //   68????????           |                     
            //   68????????           |                     

        $sequence_4 = { 8b4e18 85c9 743e 837e1400 7438 8b7e20 33db }
            // n = 7, score = 100
            //   8b4e18               | mov                 ecx, dword ptr [esi + 0x18]
            //   85c9                 | test                ecx, ecx
            //   743e                 | je                  0x40
            //   837e1400             | cmp                 dword ptr [esi + 0x14], 0
            //   7438                 | je                  0x3a
            //   8b7e20               | mov                 edi, dword ptr [esi + 0x20]
            //   33db                 | xor                 ebx, ebx

        $sequence_5 = { 0f118514feffff b8???????? 8a08 3a0e 751a 84c9 7412 }
            // n = 7, score = 100
            //   0f118514feffff       | movups              xmmword ptr [ebp - 0x1ec], xmm0
            //   b8????????           |                     
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   3a0e                 | cmp                 cl, byte ptr [esi]
            //   751a                 | jne                 0x1c
            //   84c9                 | test                cl, cl
            //   7412                 | je                  0x14

        $sequence_6 = { 8d8544feffff c645fc02 8b8d38feffff 50 e8???????? 50 51 }
            // n = 7, score = 100
            //   8d8544feffff         | lea                 eax, [ebp - 0x1bc]
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   8b8d38feffff         | mov                 ecx, dword ptr [ebp - 0x1c8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   50                   | push                eax
            //   51                   | push                ecx

        $sequence_7 = { 6800020000 8d85f8fdffff 6a00 50 e8???????? 83c40c c785f4f7ffff00020000 }
            // n = 7, score = 100
            //   6800020000           | push                0x200
            //   8d85f8fdffff         | lea                 eax, [ebp - 0x208]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   c785f4f7ffff00020000     | mov    dword ptr [ebp - 0x80c], 0x200

        $sequence_8 = { 8b461c 8b4e18 3bc7 7706 7216 3bca 7212 }
            // n = 7, score = 100
            //   8b461c               | mov                 eax, dword ptr [esi + 0x1c]
            //   8b4e18               | mov                 ecx, dword ptr [esi + 0x18]
            //   3bc7                 | cmp                 eax, edi
            //   7706                 | ja                  8
            //   7216                 | jb                  0x18
            //   3bca                 | cmp                 ecx, edx
            //   7212                 | jb                  0x14

        $sequence_9 = { 83c40c 8d85f4fdffff ff7604 ff36 68???????? 68???????? }
            // n = 6, score = 100
            //   83c40c               | add                 esp, 0xc
            //   8d85f4fdffff         | lea                 eax, [ebp - 0x20c]
            //   ff7604               | push                dword ptr [esi + 4]
            //   ff36                 | push                dword ptr [esi]
            //   68????????           |                     
            //   68????????           |                     

    condition:
        // Match threshold: at least 7 of the 10 $sequence_* strings must be present.
        // filesize is in bytes (~22 MiB); likely a generator-chosen bound rather than
        // a property of the samples -- confirm before relying on it to skip large files.
        7 of them and filesize < 23088128
}