win.bandook

Bandook

aka: Bandok

Actor(s): Dark Caracal


There is no description at this point.

References
2021-07-19 | Proofpoint | Joe Wise, Konstantin Klinger, Selena Larson, Proofpoint Threat Research Team
@online{wise:20210719:new:cb02a85, author = {Joe Wise and Konstantin Klinger and Selena Larson and Proofpoint Threat Research Team}, title = {{New Threat Actor Uses Spanish Language Lures to Distribute Seldom Observed Bandook Malware}}, date = {2021-07-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-uses-spanish-language-lures-distribute-seldom-observed-bandook}, language = {English}, urldate = {2021-07-26} } New Threat Actor Uses Spanish Language Lures to Distribute Seldom Observed Bandook Malware
Bandook
2021-07-07 | ESET Research | Fernando Tavella, Matías Porolli
@online{tavella:20210707:bandidos:f734d08, author = {Fernando Tavella and Matías Porolli}, title = {{Bandidos at large: A spying campaign in Latin America}}, date = {2021-07-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/}, language = {English}, urldate = {2021-07-09} } Bandidos at large: A spying campaign in Latin America
Bandook
2020-12-10 | Electronic Frontier Foundation | Cooper Quintin, Eva Galperin
@online{quintin:20201210:dark:8ea58ac, author = {Cooper Quintin and Eva Galperin}, title = {{Dark Caracal: You Missed a Spot}}, date = {2020-12-10}, organization = {Electronic Frontier Foundation}, url = {https://www.eff.org/deeplinks/2020/12/dark-caracal-you-missed-spot}, language = {English}, urldate = {2020-12-11} } Dark Caracal: You Missed a Spot
Bandook
2020-11-26 | Checkpoint | Check Point Research
@online{research:20201126:bandook:7796023, author = {Check Point Research}, title = {{Bandook: Signed & Delivered}}, date = {2020-11-26}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/bandook-signed-delivered/}, language = {English}, urldate = {2020-12-01} } Bandook: Signed & Delivered
Bandook
2018-01-18 | Lookout | Andrew Blaich, Apurva Kumar, Jeremy Richards, Michael Flossman, Cooper Quintin, Eva Galperin
@techreport{blaich:20180118:dark:31c31f6, author = {Andrew Blaich and Apurva Kumar and Jeremy Richards and Michael Flossman and Cooper Quintin and Eva Galperin}, title = {{Dark Caracal: Cyber-espionage at a Global Scale}}, date = {2018-01-18}, institution = {Lookout}, url = {https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf}, language = {English}, urldate = {2020-06-08} } Dark Caracal: Cyber-espionage at a Global Scale
CrossRAT Bandook Dark Caracal
2016-08 | Electronic Frontier Foundation | Eva Galperin, Cooper Quintin, Morgan Marquis-Boire, Claudio Guarnieri
@techreport{galperin:201608:operation:38ba7ff, author = {Eva Galperin and Cooper Quintin and Morgan Marquis-Boire and Claudio Guarnieri}, title = {{Operation Manul}}, date = {2016-08}, institution = {Electronic Frontier Foundation}, url = {https://www.eff.org/files/2018/01/29/operation-manul.pdf}, language = {English}, urldate = {2020-06-08} } Operation Manul
jRAT Bandook
Yara Rules
[TLP:WHITE] win_bandook_auto (20211008 | Detects win.bandook.)
/*
 * Auto-generated YARA signature for the Bandook Windows RAT (Malpedia family win.bandook).
 * The rule fires when at least 7 of the 10 $sequence_* code-byte patterns below are
 * present in an input smaller than 23088128 bytes. Per the generator's own disclaimer
 * further down, the byte sequences were taken from unpacked samples and memory dumps,
 * so packed on-disk droppers are unlikely to match; apply it to unpacked binaries or
 * process memory, and treat a hit as a code-similarity indicator rather than proof of
 * the full family (only single samples per family were used as the source).
 */
rule win_bandook_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.bandook."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Generator settings. The names suggest that call/jump targets and data
        // references were masked (the ???????? wildcards in the strings below) while
        // other immediate values were kept — TODO confirm against the yara-signator docs.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bandook"
        malpedia_rule_date = "20211007"
        // NOTE(review): presumably identifies the Malpedia dataset state the rule was
        // generated from, not a sample hash — confirm before treating it as an IoC.
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each pattern is a short run of x86 (32-bit) instruction bytes; the comment
        // block under it is the generator's disassembly. `??` bytes are wildcards, and
        // the corresponding disassembly lines are blank because the operand was masked:
        // e8/e9 (call/jmp rel32), ff15/ff35 (call/push [mem32]) and 68 (push imm32)
        // carry addresses that differ between builds and load addresses.
        // "n" is the instruction count of the sequence; "score" is the generator's
        // ranking value for it.

        // Divides eax by 0xf4240 (1,000,000) and adds 0x64 (100) to the remainder left
        // in edx, around a masked call; stack offsets (ebp-0x244, ebp-0x214) are kept
        // literally, so a recompiled frame layout would break the match.
        $sequence_0 = { b940420f00 f7f9 8d8dbcfdffff 83c264 e8???????? 50 8d95ecfdffff }
            // n = 7, score = 100
            //   b940420f00           | mov                 ecx, 0xf4240
            //   f7f9                 | idiv                ecx
            //   8d8dbcfdffff         | lea                 ecx, dword ptr [ebp - 0x244]
            //   83c264               | add                 edx, 0x64
            //   e8????????           |                     
            //   50                   | push                eax
            //   8d95ecfdffff         | lea                 edx, dword ptr [ebp - 0x214]

        // Two calls through the import table (ff15) with a pushed global (ff35), each
        // passing the address of the same local (ebp-0x34); the import targets are masked.
        $sequence_1 = { ff15???????? ff35???????? 8d45cc 50 ff15???????? 8d45cc 50 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   ff35????????         |                     
            //   8d45cc               | lea                 eax, dword ptr [ebp - 0x34]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d45cc               | lea                 eax, dword ptr [ebp - 0x34]
            //   50                   | push                eax

        // Generic "save result, clean one cdecl argument, test for NULL, push -1" shape;
        // not distinctive on its own, which is why the condition demands several hits.
        $sequence_2 = { 8bd8 83c404 85db 7418 57 53 6aff }
            // n = 7, score = 100
            //   8bd8                 | mov                 ebx, eax
            //   83c404               | add                 esp, 4
            //   85db                 | test                ebx, ebx
            //   7418                 | je                  0x1a
            //   57                   | push                edi
            //   53                   | push                ebx
            //   6aff                 | push                -1

        // Register-indirect calls (call ebx / call esi) — function pointers resolved at
        // runtime rather than direct imports; 0x2710 is 10000.
        $sequence_3 = { e9???????? 6a02 ff35???????? ffd3 ff35???????? ffd6 6810270000 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   6a02                 | push                2
            //   ff35????????         |                     
            //   ffd3                 | call                ebx
            //   ff35????????         |                     
            //   ffd6                 | call                esi
            //   6810270000           | push                0x2710

        // The two immediates are the ASCII bytes "GetS" (0x53746547 little-endian) and
        // "yste" (0x65747379) being written to a stack buffer with stosd — a string
        // assembled in pieces, which looks like the prefix of a GetSystem* API name
        // built at runtime (e.g. for dynamic resolution) — TODO confirm from the sample.
        $sequence_4 = { 5f 57 50 8dbde4fdffff b847657453 ab b879737465 }
            // n = 7, score = 100
            //   5f                   | pop                 edi
            //   57                   | push                edi
            //   50                   | push                eax
            //   8dbde4fdffff         | lea                 edi, dword ptr [ebp - 0x21c]
            //   b847657453           | mov                 eax, 0x53746547
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   b879737465           | mov                 eax, 0x65747379

        // Indirect jump through a table at the absolute address 0x1319ad74 (switch-style
        // dispatch). That address is baked into the pattern, so a sample whose image was
        // relocated or rebuilt with the table elsewhere will not hit this sequence.
        $sequence_5 = { 8b048d74ad1913 ffe0 f7c703000000 7413 }
            // n = 4, score = 100
            //   8b048d74ad1913       | mov                 eax, dword ptr [ecx*4 + 0x1319ad74]
            //   ffe0                 | jmp                 eax
            //   f7c703000000         | test                edi, 3
            //   7413                 | je                  0x15

        // cmovae (conditional move) followed by a NUL byte store at [esi+edi] after a
        // masked call with three arguments cleaned up (add esp, 0xc) — looks like buffer
        // termination after a copy/format call; the callee is unknown here.
        $sequence_6 = { 0f4345bc 03f0 56 e8???????? 83c40c c6043e00 eb24 }
            // n = 7, score = 100
            //   0f4345bc             | cmovae              eax, dword ptr [ebp - 0x44]
            //   03f0                 | add                 esi, eax
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   c6043e00             | mov                 byte ptr [esi + edi], 0
            //   eb24                 | jmp                 0x26

        // Mostly masked: two calls, a 3-argument cleanup and a pushed 32-bit constant
        // (68????????, masked as a data reference). Only the opcodes and the ebp-0x428
        // offset are fixed, so this one is comparatively weak evidence.
        $sequence_7 = { e8???????? 83c40c 8d8dd8fbffff e8???????? 50 68???????? }
            // n = 6, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d8dd8fbffff         | lea                 ecx, dword ptr [ebp - 0x428]
            //   e8????????           |                     
            //   50                   | push                eax
            //   68????????           |                     

        // Byte-scan loop: advance edi one byte at a time until a NUL is read (jne back
        // to the mov). A strlen-style idiom — common in string handling, so the match
        // value comes from the surrounding bytes (the ebp-0x214 load) more than the loop.
        $sequence_8 = { 4f 8a4f01 47 84c9 75f8 8b9decfdffff 8bc8 }
            // n = 7, score = 100
            //   4f                   | dec                 edi
            //   8a4f01               | mov                 cl, byte ptr [edi + 1]
            //   47                   | inc                 edi
            //   84c9                 | test                cl, cl
            //   75f8                 | jne                 0xfffffffa
            //   8b9decfdffff         | mov                 ebx, dword ptr [ebp - 0x214]
            //   8bc8                 | mov                 ecx, eax

        // Function prologue fragment: loads the first stack argument (ebp+8) into esi,
        // dereferences it and pushes a masked global; the jne target (0x2e) is a
        // rule-relative displacement as printed by the generator, not a file offset.
        $sequence_9 = { 56 8b7508 57 752c ff35???????? 8b1e 8d4598 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   57                   | push                edi
            //   752c                 | jne                 0x2e
            //   ff35????????         |                     
            //   8b1e                 | mov                 ebx, dword ptr [esi]
            //   8d4598               | lea                 eax, dword ptr [ebp - 0x68]

    condition:
        // At least 7 of the 10 $sequence_* strings must be present. The size cap
        // (23088128 bytes, roughly 22 MiB) keeps the rule off very large inputs, which
        // also means an oversized memory dump will not match even if the sequences are
        // in it — scan the unpacked module rather than a whole-process dump.
        7 of them and filesize < 23088128
}