win.bandook

Bandook

aka: Bandok

Actor(s): Dark Caracal


There is no description at this point.

References
2021-07-07 | ESET Research | Fernando Tavella, Matías Porolli
@online{tavella:20210707:bandidos:f734d08, author = {Fernando Tavella and Matías Porolli}, title = {{Bandidos at large: A spying campaign in Latin America}}, date = {2021-07-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/}, language = {English}, urldate = {2021-07-09} } Bandidos at large: A spying campaign in Latin America
Bandook
2020-12-10 | Electronic Frontier Foundation | Cooper Quintin, Eva Galperin
@online{quintin:20201210:dark:8ea58ac, author = {Cooper Quintin and Eva Galperin}, title = {{Dark Caracal: You Missed a Spot}}, date = {2020-12-10}, organization = {Electronic Frontier Foundation}, url = {https://www.eff.org/deeplinks/2020/12/dark-caracal-you-missed-spot}, language = {English}, urldate = {2020-12-11} } Dark Caracal: You Missed a Spot
Bandook
2020-11-26 | Checkpoint | Check Point Research
@online{research:20201126:bandook:7796023, author = {Check Point Research}, title = {{Bandook: Signed & Delivered}}, date = {2020-11-26}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/bandook-signed-delivered/}, language = {English}, urldate = {2020-12-01} } Bandook: Signed & Delivered
Bandook
2018-01-18 | Lookout | Andrew Blaich, Apurva Kumar, Jeremy Richards, Michael Flossman, Cooper Quintin, Eva Galperin
@techreport{blaich:20180118:dark:31c31f6, author = {Andrew Blaich and Apurva Kumar and Jeremy Richards and Michael Flossman and Cooper Quintin and Eva Galperin}, title = {{Dark Caracal: Cyber-espionage at a Global Scale}}, date = {2018-01-18}, institution = {Lookout}, url = {https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf}, language = {English}, urldate = {2020-06-08} } Dark Caracal: Cyber-espionage at a Global Scale
CrossRAT Bandook Dark Caracal
2016-08 | Electronic Frontier Foundation | Eva Galperin, Cooper Quintin, Morgan Marquis-Boire, Claudio Guarnieri
@techreport{galperin:201608:operation:38ba7ff, author = {Eva Galperin and Cooper Quintin and Morgan Marquis-Boire and Claudio Guarnieri}, title = {{Operation Manul}}, date = {2016-08}, institution = {Electronic Frontier Foundation}, url = {https://www.eff.org/files/2018/01/29/operation-manul.pdf}, language = {English}, urldate = {2020-06-08} } Operation Manul
jRAT Bandook
Yara Rules
[TLP:WHITE] win_bandook_auto (20210616 | Detects win.bandook.)
// Autogenerated YARA-Signator rule for the Bandook Windows family (win.bandook).
// It fires when at least 7 of the 10 disassembly-derived byte sequences below are
// present in a file smaller than 23088128 bytes. Each $sequence_N is a contiguous
// 32-bit x86 instruction run; bytes shown as ?? are operands (call/jump targets,
// absolute addresses, immediates) that differ between builds and are wildcarded,
// which is why their disassembly column is blank.
rule win_bandook_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.bandook."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bandook"
        malpedia_rule_date = "20210604"
        // NOTE(review): malpedia_hash is presumably the revision of the Malpedia
        // data set the rule was generated from, not a sample hash — confirm before
        // using it as an IoC.
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Register saves plus two zero arguments pushed for a call; generic and
        // short (6 bytes), so on its own it carries little specificity.
        $sequence_0 = { 56 57 8b08 8b5808 6a00 6a00 }
            // n = 6, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8b5808               | mov                 ebx, dword ptr [eax + 8]
            //   6a00                 | push                0
            //   6a00                 | push                0

        // Call with a stack-buffer address in a ~1 KiB frame slot ([ebp - 0x410]);
        // call targets and the absolute load address are wildcarded.
        $sequence_1 = { 50 e8???????? 8b0d???????? 8d95f0fbffff 83c414 e8???????? 6a00 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b0d????????         |                     
            //   8d95f0fbffff         | lea                 edx, dword ptr [ebp - 0x410]
            //   83c414               | add                 esp, 0x14
            //   e8????????           |                     
            //   6a00                 | push                0

        // NOTE(review): pushes eax, 0 and 0x1f0fff then calls through edi. 0x1f0fff
        // is the value of PROCESS_ALL_ACCESS on older SDKs, so this is consistent
        // with an OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid) call — an inference
        // from the constant, not something the rule asserts.
        $sequence_2 = { 50 6a00 68ff0f1f00 ffd7 6a00 50 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   6a00                 | push                0
            //   68ff0f1f00           | push                0x1f0fff
            //   ffd7                 | call                edi
            //   6a00                 | push                0
            //   50                   | push                eax

        // thiscall-style entry (this in ecx saved to esi) followed by a call and a
        // pushed string/address operand (wildcarded) with a 0x104-byte stack buffer.
        $sequence_3 = { 8bf1 6a00 50 e8???????? 56 8d85fcfeffff 68???????? }
            // n = 7, score = 100
            //   8bf1                 | mov                 esi, ecx
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     
            //   56                   | push                esi
            //   8d85fcfeffff         | lea                 eax, dword ptr [ebp - 0x104]
            //   68????????           |                     

        // NOTE(review): size = 0, capacity = 0xf, first byte = 0 at [esi] looks like
        // the inlined initialization of an MSVC std::string (small-string buffer).
        // That would make it a runtime/compiler idiom rather than family code, so
        // treat its contribution to the 7-of-10 threshold as low-specificity.
        $sequence_4 = { e8???????? 83c408 8d4c2421 c7461000000000 c746140f000000 c60600 3bc1 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8d4c2421             | lea                 ecx, dword ptr [esp + 0x21]
            //   c7461000000000       | mov                 dword ptr [esi + 0x10], 0
            //   c746140f000000       | mov                 dword ptr [esi + 0x14], 0xf
            //   c60600               | mov                 byte ptr [esi], 0
            //   3bc1                 | cmp                 eax, ecx

        // Indirect call via edi followed by a wildcarded immediate load into ecx;
        // the trailing nop is alignment padding (5-byte sequence).
        $sequence_5 = { 53 ffd7 b9???????? 8bc6 90 }
            // n = 5, score = 100
            //   53                   | push                ebx
            //   ffd7                 | call                edi
            //   b9????????           |                     
            //   8bc6                 | mov                 eax, esi
            //   90                   | nop                 

        // Table-driven byte transform: two lookups through a byte table at
        // 0x131c9d78 and XORs against dword tables at 0x131ec3a2 / 0x131ec3a3.
        // NOTE(review): these absolute addresses are matched literally (not
        // wildcarded), so this sequence is likely tied to the image base of the
        // sampled build and may miss rebased or relocated copies.
        $sequence_6 = { 8b5310 0fb680789d1c13 3334c5a2c31e13 8b45f0 0fb600 0fb680789d1c13 3334c5a3c31e13 }
            // n = 7, score = 100
            //   8b5310               | mov                 edx, dword ptr [ebx + 0x10]
            //   0fb680789d1c13       | movzx               eax, byte ptr [eax + 0x131c9d78]
            //   3334c5a2c31e13       | xor                 esi, dword ptr [eax*8 + 0x131ec3a2]
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   0fb600               | movzx               eax, byte ptr [eax]
            //   0fb680789d1c13       | movzx               eax, byte ptr [eax + 0x131c9d78]
            //   3334c5a3c31e13       | xor                 esi, dword ptr [eax*8 + 0x131ec3a3]

        // Two consecutive calls taking the same 0x40c-byte stack buffer ([ebp - 0x40c])
        // as an argument; the pushed constant and both call targets are wildcarded.
        $sequence_7 = { 8d85f4fbffff 68???????? 50 e8???????? 83c410 8d85f4fbffff 50 }
            // n = 7, score = 100
            //   8d85f4fbffff         | lea                 eax, dword ptr [ebp - 0x40c]
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   8d85f4fbffff         | lea                 eax, dword ptr [ebp - 0x40c]
            //   50                   | push                eax

        // NOTE(review): frame setup with an 8-byte-aligned stack, a 0x49dd4-byte
        // frame and `xor eax, esp` stored at the top of the frame looks like a
        // compiler-generated stack-cookie prologue. The large frame size is the
        // distinguishing value; the prologue shape itself is compiler-specific.
        $sequence_8 = { 8bec 83e4f8 b8d49d0400 e8???????? a1???????? 33c4 898424d09d0400 }
            // n = 7, score = 100
            //   8bec                 | mov                 ebp, esp
            //   83e4f8               | and                 esp, 0xfffffff8
            //   b8d49d0400           | mov                 eax, 0x49dd4
            //   e8????????           |                     
            //   a1????????           |                     
            //   33c4                 | xor                 eax, esp
            //   898424d09d0400       | mov                 dword ptr [esp + 0x49dd0], eax

        // Character-class test: maps a 16-bit value into the range 0x20..0x7a and
        // indexes a byte table at 0x131ceab8, keeping the low nibble.
        // NOTE(review): same caveat as $sequence_6 — the table address is a
        // literal, so the match is likely image-base specific.
        $sequence_9 = { 8d41e0 6683f85a 770f 0fb7c1 0fb688b8ea1c13 83e10f eb02 }
            // n = 7, score = 100
            //   8d41e0               | lea                 eax, dword ptr [ecx - 0x20]
            //   6683f85a             | cmp                 ax, 0x5a
            //   770f                 | ja                  0x11
            //   0fb7c1               | movzx               eax, cx
            //   0fb688b8ea1c13       | movzx               ecx, byte ptr [eax + 0x131ceab8]
            //   83e10f               | and                 ecx, 0xf
            //   eb02                 | jmp                 4

    // At least 7 of the 10 sequences must match; the size bound (23088128 bytes,
    // about 22 MiB) is an upper limit on scanned file size, not a family trait.
    // Because $sequence_6 and $sequence_9 carry literal addresses and $sequence_4 /
    // $sequence_8 look like compiler idioms, expect reduced recall on rebuilt or
    // rebased samples and assign confidence accordingly.
    condition:
        7 of them and filesize < 23088128
}