win.boxcaon (Back to overview)

BoxCaon


According to Check Point Research, this malware family can download and upload files, run commands, and send the results back to the attackers. It has been observed in use by the threat actor IndigoZebra.

References
2021-07-01 · Check Point · Check Point Research
@online{research:20210701:indigozebra:b9e8c55, author = {Check Point Research}, title = {{IndigoZebra APT continues to attack Central Asia with evolving tools}}, date = {2021-07-01}, organization = {Check Point}, url = {https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/}, language = {English}, urldate = {2021-08-03} } IndigoZebra APT continues to attack Central Asia with evolving tools
BoxCaon xCaon
Yara Rules
[TLP:WHITE] win_boxcaon_auto (20230125 | Detects win.boxcaon.)
rule win_boxcaon_auto {
    // Auto-generated (YARA-Signator) code-sequence signature for the BoxCaon
    // backdoor. Each $sequence_N is a short run of x86 opcode bytes lifted from
    // the disassembly of a reference sample; the commented lines under each
    // string show the decoded instructions. The rule fires when at least 7 of
    // the 10 sequences are present (see condition), so one mutated or relocated
    // sequence does not defeat it, but the sequences come from a limited sample
    // set (see DISCLAIMER) and should be triaged like any code-based signature.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.boxcaon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.boxcaon"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // cmp eax, 0x101 / jge bounds a byte copy at 0x101 (257) and the store
        // targets the absolute address 0x4102b8. Absolute VAs make this
        // sequence image-base dependent: a dump of an image relocated at load
        // time may carry different bytes here and miss this one sequence.
        $sequence_0 = { 3d01010000 7d0d 8a4c181c 8888b8024100 }
            // n = 4, score = 100
            //   3d01010000           | cmp                 eax, 0x101
            //   7d0d                 | jge                 0xf
            //   8a4c181c             | mov                 cl, byte ptr [eax + ebx + 0x1c]
            //   8888b8024100         | mov                 byte ptr [eax + 0x4102b8], cl

        // The five dword immediates land in consecutive stack slots
        // (0x134..0x144). Read as little-endian UTF-16LE bytes they spell
        // "api.dropbo" -- a wide string assembled on the stack instead of being
        // stored as data, which is why a plain string search would not find it.
        // The rest of the string is written outside this sequence.
        $sequence_1 = { 8d542454 8d4c2434 c784243401000061007000 c784243801000069002e00 c784243c01000064007200 c78424400100006f007000 c784244401000062006f00 }
            // n = 7, score = 100
            //   8d542454             | lea                 edx, [esp + 0x54]
            //   8d4c2434             | lea                 ecx, [esp + 0x34]
            //   c784243401000061007000     | mov    dword ptr [esp + 0x134], 0x700061
            //   c784243801000069002e00     | mov    dword ptr [esp + 0x138], 0x2e0069
            //   c784243c01000064007200     | mov    dword ptr [esp + 0x13c], 0x720064
            //   c78424400100006f007000     | mov    dword ptr [esp + 0x140], 0x70006f
            //   c784244401000062006f00     | mov    dword ptr [esp + 0x144], 0x6f0062

        $sequence_2 = { 7202 8b00 51 52 56 eb16 8b85d8afffff }
            // n = 7, score = 100
            //   7202                 | jb                  4
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   56                   | push                esi
            //   eb16                 | jmp                 0x18
            //   8b85d8afffff         | mov                 eax, dword ptr [ebp - 0x5028]

        $sequence_3 = { 8b4508 66833e00 741f 8b4dfc }
            // n = 4, score = 100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   66833e00             | cmp                 word ptr [esi], 0
            //   741f                 | je                  0x21
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_4 = { 5a 6a70 66899424f4000000 8bd0 }
            // n = 4, score = 100
            //   5a                   | pop                 edx
            //   6a70                 | push                0x70
            //   66899424f4000000     | mov                 word ptr [esp + 0xf4], dx
            //   8bd0                 | mov                 edx, eax

        // e8 ???????? is a call whose 4-byte relative target is wildcarded, so
        // the sequence still matches when the callee is placed elsewhere.
        $sequence_5 = { 8b09 57 56 c60100 e8???????? }
            // n = 5, score = 100
            //   8b09                 | mov                 ecx, dword ptr [ecx]
            //   57                   | push                edi
            //   56                   | push                esi
            //   c60100               | mov                 byte ptr [ecx], 0
            //   e8????????           |                     

        // Spans a function boundary: epilogue (mov esp, ebp / pop ebp / ret)
        // followed directly by the next function's prologue (push ebp / mov ebp, esp).
        $sequence_6 = { 8be5 5d c3 55 8bec 85db }
            // n = 6, score = 100
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   85db                 | test                ebx, ebx

        $sequence_7 = { be07000000 33c9 89b42490000000 899c248c000000 66894c247c }
            // n = 5, score = 100
            //   be07000000           | mov                 esi, 7
            //   33c9                 | xor                 ecx, ecx
            //   89b42490000000       | mov                 dword ptr [esp + 0x90], esi
            //   899c248c000000       | mov                 dword ptr [esp + 0x8c], ebx
            //   66894c247c           | mov                 word ptr [esp + 0x7c], cx

        // Zero-extends a 16-bit value and tests it against 0x68 and then 0x69
        // (ASCII 'h' / 'i'); likely a character-based switch, but the dispatch
        // targets are outside this sequence -- confirm in the sample.
        $sequence_8 = { 0fb7c1 83e868 7441 48 7423 8b5514 }
            // n = 6, score = 100
            //   0fb7c1               | movzx               eax, cx
            //   83e868               | sub                 eax, 0x68
            //   7441                 | je                  0x43
            //   48                   | dec                 eax
            //   7423                 | je                  0x25
            //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]

        $sequence_9 = { 83c41c 8bf8 8db42498000000 c68424481d00000f }
            // n = 4, score = 100
            //   83c41c               | add                 esp, 0x1c
            //   8bf8                 | mov                 edi, eax
            //   8db42498000000       | lea                 esi, [esp + 0x98]
            //   c68424481d00000f     | mov                 byte ptr [esp + 0x1d48], 0xf

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned
        // object must be smaller than 256000 bytes (250 KiB). The size clause
        // targets the unpacked/dumped code the sequences were taken from;
        // when scanning something that is not a file (e.g. process memory),
        // check YARA's documented semantics for `filesize` before relying on it.
        7 of them and filesize < 256000
}