win.bubblewrap

BUBBLEWRAP

Actor(s): Temper Panda


BUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy. This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities.

References
2019-01-01 — MITRE — MITRE ATT&CK
Tool description: BUBBLEWRAP
BUBBLEWRAP
2015-12-01 — FireEye — FireEye Threat Intelligence
China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets
BUBBLEWRAP LOWBALL TEMPER PANDA
Yara Rules
[TLP:WHITE] win_bubblewrap_auto (20230808 | Detects win.bubblewrap.)
rule win_bubblewrap_auto {
    // Auto-generated code-sequence rule for the BUBBLEWRAP backdoor (win.bubblewrap).
    // Each $sequence_N is a short run of x86 (32-bit) instruction bytes lifted from
    // the disassembly of a Malpedia sample; immediates that carry addresses are
    // wildcarded (????????) so the rule does not depend on the image base or on
    // relocations. Treat matches as a medium-confidence family indicator: the
    // disclaimer below notes the rule may be derived from a single sample.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.bubblewrap."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bubblewrap"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        // malpedia_version is the Malpedia corpus snapshot the rule was built against;
        // it differs from `date` / malpedia_rule_date, which record when the rule was generated.
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Two immediate pushes, a call, stack cleanup of 8 bytes, then the
        // result in eax is dereferenced at +0 and +4 (a returned pointer read
        // as two dwords). The address stored via 890d???????? is wildcarded.
        $sequence_0 = { 68???????? 68???????? e8???????? 8b08 83c408 890d???????? 8b5004 }
            // n = 7, score = 100
            //   68????????           |                     
            //   68????????           |                     
            //   e8????????           |                     
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   83c408               | add                 esp, 8
            //   890d????????         |                     
            //   8b5004               | mov                 edx, dword ptr [eax + 4]

        // Two indirect calls through esi with a stack buffer at esp+0x64 passed
        // as an argument, followed by ecx = 0x200 (512) — presumably a buffer
        // length for the next call; the callee is not visible here.
        $sequence_1 = { ffd6 8d542464 68???????? 52 ffd6 b900020000 }
            // n = 6, score = 100
            //   ffd6                 | call                esi
            //   8d542464             | lea                 edx, [esp + 0x64]
            //   68????????           |                     
            //   52                   | push                edx
            //   ffd6                 | call                esi
            //   b900020000           | mov                 ecx, 0x200
        
        // Callee-saved register pushes and argument setup (constant 2, a stack
        // address at esp+0x18, ebp) with esi zeroed; generic-looking on its own.
        $sequence_2 = { 56 57 6a02 8d442418 33f6 55 50 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   6a02                 | push                2
            //   8d442418             | lea                 eax, [esp + 0x18]
            //   33f6                 | xor                 esi, esi
            //   55                   | push                ebp
            //   50                   | push                eax

        // Byte store into [edx+ebx], then the classic compiler-inlined strlen
        // idiom (ecx = -1; repne scasb; not ecx; dec ecx leaves ecx = strlen(edi)),
        // then edi is pointed one past [edx+ebx] and the length moved to edx —
        // consistent with a string-append / copy loop.
        $sequence_3 = { 880c1a 83c9ff f2ae f7d1 49 8d7c1a01 8bd1 }
            // n = 7, score = 100
            //   880c1a               | mov                 byte ptr [edx + ebx], cl
            //   83c9ff               | or                  ecx, 0xffffffff
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]
            //   f7d1                 | not                 ecx
            //   49                   | dec                 ecx
            //   8d7c1a01             | lea                 edi, [edx + ebx + 1]
            //   8bd1                 | mov                 edx, ecx

        // Function prologue reserving a 0x208-byte (520) frame, saving
        // ebx/esi/edi and calling an import via an absolute (wildcarded) slot.
        // This shape is common to many compiled binaries, so it adds little
        // specificity by itself; the `7 of them` threshold is what matters.
        $sequence_4 = { 81ec08020000 53 56 57 ff15???????? }
            // n = 5, score = 100
            //   81ec08020000         | sub                 esp, 0x208
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   ff15????????         |                     

        // rep movsd block copy, then 0x170 (368) pushed twice around a call and
        // a stack address at esp+0x48 — looks like a fixed-size (0x170-byte)
        // structure being copied and handed to a helper; the size constant is
        // the distinctive part.
        $sequence_5 = { f3a5 6870010000 e8???????? 8d442448 50 6870010000 }
            // n = 6, score = 100
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   6870010000           | push                0x170
            //   e8????????           |                     
            //   8d442448             | lea                 eax, [esp + 0x48]
            //   50                   | push                eax
            //   6870010000           | push                0x170

        // ebp = (ebp + ebp*8) << 3, i.e. ebp * 72 — an index scaled to a
        // 72-byte element size — then the low 10 bits (& 0x3ff) are isolated
        // into eax. Element meaning is not visible from the bytes; hedge.
        $sequence_6 = { 8d6ced00 89542418 c1e503 8bc5 8bdd 25ff030000 }
            // n = 6, score = 100
            //   8d6ced00             | lea                 ebp, [ebp + ebp*8]
            //   89542418             | mov                 dword ptr [esp + 0x18], edx
            //   c1e503               | shl                 ebp, 3
            //   8bc5                 | mov                 eax, ebp
            //   8bdd                 | mov                 ebx, ebp
            //   25ff030000           | and                 eax, 0x3ff

        // Two byte stores, a backward jl (loop tail), then the callee-saved
        // register pops of a function epilogue. Generic; low weight on its own.
        $sequence_7 = { 880f 8810 7c89 5d 5f 5e 5b }
            // n = 7, score = 100
            //   880f                 | mov                 byte ptr [edi], cl
            //   8810                 | mov                 byte ptr [eax], dl
            //   7c89                 | jl                  0xffffff8b
            //   5d                   | pop                 ebp
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        // Byte-wise construction of a constant blob on the stack at
        // esp+0x1f..esp+0x22 (0x78 0x11 0x06 0x74). Only two of the four bytes
        // are printable ASCII, so this is more likely an encoded table/key
        // fragment than a plain stack string — not confirmed from these bytes.
        $sequence_8 = { c644241f78 c644242011 c644242106 c644242274 }
            // n = 4, score = 100
            //   c644241f78           | mov                 byte ptr [esp + 0x1f], 0x78
            //   c644242011           | mov                 byte ptr [esp + 0x20], 0x11
            //   c644242106           | mov                 byte ptr [esp + 0x21], 6
            //   c644242274           | mov                 byte ptr [esp + 0x22], 0x74

        // Stack cleanup after a one-argument call, branch on bit 0 of the
        // BOOL-style result in al, then another one-argument call with a stack
        // address at esp+0xc.
        $sequence_9 = { 83c404 a801 740d 8d54240c 52 e8???????? 83c404 }
            // n = 7, score = 100
            //   83c404               | add                 esp, 4
            //   a801                 | test                al, 1
            //   740d                 | je                  0xf
            //   8d54240c             | lea                 edx, [esp + 0xc]
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

    condition:
        // Require 7 of the 10 sequences so that the generic prologue/epilogue
        // fragments ($sequence_4, $sequence_7) cannot trigger a match alone.
        // The filesize cap (~55.8 KiB) was derived from the sample(s) the rule
        // was generated from; a repacked, appended-to or padded build may exceed
        // it and be missed. NOTE(review): when scanning process memory rather
        // than files, confirm how your scanner populates `filesize` — it may not
        // correspond to an on-disk size, which can suppress or skew matches.
        7 of them and filesize < 57136
}