win.bubblewrap

BUBBLEWRAP

Actor(s): Temper Panda


BUBBLEWRAP is a full-featured backdoor that persists by configuring itself to run at system boot, and can communicate over HTTP, HTTPS, or through a SOCKS proxy. The backdoor collects system information, including the operating system version and hostname, and includes functionality to check for, upload, and register plugins that further extend its capabilities.

References
2019 — MITRE — MITRE ATT&CK
@online{attck:2019:tool:ae50919, author = {MITRE ATT&CK}, title = {{Tool description: BUBBLEWRAP}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0043/}, language = {English}, urldate = {2019-12-20} } Tool description: BUBBLEWRAP
BUBBLEWRAP
2015-12-01 — FireEye — FireEye Threat Intelligence
@online{intelligence:20151201:chinabased:8836a81, author = {FireEye Threat Intelligence}, title = {{China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets}}, date = {2015-12-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html}, language = {English}, urldate = {2019-12-20} } China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets
BUBBLEWRAP LOWBALL Temper Panda
Yara Rules
[TLP:WHITE] win_bubblewrap_auto (20220411 | Detects win.bubblewrap.)
rule win_bubblewrap_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.bubblewrap."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bubblewrap"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes (added on top of the generated rule; the rule body is unchanged):
     * - Each $sequence_N is a raw 32-bit x86 opcode sequence. The "??" wildcards mask
     *   relative call targets (e8 ..) and absolute data references (be/bf/b8/68 .., and
     *   the 8b3d .. pointer load), so the rule survives relocation of code and data.
     *   $sequence_3 however encodes a fixed 32-bit branch displacement (0f85 65020000),
     *   which only matches while that function's layout is unchanged.
     * - $sequence_1, $sequence_6 and $sequence_8 are the compiler-inlined memcpy idiom
     *   (shr ecx,2 / rep movsd / and ecx,3 / rep movsb). On their own they are weak
     *   evidence and can appear in unrelated binaries; the "7 of them" threshold in the
     *   condition is what keeps the rule specific. Do not lower it without re-testing
     *   against a clean-file corpus.
     * - In each comment block, n is the number of instructions in the sequence and
     *   score is yara-signator's ranking; every sequence here scores 100, so the
     *   score does not differentiate them.
     * - The condition has no PE-header (MZ) or section check. This is consistent with
     *   the disclaimer (strings were taken from memory dumps and unpacked files, which
     *   may lack headers), but it also means the rule will evaluate against any file
     *   under the size cap, not only executables.
     */


    strings:
        // Generic register shuffle with stack-slot loads/stores; not distinctive on its own.
        $sequence_0 = { 8b5c241c 03d7 8bee 89542420 8bd3 }
            // n = 5, score = 100
            //   8b5c241c             | mov                 ebx, dword ptr [esp + 0x1c]
            //   03d7                 | add                 edx, edi
            //   8bee                 | mov                 ebp, esi
            //   89542420             | mov                 dword ptr [esp + 0x20], edx
            //   8bd3                 | mov                 edx, ebx

        // Tail of an inlined memcpy (remaining 0..3 bytes via rep movsb), followed by a
        // 0x400 constant; the 1024-byte value is visible here but its role is not.
        $sequence_1 = { 8b442418 83e103 f3a4 8bcd bf00040000 2bc8 }
            // n = 6, score = 100
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   83e103               | and                 ecx, 3
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   8bcd                 | mov                 ecx, ebp
            //   bf00040000           | mov                 edi, 0x400
            //   2bc8                 | sub                 ecx, eax

        // rep movsd copy, then a 16-dword copy set-up between two fixed (wildcarded)
        // addresses and a pushed 0x20 argument.
        $sequence_2 = { f3a5 b910000000 be???????? bf???????? 6a20 }
            // n = 5, score = 100
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   b910000000           | mov                 ecx, 0x10
            //   be????????           |                     
            //   bf????????           |                     
            //   6a20                 | push                0x20

        // Return-value test after a 3-argument (0x14 bytes of stack incl. alignment)
        // call; the jne uses a fixed displacement (0x265), so this sequence is
        // layout-sensitive. "or ecx, -1" is the usual prelude to a repne scasb strlen.
        $sequence_3 = { e8???????? 83c414 85c0 0f8565020000 8bfd 83c9ff }
            // n = 6, score = 100
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   85c0                 | test                eax, eax
            //   0f8565020000         | jne                 0x26b
            //   8bfd                 | mov                 edi, ebp
            //   83c9ff               | or                  ecx, 0xffffffff

        // Byte-by-byte construction of a buffer on the stack ([esp+0x3c..0x40]) from
        // immediate constants a4 cd b6 ee. What the buffer holds (key material, an
        // obfuscated string, ...) is not established here — TODO confirm from the sample.
        // The literal byte values make this the most sample-specific sequence in the rule.
        $sequence_4 = { c644243ca4 c644243dcd c644243eb6 c644243fee 885c2440 }
            // n = 5, score = 100
            //   c644243ca4           | mov                 byte ptr [esp + 0x3c], 0xa4
            //   c644243dcd           | mov                 byte ptr [esp + 0x3d], 0xcd
            //   c644243eb6           | mov                 byte ptr [esp + 0x3e], 0xb6
            //   c644243fee           | mov                 byte ptr [esp + 0x3f], 0xee
            //   885c2440             | mov                 byte ptr [esp + 0x40], bl

        // Indirect call: 8b3d = mov edi, [disp32] loads a pointer from a fixed address
        // (wildcarded) and ffd7 calls through it — the shape of an import-table call,
        // though which API is not visible here.
        $sequence_5 = { 83c408 50 57 8b3d???????? ffd7 68???????? }
            // n = 6, score = 100
            //   83c408               | add                 esp, 8
            //   50                   | push                eax
            //   57                   | push                edi
            //   8b3d????????         |                     
            //   ffd7                 | call                edi
            //   68????????           |                     

        // Full compiler-inlined memcpy idiom (dword copy, then remainder bytes); common
        // to many MSVC-built binaries, so weak as a standalone indicator.
        $sequence_6 = { c1e902 f3a5 8bca 83e103 f3a4 be???????? b8???????? }
            // n = 7, score = 100
            //   c1e902               | shr                 ecx, 2
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8bca                 | mov                 ecx, edx
            //   83e103               | and                 ecx, 3
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   be????????           |                     
            //   b8????????           |                     

        // Two values stored to adjacent stack slots with a subtraction in between; generic.
        $sequence_7 = { 8bca 89442418 2bcb 8944241c }
            // n = 4, score = 100
            //   8bca                 | mov                 ecx, edx
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   2bcb                 | sub                 ecx, ebx
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax

        // Variant of the inlined memcpy idiom preceded by dec edi; same caveat as $sequence_6.
        $sequence_8 = { 4f c1e902 f3a5 8bca b8???????? 83e103 }
            // n = 6, score = 100
            //   4f                   | dec                 edi
            //   c1e902               | shr                 ecx, 2
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8bca                 | mov                 ecx, edx
            //   b8????????           |                     
            //   83e103               | and                 ecx, 3

        // Pushes a stack buffer address ([esp+0x48]) and a fixed (wildcarded) address,
        // with a single stosb in between, before a call.
        $sequence_9 = { 8d4c2448 68???????? 51 aa e8???????? }
            // n = 5, score = 100
            //   8d4c2448             | lea                 ecx, dword ptr [esp + 0x48]
            //   68????????           |                     
            //   51                   | push                ecx
            //   aa                   | stosb               byte ptr es:[edi], al
            //   e8????????           |                     

    condition:
        // At least 7 of the 10 sequences must hit, which offsets the weak memcpy-idiom
        // sequences above. The size cap (~55.8 KiB) is presumably derived from the
        // reference sample(s); a repacked, padded or appended sample larger than this
        // is not matched no matter how many sequences are present — widen it
        // deliberately if that is a concern in your environment.
        7 of them and filesize < 57136
}