win.bubblewrap

BUBBLEWRAP

Actor(s): Temper Panda


BUBBLEWRAP is a full-featured backdoor that is configured to run at system boot (persistence) and can communicate over HTTP, HTTPS, or through a SOCKS proxy. It collects system information, including the operating system version and hostname, and includes functionality to check for, upload, and register plugins that extend its capabilities.

References
2019 | MITRE | MITRE ATT&CK
@online{attck:2019:tool:ae50919, author = {MITRE ATT&CK}, title = {{Tool description: BUBBLEWRAP}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0043/}, language = {English}, urldate = {2019-12-20} } Tool description: BUBBLEWRAP
BUBBLEWRAP
2015-12-01 | FireEye | FireEye Threat Intelligence
@online{intelligence:20151201:chinabased:8836a81, author = {FireEye Threat Intelligence}, title = {{China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets}}, date = {2015-12-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html}, language = {English}, urldate = {2019-12-20} } China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets
Tags: BUBBLEWRAP, LOWBALL, TEMPER PANDA
Yara Rules
[TLP:WHITE] win_bubblewrap_auto (20230715 | Detects win.bubblewrap.)
// Auto-generated (YARA-Signator) code-sequence signature for the BUBBLEWRAP
// backdoor (win.bubblewrap). Each string is a short run of 32-bit x86 opcodes
// lifted from a single Malpedia reference sample; the rule fires when at least
// 7 of the 10 runs are found in a file smaller than 57136 bytes.
// NOTE(review): because only one sample backed the generation (see the
// disclaimer below), treat hits as an indicator to triage, not a verdict, and
// expect misses on builds whose compiler/linker output differs from that sample.
rule win_bubblewrap_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.bubblewrap."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Masking categories applied during generation: call/jump targets,
        // data references and binary immediates are replaced by "??" wildcards.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bubblewrap"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // "????????" runs below are wildcarded 32-bit operands (absolute data
        // addresses, rel32 call targets, push immediates) that vary per build;
        // the surrounding opcode bytes are what the rule actually pins down.
        $sequence_0 = { 750b c1ed0a 892d???????? eb0c c1ed0a }
            // n = 5, score = 100
            //   750b                 | jne                 0xd
            //   c1ed0a               | shr                 ebp, 0xa
            //   892d????????         |                     
            //   eb0c                 | jmp                 0xe
            //   c1ed0a               | shr                 ebp, 0xa

        // NOTE(review): computes (x % 5000) + 1000 and pushes it as the single
        // argument to whatever ebp points at - looks like a jittered delay
        // (e.g. Sleep); confirm against the sample before documenting it as such.
        $sequence_1 = { b988130000 f7f1 81c2e8030000 52 ffd5 43 }
            // n = 6, score = 100
            //   b988130000           | mov                 ecx, 0x1388
            //   f7f1                 | div                 ecx
            //   81c2e8030000         | add                 edx, 0x3e8
            //   52                   | push                edx
            //   ffd5                 | call                ebp
            //   43                   | inc                 ebx

        $sequence_2 = { 8b9384010000 83c404 8d441019 50 e8???????? 8b4c2418 83c408 }
            // n = 7, score = 100
            //   8b9384010000         | mov                 edx, dword ptr [ebx + 0x184]
            //   83c404               | add                 esp, 4
            //   8d441019             | lea                 eax, [eax + edx + 0x19]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b4c2418             | mov                 ecx, dword ptr [esp + 0x18]
            //   83c408               | add                 esp, 8

        $sequence_3 = { 8d4c2420 50 51 ff15???????? 8b542434 8b442432 }
            // n = 6, score = 100
            //   8d4c2420             | lea                 ecx, [esp + 0x20]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8b542434             | mov                 edx, dword ptr [esp + 0x34]
            //   8b442432             | mov                 eax, dword ptr [esp + 0x32]

        // NOTE(review): $sequence_4 and $sequence_7 store immediate bytes into a
        // stack buffer one at a time - consistent with a stack-built string or
        // blob (often used to hide strings/keys from static scans). The byte
        // values themselves are sample-specific; confirm what they decode to.
        $sequence_4 = { b099 884c2441 b910000000 8d74240c 8d7c240c c644240c2c c644240e15 }
            // n = 7, score = 100
            //   b099                 | mov                 al, 0x99
            //   884c2441             | mov                 byte ptr [esp + 0x41], cl
            //   b910000000           | mov                 ecx, 0x10
            //   8d74240c             | lea                 esi, [esp + 0xc]
            //   8d7c240c             | lea                 edi, [esp + 0xc]
            //   c644240c2c           | mov                 byte ptr [esp + 0xc], 0x2c
            //   c644240e15           | mov                 byte ptr [esp + 0xe], 0x15

        $sequence_5 = { 56 57 a1???????? 83c005 8945fc 6a00 }
            // n = 6, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   a1????????           |                     
            //   83c005               | add                 eax, 5
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   6a00                 | push                0

        $sequence_6 = { 8d542464 68???????? 52 ffd7 85c0 }
            // n = 5, score = 100
            //   8d542464             | lea                 edx, [esp + 0x64]
            //   68????????           |                     
            //   52                   | push                edx
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax

        $sequence_7 = { c6442413b9 c644241546 c6442416d2 c644241755 c6442418c4 c644241979 c644241b8d }
            // n = 7, score = 100
            //   c6442413b9           | mov                 byte ptr [esp + 0x13], 0xb9
            //   c644241546           | mov                 byte ptr [esp + 0x15], 0x46
            //   c6442416d2           | mov                 byte ptr [esp + 0x16], 0xd2
            //   c644241755           | mov                 byte ptr [esp + 0x17], 0x55
            //   c6442418c4           | mov                 byte ptr [esp + 0x18], 0xc4
            //   c644241979           | mov                 byte ptr [esp + 0x19], 0x79
            //   c644241b8d           | mov                 byte ptr [esp + 0x1b], 0x8d

        $sequence_8 = { ffd6 68???????? ffd6 8b5c241c }
            // n = 4, score = 100
            //   ffd6                 | call                esi
            //   68????????           |                     
            //   ffd6                 | call                esi
            //   8b5c241c             | mov                 ebx, dword ptr [esp + 0x1c]

        // Inlined memcpy idiom: copy len/4 dwords, then the remaining len&3
        // bytes. This is generic compiler output, not family-specific on its
        // own - it only contributes weight within the "7 of them" threshold.
        $sequence_9 = { c1e902 f3a5 8bca 83e103 f3a4 e8???????? 8b0d???????? }
            // n = 7, score = 100
            //   c1e902               | shr                 ecx, 2
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8bca                 | mov                 ecx, edx
            //   83e103               | and                 ecx, 3
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   e8????????           |                     
            //   8b0d????????         |                     

    condition:
        // Require 7 of the 10 opcode runs so that the generic sequences
        // (e.g. $sequence_9) cannot trigger the rule alone. The size bound is
        // derived from the reference sample and acts as a false-positive guard;
        // it also means larger builds (re-packed, re-linked, or with appended
        // data) fall outside the rule's scope.
        // NOTE(review): filesize is an on-disk property - when scanning process
        // memory its value is not the PE's size, so check how your YARA version
        // evaluates this bound before relying on memory-scan hits or misses.
        7 of them and filesize < 57136
}