win.bubblewrap

BUBBLEWRAP

Actor(s): Temper Panda


BUBBLEWRAP is a full-featured backdoor that is configured to run at system boot and can communicate over HTTP, HTTPS, or a SOCKS proxy. The backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that further extend its capabilities.

References
2019 | MITRE | MITRE ATT&CK
@online{attck:2019:tool:ae50919, author = {MITRE ATT&CK}, title = {{Tool description: BUBBLEWRAP}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0043/}, language = {English}, urldate = {2019-12-20} } Tool description: BUBBLEWRAP
BUBBLEWRAP
2015-12-01 | FireEye | FireEye Threat Intelligence
@online{intelligence:20151201:chinabased:8836a81, author = {FireEye Threat Intelligence}, title = {{China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets}}, date = {2015-12-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html}, language = {English}, urldate = {2019-12-20} } China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets
BUBBLEWRAP LOWBALL TEMPER PANDA
Yara Rules
[TLP:WHITE] win_bubblewrap_auto (20230125 | Detects win.bubblewrap.)
rule win_bubblewrap_auto {
    // Auto-generated (yara-signator) code-pattern rule for the BUBBLEWRAP
    // backdoor. Each $sequence_N below is a short run of x86 instruction
    // bytes lifted from disassembly of unpacked samples / memory dumps (see
    // DISCLAIMER). A `??` byte matches any value; here the wildcards sit on
    // the operand bytes of push/call/mov encodings, presumably masking
    // addresses and immediates that vary between builds, so the rule keys on
    // the instruction skeleton rather than on exact operand values. Because
    // the patterns come from unpacked code, apply the rule to memory or
    // unpacked files; packed on-disk samples are not expected to match.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.bubblewrap."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bubblewrap"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each sequence is annotated by the generator with its instruction
        // count (n) and selection score; the per-line disassembly is shown
        // for readability only and has no effect on matching.
        $sequence_0 = { 751f 6804010000 68???????? 68???????? }
            // n = 4, score = 100
            //   751f                 | jne                 0x21
            //   6804010000           | push                0x104
            //   68????????           |                     
            //   68????????           |                     

        $sequence_1 = { 68???????? 56 a3???????? ffd7 8b2d???????? a3???????? }
            // n = 6, score = 100
            //   68????????           |                     
            //   56                   | push                esi
            //   a3????????           |                     
            //   ffd7                 | call                edi
            //   8b2d????????         |                     
            //   a3????????           |                     

        $sequence_2 = { 6804010000 aa ff15???????? 8dbc24a8000000 83c9ff }
            // n = 5, score = 100
            //   6804010000           | push                0x104
            //   aa                   | stosb               byte ptr es:[edi], al
            //   ff15????????         |                     
            //   8dbc24a8000000       | lea                 edi, [esp + 0xa8]
            //   83c9ff               | or                  ecx, 0xffffffff

        $sequence_3 = { c644244400 f3ab 66ab aa 53 }
            // n = 5, score = 100
            //   c644244400           | mov                 byte ptr [esp + 0x44], 0
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   aa                   | stosb               byte ptr es:[edi], al
            //   53                   | push                ebx

        $sequence_4 = { ff15???????? 85c0 0f8495010000 8b442424 }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f8495010000         | je                  0x19b
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]

        $sequence_5 = { 83e103 68???????? f3a4 891d???????? c605????????ee }
            // n = 5, score = 100
            //   83e103               | and                 ecx, 3
            //   68????????           |                     
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   891d????????         |                     
            //   c605????????ee       |                     

        $sequence_6 = { 8b4c2410 bf???????? 8bc1 c1e902 f3a5 }
            // n = 5, score = 100
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   bf????????           |                     
            //   8bc1                 | mov                 eax, ecx
            //   c1e902               | shr                 ecx, 2
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]

        $sequence_7 = { 81c408020000 c21000 e8???????? 68???????? e8???????? 83c404 b941000000 }
            // n = 7, score = 100
            //   81c408020000         | add                 esp, 0x208
            //   c21000               | ret                 0x10
            //   e8????????           |                     
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   b941000000           | mov                 ecx, 0x41

        $sequence_8 = { 68???????? 52 ffd6 b900020000 33c0 }
            // n = 5, score = 100
            //   68????????           |                     
            //   52                   | push                edx
            //   ffd6                 | call                esi
            //   b900020000           | mov                 ecx, 0x200
            //   33c0                 | xor                 eax, eax

        $sequence_9 = { 51 aa e8???????? 83c40c b801000000 5f 5e }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   aa                   | stosb               byte ptr es:[edi], al
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   b801000000           | mov                 eax, 1
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

    condition:
        // Fire when at least 7 of the 10 sequences are present AND the
        // scanned object is smaller than 57136 bytes. The 7-of-10 threshold
        // tolerates a few sequences being broken by recompilation; the size
        // cap presumably reflects the documented reference sample(s), so a
        // larger build (padded, repacked, or with added plugins) could fall
        // outside it — review the bound before relying on the rule for
        // coverage of newer variants.
        7 of them and filesize < 57136
}