SYMBOLCOMMON_NAMEaka. SYNONYMS
win.cannon (Back to overview)

Cannon

Actor(s): APT28

VTCollection    

There is no description at this point.

References
2022-07-18Palo Alto Networks Unit 42Unit 42
Fighting Ursa
Cannon Zebrocy APT28
2018-11-27Vitali Kremez BlogVitali Kremez
Let's Learn: In-Depth on Sofacy Cannon Loader/Backdoor Review
Cannon
2018-11-20Palo Alto Networks Unit 42Bryan Lee, Robert Falcone
Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan
Cannon
Yara Rules
[TLP:WHITE] win_cannon_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_cannon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cannon"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff08 0891ff080891 ff08 0891ff080891 ff08 0891ff080891 ff01 }
            // n = 7, score = 100
            //   ff08                 | dec                 dword ptr [eax]
            //   0891ff080891         | or                  byte ptr [ecx - 0x6ef7f701], dl
            //   ff08                 | dec                 dword ptr [eax]
            //   0891ff080891         | or                  byte ptr [ecx - 0x6ef7f701], dl
            //   ff08                 | dec                 dword ptr [eax]
            //   0891ff080891         | or                  byte ptr [ecx - 0x6ef7f701], dl
            //   ff01                 | inc                 dword ptr [ecx]

        $sequence_1 = { e1fe e7e5 e1ff e7e5 e1ff e7e5 }
            // n = 6, score = 100
            //   e1fe                 | loope               0
            //   e7e5                 | out                 0xe5, eax
            //   e1ff                 | loope               1
            //   e7e5                 | out                 0xe5, eax
            //   e1ff                 | loope               1
            //   e7e5                 | out                 0xe5, eax

        $sequence_2 = { c2c2c2 c2c2c2 c2c2a9 c2c2a9 c2c2a9 c2c2a9 }
            // n = 6, score = 100
            //   c2c2c2               | ret                 0xc2c2
            //   c2c2c2               | ret                 0xc2c2
            //   c2c2a9               | ret                 0xa9c2
            //   c2c2a9               | ret                 0xa9c2
            //   c2c2a9               | ret                 0xa9c2
            //   c2c2a9               | ret                 0xa9c2

        $sequence_3 = { e7e5 e1ff e7e5 e1fe e7e5 e1ff e7e5 }
            // n = 7, score = 100
            //   e7e5                 | out                 0xe5, eax
            //   e1ff                 | loope               1
            //   e7e5                 | out                 0xe5, eax
            //   e1fe                 | loope               0
            //   e7e5                 | out                 0xe5, eax
            //   e1ff                 | loope               1
            //   e7e5                 | out                 0xe5, eax

        $sequence_4 = { e1fe e7e5 e1ff e7e5 e1ff }
            // n = 5, score = 100
            //   e1fe                 | loope               0
            //   e7e5                 | out                 0xe5, eax
            //   e1ff                 | loope               1
            //   e7e5                 | out                 0xe5, eax
            //   e1ff                 | loope               1

        $sequence_5 = { ff08 0891ff080891 ff08 0891ff080891 ff08 }
            // n = 5, score = 100
            //   ff08                 | dec                 dword ptr [eax]
            //   0891ff080891         | or                  byte ptr [ecx - 0x6ef7f701], dl
            //   ff08                 | dec                 dword ptr [eax]
            //   0891ff080891         | or                  byte ptr [ecx - 0x6ef7f701], dl
            //   ff08                 | dec                 dword ptr [eax]

        $sequence_6 = { e1ff e7e5 e1ff e7e5 }
            // n = 4, score = 100
            //   e1ff                 | loope               1
            //   e7e5                 | out                 0xe5, eax
            //   e1ff                 | loope               1
            //   e7e5                 | out                 0xe5, eax

        $sequence_7 = { e1ff e7e5 e1fe e7e5 e1ff }
            // n = 5, score = 100
            //   e1ff                 | loope               1
            //   e7e5                 | out                 0xe5, eax
            //   e1fe                 | loope               0
            //   e7e5                 | out                 0xe5, eax
            //   e1ff                 | loope               1

        $sequence_8 = { ff08 0891ff080891 ff01 018eff00008d ff8180bfffed }
            // n = 5, score = 100
            //   ff08                 | dec                 dword ptr [eax]
            //   0891ff080891         | or                  byte ptr [ecx - 0x6ef7f701], dl
            //   ff01                 | inc                 dword ptr [ecx]
            //   018eff00008d         | add                 dword ptr [esi - 0x72ffff01], ecx
            //   ff8180bfffed         | inc                 dword ptr [ecx - 0x12004080]

        $sequence_9 = { e1ff e7e5 e1fe e7e5 e1ff e7e5 e1ff }
            // n = 7, score = 100
            //   e1ff                 | loope               1
            //   e7e5                 | out                 0xe5, eax
            //   e1fe                 | loope               0
            //   e7e5                 | out                 0xe5, eax
            //   e1ff                 | loope               1
            //   e7e5                 | out                 0xe5, eax
            //   e1ff                 | loope               1

    condition:
        7 of them and filesize < 704512
}
[TLP:WHITE] win_cannon_w0   (20190106 | Detects Sofacy Cannon Loader)
rule win_cannon_w0 {
    meta:
        description = "Detects Sofacy Cannon Loader"
        author = "@VK_Intel"
        date = "2018-11-24"
        hash = "61a1f3b4fb4dbd2877c91e81db4b1af8395547eab199bf920e9dd11a1127221e"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cannon"
        malpedia_version = "20190106"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        
    strings:

    $pdb = "c:\\Users\\Garry\\Desktop\\cannon\\obj\\x86\\Debug\\wsslc.pdb" fullword ascii
    $exe = "wsslc.exe" fullword ascii wide

    $s0 = "cannon" fullword ascii wide
    $s1 = "cannon.Form1.resources" fullword ascii wide
    $s2 = "cannon.Properties.Resources.resources" fullword ascii wide

    $c0 = "Form1" fullword ascii wide
    $c1 = "Lenor" fullword ascii wide
    $c2 = "MDat" fullword ascii wide
    $c3 = "AUTH" fullword ascii wide
    $c4 = "Program" fullword ascii wide

    $f0 = "start_Tick" fullword ascii wide
    $f1 = "inf_Tick" fullword ascii wide
    $f2 = "screen_Tick" fullword ascii wide
    $f3 = "txt_Tick" fullword ascii wide
    $f4 = "load_Tick" fullword ascii wide
    $f5 = "subject_Tick" fullword ascii wide
    $f6 = "run_Tick" fullword ascii wide
    $f7 = "eTim_Tick" fullword ascii wide

    condition:
        ((2 of ($c*) and 4 of ($f*)) or (1 of ($s*) and ($pdb or $exe))) or (all of them)
}
Download all Yara Rules