win.clambling

Clambling


Clambling was discovered by Trend Micro and TalentJump. It is custom malware used by an actor they refer to as DRBControl, a group that targets gambling and betting companies in Southeast Asia. One version of Clambling uses Dropbox as a C&C channel to hide its communication.

References
2020-02-18Trend MicroDaniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza
@techreport{lunghi:20200218:uncovering:d96f725, author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza}, title = {{Uncovering DRBControl}}, date = {2020-02-18}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf}, language = {English}, urldate = {2020-04-01} } Uncovering DRBControl
Clambling
Yara Rules
[TLP:WHITE] win_clambling_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_clambling_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): "date" (2020-05-30) and malpedia_rule_date (20200529) differ by one
        // day; presumably generation date vs. Malpedia data-snapshot date — confirm with the generator.
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.clambling"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes
     * - Every $sequence_N is a short run of x86-64 instruction bytes copied from one
     *   code location of the analysed sample. The hex bytes are the authoritative pattern.
     * - "??" wildcards stand for the 4-byte RIP-relative displacement of call targets and
     *   data references (ff15 = call [rip+disp32], 893d/8b0d = mov to/from [rip+disp32]),
     *   so a match does not depend on where imports/globals landed in the image
     *   (consistent with tool_config "callsandjumps;datarefs").
     * - The per-opcode mnemonics below are a reviewer decode of the listed bytes in 64-bit
     *   mode; they replace the generator's annotations, which decoded the same bytes as
     *   32-bit code (REX prefixes such as 0x48 appeared as "dec eax"). Verify with a
     *   disassembler before relying on a mnemonic; the bytes themselves were not changed.
     * - Because the sequences come from unpacked/memory-dumped code, the rule is meant for
     *   unpacked samples or memory scans; a packed on-disk file is unlikely to match.
     */

    strings:
        $sequence_0 = { b940000000 ff15???????? 448b8c24a0000000 488b8c24b0000000 }
            // n = 4, score = 300
            //   b940000000           | mov                 ecx, 0x40
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   448b8c24a0000000     | mov                 r9d, dword ptr [rsp + 0xa0]
            //   488b8c24b0000000     | mov                 rcx, qword ptr [rsp + 0xb0]

        $sequence_1 = { 4803c9 488b0ccf ff15???????? 3bc3 }
            // n = 4, score = 300
            //   4803c9               | add                 rcx, rcx
            //   488b0ccf             | mov                 rcx, qword ptr [rdi + rcx*8]
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   3bc3                 | cmp                 eax, ebx

        $sequence_2 = { 4c896820 44886810 44886811 44886812 44886813 }
            // n = 5, score = 300
            //   4c896820             | mov                 qword ptr [rax + 0x20], r13
            //   44886810             | mov                 byte ptr [rax + 0x10], r13b
            //   44886811             | mov                 byte ptr [rax + 0x11], r13b
            //   44886812             | mov                 byte ptr [rax + 0x12], r13b
            //   44886813             | mov                 byte ptr [rax + 0x13], r13b

        $sequence_3 = { 85c0 7448 4c8d442434 488bd7 33c9 }
            // n = 5, score = 300
            //   85c0                 | test                eax, eax
            //   7448                 | je                  +0x48
            //   4c8d442434           | lea                 r8, [rsp + 0x34]
            //   488bd7               | mov                 rdx, rdi
            //   33c9                 | xor                 ecx, ecx

        $sequence_4 = { 893d???????? ff15???????? 3bc7 7507 66893d???????? 488b0d???????? 488d542430 }
            // n = 7, score = 300
            //   893d????????         | mov                 dword ptr [rip + disp32], edi
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   3bc7                 | cmp                 eax, edi
            //   7507                 | jne                 +0x07
            //   66893d????????       | mov                 word ptr [rip + disp32], di
            //   488b0d????????       | mov                 rcx, qword ptr [rip + disp32]
            //   488d542430           | lea                 rdx, [rsp + 0x30]

        $sequence_5 = { 7508 ff15???????? eb27 488b4c2450 }
            // n = 4, score = 300
            //   7508                 | jne                 +0x08
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   eb27                 | jmp                 +0x27
            //   488b4c2450           | mov                 rcx, qword ptr [rsp + 0x50]

        $sequence_6 = { 488d442430 4c8d8c2490100000 488d542470 41b800100000 }
            // n = 4, score = 300
            //   488d442430           | lea                 rax, [rsp + 0x30]
            //   4c8d8c2490100000     | lea                 r9, [rsp + 0x1090]
            //   488d542470           | lea                 rdx, [rsp + 0x70]
            //   41b800100000         | mov                 r8d, 0x1000

        $sequence_7 = { c70701000000 eb13 bb4f050000 eb0c 211f eb08 }
            // n = 6, score = 300
            //   c70701000000         | mov                 dword ptr [rdi], 1
            //   eb13                 | jmp                 +0x13
            //   bb4f050000           | mov                 ebx, 0x54f
            //   eb0c                 | jmp                 +0x0c
            //   211f                 | and                 dword ptr [rdi], ebx
            //   eb08                 | jmp                 +0x08

        $sequence_8 = { ff15???????? 3bc3 7409 39ac2490020000 }
            // n = 4, score = 300
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   3bc3                 | cmp                 eax, ebx
            //   7409                 | je                  +0x09
            //   39ac2490020000       | cmp                 dword ptr [rsp + 0x290], ebp

        $sequence_9 = { ff15???????? 33c0 4c8d9c2480000000 498b5b30 498b6b38 }
            // n = 5, score = 300
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   33c0                 | xor                 eax, eax
            //   4c8d9c2480000000     | lea                 r11, [rsp + 0x80]
            //   498b5b30             | mov                 rbx, qword ptr [r11 + 0x30]
            //   498b6b38             | mov                 rbp, qword ptr [r11 + 0x38]

    condition:
        // Match when at least 7 of the 10 sequences are present; the partial threshold
        // tolerates minor code differences between builds. The size cap (412672 bytes,
        // i.e. 403 KiB) limits the rule to files of the observed sample's size class.
        7 of them and filesize < 412672
}