Actor(s): APT 29
There is no description at this point.
// Malpedia auto-generated code-sequence rule for win.cloud_duke (yara-signator).
// Each $sequence_N is a run of x86 instruction bytes lifted from the documented
// sample; the "??" wildcards mask the operands of e8/e9 (relative call/jmp) and
// ff15 (indirect call) instructions, so those sequences tolerate a moved callee
// but not changes to the surrounding code bytes.
// NOTE(review): $sequence_4, $sequence_7 and $sequence_9 all embed the absolute
// data address 0xa56f98 (see their disassembly comments). That ties them to the
// image layout of the sample they came from; a rebuilt or rebased binary may
// fail to match those three, leaving 7 sequences to satisfy "7 of them".
rule win_cloud_duke_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.cloud_duke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloud_duke"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation are published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Per-sequence trailer: n = instruction count, score = signator's
        // selection score for that sequence.
        $sequence_0 = { 880c3e 46 8b85d8f0ffff 05ffc8ffff 3bf0 72b3 } // n = 6, score = 100
            // 880c3e               | mov byte ptr [esi + edi], cl
            // 46                   | inc esi
            // 8b85d8f0ffff         | mov eax, dword ptr [ebp - 0xf28]
            // 05ffc8ffff           | add eax, 0xffffc8ff
            // 3bf0                 | cmp esi, eax
            // 72b3                 | jb 0xffffffb5

        $sequence_1 = { 8b16 eb02 8bd6 85ff 0f840e020000 8d043f 50 } // n = 7, score = 100
            // 8b16                 | mov edx, dword ptr [esi]
            // eb02                 | jmp 4
            // 8bd6                 | mov edx, esi
            // 85ff                 | test edi, edi
            // 0f840e020000         | je 0x214
            // 8d043f               | lea eax, dword ptr [edi + edi]
            // 50                   | push eax

        $sequence_2 = { 6a00 6800000008 6a00 6a00 8d44241c 0f4344241c } // n = 6, score = 100
            // 6a00                 | push 0
            // 6800000008           | push 0x8000000
            // 6a00                 | push 0
            // 6a00                 | push 0
            // 8d44241c             | lea eax, dword ptr [esp + 0x1c]
            // 0f4344241c           | cmovae eax, dword ptr [esp + 0x1c]

        $sequence_3 = { 85c0 7518 ffb424dc000000 8d8c2424010000 e8???????? e9???????? 8bce } // n = 7, score = 100
            // 85c0                 | test eax, eax
            // 7518                 | jne 0x1a
            // ffb424dc000000       | push dword ptr [esp + 0xdc]
            // 8d8c2424010000       | lea ecx, dword ptr [esp + 0x124]
            // e8????????           |
            // e9????????           |
            // 8bce                 | mov ecx, esi

        // Absolute address 0xa56f98 below: sample-specific, see header note.
        $sequence_4 = { 83c410 8b0485986fa500 3b740128 0f85b9010000 3b54012c 0f85af010000 53 } // n = 7, score = 100
            // 83c410               | add esp, 0x10
            // 8b0485986fa500       | mov eax, dword ptr [eax*4 + 0xa56f98]
            // 3b740128             | cmp esi, dword ptr [ecx + eax + 0x28]
            // 0f85b9010000         | jne 0x1bf
            // 3b54012c             | cmp edx, dword ptr [ecx + eax + 0x2c]
            // 0f85af010000         | jne 0x1b5
            // 53                   | push ebx

        $sequence_5 = { c0e102 80e203 02d1 c0e004 8855e4 8a55ea } // n = 6, score = 100
            // c0e102               | shl cl, 2
            // 80e203               | and dl, 3
            // 02d1                 | add dl, cl
            // c0e004               | shl al, 4
            // 8855e4               | mov byte ptr [ebp - 0x1c], dl
            // 8a55ea               | mov dl, byte ptr [ebp - 0x16]

        $sequence_6 = { 85c0 0f88f20b0000 8b8424ec000000 8d94243c010000 52 50 } // n = 6, score = 100
            // 85c0                 | test eax, eax
            // 0f88f20b0000         | js 0xbf8
            // 8b8424ec000000       | mov eax, dword ptr [esp + 0xec]
            // 8d94243c010000       | lea edx, dword ptr [esp + 0x13c]
            // 52                   | push edx
            // 50                   | push eax

        // Absolute address 0xa56f98 below: sample-specific, see header note.
        $sequence_7 = { 8b0485986fa500 ff3418 ff15???????? 85c0 7518 ff15???????? } // n = 6, score = 100
            // 8b0485986fa500       | mov eax, dword ptr [eax*4 + 0xa56f98]
            // ff3418               | push dword ptr [eax + ebx]
            // ff15????????         |
            // 85c0                 | test eax, eax
            // 7518                 | jne 0x1a
            // ff15????????         |

        $sequence_8 = { 50 8b85ccf0ffff 0501370000 50 57 e8???????? 8b85d8f0ffff } // n = 7, score = 100
            // 50                   | push eax
            // 8b85ccf0ffff         | mov eax, dword ptr [ebp - 0xf34]
            // 0501370000           | add eax, 0x3701
            // 50                   | push eax
            // 57                   | push edi
            // e8????????           |
            // 8b85d8f0ffff         | mov eax, dword ptr [ebp - 0xf28]

        // Absolute address 0xa56f98 below: sample-specific, see header note.
        $sequence_9 = { 894df4 895ddc 8b148d986fa500 8a441a04 a801 } // n = 5, score = 100
            // 894df4               | mov dword ptr [ebp - 0xc], ecx
            // 895ddc               | mov dword ptr [ebp - 0x24], ebx
            // 8b148d986fa500       | mov edx, dword ptr [ecx*4 + 0xa56f98]
            // 8a441a04             | mov al, byte ptr [edx + ebx + 4]
            // a801                 | test al, 1

    condition:
        // At least 7 of the 10 sequences must be present and the scanned file
        // must be smaller than 360448 bytes (352 KiB). YARA's filesize is only
        // defined when scanning files, so apply this rule to on-disk samples or
        // saved unpacked dumps rather than to live process memory.
        7 of them and filesize < 360448
}
// Hand-written CloudDuke rule (Florian Roth, 2015). Matching requires 4 of the
// 5 plain strings plus 1 of the 3 opcode patterns, on files under 720KB; the
// 4-of-5 threshold matters because $s2 ("imagehlp.dll") is a stock Windows
// library name and is not distinctive on its own.
// NOTE(review): the $op* patterns carry no wildcards. $op1 and $op2 each start
// or continue with an e8 call whose rel32 displacement is fixed, and $op0
// appears to include an absolute displacement (68 0e 41 00); all three are
// therefore specific to the builds listed in the hash meta and are expected to
// drop off on recompiled variants, which is why only 1 of them is required.
rule win_cloud_duke_w0 {
    meta:
        description = "Detects CloudDuke Malware"
        author = "Florian Roth"
        reference = "https://www.f-secure.com/weblog/archives/00002822.html"
        date = "2015-07-22"
        score = 60
        // SHA-256 of the samples this rule was written against (repeated
        // "hash" keys are permitted in YARA meta).
        hash = "97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7"
        hash = "88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f"
        hash = "1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7"
        hash = "ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46"
        hash = "ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145"
        hash = "a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004"
        hash = "56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloud_duke"
        malpedia_version = "20170521"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // "fullword" requires the match to be delimited by non-alphanumeric
        // bytes; $s4/$s5 are UTF-16LE ("wide"), the rest single-byte ASCII.
        $s1 = "ProcDataWrap" fullword ascii
        $s2 = "imagehlp.dll" fullword ascii
        $s3 = "dnlibsh" fullword ascii
        $s4 = "%ws_out%ws" fullword wide
        $s5 = "Akernel32.dll" fullword wide
        // Fixed 16-byte code fragments; see header note on build specificity.
        $op0 = { 0f b6 80 68 0e 41 00 0b c8 c1 e1 08 0f b6 c2 8b } /* Opcode */
        $op1 = { 8b ce e8 f8 01 00 00 85 c0 74 41 83 7d f8 00 0f } /* Opcode */
        $op2 = { e8 2f a2 ff ff 83 20 00 83 c8 ff 5f 5e 5d c3 55 } /* Opcode */
    condition:
        // filesize is only defined for file scans, not live process memory.
        filesize < 720KB and 4 of ($s*) and 1 of ($op*)
}