win.cloud_duke

Cloud Duke

Actor(s): APT 29


There is no description at this point.

References
2015-07-22F-SecureArtturi Lehtiö
@online{lehti:20150722:duke:8f54e8b, author = {Artturi Lehtiö}, title = {{Duke APT group's latest tools: cloud services and Linux support}}, date = {2015-07-22}, organization = {F-Secure}, url = {https://www.f-secure.com/weblog/archives/00002822.html}, language = {English}, urldate = {2019-10-15} } Duke APT group's latest tools: cloud services and Linux support
Cloud Duke
Yara Rules
[TLP:WHITE] win_cloud_duke_auto (20220411 | Detects win.cloud_duke.)
rule win_cloud_duke_auto {
    // Auto-generated code-pattern rule for the win.cloud_duke family (see meta
    // and the DISCLAIMER below). Each $sequence_N is a short run of x86
    // instruction bytes lifted from the disassembly of the documented sample(s);
    // the annotated listing under each string is documentation only and is not
    // evaluated by YARA.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.cloud_duke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloud_duke"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // "??" wildcards mask operand bytes that vary between builds or load
        // addresses (the rel32 targets of e8/e9 call/jmp and the ff15
        // indirect-call pointer), so those bytes never constrain a match.
        // NOTE(review): $sequence_4, $sequence_7 and $sequence_9 embed the
        // absolute address 0xa56f98 unmasked; these are likely to miss on
        // rebuilt or relocated images — verify against fresh samples.
        $sequence_0 = { 880c3e 46 8b85d8f0ffff 05ffc8ffff 3bf0 72b3 }
            // n = 6, score = 100
            //   880c3e               | mov                 byte ptr [esi + edi], cl
            //   46                   | inc                 esi
            //   8b85d8f0ffff         | mov                 eax, dword ptr [ebp - 0xf28]
            //   05ffc8ffff           | add                 eax, 0xffffc8ff
            //   3bf0                 | cmp                 esi, eax
            //   72b3                 | jb                  0xffffffb5

        $sequence_1 = { 8b16 eb02 8bd6 85ff 0f840e020000 8d043f 50 }
            // n = 7, score = 100
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   eb02                 | jmp                 4
            //   8bd6                 | mov                 edx, esi
            //   85ff                 | test                edi, edi
            //   0f840e020000         | je                  0x214
            //   8d043f               | lea                 eax, dword ptr [edi + edi]
            //   50                   | push                eax

        $sequence_2 = { 6a00 6800000008 6a00 6a00 8d44241c 0f4344241c }
            // n = 6, score = 100
            //   6a00                 | push                0
            //   6800000008           | push                0x8000000
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8d44241c             | lea                 eax, dword ptr [esp + 0x1c]
            //   0f4344241c           | cmovae              eax, dword ptr [esp + 0x1c]

        $sequence_3 = { 85c0 7518 ffb424dc000000 8d8c2424010000 e8???????? e9???????? 8bce }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   7518                 | jne                 0x1a
            //   ffb424dc000000       | push                dword ptr [esp + 0xdc]
            //   8d8c2424010000       | lea                 ecx, dword ptr [esp + 0x124]
            //   e8????????           |                     
            //   e9????????           |                     
            //   8bce                 | mov                 ecx, esi

        $sequence_4 = { 83c410 8b0485986fa500 3b740128 0f85b9010000 3b54012c 0f85af010000 53 }
            // n = 7, score = 100
            //   83c410               | add                 esp, 0x10
            //   8b0485986fa500       | mov                 eax, dword ptr [eax*4 + 0xa56f98]
            //   3b740128             | cmp                 esi, dword ptr [ecx + eax + 0x28]
            //   0f85b9010000         | jne                 0x1bf
            //   3b54012c             | cmp                 edx, dword ptr [ecx + eax + 0x2c]
            //   0f85af010000         | jne                 0x1b5
            //   53                   | push                ebx

        $sequence_5 = { c0e102 80e203 02d1 c0e004 8855e4 8a55ea }
            // n = 6, score = 100
            //   c0e102               | shl                 cl, 2
            //   80e203               | and                 dl, 3
            //   02d1                 | add                 dl, cl
            //   c0e004               | shl                 al, 4
            //   8855e4               | mov                 byte ptr [ebp - 0x1c], dl
            //   8a55ea               | mov                 dl, byte ptr [ebp - 0x16]

        $sequence_6 = { 85c0 0f88f20b0000 8b8424ec000000 8d94243c010000 52 50 }
            // n = 6, score = 100
            //   85c0                 | test                eax, eax
            //   0f88f20b0000         | js                  0xbf8
            //   8b8424ec000000       | mov                 eax, dword ptr [esp + 0xec]
            //   8d94243c010000       | lea                 edx, dword ptr [esp + 0x13c]
            //   52                   | push                edx
            //   50                   | push                eax

        $sequence_7 = { 8b0485986fa500 ff3418 ff15???????? 85c0 7518 ff15???????? }
            // n = 6, score = 100
            //   8b0485986fa500       | mov                 eax, dword ptr [eax*4 + 0xa56f98]
            //   ff3418               | push                dword ptr [eax + ebx]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7518                 | jne                 0x1a
            //   ff15????????         |                     

        $sequence_8 = { 50 8b85ccf0ffff 0501370000 50 57 e8???????? 8b85d8f0ffff }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8b85ccf0ffff         | mov                 eax, dword ptr [ebp - 0xf34]
            //   0501370000           | add                 eax, 0x3701
            //   50                   | push                eax
            //   57                   | push                edi
            //   e8????????           |                     
            //   8b85d8f0ffff         | mov                 eax, dword ptr [ebp - 0xf28]

        $sequence_9 = { 894df4 895ddc 8b148d986fa500 8a441a04 a801 }
            // n = 5, score = 100
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   895ddc               | mov                 dword ptr [ebp - 0x24], ebx
            //   8b148d986fa500       | mov                 edx, dword ptr [ecx*4 + 0xa56f98]
            //   8a441a04             | mov                 al, byte ptr [edx + ebx + 4]
            //   a801                 | test                al, 1

    condition:
        // Any 7 of the 10 sequences must be present, and the scanned object must
        // be smaller than 360448 bytes (352 KiB). The size cap is presumably
        // sized to the documented samples; a padded or packed build carrying the
        // same code would fall outside it and not match.
        7 of them and filesize < 360448
}
[TLP:WHITE] win_cloud_duke_w0   (20170521 | Detects CloudDuke Malware)
rule win_cloud_duke_w0 {
	// Hand-written rule for CloudDuke combining distinctive plaintext strings
	// with three fixed opcode sequences. The "score" and "hash" meta entries
	// are informational (author-assigned confidence and sample hashes); YARA
	// does not evaluate meta fields in the condition.
	meta:
		description = "Detects CloudDuke Malware"
		author = "Florian Roth"
		reference = "https://www.f-secure.com/weblog/archives/00002822.html"
		date = "2015-07-22"
		score = 60
		hash = "97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7"
		hash = "88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f"
		hash = "1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7"
		hash = "ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46"
		hash = "ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145"
		hash = "a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004"
		hash = "56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloud_duke"
        malpedia_version = "20170521"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
	strings:
		// fullword: the match must not be adjacent to other alphanumeric
		// characters; ascii / wide select the encoding (wide = UTF-16LE).
		// $s2 and $s5 are DLL names that also occur in benign binaries, which is
		// why the condition requires several strings together rather than any one.
		$s1 = "ProcDataWrap" fullword ascii
		$s2 = "imagehlp.dll" fullword ascii
		$s3 = "dnlibsh" fullword ascii
		$s4 = "%ws_out%ws" fullword wide
		$s5 = "Akernel32.dll" fullword wide

		// NOTE(review): the opcode sequences contain what look like absolute
		// addresses/displacements (e.g. "68 0e 41 00" in $op0), so they are
		// probably specific to the referenced builds — confirm before relying
		// on the $op* strings for broader coverage.
		$op0 = { 0f b6 80 68 0e 41 00 0b c8 c1 e1 08 0f b6 c2 8b } /* Opcode */
		$op1 = { 8b ce e8 f8 01 00 00 85 c0 74 41 83 7d f8 00 0f } /* Opcode */
		$op2 = { e8 2f a2 ff ff 83 20 00 83 c8 ff 5f 5e 5d c3 55 } /* Opcode */
	condition:
		// Size cap plus at least 4 of the 5 text strings and at least 1 of the
		// 3 opcode sequences; no single indicator is sufficient on its own.
		filesize < 720KB and 4 of ($s*) and 1 of ($op*)
}