win.dadstache

DADSTACHE

Actor(s): Leviathan


There is no description at this point.

References
2020-07-10ByteAtlasDaniel Plohmann
@online{plohmann:20200710:knowledge:358aef1, author = {Daniel Plohmann}, title = {{Knowledge Fragment: Casting Sandbox Necromancy on DADSTACHE}}, date = {2020-07-10}, organization = {ByteAtlas}, url = {https://danielplohmann.github.io/blog/2020/07/10/kf-sandbox-necromancy.html}, language = {English}, urldate = {2020-07-11} } Knowledge Fragment: Casting Sandbox Necromancy on DADSTACHE
DADSTACHE
2020-06-25ElasticSamir Bousseaden, Daniel Stepanic
@online{bousseaden:20200625:close:be8a8b2, author = {Samir Bousseaden and Daniel Stepanic}, title = {{A close look at the advanced techniques used in a Malaysian-focused APT campaign}}, date = {2020-06-25}, organization = {Elastic}, url = {https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign}, language = {English}, urldate = {2020-06-25} } A close look at the advanced techniques used in a Malaysian-focused APT campaign
DADSTACHE Leviathan
2020-03-15insomniacs(Medium)Asuna Amawaka
@online{amawaka:20200315:dad:5cad035, author = {Asuna Amawaka}, title = {{Dad! There’s A Rat In Here!}}, date = {2020-03-15}, organization = {insomniacs(Medium)}, url = {https://medium.com/insomniacs/dad-theres-a-rat-in-here-e3729b65bf7a}, language = {English}, urldate = {2020-04-16} } Dad! There’s A Rat In Here!
DADSTACHE
2020-03-10insomniacs(Medium)Asuna Amawaka
@online{amawaka:20200310:apt40:2199052, author = {Asuna Amawaka}, title = {{APT40 goes from Template Injections to OLE-Linkings for payload delivery}}, date = {2020-03-10}, organization = {insomniacs(Medium)}, url = {https://medium.com/insomniacs/apt40-goes-from-template-injections-to-ole-linkings-for-payload-delivery-99eb43170a97}, language = {English}, urldate = {2020-04-16} } APT40 goes from Template Injections to OLE-Linkings for payload delivery
DADSTACHE
2019-11-28Twitter (@cyb3rops)Florian Roth
@online{roth:20191128:signature:1d30657, author = {Florian Roth}, title = {{Tweet on Signature Writing for DADJOKE}}, date = {2019-11-28}, organization = {Twitter (@cyb3rops)}, url = {https://twitter.com/cyb3rops/status/1199978327697694720}, language = {English}, urldate = {2020-01-09} } Tweet on Signature Writing for DADJOKE
DADSTACHE
2019-04-22Twitter (@killamjr)Suspicious Link
@online{link:20190422:dadstache:5444490, author = {Suspicious Link}, title = {{Tweet on DADSTACHE payload}}, date = {2019-04-22}, organization = {Twitter (@killamjr)}, url = {https://twitter.com/killamjr/status/1204584085395517440}, language = {English}, urldate = {2020-01-06} } Tweet on DADSTACHE payload
DADSTACHE
Yara Rules
[TLP:WHITE] win_dadstache_auto (20211008 | Detects win.dadstache.)
rule win_dadstache_auto {

    /* Reviewer notes (not part of the generated rule text):
     * - Sixteen code sequences ($sequence_0 .. $sequence_15) were extracted by
     *   yara-signator from x86 disassembly of the family. The "??" bytes are
     *   wildcards; they sit where the instruction carries an operand that
     *   presumably varies between samples (absolute addresses / relocated
     *   pointers), which is why those lines have no disassembly text below.
     * - The "n" comment on each sequence is the number of instructions it
     *   spans; "score" is yara-signator's ranking value for the sequence (its
     *   exact semantics are not documented on this page -- consult the
     *   yara-signator repository linked in the DISCLAIMER).
     * - Per the DISCLAIMER, the patterns come from memory dumps and unpacked
     *   files, so matches are expected against unpacked code; a packed
     *   on-disk sample may not trigger this rule (inference -- confirm when
     *   validating against your own corpus).
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.dadstache."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dadstache"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Sequences 0-7 carry score 500, sequences 8-15 score 200 (see the
        // per-sequence comments); the condition treats all of them equally.
        $sequence_0 = { 50 6a1f ff35???????? ff15???????? 803d????????00 }
            // n = 5, score = 500
            //   50                   | push                eax
            //   6a1f                 | push                0x1f
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   803d????????00       |                     

        $sequence_1 = { 6a00 f3a4 50 ff15???????? 85c0 7528 ff7304 }
            // n = 7, score = 500
            //   6a00                 | push                0
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7528                 | jne                 0x2a
            //   ff7304               | push                dword ptr [ebx + 4]

        $sequence_2 = { 0f1000 c745fc09000000 895508 0f1145e4 8b7df0 8bcf c1e908 }
            // n = 7, score = 500
            //   0f1000               | movups              xmm0, xmmword ptr [eax]
            //   c745fc09000000       | mov                 dword ptr [ebp - 4], 9
            //   895508               | mov                 dword ptr [ebp + 8], edx
            //   0f1145e4             | movups              xmmword ptr [ebp - 0x1c], xmm0
            //   8b7df0               | mov                 edi, dword ptr [ebp - 0x10]
            //   8bcf                 | mov                 ecx, edi
            //   c1e908               | shr                 ecx, 8

        $sequence_3 = { 55 8bec 51 56 8b7508 837e7000 0f84da000000 }
            // n = 7, score = 500
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   837e7000             | cmp                 dword ptr [esi + 0x70], 0
            //   0f84da000000         | je                  0xe0

        $sequence_4 = { ff35???????? ff15???????? 85c0 741f 6a00 }
            // n = 5, score = 500
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   741f                 | je                  0x21
            //   6a00                 | push                0

        $sequence_5 = { 8d45fc c745fc00000000 50 6a00 51 6a00 6800130000 }
            // n = 7, score = 500
            //   8d45fc               | lea                 eax, dword ptr [ebp - 4]
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   50                   | push                eax
            //   6a00                 | push                0
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   6800130000           | push                0x1300

        $sequence_6 = { 0f1105???????? 0fb68699010000 50 0fb68698010000 50 0fb68697010000 }
            // n = 6, score = 500
            //   0f1105????????       |                     
            //   0fb68699010000       | movzx               eax, byte ptr [esi + 0x199]
            //   50                   | push                eax
            //   0fb68698010000       | movzx               eax, byte ptr [esi + 0x198]
            //   50                   | push                eax
            //   0fb68697010000       | movzx               eax, byte ptr [esi + 0x197]

        $sequence_7 = { 8b4704 314604 8b01 314608 8b470c 8bf9 31460c }
            // n = 7, score = 500
            //   8b4704               | mov                 eax, dword ptr [edi + 4]
            //   314604               | xor                 dword ptr [esi + 4], eax
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   314608               | xor                 dword ptr [esi + 8], eax
            //   8b470c               | mov                 eax, dword ptr [edi + 0xc]
            //   8bf9                 | mov                 edi, ecx
            //   31460c               | xor                 dword ptr [esi + 0xc], eax

        $sequence_8 = { 660f6e805cffffff 660febfc 660f62e8 660f6e8060ffffff }
            // n = 4, score = 200
            //   660f6e805cffffff     | movd                xmm0, dword ptr [eax - 0xa4]
            //   660febfc             | por                 xmm7, xmm4
            //   660f62e8             | punpckldq           xmm5, xmm0
            //   660f6e8060ffffff     | movd                xmm0, dword ptr [eax - 0xa0]

        $sequence_9 = { 8bf1 03c3 2bf0 0f1f8000000000 8a0c06 8d4001 8a50ff }
            // n = 7, score = 200
            //   8bf1                 | mov                 esi, ecx
            //   03c3                 | add                 eax, ebx
            //   2bf0                 | sub                 esi, eax
            //   0f1f8000000000       | nop                 dword ptr [eax]
            //   8a0c06               | mov                 cl, byte ptr [esi + eax]
            //   8d4001               | lea                 eax, dword ptr [eax + 1]
            //   8a50ff               | mov                 dl, byte ptr [eax - 1]

        $sequence_10 = { 750a 56 ff55ec 8bd8 85db 7459 }
            // n = 6, score = 200
            //   750a                 | jne                 0xc
            //   56                   | push                esi
            //   ff55ec               | call                dword ptr [ebp - 0x14]
            //   8bd8                 | mov                 ebx, eax
            //   85db                 | test                ebx, ebx
            //   7459                 | je                  0x5b

        $sequence_11 = { c7411806000000 33c0 5e c3 6a00 }
            // n = 5, score = 200
            //   c7411806000000       | mov                 dword ptr [ecx + 0x18], 6
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   6a00                 | push                0

        $sequence_12 = { 0f8401010000 6a20 6a40 ffd6 }
            // n = 4, score = 200
            //   0f8401010000         | je                  0x107
            //   6a20                 | push                0x20
            //   6a40                 | push                0x40
            //   ffd6                 | call                esi

        $sequence_13 = { 85f6 7418 8b06 85c0 7412 6a00 6a01 }
            // n = 7, score = 200
            //   85f6                 | test                esi, esi
            //   7418                 | je                  0x1a
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   85c0                 | test                eax, eax
            //   7412                 | je                  0x14
            //   6a00                 | push                0
            //   6a01                 | push                1

        $sequence_14 = { 660f62d9 0f57f6 660f6e8834ffffff 660ffedd 660f6ea80cffffff 660f62ca }
            // n = 6, score = 200
            //   660f62d9             | punpckldq           xmm3, xmm1
            //   0f57f6               | xorps               xmm6, xmm6
            //   660f6e8834ffffff     | movd                xmm1, dword ptr [eax - 0xcc]
            //   660ffedd             | paddd               xmm3, xmm5
            //   660f6ea80cffffff     | movd                xmm5, dword ptr [eax - 0xf4]
            //   660f62ca             | punpckldq           xmm1, xmm2

        $sequence_15 = { 8bf1 85f6 743b 8b460c 85c0 7434 837e1400 }
            // n = 7, score = 200
            //   8bf1                 | mov                 esi, ecx
            //   85f6                 | test                esi, esi
            //   743b                 | je                  0x3d
            //   8b460c               | mov                 eax, dword ptr [esi + 0xc]
            //   85c0                 | test                eax, eax
            //   7434                 | je                  0x36
            //   837e1400             | cmp                 dword ptr [esi + 0x14], 0

    condition:
        // At least 7 of the 16 sequences must be present. The filesize ceiling
        // is presumably derived from the reference samples; it also bounds scan
        // cost, but revisit it if larger builds of the family appear.
        7 of them and filesize < 580608
}
[TLP:WHITE] win_dadstache_w0   (20200626 | APT40 second stage implant)
rule win_dadstache_w0 {
    /* Elastic Security's rule for the APT40 second-stage implant (see the
     * `source` meta entry for the write-up). String groups:
     *   $a-$c  wide (UTF-16LE) strings that look like URI paths -- presumably
     *          the implant's C2 endpoints, confirm in the source post;
     *   $d-$g  ASCII printf-style error messages (each carries a %s slot);
     *   $h     wide "\cmd.exe" fragment.
     * `all of them` makes the rule precise but brittle: a single changed or
     * re-encoded string in a new build breaks the match.
     */
    meta:
        author =  "Elastic Security"
        description = "APT40 second stage implant"
        source = "https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dadstache"
        malpedia_version = "20200626"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $a = "/list_direction" fullword wide
        $b = "/post_document" fullword wide
        $c = "/postlogin" fullword wide
        $d = "Download Read Path Failed %s" fullword ascii
        $e = "Open Pipe Failed %s" fullword ascii
        $f = "Open Remote File %s Failed For: %s" fullword ascii
        // NOTE(review): $g is byte-for-byte identical to $d, so under
        // `all of them` it adds no constraint -- likely a copy/paste slip in
        // the published rule; confirm against the Elastic post before editing.
        $g = "Download Read Path Failed %s" fullword ascii
        $h = "\\cmd.exe" fullword wide
    condition:
        // Every defined string must be present in the scanned object.
        all of them
}