win.daserf

Daserf

aka: Muirim, Nioupale

Actor(s): Tick


There is no curated description at this point. Based on the titles of the references cited below, Daserf is a backdoor attributed to the Tick group (also tracked as BRONZE BUTLER / REDBALDKNIGHT) and used in attacks against Japanese enterprises; the 2017 Trend Micro report documents a variant that uses steganography, and the same reports discuss Daserf alongside the related tools xxmm, Datper and rarstar.

References
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:ef493d6, author = {SecureWorks}, title = {{BRONZE BUTLER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-butler}, language = {English}, urldate = {2020-05-23} } BRONZE BUTLER
Daserf xxmm Tick
2017-11-07Trend MicroTrendmicro
@online{trendmicro:20171107:redbaldknightbronze:f7c817f, author = {Trendmicro}, title = {{REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography}}, date = {2017-11-07}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/}, language = {English}, urldate = {2019-11-27} } REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography
Daserf Datper xxmm
2017-10-12SecureworksCTU Research Team
@online{team:20171012:bronze:7b9ae02, author = {CTU Research Team}, title = {{BRONZE BUTLER Targets Japanese Enterprises}}, date = {2017-10-12}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses}, language = {English}, urldate = {2020-01-07} } BRONZE BUTLER Targets Japanese Enterprises
Daserf Datper rarstar xxmm Tick
2017-07-25Palo Alto Networks Unit 42Kaoru Hayashi
@online{hayashi:20170725:tick:d89ab89, author = {Kaoru Hayashi}, title = {{“Tick” Group Continues Attacks}}, date = {2017-07-25}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/}, language = {English}, urldate = {2019-12-20} } “Tick” Group Continues Attacks
Daserf Tick
Yara Rules
[TLP:WHITE] win_daserf_auto (20211008 | Detects win.daserf.)
rule win_daserf_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.daserf."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Each $sequence_N below is a literal byte pattern (with ???? standing
     *   for a wildcarded immediate/displacement). Any change to the hex text
     *   changes what the rule matches; do not reflow or "fix" the bytes. The
     *   // lines under each pattern are the disassembly the bytes were taken
     *   from and are documentation only.
     * - Most sequences ($sequence_0 to $sequence_7 and $sequence_12 to
     *   $sequence_15) are runs of add/sub on eax/ebx with large immediates,
     *   padded with nop, wait, xchg ebp,ebp, mov eax,eax and "75 00"
     *   (jne to the very next instruction). Code of that shape reads like an
     *   inserted junk-code / obfuscation layer rather than program logic
     *   -- TODO confirm against the sample. If that layer comes from a shared
     *   obfuscator, unrelated samples built with it could hit the same
     *   sequences, so corroborate a match before attributing it to Daserf.
     * - $sequence_8, $sequence_9 and $sequence_11 look like ordinary compiled
     *   code (a shift/test/branch, local-slot initialisations with 0x30/3 and
     *   0x100/0x114); what they implement is not recoverable from this
     *   listing.
     * - There is deliberately no MZ/PE header check: per the disclaimer the
     *   sequences come from memory dumps and unpacked files, and adding one
     *   would stop the rule matching dumped code.
     */


    strings:
        $sequence_0 = { 05a76d6f80 2d1588942f 81eba1baec0e 81c3542a8d1e 81eb5e17a468 2de508366a }
            // n = 6, score = 100
            //   05a76d6f80           | add                 eax, 0x806f6da7
            //   2d1588942f           | sub                 eax, 0x2f948815
            //   81eba1baec0e         | sub                 ebx, 0xeecbaa1
            //   81c3542a8d1e         | add                 ebx, 0x1e8d2a54
            //   81eb5e17a468         | sub                 ebx, 0x68a4175e
            //   2de508366a           | sub                 eax, 0x6a3608e5

        $sequence_1 = { 81c3b7c2f7e6 2df3af433d 2da013b87f 81c3d145a55f 81ebb86e602d 81c33e65de95 }
            // n = 6, score = 100
            //   81c3b7c2f7e6         | add                 ebx, 0xe6f7c2b7
            //   2df3af433d           | sub                 eax, 0x3d43aff3
            //   2da013b87f           | sub                 eax, 0x7fb813a0
            //   81c3d145a55f         | add                 ebx, 0x5fa545d1
            //   81ebb86e602d         | sub                 ebx, 0x2d606eb8
            //   81c33e65de95         | add                 ebx, 0x95de653e

        $sequence_2 = { 81ebb384522e 81c3b480372d 81ebbd336e73 81c33ec69dd2 058b84f961 81c3c72aa02b }
            // n = 6, score = 100
            //   81ebb384522e         | sub                 ebx, 0x2e5284b3
            //   81c3b480372d         | add                 ebx, 0x2d3780b4
            //   81ebbd336e73         | sub                 ebx, 0x736e33bd
            //   81c33ec69dd2         | add                 ebx, 0xd29dc63e
            //   058b84f961           | add                 eax, 0x61f9848b
            //   81c3c72aa02b         | add                 ebx, 0x2ba02ac7

        $sequence_3 = { 81c3b123131a 90 89842430f3ffff 8bc0 8b842430f3ffff }
            // n = 5, score = 100
            //   81c3b123131a         | add                 ebx, 0x1a1323b1
            //   90                   | nop                 
            //   89842430f3ffff       | mov                 dword ptr [esp - 0xcd0], eax
            //   8bc0                 | mov                 eax, eax
            //   8b842430f3ffff       | mov                 eax, dword ptr [esp - 0xcd0]

        $sequence_4 = { f7d0 81eb431a27d2 f7d5 f7d5 81eb6562e145 }
            // n = 5, score = 100
            //   f7d0                 | not                 eax
            //   81eb431a27d2         | sub                 ebx, 0xd2271a43
            //   f7d5                 | not                 ebp
            //   f7d5                 | not                 ebp
            //   81eb6562e145         | sub                 ebx, 0x45e16265

        $sequence_5 = { 7500 81c381b8519a 87ed 81eb010bd426 e9???????? }
            // n = 5, score = 100
            //   7500                 | jne                 2
            //   81c381b8519a         | add                 ebx, 0x9a51b881
            //   87ed                 | xchg                ebp, ebp
            //   81eb010bd426         | sub                 ebx, 0x26d40b01
            //   e9????????           |                     

        $sequence_6 = { 90 2da7394548 7500 81ebc5b0441a }
            // n = 4, score = 100
            //   90                   | nop                 
            //   2da7394548           | sub                 eax, 0x484539a7
            //   7500                 | jne                 2
            //   81ebc5b0441a         | sub                 ebx, 0x1a44b0c5

        $sequence_7 = { 81c38f95dc89 8bc9 81ebdab028a4 7500 }
            // n = 4, score = 100
            //   81c38f95dc89         | add                 ebx, 0x89dc958f
            //   8bc9                 | mov                 ecx, ecx
            //   81ebdab028a4         | sub                 ebx, 0xa428b0da
            //   7500                 | jne                 2

        $sequence_8 = { 8b45e8 d3f8 85c0 0f8419010000 a801 }
            // n = 5, score = 100
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   d3f8                 | sar                 eax, cl
            //   85c0                 | test                eax, eax
            //   0f8419010000         | je                  0x11f
            //   a801                 | test                al, 1

        $sequence_9 = { bf007f0000 33f6 57 56 c745b430000000 c745b803000000 }
            // n = 6, score = 100
            //   bf007f0000           | mov                 edi, 0x7f00
            //   33f6                 | xor                 esi, esi
            //   57                   | push                edi
            //   56                   | push                esi
            //   c745b430000000       | mov                 dword ptr [ebp - 0x4c], 0x30
            //   c745b803000000       | mov                 dword ptr [ebp - 0x48], 3

        $sequence_10 = { f7d6 ffd6 9b 8b3d???????? 90 8d85f4faffff 8d00 }
            // n = 7, score = 100
            //   f7d6                 | not                 esi
            //   ffd6                 | call                esi
            //   9b                   | wait                
            //   8b3d????????         |                     
            //   90                   | nop                 
            //   8d85f4faffff         | lea                 eax, dword ptr [ebp - 0x50c]
            //   8d00                 | lea                 eax, dword ptr [eax]

        $sequence_11 = { c745fc00010000 c785d8feffff14010000 e8???????? 59 8d45fc }
            // n = 5, score = 100
            //   c745fc00010000       | mov                 dword ptr [ebp - 4], 0x100
            //   c785d8feffff14010000     | mov    dword ptr [ebp - 0x128], 0x114
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8d45fc               | lea                 eax, dword ptr [ebp - 4]

        $sequence_12 = { 2d2fe48597 05cf9f13b1 059b4ca0ac 2ddb883ec7 81ebcea2c19c 2dc95936ad }
            // n = 6, score = 100
            //   2d2fe48597           | sub                 eax, 0x9785e42f
            //   05cf9f13b1           | add                 eax, 0xb1139fcf
            //   059b4ca0ac           | add                 eax, 0xaca04c9b
            //   2ddb883ec7           | sub                 eax, 0xc73e88db
            //   81ebcea2c19c         | sub                 ebx, 0x9cc1a2ce
            //   2dc95936ad           | sub                 eax, 0xad3659c9

        $sequence_13 = { f7d0 81c3c85bc4e6 9b 81c3402fa99b 90 81c34fe5b167 }
            // n = 6, score = 100
            //   f7d0                 | not                 eax
            //   81c3c85bc4e6         | add                 ebx, 0xe6c45bc8
            //   9b                   | wait                
            //   81c3402fa99b         | add                 ebx, 0x9ba92f40
            //   90                   | nop                 
            //   81c34fe5b167         | add                 ebx, 0x67b1e54f

        $sequence_14 = { 96 89b42410f2ffff 8bf0 8b842410f2ffff 2de164128a }
            // n = 5, score = 100
            //   96                   | xchg                eax, esi
            //   89b42410f2ffff       | mov                 dword ptr [esp - 0xdf0], esi
            //   8bf0                 | mov                 esi, eax
            //   8b842410f2ffff       | mov                 eax, dword ptr [esp - 0xdf0]
            //   2de164128a           | sub                 eax, 0x8a1264e1

        $sequence_15 = { 05d848c354 2df13f033a 81eb657f2411 81ebd1c35df5 81eb73e503c0 }
            // n = 5, score = 100
            //   05d848c354           | add                 eax, 0x54c348d8
            //   2df13f033a           | sub                 eax, 0x3a033ff1
            //   81eb657f2411         | sub                 ebx, 0x11247f65
            //   81ebd1c35df5         | sub                 ebx, 0xf55dc3d1
            //   81eb73e503c0         | sub                 ebx, 0xc003e573

    // Match when at least 7 of the 16 sequences are present and the scanned
    // object is smaller than 245760 bytes (240 KiB). The size bound keeps the
    // rule cheap on large inputs but also means a packed, padded or appended
    // file that embeds the same code will not match; unpack or dump first.
    // NOTE(review): per YARA's documentation `filesize` is undefined when
    // scanning a running process rather than a file -- confirm how this
    // behaves in your deployment before relying on it for process scans.
    condition:
        7 of them and filesize < 245760
}