win.daserf

Daserf

aka: Muirim, Nioupale

Actor(s): Tick


There is no description at this point.

References
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:ef493d6, author = {SecureWorks}, title = {{BRONZE BUTLER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-butler}, language = {English}, urldate = {2020-05-23} } BRONZE BUTLER
Daserf xxmm Tick
2017-11-07 | Trend Micro | Trendmicro
@online{trendmicro:20171107:redbaldknightbronze:f7c817f, author = {Trendmicro}, title = {{REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography}}, date = {2017-11-07}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/}, language = {English}, urldate = {2019-11-27} } REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography
Daserf Datper xxmm
2017-10-12 | Secureworks | CTU Research Team
@online{team:20171012:bronze:7b9ae02, author = {CTU Research Team}, title = {{BRONZE BUTLER Targets Japanese Enterprises}}, date = {2017-10-12}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses}, language = {English}, urldate = {2020-01-07} } BRONZE BUTLER Targets Japanese Enterprises
Daserf Datper rarstar xxmm Tick
2017-07-25 | Palo Alto Networks Unit 42 | Kaoru Hayashi
@online{hayashi:20170725:tick:d89ab89, author = {Kaoru Hayashi}, title = {{“Tick” Group Continues Attacks}}, date = {2017-07-25}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/}, language = {English}, urldate = {2019-12-20} } “Tick” Group Continues Attacks
Daserf Tick
Yara Rules
[TLP:WHITE] win_daserf_auto (20200529 | autogenerated rule brought to you by yara-signator)
/*
 * win_daserf_auto
 *
 * Auto-generated detection rule for the Daserf family (Malpedia id win.daserf,
 * aka Muirim / Nioupale; the references on this page attribute it to Tick /
 * BRONZE BUTLER). Each $sequence_N below is a run of consecutive x86 (32-bit)
 * instruction encodings lifted from disassembly; the per-string comments give
 * the hex bytes on the left and the decoded instruction on the right.
 *
 * Matching is purely byte-based and order-independent between strings: the
 * condition fires when any 7 of the 16 sequences are found anywhere in the
 * scanned object, subject to the filesize bound. Because the inputs were
 * memory dumps and unpacked files (see the DISCLAIMER below), there is
 * deliberately no MZ/PE header check, so the rule is intended to be run on
 * unpacked code, not on packed droppers.
 */
rule win_daserf_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): 'date' is one day after malpedia_rule_date; presumably
        // generation date vs. dataset snapshot date — confirm before relying on it.
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Notation: hex strings are matched byte-for-byte; "??" is a one-byte
        // wildcard used where the operand is an absolute address that differs
        // between builds/load addresses (e.g. ff15???????? = call dword ptr
        // [imm32], 8b35???????? = mov esi, dword ptr [imm32]). The "n" in each
        // comment is the number of instructions in the sequence; "score" is the
        // generator's ranking, not a YARA construct.
        //
        // Most sequences consist of immediate add/sub chains on eax/ebx
        // interleaved with semantically null instructions (not reg; not reg,
        // mov eax, eax, lea esi, [esi], nop, wait). These look like padding /
        // junk-code patterns rather than program logic — which is what makes
        // them a stable fingerprint of this build, but also means a rebuilt or
        // differently obfuscated sample may not carry them (hedged; inferred
        // from the disassembly below, not from family analysis).
        $sequence_0 = { 05a7219db8 0553dccba5 81eb1263da55 81eb5352c6d6 2d40306f35 2d006acb4b 81c31939738c }
            // n = 7, score = 100
            //   05a7219db8           | add                 eax, 0xb89d21a7
            //   0553dccba5           | add                 eax, 0xa5cbdc53
            //   81eb1263da55         | sub                 ebx, 0x55da6312
            //   81eb5352c6d6         | sub                 ebx, 0xd6c65253
            //   2d40306f35           | sub                 eax, 0x356f3040
            //   2d006acb4b           | sub                 eax, 0x4bcb6a00
            //   81c31939738c         | add                 ebx, 0x8c733919

        $sequence_1 = { 2dc037d40f 050816e86d 2da352f187 81ebea7db77f }
            // n = 4, score = 100
            //   2dc037d40f           | sub                 eax, 0xfd437c0
            //   050816e86d           | add                 eax, 0x6de81608
            //   2da352f187           | sub                 eax, 0x87f152a3
            //   81ebea7db77f         | sub                 ebx, 0x7fb77dea

        $sequence_2 = { 05c1bdf63c 2dd0891176 2df36ad2d7 0528f19584 052e6d711c 81c3b333bd49 }
            // n = 6, score = 100
            //   05c1bdf63c           | add                 eax, 0x3cf6bdc1
            //   2dd0891176           | sub                 eax, 0x761189d0
            //   2df36ad2d7           | sub                 eax, 0xd7d26af3
            //   0528f19584           | add                 eax, 0x8495f128
            //   052e6d711c           | add                 eax, 0x1c716d2e
            //   81c3b333bd49         | add                 ebx, 0x49bd33b3

        $sequence_3 = { 81c37508bc5f 8d36 05f0e03df5 f7d1 f7d1 81c36003e51c 9b }
            // n = 7, score = 100
            //   81c37508bc5f         | add                 ebx, 0x5fbc0875
            //   8d36                 | lea                 esi, [esi]
            //   05f0e03df5           | add                 eax, 0xf53de0f0
            //   f7d1                 | not                 ecx
            //   f7d1                 | not                 ecx
            //   81c36003e51c         | add                 ebx, 0x1ce50360
            //   9b                   | wait                

        $sequence_4 = { 81c3d6659b48 81eb3e24cc02 05bb9b4196 81eb944686e1 81eb84d90d01 }
            // n = 5, score = 100
            //   81c3d6659b48         | add                 ebx, 0x489b65d6
            //   81eb3e24cc02         | sub                 ebx, 0x2cc243e
            //   05bb9b4196           | add                 eax, 0x96419bbb
            //   81eb944686e1         | sub                 ebx, 0xe1864694
            //   81eb84d90d01         | sub                 ebx, 0x10dd984

        $sequence_5 = { 81c36e29911f 2da46f1d75 2de4acc3a1 81eb8e1bdfee 05ba268e1d }
            // n = 5, score = 100
            //   81c36e29911f         | add                 ebx, 0x1f91296e
            //   2da46f1d75           | sub                 eax, 0x751d6fa4
            //   2de4acc3a1           | sub                 eax, 0xa1c3ace4
            //   81eb8e1bdfee         | sub                 ebx, 0xeedf1b8e
            //   05ba268e1d           | add                 eax, 0x1d8e26ba

        // One of the few sequences with real control flow: an indirect call
        // (target wildcarded) followed by a compare of eax against 0x180000
        // and a conditional jump. Which API is called is not recoverable from
        // the bytes here.
        $sequence_6 = { ff15???????? 3d00001800 7f52 8d4df8 }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   3d00001800           | cmp                 eax, 0x180000
            //   7f52                 | jg                  0x54
            //   8d4df8               | lea                 ecx, [ebp - 8]

        $sequence_7 = { 05e62902ad f7d7 f7d7 81c359659207 9b 052b6840f2 9b }
            // n = 7, score = 100
            //   05e62902ad           | add                 eax, 0xad0229e6
            //   f7d7                 | not                 edi
            //   f7d7                 | not                 edi
            //   81c359659207         | add                 ebx, 0x7926559
            //   9b                   | wait                
            //   052b6840f2           | add                 eax, 0xf240682b
            //   9b                   | wait                

        $sequence_8 = { 054d03130d 8d09 81eb7264b6b3 8bf6 81c3696ebfab 8d1b }
            // n = 6, score = 100
            //   054d03130d           | add                 eax, 0xd13034d
            //   8d09                 | lea                 ecx, [ecx]
            //   81eb7264b6b3         | sub                 ebx, 0xb3b66472
            //   8bf6                 | mov                 esi, esi
            //   81c3696ebfab         | add                 ebx, 0xabbf6e69
            //   8d1b                 | lea                 ebx, [ebx]

        // Stack-slot round trip at a fixed negative esp offset (0xae0); the
        // offset is part of the matched bytes, so it is specific to this build.
        $sequence_9 = { 91 898c2420f5ffff 8bc8 8b842420f5ffff 81eb46692dd4 90 }
            // n = 6, score = 100
            //   91                   | xchg                eax, ecx
            //   898c2420f5ffff       | mov                 dword ptr [esp - 0xae0], ecx
            //   8bc8                 | mov                 ecx, eax
            //   8b842420f5ffff       | mov                 eax, dword ptr [esp - 0xae0]
            //   81eb46692dd4         | sub                 ebx, 0xd42d6946
            //   90                   | nop                 

        $sequence_10 = { 81c33a0c7b7f 81c3b996ec35 2d4de4cd72 2d607c1f45 }
            // n = 4, score = 100
            //   81c33a0c7b7f         | add                 ebx, 0x7f7b0c3a
            //   81c3b996ec35         | add                 ebx, 0x35ec96b9
            //   2d4de4cd72           | sub                 eax, 0x72cde44d
            //   2d607c1f45           | sub                 eax, 0x451f7c60

        $sequence_11 = { f7d6 f7d6 2d3eaa1f60 90 2db8cf538f 8bc0 }
            // n = 6, score = 100
            //   f7d6                 | not                 esi
            //   f7d6                 | not                 esi
            //   2d3eaa1f60           | sub                 eax, 0x601faa3e
            //   90                   | nop                 
            //   2db8cf538f           | sub                 eax, 0x8f53cfb8
            //   8bc0                 | mov                 eax, eax

        $sequence_12 = { 0508b0600b 90 89842440f5ffff 8bc0 8b842440f5ffff 0552185fbf }
            // n = 6, score = 100
            //   0508b0600b           | add                 eax, 0xb60b008
            //   90                   | nop                 
            //   89842440f5ffff       | mov                 dword ptr [esp - 0xac0], eax
            //   8bc0                 | mov                 eax, eax
            //   8b842440f5ffff       | mov                 eax, dword ptr [esp - 0xac0]
            //   0552185fbf           | add                 eax, 0xbf5f1852

        // Generic prologue-like fragment (push/push around a global load);
        // on its own this is weak evidence and relies on the 7-of-16 threshold.
        $sequence_13 = { 56 8b35???????? 83c007 57 }
            // n = 4, score = 100
            //   56                   | push                esi
            //   8b35????????         |                     
            //   83c007               | add                 eax, 7
            //   57                   | push                edi

        $sequence_14 = { 8d3f 05309b0a52 90 81c3285861b0 9b 81eb78f231ca 8bd2 }
            // n = 7, score = 100
            //   8d3f                 | lea                 edi, [edi]
            //   05309b0a52           | add                 eax, 0x520a9b30
            //   90                   | nop                 
            //   81c3285861b0         | add                 ebx, 0xb0615828
            //   9b                   | wait                
            //   81eb78f231ca         | sub                 ebx, 0xca31f278
            //   8bd2                 | mov                 edx, edx

        // Two wildcarded absolute operands with only "not ebp; not ebp" fixed
        // between them: 4 fixed bytes plus 8 wildcards, so this one is the
        // least specific string in the set.
        $sequence_15 = { ff15???????? f7d5 f7d5 8b35???????? }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   f7d5                 | not                 ebp
            //   f7d5                 | not                 ebp
            //   8b35????????         |                     

    condition:
        // Any 7 of the 16 sequences, in any order and at any offset, and the
        // scanned object must be smaller than 245760 bytes (240 KiB). The size
        // bound reduces false positives on large binaries but also means an
        // oversized dump or a file with appended data will not match.
        // NOTE(review): 'filesize' refers to the scanned file; behaviour when
        // scanning process memory instead of a file should be confirmed for
        // the YARA version in use.
        7 of them and filesize < 245760
}