win.daserf

Daserf

aka: Muirim, Nioupale

Actor(s): Tick


There is no description at this point.

References
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:ef493d6, author = {SecureWorks}, title = {{BRONZE BUTLER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-butler}, language = {English}, urldate = {2020-05-23} } BRONZE BUTLER
Daserf xxmm Tick
2017-11-07 | Trend Micro | Trendmicro
@online{trendmicro:20171107:redbaldknightbronze:f7c817f, author = {Trendmicro}, title = {{REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography}}, date = {2017-11-07}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/}, language = {English}, urldate = {2019-11-27} } REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography
Daserf Datper xxmm
2017-10-12 | Secureworks | CTU Research Team
@online{team:20171012:bronze:7b9ae02, author = {CTU Research Team}, title = {{BRONZE BUTLER Targets Japanese Enterprises}}, date = {2017-10-12}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses}, language = {English}, urldate = {2020-01-07} } BRONZE BUTLER Targets Japanese Enterprises
Daserf Datper rarstar xxmm Tick
2017-07-25 | Palo Alto Networks Unit 42 | Kaoru Hayashi
@online{hayashi:20170725:tick:d89ab89, author = {Kaoru Hayashi}, title = {{“Tick” Group Continues Attacks}}, date = {2017-07-25}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/}, language = {English}, urldate = {2019-12-20} } “Tick” Group Continues Attacks
Daserf Tick
Yara Rules
[TLP:WHITE] win_daserf_auto (20230125 | Detects win.daserf.)
rule win_daserf_auto {
    /* Detection rule for the Daserf backdoor (Malpedia family win.daserf,
     * aka Muirim / Nioupale; actor Tick per the Malpedia entry).
     *
     * Autogenerated by yara-signator: each $sequence_N below is a run of
     * x86 instruction bytes lifted from the reference sample(s), with the
     * disassembly reproduced in the comment beneath it.  Bytes written as
     * `??` are nibble wildcards; the generator leaves the disassembly column
     * blank for those instructions (presumably their operands were masked so
     * the pattern does not depend on one build's addresses -- TODO confirm
     * against the signator_config in meta).
     *
     * NOTE(review): several sequences consist of add/sub with large
     * immediates and no-op-like forms (mov ebx, ebx; xchg edx, edx;
     * lea eax, [eax]; jne with a zero displacement, i.e. a jump to the
     * following instruction).  This reads like padding/obfuscation code
     * rather than functional logic; treat that as an assumption when
     * judging how well the rule generalizes beyond the documented sample.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.daserf."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // 16 code-byte sequences ($sequence_0 .. $sequence_15).  Each one is
        // annotated with "n = <instruction count>, score = <generator score>"
        // and the corresponding disassembly.
        $sequence_0 = { 68???????? 8d85dccfffff 50 8b35???????? ffd6 }
            // n = 5, score = 100
            //   68????????           |                     
            //   8d85dccfffff         | lea                 eax, [ebp - 0x3024]
            //   50                   | push                eax
            //   8b35????????         |                     
            //   ffd6                 | call                esi

        $sequence_1 = { 8b842440f3ffff 81c333498833 8bdb 81c3ff14e0af 7500 81c37ba0afab f7d7 }
            // n = 7, score = 100
            //   8b842440f3ffff       | mov                 eax, dword ptr [esp - 0xcc0]
            //   81c333498833         | add                 ebx, 0x33884933
            //   8bdb                 | mov                 ebx, ebx
            //   81c3ff14e0af         | add                 ebx, 0xafe014ff
            //   7500                 | jne                 2
            //   81c37ba0afab         | add                 ebx, 0xabafa07b
            //   f7d7                 | not                 edi

        $sequence_2 = { 899c2420f4ffff 8bd8 8b842420f4ffff 81c388f110b7 8bc0 }
            // n = 5, score = 100
            //   899c2420f4ffff       | mov                 dword ptr [esp - 0xbe0], ebx
            //   8bd8                 | mov                 ebx, eax
            //   8b842420f4ffff       | mov                 eax, dword ptr [esp - 0xbe0]
            //   81c388f110b7         | add                 ebx, 0xb710f188
            //   8bc0                 | mov                 eax, eax

        $sequence_3 = { 057b491060 81ebbd9a8d1d 81ebe03c5af4 81eb47b5cea5 81eb53f193e1 }
            // n = 5, score = 100
            //   057b491060           | add                 eax, 0x6010497b
            //   81ebbd9a8d1d         | sub                 ebx, 0x1d8d9abd
            //   81ebe03c5af4         | sub                 ebx, 0xf45a3ce0
            //   81eb47b5cea5         | sub                 ebx, 0xa5ceb547
            //   81eb53f193e1         | sub                 ebx, 0xe193f153

        $sequence_4 = { e9???????? 2dc9036315 e9???????? 81ebe6c71481 87d2 2d5f3afb49 }
            // n = 6, score = 100
            //   e9????????           |                     
            //   2dc9036315           | sub                 eax, 0x156303c9
            //   e9????????           |                     
            //   81ebe6c71481         | sub                 ebx, 0x8114c7e6
            //   87d2                 | xchg                edx, edx
            //   2d5f3afb49           | sub                 eax, 0x49fb3a5f

        $sequence_5 = { 81c3cc3c3014 81ebf5cf155e 2da3aa429d 81c3ee310d48 }
            // n = 4, score = 100
            //   81c3cc3c3014         | add                 ebx, 0x14303ccc
            //   81ebf5cf155e         | sub                 ebx, 0x5e15cff5
            //   2da3aa429d           | sub                 eax, 0x9d42aaa3
            //   81c3ee310d48         | add                 ebx, 0x480d31ee

        $sequence_6 = { 8d45fc 90 6a00 95 89ac2400f2ffff 8be8 8b842400f2ffff }
            // n = 7, score = 100
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   90                   | nop                 
            //   6a00                 | push                0
            //   95                   | xchg                eax, ebp
            //   89ac2400f2ffff       | mov                 dword ptr [esp - 0xe00], ebp
            //   8be8                 | mov                 ebp, eax
            //   8b842400f2ffff       | mov                 eax, dword ptr [esp - 0xe00]

        $sequence_7 = { f7d1 81eb6a892938 8d00 2deadbabc4 9b 0517d5bc9d }
            // n = 6, score = 100
            //   f7d1                 | not                 ecx
            //   81eb6a892938         | sub                 ebx, 0x3829896a
            //   8d00                 | lea                 eax, [eax]
            //   2deadbabc4           | sub                 eax, 0xc4abdbea
            //   9b                   | wait                
            //   0517d5bc9d           | add                 eax, 0x9dbcd517

        $sequence_8 = { 8b842430f1ffff 81c389eaec01 7500 81eb58d4b1b9 8bc9 }
            // n = 5, score = 100
            //   8b842430f1ffff       | mov                 eax, dword ptr [esp - 0xed0]
            //   81c389eaec01         | add                 ebx, 0x1ecea89
            //   7500                 | jne                 2
            //   81eb58d4b1b9         | sub                 ebx, 0xb9b1d458
            //   8bc9                 | mov                 ecx, ecx

        $sequence_9 = { 81eb76322a2c 2d31853faa 81eb62173d6e 2da24df472 81ebbaa457d6 81c3161ade8a }
            // n = 6, score = 100
            //   81eb76322a2c         | sub                 ebx, 0x2c2a3276
            //   2d31853faa           | sub                 eax, 0xaa3f8531
            //   81eb62173d6e         | sub                 ebx, 0x6e3d1762
            //   2da24df472           | sub                 eax, 0x72f44da2
            //   81ebbaa457d6         | sub                 ebx, 0xd657a4ba
            //   81c3161ade8a         | add                 ebx, 0x8ade1a16

        $sequence_10 = { 8945e0 8d8568efffff 50 ffd7 8d8568efffff 68???????? }
            // n = 6, score = 100
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8d8568efffff         | lea                 eax, [ebp - 0x1098]
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   8d8568efffff         | lea                 eax, [ebp - 0x1098]
            //   68????????           |                     

        $sequence_11 = { 53 51 50 ff75fc 56 ff15???????? }
            // n = 6, score = 100
            //   53                   | push                ebx
            //   51                   | push                ecx
            //   50                   | push                eax
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_12 = { 50 7542 68???????? eb40 8d45ec }
            // n = 5, score = 100
            //   50                   | push                eax
            //   7542                 | jne                 0x44
            //   68????????           |                     
            //   eb40                 | jmp                 0x42
            //   8d45ec               | lea                 eax, [ebp - 0x14]

        $sequence_13 = { 8d36 053a51eeaa f7d3 f7d3 81c3829a7887 }
            // n = 5, score = 100
            //   8d36                 | lea                 esi, [esi]
            //   053a51eeaa           | add                 eax, 0xaaee513a
            //   f7d3                 | not                 ebx
            //   f7d3                 | not                 ebx
            //   81c3829a7887         | add                 ebx, 0x87789a82

        $sequence_14 = { 81c3ec0e650c 05442ce0e8 052ef19f14 2dec0a99d5 81c3727fae60 053106bd10 }
            // n = 6, score = 100
            //   81c3ec0e650c         | add                 ebx, 0xc650eec
            //   05442ce0e8           | add                 eax, 0xe8e02c44
            //   052ef19f14           | add                 eax, 0x149ff12e
            //   2dec0a99d5           | sub                 eax, 0xd5990aec
            //   81c3727fae60         | add                 ebx, 0x60ae7f72
            //   053106bd10           | add                 eax, 0x10bd0631

        $sequence_15 = { 899c2420f5ffff 8bd8 8b842420f5ffff 2d791619bf 7500 81eb260de893 95 }
            // n = 7, score = 100
            //   899c2420f5ffff       | mov                 dword ptr [esp - 0xae0], ebx
            //   8bd8                 | mov                 ebx, eax
            //   8b842420f5ffff       | mov                 eax, dword ptr [esp - 0xae0]
            //   2d791619bf           | sub                 eax, 0xbf191679
            //   7500                 | jne                 2
            //   81eb260de893         | sub                 ebx, 0x93e80d26
            //   95                   | xchg                eax, ebp

    condition:
        // Fires when at least 7 of the 16 sequences are present AND the scanned
        // object is smaller than 245760 bytes (240 KiB).  `filesize` is the size
        // of the file being scanned: for a dumped/unpacked image it is the dump
        // size, not the original PE on disk, and per the YARA docs a rule using
        // filesize does not match when applied to a running process, so the size
        // clause needs adjusting for in-memory scans.
        7 of them and filesize < 245760
}