win.daserf

Daserf

aka: Muirim, Nioupale

Actor(s): Tick


There is no description at this point.

References
2020 — Secureworks — SecureWorks
@online{secureworks:2020:bronze:ef493d6, author = {SecureWorks}, title = {{BRONZE BUTLER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-butler}, language = {English}, urldate = {2020-05-23} } BRONZE BUTLER
Daserf xxmm Tick
2017-11-07 — Trend Micro — Trendmicro
@online{trendmicro:20171107:redbaldknightbronze:f7c817f, author = {Trendmicro}, title = {{REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography}}, date = {2017-11-07}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/}, language = {English}, urldate = {2019-11-27} } REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography
Daserf Datper xxmm
2017-10-12 — Secureworks — CTU Research Team
@online{team:20171012:bronze:7b9ae02, author = {CTU Research Team}, title = {{BRONZE BUTLER Targets Japanese Enterprises}}, date = {2017-10-12}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses}, language = {English}, urldate = {2020-01-07} } BRONZE BUTLER Targets Japanese Enterprises
Daserf Datper rarstar xxmm Tick
2017-07-25 — Palo Alto Networks Unit 42 — Kaoru Hayashi
@online{hayashi:20170725:tick:d89ab89, author = {Kaoru Hayashi}, title = {{“Tick” Group Continues Attacks}}, date = {2017-07-25}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/}, language = {English}, urldate = {2019-12-20} } “Tick” Group Continues Attacks
Daserf Tick
Yara Rules
[TLP:WHITE] win_daserf_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_daserf_auto {
    // Detection rule for the Daserf backdoor (Malpedia family win.daserf; the
    // references listed on this page attribute it to Tick / BRONZE BUTLER).
    // The rule is auto-generated by yara-signator: every string below is a
    // short run of x86 machine code lifted from the disassembly of the
    // documented samples, not a hand-picked artefact such as a C2 string.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a hex byte pattern; the "n = K, score = ..." line
        // under it is the generator's annotation (K = number of instructions
        // in the sequence, score as reported by yara-signator), followed by
        // the disassembly of each instruction. `??` is a wildcarded byte: the
        // generator masks operands that are specific to one build, e.g. the
        // imm32 of a `68 ????????` push and the absolute address of a
        // `ff15 ????????` indirect call.
        // NOTE(review): most sequences are runs of add/sub on eax/ebx with
        // 32-bit immediates, interleaved with nop/wait/xchg-style filler.
        // That reads like a junk-code obfuscation layer rather than the
        // backdoor's own logic, so the rule likely tracks this particular
        // build closely — validate against other Daserf samples before
        // assigning it a high confidence level.
        $sequence_0 = { 050c2eb86e 81c37b79c2a6 81ebf584af5d 81ebc2e489bf 81eb56326bfc 2dcecdb4d5 }
            // n = 6, score = 100
            //   050c2eb86e           | add                 eax, 0x6eb82e0c
            //   81c37b79c2a6         | add                 ebx, 0xa6c2797b
            //   81ebf584af5d         | sub                 ebx, 0x5daf84f5
            //   81ebc2e489bf         | sub                 ebx, 0xbf89e4c2
            //   81eb56326bfc         | sub                 ebx, 0xfc6b3256
            //   2dcecdb4d5           | sub                 eax, 0xd5b4cdce

        $sequence_1 = { 05b14819ae 81c39689d0d1 05fee5b22c 2d191bf639 2db9d68353 05ea860856 81c38fc69e77 }
            // n = 7, score = 100
            //   05b14819ae           | add                 eax, 0xae1948b1
            //   81c39689d0d1         | add                 ebx, 0xd1d08996
            //   05fee5b22c           | add                 eax, 0x2cb2e5fe
            //   2d191bf639           | sub                 eax, 0x39f61b19
            //   2db9d68353           | sub                 eax, 0x5383d6b9
            //   05ea860856           | add                 eax, 0x560886ea
            //   81c38fc69e77         | add                 ebx, 0x779ec68f

        $sequence_2 = { 8bff 81eba91f820d 87f6 2d46e6757d 93 899c2420f5ffff 8bd8 }
            // n = 7, score = 100
            //   8bff                 | mov                 edi, edi
            //   81eba91f820d         | sub                 ebx, 0xd821fa9
            //   87f6                 | xchg                esi, esi
            //   2d46e6757d           | sub                 eax, 0x7d75e646
            //   93                   | xchg                eax, ebx
            //   899c2420f5ffff       | mov                 dword ptr [esp - 0xae0], ebx
            //   8bd8                 | mov                 ebx, eax

        $sequence_3 = { 2d2e219b93 95 89ac2400f2ffff 8be8 8b842400f2ffff 052e765f24 }
            // n = 6, score = 100
            //   2d2e219b93           | sub                 eax, 0x939b212e
            //   95                   | xchg                eax, ebp
            //   89ac2400f2ffff       | mov                 dword ptr [esp - 0xe00], ebp
            //   8be8                 | mov                 ebp, eax
            //   8b842400f2ffff       | mov                 eax, dword ptr [esp - 0xe00]
            //   052e765f24           | add                 eax, 0x245f762e

        $sequence_4 = { 90 8d85f4faffff f7d0 f7d0 68???????? 9b }
            // n = 6, score = 100
            //   90                   | nop                 
            //   8d85f4faffff         | lea                 eax, [ebp - 0x50c]
            //   f7d0                 | not                 eax
            //   f7d0                 | not                 eax
            //   68????????           |                     (push imm32; operand wildcarded)
            //   9b                   | wait                

        $sequence_5 = { 0528ac0878 87f6 2d02472495 8d36 81ebac240a37 }
            // n = 5, score = 100
            //   0528ac0878           | add                 eax, 0x7808ac28
            //   87f6                 | xchg                esi, esi
            //   2d02472495           | sub                 eax, 0x95244702
            //   8d36                 | lea                 esi, [esi]
            //   81ebac240a37         | sub                 ebx, 0x370a24ac

        $sequence_6 = { 93 899c2430f3ffff 8bd8 8b842430f3ffff }
            // n = 4, score = 100
            //   93                   | xchg                eax, ebx
            //   899c2430f3ffff       | mov                 dword ptr [esp - 0xcd0], ebx
            //   8bd8                 | mov                 ebx, eax
            //   8b842430f3ffff       | mov                 eax, dword ptr [esp - 0xcd0]

        $sequence_7 = { 81ebb2b937ac 9b 81ebceca9bb1 93 899c2430f4ffff 8bd8 }
            // n = 6, score = 100
            //   81ebb2b937ac         | sub                 ebx, 0xac37b9b2
            //   9b                   | wait                
            //   81ebceca9bb1         | sub                 ebx, 0xb19bcace
            //   93                   | xchg                eax, ebx
            //   899c2430f4ffff       | mov                 dword ptr [esp - 0xbd0], ebx
            //   8bd8                 | mov                 ebx, eax

        $sequence_8 = { 81eb49ae0110 0573664faa 052d4ed3ec 05ee84d6db 05fa1bd32e 2de9d4a475 81c332cf524d }
            // n = 7, score = 100
            //   81eb49ae0110         | sub                 ebx, 0x1001ae49
            //   0573664faa           | add                 eax, 0xaa4f6673
            //   052d4ed3ec           | add                 eax, 0xecd34e2d
            //   05ee84d6db           | add                 eax, 0xdbd684ee
            //   05fa1bd32e           | add                 eax, 0x2ed31bfa
            //   2de9d4a475           | sub                 eax, 0x75a4d4e9
            //   81c332cf524d         | add                 ebx, 0x4d52cf32

        $sequence_9 = { c785a841ffffc0c54000 c7856814ffffb4c54000 c7855414ffffa8c54000 c785c87fffff9cc54000 c785bc53ffff90c54000 c7855814ffff38c44000 c785d4a7ffff18c44000 }
            // n = 7, score = 100
            // NOTE(review): the only sequence that is not arithmetic/filler;
            // it stores a series of 0x40cXXX image addresses into stack slots,
            // so it is tied to the image base/layout of this build.
            //   c785a841ffffc0c54000     | mov    dword ptr [ebp - 0xbe58], 0x40c5c0
            //   c7856814ffffb4c54000     | mov    dword ptr [ebp - 0xeb98], 0x40c5b4
            //   c7855414ffffa8c54000     | mov    dword ptr [ebp - 0xebac], 0x40c5a8
            //   c785c87fffff9cc54000     | mov    dword ptr [ebp - 0x8038], 0x40c59c
            //   c785bc53ffff90c54000     | mov    dword ptr [ebp - 0xac44], 0x40c590
            //   c7855814ffff38c44000     | mov    dword ptr [ebp - 0xeba8], 0x40c438
            //   c785d4a7ffff18c44000     | mov    dword ptr [ebp - 0x582c], 0x40c418

        $sequence_10 = { 7500 05c72ac635 8d3f 059c41d94a }
            // n = 4, score = 100
            //   7500                 | jne                 2
            //   05c72ac635           | add                 eax, 0x35c62ac7
            //   8d3f                 | lea                 edi, [edi]
            //   059c41d94a           | add                 eax, 0x4ad9419c

        $sequence_11 = { 6a00 ff15???????? 898520fffeff 85c0 }
            // n = 4, score = 100
            //   6a00                 | push                0
            //   ff15????????         |                     (call dword ptr [disp32]; target wildcarded)
            //   898520fffeff         | mov                 dword ptr [ebp - 0x100e0], eax
            //   85c0                 | test                eax, eax

        $sequence_12 = { 81c323b9d528 05cae5f3fc 05b42c1c06 81ebe611574c 81ebf3f4ba8d 054b949e47 }
            // n = 6, score = 100
            //   81c323b9d528         | add                 ebx, 0x28d5b923
            //   05cae5f3fc           | add                 eax, 0xfcf3e5ca
            //   05b42c1c06           | add                 eax, 0x61c2cb4
            //   81ebe611574c         | sub                 ebx, 0x4c5711e6
            //   81ebf3f4ba8d         | sub                 ebx, 0x8dbaf4f3
            //   054b949e47           | add                 eax, 0x479e944b

        $sequence_13 = { 81c3b5947905 81ebd59016d1 81c30fa0cade 057cc633f1 81eb7b2a504a }
            // n = 5, score = 100
            //   81c3b5947905         | add                 ebx, 0x57994b5
            //   81ebd59016d1         | sub                 ebx, 0xd11690d5
            //   81c30fa0cade         | add                 ebx, 0xdecaa00f
            //   057cc633f1           | add                 eax, 0xf133c67c
            //   81eb7b2a504a         | sub                 ebx, 0x4a502a7b

        $sequence_14 = { 9b 81eb5d0145e3 9b 81eb1f7ea08a 9b }
            // n = 5, score = 100
            //   9b                   | wait                
            //   81eb5d0145e3         | sub                 ebx, 0xe345015d
            //   9b                   | wait                
            //   81eb1f7ea08a         | sub                 ebx, 0x8aa07e1f
            //   9b                   | wait                

        $sequence_15 = { 81eb0b621210 05b65ac1c5 2df8c69715 81c311d8f1ce 81ebac23dcc6 0542734e5e }
            // n = 6, score = 100
            //   81eb0b621210         | sub                 ebx, 0x1012620b
            //   05b65ac1c5           | add                 eax, 0xc5c15ab6
            //   2df8c69715           | sub                 eax, 0x1597c6f8
            //   81c311d8f1ce         | add                 ebx, 0xcef1d811
            //   81ebac23dcc6         | sub                 ebx, 0xc6dc23ac
            //   0542734e5e           | add                 eax, 0x5e4e7342

    condition:
        // `them` covers all 16 $sequence_* strings; any 7 of them matching
        // anywhere in the scanned object is enough (no offset constraints).
        // The size cap is 245760 bytes (240 KiB): objects larger than that
        // never match this rule, even if they contain the sequences — keep
        // that in mind when scanning larger carriers or memory dumps.
        7 of them and filesize < 245760
}