win.ddkong

DDKONG

Actor(s): RANCOR


There is no description at this point.

References
2022-07-18 | Palo Alto Networks Unit 42 | Unit 42
Rancor Taurus
DDKONG KHRAT PLAINTEE RANCOR
2020-01-29 | nao_sec blog | nao_sec
An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2020-01-01 | Secureworks | SecureWorks
BRONZE OVERBROOK
Aveo DDKONG IsSpace PLAINTEE PlugX Rambo DragonOK
2019-12-17 | Palo Alto Networks Unit 42 | Jen Miller-Osborn, Mike Harbison
Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia
DDKONG Derusbi KHRAT
2018-06-26 | Palo Alto Networks Unit 42 | Brittany Ash, Josh Grunzweig, Tom Lancaster
RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families
DDKONG PLAINTEE
Yara Rules
[TLP:WHITE] win_ddkong_auto (20230808 | Detects win.ddkong.)
rule win_ddkong_auto {

    /* Autogenerated code-sequence signature for the DDKONG family (win.ddkong).
     * Ten opcode sequences ($sequence_0 .. $sequence_9) were extracted from
     * disassembly; the condition fires when at least 7 of them are present in
     * a file smaller than 81920 bytes (80 KiB). Review notes on individual
     * sequences are given inline below; the byte patterns themselves are
     * left exactly as emitted by the generator.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.ddkong."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkong"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Seven consecutive `mov byte ptr [ebp - X], imm8` stores to adjacent
        // stack slots; the immediates are printable ASCII ("eWow64F"), i.e. a
        // string being assembled byte-by-byte on the stack. Presumably a
        // fragment of an API name resolved at runtime -- confirm against the sample.
        $sequence_0 = { c6459765 c6459857 c645996f c6459a77 c6459b36 c6459c34 c6459d46 }
            // n = 7, score = 100
            //   c6459765             | mov                 byte ptr [ebp - 0x69], 0x65
            //   c6459857             | mov                 byte ptr [ebp - 0x68], 0x57
            //   c645996f             | mov                 byte ptr [ebp - 0x67], 0x6f
            //   c6459a77             | mov                 byte ptr [ebp - 0x66], 0x77
            //   c6459b36             | mov                 byte ptr [ebp - 0x65], 0x36
            //   c6459c34             | mov                 byte ptr [ebp - 0x64], 0x34
            //   c6459d46             | mov                 byte ptr [ebp - 0x63], 0x46

        // Same stack-string idiom with a larger (disp32) frame offset; the five
        // immediates decode to ASCII "bject", followed by a store of bl and an
        // indirect `call edi`. NOTE(review): $sequence_9 is a strict substring
        // of this pattern (its last four instructions minus the call), so any
        // file that matches $sequence_1 also matches $sequence_9 -- the two are
        // not independent evidence in the "7 of them" count.
        $sequence_1 = { c68572ffffff62 c68573ffffff6a c68574ffffff65 c68575ffffff63 c68576ffffff74 889d77ffffff ffd7 }
            // n = 7, score = 100
            //   c68572ffffff62       | mov                 byte ptr [ebp - 0x8e], 0x62
            //   c68573ffffff6a       | mov                 byte ptr [ebp - 0x8d], 0x6a
            //   c68574ffffff65       | mov                 byte ptr [ebp - 0x8c], 0x65
            //   c68575ffffff63       | mov                 byte ptr [ebp - 0x8b], 0x63
            //   c68576ffffff74       | mov                 byte ptr [ebp - 0x8a], 0x74
            //   889d77ffffff         | mov                 byte ptr [ebp - 0x89], bl
            //   ffd7                 | call                edi

        // Stack-string construction; immediates decode to ASCII "leNameA".
        $sequence_2 = { c645d36c c645d465 c645d54e c645d661 c645d76d c645d865 c645d941 }
            // n = 7, score = 100
            //   c645d36c             | mov                 byte ptr [ebp - 0x2d], 0x6c
            //   c645d465             | mov                 byte ptr [ebp - 0x2c], 0x65
            //   c645d54e             | mov                 byte ptr [ebp - 0x2b], 0x4e
            //   c645d661             | mov                 byte ptr [ebp - 0x2a], 0x61
            //   c645d76d             | mov                 byte ptr [ebp - 0x29], 0x6d
            //   c645d865             | mov                 byte ptr [ebp - 0x28], 0x65
            //   c645d941             | mov                 byte ptr [ebp - 0x27], 0x41

        // Generic function epilogue (pop/pop/ret 0xc) followed by two `ff25`
        // indirect jumps whose 4-byte operands are wildcarded, then the start of
        // a stdcall-style argument load. The wildcards and the common epilogue
        // make this the least specific sequence of the set; it contributes
        // little on its own and should not be relied on in isolation.
        $sequence_3 = { 5b 5d c20c00 ff25???????? ff25???????? 8b4c2404 85c9 }
            // n = 7, score = 100
            //   5b                   | pop                 ebx
            //   5d                   | pop                 ebp
            //   c20c00               | ret                 0xc
            //   ff25????????         |                     
            //   ff25????????         |                     
            //   8b4c2404             | mov                 ecx, dword ptr [esp + 4]
            //   85c9                 | test                ecx, ecx

        // Final byte ('p', 0x70) of a stack string, two register-indirect calls,
        // then `mov edi, 0x104` (260 decimal). Presumably a buffer length such as
        // MAX_PATH being set up for the following call -- confirm against the sample.
        $sequence_4 = { c645f470 ffd6 50 ffd7 8b5d0c bf04010000 }
            // n = 6, score = 100
            //   c645f470             | mov                 byte ptr [ebp - 0xc], 0x70
            //   ffd6                 | call                esi
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]
            //   bf04010000           | mov                 edi, 0x104

        // Call with a wildcarded relative target, stack cleanup of 0x18 bytes
        // (six dword arguments), and a short forward jump. Only 5 opcodes, with
        // the call target masked, so this is a weak sequence by itself.
        $sequence_5 = { 6a04 e8???????? 83c418 eb2d 6a01 }
            // n = 5, score = 100
            //   6a04                 | push                4
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   eb2d                 | jmp                 0x2f
            //   6a01                 | push                1

        // Argument validation: `cmp [ebp + 8], -1` (a -1 / INVALID_HANDLE_VALUE-
        // style sentinel check; the exact meaning is not visible here) guarding
        // a call that receives a 16-byte local buffer (lea eax, [ebp - 0x24]; push 0x10).
        $sequence_6 = { 7427 837d08ff 7421 8d45dc 6a10 50 ff7508 }
            // n = 7, score = 100
            //   7427                 | je                  0x29
            //   837d08ff             | cmp                 dword ptr [ebp + 8], -1
            //   7421                 | je                  0x23
            //   8d45dc               | lea                 eax, [ebp - 0x24]
            //   6a10                 | push                0x10
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]

        // Stack-string construction (disp32 offsets); immediates decode to ASCII "eObje".
        $sequence_7 = { c6855affffff65 c6855bffffff4f c6855cffffff62 c6855dffffff6a c6855effffff65 }
            // n = 5, score = 100
            //   c6855affffff65       | mov                 byte ptr [ebp - 0xa6], 0x65
            //   c6855bffffff4f       | mov                 byte ptr [ebp - 0xa5], 0x4f
            //   c6855cffffff62       | mov                 byte ptr [ebp - 0xa4], 0x62
            //   c6855dffffff6a       | mov                 byte ptr [ebp - 0xa3], 0x6a
            //   c6855effffff65       | mov                 byte ptr [ebp - 0xa2], 0x65

        // Stack-string construction into the same frame slots as $sequence_0
        // ([ebp - 0x69] .. [ebp - 0x63]) but with different bytes; immediates
        // decode to ASCII "ctiveCo".
        $sequence_8 = { c6459763 c6459874 c6459969 c6459a76 c6459b65 c6459c43 c6459d6f }
            // n = 7, score = 100
            //   c6459763             | mov                 byte ptr [ebp - 0x69], 0x63
            //   c6459874             | mov                 byte ptr [ebp - 0x68], 0x74
            //   c6459969             | mov                 byte ptr [ebp - 0x67], 0x69
            //   c6459a76             | mov                 byte ptr [ebp - 0x66], 0x76
            //   c6459b65             | mov                 byte ptr [ebp - 0x65], 0x65
            //   c6459c43             | mov                 byte ptr [ebp - 0x64], 0x43
            //   c6459d6f             | mov                 byte ptr [ebp - 0x63], 0x6f

        // NOTE(review): these four opcodes are byte-for-byte the 3rd..6th
        // instructions of $sequence_1 (ASCII "ect" + store of bl). A match on
        // $sequence_1 therefore implies a match here; when $sequence_1 hits, the
        // condition effectively needs only 6 distinct sequences, which should be
        // kept in mind when assigning a confidence level to this rule.
        $sequence_9 = { c68574ffffff65 c68575ffffff63 c68576ffffff74 889d77ffffff }
            // n = 4, score = 100
            //   c68574ffffff65       | mov                 byte ptr [ebp - 0x8c], 0x65
            //   c68575ffffff63       | mov                 byte ptr [ebp - 0x8b], 0x63
            //   c68576ffffff74       | mov                 byte ptr [ebp - 0x8a], 0x74
            //   889d77ffffff         | mov                 byte ptr [ebp - 0x89], bl

    condition:
        // "them" covers all ten $sequence_* strings; filesize is in bytes, so
        // the rule only applies to files under 80 KiB (e.g. unpacked/dumped
        // modules of that size -- larger containers or packed samples will not
        // match regardless of content).
        7 of them and filesize < 81920
}