Actor(s): Stone Panda
APT10's fork of the (open-source) Quasar RAT.
import "pe"

rule win_dilljuice_w0 {
    meta:
        author = "FireEye"
        source = "https://www.youtube.com/watch?v=a_CYCoL81bw"
        date = "2019-07-08"
        description = "Detection of DILLJUICE.A through its dropper"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dilljuice"
        malpedia_version = "20190708"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    condition:
        // MZ magic and PE signature at e_lfanew
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        // XOR of two dwords 8 bytes apart at a fixed RVA of the dropper;
        // the hard-coded RVA ties this rule to a specific build
        uint32(pe.rva_to_offset(0x177A0)) ^ uint32(pe.rva_to_offset(0x177A0+8)) == 0x905A49
}
rule win_dilljuice_w1 {
    meta:
        author = "FireEye"
        source = "https://www.youtube.com/watch?v=a_CYCoL81bw"
        date = "2019-07-08"
        description = "Detection of DILLJUICE.B through its dropper"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dilljuice"
        malpedia_version = "20190708"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // marker preceding the encoded payload header
        $b = { ff 2f fa ff }
    condition:
        uint16(0) == 0x5a4d and $b and
        // for any marker hit: the two dwords at +4 and +8 key a mod-0xff sum;
        // XORing that key into the bytes at +0xc and +0xd must yield 'M' (0x4d) and 'Z' (0x5a)
        for any i in (#b): (
            ((uint32(@b[i]+0x4) + uint32(@b[i]+0x8)) % 0xff) ^ uint8(@b[i]+0xc) == 0x4d and
            ((uint32(@b[i]+0x4) + 2*uint32(@b[i]+0x8)) % 0xff) ^ uint8(@b[i]+0xd) == 0x5a
        )
}
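As an added example, not part of the Malpedia entry or of the FireEye rules above, the following Python reimplements the win_dilljuice_w1 condition so the byte-level check can be exercised and understood without a YARA engine. It also builds a constructed sample buffer (not bytes from any real DILLJUICE dropper) that satisfies the check, which makes the relationship between the two keying dwords and the two encoded "MZ" bytes explicit. win_dilljuice_w0 is not reimplemented here because it depends on YARA's pe.rva_to_offset(), which needs a full section table to evaluate. Function names are this example's own.

```python
import struct

# Marker string from win_dilljuice_w1: $b = { ff 2f fa ff }
MARKER = b"\xff\x2f\xfa\xff"


def u32(buf: bytes, off: int) -> int:
    """Little-endian uint32 at off, mirroring YARA's uint32()."""
    return struct.unpack_from("<I", buf, off)[0]


def expected_tail(a: int, b: int) -> bytes:
    """Bytes at marker+0xc and marker+0xd that satisfy the rule for keying dwords a, b.

    The rule demands ((a + b) % 0xff) ^ byte0 == 0x4d ('M') and
    ((a + 2*b) % 0xff) ^ byte1 == 0x5a ('Z'), so the on-disk bytes are the
    XOR of each key with the corresponding 'MZ' byte. YARA evaluates the sums
    as 64-bit integers, so no 32-bit truncation is applied here either.
    """
    return bytes([((a + b) % 0xff) ^ 0x4d, ((a + 2 * b) % 0xff) ^ 0x5a])


def matches_w1(buf: bytes) -> bool:
    """Python equivalent of the win_dilljuice_w1 condition."""
    # uint16(0) == 0x5a4d: file must start with "MZ"
    if len(buf) < 2 or buf[:2] != b"MZ":
        return False
    # "for any i in (#b)": test every occurrence of the marker
    pos = buf.find(MARKER)
    while pos != -1:
        # uint8(@b[i]+0xd) must be readable; YARA treats an out-of-bounds read as undefined
        if pos + 0xe <= len(buf):
            a = u32(buf, pos + 0x4)
            b = u32(buf, pos + 0x8)
            if (((a + b) % 0xff) ^ buf[pos + 0xc]) == 0x4d and \
               (((a + 2 * b) % 0xff) ^ buf[pos + 0xd]) == 0x5a:
                return True
        pos = buf.find(MARKER, pos + 1)
    return False


def build_w1_sample(a: int, b: int, prefix_len: int = 0x40) -> bytes:
    """Constructed test buffer (not real malware): MZ magic, filler, marker,
    the two keying dwords, the two encoded 'MZ' bytes, then filler."""
    body = b"MZ" + b"\x00" * (prefix_len - 2)
    body += MARKER + struct.pack("<II", a, b) + expected_tail(a, b)
    body += b"\x00" * 16
    return body


def corrupt_byte(buf: bytes, off: int) -> bytes:
    """Flip the low bit of one byte, used to show the check is sensitive to either encoded byte."""
    out = bytearray(buf)
    out[off] ^= 0x01
    return bytes(out)


if __name__ == "__main__":
    sample = build_w1_sample(0x11223344, 0x55667788)
    print("constructed sample matches:", matches_w1(sample))
    pos = sample.find(MARKER)
    print("first encoded byte corrupted:", matches_w1(corrupt_byte(sample, pos + 0xc)))
    print("plain MZ stub without marker:", matches_w1(b"MZ" + b"\x00" * 64))
```

Running the script shows the constructed buffer matching and either flipped byte breaking the match, which is the practical point: the rule is not a string match but a two-byte consistency check keyed on the dwords that follow the marker, so a sample only hits if the encoded header really decodes to "MZ".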