win.dilljuice

DILLJUICE

Actor(s): Stone Panda


APT10's fork of the (open-source) Quasar RAT.

References

2021-04-27, Kaspersky (GReAT): "APT trends report Q1 2021"
    Families covered: PAS, Artra Downloader, BadNews, Bozok, DILLJUICE, Kazuar, Quasar RAT, SodaMaster
2019-06-10, Cylance (Cylance Threat Research Team): "Threat Spotlight: MenuPass/QuasarRAT Backdoor"
    Families covered: DILLJUICE
Yara Rules
[TLP:WHITE] win_dilljuice_w0 (20190708 | Detection of DILLJUICE.A through its dropper)
import "pe"

rule win_dilljuice_w0 {
    meta:
        author = "FireEye"
        source = "https://www.youtube.com/watch?v=a_CYCoL81bw"
        date = "2019-07-08"
        description = "Detection of DILLJUICE.A through its dropper"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dilljuice"
        malpedia_version = "20190708"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 
        uint32(pe.rva_to_offset(0x177A0)) ^
        uint32(pe.rva_to_offset(0x177A0+8)) == 0x905A49

}
[TLP:WHITE] win_dilljuice_w1 (20190708 | Detection of DILLJUICE.B through its dropper)
rule win_dilljuice_w1 {
    meta:
        author = "FireEye"
        source = "https://www.youtube.com/watch?v=a_CYCoL81bw"
        date = "2019-07-08"
        description = "Detection of DILLJUICE.B through its dropper"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dilljuice"
        malpedia_version = "20190708"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $b = { ff 2f fa ff }
    condition:
        uint16(0) == 0x5a4d and $b and for any i in (#b):
        (((uint32(@b[i]+0x4)+uint32(@b[i]+0x8))%0xff)^uint8(@b[i]+0xc)
                == 0x4d and
        ((uint32(@b[i]+0x4)+2*uint32(@b[i]+0x8))%0xff)^uint8(@b[i]+0xd)
                == 0x5a)
}
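The w1 condition above is worth reading slowly: it is not matching a static byte pattern of the embedded payload, but recomputing part of the dropper's own unmasking arithmetic. After the 4-byte marker `ff 2f fa ff` the rule treats the next two dwords as key material (k1 at +0x4, k2 at +0x8) and checks that the two bytes at +0xC and +0xD, XORed with `(k1 + k2) % 0xff` and `(k1 + 2*k2) % 0xff`, give `MZ`. Note the modulus is 0xff (255), not a `& 0xff` mask, so a re-implementation must use modulo 255. The following Python is an added example, not code from Malpedia or FireEye: it re-implements the w1 condition so the check can be exercised outside YARA, together with a constructed sample blob (not a real DILLJUICE dropper) that satisfies it. The only thing it asserts about the malware is exactly what the rule asserts: two key bytes and two payload bytes. It does not reconstruct the rest of DILLJUICE's decryption routine, which the page does not describe.

```python
import struct

# Marker bytes from the $b string of win_dilljuice_w1.
MARKER = b"\xff\x2f\xfa\xff"


def _u32(buf: bytes, off: int) -> int:
    """Little-endian uint32 read, matching YARA's uint32()."""
    return struct.unpack_from("<I", buf, off)[0]


def dilljuice_w1_hits(data: bytes) -> list[int]:
    """Re-implementation of the win_dilljuice_w1 condition in plain Python.

    Returns the file offsets of every MARKER occurrence for which the key
    arithmetic unmasks the two bytes at +0xC/+0xD to 'M','Z'.  An empty list
    means the rule would not fire on this input.
    """
    # uint16(0) == 0x5a4d: the file itself must start with an MZ header.
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return []
    hits = []
    start = 0
    # "for any i in (#b)": evaluate the arithmetic at every marker occurrence.
    while (at := data.find(MARKER, start)) >= 0:
        start = at + 1
        if at + 0x0E > len(data):
            continue  # not enough bytes after the marker to read the operands
        k1 = _u32(data, at + 0x4)
        k2 = _u32(data, at + 0x8)
        # Modulo 0xff (255), not a byte mask: this is what the rule computes.
        b0 = ((k1 + k2) % 0xFF) ^ data[at + 0x0C]
        b1 = ((k1 + 2 * k2) % 0xFF) ^ data[at + 0x0D]
        if b0 == 0x4D and b1 == 0x5A:
            hits.append(at)
    return hits


def build_sample(k1: int, k2: int) -> bytes:
    """Constructed test blob (assumption: not a real dropper layout).

    A stub MZ header, padding, the marker, the two key dwords, then the first
    two payload bytes 'MZ' masked with the same key bytes the rule derives.
    """
    key_bytes = [(k1 + k2) % 0xFF, (k1 + 2 * k2) % 0xFF]
    masked = bytes(p ^ k for p, k in zip(b"MZ", key_bytes))
    return (
        b"MZ" + b"\x00" * 62            # 64-byte stub header
        + MARKER
        + struct.pack("<II", k1, k2)     # k1 at +0x4, k2 at +0x8
        + masked                         # masked 'M','Z' at +0xC, +0xD
        + b"\x00" * 16
    )


def corrupt_sample(k1: int, k2: int) -> bytes:
    """Same layout, but with one masked payload byte flipped: marker present,
    arithmetic fails, so the rule must not fire."""
    blob = bytearray(build_sample(k1, k2))
    blob[64 + 0x0C] ^= 0x01
    return bytes(blob)


if __name__ == "__main__":
    good = build_sample(0x11111111, 0x22222222)
    print("hits on constructed sample:", dilljuice_w1_hits(good))
    print("hits on corrupted sample:  ", dilljuice_w1_hits(corrupt_sample(0x11111111, 0x22222222)))
    print("hits on non-MZ file:       ", dilljuice_w1_hits(b"PE" + good[2:]))
```

Running this against a real candidate file is the same call: `dilljuice_w1_hits(open(path, "rb").read())`. Two practical caveats when porting YARA arithmetic this way: YARA integers are 64-bit, so `k1 + 2*k2` never wraps at 32 bits (Python's unbounded ints agree with that), and the rule only validates two bytes of the unmasked payload, so a hit is a strong hint that an MZ image is masked at that offset, not proof that the whole buffer decrypts with a `(k1 + n*k2) % 0xff` keystream.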