SYMBOLCOMMON_NAMEaka. SYNONYMS
win.disttrack (Back to overview)

DistTrack

aka: Shamoon

Actor(s): Shamoon, Magic Hound, Timberworm, COBALT GIPSY

There is no description at this point.

References
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-02-10ZDNetCatalin Cimpanu
@online{cimpanu:20200210:fbi:1904430, author = {Catalin Cimpanu}, title = {{FBI warns about ongoing attacks against software supply chain companies}}, date = {2020-02-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/}, language = {English}, urldate = {2020-02-11} } FBI warns about ongoing attacks against software supply chain companies
DistTrack Kwampirs
2019-12-21MalwareInDepthMyrtus 0x0
@online{0x0:20191221:shamoon:eb1828b, author = {Myrtus 0x0}, title = {{Shamoon 2012 Complete Analysis}}, date = {2019-12-21}, organization = {MalwareInDepth}, url = {https://malwareindepth.com/shamoon-2012/}, language = {English}, urldate = {2020-01-12} } Shamoon 2012 Complete Analysis
DistTrack
2018-12-14SymantecCritical Attack Discovery and Intelligence Team
@online{team:20181214:shamoon:1f24fa5, author = {Critical Attack Discovery and Intelligence Team}, title = {{Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail}}, date = {2018-12-14}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail}, language = {English}, urldate = {2020-04-21} } Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail
DistTrack Filerase StoneDrill OilRig
2018-12-13Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20181213:shamoon:1623fe7, author = {Robert Falcone}, title = {{Shamoon 3 Targets Oil and Gas Organization}}, date = {2018-12-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/}, language = {English}, urldate = {2020-01-10} } Shamoon 3 Targets Oil and Gas Organization
DistTrack
2017-03-26Palo Alto Networks Unit 42Robert Falcone, Bryan Lee
@online{falcone:20170326:shamoon:8a62f1a, author = {Robert Falcone and Bryan Lee}, title = {{Shamoon 2: Delivering Disttrack}}, date = {2017-03-26}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/}, language = {English}, urldate = {2019-12-20} } Shamoon 2: Delivering Disttrack
DistTrack
2017-03-14FireEyeFireEye
@online{fireeye:20170314:mtrend:0ea7d30, author = {FireEye}, title = {{M-Trend 2017: A View From the Front Lines}}, date = {2017-03-14}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2017}, language = {English}, urldate = {2020-06-03} } M-Trend 2017: A View From the Front Lines
DistTrack Powersniff FIN8
2017-02-27SymantecA L Johnson
@online{johnson:20170227:shamoon:0188f39, author = {A L Johnson}, title = {{Shamoon: Multi-staged destructive attacks limited to specific targets}}, date = {2017-02-27}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Shamoon: Multi-staged destructive attacks limited to specific targets
DistTrack MimiKatz Rocket Kitten
2017-02-05VinRansomwareGregory Paul, Shaunak
@online{paul:20170205:detailed:3a65aaf, author = {Gregory Paul and Shaunak}, title = {{Detailed threat analysis of Shamoon 2.0 Malware}}, date = {2017-02-05}, organization = {VinRansomware}, url = {http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware}, language = {English}, urldate = {2020-01-09} } Detailed threat analysis of Shamoon 2.0 Malware
DistTrack
2017-01-23SymantecSymantec Security Response
@online{response:20170123:greenbug:a118a76, author = {Symantec Security Response}, title = {{Greenbug cyberespionage group targeting Middle East, possible links to Shamoon}}, date = {2017-01-23}, organization = {Symantec}, url = {https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon}, language = {English}, urldate = {2020-04-21} } Greenbug cyberespionage group targeting Middle East, possible links to Shamoon
DistTrack ISMDoor Greenbug
2017-01-23SymantecSymantec Security Response
@online{response:20170123:greenbug:96eab4c, author = {Symantec Security Response}, title = {{Greenbug cyberespionage group targeting Middle East, possible links to Shamoon}}, date = {2017-01-23}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon}, language = {English}, urldate = {2020-01-13} } Greenbug cyberespionage group targeting Middle East, possible links to Shamoon
DistTrack ISMDoor Greenbug
2017-01-09Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20170109:second:2e36550, author = {Robert Falcone}, title = {{Second Wave of Shamoon 2 Attacks Identified}}, date = {2017-01-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/}, language = {English}, urldate = {2020-01-07} } Second Wave of Shamoon 2 Attacks Identified
DistTrack
2016-12-03Coding and SecurityCoding, Security
@online{coding:20161203:sophisticated:af2cbb4, author = {Coding and Security}, title = {{"Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis}}, date = {2016-12-03}, organization = {Coding and Security}, url = {https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis}, language = {English}, urldate = {2020-01-08} } "Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis
DistTrack
2016-11-30Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20161130:shamoon:6befcf1, author = {Robert Falcone}, title = {{Shamoon 2: Return of the Disttrack Wiper}}, date = {2016-11-30}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412}, language = {English}, urldate = {2019-12-20} } Shamoon 2: Return of the Disttrack Wiper
DistTrack
2016-11-30SymantecA L Johnson
@online{johnson:20161130:shamoon:50feb7c, author = {A L Johnson}, title = {{Shamoon: Back from the dead and destructive as ever}}, date = {2016-11-30}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Shamoon: Back from the dead and destructive as ever
DistTrack OilRig
2012-08-17Contagiodump BlogMila Parkour
@online{parkour:20120817:shamoon:efffab1, author = {Mila Parkour}, title = {{Shamoon or DistTrack.A samples}}, date = {2012-08-17}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html}, language = {English}, urldate = {2019-12-20} } Shamoon or DistTrack.A samples
DistTrack
2012-08-16Kaspersky LabsGReAT
@online{great:20120816:shamoon:143efb8, author = {GReAT}, title = {{Shamoon the Wiper – Copycats at Work}}, date = {2012-08-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/shamoon-the-wiper-copycats-at-work/}, language = {English}, urldate = {2019-12-20} } Shamoon the Wiper – Copycats at Work
DistTrack
2012-08-16SymantecSymantec Security Response
@online{response:20120816:shamoon:8f8fe97, author = {Symantec Security Response}, title = {{The Shamoon Attacks}}, date = {2012-08-16}, organization = {Symantec}, url = {https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks}, language = {English}, urldate = {2020-04-21} } The Shamoon Attacks
DistTrack OilRig
Yara Rules
[TLP:WHITE] win_disttrack_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_disttrack_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 52 6a00 6a00 6848000700 }
            // n = 4, score = 200
            //   52                   | push                edx
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6848000700           | push                0x70048

        $sequence_1 = { ff15???????? 5d 5b 8bc7 5f 5e }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx
            //   8bc7                 | mov                 eax, edi
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_2 = { ebb2 6a16 58 5e 5d c3 6a0c }
            // n = 7, score = 200
            //   ebb2                 | jmp                 0xffffffb4
            //   6a16                 | push                0x16
            //   58                   | pop                 eax
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   6a0c                 | push                0xc

        $sequence_3 = { 83c404 50 e8???????? 83c404 68???????? ff15???????? }
            // n = 6, score = 200
            //   83c404               | add                 esp, 4
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   68????????           |                     
            //   ff15????????         |                     

        $sequence_4 = { e8???????? 6a07 e8???????? 59 c3 6a10 68???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   6a07                 | push                7
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   c3                   | ret                 
            //   6a10                 | push                0x10
            //   68????????           |                     

        $sequence_5 = { 68???????? ff15???????? 8d45dc 50 ff15???????? 8b4ddc }
            // n = 6, score = 200
            //   68????????           |                     
            //   ff15????????         |                     
            //   8d45dc               | lea                 eax, [ebp - 0x24]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]

        $sequence_6 = { 8d4618 c74402e8242a4200 8b48f8 8b5104 }
            // n = 4, score = 100
            //   8d4618               | pop                 ebp
            //   c74402e8242a4200     | pop                 ebx
            //   8b48f8               | mov                 eax, edi
            //   8b5104               | pop                 edi

        $sequence_7 = { 8bce c745fc02000000 e8???????? 85c0 7524 8b8d20ffffff 8b4904 }
            // n = 7, score = 100
            //   8bce                 | pop                 esi
            //   c745fc02000000       | push                edx
            //   e8????????           |                     
            //   85c0                 | push                0
            //   7524                 | push                0
            //   8b8d20ffffff         | push                0x70048
            //   8b4904               | add                 esp, 4

        $sequence_8 = { 56 57 33f6 bf???????? 833cf5ecfd410001 751d }
            // n = 6, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   33f6                 | xor                 esi, esi
            //   bf????????           |                     
            //   833cf5ecfd410001     | cmp                 dword ptr [esi*8 + 0x41fdec], 1
            //   751d                 | jne                 0x1f

        $sequence_9 = { eb43 bb01000000 391d???????? 7e34 8d7b07 488d0d914a0100 e8???????? }
            // n = 7, score = 100
            //   eb43                 | dec                 eax
            //   bb01000000           | test                edx, edx
            //   391d????????         |                     
            //   7e34                 | je                  0x20
            //   8d7b07               | dec                 esp
            //   488d0d914a0100       | mov                 ecx, ecx
            //   e8????????           |                     

        $sequence_10 = { e8???????? 488b0d???????? 4885c9 7463 488b09 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   488b0d????????       |                     
            //   4885c9               | lea                 ecx, [esp + 0x24]
            //   7463                 | inc                 eax
            //   488b09               | mov                 ch, byte ptr [esp + 0x27]

        $sequence_11 = { e8???????? 56 ff15???????? 81c3ffff0000 6683fb30 0f87fbfeffff 8b0d???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   56                   | push                eax
            //   ff15????????         |                     
            //   81c3ffff0000         | add                 esp, 4
            //   6683fb30             | lea                 eax, [ebp - 0x24]
            //   0f87fbfeffff         | push                eax
            //   8b0d????????         |                     

        $sequence_12 = { 488b4768 4c8b0d???????? 4889442428 488d05ecf60000 8bd3 }
            // n = 5, score = 100
            //   488b4768             | dec                 eax
            //   4c8b0d????????       |                     
            //   4889442428           | mov                 eax, dword ptr [edi + 0x68]
            //   488d05ecf60000       | dec                 eax
            //   8bd3                 | mov                 dword ptr [esp + 0x28], eax

        $sequence_13 = { 8b0cb524174200 8b14b520174200 8b04b5b8044200 53 51 52 }
            // n = 6, score = 100
            //   8b0cb524174200       | mov                 ecx, dword ptr [esi*4 + 0x421724]
            //   8b14b520174200       | mov                 edx, dword ptr [esi*4 + 0x421720]
            //   8b04b5b8044200       | mov                 eax, dword ptr [esi*4 + 0x4204b8]
            //   53                   | push                ebx
            //   51                   | push                ecx
            //   52                   | push                edx

        $sequence_14 = { 83f845 7526 8b4d14 51 e8???????? }
            // n = 5, score = 100
            //   83f845               | cmp                 eax, 0x45
            //   7526                 | jne                 0x28
            //   8b4d14               | mov                 ecx, dword ptr [ebp + 0x14]
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_15 = { 8d5dfc 884dfc e8???????? 8b4df4 88440df8 }
            // n = 5, score = 100
            //   8d5dfc               | lea                 ebx, [ebp - 4]
            //   884dfc               | mov                 byte ptr [ebp - 4], cl
            //   e8????????           |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   88440df8             | mov                 byte ptr [ebp + ecx - 8], al

        $sequence_16 = { 838578feffff02 6683bd72feffff00 75df 8b8d78feffff }
            // n = 4, score = 100
            //   838578feffff02       | add                 dword ptr [ebp - 0x188], 2
            //   6683bd72feffff00     | cmp                 word ptr [ebp - 0x18e], 0
            //   75df                 | jne                 0xffffffe1
            //   8b8d78feffff         | mov                 ecx, dword ptr [ebp - 0x188]

        $sequence_17 = { 448bd0 e8???????? 488d1533fb0100 458bc7 498bcd e8???????? 478d0412 }
            // n = 7, score = 100
            //   448bd0               | dec                 eax
            //   e8????????           |                     
            //   488d1533fb0100       | lea                 eax, [0xf6ec]
            //   458bc7               | mov                 edx, ebx
            //   498bcd               | inc                 esp
            //   e8????????           |                     
            //   478d0412             | mov                 edx, eax

        $sequence_18 = { 85c0 751c 8b4c2434 8b4904 8b440c40 8d4c0c34 83c802 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   751c                 | jne                 0x1e
            //   8b4c2434             | mov                 ecx, dword ptr [esp + 0x34]
            //   8b4904               | mov                 ecx, dword ptr [ecx + 4]
            //   8b440c40             | mov                 eax, dword ptr [esp + ecx + 0x40]
            //   8d4c0c34             | lea                 ecx, [esp + ecx + 0x34]
            //   83c802               | or                  eax, 2

        $sequence_19 = { 488d4c2424 e8???????? 408a6c2427 40b701 }
            // n = 4, score = 100
            //   488d4c2424           | mov                 ecx, ebp
            //   e8????????           |                     
            //   408a6c2427           | inc                 edi
            //   40b701               | lea                 eax, [edx + edx]

        $sequence_20 = { 03d1 6bd264 443bca 751e 418bc2 }
            // n = 5, score = 100
            //   03d1                 | inc                 eax
            //   6bd264               | mov                 bh, 1
            //   443bca               | jmp                 0x52
            //   751e                 | mov                 ebx, 1
            //   418bc2               | jle                 0x4a

        $sequence_21 = { 895c2418 e8???????? 83c404 6800c80000 8bf0 53 56 }
            // n = 7, score = 100
            //   895c2418             | mov                 dword ptr [esp + 0x18], ebx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   6800c80000           | push                0xc800
            //   8bf0                 | mov                 esi, eax
            //   53                   | push                ebx
            //   56                   | push                esi

        $sequence_22 = { 4885d2 741e 4c8bc9 4585c0 7412 }
            // n = 5, score = 100
            //   4885d2               | dec                 eax
            //   741e                 | lea                 edx, [0x1fb33]
            //   4c8bc9               | inc                 ebp
            //   4585c0               | mov                 eax, edi
            //   7412                 | dec                 ecx

        $sequence_23 = { 83f8ff 7505 bf04000000 8b4c2444 8b4904 }
            // n = 5, score = 100
            //   83f8ff               | cmp                 eax, -1
            //   7505                 | jne                 7
            //   bf04000000           | mov                 edi, 4
            //   8b4c2444             | mov                 ecx, dword ptr [esp + 0x44]
            //   8b4904               | mov                 ecx, dword ptr [ecx + 4]

        $sequence_24 = { ff15???????? 8ac3 eb02 32c0 4c8d9c24e0000000 }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   8ac3                 | inc                 ebp
            //   eb02                 | test                eax, eax
            //   32c0                 | je                  0x1c
            //   4c8d9c24e0000000     | dec                 eax

        $sequence_25 = { 770f 0fbec2 0fbe8050ff4100 83e00f eb02 }
            // n = 5, score = 100
            //   770f                 | pop                 esi
            //   0fbec2               | lea                 eax, [ebp - 0x24]
            //   0fbe8050ff4100       | push                eax
            //   83e00f               | mov                 ecx, dword ptr [ebp - 0x24]
            //   eb02                 | push                ebx

    condition:
        7 of them and filesize < 1112064
}
Download all Yara Rules