SYMBOLCOMMON_NAMEaka. SYNONYMS
win.disttrack (Back to overview)

DistTrack

aka: Shamoon

Actor(s): Shamoon, Magic Hound, Timberworm, COBALT GIPSY

There is no description at this point.

References
2021-08-05SymantecThreat Hunter Team
@techreport{team:20210805:attacks:c2d7348, author = {Threat Hunter Team}, title = {{Attacks Against Critical Infrastructure: A Global Concern}}, date = {2021-08-05}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf}, language = {English}, urldate = {2021-08-06} } Attacks Against Critical Infrastructure: A Global Concern
BlackEnergy DarkSide DistTrack Stuxnet
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-02-10ZDNetCatalin Cimpanu
@online{cimpanu:20200210:fbi:1904430, author = {Catalin Cimpanu}, title = {{FBI warns about ongoing attacks against software supply chain companies}}, date = {2020-02-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/}, language = {English}, urldate = {2020-02-11} } FBI warns about ongoing attacks against software supply chain companies
DistTrack Kwampirs
2019-12-21MalwareInDepthMyrtus 0x0
@online{0x0:20191221:shamoon:eb1828b, author = {Myrtus 0x0}, title = {{Shamoon 2012 Complete Analysis}}, date = {2019-12-21}, organization = {MalwareInDepth}, url = {https://malwareindepth.com/shamoon-2012/}, language = {English}, urldate = {2020-01-12} } Shamoon 2012 Complete Analysis
DistTrack
2018-12-14SymantecCritical Attack Discovery and Intelligence Team
@online{team:20181214:shamoon:1f24fa5, author = {Critical Attack Discovery and Intelligence Team}, title = {{Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail}}, date = {2018-12-14}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail}, language = {English}, urldate = {2020-04-21} } Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail
DistTrack Filerase StoneDrill OilRig
2018-12-13Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20181213:shamoon:1623fe7, author = {Robert Falcone}, title = {{Shamoon 3 Targets Oil and Gas Organization}}, date = {2018-12-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/}, language = {English}, urldate = {2020-01-10} } Shamoon 3 Targets Oil and Gas Organization
DistTrack
2017-03-26Palo Alto Networks Unit 42Robert Falcone, Bryan Lee
@online{falcone:20170326:shamoon:8a62f1a, author = {Robert Falcone and Bryan Lee}, title = {{Shamoon 2: Delivering Disttrack}}, date = {2017-03-26}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/}, language = {English}, urldate = {2019-12-20} } Shamoon 2: Delivering Disttrack
DistTrack
2017-03-14FireEyeFireEye
@online{fireeye:20170314:mtrend:0ea7d30, author = {FireEye}, title = {{M-Trend 2017: A View From the Front Lines}}, date = {2017-03-14}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2017}, language = {English}, urldate = {2020-06-03} } M-Trend 2017: A View From the Front Lines
DistTrack Powersniff FIN8
2017-02-27SymantecA L Johnson
@online{johnson:20170227:shamoon:0188f39, author = {A L Johnson}, title = {{Shamoon: Multi-staged destructive attacks limited to specific targets}}, date = {2017-02-27}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Shamoon: Multi-staged destructive attacks limited to specific targets
DistTrack MimiKatz Rocket Kitten
2017-02-05VinRansomwareGregory Paul, Shaunak
@online{paul:20170205:detailed:3a65aaf, author = {Gregory Paul and Shaunak}, title = {{Detailed threat analysis of Shamoon 2.0 Malware}}, date = {2017-02-05}, organization = {VinRansomware}, url = {http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware}, language = {English}, urldate = {2020-01-09} } Detailed threat analysis of Shamoon 2.0 Malware
DistTrack
2017-01-23SymantecSymantec Security Response
@online{response:20170123:greenbug:a118a76, author = {Symantec Security Response}, title = {{Greenbug cyberespionage group targeting Middle East, possible links to Shamoon}}, date = {2017-01-23}, organization = {Symantec}, url = {https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon}, language = {English}, urldate = {2020-04-21} } Greenbug cyberespionage group targeting Middle East, possible links to Shamoon
DistTrack ISMDoor Greenbug
2017-01-23SymantecSymantec Security Response
@online{response:20170123:greenbug:96eab4c, author = {Symantec Security Response}, title = {{Greenbug cyberespionage group targeting Middle East, possible links to Shamoon}}, date = {2017-01-23}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon}, language = {English}, urldate = {2020-01-13} } Greenbug cyberespionage group targeting Middle East, possible links to Shamoon
DistTrack ISMDoor Greenbug
2017-01-09Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20170109:second:2e36550, author = {Robert Falcone}, title = {{Second Wave of Shamoon 2 Attacks Identified}}, date = {2017-01-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/}, language = {English}, urldate = {2020-01-07} } Second Wave of Shamoon 2 Attacks Identified
DistTrack
2016-12-03Coding and SecurityCoding, Security
@online{coding:20161203:sophisticated:af2cbb4, author = {Coding and Security}, title = {{"Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis}}, date = {2016-12-03}, organization = {Coding and Security}, url = {https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis}, language = {English}, urldate = {2020-01-08} } "Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis
DistTrack
2016-11-30Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20161130:shamoon:6befcf1, author = {Robert Falcone}, title = {{Shamoon 2: Return of the Disttrack Wiper}}, date = {2016-11-30}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412}, language = {English}, urldate = {2019-12-20} } Shamoon 2: Return of the Disttrack Wiper
DistTrack
2016-11-30SymantecA L Johnson
@online{johnson:20161130:shamoon:50feb7c, author = {A L Johnson}, title = {{Shamoon: Back from the dead and destructive as ever}}, date = {2016-11-30}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Shamoon: Back from the dead and destructive as ever
DistTrack OilRig
2012-08-17Contagiodump BlogMila Parkour
@online{parkour:20120817:shamoon:efffab1, author = {Mila Parkour}, title = {{Shamoon or DistTrack.A samples}}, date = {2012-08-17}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html}, language = {English}, urldate = {2019-12-20} } Shamoon or DistTrack.A samples
DistTrack
2012-08-16Kaspersky LabsGReAT
@online{great:20120816:shamoon:143efb8, author = {GReAT}, title = {{Shamoon the Wiper – Copycats at Work}}, date = {2012-08-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/shamoon-the-wiper-copycats-at-work/}, language = {English}, urldate = {2019-12-20} } Shamoon the Wiper – Copycats at Work
DistTrack
2012-08-16SymantecSymantec Security Response
@online{response:20120816:shamoon:8f8fe97, author = {Symantec Security Response}, title = {{The Shamoon Attacks}}, date = {2012-08-16}, organization = {Symantec}, url = {https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks}, language = {English}, urldate = {2020-04-21} } The Shamoon Attacks
DistTrack OilRig
Yara Rules
[TLP:WHITE] win_disttrack_auto (20210616 | Detects win.disttrack.)
rule win_disttrack_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.disttrack."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 58 5e 5d c3 6a0c 68???????? }
            // n = 6, score = 200
            //   58                   | pop                 eax
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   6a0c                 | push                0xc
            //   68????????           |                     

        $sequence_1 = { 53 ff15???????? 5d 5b 8bc7 5f 5e }
            // n = 7, score = 200
            //   53                   | dec                 esp
            //   ff15????????         |                     
            //   5d                   | lea                 eax, dword ptr [0xfffeb5bf]
            //   5b                   | je                  0x1c
            //   8bc7                 | jmp                 0x16
            //   5f                   | jne                 0x141
            //   5e                   | dec                 eax

        $sequence_2 = { ff15???????? 8d45dc 50 ff15???????? 8b4ddc }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   8d45dc               | arpl                word ptr [eax + 4], cx
            //   50                   | dec                 eax
            //   ff15????????         |                     
            //   8b4ddc               | lea                 eax, dword ptr [0x120b4]

        $sequence_3 = { 52 6a00 6a00 6848000700 }
            // n = 4, score = 200
            //   52                   | dec                 eax
            //   6a00                 | cmp                 ecx, eax
            //   6a00                 | je                  0x1c
            //   6848000700           | cmp                 dword ptr [ecx + 0x160], 0

        $sequence_4 = { 83c404 50 e8???????? 83c404 68???????? ff15???????? e8???????? }
            // n = 7, score = 200
            //   83c404               | dec                 eax
            //   50                   | or                  edx, 0xffffffff
            //   e8????????           |                     
            //   83c404               | cmp                 byte ptr [ebp + 0x58], 0xa
            //   68????????           |                     
            //   ff15????????         |                     
            //   e8????????           |                     

        $sequence_5 = { 57 e8???????? 6a07 e8???????? 59 c3 6a10 }
            // n = 7, score = 200
            //   57                   | push                edi
            //   e8????????           |                     
            //   6a07                 | push                7
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   c3                   | ret                 
            //   6a10                 | push                0x10

        $sequence_6 = { 8bd6 83e203 8a8a2c7a4200 8b55f4 320c16 }
            // n = 5, score = 100
            //   8bd6                 | mov                 ecx, dword ptr [ebp - 0x24]
            //   83e203               | add                 esp, 4
            //   8a8a2c7a4200         | push                eax
            //   8b55f4               | add                 esp, 4
            //   320c16               | push                ebx

        $sequence_7 = { 8d0445e40a4200 8bc8 2bce 6a03 }
            // n = 4, score = 100
            //   8d0445e40a4200       | lea                 eax, dword ptr [eax*2 + 0x420ae4]
            //   8bc8                 | mov                 ecx, eax
            //   2bce                 | sub                 ecx, esi
            //   6a03                 | push                3

        $sequence_8 = { c1fa05 c1e006 03049540174200 eb05 b8???????? f6400420 7415 }
            // n = 7, score = 100
            //   c1fa05               | sar                 edx, 5
            //   c1e006               | shl                 eax, 6
            //   03049540174200       | add                 eax, dword ptr [edx*4 + 0x421740]
            //   eb05                 | jmp                 7
            //   b8????????           |                     
            //   f6400420             | test                byte ptr [eax + 4], 0x20
            //   7415                 | je                  0x17

        $sequence_9 = { 41b801000000 4883caff e8???????? 807d580a 4c8d05bfb5feff 740f eb07 }
            // n = 7, score = 100
            //   41b801000000         | mov                 eax, ebx
            //   4883caff             | dec                 eax
            //   e8????????           |                     
            //   807d580a             | lea                 edx, dword ptr [0x1fb33]
            //   4c8d05bfb5feff       | inc                 ebp
            //   740f                 | mov                 eax, edi
            //   eb07                 | dec                 ecx

        $sequence_10 = { 488bcd 4889442420 e8???????? 4c8d2dcef50000 4c8d7768 4c8d05c7f60000 }
            // n = 6, score = 100
            //   488bcd               | dec                 eax
            //   4889442420           | mov                 ecx, ebp
            //   e8????????           |                     
            //   4c8d2dcef50000       | dec                 eax
            //   4c8d7768             | mov                 dword ptr [esp + 0x20], eax
            //   4c8d05c7f60000       | dec                 esp

        $sequence_11 = { 4885ff 744a 488d4c2430 e8???????? 488d15ee520100 448bc3 }
            // n = 6, score = 100
            //   4885ff               | lea                 eax, dword ptr [0xf6c7]
            //   744a                 | dec                 eax
            //   488d4c2430           | lea                 eax, dword ptr [0x13ede]
            //   e8????????           |                     
            //   488d15ee520100       | dec                 eax
            //   448bc3               | add                 ecx, ecx

        $sequence_12 = { 0f853b010000 488d2dffd00100 c605????????00 488bcd ff15???????? e8???????? 8bc8 }
            // n = 7, score = 100
            //   0f853b010000         | mov                 ecx, ebp
            //   488d2dffd00100       | dec                 eax
            //   c605????????00       |                     
            //   488bcd               | mov                 ecx, edx
            //   ff15????????         |                     
            //   e8????????           |                     
            //   8bc8                 | dec                 esp

        $sequence_13 = { 488d05de3e0100 4803c9 488b0cc8 48ff25???????? 48895c2408 }
            // n = 5, score = 100
            //   488d05de3e0100       | lea                 ebp, dword ptr [0xf5ce]
            //   4803c9               | dec                 esp
            //   488b0cc8             | lea                 esi, dword ptr [edi + 0x68]
            //   48ff25????????       |                     
            //   48895c2408           | dec                 esp

        $sequence_14 = { 2bc1 03c2 c1fb05 83e61f 8d1c9d40174200 894508 }
            // n = 6, score = 100
            //   2bc1                 | sub                 eax, ecx
            //   03c2                 | add                 eax, edx
            //   c1fb05               | sar                 ebx, 5
            //   83e61f               | and                 esi, 0x1f
            //   8d1c9d40174200       | lea                 ebx, dword ptr [ebx*4 + 0x421740]
            //   894508               | mov                 dword ptr [ebp + 8], eax

        $sequence_15 = { 57 ff15???????? 8bf0 85f6 7405 83feff }
            // n = 6, score = 100
            //   57                   | push                0
            //   ff15????????         |                     
            //   8bf0                 | push                0
            //   85f6                 | push                0x70048
            //   7405                 | lea                 eax, dword ptr [ebp - 0x24]
            //   83feff               | push                eax

        $sequence_16 = { 8d55a0 52 8d4dd0 e8???????? 8bc8 }
            // n = 5, score = 100
            //   8d55a0               | pop                 ebp
            //   52                   | pop                 ebx
            //   8d4dd0               | mov                 eax, edi
            //   e8????????           |                     
            //   8bc8                 | pop                 edi

        $sequence_17 = { 488d05b4200100 483bc8 741a 83b96001000000 7511 e8???????? }
            // n = 6, score = 100
            //   488d05b4200100       | dec                 eax
            //   483bc8               | lea                 ecx, dword ptr [esp + 0x30]
            //   741a                 | dec                 eax
            //   83b96001000000       | lea                 edx, dword ptr [0x152ee]
            //   7511                 | inc                 esp
            //   e8????????           |                     

        $sequence_18 = { e8???????? 488d1533fb0100 458bc7 498bcd e8???????? }
            // n = 5, score = 100
            //   e8????????           |                     
            //   488d1533fb0100       | dec                 eax
            //   458bc7               | mov                 ecx, dword ptr [eax + ecx*8]
            //   498bcd               | dec                 eax
            //   e8????????           |                     

        $sequence_19 = { 8d8dd0f9ffff e9???????? 8db588faffff e9???????? 8d8db8f9ffff e9???????? 8db5a4faffff }
            // n = 7, score = 100
            //   8d8dd0f9ffff         | lea                 eax, dword ptr [ebp - 0x24]
            //   e9????????           |                     
            //   8db588faffff         | push                eax
            //   e9????????           |                     
            //   8d8db8f9ffff         | mov                 ecx, dword ptr [ebp - 0x24]
            //   e9????????           |                     
            //   8db5a4faffff         | push                edx

        $sequence_20 = { 488bca e8???????? 4c8be8 4c8b06 4d634804 }
            // n = 5, score = 100
            //   488bca               | mov                 dword ptr [esp + 8], ebx
            //   e8????????           |                     
            //   4c8be8               | dec                 eax
            //   4c8b06               | test                edi, edi
            //   4d634804             | je                  0x4f

        $sequence_21 = { 8bec 8b4508 56 8d34c5f8664200 }
            // n = 4, score = 100
            //   8bec                 | pop                 ebp
            //   8b4508               | pop                 ebx
            //   56                   | mov                 eax, edi
            //   8d34c5f8664200       | pop                 edi

        $sequence_22 = { ff15???????? 6a64 68???????? ff15???????? 8b4d08 83f902 0f8ca3020000 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   6a64                 | push                0x64
            //   68????????           |                     
            //   ff15????????         |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   83f902               | cmp                 ecx, 2
            //   0f8ca3020000         | jl                  0x2a9

        $sequence_23 = { 8b5104 8d8c15c4feffff e8???????? 0fb6c0 }
            // n = 4, score = 100
            //   8b5104               | pop                 esi
            //   8d8c15c4feffff       | add                 esp, 4
            //   e8????????           |                     
            //   0fb6c0               | push                eax

        $sequence_24 = { 5d c3 8b04cd24fc4100 5d }
            // n = 4, score = 100
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b04cd24fc4100       | mov                 eax, dword ptr [ecx*8 + 0x41fc24]
            //   5d                   | pop                 ebp

        $sequence_25 = { 7414 8bc8 83e01f c1f905 c1e006 03048d40174200 }
            // n = 6, score = 100
            //   7414                 | je                  0x16
            //   8bc8                 | mov                 ecx, eax
            //   83e01f               | and                 eax, 0x1f
            //   c1f905               | sar                 ecx, 5
            //   c1e006               | shl                 eax, 6
            //   03048d40174200       | add                 eax, dword ptr [ecx*4 + 0x421740]

    condition:
        7 of them and filesize < 1112064
}
Download all Yara Rules