win.disttrack

DistTrack

aka: Shamoon

Actor(s): Shamoon, Magic Hound, Timberworm, COBALT GIPSY


There is no description at this point.

References
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
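@techreport{center:20200213:report:146d333,
  author      = {{Qi Anxin Threat Intelligence Center}},
  title       = {{APT} Report 2019},
  date        = {2020-02-13},
  institution = {Qianxin},
  url         = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf},
  language    = {English},
  urldate     = {2020-02-27},
} APT Report 2019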
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-02-10 | ZDNet | Catalin Cimpanu
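@online{cimpanu:20200210:fbi:1904430,
  author       = {Cimpanu, Catalin},
  title        = {{FBI} warns about ongoing attacks against software supply chain companies},
  date         = {2020-02-10},
  organization = {ZDNet},
  url          = {https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/},
  language     = {English},
  urldate      = {2020-02-11},
} FBI warns about ongoing attacks against software supply chain companies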
DistTrack Kwampirs
2019-12-21 | MalwareInDepth | Myrtus 0x0
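@online{0x0:20191221:shamoon:eb1828b,
  author       = {{Myrtus 0x0}},
  title        = {{Shamoon} 2012 Complete Analysis},
  date         = {2019-12-21},
  organization = {MalwareInDepth},
  url          = {https://malwareindepth.com/shamoon-2012/},
  language     = {English},
  urldate      = {2020-01-12},
} Shamoon 2012 Complete Analysis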
DistTrack
2018-12-14 | Symantec | Critical Attack Discovery and Intelligence Team
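@online{team:20181214:shamoon:1f24fa5,
  author       = {{Critical Attack Discovery and Intelligence Team}},
  title        = {{Shamoon}: Destructive Threat Re-Emerges with New Sting in its Tail},
  date         = {2018-12-14},
  organization = {Symantec},
  url          = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail},
  language     = {English},
  urldate      = {2020-04-21},
} Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail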
DistTrack Filerase StoneDrill OilRig
2018-12-13 | Palo Alto Networks Unit 42 | Robert Falcone
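@online{falcone:20181213:shamoon:1623fe7,
  author       = {Falcone, Robert},
  title        = {{Shamoon} 3 Targets Oil and Gas Organization},
  date         = {2018-12-13},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/},
  language     = {English},
  urldate      = {2020-01-10},
} Shamoon 3 Targets Oil and Gas Organization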
DistTrack
2017-03-26 | Palo Alto Networks Unit 42 | Robert Falcone, Bryan Lee
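@online{falcone:20170326:shamoon:8a62f1a,
  author       = {Falcone, Robert and Lee, Bryan},
  title        = {{Shamoon} 2: Delivering {Disttrack}},
  date         = {2017-03-26},
  organization = {Palo Alto Networks Unit 42},
  url          = {http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/},
  language     = {English},
  urldate      = {2019-12-20},
} Shamoon 2: Delivering Disttrack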
DistTrack
2017-03-14 | FireEye | FireEye
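@online{fireeye:20170314:mtrend:0ea7d30,
  author       = {{FireEye}},
  title        = {{M-Trend} 2017: A View From the Front Lines},
  date         = {2017-03-14},
  organization = {FireEye},
  url          = {https://content.fireeye.com/m-trends/rpt-m-trends-2017},
  language     = {English},
  urldate      = {2020-06-03},
} M-Trend 2017: A View From the Front Lines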
DistTrack Powersniff FIN8
2017-02-27 | Symantec | A L Johnson
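@online{johnson:20170227:shamoon:0188f39,
  author       = {Johnson, A. L.},
  title        = {{Shamoon}: Multi-staged destructive attacks limited to specific targets},
  date         = {2017-02-27},
  organization = {Symantec},
  url          = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments},
  language     = {English},
  urldate      = {2020-04-21},
} Shamoon: Multi-staged destructive attacks limited to specific targets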
DistTrack MimiKatz Rocket Kitten
2017-02-05 | VinRansomware | Gregory Paul, Shaunak
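@online{paul:20170205:detailed:3a65aaf,
  author       = {Paul, Gregory and Shaunak},
  title        = {Detailed threat analysis of {Shamoon} 2.0 Malware},
  date         = {2017-02-05},
  organization = {VinRansomware},
  url          = {http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware},
  language     = {English},
  urldate      = {2020-01-09},
} Detailed threat analysis of Shamoon 2.0 Malware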
DistTrack
2017-01-23 | Symantec | Symantec Security Response
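@online{response:20170123:greenbug:a118a76,
  author        = {{Symantec Security Response}},
  title         = {{Greenbug} cyberespionage group targeting {Middle East}, possible links to {Shamoon}},
  date          = {2017-01-23},
  organization  = {Symantec},
  url           = {https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon},
  language      = {English},
  urldate       = {2020-04-21},
  internal-note = {web.archive.org snapshot of the same post that response:20170123:greenbug:96eab4c cites by its live URL; kept as the stable copy},
} Greenbug cyberespionage group targeting Middle East, possible links to Shamoon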
DistTrack ISMDoor Greenbug
2017-01-23 | Symantec | Symantec Security Response
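@online{response:20170123:greenbug:96eab4c,
  author        = {{Symantec Security Response}},
  title         = {{Greenbug} cyberespionage group targeting {Middle East}, possible links to {Shamoon}},
  date          = {2017-01-23},
  organization  = {Symantec},
  url           = {https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon},
  language      = {English},
  urldate       = {2020-01-13},
  internal-note = {live URL of the post; an archived snapshot is filed as response:20170123:greenbug:a118a76},
} Greenbug cyberespionage group targeting Middle East, possible links to Shamoon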
DistTrack ISMDoor Greenbug
2017-01-09 | Palo Alto Networks Unit 42 | Robert Falcone
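@online{falcone:20170109:second:2e36550,
  author       = {Falcone, Robert},
  title        = {Second Wave of {Shamoon} 2 Attacks Identified},
  date         = {2017-01-09},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/},
  language     = {English},
  urldate      = {2020-01-07},
} Second Wave of Shamoon 2 Attacks Identified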
DistTrack
2016-12-03 | Coding and Security | Coding, Security
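@online{coding:20161203:sophisticated:af2cbb4,
  author       = {{Coding and Security}},
  title        = {``Sophisticated'' and ``Genius'' {Shamoon} 2.0 Malware Analysis},
  date         = {2016-12-03},
  organization = {Coding and Security},
  url          = {https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis},
  language     = {English},
  urldate      = {2020-01-08},
} "Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis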
DistTrack
2016-11-30 | Palo Alto Networks Unit 42 | Robert Falcone
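@online{falcone:20161130:shamoon:6befcf1,
  author       = {Falcone, Robert},
  title        = {{Shamoon} 2: Return of the {Disttrack} Wiper},
  date         = {2016-11-30},
  organization = {Palo Alto Networks Unit 42},
  url          = {http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412},
  language     = {English},
  urldate      = {2019-12-20},
} Shamoon 2: Return of the Disttrack Wiper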
DistTrack
2016-11-30 | Symantec | A L Johnson
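@online{johnson:20161130:shamoon:50feb7c,
  author       = {Johnson, A. L.},
  title        = {{Shamoon}: Back from the dead and destructive as ever},
  date         = {2016-11-30},
  organization = {Symantec},
  url          = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments},
  language     = {English},
  urldate      = {2020-04-21},
} Shamoon: Back from the dead and destructive as ever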
DistTrack OilRig
2012-08-17 | Contagiodump Blog | Mila Parkour
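@online{parkour:20120817:shamoon:efffab1,
  author       = {Parkour, Mila},
  title        = {{Shamoon} or {DistTrack.A} samples},
  date         = {2012-08-17},
  organization = {Contagiodump Blog},
  url          = {http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html},
  language     = {English},
  urldate      = {2019-12-20},
} Shamoon or DistTrack.A samples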
DistTrack
2012-08-16 | Kaspersky Labs | GReAT
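@online{great:20120816:shamoon:143efb8,
  author       = {{GReAT}},
  title        = {{Shamoon} the Wiper -- Copycats at Work},
  date         = {2012-08-16},
  organization = {Kaspersky Labs},
  url          = {https://securelist.com/shamoon-the-wiper-copycats-at-work/},
  language     = {English},
  urldate      = {2019-12-20},
} Shamoon the Wiper – Copycats at Work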
DistTrack
2012-08-16 | Symantec | Symantec Security Response
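@online{response:20120816:shamoon:8f8fe97,
  author       = {{Symantec Security Response}},
  title        = {The {Shamoon} Attacks},
  date         = {2012-08-16},
  organization = {Symantec},
  url          = {https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks},
  language     = {English},
  urldate      = {2020-04-21},
} The Shamoon Attacks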
DistTrack OilRig
Yara Rules
[TLP:WHITE] win_disttrack_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_disttrack_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (not part of the generator output)
     * - Only the hex strings and the condition decide a match; every "//"
     *   disassembly line below is an annotation and has no effect on matching.
     * - The sequences whose bytes carry 0x44/0x48/0x49/0x4a prefixes
     *   ($sequence_9, _10, _12, _13, _17, _21, _22, _25) decode coherently
     *   only as 64-bit code (REX prefixes); the generator annotated them as
     *   32-bit. Those annotations, and the 32-bit annotations on $sequence_11,
     *   _15, _23 and _24 that did not correspond to the listed bytes, have
     *   been replaced with a decoding of the bytes actually listed.
     * - Per the disclaimer the sequences were taken from memory dumps and
     *   unpacked files, so expect hits on unpacked samples and dumps rather
     *   than on packed on-disk files.
     * - The `filesize < 1112064` clause applies to file scans; YARA documents
     *   filesize as a file-scan variable, so check how this rule behaves in
     *   process-memory scans before relying on it there.
     * - "n" is the number of instructions in a sequence; "score" is
     *   yara-signator's ranking for it (tool-specific, see the project above).
     * - malpedia_hash / malpedia_version look like identifiers of the Malpedia
     *   data snapshot used for generation, not a sample hash -- confirm with
     *   the Malpedia documentation before treating either as an IoC.
     */


    strings:
        $sequence_0 = { 53 ff15???????? 5d 5b 8bc7 5f 5e }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx
            //   8bc7                 | mov                 eax, edi
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_1 = { 68???????? ff15???????? 8d45dc 50 ff15???????? 8b4ddc }
            // n = 6, score = 200
            //   68????????           |                     
            //   ff15????????         |                     
            //   8d45dc               | lea                 eax, [ebp - 0x24]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]

        $sequence_2 = { e8???????? 6a07 e8???????? 59 c3 6a10 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   6a07                 | push                7
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   c3                   | ret                 
            //   6a10                 | push                0x10

        $sequence_3 = { 83c404 50 e8???????? 83c404 68???????? ff15???????? e8???????? }
            // n = 7, score = 200
            //   83c404               | add                 esp, 4
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   68????????           |                     
            //   ff15????????         |                     
            //   e8????????           |                     

        $sequence_4 = { 52 6a00 6a00 6848000700 }
            // n = 4, score = 200
            //   52                   | push                edx
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6848000700           | push                0x70048

        $sequence_5 = { 58 5e 5d c3 6a0c }
            // n = 5, score = 200
            //   58                   | pop                 eax
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   6a0c                 | push                0xc

        $sequence_6 = { 47 897e14 897e70 c686c800000043 c6864b01000043 c74668a0f44100 }
            // n = 6, score = 100
            //   47                   | inc                 edi
            //   897e14               | mov                 dword ptr [esi + 0x14], edi
            //   897e70               | mov                 dword ptr [esi + 0x70], edi
            //   c686c800000043       | mov                 byte ptr [esi + 0xc8], 0x43
            //   c6864b01000043       | mov                 byte ptr [esi + 0x14b], 0x43
            //   c74668a0f44100       | mov                 dword ptr [esi + 0x68], 0x41f4a0

        $sequence_7 = { 8b4d0c 51 8b5508 52 8b4dfc 83c118 e8???????? }
            // n = 7, score = 100
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   51                   | push                ecx
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   52                   | push                edx
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   83c118               | add                 ecx, 0x18
            //   e8????????           |                     

        $sequence_8 = { 53 57 50 8d4c2450 51 e8???????? }
            // n = 6, score = 100
            //   53                   | push                ebx
            //   57                   | push                edi
            //   50                   | push                eax
            //   8d4c2450             | lea                 ecx, [esp + 0x50]
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_9 = { 8905???????? 488d059a140100 4889442458 e8???????? }
            // n = 4, score = 100  (64-bit code; annotations re-decoded in review)
            //   8905????????         |                     
            //   488d059a140100       | lea                 rax, [rip + 0x1149a]
            //   4889442458           | mov                 qword ptr [rsp + 0x58], rax
            //   e8????????           |                     

        $sequence_10 = { 448d4602 488d15825a0100 448bd8 4a8d4c5de4 e8???????? }
            // n = 5, score = 100  (64-bit code; annotations re-decoded in review)
            //   448d4602             | lea                 r8d, [rsi + 2]
            //   488d15825a0100       | lea                 rdx, [rip + 0x15a82]
            //   448bd8               | mov                 r11d, eax
            //   4a8d4c5de4           | lea                 rcx, [rbp + r11*2 - 0x1c]
            //   e8????????           |                     

        $sequence_11 = { 8bca c1e91f 43 83c71c 03ca }
            // n = 5, score = 100  (annotations re-decoded in review)
            //   8bca                 | mov                 ecx, edx
            //   c1e91f               | shr                 ecx, 0x1f
            //   43                   | inc                 ebx
            //   83c71c               | add                 edi, 0x1c
            //   03ca                 | add                 ecx, edx

        $sequence_12 = { 33d2 488d4dd0 e8???????? 488d5dd0 48837de810 480f435dd0 488d0dfb5e0100 }
            // n = 7, score = 100  (64-bit code; annotations re-decoded in review)
            //   33d2                 | xor                 edx, edx
            //   488d4dd0             | lea                 rcx, [rbp - 0x30]
            //   e8????????           |                     
            //   488d5dd0             | lea                 rbx, [rbp - 0x30]
            //   48837de810           | cmp                 qword ptr [rbp - 0x18], 0x10
            //   480f435dd0           | cmovae              rbx, qword ptr [rbp - 0x30]
            //   488d0dfb5e0100       | lea                 rcx, [rip + 0x15efb]

        $sequence_13 = { 488bc3 488d1517590100 48c1f805 83e11f }
            // n = 4, score = 100  (64-bit code; annotations re-decoded in review)
            //   488bc3               | mov                 rax, rbx
            //   488d1517590100       | lea                 rdx, [rip + 0x15917]
            //   48c1f805             | sar                 rax, 5
            //   83e11f               | and                 ecx, 0x1f

        $sequence_14 = { 0f84a0010000 8da42400000000 8b4508 0fb610 ff4d0c }
            // n = 5, score = 100
            //   0f84a0010000         | je                  0x1a6
            //   8da42400000000       | lea                 esp, [esp]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   0fb610               | movzx               edx, byte ptr [eax]
            //   ff4d0c               | dec                 dword ptr [ebp + 0xc]

        $sequence_15 = { e8???????? ebd1 8bc8 c1f905 8d3c8da08d4200 }
            // n = 5, score = 100  (annotations re-decoded in review)
            //   e8????????           |                     
            //   ebd1                 | jmp                 0xffffffd3
            //   8bc8                 | mov                 ecx, eax
            //   c1f905               | sar                 ecx, 5
            //   8d3c8da08d4200       | lea                 edi, [ecx*4 + 0x428da0]

        $sequence_16 = { a1???????? 50 8b4df0 51 ff15???????? 85c0 }
            // n = 6, score = 100
            //   a1????????           |                     
            //   50                   | push                eax
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_17 = { e8???????? be01000000 4883630800 488d05cf450100 488903 488d4c2428 }
            // n = 6, score = 100  (64-bit code; annotations re-decoded in review)
            //   e8????????           |                     
            //   be01000000           | mov                 esi, 1
            //   4883630800           | and                 qword ptr [rbx + 8], 0
            //   488d05cf450100       | lea                 rax, [rip + 0x145cf]
            //   488903               | mov                 qword ptr [rbx], rax
            //   488d4c2428           | lea                 rcx, [rsp + 0x28]

        $sequence_18 = { 6a00 ff15???????? 6888130000 ff15???????? 8b442410 }
            // n = 5, score = 100
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   6888130000           | push                0x1388
            //   ff15????????         |                     
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]

        $sequence_19 = { ff15???????? 85c0 0f84b4000000 8b442418 3bc3 0f84a8000000 395c2414 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f84b4000000         | je                  0xba
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   3bc3                 | cmp                 eax, ebx
            //   0f84a8000000         | je                  0xae
            //   395c2414             | cmp                 dword ptr [esp + 0x14], ebx

        $sequence_20 = { 83e001 0f8412000000 83a588fcfffffe 8d8d00fdffff e9???????? c3 8d8d50fdffff }
            // n = 7, score = 100
            //   83e001               | and                 eax, 1
            //   0f8412000000         | je                  0x18
            //   83a588fcfffffe       | and                 dword ptr [ebp - 0x378], 0xfffffffe
            //   8d8d00fdffff         | lea                 ecx, [ebp - 0x300]
            //   e9????????           |                     
            //   c3                   | ret                 
            //   8d8d50fdffff         | lea                 ecx, [ebp - 0x2b0]

        $sequence_21 = { 4889440ae8 488b41f8 48635004 488d052d520100 4889440af8 488b41e8 48635004 }
            // n = 7, score = 100  (64-bit code; annotations re-decoded in review)
            //   4889440ae8           | mov                 qword ptr [rdx + rcx - 0x18], rax
            //   488b41f8             | mov                 rax, qword ptr [rcx - 8]
            //   48635004             | movsxd              rdx, dword ptr [rax + 4]
            //   488d052d520100       | lea                 rax, [rip + 0x1522d]
            //   4889440af8           | mov                 qword ptr [rdx + rcx - 8], rax
            //   488b41e8             | mov                 rax, qword ptr [rcx - 0x18]
            //   48635004             | movsxd              rdx, dword ptr [rax + 4]

        $sequence_22 = { 4883ec30 8bd9 488d35a7220100 488bce e8???????? 83fb01 0f853b010000 }
            // n = 7, score = 100  (64-bit code; annotations re-decoded in review)
            //   4883ec30             | sub                 rsp, 0x30
            //   8bd9                 | mov                 ebx, ecx
            //   488d35a7220100       | lea                 rsi, [rip + 0x122a7]
            //   488bce               | mov                 rcx, rsi
            //   e8????????           |                     
            //   83fb01               | cmp                 ebx, 1
            //   0f853b010000         | jne                 0x141

        $sequence_23 = { 8bec 56 8d71e8 8b0e 8b5104 8d4618 c74402e8242a4200 }
            // n = 7, score = 100  (annotations re-decoded in review)
            //   8bec                 | mov                 ebp, esp
            //   56                   | push                esi
            //   8d71e8               | lea                 esi, [ecx - 0x18]
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   8b5104               | mov                 edx, dword ptr [ecx + 4]
            //   8d4618               | lea                 eax, [esi + 0x18]
            //   c74402e8242a4200     | mov                 dword ptr [edx + eax - 0x18], 0x422a24

        $sequence_24 = { 57 8d7df4 e8???????? 8b00 5e 8903 }
            // n = 6, score = 100  (annotations re-decoded in review)
            //   57                   | push                edi
            //   8d7df4               | lea                 edi, [ebp - 0xc]
            //   e8????????           |                     
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   5e                   | pop                 esi
            //   8903                 | mov                 dword ptr [ebx], eax

        $sequence_25 = { 6644892456 e8???????? 498bd5 448d0400 }
            // n = 4, score = 100  (64-bit code; annotations re-decoded in review)
            //   6644892456           | mov                 word ptr [rsi + rdx*2], r12w
            //   e8????????           |                     
            //   498bd5               | mov                 rdx, r13
            //   448d0400             | lea                 r8d, [rax + rax]

    condition:
        // 7 of the 26 sequences must be present in a file smaller than 1112064 bytes;
        // with 32-bit and 64-bit sequences mixed, a single build is only expected to
        // contribute hits from its own architecture's subset.
        7 of them and filesize < 1112064
}