SYMBOLCOMMON_NAMEaka. SYNONYMS
win.disttrack (Back to overview)

DistTrack

aka: Shamoon

Actor(s): Shamoon, Magic Hound, Timberworm, COBALT GIPSY

There is no description at this point.

References
2021-08-05SymantecThreat Hunter Team
@techreport{team:20210805:attacks:c2d7348, author = {Threat Hunter Team}, title = {{Attacks Against Critical Infrastructure: A Global Concern}}, date = {2021-08-05}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf}, language = {English}, urldate = {2021-08-06} } Attacks Against Critical Infrastructure: A Global Concern
BlackEnergy DarkSide DistTrack Stuxnet
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-02-10ZDNetCatalin Cimpanu
@online{cimpanu:20200210:fbi:1904430, author = {Catalin Cimpanu}, title = {{FBI warns about ongoing attacks against software supply chain companies}}, date = {2020-02-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/}, language = {English}, urldate = {2020-02-11} } FBI warns about ongoing attacks against software supply chain companies
DistTrack Kwampirs
2019-12-21MalwareInDepthMyrtus 0x0
@online{0x0:20191221:shamoon:eb1828b, author = {Myrtus 0x0}, title = {{Shamoon 2012 Complete Analysis}}, date = {2019-12-21}, organization = {MalwareInDepth}, url = {https://malwareindepth.com/shamoon-2012/}, language = {English}, urldate = {2020-01-12} } Shamoon 2012 Complete Analysis
DistTrack
2018-12-14SymantecCritical Attack Discovery and Intelligence Team
@online{team:20181214:shamoon:1f24fa5, author = {Critical Attack Discovery and Intelligence Team}, title = {{Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail}}, date = {2018-12-14}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail}, language = {English}, urldate = {2020-04-21} } Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail
DistTrack Filerase StoneDrill OilRig
2018-12-13Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20181213:shamoon:1623fe7, author = {Robert Falcone}, title = {{Shamoon 3 Targets Oil and Gas Organization}}, date = {2018-12-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/}, language = {English}, urldate = {2020-01-10} } Shamoon 3 Targets Oil and Gas Organization
DistTrack
2017-03-26Palo Alto Networks Unit 42Robert Falcone, Bryan Lee
@online{falcone:20170326:shamoon:8a62f1a, author = {Robert Falcone and Bryan Lee}, title = {{Shamoon 2: Delivering Disttrack}}, date = {2017-03-26}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/}, language = {English}, urldate = {2019-12-20} } Shamoon 2: Delivering Disttrack
DistTrack
2017-03-14FireEyeFireEye
@online{fireeye:20170314:mtrend:0ea7d30, author = {FireEye}, title = {{M-Trend 2017: A View From the Front Lines}}, date = {2017-03-14}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2017}, language = {English}, urldate = {2020-06-03} } M-Trend 2017: A View From the Front Lines
DistTrack Powersniff FIN8
2017-02-27SymantecA L Johnson
@online{johnson:20170227:shamoon:0188f39, author = {A L Johnson}, title = {{Shamoon: Multi-staged destructive attacks limited to specific targets}}, date = {2017-02-27}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Shamoon: Multi-staged destructive attacks limited to specific targets
DistTrack MimiKatz Rocket Kitten
2017-02-05VinRansomwareGregory Paul, Shaunak
@online{paul:20170205:detailed:3a65aaf, author = {Gregory Paul and Shaunak}, title = {{Detailed threat analysis of Shamoon 2.0 Malware}}, date = {2017-02-05}, organization = {VinRansomware}, url = {http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware}, language = {English}, urldate = {2020-01-09} } Detailed threat analysis of Shamoon 2.0 Malware
DistTrack
2017-01-23SymantecSymantec Security Response
@online{response:20170123:greenbug:a118a76, author = {Symantec Security Response}, title = {{Greenbug cyberespionage group targeting Middle East, possible links to Shamoon}}, date = {2017-01-23}, organization = {Symantec}, url = {https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon}, language = {English}, urldate = {2020-04-21} } Greenbug cyberespionage group targeting Middle East, possible links to Shamoon
DistTrack ISMDoor Greenbug
2017-01-23SymantecSymantec Security Response
@online{response:20170123:greenbug:96eab4c, author = {Symantec Security Response}, title = {{Greenbug cyberespionage group targeting Middle East, possible links to Shamoon}}, date = {2017-01-23}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon}, language = {English}, urldate = {2020-01-13} } Greenbug cyberespionage group targeting Middle East, possible links to Shamoon
DistTrack ISMDoor Greenbug
2017-01-09Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20170109:second:2e36550, author = {Robert Falcone}, title = {{Second Wave of Shamoon 2 Attacks Identified}}, date = {2017-01-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/}, language = {English}, urldate = {2020-01-07} } Second Wave of Shamoon 2 Attacks Identified
DistTrack
2016-12-03Coding and SecurityCoding, Security
@online{coding:20161203:sophisticated:af2cbb4, author = {Coding and Security}, title = {{"Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis}}, date = {2016-12-03}, organization = {Coding and Security}, url = {https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis}, language = {English}, urldate = {2020-01-08} } "Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis
DistTrack
2016-11-30Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20161130:shamoon:6befcf1, author = {Robert Falcone}, title = {{Shamoon 2: Return of the Disttrack Wiper}}, date = {2016-11-30}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412}, language = {English}, urldate = {2019-12-20} } Shamoon 2: Return of the Disttrack Wiper
DistTrack
2016-11-30SymantecA L Johnson
@online{johnson:20161130:shamoon:50feb7c, author = {A L Johnson}, title = {{Shamoon: Back from the dead and destructive as ever}}, date = {2016-11-30}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Shamoon: Back from the dead and destructive as ever
DistTrack OilRig
2012-08-17Contagiodump BlogMila Parkour
@online{parkour:20120817:shamoon:efffab1, author = {Mila Parkour}, title = {{Shamoon or DistTrack.A samples}}, date = {2012-08-17}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html}, language = {English}, urldate = {2019-12-20} } Shamoon or DistTrack.A samples
DistTrack
2012-08-16Kaspersky LabsGReAT
@online{great:20120816:shamoon:143efb8, author = {GReAT}, title = {{Shamoon the Wiper – Copycats at Work}}, date = {2012-08-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/shamoon-the-wiper-copycats-at-work/}, language = {English}, urldate = {2019-12-20} } Shamoon the Wiper – Copycats at Work
DistTrack
2012-08-16SymantecSymantec Security Response
@online{response:20120816:shamoon:8f8fe97, author = {Symantec Security Response}, title = {{The Shamoon Attacks}}, date = {2012-08-16}, organization = {Symantec}, url = {https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks}, language = {English}, urldate = {2020-04-21} } The Shamoon Attacks
DistTrack OilRig
Yara Rules
[TLP:WHITE] win_disttrack_auto (20211008 | Detects win.disttrack.)
rule win_disttrack_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.disttrack."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 53 ff15???????? 5d 5b 8bc7 5f 5e }
            // n = 7, score = 200
            //   53                   | inc                 ecx
            //   ff15????????         |                     
            //   5d                   | mov                 eax, 4
            //   5b                   | inc                 ecx
            //   8bc7                 | mov                 ecx, eax
            //   5f                   | jmp                 0x78
            //   5e                   | inc                 bp

        $sequence_1 = { 58 5e 5d c3 6a0c 68???????? e8???????? }
            // n = 7, score = 200
            //   58                   | pop                 eax
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   6a0c                 | push                0xc
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_2 = { ff15???????? 8d45dc 50 ff15???????? 8b4ddc }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   8d45dc               | test                eax, eax
            //   50                   | je                  0x28
            //   ff15????????         |                     
            //   8b4ddc               | movzx               eax, word ptr [ecx]

        $sequence_3 = { e8???????? 6a07 e8???????? 59 c3 6a10 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   6a07                 | push                7
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   c3                   | ret                 
            //   6a10                 | push                0x10

        $sequence_4 = { 83c404 50 e8???????? 83c404 68???????? ff15???????? }
            // n = 6, score = 200
            //   83c404               | dec                 eax
            //   50                   | lea                 edx, dword ptr [0x1babd]
            //   e8????????           |                     
            //   83c404               | dec                 eax
            //   68????????           |                     
            //   ff15????????         |                     

        $sequence_5 = { 52 6a00 6a00 6848000700 }
            // n = 4, score = 200
            //   52                   | lea                 ecx, dword ptr [ebp - 0x30]
            //   6a00                 | dec                 eax
            //   6a00                 | mov                 dword ptr [ebp - 0x30], eax
            //   6848000700           | movdqu              xmmword ptr [ebp - 0x18], xmm5

        $sequence_6 = { 488d542438 488bd9 e8???????? 4c8d1db21b0100 }
            // n = 4, score = 100
            //   488d542438           | dec                 eax
            //   488bd9               | lea                 edx, dword ptr [esp + 0x38]
            //   e8????????           |                     
            //   4c8d1db21b0100       | dec                 eax

        $sequence_7 = { c1fb05 83e61f 8d1c9d40174200 894508 8b03 c1e606 }
            // n = 6, score = 100
            //   c1fb05               | sar                 ebx, 5
            //   83e61f               | and                 esi, 0x1f
            //   8d1c9d40174200       | lea                 ebx, dword ptr [ebx*4 + 0x421740]
            //   894508               | mov                 dword ptr [ebp + 8], eax
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   c1e606               | shl                 esi, 6

        $sequence_8 = { 8d4801 498bc3 482bc1 498bcd 488d544580 e8???????? }
            // n = 6, score = 100
            //   8d4801               | dec                 eax
            //   498bc3               | test                eax, eax
            //   482bc1               | je                  0xff
            //   498bcd               | dec                 ebp
            //   488d544580           | mov                 eax, ebp
            //   e8????????           |                     

        $sequence_9 = { e8???????? 33c0 e9???????? 8975e4 33c0 39b8d0f84100 0f8491000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi
            //   33c0                 | xor                 eax, eax
            //   39b8d0f84100         | cmp                 dword ptr [eax + 0x41f8d0], edi
            //   0f8491000000         | je                  0x97

        $sequence_10 = { 8b442444 8b4804 c7440c44acc24100 8b542434 8b4204 c7440434b4c24100 }
            // n = 6, score = 100
            //   8b442444             | mov                 eax, dword ptr [esp + 0x44]
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   c7440c44acc24100     | mov                 dword ptr [esp + ecx + 0x44], 0x41c2ac
            //   8b542434             | mov                 edx, dword ptr [esp + 0x34]
            //   8b4204               | mov                 eax, dword ptr [edx + 4]
            //   c7440434b4c24100     | mov                 dword ptr [esp + eax + 0x34], 0x41c2b4

        $sequence_11 = { 741e 488d0df1cc0000 e8???????? 85c0 }
            // n = 4, score = 100
            //   741e                 | mov                 ebx, ecx
            //   488d0df1cc0000       | dec                 esp
            //   e8????????           |                     
            //   85c0                 | lea                 ebx, dword ptr [0x11bb2]

        $sequence_12 = { 90 807c243000 750b 41b804000000 418bc8 eb6d }
            // n = 6, score = 100
            //   90                   | xor                 eax, eax
            //   807c243000           | call                dword ptr [eax + 0x10]
            //   750b                 | dec                 eax
            //   41b804000000         | mov                 eax, ebx
            //   418bc8               | dec                 eax
            //   eb6d                 | mov                 ebx, dword ptr [esp + 0x58]

        $sequence_13 = { 58 5d c3 8b04cdc4624200 5d }
            // n = 5, score = 100
            //   58                   | add                 esp, 4
            //   5d                   | push                ebx
            //   c3                   | pop                 ebp
            //   8b04cdc4624200       | pop                 ebx
            //   5d                   | mov                 eax, edi

        $sequence_14 = { 4c8be0 4885c0 0f84f9000000 4d8bc5 488bd6 488bc8 }
            // n = 6, score = 100
            //   4c8be0               | je                  0x20
            //   4885c0               | dec                 eax
            //   0f84f9000000         | lea                 ecx, dword ptr [0xccf1]
            //   4d8bc5               | test                eax, eax
            //   488bd6               | dec                 esp
            //   488bc8               | mov                 esp, eax

        $sequence_15 = { 8b45e0 8b4de4 8b95c4fdffff 891481 8d85d0fdffff }
            // n = 5, score = 100
            //   8b45e0               | pop                 edi
            //   8b4de4               | pop                 esi
            //   8b95c4fdffff         | add                 esp, 4
            //   891481               | push                eax
            //   8d85d0fdffff         | add                 esp, 4

        $sequence_16 = { 6bc930 8975e0 8db1e0f84100 8975e4 }
            // n = 4, score = 100
            //   6bc930               | imul                ecx, ecx, 0x30
            //   8975e0               | mov                 dword ptr [ebp - 0x20], esi
            //   8db1e0f84100         | lea                 esi, dword ptr [ecx + 0x41f8e0]
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi

        $sequence_17 = { 7451 0fbf4f0a 8b1418 51 52 8d8528fcffff }
            // n = 6, score = 100
            //   7451                 | je                  0x53
            //   0fbf4f0a             | movsx               ecx, word ptr [edi + 0xa]
            //   8b1418               | mov                 edx, dword ptr [eax + ebx]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   8d8528fcffff         | lea                 eax, dword ptr [ebp - 0x3d8]

        $sequence_18 = { 8b45a8 8b10 8b4da8 8b420c ffd0 }
            // n = 5, score = 100
            //   8b45a8               | pop                 ebp
            //   8b10                 | pop                 ebx
            //   8b4da8               | mov                 eax, edi
            //   8b420c               | pop                 edi
            //   ffd0                 | pop                 esi

        $sequence_19 = { e8???????? 803d????????00 74b3 33c0 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   803d????????00       |                     
            //   74b3                 | dec                 eax
            //   33c0                 | mov                 edx, esi

        $sequence_20 = { 0f106dc0 488d15bdba0100 488d4dd0 488945d0 f30f7f6de8 }
            // n = 5, score = 100
            //   0f106dc0             | dec                 ecx
            //   488d15bdba0100       | mov                 ecx, ebp
            //   488d4dd0             | dec                 eax
            //   488945d0             | lea                 edx, dword ptr [ebp + eax*2 - 0x80]
            //   f30f7f6de8           | je                  0xffffffb5

        $sequence_21 = { 3bf3 72e6 8b75ec 6a00 8d45f0 }
            // n = 5, score = 100
            //   3bf3                 | push                0
            //   72e6                 | push                0
            //   8b75ec               | push                0x70048
            //   6a00                 | add                 esp, 4
            //   8d45f0               | push                eax

        $sequence_22 = { ff5010 488bc3 488b5c2458 488b742460 4883c440 5f c3 }
            // n = 7, score = 100
            //   ff5010               | dec                 eax
            //   488bc3               | mov                 ecx, eax
            //   488b5c2458           | lea                 ecx, dword ptr [eax + 1]
            //   488b742460           | dec                 ecx
            //   4883c440             | mov                 eax, ebx
            //   5f                   | dec                 eax
            //   c3                   | sub                 eax, ecx

        $sequence_23 = { 894f14 8b95d0feffff 8b4204 f68405dcfeffff01 }
            // n = 4, score = 100
            //   894f14               | push                eax
            //   8b95d0feffff         | add                 esp, 4
            //   8b4204               | lea                 eax, dword ptr [ebp - 0x24]
            //   f68405dcfeffff01     | push                eax

        $sequence_24 = { 391a 7521 807f1900 7404 8bce eb15 }
            // n = 6, score = 100
            //   391a                 | pop                 edi
            //   7521                 | pop                 esi
            //   807f1900             | lea                 eax, dword ptr [ebp - 0x24]
            //   7404                 | push                eax
            //   8bce                 | mov                 ecx, dword ptr [ebp - 0x24]
            //   eb15                 | add                 esp, 4

        $sequence_25 = { 33c0 8b4d08 3b0cc578aa4100 740a 40 83f816 72ee }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   3b0cc578aa4100       | cmp                 ecx, dword ptr [eax*8 + 0x41aa78]
            //   740a                 | je                  0xc
            //   40                   | inc                 eax
            //   83f816               | cmp                 eax, 0x16
            //   72ee                 | jb                  0xfffffff0

    condition:
        7 of them and filesize < 1112064
}
Download all Yara Rules