win.disttrack

DistTrack

aka: Shamoon

Actor(s): Shamoon, Magic Hound, Timberworm, COBALT GIPSY


There is no description at this point.

References
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
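@comment{corporate author: the outer brace pair keeps the whole name as one indivisible surname instead of first="Qi Anxin Threat Intelligence", last="Center"}
@techreport{center:20200213:report:146d333,
  author      = {{Qi Anxin Threat Intelligence Center}},
  title       = {{APT Report 2019}},
  date        = {2020-02-13},
  institution = {Qianxin},
  url         = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf},
  language    = {English},
  urldate     = {2020-02-27},
}
APT Report 2019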
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-02-10 | ZDNet | Catalin Cimpanu
@online{cimpanu:20200210:fbi:1904430,
  author       = {Cimpanu, Catalin},
  title        = {{FBI warns about ongoing attacks against software supply chain companies}},
  date         = {2020-02-10},
  organization = {ZDNet},
  url          = {https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/},
  language     = {English},
  urldate      = {2020-02-11},
}
FBI warns about ongoing attacks against software supply chain companies
DistTrack Kwampirs
2019-12-21 | MalwareInDepth | Myrtus 0x0
@online{0x0:20191221:shamoon:eb1828b,
  author       = {Myrtus 0x0},
  title        = {{Shamoon 2012 Complete Analysis}},
  date         = {2019-12-21},
  organization = {MalwareInDepth},
  url          = {https://malwareindepth.com/shamoon-2012/},
  language     = {English},
  urldate      = {2020-01-12},
}
Shamoon 2012 Complete Analysis
DistTrack
2018-12-14 | Symantec | Critical Attack Discovery and Intelligence Team
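@comment{corporate author containing a literal " and ": without the outer brace pair BibTeX splits it into two authors, "Critical Attack Discovery" and "Intelligence Team"}
@online{team:20181214:shamoon:1f24fa5,
  author       = {{Critical Attack Discovery and Intelligence Team}},
  title        = {{Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail}},
  date         = {2018-12-14},
  organization = {Symantec},
  url          = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail},
  language     = {English},
  urldate      = {2020-04-21},
}
Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail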
DistTrack Filerase StoneDrill OilRig
2018-12-13 | Palo Alto Networks Unit 42 | Robert Falcone
@online{falcone:20181213:shamoon:1623fe7,
  author       = {Falcone, Robert},
  title        = {{Shamoon 3 Targets Oil and Gas Organization}},
  date         = {2018-12-13},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/},
  language     = {English},
  urldate      = {2020-01-10},
}
Shamoon 3 Targets Oil and Gas Organization
DistTrack
2017-03-26 | Palo Alto Networks Unit 42 | Robert Falcone, Bryan Lee
@online{falcone:20170326:shamoon:8a62f1a,
  author       = {Falcone, Robert and Lee, Bryan},
  title        = {{Shamoon 2: Delivering Disttrack}},
  date         = {2017-03-26},
  organization = {Palo Alto Networks Unit 42},
  url          = {http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/},
  language     = {English},
  urldate      = {2019-12-20},
}
Shamoon 2: Delivering Disttrack
DistTrack
2017-03-14 | FireEye | FireEye
@online{fireeye:20170314:mtrend:0ea7d30,
  author       = {{FireEye}},
  title        = {{M-Trend 2017: A View From the Front Lines}},
  date         = {2017-03-14},
  organization = {FireEye},
  url          = {https://content.fireeye.com/m-trends/rpt-m-trends-2017},
  language     = {English},
  urldate      = {2020-06-03},
}
M-Trend 2017: A View From the Front Lines
DistTrack Powersniff FIN8
2017-02-27 | Symantec | A L Johnson
@online{johnson:20170227:shamoon:0188f39,
  author       = {Johnson, A L},
  title        = {{Shamoon: Multi-staged destructive attacks limited to specific targets}},
  date         = {2017-02-27},
  organization = {Symantec},
  url          = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments},
  language     = {English},
  urldate      = {2020-04-21},
}
Shamoon: Multi-staged destructive attacks limited to specific targets
DistTrack MimiKatz Rocket Kitten
2017-02-05 | VinRansomware | Gregory Paul, Shaunak
@online{paul:20170205:detailed:3a65aaf,
  author       = {Paul, Gregory and Shaunak},
  title        = {{Detailed threat analysis of Shamoon 2.0 Malware}},
  date         = {2017-02-05},
  organization = {VinRansomware},
  url          = {http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware},
  language     = {English},
  urldate      = {2020-01-09},
}
Detailed threat analysis of Shamoon 2.0 Malware
DistTrack
2017-01-23 | Symantec | Symantec Security Response
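@comment{corporate author: outer braces stop BibTeX from reading first="Symantec Security", last="Response"; this entry is the web.archive.org copy of the same post cited as response:20170123:greenbug:96eab4c}
@online{response:20170123:greenbug:a118a76,
  author        = {{Symantec Security Response}},
  title         = {{Greenbug cyberespionage group targeting Middle East, possible links to Shamoon}},
  date          = {2017-01-23},
  organization  = {Symantec},
  url           = {https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon},
  language      = {English},
  urldate       = {2020-04-21},
  internal-note = {archived copy of response:20170123:greenbug:96eab4c},
}
Greenbug cyberespionage group targeting Middle East, possible links to Shamoon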
DistTrack ISMDoor Greenbug
2017-01-23 | Symantec | Symantec Security Response
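@comment{corporate author: outer braces stop BibTeX from reading first="Symantec Security", last="Response"}
@online{response:20170123:greenbug:96eab4c,
  author       = {{Symantec Security Response}},
  title        = {{Greenbug cyberespionage group targeting Middle East, possible links to Shamoon}},
  date         = {2017-01-23},
  organization = {Symantec},
  url          = {https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon},
  language     = {English},
  urldate      = {2020-01-13},
}
Greenbug cyberespionage group targeting Middle East, possible links to Shamoon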
DistTrack ISMDoor Greenbug
2017-01-09 | Palo Alto Networks Unit 42 | Robert Falcone
@online{falcone:20170109:second:2e36550,
  author       = {Falcone, Robert},
  title        = {{Second Wave of Shamoon 2 Attacks Identified}},
  date         = {2017-01-09},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/},
  language     = {English},
  urldate      = {2020-01-07},
}
Second Wave of Shamoon 2 Attacks Identified
DistTrack
2016-12-03 | Coding and Security | Coding and Security
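@comment{corporate author containing a literal " and ": without the outer brace pair it is split into two authors, "Coding" and "Security" (which is how the page header above renders it)}
@online{coding:20161203:sophisticated:af2cbb4,
  author       = {{Coding and Security}},
  title        = {{"Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis}},
  date         = {2016-12-03},
  organization = {Coding and Security},
  url          = {https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis},
  language     = {English},
  urldate      = {2020-01-08},
}
"Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis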
DistTrack
2016-11-30 | Palo Alto Networks Unit 42 | Robert Falcone
@online{falcone:20161130:shamoon:6befcf1,
  author       = {Falcone, Robert},
  title        = {{Shamoon 2: Return of the Disttrack Wiper}},
  date         = {2016-11-30},
  organization = {Palo Alto Networks Unit 42},
  url          = {http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412},
  language     = {English},
  urldate      = {2019-12-20},
}
Shamoon 2: Return of the Disttrack Wiper
DistTrack
2016-11-30 | Symantec | A L Johnson
@online{johnson:20161130:shamoon:50feb7c,
  author       = {Johnson, A L},
  title        = {{Shamoon: Back from the dead and destructive as ever}},
  date         = {2016-11-30},
  organization = {Symantec},
  url          = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments},
  language     = {English},
  urldate      = {2020-04-21},
}
Shamoon: Back from the dead and destructive as ever
DistTrack OilRig
2012-08-17 | Contagiodump Blog | Mila Parkour
@online{parkour:20120817:shamoon:efffab1,
  author       = {Parkour, Mila},
  title        = {{Shamoon or DistTrack.A samples}},
  date         = {2012-08-17},
  organization = {Contagiodump Blog},
  url          = {http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html},
  language     = {English},
  urldate      = {2019-12-20},
}
Shamoon or DistTrack.A samples
DistTrack
2012-08-16 | Kaspersky Labs | GReAT
@online{great:20120816:shamoon:143efb8,
  author       = {{GReAT}},
  title        = {{Shamoon the Wiper – Copycats at Work}},
  date         = {2012-08-16},
  organization = {Kaspersky Labs},
  url          = {https://securelist.com/shamoon-the-wiper-copycats-at-work/},
  language     = {English},
  urldate      = {2019-12-20},
}
Shamoon the Wiper – Copycats at Work
DistTrack
2012-08-16 | Symantec | Symantec Security Response
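@comment{corporate author: outer braces stop BibTeX from reading first="Symantec Security", last="Response"}
@online{response:20120816:shamoon:8f8fe97,
  author       = {{Symantec Security Response}},
  title        = {{The Shamoon Attacks}},
  date         = {2012-08-16},
  organization = {Symantec},
  url          = {https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks},
  language     = {English},
  urldate      = {2020-04-21},
}
The Shamoon Attacks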
DistTrack OilRig
Yara Rules
[TLP:WHITE] win_disttrack_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_disttrack_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes (informational only; the generated logic below is unchanged):
     * - $sequence_0..$sequence_5 carry "score = 200", $sequence_6..$sequence_25
     *   carry "score = 100". The score semantics come from yara-signator and are
     *   not defined in this rule; they look like relative weights -- TODO confirm
     *   against the tool's documentation before using them for triage.
     * - The "??" bytes mask the operand that follows call/jmp/push/mov opcodes
     *   (e8, ff15, 68, 4c8b0d); presumably relocation-dependent targets and data
     *   references, consistent with the "callsandjumps;datarefs" config above.
     * - The "//" disassembly annotations in several sequences do not correspond
     *   to the listed bytes, e.g. 52 is annotated "push edx" in $sequence_0 but
     *   "lea eax, [ebp - 0x24]" in $sequence_14 (see also $sequence_6, 7, 9, 10,
     *   16, 17, 19, 20, 21, 22 and 25). Sequences whose bytes start with 48/49/4c
     *   appear to be x64 code decoded as 32-bit (48 rendered as "dec eax").
     *   YARA matches only the byte patterns; the annotations have no effect.
     */

    strings:
        $sequence_0 = { 52 6a00 6a00 6848000700 }
            // n = 4, score = 200
            //   52                   | push                edx
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6848000700           | push                0x70048

        $sequence_1 = { 68???????? ff15???????? 8d45dc 50 ff15???????? 8b4ddc }
            // n = 6, score = 200
            //   68????????           |                     
            //   ff15????????         |                     
            //   8d45dc               | lea                 eax, [ebp - 0x24]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]

        $sequence_2 = { ff15???????? 5d 5b 8bc7 5f 5e }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx
            //   8bc7                 | mov                 eax, edi
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_3 = { 58 5e 5d c3 6a0c }
            // n = 5, score = 200
            //   58                   | pop                 eax
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   6a0c                 | push                0xc

        $sequence_4 = { e8???????? 6a07 e8???????? 59 c3 6a10 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   6a07                 | push                7
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   c3                   | ret                 
            //   6a10                 | push                0x10

        $sequence_5 = { 83c404 50 e8???????? 83c404 68???????? ff15???????? e8???????? }
            // n = 7, score = 200
            //   83c404               | add                 esp, 4
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   68????????           |                     
            //   ff15????????         |                     
            //   e8????????           |                     

        $sequence_6 = { 4c8b0d???????? 4889442428 488d05ecf60000 8bd3 }
            // n = 4, score = 100
            //   4c8b0d????????       |                     
            //   4889442428           | dec                 edx
            //   488d05ecf60000       | lea                 ecx, [ebp + ebx*2 - 0x80]
            //   8bd3                 | dec                 eax

        $sequence_7 = { 4c895f18 4533c0 33d2 488d4f18 e8???????? 90 488bc7 }
            // n = 7, score = 100
            //   4c895f18             | dec                 eax
            //   4533c0               | sub                 esp, 0x30
            //   33d2                 | dec                 eax
            //   488d4f18             | mov                 dword ptr [esp + 0x20], 0xfffffffe
            //   e8????????           |                     
            //   90                   | inc                 ecx
            //   488bc7               | mov                 eax, eax

        $sequence_8 = { c1f905 8b0c8d00864300 83e21f c1e206 385c1104 7506 }
            // n = 6, score = 100
            //   c1f905               | sar                 ecx, 5
            //   8b0c8d00864300       | mov                 ecx, dword ptr [ecx*4 + 0x438600]
            //   83e21f               | and                 edx, 0x1f
            //   c1e206               | shl                 edx, 6
            //   385c1104             | cmp                 byte ptr [ecx + edx + 4], bl
            //   7506                 | jne                 8

        $sequence_9 = { e8???????? b001 488b8c2440020000 4833cc }
            // n = 4, score = 100
            //   e8????????           |                     
            //   b001                 | dec                 esp
            //   488b8c2440020000     | mov                 edx, edx
            //   4833cc               | dec                 eax

        $sequence_10 = { 498bcd 448bc0 e8???????? 8bd0 }
            // n = 4, score = 100
            //   498bcd               | mov                 dword ptr [esp + 0x28], eax
            //   448bc0               | dec                 eax
            //   e8????????           |                     
            //   8bd0                 | lea                 eax, [0xf6ec]

        $sequence_11 = { 8b8424b0000000 83c804 83e017 898424b0000000 858424b4000000 740d }
            // n = 6, score = 100
            //   8b8424b0000000       | mov                 eax, dword ptr [esp + 0xb0]
            //   83c804               | or                  eax, 4
            //   83e017               | and                 eax, 0x17
            //   898424b0000000       | mov                 dword ptr [esp + 0xb0], eax
            //   858424b4000000       | test                dword ptr [esp + 0xb4], eax
            //   740d                 | je                  0xf

        $sequence_12 = { 8d4de0 51 8b4dc8 e8???????? 50 8d4dec e8???????? }
            // n = 7, score = 100
            //   8d4de0               | lea                 ecx, [ebp - 0x20]
            //   51                   | push                ecx
            //   8b4dc8               | mov                 ecx, dword ptr [ebp - 0x38]
            //   e8????????           |                     
            //   50                   | push                eax
            //   8d4dec               | lea                 ecx, [ebp - 0x14]
            //   e8????????           |                     

        $sequence_13 = { 752b 8b542434 8b4a04 8b440c40 8d4c0c34 83c802 }
            // n = 6, score = 100
            //   752b                 | jne                 0x2d
            //   8b542434             | mov                 edx, dword ptr [esp + 0x34]
            //   8b4a04               | mov                 ecx, dword ptr [edx + 4]
            //   8b440c40             | mov                 eax, dword ptr [esp + ecx + 0x40]
            //   8d4c0c34             | lea                 ecx, [esp + ecx + 0x34]
            //   83c802               | or                  eax, 2

        $sequence_14 = { 8b4d08 6a01 8d55fc 52 50 51 }
            // n = 6, score = 100
            //   8b4d08               | add                 esp, 4
            //   6a01                 | push                eax
            //   8d55fc               | add                 esp, 4
            //   52                   | lea                 eax, [ebp - 0x24]
            //   50                   | push                eax
            //   51                   | mov                 ecx, dword ptr [ebp - 0x24]

        $sequence_15 = { 40 89442428 83f801 0f8ce4f7ffff 8b442430 }
            // n = 5, score = 100
            //   40                   | inc                 eax
            //   89442428             | mov                 dword ptr [esp + 0x28], eax
            //   83f801               | cmp                 eax, 1
            //   0f8ce4f7ffff         | jl                  0xfffff7ea
            //   8b442430             | mov                 eax, dword ptr [esp + 0x30]

        $sequence_16 = { 6a00 56 ff15???????? 57 ff15???????? 5f 5b }
            // n = 7, score = 100
            //   6a00                 | pop                 esi
            //   56                   | push                ebx
            //   ff15????????         |                     
            //   57                   | pop                 ebp
            //   ff15????????         |                     
            //   5f                   | pop                 ebx
            //   5b                   | mov                 eax, edi

        $sequence_17 = { 8b4c242c 8b5104 8d742444 c744142c1c2b4200 e8???????? c784245806000002000000 }
            // n = 6, score = 100
            //   8b4c242c             | add                 esp, 4
            //   8b5104               | push                eax
            //   8d742444             | add                 esp, 4
            //   c744142c1c2b4200     | pop                 ebp
            //   e8????????           |                     
            //   c784245806000002000000     | pop    ebx

        $sequence_18 = { ff15???????? 85c0 0f854cffffff 57 }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f854cffffff         | jne                 0xffffff52
            //   57                   | push                edi

        $sequence_19 = { 033485a08d4200 8b45f8 8b00 8906 8b45fc }
            // n = 5, score = 100
            //   033485a08d4200       | pop                 edi
            //   8b45f8               | pop                 esi
            //   8b00                 | add                 esp, 4
            //   8906                 | push                eax
            //   8b45fc               | add                 esp, 4

        $sequence_20 = { cc 4c8d05e0b10000 498bd4 488bcd e8???????? 85c0 7541 }
            // n = 7, score = 100
            //   cc                   | mov                 edx, ebx
            //   4c8d05e0b10000       | dec                 ecx
            //   498bd4               | mov                 ecx, ebp
            //   488bcd               | inc                 esp
            //   e8????????           |                     
            //   85c0                 | mov                 eax, eax
            //   7541                 | mov                 edx, eax

        $sequence_21 = { 488d0587730100 4889442438 4c89742430 418d5110 }
            // n = 4, score = 100
            //   488d0587730100       | dec                 eax
            //   4889442438           | mov                 ecx, ebp
            //   4c89742430           | test                eax, eax
            //   418d5110             | jne                 0x52

        $sequence_22 = { 84c0 7577 498bcd e8???????? 4a8d4c5d80 }
            // n = 5, score = 100
            //   84c0                 | test                al, al
            //   7577                 | jne                 0x79
            //   498bcd               | dec                 ecx
            //   e8????????           |                     
            //   4a8d4c5d80           | mov                 ecx, ebp

        $sequence_23 = { e8???????? 399c24a0000000 0f844b020000 8b442410 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   399c24a0000000       | cmp                 dword ptr [esp + 0xa0], ebx
            //   0f844b020000         | je                  0x251
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]

        $sequence_24 = { 50 e8???????? 83c404 8b442424 8b8c2498030000 64890d00000000 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]
            //   8b8c2498030000       | mov                 ecx, dword ptr [esp + 0x398]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx

        $sequence_25 = { 4883ec30 48c7442420feffffff 418bc0 4c8bd2 488bd9 }
            // n = 5, score = 100
            //   4883ec30             | int3                
            //   48c7442420feffffff     | dec    esp
            //   418bc0               | lea                 eax, [0xb1e0]
            //   4c8bd2               | dec                 ecx
            //   488bd9               | mov                 edx, esp

    // A file matches when at least 7 of the 26 $sequence_* patterns are present
    // and it is smaller than 1112064 bytes (~1.06 MiB). The condition is a plain
    // count: the 200/100 scores and the 32-/64-bit split of the sequences carry
    // no weight here, so a review of hits should not assume either was honoured.
    condition:
        7 of them and filesize < 1112064
}