win.dnespy

DneSpy


DneSpy collects information, takes screenshots, and downloads and executes the latest version of other malicious components on the infected system. The malware is designed to receive a “policy” file in JSON format containing all the commands to execute. Because the policy file sent by the C&C server can be changed and updated over time, dneSpy is flexible and well-designed. The output of each executed command is zipped, encrypted, and exfiltrated to the C&C server. These characteristics make dneSpy a fully functional espionage backdoor.

References
2020-10-28 · Trend Micro · William Gamazo Sanchez, Aliakbar Zahravi, Elliot Cao, Cedric Pernet, Daniel Lunghi, Jaromír Hořejší, Joseph C Chen, John Zhang
@online{sanchez:20201028:operation:7f4b906, author = {William Gamazo Sanchez and Aliakbar Zahravi and Elliot Cao and Cedric Pernet and Daniel Lunghi and Jaromír Hořejší and Joseph C Chen and John Zhang}, title = {{Operation Earth Kitsune: A Dance of Two New Backdoors}}, date = {2020-10-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html}, language = {English}, urldate = {2020-10-29} } Operation Earth Kitsune: A Dance of Two New Backdoors
AgfSpy DneSpy SLUB
Yara Rules
[TLP:WHITE] win_dnespy_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_dnespy_auto {

    /*
     * Purpose: detect DneSpy (the Operation Earth Kitsune backdoor described in
     * the malpedia_reference below) by matching short x86 code byte sequences
     * that yara-signator extracted from the documented sample(s).
     * The rule fires when at least 7 of the 10 $sequence_* patterns are present
     * and the scanned file is smaller than the filesize bound in the condition.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnespy"
        malpedia_rule_date = "20201222"
        // Identifies the Malpedia corpus snapshot the rule was generated from.
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a hex pattern of consecutive x86 instructions.
        // The "n = 7" annotation gives the instruction count of the sequence;
        // "score" is a yara-signator ranking value (exact meaning: see the tool's
        // documentation). The indented lines list the bytes of each instruction
        // and its disassembly. "??" bytes are wildcards: the disassembly column is
        // left blank there because the operand (e.g. a call target after e8, or an
        // absolute address after a1) differs between builds and is not matched.
        $sequence_0 = { 83c418 c745b80f000000 c645a400 8d5101 8a01 41 84c0 }
            // n = 7, score = 200
            //   83c418               | add                 esp, 0x18
            //   c745b80f000000       | mov                 dword ptr [ebp - 0x48], 0xf
            //   c645a400             | mov                 byte ptr [ebp - 0x5c], 0
            //   8d5101               | lea                 edx, [ecx + 1]
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   41                   | inc                 ecx
            //   84c0                 | test                al, al

        $sequence_1 = { 7611 66837c5c5c00 7505 43 3bdf 72f3 895c241c }
            // n = 7, score = 200
            //   7611                 | jbe                 0x13
            //   66837c5c5c00         | cmp                 word ptr [esp + ebx*2 + 0x5c], 0
            //   7505                 | jne                 7
            //   43                   | inc                 ebx
            //   3bdf                 | cmp                 ebx, edi
            //   72f3                 | jb                  0xfffffff5
            //   895c241c             | mov                 dword ptr [esp + 0x1c], ebx

        $sequence_2 = { 83beb000010000 8d7c241c 8b562c 8b461c 8b4e08 6a04 57 }
            // n = 7, score = 200
            //   83beb000010000       | cmp                 dword ptr [esi + 0x100b0], 0
            //   8d7c241c             | lea                 edi, [esp + 0x1c]
            //   8b562c               | mov                 edx, dword ptr [esi + 0x2c]
            //   8b461c               | mov                 eax, dword ptr [esi + 0x1c]
            //   8b4e08               | mov                 ecx, dword ptr [esi + 8]
            //   6a04                 | push                4
            //   57                   | push                edi

        $sequence_3 = { 50 50 53 56 89442438 660f13442450 e8???????? }
            // n = 7, score = 200
            //   50                   | push                eax
            //   50                   | push                eax
            //   53                   | push                ebx
            //   56                   | push                esi
            //   89442438             | mov                 dword ptr [esp + 0x38], eax
            //   660f13442450         | movlpd              qword ptr [esp + 0x50], xmm0
            //   e8????????           |                     

        $sequence_4 = { 7202 8b06 c644080100 881c08 eb0f ff75ec 8bce }
            // n = 7, score = 200
            //   7202                 | jb                  4
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   c644080100           | mov                 byte ptr [eax + ecx + 1], 0
            //   881c08               | mov                 byte ptr [eax + ecx], bl
            //   eb0f                 | jmp                 0x11
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   8bce                 | mov                 ecx, esi

        $sequence_5 = { 83ec20 a1???????? 33c4 8944241c 53 8b5c2430 55 }
            // n = 7, score = 200
            //   83ec20               | sub                 esp, 0x20
            //   a1????????           |                     
            //   33c4                 | xor                 eax, esp
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   53                   | push                ebx
            //   8b5c2430             | mov                 ebx, dword ptr [esp + 0x30]
            //   55                   | push                ebp

        $sequence_6 = { 0f8554010000 8d5e08 8b4720 55 68c4160000 6a01 ff7728 }
            // n = 7, score = 200
            //   0f8554010000         | jne                 0x15a
            //   8d5e08               | lea                 ebx, [esi + 8]
            //   8b4720               | mov                 eax, dword ptr [edi + 0x20]
            //   55                   | push                ebp
            //   68c4160000           | push                0x16c4
            //   6a01                 | push                1
            //   ff7728               | push                dword ptr [edi + 0x28]

        $sequence_7 = { 50 e8???????? 83c40c c78550deffff2c104500 c645fc02 8d8560deffff 6a00 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   c78550deffff2c104500     | mov    dword ptr [ebp - 0x21b0], 0x45102c
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   8d8560deffff         | lea                 eax, [ebp - 0x21a0]
            //   6a00                 | push                0

        $sequence_8 = { 0fb680bc214100 ff2485ac214100 8a470c 8b4e10 8b13 8845ec 3bca }
            // n = 7, score = 200
            //   0fb680bc214100       | movzx               eax, byte ptr [eax + 0x4121bc]
            //   ff2485ac214100       | jmp                 dword ptr [eax*4 + 0x4121ac]
            //   8a470c               | mov                 al, byte ptr [edi + 0xc]
            //   8b4e10               | mov                 ecx, dword ptr [esi + 0x10]
            //   8b13                 | mov                 edx, dword ptr [ebx]
            //   8845ec               | mov                 byte ptr [ebp - 0x14], al
            //   3bca                 | cmp                 ecx, edx

        $sequence_9 = { c685addfffff7c c685aedfffff00 8a85a4dfffff 0f1f00 8a841594dfffff 8b8d90dfffff 32c8 }
            // n = 7, score = 200
            //   c685addfffff7c       | mov                 byte ptr [ebp - 0x2053], 0x7c
            //   c685aedfffff00       | mov                 byte ptr [ebp - 0x2052], 0
            //   8a85a4dfffff         | mov                 al, byte ptr [ebp - 0x205c]
            //   0f1f00               | nop                 dword ptr [eax]
            //   8a841594dfffff       | mov                 al, byte ptr [ebp + edx - 0x206c]
            //   8b8d90dfffff         | mov                 ecx, dword ptr [ebp - 0x2070]
            //   32c8                 | xor                 cl, al

    condition:
        // "them" covers all ten $sequence_* strings, so at least 7 of 10 must match.
        // 794624 bytes is 776 KiB; the bound is derived from the generating sample,
        // so larger (e.g. repacked or padded) files are skipped — note this when
        // assigning the rule a confidence level, as the DISCLAIMER above advises.
        7 of them and filesize < 794624
}