SYMBOLCOMMON_NAMEaka. SYNONYMS
win.dnespy (Back to overview)

DneSpy

DneSpy collects information, takes screenshots, and downloads and executes the latest version of other malicious components in the infected system. The malware is designed to receive a “policy” file in JSON format with all the commands to execute. The policy file sent by the C&C server can be changed and updated over time, making dneSpy flexible and well-designed. The output of each executed command is zipped, encrypted, and exfiltrated to the C&C server. These characteristics make dneSpy a fully functional espionage backdoor.

References
2020-10-28Trend MicroWilliam Gamazo Sanchez, Aliakbar Zahravi, Elliot Cao, Cedric Pernet, Daniel Lunghi, Jaromír Hořejší, Joseph C Chen, John Zhang
@online{sanchez:20201028:operation:7f4b906, author = {William Gamazo Sanchez and Aliakbar Zahravi and Elliot Cao and Cedric Pernet and Daniel Lunghi and Jaromír Hořejší and Joseph C Chen and John Zhang}, title = {{Operation Earth Kitsune: A Dance of Two New Backdoors}}, date = {2020-10-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html}, language = {English}, urldate = {2020-10-29} } Operation Earth Kitsune: A Dance of Two New Backdoors
AgfSpy DneSpy SLUB
Yara Rules
[TLP:WHITE] win_dnespy_auto (20230407 | Detects win.dnespy.)
rule win_dnespy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.dnespy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnespy"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8a8547deffff 83c408 33c9 c785dcddffff00000000 c785e0ddffff07000000 66898dccddffff 84c0 }
            // n = 7, score = 200
            //   8a8547deffff         | mov                 al, byte ptr [ebp - 0x21b9]
            //   83c408               | add                 esp, 8
            //   33c9                 | xor                 ecx, ecx
            //   c785dcddffff00000000     | mov    dword ptr [ebp - 0x2224], 0
            //   c785e0ddffff07000000     | mov    dword ptr [ebp - 0x2220], 7
            //   66898dccddffff       | mov                 word ptr [ebp - 0x2234], cx
            //   84c0                 | test                al, al

        $sequence_1 = { 83c410 83f804 0f8590000000 8b442424 88442424 0facf808 6a08 }
            // n = 7, score = 200
            //   83c410               | add                 esp, 0x10
            //   83f804               | cmp                 eax, 4
            //   0f8590000000         | jne                 0x96
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]
            //   88442424             | mov                 byte ptr [esp + 0x24], al
            //   0facf808             | shrd                eax, edi, 8
            //   6a08                 | push                8

        $sequence_2 = { 85ff 0f8474010000 e8???????? 8986f8000000 89442410 c786ec00000078563412 }
            // n = 6, score = 200
            //   85ff                 | test                edi, edi
            //   0f8474010000         | je                  0x17a
            //   e8????????           |                     
            //   8986f8000000         | mov                 dword ptr [esi + 0xf8], eax
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   c786ec00000078563412     | mov    dword ptr [esi + 0xec], 0x12345678

        $sequence_3 = { 8be5 5d c20800 5f 5e c74344601f4500 32c0 }
            // n = 7, score = 200
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20800               | ret                 8
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   c74344601f4500       | mov                 dword ptr [ebx + 0x44], 0x451f60
            //   32c0                 | xor                 al, al

        $sequence_4 = { 8d8ddcd9ffff e8???????? 8b8574d9ffff c645fc00 83f810 722d 8b8d60d9ffff }
            // n = 7, score = 200
            //   8d8ddcd9ffff         | lea                 ecx, [ebp - 0x2624]
            //   e8????????           |                     
            //   8b8574d9ffff         | mov                 eax, dword ptr [ebp - 0x268c]
            //   c645fc00             | mov                 byte ptr [ebp - 4], 0
            //   83f810               | cmp                 eax, 0x10
            //   722d                 | jb                  0x2f
            //   8b8d60d9ffff         | mov                 ecx, dword ptr [ebp - 0x26a0]

        $sequence_5 = { 8b442440 8944242c 7514 3b442438 750e 837c242400 7507 }
            // n = 7, score = 200
            //   8b442440             | mov                 eax, dword ptr [esp + 0x40]
            //   8944242c             | mov                 dword ptr [esp + 0x2c], eax
            //   7514                 | jne                 0x16
            //   3b442438             | cmp                 eax, dword ptr [esp + 0x38]
            //   750e                 | jne                 0x10
            //   837c242400           | cmp                 dword ptr [esp + 0x24], 0
            //   7507                 | jne                 9

        $sequence_6 = { c1e807 8a8098c54400 0fb6c0 66ff848688090000 8b869c160000 8b4e78 48 }
            // n = 7, score = 200
            //   c1e807               | shr                 eax, 7
            //   8a8098c54400         | mov                 al, byte ptr [eax + 0x44c598]
            //   0fb6c0               | movzx               eax, al
            //   66ff848688090000     | inc                 word ptr [esi + eax*4 + 0x988]
            //   8b869c160000         | mov                 eax, dword ptr [esi + 0x169c]
            //   8b4e78               | mov                 ecx, dword ptr [esi + 0x78]
            //   48                   | dec                 eax

        $sequence_7 = { 3bf1 75f3 8b4c240c 83c8ff 49 3bc8 0f42c1 }
            // n = 7, score = 200
            //   3bf1                 | cmp                 esi, ecx
            //   75f3                 | jne                 0xfffffff5
            //   8b4c240c             | mov                 ecx, dword ptr [esp + 0xc]
            //   83c8ff               | or                  eax, 0xffffffff
            //   49                   | dec                 ecx
            //   3bc8                 | cmp                 ecx, eax
            //   0f42c1               | cmovb               eax, ecx

        $sequence_8 = { 880e 8b75e8 3bdf 75b5 8b7dd0 8b4ddc 8b37 }
            // n = 7, score = 200
            //   880e                 | mov                 byte ptr [esi], cl
            //   8b75e8               | mov                 esi, dword ptr [ebp - 0x18]
            //   3bdf                 | cmp                 ebx, edi
            //   75b5                 | jne                 0xffffffb7
            //   8b7dd0               | mov                 edi, dword ptr [ebp - 0x30]
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   8b37                 | mov                 esi, dword ptr [edi]

        $sequence_9 = { 7453 ffb5a0fbffff 0f57c0 660f1385c8fbffff ff15???????? 8985c4fbffff b802000000 }
            // n = 7, score = 200
            //   7453                 | je                  0x55
            //   ffb5a0fbffff         | push                dword ptr [ebp - 0x460]
            //   0f57c0               | xorps               xmm0, xmm0
            //   660f1385c8fbffff     | movlpd              qword ptr [ebp - 0x438], xmm0
            //   ff15????????         |                     
            //   8985c4fbffff         | mov                 dword ptr [ebp - 0x43c], eax
            //   b802000000           | mov                 eax, 2

    condition:
        7 of them and filesize < 794624
}
Download all Yara Rules