SYMBOLCOMMON_NAMEaka. SYNONYMS
win.dnespy (Back to overview)

DneSpy

DneSpy collects information, takes screenshots, and downloads and executes the latest version of other malicious components in the infected system. The malware is designed to receive a “policy” file in JSON format with all the commands to execute. The policy file sent by the C&C server can be changed and updated over time, making dneSpy flexible and well-designed. The output of each executed command is zipped, encrypted, and exfiltrated to the C&C server. These characteristics make dneSpy a fully functional espionage backdoor.

References
2020-10-28Trend MicroWilliam Gamazo Sanchez, Aliakbar Zahravi, Elliot Cao, Cedric Pernet, Daniel Lunghi, Jaromír Hořejší, Joseph C Chen, John Zhang
@online{sanchez:20201028:operation:7f4b906, author = {William Gamazo Sanchez and Aliakbar Zahravi and Elliot Cao and Cedric Pernet and Daniel Lunghi and Jaromír Hořejší and Joseph C Chen and John Zhang}, title = {{Operation Earth Kitsune: A Dance of Two New Backdoors}}, date = {2020-10-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html}, language = {English}, urldate = {2020-10-29} } Operation Earth Kitsune: A Dance of Two New Backdoors
AgfSpy DneSpy SLUB
Yara Rules
[TLP:WHITE] win_dnespy_auto (20230808 | Detects win.dnespy.)
rule win_dnespy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.dnespy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnespy"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83ec18 8d4508 8bcc 50 e8???????? ba01000000 8d4dc8 }
            // n = 7, score = 200
            //   83ec18               | sub                 esp, 0x18
            //   8d4508               | lea                 eax, [ebp + 8]
            //   8bcc                 | mov                 ecx, esp
            //   50                   | push                eax
            //   e8????????           |                     
            //   ba01000000           | mov                 edx, 1
            //   8d4dc8               | lea                 ecx, [ebp - 0x38]

        $sequence_1 = { f30f7e4594 8b459c 660fd645a4 8945ac 7209 8b0e 8bc1 }
            // n = 7, score = 200
            //   f30f7e4594           | movq                xmm0, qword ptr [ebp - 0x6c]
            //   8b459c               | mov                 eax, dword ptr [ebp - 0x64]
            //   660fd645a4           | movq                qword ptr [ebp - 0x5c], xmm0
            //   8945ac               | mov                 dword ptr [ebp - 0x54], eax
            //   7209                 | jb                  0xb
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   8bc1                 | mov                 eax, ecx

        $sequence_2 = { 8bf1 8954240c 57 8b7d08 89442414 837e4c00 7471 }
            // n = 7, score = 200
            //   8bf1                 | mov                 esi, ecx
            //   8954240c             | mov                 dword ptr [esp + 0xc], edx
            //   57                   | push                edi
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   837e4c00             | cmp                 dword ptr [esi + 0x4c], 0
            //   7471                 | je                  0x73

        $sequence_3 = { 74e7 83f80d 74e2 40 83f87e 0f878b010000 }
            // n = 6, score = 200
            //   74e7                 | je                  0xffffffe9
            //   83f80d               | cmp                 eax, 0xd
            //   74e2                 | je                  0xffffffe4
            //   40                   | inc                 eax
            //   83f87e               | cmp                 eax, 0x7e
            //   0f878b010000         | ja                  0x191

        $sequence_4 = { 6a50 668945e8 ff15???????? 668945ea 8d45e8 6a10 }
            // n = 6, score = 200
            //   6a50                 | push                0x50
            //   668945e8             | mov                 word ptr [ebp - 0x18], ax
            //   ff15????????         |                     
            //   668945ea             | mov                 word ptr [ebp - 0x16], ax
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   6a10                 | push                0x10

        $sequence_5 = { 0f84f0000000 8bc8 e8???????? 8bd0 c745e000000000 8bca c745e40f000000 }
            // n = 7, score = 200
            //   0f84f0000000         | je                  0xf6
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   8bd0                 | mov                 edx, eax
            //   c745e000000000       | mov                 dword ptr [ebp - 0x20], 0
            //   8bca                 | mov                 ecx, edx
            //   c745e40f000000       | mov                 dword ptr [ebp - 0x1c], 0xf

        $sequence_6 = { 6a00 6a00 8d85e0cfffff 50 6a00 ff15???????? ffb5a0cfffff }
            // n = 7, score = 200
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8d85e0cfffff         | lea                 eax, [ebp - 0x3020]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   ffb5a0cfffff         | push                dword ptr [ebp - 0x3060]

        $sequence_7 = { 8a18 3a19 750a 40 41 3bc2 75f0 }
            // n = 7, score = 200
            //   8a18                 | mov                 bl, byte ptr [eax]
            //   3a19                 | cmp                 bl, byte ptr [ecx]
            //   750a                 | jne                 0xc
            //   40                   | inc                 eax
            //   41                   | inc                 ecx
            //   3bc2                 | cmp                 eax, edx
            //   75f0                 | jne                 0xfffffff2

        $sequence_8 = { 744b 8d45f4 c745f000000000 50 8d45f8 c745f800000000 50 }
            // n = 7, score = 200
            //   744b                 | je                  0x4d
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   50                   | push                eax
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0
            //   50                   | push                eax

        $sequence_9 = { c685ebfeffff00 c685ecfeffff0f c685edfeffff0a c685eefeffff03 8a85dcfeffff c685effeffff00 0f1f440000 }
            // n = 7, score = 200
            //   c685ebfeffff00       | mov                 byte ptr [ebp - 0x115], 0
            //   c685ecfeffff0f       | mov                 byte ptr [ebp - 0x114], 0xf
            //   c685edfeffff0a       | mov                 byte ptr [ebp - 0x113], 0xa
            //   c685eefeffff03       | mov                 byte ptr [ebp - 0x112], 3
            //   8a85dcfeffff         | mov                 al, byte ptr [ebp - 0x124]
            //   c685effeffff00       | mov                 byte ptr [ebp - 0x111], 0
            //   0f1f440000           | nop                 dword ptr [eax + eax]

    condition:
        7 of them and filesize < 794624
}
Download all Yara Rules