win.dnespy

DneSpy


DneSpy collects information, takes screenshots, and downloads and executes the latest version of other malicious components on the infected system. The malware is designed to receive a “policy” file in JSON format that lists all the commands to execute. Because the C&C server can change and update this policy file over time, dneSpy is flexible and well-designed. The output of each executed command is zipped, encrypted, and exfiltrated to the C&C server. These characteristics make dneSpy a fully functional espionage backdoor.

References
2020-10-28 — Trend Micro — William Gamazo Sanchez, Aliakbar Zahravi, Elliot Cao, Cedric Pernet, Daniel Lunghi, Jaromír Hořejší, Joseph C Chen, John Zhang
@online{sanchez:20201028:operation:7f4b906, author = {William Gamazo Sanchez and Aliakbar Zahravi and Elliot Cao and Cedric Pernet and Daniel Lunghi and Jaromír Hořejší and Joseph C Chen and John Zhang}, title = {{Operation Earth Kitsune: A Dance of Two New Backdoors}}, date = {2020-10-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html}, language = {English}, urldate = {2020-10-29} } Operation Earth Kitsune: A Dance of Two New Backdoors
AgfSpy, DneSpy, SLUB
Yara Rules
[TLP:WHITE] win_dnespy_auto (20211008 | Detects win.dnespy.)
/*
 * Autogenerated YARA-Signator rule for win.dnespy (see DISCLAIMER below).
 *
 * Review notes: the ten $sequence_* strings are raw 32-bit x86 code
 * fragments (e*-register operands, `48` decoding as `dec eax`) selected
 * from unpacked files and memory dumps, so the rule targets unpacked
 * payloads and process memory rather than a packed dropper on disk.
 * Comments tagged NOTE(review) are reviewer observations about the
 * listed disassembly; they do not alter the rule's bytes or condition.
 */
rule win_dnespy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.dnespy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnespy"
        malpedia_rule_date = "20211007"
        // NOTE(review): presumably identifies the Malpedia reference sample
        // or rule-set revision this rule was generated from — verify before
        // using it as an IoC.
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each string is a short run of consecutive instructions; "n" is the
        // instruction count and "score" the signator ranking (all ten scored
        // equally at 200, so no single sequence is weighted above the others).
        $sequence_0 = { 0f8443fcffff 0fb607 8bce d3e0 47 03d8 897c2418 }
            // n = 7, score = 200
            //   0f8443fcffff         | je                  0xfffffc49
            //   0fb607               | movzx               eax, byte ptr [edi]
            //   8bce                 | mov                 ecx, esi
            //   d3e0                 | shl                 eax, cl
            //   47                   | inc                 edi
            //   03d8                 | add                 ebx, eax
            //   897c2418             | mov                 dword ptr [esp + 0x18], edi

        $sequence_1 = { 732b b802010000 2bfb 3bf8 0f47f8 8b4638 57 }
            // n = 7, score = 200
            //   732b                 | jae                 0x2d
            //   b802010000           | mov                 eax, 0x102
            //   2bfb                 | sub                 edi, ebx
            //   3bf8                 | cmp                 edi, eax
            //   0f47f8               | cmova               edi, eax
            //   8b4638               | mov                 eax, dword ptr [esi + 0x38]
            //   57                   | push                edi

        $sequence_2 = { 8b0e 894dfc 85d2 791b 8bc2 f7d8 7415 }
            // n = 7, score = 200
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   85d2                 | test                edx, edx
            //   791b                 | jns                 0x1d
            //   8bc2                 | mov                 eax, edx
            //   f7d8                 | neg                 eax
            //   7415                 | je                  0x17

        $sequence_3 = { 8bc3 eb11 ff74246c ff74245c ff542458 83c408 33c0 }
            // n = 7, score = 200
            //   8bc3                 | mov                 eax, ebx
            //   eb11                 | jmp                 0x13
            //   ff74246c             | push                dword ptr [esp + 0x6c]
            //   ff74245c             | push                dword ptr [esp + 0x5c]
            //   ff542458             | call                dword ptr [esp + 0x58]
            //   83c408               | add                 esp, 8
            //   33c0                 | xor                 eax, eax

        $sequence_4 = { 894610 8bc6 83fa10 7202 8b06 8a55ec }
            // n = 6, score = 200
            //   894610               | mov                 dword ptr [esi + 0x10], eax
            //   8bc6                 | mov                 eax, esi
            //   83fa10               | cmp                 edx, 0x10
            //   7202                 | jb                  4
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8a55ec               | mov                 dl, byte ptr [ebp - 0x14]

        // NOTE(review): the four byte stores write 0x6b 'k', 0x3d '=', 0x23 '#',
        // 0x00 to consecutive stack slots — looks like the tail of a string
        // assembled on the stack (confirm against the sample). The trailing
        // multi-byte NOPs are alignment padding whose exact encoding can differ
        // between compiler versions, so this sequence may be build-specific.
        $sequence_5 = { c68589fbffff6b c6858afbffff3d c6858bfbffff23 c6858cfbffff00 8a857cfbffff 0f1f4000 6666660f1f840000000000 }
            // n = 7, score = 200
            //   c68589fbffff6b       | mov                 byte ptr [ebp - 0x477], 0x6b
            //   c6858afbffff3d       | mov                 byte ptr [ebp - 0x476], 0x3d
            //   c6858bfbffff23       | mov                 byte ptr [ebp - 0x475], 0x23
            //   c6858cfbffff00       | mov                 byte ptr [ebp - 0x474], 0
            //   8a857cfbffff         | mov                 al, byte ptr [ebp - 0x484]
            //   0f1f4000             | nop                 dword ptr [eax]
            //   6666660f1f840000000000     | nop    word ptr [eax + eax]

        // NOTE(review): the second instruction embeds the absolute address
        // 0x44c598, i.e. a fixed image-base–dependent VA. A rebased/relocated
        // image or a rebuilt sample with a different layout will not match
        // this string; the "7 of them" condition tolerates that single miss.
        $sequence_6 = { c1e807 8a8098c54400 0fb6c0 66ff848688090000 8b869c160000 8b4e78 48 }
            // n = 7, score = 200
            //   c1e807               | shr                 eax, 7
            //   8a8098c54400         | mov                 al, byte ptr [eax + 0x44c598]
            //   0fb6c0               | movzx               eax, al
            //   66ff848688090000     | inc                 word ptr [esi + eax*4 + 0x988]
            //   8b869c160000         | mov                 eax, dword ptr [esi + 0x169c]
            //   8b4e78               | mov                 ecx, dword ptr [esi + 0x78]
            //   48                   | dec                 eax

        $sequence_7 = { 8b4e14 8bd3 8b4608 c1ea08 885c01fc 8b4e14 8b4608 }
            // n = 7, score = 200
            //   8b4e14               | mov                 ecx, dword ptr [esi + 0x14]
            //   8bd3                 | mov                 edx, ebx
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   c1ea08               | shr                 edx, 8
            //   885c01fc             | mov                 byte ptr [ecx + eax - 4], bl
            //   8b4e14               | mov                 ecx, dword ptr [esi + 0x14]
            //   8b4608               | mov                 eax, dword ptr [esi + 8]

        // NOTE(review): `call eax` after two pushes — an indirect call through a
        // register-held pointer; what it resolves to is not visible here.
        $sequence_8 = { ff771c ffd0 83c408 85c0 7549 6a01 8d44241c }
            // n = 7, score = 200
            //   ff771c               | push                dword ptr [edi + 0x1c]
            //   ffd0                 | call                eax
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   7549                 | jne                 0x4b
            //   6a01                 | push                1
            //   8d44241c             | lea                 eax, dword ptr [esp + 0x1c]

        $sequence_9 = { 3bf1 7e48 8b4814 668990b8160000 8b5008 8b442420 88040a }
            // n = 7, score = 200
            //   3bf1                 | cmp                 esi, ecx
            //   7e48                 | jle                 0x4a
            //   8b4814               | mov                 ecx, dword ptr [eax + 0x14]
            //   668990b8160000       | mov                 word ptr [eax + 0x16b8], dx
            //   8b5008               | mov                 edx, dword ptr [eax + 8]
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   88040a               | mov                 byte ptr [edx + ecx], al

    condition:
        // Any 7 of the 10 code fragments must be present, so up to three
        // sequences (e.g. the image-base–dependent $sequence_6) may miss
        // without losing the match. The upper bound 794624 bytes (776 KiB)
        // is derived from the documented sample(s).
        // NOTE(review): `filesize` is only meaningful for on-disk / dumped
        // files; when scanning live process memory confirm how your scanner
        // evaluates this term, or scan the dumped image instead.
        7 of them and filesize < 794624
}