win.dnespy

DneSpy


DneSpy collects information, takes screenshots, and downloads and executes the latest version of other malicious components on the infected system. The malware receives its tasking as a “policy” file in JSON format that lists all the commands to execute. Because the C&C server can change and update the policy file over time, the backdoor's tasking is operator-controlled rather than fixed in the binary. The output of each executed command is zipped, encrypted, and exfiltrated to the C&C server. Together these characteristics make dneSpy a fully functional espionage backdoor.

References
2020-10-28Trend MicroWilliam Gamazo Sanchez, Aliakbar Zahravi, Elliot Cao, Cedric Pernet, Daniel Lunghi, Jaromír Hořejší, Joseph C Chen, John Zhang
@online{sanchez:20201028:operation:7f4b906, author = {William Gamazo Sanchez and Aliakbar Zahravi and Elliot Cao and Cedric Pernet and Daniel Lunghi and Jaromír Hořejší and Joseph C Chen and John Zhang}, title = {{Operation Earth Kitsune: A Dance of Two New Backdoors}}, date = {2020-10-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html}, language = {English}, urldate = {2020-10-29} } Operation Earth Kitsune: A Dance of Two New Backdoors
AgfSpy DneSpy SLUB
Yara Rules
[TLP:WHITE] win_dnespy_auto (20230125 | Detects win.dnespy.)
rule win_dnespy_auto {
    /*
     * Code-pattern rule for the dneSpy backdoor (Operation Earth Kitsune,
     * Trend Micro, 2020-10-28). The ten $sequence_* strings below are short
     * x86 instruction byte runs selected automatically by YARA-Signator from
     * the disassembly of memory dumps and unpacked files (see DISCLAIMER);
     * they are opaque byte patterns, not hand-picked indicators, so expect
     * them to match unpacked code — a packed on-disk sample may not trigger
     * the rule. Per-sequence triage notes are given inline; the condition
     * (7 of 10 plus a size cap) is documented above it.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.dnespy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnespy"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): the 0x12345678 / 0x23456789 / 0x34567890 immediates
        // look like generic placeholder/test constants rather than anything
        // dneSpy-specific. The 7-of-10 threshold in the condition limits the
        // false-positive impact of this one sequence, but confirm it against
        // a clean corpus before treating it as a standalone indicator.
        $sequence_0 = { c786ec00000078563412 c786f000000089674523 c786f400000090785634 8a07 84c0 7460 bb78563412 }
            // n = 7, score = 200
            //   c786ec00000078563412     | mov    dword ptr [esi + 0xec], 0x12345678
            //   c786f000000089674523     | mov    dword ptr [esi + 0xf0], 0x23456789
            //   c786f400000090785634     | mov    dword ptr [esi + 0xf4], 0x34567890
            //   8a07                 | mov                 al, byte ptr [edi]
            //   84c0                 | test                al, al
            //   7460                 | je                  0x62
            //   bb78563412           | mov                 ebx, 0x12345678

        $sequence_1 = { 0f850e010000 8bc7 33c9 99 0bcd 0b442418 89442418 }
            // n = 7, score = 200
            //   0f850e010000         | jne                 0x114
            //   8bc7                 | mov                 eax, edi
            //   33c9                 | xor                 ecx, ecx
            //   99                   | cdq                 
            //   0bcd                 | or                  ecx, ebp
            //   0b442418             | or                  eax, dword ptr [esp + 0x18]
            //   89442418             | mov                 dword ptr [esp + 0x18], eax

        $sequence_2 = { 33db 57 89442414 399e84000000 0f8e5c010000 8b3e }
            // n = 6, score = 200
            //   33db                 | xor                 ebx, ebx
            //   57                   | push                edi
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   399e84000000         | cmp                 dword ptr [esi + 0x84], ebx
            //   0f8e5c010000         | jle                 0x162
            //   8b3e                 | mov                 edi, dword ptr [esi]

        // Presumably a byte-wise decoding step: each byte is read from
        // [ebp - 0x978], transformed with an add followed by an xor using
        // per-byte constants, and written into a stack buffer. This looks
        // like string deobfuscation — verify in the sample.
        $sequence_3 = { 8b8588f6ffff 0426 342a 8885b2f6ffff 8b8588f6ffff 0427 340d }
            // n = 7, score = 200
            //   8b8588f6ffff         | mov                 eax, dword ptr [ebp - 0x978]
            //   0426                 | add                 al, 0x26
            //   342a                 | xor                 al, 0x2a
            //   8885b2f6ffff         | mov                 byte ptr [ebp - 0x94e], al
            //   8b8588f6ffff         | mov                 eax, dword ptr [ebp - 0x978]
            //   0427                 | add                 al, 0x27
            //   340d                 | xor                 al, 0xd

        $sequence_4 = { 8b49fc 83c223 2bc1 83c0fc 83f81f 0f876af8ffff 52 }
            // n = 7, score = 200
            //   8b49fc               | mov                 ecx, dword ptr [ecx - 4]
            //   83c223               | add                 edx, 0x23
            //   2bc1                 | sub                 eax, ecx
            //   83c0fc               | add                 eax, -4
            //   83f81f               | cmp                 eax, 0x1f
            //   0f876af8ffff         | ja                  0xfffff870
            //   52                   | push                edx

        // NOTE(review): the store of 0 / 0xf / 0 to three adjacent stack
        // slots followed by a compare against 0x10 is consistent with MSVC
        // std::string small-buffer initialization (size 0, capacity 15).
        // If so this is compiler/library boilerplate and weak evidence on
        // its own; it may match other binaries built with the same CRT.
        $sequence_5 = { 8b95e8deffff c78514dfffff00000000 c78518dfffff0f000000 c68504dfffff00 83fa10 722f 8b8dd4deffff }
            // n = 7, score = 200
            //   8b95e8deffff         | mov                 edx, dword ptr [ebp - 0x2118]
            //   c78514dfffff00000000     | mov    dword ptr [ebp - 0x20ec], 0
            //   c78518dfffff0f000000     | mov    dword ptr [ebp - 0x20e8], 0xf
            //   c68504dfffff00       | mov                 byte ptr [ebp - 0x20fc], 0
            //   83fa10               | cmp                 edx, 0x10
            //   722f                 | jb                  0x31
            //   8b8dd4deffff         | mov                 ecx, dword ptr [ebp - 0x212c]

        // Same 0x10 length-threshold checks as $sequence_5; presumably the
        // same string-handling library code, so treat as weak on its own.
        $sequence_6 = { 2bc2 83f810 0f821f020000 83791410 7202 8b09 52 }
            // n = 7, score = 200
            //   2bc2                 | sub                 eax, edx
            //   83f810               | cmp                 eax, 0x10
            //   0f821f020000         | jb                  0x225
            //   83791410             | cmp                 dword ptr [ecx + 0x14], 0x10
            //   7202                 | jb                  4
            //   8b09                 | mov                 ecx, dword ptr [ecx]
            //   52                   | push                edx

        // The two e8 (near call) displacements are wildcarded because they
        // change with code layout; only the surrounding lea/mov/push bytes
        // are matched exactly.
        $sequence_7 = { 8d4508 8bcc 50 e8???????? e8???????? 8d45d8 8bcc }
            // n = 7, score = 200
            //   8d4508               | lea                 eax, [ebp + 8]
            //   8bcc                 | mov                 ecx, esp
            //   50                   | push                eax
            //   e8????????           |                     
            //   e8????????           |                     
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   8bcc                 | mov                 ecx, esp

        // Same 0 / 0xf / 0 store pattern as $sequence_5 (see note there),
        // here at a different stack offset after a wildcarded call.
        $sequence_8 = { 51 e8???????? 83c408 8b5588 c7856cffffff00000000 c78570ffffff0f000000 c6855cffffff00 }
            // n = 7, score = 200
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8b5588               | mov                 edx, dword ptr [ebp - 0x78]
            //   c7856cffffff00000000     | mov    dword ptr [ebp - 0x94], 0
            //   c78570ffffff0f000000     | mov    dword ptr [ebp - 0x90], 0xf
            //   c6855cffffff00       | mov                 byte ptr [ebp - 0xa4], 0

        // Function epilogue: restores callee-saved registers, moves esi into
        // eax (looks like the return value) and releases 0x74 bytes of stack.
        // Generic by nature; only the specific 0x74 frame size narrows it.
        $sequence_9 = { 5b 8bc6 5e 5d 83c474 }
            // n = 5, score = 200
            //   5b                   | pop                 ebx
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   83c474               | add                 esp, 0x74

    // Fire when at least 7 of the 10 sequences match and the scanned object
    // is smaller than 794624 bytes (776 KiB). The size cap suppresses matches
    // inside large carriers (installers, archives, full memory images) that
    // might embed the same bytes; raise or drop it if you scan such inputs.
    // There is no PE header / magic check, so the rule also applies to raw
    // memory blobs and unpacked code that is not a valid PE file.
    condition:
        7 of them and filesize < 794624
}