win.dnespy

DneSpy


DneSpy collects information, takes screenshots, and downloads and executes the latest version of other malicious components on the infected system. The malware is designed to receive a "policy" file in JSON format containing all the commands to execute. The policy file sent by the C&C server can be changed and updated over time, making dneSpy flexible and well-designed. The output of each executed command is zipped, encrypted, and exfiltrated to the C&C server. These characteristics make dneSpy a fully functional espionage backdoor.

References
2020-10-28Trend MicroWilliam Gamazo Sanchez, Aliakbar Zahravi, Elliot Cao, Cedric Pernet, Daniel Lunghi, Jaromír Hořejší, Joseph C Chen, John Zhang
@online{sanchez:20201028:operation:7f4b906, author = {William Gamazo Sanchez and Aliakbar Zahravi and Elliot Cao and Cedric Pernet and Daniel Lunghi and Jaromír Hořejší and Joseph C Chen and John Zhang}, title = {{Operation Earth Kitsune: A Dance of Two New Backdoors}}, date = {2020-10-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html}, language = {English}, urldate = {2020-10-29} } Operation Earth Kitsune: A Dance of Two New Backdoors
AgfSpy DneSpy SLUB
Yara Rules
[TLP:WHITE] win_dnespy_auto (20210616 | Detects win.dnespy.)
/* Auto-generated code-sequence signature for the DneSpy backdoor.
 * Every $sequence_N below is a short run of 32-bit x86 instructions (ebp/esp/eax
 * operands, 32-bit stack offsets) lifted from unpacked samples, so the rule targets
 * x86-32 builds only; an x64 build would not be covered. "n" is the instruction
 * count of the sequence and "score" is the generator's own ranking of it, not a
 * match confidence. The ???????? wildcards stand in for the 4-byte operands of
 * e8 (call rel32), e9 (jmp rel32) and ff15 (call dword ptr [abs]), which change
 * between builds and load addresses and so are deliberately not matched. */
rule win_dnespy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.dnespy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnespy"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Byte-wise XOR against immediate constants (0x77, 0x6d) written into
        // adjacent stack slots: looks like inline stack-string decoding — unconfirmed,
        // but if so the constants are build-specific and may differ in other samples.
        $sequence_0 = { 8b8564ffffff 3477 888568ffffff 8b8564ffffff fec0 346d 888569ffffff }
            // n = 7, score = 200
            //   8b8564ffffff         | mov                 eax, dword ptr [ebp - 0x9c]
            //   3477                 | xor                 al, 0x77
            //   888568ffffff         | mov                 byte ptr [ebp - 0x98], al
            //   8b8564ffffff         | mov                 eax, dword ptr [ebp - 0x9c]
            //   fec0                 | inc                 al
            //   346d                 | xor                 al, 0x6d
            //   888569ffffff         | mov                 byte ptr [ebp - 0x97], al

        // Mostly wildcarded call/jmp glue; on its own this is a weak, generic
        // pattern and relies on the "7 of them" threshold for specificity.
        $sequence_1 = { e9???????? ff15???????? 83c404 57 e8???????? }
            // n = 5, score = 200
            //   e9????????           |                     
            //   ff15????????         |                     
            //   83c404               | add                 esp, 4
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_2 = { 0f1f440000 4f 3bdf 7446 8b5608 8bc7 4a }
            // n = 7, score = 200
            //   0f1f440000           | nop                 dword ptr [eax + eax]
            //   4f                   | dec                 edi
            //   3bdf                 | cmp                 ebx, edi
            //   7446                 | je                  0x48
            //   8b5608               | mov                 edx, dword ptr [esi + 8]
            //   8bc7                 | mov                 eax, edi
            //   4a                   | dec                 edx

        $sequence_3 = { 896c2414 89442424 0f85c5000000 8b5c2448 8b4c2418 895c2438 8b5c2428 }
            // n = 7, score = 200
            //   896c2414             | mov                 dword ptr [esp + 0x14], ebp
            //   89442424             | mov                 dword ptr [esp + 0x24], eax
            //   0f85c5000000         | jne                 0xcb
            //   8b5c2448             | mov                 ebx, dword ptr [esp + 0x48]
            //   8b4c2418             | mov                 ecx, dword ptr [esp + 0x18]
            //   895c2438             | mov                 dword ptr [esp + 0x38], ebx
            //   8b5c2428             | mov                 ebx, dword ptr [esp + 0x28]

        // 0x38e38e39 is the reciprocal magic (~2^33/9) that compilers emit for a
        // signed division by 9; together with the large negative ebp offsets this
        // points at a sizeable local buffer being indexed — purpose unconfirmed.
        $sequence_4 = { e9???????? 8b8dc4dfffff b8398ee338 2b8dc0dfffff 33f6 f7e9 89b548deffff }
            // n = 7, score = 200
            //   e9????????           |                     
            //   8b8dc4dfffff         | mov                 ecx, dword ptr [ebp - 0x203c]
            //   b8398ee338           | mov                 eax, 0x38e38e39
            //   2b8dc0dfffff         | sub                 ecx, dword ptr [ebp - 0x2040]
            //   33f6                 | xor                 esi, esi
            //   f7e9                 | imul                ecx
            //   89b548deffff         | mov                 dword ptr [ebp - 0x21b8], esi

        // Spans a function epilogue (ret) into the start of the next function;
        // the match therefore depends on the two functions staying adjacent.
        $sequence_5 = { 0f95c1 8d4102 59 c3 83bea016000000 7470 8b565c }
            // n = 7, score = 200
            //   0f95c1               | setne               cl
            //   8d4102               | lea                 eax, dword ptr [ecx + 2]
            //   59                   | pop                 ecx
            //   c3                   | ret                 
            //   83bea016000000       | cmp                 dword ptr [esi + 0x16a0], 0
            //   7470                 | je                  0x72
            //   8b565c               | mov                 edx, dword ptr [esi + 0x5c]

        $sequence_6 = { 03ca 394138 0f94c0 8d048501000000 0b410c 50 e8???????? }
            // n = 7, score = 200
            //   03ca                 | add                 ecx, edx
            //   394138               | cmp                 dword ptr [ecx + 0x38], eax
            //   0f94c0               | sete                al
            //   8d048501000000       | lea                 eax, dword ptr [eax*4 + 1]
            //   0b410c               | or                  eax, dword ptr [ecx + 0xc]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_7 = { 8938 896804 894810 b802000000 5f 897240 5e }
            // n = 7, score = 200
            //   8938                 | mov                 dword ptr [eax], edi
            //   896804               | mov                 dword ptr [eax + 4], ebp
            //   894810               | mov                 dword ptr [eax + 0x10], ecx
            //   b802000000           | mov                 eax, 2
            //   5f                   | pop                 edi
            //   897240               | mov                 dword ptr [edx + 0x40], esi
            //   5e                   | pop                 esi

        // Chained single-byte XORs of stack bytes into al/ah: consistent with a
        // checksum or cipher round (the report describes encrypted exfiltration),
        // but the exact algorithm is not determinable from this fragment.
        $sequence_8 = { 32c5 8b4c241c 32442416 32e1 32442417 32442415 8844240f }
            // n = 7, score = 200
            //   32c5                 | xor                 al, ch
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]
            //   32442416             | xor                 al, byte ptr [esp + 0x16]
            //   32e1                 | xor                 ah, cl
            //   32442417             | xor                 al, byte ptr [esp + 0x17]
            //   32442415             | xor                 al, byte ptr [esp + 0x15]
            //   8844240f             | mov                 byte ptr [esp + 0xf], al

        $sequence_9 = { e9???????? ff75ec 8bce ff75ec 6a01 e8???????? e9???????? }
            // n = 7, score = 200
            //   e9????????           |                     
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   8bce                 | mov                 ecx, esi
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   6a01                 | push                1
            //   e8????????           |                     
            //   e9????????           |                     

    condition:
        // At least 7 of the 10 sequences must be present, which keeps a single
        // generic sequence (e.g. $sequence_1) from firing alone. The size cap
        // (776 KiB) is derived from the documented sample; it also means the rule
        // is meant for files and on-disk dumps — when YARA scans process memory,
        // filesize is undefined and this condition will not be satisfied, so drop
        // or relax the bound for memory scanning use cases.
        7 of them and filesize < 794624
}