win.domino

Minodo


Since late February 2023, Minodo (also reported as the Domino Backdoor) campaigns have been used to deliver either the Project Nemesis information stealer or more capable backdoors such as Cobalt Strike. The backdoor collects basic system information and transmits it to its C2 server, which answers with an AES-encrypted payload. Notably, Minodo contacts a different C2 address when the infected system is domain-joined. Because domain-joined hosts are typically corporate assets, this suggests that the more capable backdoors, such as Cobalt Strike, are delivered to higher-value targets, while Project Nemesis is reserved for the rest.

References
2023-04-14 — Security Intelligence — Charlotte Hammond, Ole Villadsen
Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor
Minodo
2023-04-14 — IBM — Charlotte Hammond, Ole Villadsen
Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor
Minodo Nemesis
Yara Rules
[TLP:WHITE] win_domino_auto (20230808 | Detects win.domino.)
rule win_domino_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.domino."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.domino"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - The byte sequences below are x86-64 code (REX prefixes 0x41/0x48/0x49/0x4c
     *   throughout); the per-instruction annotations give the matching x64 decode.
     *   "????????" wildcards a rel32/disp32 operand (call or lea target), so those
     *   sequences match regardless of where imports or data land in a given build.
     * - `date`, `malpedia_rule_date` and `malpedia_version` differ; presumably they
     *   are the signator run, the rule-set publication and the corpus snapshot
     *   respectively (inferred from the field names, not confirmed).
     * - Several sequences are ordinary compiler output (prologue/epilogue, a signed
     *   modulo fix-up, argument shuffling before a wildcarded call). Treat a hit as a
     *   lead to confirm against the referenced report, not as proof of family.
     * - The filesize bound in the condition means the rule is meant for scanning
     *   files (unpacked or dumped payloads); when scanning live process memory
     *   `filesize` does not describe a file, so check how your YARA version
     *   evaluates the condition in that mode before relying on it there.
     */


    strings:
        $sequence_0 = { b940000000 488bd8 ff15???????? 4c63c3 }
            // n = 4, score = 200
            //   b940000000           | mov                 ecx, 0x40
            //   488bd8               | mov                 rbx, rax
            //   ff15????????         | call                qword ptr [rip + disp32]   (indirect call, target wildcarded)
            //   4c63c3               | movsxd              r8, ebx
            // NOTE(review): ecx = 0x40 is the first argument of the wildcarded call
            // (Win64 convention); its meaning depends on the callee, which is not fixed here.

        $sequence_1 = { 8bc6 4881c470010000 415f 415e 415d 415c }
            // n = 6, score = 200
            //   8bc6                 | mov                 eax, esi
            //   4881c470010000       | add                 rsp, 0x170
            //   415f                 | pop                 r15
            //   415e                 | pop                 r14
            //   415d                 | pop                 r13
            //   415c                 | pop                 r12
            // function epilogue: result moved to eax, 0x170-byte frame released,
            // callee-saved r12-r15 restored. Generic; likely to appear in unrelated binaries.

        $sequence_2 = { 41b800300000 488bd6 33c9 4c8bf6 ff15???????? }
            // n = 5, score = 200
            //   41b800300000         | mov                 r8d, 0x3000
            //   488bd6               | mov                 rdx, rsi
            //   33c9                 | xor                 ecx, ecx
            //   4c8bf6               | mov                 r14, rsi
            //   ff15????????         | call                qword ptr [rip + disp32]   (indirect call, target wildcarded)
            // NOTE(review): rcx = 0, rdx = rsi, r8d = 0x3000 fits the argument layout of
            // VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, ...), but the callee is
            // wildcarded -- confirm against a sample before reading it as the payload allocation.

        $sequence_3 = { 498bd0 492bc8 4963c1 4c8d1d622e0000 428a0418 320411 }
            // n = 6, score = 200
            //   498bd0               | mov                 rdx, r8
            //   492bc8               | sub                 rcx, r8
            //   4963c1               | movsxd              rax, r9d
            //   4c8d1d622e0000       | lea                 r11, [rip + 0x2e62]
            //   428a0418             | mov                 al, byte ptr [rax + r11]
            //   320411               | xor                 al, byte ptr [rcx + rdx]
            // loads a byte from a table at rip+0x2e62 and XORs it with a byte from another
            // buffer; looks like the body of a decode loop (the loop itself is outside the sequence).
            // NOTE(review): the RIP-relative displacement 0x2e62 is NOT wildcarded, so this
            // sequence is tied to the layout of the sampled build and may miss recompiled variants.

        $sequence_4 = { 7d07 ffc8 83c8f0 ffc0 48ffc2 }
            // n = 5, score = 200
            //   7d07                 | jge                 +0x07
            //   ffc8                 | dec                 eax
            //   83c8f0               | or                  eax, 0xfffffff0
            //   ffc0                 | inc                 eax
            //   48ffc2               | inc                 rdx
            // dec / or -16 / inc looks like the compiler's negative-remainder fix-up for a
            // signed modulo by 16; a common idiom, so it carries little weight on its own.

        $sequence_5 = { 4889742410 57 4883ec20 4863fa 488bf1 4885c9 750e }
            // n = 7, score = 200
            //   4889742410           | mov                 qword ptr [rsp + 0x10], rsi
            //   57                   | push                rdi
            //   4883ec20             | sub                 rsp, 0x20
            //   4863fa               | movsxd              rdi, edx
            //   488bf1               | mov                 rsi, rcx
            //   4885c9               | test                rcx, rcx
            //   750e                 | jne                 +0x0e
            // function prologue: spills rsi, pushes rdi, reserves 0x20 bytes (consistent with
            // Win64 shadow space), copies the two register arguments (rcx, edx) and null-checks
            // the first. Generic shape; the distinguishing part is the exact register choice.

        $sequence_6 = { 488b1a 488bfa 488bf1 8b13 488bce e8???????? }
            // n = 6, score = 200
            //   488b1a               | mov                 rbx, qword ptr [rdx]
            //   488bfa               | mov                 rdi, rdx
            //   488bf1               | mov                 rsi, rcx
            //   8b13                 | mov                 edx, dword ptr [rbx]
            //   488bce               | mov                 rcx, rsi
            //   e8????????           | call                rel32   (direct call, target wildcarded)
            // dereferences a pointer passed in rdx (then the dword it points to) and re-issues
            // the first argument before a direct call; callee not fixed by the sequence.

        $sequence_7 = { 895c2420 66899c24b0000000 ff15???????? 85c0 741a 488b4c2458 }
            // n = 6, score = 200
            //   895c2420             | mov                 dword ptr [rsp + 0x20], ebx
            //   66899c24b0000000     | mov                 word ptr [rsp + 0xb0], bx
            //   ff15????????         | call                qword ptr [rip + disp32]   (indirect call, target wildcarded)
            //   85c0                 | test                eax, eax
            //   741a                 | je                  +0x1a
            //   488b4c2458           | mov                 rcx, qword ptr [rsp + 0x58]
            // [rsp + 0x20] is the first stack slot after the Win64 shadow space, i.e. presumably
            // the fifth argument of the following call; the result is then tested for zero.

        $sequence_8 = { 7f20 488b0b 4885c9 7406 ff15???????? 48832300 83c8ff }
            // n = 7, score = 200
            //   7f20                 | jg                  +0x20
            //   488b0b               | mov                 rcx, qword ptr [rbx]
            //   4885c9               | test                rcx, rcx
            //   7406                 | je                  +0x06
            //   ff15????????         | call                qword ptr [rip + disp32]   (indirect call, target wildcarded)
            //   48832300             | and                 qword ptr [rbx], 0
            //   83c8ff               | or                  eax, 0xffffffff
            // release-and-clear pattern: if the pointer/handle at [rbx] is non-null it is passed
            // to a wildcarded API, the slot is zeroed and eax is set to -1. The resource type is
            // not established by the sequence itself.

        $sequence_9 = { e8???????? 4533c9 448bc7 488bd6 488bcb e8???????? 488b5c2438 }
            // n = 7, score = 200
            //   e8????????           | call                rel32   (direct call, target wildcarded)
            //   4533c9               | xor                 r9d, r9d
            //   448bc7               | mov                 r8d, edi
            //   488bd6               | mov                 rdx, rsi
            //   488bcb               | mov                 rcx, rbx
            //   e8????????           | call                rel32   (direct call, target wildcarded)
            //   488b5c2438           | mov                 rbx, qword ptr [rsp + 0x38]
            // sets up a four-argument call (rcx, rdx, r8d, r9d = 0) between two direct calls
            // and restores rbx afterwards.

    condition:
        // at least 7 of the 10 sampled sequences must be present, and the scanned file must be
        // smaller than 49 KiB (50176 bytes) -- i.e. this targets the small unpacked/dumped payload,
        // not a packed dropper.
        7 of them and filesize < 50176
}