win.donot (Back to overview)

DONOT

Actor(s): VICEROY TIGER


Donot is a sophisticated malware toolkit designed to collect and exfiltrate information from vulnerable systems. It has been used in targeted attacks against government and military organizations in Asia. The toolkit is complex and well-crafted, and it poses a serious threat to information security.

References
2023-02-23 · K7 Security · Vigneshwaran P
@online{p:20230223:donot:3806844, author = {Vigneshwaran P}, title = {{The DoNot APT}}, date = {2023-02-23}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/the-donot-apt/}, language = {English}, urldate = {2023-07-24} } The DoNot APT
DONOT
2022-08-11 · Morphisec · Hido Cohen, Arnold Osipov
@online{cohen:20220811:aptc35:bc731cd, author = {Hido Cohen and Arnold Osipov}, title = {{APT-C-35 GETS A NEW UPGRADE}}, date = {2022-08-11}, organization = {Morphisec}, url = {https://blog.morphisec.com/apt-c-35-new-windows-framework-revealed}, language = {English}, urldate = {2023-07-24} } APT-C-35 GETS A NEW UPGRADE
DONOT
Yara Rules
[TLP:WHITE] win_donot_auto (20230715 | Detects win.donot.)
rule win_donot_auto {
    // Auto-generated (yara-signator) code-sequence rule for the win.donot family.
    // Each $sequence_N below is a short run of x86 instruction bytes lifted from
    // unpacked samples; the condition fires when 7 of the 10 sequences are present
    // and the scanned file is smaller than 626688 bytes (612 KiB).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.donot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.donot"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Hex strings: `??` bytes are wildcards. They stand in for the operands of
    // relative jumps/calls and absolute immediates (the rows with an empty
    // disassembly column), so relocation differences there do not break a match.
    // Per-sequence "n" is the instruction count and "score" the generator's
    // selection score; neither is evaluated by YARA.
    strings:
        // NOTE(review): this sequence embeds an absolute data address
        // (0x10047b18). It will only match samples whose image base and data
        // layout are unchanged; expect it to be brittle across rebuilt or
        // relocated variants.
        $sequence_0 = { 6bd238 8b0c8d187b0410 88441129 8b0b 8bc1 c1f806 }
            // n = 6, score = 100
            //   6bd238               | imul                edx, edx, 0x38
            //   8b0c8d187b0410       | mov                 ecx, dword ptr [ecx*4 + 0x10047b18]
            //   88441129             | mov                 byte ptr [ecx + edx + 0x29], al
            //   8b0b                 | mov                 ecx, dword ptr [ebx]
            //   8bc1                 | mov                 eax, ecx
            //   c1f806               | sar                 eax, 6

        $sequence_1 = { 83c408 8bb5e8fdffff 8dbdd8fdffff 83bdecfdffff10 c745b000000000 0f43bdd8fdffff }
            // n = 6, score = 100
            //   83c408               | add                 esp, 8
            //   8bb5e8fdffff         | mov                 esi, dword ptr [ebp - 0x218]
            //   8dbdd8fdffff         | lea                 edi, [ebp - 0x228]
            //   83bdecfdffff10       | cmp                 dword ptr [ebp - 0x214], 0x10
            //   c745b000000000       | mov                 dword ptr [ebp - 0x50], 0
            //   0f43bdd8fdffff       | cmovae              edi, dword ptr [ebp - 0x228]

        // NOTE(review): same absolute address (0x10047b18) as $sequence_0, so
        // both sequences share the same image-base dependency; they are not
        // independent evidence for the "7 of them" threshold.
        $sequence_2 = { 8bf3 6bf938 c1fe06 6a00 8b0cb5187b0410 ff740f24 }
            // n = 6, score = 100
            //   8bf3                 | mov                 esi, ebx
            //   6bf938               | imul                edi, ecx, 0x38
            //   c1fe06               | sar                 esi, 6
            //   6a00                 | push                0
            //   8b0cb5187b0410       | mov                 ecx, dword ptr [esi*4 + 0x10047b18]
            //   ff740f24             | push                dword ptr [edi + ecx + 0x24]

        $sequence_3 = { 894610 c7461407000000 668906 e9???????? 837f1410 8bcf 7202 }
            // n = 7, score = 100
            //   894610               | mov                 dword ptr [esi + 0x10], eax
            //   c7461407000000       | mov                 dword ptr [esi + 0x14], 7
            //   668906               | mov                 word ptr [esi], ax
            //   e9????????           |                     
            //   837f1410             | cmp                 dword ptr [edi + 0x14], 0x10
            //   8bcf                 | mov                 ecx, edi
            //   7202                 | jb                  4

        $sequence_4 = { c785e4fbffff07000000 8d5102 668985d0fbffff 6690 668b01 83c102 6685c0 }
            // n = 7, score = 100
            //   c785e4fbffff07000000     | mov    dword ptr [ebp - 0x41c], 7
            //   8d5102               | lea                 edx, [ecx + 2]
            //   668985d0fbffff       | mov                 word ptr [ebp - 0x430], ax
            //   6690                 | nop                 
            //   668b01               | mov                 ax, word ptr [ecx]
            //   83c102               | add                 ecx, 2
            //   6685c0               | test                ax, ax

        $sequence_5 = { 8d85e8e7ffff 68???????? 50 ff15???????? 83c410 8d8594e7ffff 50 }
            // n = 7, score = 100
            //   8d85e8e7ffff         | lea                 eax, [ebp - 0x1818]
            //   68????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83c410               | add                 esp, 0x10
            //   8d8594e7ffff         | lea                 eax, [ebp - 0x186c]
            //   50                   | push                eax

        $sequence_6 = { 0f1085b0fcffff 0f1100 8bc4 0f108590fcffff 51 0f1100 ff5228 }
            // n = 7, score = 100
            //   0f1085b0fcffff       | movups              xmm0, xmmword ptr [ebp - 0x350]
            //   0f1100               | movups              xmmword ptr [eax], xmm0
            //   8bc4                 | mov                 eax, esp
            //   0f108590fcffff       | movups              xmm0, xmmword ptr [ebp - 0x370]
            //   51                   | push                ecx
            //   0f1100               | movups              xmmword ptr [eax], xmm0
            //   ff5228               | call                dword ptr [edx + 0x28]

        $sequence_7 = { 83c408 8b95dcfeffff 83fa10 722f 8b8dc8feffff 42 8bc1 }
            // n = 7, score = 100
            //   83c408               | add                 esp, 8
            //   8b95dcfeffff         | mov                 edx, dword ptr [ebp - 0x124]
            //   83fa10               | cmp                 edx, 0x10
            //   722f                 | jb                  0x31
            //   8b8dc8feffff         | mov                 ecx, dword ptr [ebp - 0x138]
            //   42                   | inc                 edx
            //   8bc1                 | mov                 eax, ecx

        // NOTE(review): the pushed immediates 0x80000002 and 0xf003f match the
        // Win32 values of HKEY_LOCAL_MACHINE and KEY_ALL_ACCESS ahead of a
        // wildcarded indirect call, which looks like registry access under
        // HKLM — confirm against the sample before treating it as a
        // persistence/configuration indicator.
        $sequence_8 = { 6a00 68???????? 6802000080 c785c8e7ffff3f000f00 ff15???????? 85c0 0f84ef000000 }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   68????????           |                     
            //   6802000080           | push                0x80000002
            //   c785c8e7ffff3f000f00     | mov    dword ptr [ebp - 0x1838], 0xf003f
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f84ef000000         | je                  0xf5

        // NOTE(review): writing fs:[0] and saving esp is the shape of a
        // compiler-emitted SEH frame prologue; on its own this sequence has
        // low specificity, so it should not be relied on outside the
        // combined "7 of them" condition.
        $sequence_9 = { 8d45f4 64a300000000 8965f0 8b4510 8b4d18 8b5d0c }
            // n = 6, score = 100
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8965f0               | mov                 dword ptr [ebp - 0x10], esp
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8b4d18               | mov                 ecx, dword ptr [ebp + 0x18]
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]

    // Any 7 of the 10 sequences must match, and the scanned object must be
    // smaller than 626688 bytes. Note the size bound applies to whatever is
    // scanned (a file on disk or a memory region), so a larger packed dropper
    // or a full process dump may fall outside it even if the sequences are
    // present.
    condition:
        7 of them and filesize < 626688
}