win.doppelpaymer

DoppelPaymer

Actor(s): DOPPEL SPIDER


DoppelPaymer is a ransomware family that encrypts user data and then demands a ransom to restore the original files. It is recognizable by the trademark extension it appends to encrypted files, .doppeled, and by the ransom note it drops, a file named .how2decrypt.txt.

References

2020-06-03, ZDNet, Catalin Cimpanu: Ransomware gang says it breached one of NASA's IT contractors. https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/ (accessed 2020-06-03). Families: DoppelPaymer.

2020-03-24, Bleeping Computer, Lawrence Abrams: Three More Ransomware Families Create Sites to Leak Stolen Data. https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/ (accessed 2020-03-26). Families: Clop, DoppelPaymer, Maze, Nefilim Ransomware, Nemty, REvil.

2020-03-05, Microsoft, Microsoft Threat Protection Intelligence Team: Human-operated ransomware attacks: A preventable disaster. https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/ (accessed 2020-03-06). Families: Dharma, DoppelPaymer, Dridex, EternalPetya, Gandcrab, Hermes, LockerGoga, MegaCortex, MimiKatz, REvil, RobinHood, Ryuk, SamSam, TrickBot, WannaCryptor.

2020-03-04, CrowdStrike: 2020 CrowdStrike Global Threat Report. https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf (accessed 2020-03-04). Families: MESSAGETAP, More_eggs, 8.t Dropper, Anchor, BabyShark, BadNews, Clop, Cobalt Strike, CobInt, Cobra Carbon System, Cutwail, DanaBot, Dharma, DoppelPaymer, Dridex, Emotet, FlawedAmmyy, FriedEx, Gandcrab, Get2, IcedID, ISFB, KerrDown, LightNeuron, LockerGoga, Maze, Necurs, Nokki, Outlook Backdoor, Phobos Ransomware, Predator The Thief, QakBot, REvil, RobinHood, Ryuk, SDBbot, Skipper, SmokeLoader, TerraRecon, TerraStealer, TerraTV, TinyLoader, TrickBot, vidar, Winnti. Actors: ANTHROPOID SPIDER, Anunak, APT39, BlackTech, BuhTrap, Charming Kitten, CLOCKWORD SPIDER, DOPPEL SPIDER, Gamaredon Group, Judgment Panda, Leviathan, MONTY SPIDER, Mustang Panda, NARWHAL SPIDER, NOCTURNAL SPIDER, Pinchy Spider, Pirate Panda, Salty Spider, SCULLY SPIDER, SMOKY SPIDER, Thrip, VENOM SPIDER.

2020-03-03, Bleeping Computer, Lawrence Abrams: Ransomware Attackers Use Your Cloud Backups Against You. https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/ (accessed 2020-03-04). Families: DoppelPaymer, Maze.

2020-03-02, TechCrunch, Zack Whittaker and Kirsten Korosec: Visser, a parts manufacturer for Tesla and SpaceX, confirms data breach. https://techcrunch.com/2020/03/01/visser-breach/ (accessed 2020-03-09). Families: DoppelPaymer.

2020-02-25, Bleeping Computer, Lawrence Abrams: DoppelPaymer Ransomware Launches Site to Post Victim's Data. https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/ (accessed 2020-02-26). Families: DoppelPaymer, FriedEx.

2020, Secureworks: GOLD HERON. https://www.secureworks.com/research/threat-profiles/gold-heron (accessed 2020-05-23). Families: DoppelPaymer, Dridex, Empire Downloader.

2019-07-12, CrowdStrike, Brett Stone-Gross, Sergei Frankoff and Bex Hartley: BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0. https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/ (accessed 2020-04-25). Families: DoppelPaymer, Dridex, FriedEx.
Yara Rules
[TLP:WHITE] win_doppelpaymer_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_doppelpaymer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */
    strings:
        $sequence_0 = { 6a01 ff765c ffd2 8b442418 ff7004 8b4c240c }
            // n = 6, score = 600
            //   6a01                 | push                1
            //   ff765c               | push                dword ptr [esi + 0x5c]
            //   ffd2                 | call                edx
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   ff7004               | push                dword ptr [eax + 4]
            //   8b4c240c             | mov                 ecx, dword ptr [esp + 0xc]

        $sequence_1 = { 8b30 83fe01 751a 6a00 8b4c2430 e8???????? ff30 }
            // n = 7, score = 600
            //   8b30                 | mov                 esi, dword ptr [eax]
            //   83fe01               | cmp                 esi, 1
            //   751a                 | jne                 0x1c
            //   6a00                 | push                0
            //   8b4c2430             | mov                 ecx, dword ptr [esp + 0x30]
            //   e8????????           |                     
            //   ff30                 | push                dword ptr [eax]

        $sequence_2 = { e8???????? 33c0 89442414 c644241801 }
            // n = 4, score = 600
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   c644241801           | mov                 byte ptr [esp + 0x18], 1

        $sequence_3 = { 8d4c2470 e8???????? 6a00 8d4c240c e8???????? 6a00 }
            // n = 6, score = 600
            //   8d4c2470             | lea                 ecx, [esp + 0x70]
            //   e8????????           |                     
            //   6a00                 | push                0
            //   8d4c240c             | lea                 ecx, [esp + 0xc]
            //   e8????????           |                     
            //   6a00                 | push                0

        $sequence_4 = { 740e 8b442470 3b442464 7504 }
            // n = 4, score = 600
            //   740e                 | je                  0x10
            //   8b442470             | mov                 eax, dword ptr [esp + 0x70]
            //   3b442464             | cmp                 eax, dword ptr [esp + 0x64]
            //   7504                 | jne                 6

        $sequence_5 = { 8d4c244c e8???????? 8bc8 8bc6 }
            // n = 4, score = 600
            //   8d4c244c             | lea                 ecx, [esp + 0x4c]
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   8bc6                 | mov                 eax, esi

        $sequence_6 = { e8???????? 6a3a 8d4c240c e8???????? 8bf8 }
            // n = 5, score = 600
            //   e8????????           |                     
            //   6a3a                 | push                0x3a
            //   8d4c240c             | lea                 ecx, [esp + 0xc]
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_7 = { e8???????? 8b4c2408 8b1424 6a00 }
            // n = 4, score = 600
            //   e8????????           |                     
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   8b1424               | mov                 edx, dword ptr [esp]
            //   6a00                 | push                0

        $sequence_8 = { 83c404 5d c3 55 89e5 83ec08 }
            // n = 6, score = 100
            //   83c404               | add                 esp, 4
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   83ec08               | sub                 esp, 8

        $sequence_9 = { 8b45b0 8b00 8945a8 8b45b0 8b4014 }
            // n = 5, score = 100
            //   8b45b0               | mov                 eax, dword ptr [ebp - 0x50]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8945a8               | mov                 dword ptr [ebp - 0x58], eax
            //   8b45b0               | mov                 eax, dword ptr [ebp - 0x50]
            //   8b4014               | mov                 eax, dword ptr [eax + 0x14]

        $sequence_10 = { 8b75d8 03561c 8b7de4 033c8a 897dcc }
            // n = 5, score = 100
            //   8b75d8               | mov                 esi, dword ptr [ebp - 0x28]
            //   03561c               | add                 edx, dword ptr [esi + 0x1c]
            //   8b7de4               | mov                 edi, dword ptr [ebp - 0x1c]
            //   033c8a               | add                 edi, dword ptr [edx + ecx*4]
            //   897dcc               | mov                 dword ptr [ebp - 0x34], edi

        $sequence_11 = { 8b45dc 83c0f8 8945e0 eb0f 8a45db }
            // n = 5, score = 100
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   83c0f8               | add                 eax, -8
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   eb0f                 | jmp                 0x11
            //   8a45db               | mov                 al, byte ptr [ebp - 0x25]

        $sequence_12 = { 8b75c8 39f2 8945e0 8955c4 74ce }
            // n = 5, score = 100
            //   8b75c8               | mov                 esi, dword ptr [ebp - 0x38]
            //   39f2                 | cmp                 edx, esi
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8955c4               | mov                 dword ptr [ebp - 0x3c], edx
            //   74ce                 | je                  0xffffffd0

        $sequence_13 = { 8b55e8 8b7254 c7042400000000 89742404 8945b8 894de0 e8???????? }
            // n = 7, score = 100
            //   8b55e8               | mov                 edx, dword ptr [ebp - 0x18]
            //   8b7254               | mov                 esi, dword ptr [edx + 0x54]
            //   c7042400000000       | mov                 dword ptr [esp], 0
            //   89742404             | mov                 dword ptr [esp + 4], esi
            //   8945b8               | mov                 dword ptr [ebp - 0x48], eax
            //   894de0               | mov                 dword ptr [ebp - 0x20], ecx
            //   e8????????           |                     

        $sequence_14 = { 8b4df0 81f1ae120746 25ffff0000 01c8 8b4de4 01c1 }
            // n = 6, score = 100
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   81f1ae120746         | xor                 ecx, 0x460712ae
            //   25ffff0000           | and                 eax, 0xffff
            //   01c8                 | add                 eax, ecx
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   01c1                 | add                 ecx, eax

        $sequence_15 = { be58000000 8b7950 897de0 8b793c 897de4 }
            // n = 5, score = 100
            //   be58000000           | mov                 esi, 0x58
            //   8b7950               | mov                 edi, dword ptr [ecx + 0x50]
            //   897de0               | mov                 dword ptr [ebp - 0x20], edi
            //   8b793c               | mov                 edi, dword ptr [ecx + 0x3c]
            //   897de4               | mov                 dword ptr [ebp - 0x1c], edi

    condition:
        7 of them and filesize < 7266304
}
[TLP:WHITE] win_doppelpaymer_w0 (20200304 | DoppelPaymer Payload)
/*
# Copyright (C) 2019 Kevin O'Reilly (kevoreilly@gmail.com)
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

rule win_doppelpaymer_w0 {
    meta:
        author = "kevoreilly"
        description = "DoppelPaymer Payload"
        source = "https://github.com/ctxis/CAPE/blob/9580330546c9cc084c1cef70045ff3cc2db37af8/data/yara/CAPE/DoppelPaymer.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer"
        malpedia_version = "20200304"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $getproc32 = {81 FB ?? ?? ?? ?? 74 2D 8B CB E8 ?? ?? ?? ?? 85 C0 74 0C 8B C8 8B D7 E8 ?? ?? ?? ?? 5B 5F C3}
        $cmd_string = "Setup run\n" wide
    condition:
        uint16(0) == 0x5A4D and all of them
}