win.doublepulsar

DoublePulsar

Actor(s): Equation Group, UPS


There is no description at this point.

References
2021-06-10 — ESET Research — Adam Burgher
@online{burgher:20210610:backdoordiplomacy:4ebcb1d, author = {Adam Burgher}, title = {{BackdoorDiplomacy: Upgrading from Quarian to Turian}}, date = {2021-06-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/}, language = {English}, urldate = {2022-06-08} } BackdoorDiplomacy: Upgrading from Quarian to Turian
CHINACHOPPER DoublePulsar EternalRocks turian BackdoorDiplomacy
2019-05-07 — Symantec — Security Response Attack Investigation Team
@online{team:20190507:buckeye:a4cf7d8, author = {Security Response Attack Investigation Team}, title = {{Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak}}, date = {2019-05-07}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit}, language = {English}, urldate = {2020-01-13} } Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak
DoublePulsar
Yara Rules
[TLP:WHITE] win_doublepulsar_auto (20221125 | Detects win.doublepulsar.)
rule win_doublepulsar_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.doublepulsar."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reading the sequences below:
     * - Each $sequence_N is a short run of instruction bytes taken from one
     *   sample; the indented listing under it is the generator's disassembly
     *   annotation and has no effect on matching.
     * - "????????" is a 4-byte wildcard. Here it stands for rel32 call/jmp
     *   targets (e8/e9) and absolute addresses (68 push imm32, ff15 call [mem],
     *   8b1d / 8a15 mov from [mem]) that change between builds, so the
     *   sequences survive relocation and recompilation.
     * - The lone 48 bytes in $sequence_5 and $sequence_7 are annotated as
     *   "dec eax", i.e. a 32-bit decoding; in 64-bit code 48 is the REX.W
     *   prefix of the following instruction, so these two sequences most
     *   likely come from an x64 build while the rest are 32-bit code — the
     *   rule therefore spans both architectures (confirm against samples).
     */

    strings:
        $sequence_0 = { 50 55 e8???????? e9???????? 6a00 6a0f 68???????? }
            // n = 7, score = 100
            //   50                   | push                eax
            //   55                   | push                ebp
            //   e8????????           |                     
            //   e9????????           |                     
            //   6a00                 | push                0
            //   6a0f                 | push                0xf
            //   68????????           |                     

        // Generic loop tail + epilogue; weak on its own, which is why the
        // condition requires several sequences rather than any one.
        $sequence_1 = { 83c704 3bf0 7ce7 5f 5e 5d }
            // n = 6, score = 100
            //   83c704               | add                 edi, 4
            //   3bf0                 | cmp                 esi, eax
            //   7ce7                 | jl                  0xffffffe9
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp

        $sequence_2 = { 72e7 33c0 5f 5e c20400 8b410c 8b4908 }
            // n = 7, score = 100
            //   72e7                 | jb                  0xffffffe9
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   c20400               | ret                 4
            //   8b410c               | mov                 eax, dword ptr [ecx + 0xc]
            //   8b4908               | mov                 ecx, dword ptr [ecx + 8]

        $sequence_3 = { 668944241e b808000000 6689442429 8b44ac14 83c404 89442427 83f801 }
            // n = 7, score = 100
            //   668944241e           | mov                 word ptr [esp + 0x1e], ax
            //   b808000000           | mov                 eax, 8
            //   6689442429           | mov                 word ptr [esp + 0x29], ax
            //   8b44ac14             | mov                 eax, dword ptr [esp + ebp*4 + 0x14]
            //   83c404               | add                 esp, 4
            //   89442427             | mov                 dword ptr [esp + 0x27], eax
            //   83f801               | cmp                 eax, 1

        $sequence_4 = { 6689442415 88442417 8b442424 8bce }
            // n = 4, score = 100
            //   6689442415           | mov                 word ptr [esp + 0x15], ax
            //   88442417             | mov                 byte ptr [esp + 0x17], al
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]
            //   8bce                 | mov                 ecx, esi

        // 48 = REX.W in x64 code; see the note above the strings section.
        $sequence_5 = { 898528ffffff 48 8b8500ffffff 48 89f9 48 8b9520ffffff }
            // n = 7, score = 100
            //   898528ffffff         | mov                 dword ptr [ebp - 0xd8], eax
            //   48                   | dec                 eax
            //   8b8500ffffff         | mov                 eax, dword ptr [ebp - 0x100]
            //   48                   | dec                 eax
            //   89f9                 | mov                 ecx, edi
            //   48                   | dec                 eax
            //   8b9520ffffff         | mov                 edx, dword ptr [ebp - 0xe0]

        $sequence_6 = { 53 e8???????? 6a00 8d94245c020000 680c040000 }
            // n = 5, score = 100
            //   53                   | push                ebx
            //   e8????????           |                     
            //   6a00                 | push                0
            //   8d94245c020000       | lea                 edx, [esp + 0x25c]
            //   680c040000           | push                0x40c

        // 48 = REX.W in x64 code; see the note above the strings section.
        $sequence_7 = { 48 8b09 48 8d442430 48 89442428 48 }
            // n = 7, score = 100
            //   48                   | dec                 eax
            //   8b09                 | mov                 ecx, dword ptr [ecx]
            //   48                   | dec                 eax
            //   8d442430             | lea                 eax, [esp + 0x30]
            //   48                   | dec                 eax
            //   89442428             | mov                 dword ptr [esp + 0x28], eax
            //   48                   | dec                 eax

        $sequence_8 = { 50 e8???????? 8b1d???????? 83c408 85c0 0f8597000000 68???????? }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b1d????????         |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   0f8597000000         | jne                 0x9d
            //   68????????           |                     

        $sequence_9 = { 8b0b 68???????? 51 ff15???????? 83c408 85c0 757f }
            // n = 7, score = 100
            //   8b0b                 | mov                 ecx, dword ptr [ebx]
            //   68????????           |                     
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   757f                 | jne                 0x81

        $sequence_10 = { 5e 83c410 c3 68???????? 57 }
            // n = 5, score = 100
            //   5e                   | pop                 esi
            //   83c410               | add                 esp, 0x10
            //   c3                   | ret                 
            //   68????????           |                     
            //   57                   | push                edi

        // rep stosd / stosw into large stack buffers: buffer zeroing/filling code.
        $sequence_11 = { 8dbc24050e0000 889424e8060000 f3ab 66ab }
            // n = 4, score = 100
            //   8dbc24050e0000       | lea                 edi, [esp + 0xe05]
            //   889424e8060000       | mov                 byte ptr [esp + 0x6e8], dl
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   66ab                 | stosw               word ptr es:[edi], ax

        $sequence_12 = { 52 ff15???????? 8a15???????? b940000000 33c0 8dbc24ed070000 889424ec070000 }
            // n = 7, score = 100
            //   52                   | push                edx
            //   ff15????????         |                     
            //   8a15????????         |                     
            //   b940000000           | mov                 ecx, 0x40
            //   33c0                 | xor                 eax, eax
            //   8dbc24ed070000       | lea                 edi, [esp + 0x7ed]
            //   889424ec070000       | mov                 byte ptr [esp + 0x7ec], dl

        $sequence_13 = { 6a01 8d8c243c010000 53 51 6a00 55 }
            // n = 6, score = 100
            //   6a01                 | push                1
            //   8d8c243c010000       | lea                 ecx, [esp + 0x13c]
            //   53                   | push                ebx
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   55                   | push                ebp

        // Byte-scan loop comparing against 0x0d (carriage return) — text parsing.
        $sequence_14 = { 7e2a 8a0432 3c0d 740e }
            // n = 4, score = 100
            //   7e2a                 | jle                 0x2c
            //   8a0432               | mov                 al, byte ptr [edx + esi]
            //   3c0d                 | cmp                 al, 0xd
            //   740e                 | je                  0x10

        $sequence_15 = { 8b430b 83c013 394508 0f821f010000 8b45fc }
            // n = 5, score = 100
            //   8b430b               | mov                 eax, dword ptr [ebx + 0xb]
            //   83c013               | add                 eax, 0x13
            //   394508               | cmp                 dword ptr [ebp + 8], eax
            //   0f821f010000         | jb                  0x125
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

    condition:
        // Seven of the sixteen sequences must be present (a single short run such
        // as the pop/pop/pop epilogue in $sequence_1 would be far too generic on
        // its own), and the file must be under 140288 bytes (= 137 KiB). Both
        // thresholds are generator output derived from the documented samples,
        // so expect misses on larger or repacked builds rather than false hits.
        7 of them and filesize < 140288
}
[TLP:WHITE] win_doublepulsar_w0   (20180301 | Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server.)
rule win_doublepulsar_w0 {
	meta:
		author = "Florian Roth"
		// NOTE(review): the description and reference below describe APT28 /
		// SOURFACE, which does not match this family or the strings in the rule
		// (those are DoublePulsar status messages). They look copied from an
		// unrelated rule; do not use this meta for attribution, and fix it
		// upstream.
		description = "Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server."
		reference = "https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
   strings:
      // Console status lines ([+] / [.] / [-] prefixes). They read like output
      // of the tooling that talks to the backdoor rather than strings inside
      // the in-memory implant itself — presumably this rule catches the
      // operator-side binaries; verify against samples before relying on it
      // for host-based detection of the implant.
      $x1 = "[+] Ping returned Target architecture: %s - XOR Key: 0x%08X" fullword ascii
      $x2 = "[.] Sending shellcode to inject DLL" fullword ascii
      $x3 = "[-] Error setting ShellcodeFile name" fullword ascii
   condition:
      // Any one string is enough and there is no file-type or size constraint,
      // so reports, scripts or other detection content that quote these
      // messages verbatim will also match; triage hits accordingly.
      1 of them
}