SYMBOLCOMMON_NAMEaka. SYNONYMS
win.doublepulsar (Back to overview)

DoublePulsar

Actor(s): Equation Group, UPS

URLhaus      

There is no description at this point.

References
2021-06-10ESET ResearchAdam Burgher
@online{burgher:20210610:backdoordiplomacy:4ebcb1d, author = {Adam Burgher}, title = {{BackdoorDiplomacy: Upgrading from Quarian to Turian}}, date = {2021-06-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/}, language = {English}, urldate = {2021-06-16} } BackdoorDiplomacy: Upgrading from Quarian to Turian
CHINACHOPPER DoublePulsar EternalRocks BackdoorDiplomacy
2019-05-07SymantecSecurity Response Attack Investigation Team
@online{team:20190507:buckeye:a4cf7d8, author = {Security Response Attack Investigation Team}, title = {{Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak}}, date = {2019-05-07}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit}, language = {English}, urldate = {2020-01-13} } Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak
DoublePulsar
Yara Rules
[TLP:WHITE] win_doublepulsar_auto (20220411 | Detects win.doublepulsar.)
rule win_doublepulsar_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.doublepulsar."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 ff15???????? 8a0d???????? 33c0 888c2464060000 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8a0d????????         |                     
            //   33c0                 | xor                 eax, eax
            //   888c2464060000       | mov                 byte ptr [esp + 0x664], cl

        $sequence_1 = { 8d8c243c010000 53 51 6a00 55 e8???????? }
            // n = 6, score = 100
            //   8d8c243c010000       | lea                 ecx, dword ptr [esp + 0x13c]
            //   53                   | push                ebx
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   55                   | push                ebp
            //   e8????????           |                     

        $sequence_2 = { 740d 3c77 741c 3cc8 }
            // n = 4, score = 100
            //   740d                 | je                  0xf
            //   3c77                 | cmp                 al, 0x77
            //   741c                 | je                  0x1e
            //   3cc8                 | cmp                 al, 0xc8

        $sequence_3 = { 6a00 6a04 52 56 e8???????? 8b44242c 85c0 }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   6a04                 | push                4
            //   52                   | push                edx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8b44242c             | mov                 eax, dword ptr [esp + 0x2c]
            //   85c0                 | test                eax, eax

        $sequence_4 = { 8d442414 52 8d4c241c 50 51 c744242004050000 }
            // n = 6, score = 100
            //   8d442414             | lea                 eax, dword ptr [esp + 0x14]
            //   52                   | push                edx
            //   8d4c241c             | lea                 ecx, dword ptr [esp + 0x1c]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   c744242004050000     | mov                 dword ptr [esp + 0x20], 0x504

        $sequence_5 = { 48 83c108 41 8bc1 49 3bc2 }
            // n = 6, score = 100
            //   48                   | dec                 eax
            //   83c108               | add                 ecx, 8
            //   41                   | inc                 ecx
            //   8bc1                 | mov                 eax, ecx
            //   49                   | dec                 ecx
            //   3bc2                 | cmp                 eax, edx

        $sequence_6 = { 33c0 5e 40 5b 5d c20800 8b542404 }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi
            //   40                   | inc                 eax
            //   5b                   | pop                 ebx
            //   5d                   | pop                 ebp
            //   c20800               | ret                 8
            //   8b542404             | mov                 edx, dword ptr [esp + 4]

        $sequence_7 = { e8???????? 83c410 eb23 68???????? bf35000000 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   eb23                 | jmp                 0x25
            //   68????????           |                     
            //   bf35000000           | mov                 edi, 0x35

        $sequence_8 = { 894750 0fbe4a16 33db 894f4c 3bcb b9???????? 7405 }
            // n = 7, score = 100
            //   894750               | mov                 dword ptr [edi + 0x50], eax
            //   0fbe4a16             | movsx               ecx, byte ptr [edx + 0x16]
            //   33db                 | xor                 ebx, ebx
            //   894f4c               | mov                 dword ptr [edi + 0x4c], ecx
            //   3bcb                 | cmp                 ecx, ebx
            //   b9????????           |                     
            //   7405                 | je                  7

        $sequence_9 = { 83c020 52 68???????? 50 ff15???????? 53 }
            // n = 6, score = 100
            //   83c020               | add                 eax, 0x20
            //   52                   | push                edx
            //   68????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   53                   | push                ebx

        $sequence_10 = { 837f6002 0f85bc030000 8b8768010000 3bc3 0f84ae030000 50 }
            // n = 6, score = 100
            //   837f6002             | cmp                 dword ptr [edi + 0x60], 2
            //   0f85bc030000         | jne                 0x3c2
            //   8b8768010000         | mov                 eax, dword ptr [edi + 0x168]
            //   3bc3                 | cmp                 eax, ebx
            //   0f84ae030000         | je                  0x3b4
            //   50                   | push                eax

        $sequence_11 = { 8944241c 61 6800000000 8b403c 50 6800000000 }
            // n = 6, score = 100
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   61                   | popal               
            //   6800000000           | push                0
            //   8b403c               | mov                 eax, dword ptr [eax + 0x3c]
            //   50                   | push                eax
            //   6800000000           | push                0

        $sequence_12 = { 8b5304 6804010000 8d8424040e0000 52 50 ffd6 83c40c }
            // n = 7, score = 100
            //   8b5304               | mov                 edx, dword ptr [ebx + 4]
            //   6804010000           | push                0x104
            //   8d8424040e0000       | lea                 eax, dword ptr [esp + 0xe04]
            //   52                   | push                edx
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   83c40c               | add                 esp, 0xc

        $sequence_13 = { ffd3 83c408 85c0 0f84c8000000 8b4608 68???????? }
            // n = 6, score = 100
            //   ffd3                 | call                ebx
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   0f84c8000000         | je                  0xce
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   68????????           |                     

        $sequence_14 = { 51 ff15???????? 83c404 8d55d4 c745d401000000 68???????? 52 }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   83c404               | add                 esp, 4
            //   8d55d4               | lea                 edx, dword ptr [ebp - 0x2c]
            //   c745d401000000       | mov                 dword ptr [ebp - 0x2c], 1
            //   68????????           |                     
            //   52                   | push                edx

        $sequence_15 = { 8b10 85d2 742d 3b5004 7528 3b5008 7523 }
            // n = 7, score = 100
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   85d2                 | test                edx, edx
            //   742d                 | je                  0x2f
            //   3b5004               | cmp                 edx, dword ptr [eax + 4]
            //   7528                 | jne                 0x2a
            //   3b5008               | cmp                 edx, dword ptr [eax + 8]
            //   7523                 | jne                 0x25

    condition:
        7 of them and filesize < 140288
}
[TLP:WHITE] win_doublepulsar_w0   (20180301 | Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server.)
rule win_doublepulsar_w0 {
	meta:
		author = "Florian Roth"
		description = "Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server."
		reference = "https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
   strings:
      $x1 = "[+] Ping returned Target architecture: %s - XOR Key: 0x%08X" fullword ascii
      $x2 = "[.] Sending shellcode to inject DLL" fullword ascii
      $x3 = "[-] Error setting ShellcodeFile name" fullword ascii
   condition:
      1 of them
}
Download all Yara Rules