Malpedia family identifier: win.doublepulsar

DoublePulsar

Actor(s): Equation Group, UPS


There is no description at this point. What the rest of this page supports: the Symantec reference (2019) ties DoublePulsar to Equation Group tooling that became public with the Shadow Brokers leak and was already in use by the Buckeye group before that leak; the ESET reference (2021) lists it among the tools seen in BackdoorDiplomacy intrusions alongside China Chopper, EternalRocks and Turian. The strings in the hand-written YARA rule below point to a ping response (target architecture, XOR key) and shellcode-based DLL injection.

References
2021-06-10 · ESET Research · Adam Burgher
@online{burgher:20210610:backdoordiplomacy:4ebcb1d, author = {Adam Burgher}, title = {{BackdoorDiplomacy: Upgrading from Quarian to Turian}}, date = {2021-06-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/}, language = {English}, urldate = {2022-06-08} } BackdoorDiplomacy: Upgrading from Quarian to Turian
CHINACHOPPER DoublePulsar EternalRocks turian BackdoorDiplomacy
2019-05-07 · Symantec · Security Response Attack Investigation Team
@online{team:20190507:buckeye:a4cf7d8, author = {Security Response Attack Investigation Team}, title = {{Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak}}, date = {2019-05-07}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit}, language = {English}, urldate = {2020-01-13} } Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak
DoublePulsar
Yara Rules
[TLP:WHITE] win_doublepulsar_auto (20230715 | Detects win.doublepulsar.)
rule win_doublepulsar_auto {
    // Auto-generated code-sequence signature (YARA-Signator, see the disclaimer
    // below). Each $sequence_N is a short run of x86 instruction bytes taken from
    // one documented sample; the "??" wildcards cover the 4-byte immediates of
    // 68 (push imm32) and e8 (call rel32), which differ between builds.
    //
    // Review notes for anyone deploying this rule:
    //  - $sequence_1, $sequence_3 and $sequence_6 embed absolute image addresses
    //    (0x4015e0..0x401608, 0x402b70, 0x403304), consistent with the default
    //    0x400000 image base and the exact layout of the source sample. A rebased,
    //    relocated or differently built sample will not match those three, leaving
    //    13 position-independent sequences to reach the 7-of-them threshold.
    //  - The rule is derived from a single sample (see disclaimer); treat hits as
    //    a lead and assign confidence accordingly.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.doublepulsar."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Position-independent: both immediates are wildcarded.
        $sequence_0 = { 51 68???????? 56 e8???????? 8bc6 5f }
            // n = 6, score = 100
            //   51                   | push                ecx
            //   68????????           |                     
            //   56                   | push                esi
            //   e8????????           |                     
            //   8bc6                 | mov                 eax, esi
            //   5f                   | pop                 edi

        // Build-specific: stores four absolute pointers (0x4015e0..0x401608) into a
        // stack array; the addresses are not wildcarded, so this only matches the
        // original image layout.
        $sequence_1 = { c744242808164000 c744242cfc154000 c7442430f4154000 c7442434e0154000 89742424 }
            // n = 5, score = 100
            //   c744242808164000     | mov                 dword ptr [esp + 0x28], 0x401608
            //   c744242cfc154000     | mov                 dword ptr [esp + 0x2c], 0x4015fc
            //   c7442430f4154000     | mov                 dword ptr [esp + 0x30], 0x4015f4
            //   c7442434e0154000     | mov                 dword ptr [esp + 0x34], 0x4015e0
            //   89742424             | mov                 dword ptr [esp + 0x24], esi

        // Zero-fills 0x140 dwords starting at [esp + 0x15] (rep stosd with eax = 0),
        // then reads a dword from [esp + 0x524]; position-independent.
        $sequence_2 = { 88442414 b940010000 33c0 8d7c2415 f3ab 8b8c2424050000 }
            // n = 6, score = 100
            //   88442414             | mov                 byte ptr [esp + 0x14], al
            //   b940010000           | mov                 ecx, 0x140
            //   33c0                 | xor                 eax, eax
            //   8d7c2415             | lea                 edi, [esp + 0x15]
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8b8c2424050000       | mov                 ecx, dword ptr [esp + 0x524]

        // Bounds check (jae) followed by a word lookup from a table at the absolute
        // address 0x402b70 -- build-specific for the same reason as $sequence_1.
        $sequence_3 = { 3bc8 7321 8b4b68 33d2 668b144d702b4000 }
            // n = 5, score = 100
            //   3bc8                 | cmp                 ecx, eax
            //   7321                 | jae                 0x23
            //   8b4b68               | mov                 ecx, dword ptr [ebx + 0x68]
            //   33d2                 | xor                 edx, edx
            //   668b144d702b4000     | mov                 dx, word ptr [ecx*2 + 0x402b70]

        // Loop setup over a buffer in 8-byte steps; position-independent.
        $sequence_4 = { 83ef08 d1ef 31c9 39f9 744d 89d3 83c308 }
            // n = 7, score = 100
            //   83ef08               | sub                 edi, 8
            //   d1ef                 | shr                 edi, 1
            //   31c9                 | xor                 ecx, ecx
            //   39f9                 | cmp                 ecx, edi
            //   744d                 | je                  0x4f
            //   89d3                 | mov                 ebx, edx
            //   83c308               | add                 ebx, 8

        // Return value of a (wildcarded) call compared against 0x2733 (= 10035).
        // NOTE(review): 10035 is the value of WSAEWOULDBLOCK, which would make this
        // a Winsock error check after a non-blocking call -- confirm in a sample.
        $sequence_5 = { e8???????? 03f0 85f6 7f10 e8???????? 3d33270000 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   03f0                 | add                 esi, eax
            //   85f6                 | test                esi, esi
            //   7f10                 | jg                  0x12
            //   e8????????           |                     
            //   3d33270000           | cmp                 eax, 0x2733

        // Byte lookup from a table at the absolute address 0x403304 -- build-specific.
        $sequence_6 = { 8a9904334000 8b6c2424 8b88bc160000 33f6 ba10000000 668b749d02 895c241c }
            // n = 7, score = 100
            //   8a9904334000         | mov                 bl, byte ptr [ecx + 0x403304]
            //   8b6c2424             | mov                 ebp, dword ptr [esp + 0x24]
            //   8b88bc160000         | mov                 ecx, dword ptr [eax + 0x16bc]
            //   33f6                 | xor                 esi, esi
            //   ba10000000           | mov                 edx, 0x10
            //   668b749d02           | mov                 si, word ptr [ebp + ebx*4 + 2]
            //   895c241c             | mov                 dword ptr [esp + 0x1c], ebx

        // Two thiscall-style calls (ecx = esp+0xc) with 0x5c ('\\') pushed between
        // them; call targets wildcarded.
        $sequence_7 = { 8d4c240c c744242801000000 e8???????? 6a5c 8d4c240c 8bf0 e8???????? }
            // n = 7, score = 100
            //   8d4c240c             | lea                 ecx, [esp + 0xc]
            //   c744242801000000     | mov                 dword ptr [esp + 0x28], 1
            //   e8????????           |                     
            //   6a5c                 | push                0x5c
            //   8d4c240c             | lea                 ecx, [esp + 0xc]
            //   8bf0                 | mov                 esi, eax
            //   e8????????           |                     

        // Object field initialisation ([esi+0x30], then ecx = esi+0x34); call and
        // push immediates wildcarded.
        $sequence_8 = { e8???????? 68???????? 57 894630 e8???????? 8d4e34 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   68????????           |                     
            //   57                   | push                edi
            //   894630               | mov                 dword ptr [esi + 0x30], eax
            //   e8????????           |                     
            //   8d4e34               | lea                 ecx, [esi + 0x34]

        // Shortest sequence (4 instructions); pushes the constant 0x10000.
        $sequence_9 = { 754c 8b16 8b442420 6800000100 }
            // n = 4, score = 100
            //   754c                 | jne                 0x4e
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   6800000100           | push                0x10000

        // cdecl call (add esp, 4 after the call) whose result is stored at [esi+0x3c]
        // and null-checked.
        $sequence_10 = { e8???????? 83c404 89463c 85c0 7414 8b5640 8b4c2414 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   89463c               | mov                 dword ptr [esi + 0x3c], eax
            //   85c0                 | test                eax, eax
            //   7414                 | je                  0x16
            //   8b5640               | mov                 edx, dword ptr [esi + 0x40]
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]

        // Compares edi with 0xc8 (= 200), then [esi] with [esi+4]; meaning of the
        // constant is not established here.
        $sequence_11 = { 7408 81ffc8000000 7507 8b06 3b4604 7e0c }
            // n = 6, score = 100
            //   7408                 | je                  0xa
            //   81ffc8000000         | cmp                 edi, 0xc8
            //   7507                 | jne                 9
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   3b4604               | cmp                 eax, dword ptr [esi + 4]
            //   7e0c                 | jle                 0xe

        // Function prologue fragment; position-independent.
        $sequence_12 = { 53 33c0 56 8b742420 33db 6689442415 }
            // n = 6, score = 100
            //   53                   | push                ebx
            //   33c0                 | xor                 eax, eax
            //   56                   | push                esi
            //   8b742420             | mov                 esi, dword ptr [esp + 0x20]
            //   33db                 | xor                 ebx, ebx
            //   6689442415           | mov                 word ptr [esp + 0x15], ax

        // Call with (ecx + 1) as argument; call target wildcarded.
        $sequence_13 = { 8d7101 56 e8???????? 8bce 8be8 8bc1 }
            // n = 6, score = 100
            //   8d7101               | lea                 esi, [ecx + 1]
            //   56                   | push                esi
            //   e8????????           |                     
            //   8bce                 | mov                 ecx, esi
            //   8be8                 | mov                 ebp, eax
            //   8bc1                 | mov                 eax, ecx

        // Generic call-and-null-check fragment (uses ebp-based locals, unlike the
        // esp-based sequences above).
        $sequence_14 = { 89d8 8945fc e8???????? 85c0 746e }
            // n = 5, score = 100
            //   89d8                 | mov                 eax, ebx
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   746e                 | je                  0x70

        // Call result checked, then ebx compared with 0x120 (= 288).
        $sequence_15 = { e8???????? 8bf8 85ff 7518 81fb20010000 750a }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   7518                 | jne                 0x1a
            //   81fb20010000         | cmp                 ebx, 0x120
            //   750a                 | jne                 0xc

    condition:
        // 7 of the 16 sequences must be present, and the scanned object must be
        // smaller than 140288 bytes (0x22400). The size bound limits the rule to
        // small files; NOTE(review): YARA documents filesize in terms of the file
        // being scanned, so verify how this condition behaves in process-memory
        // scans before relying on it there (the sequences themselves were taken
        // from memory dumps and unpacked files, per the disclaimer).
        7 of them and filesize < 140288
}
[TLP:WHITE] win_doublepulsar_w0   (20180301 | Detects win.doublepulsar. Note: the description text stored in this rule refers to an APT28/SOURFACE downloader, which does not match the DoublePulsar console strings the rule actually searches for; see the rule body.)
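rule win_doublepulsar_w0 {
    // Hand-written string signature for DoublePulsar.
    //
    // The three strings below are DoublePulsar's own console/log lines: a ping
    // reply that reports the target architecture and XOR key, and two messages
    // around shellcode-based DLL injection. The description and reference that
    // were originally stored in this rule came from an APT28 / SOURFACE rule and
    // did not match these strings; the description is corrected below and the
    // original reference is kept but flagged.
    //
    // NOTE(review): these read like messages printed by the operator-side
    // DoublePulsar utility (status lines with [+]/[.]/[-] prefixes and printf
    // format specifiers) rather than artifacts of the kernel-resident implant on
    // a victim. Hits are therefore expected on the tool binary or its memory,
    // not on a merely backdoored host -- confirm against samples before using
    // this rule for host-side compromise triage.
    meta:
        author = "Florian Roth"
        description = "Detects DoublePulsar via its console strings (ping response reporting target architecture and XOR key, shellcode-based DLL injection)"
        // NOTE(review): this URL is an APT28 write-up unrelated to DoublePulsar,
        // a copy/paste remnant of the rule this one was derived from -- replace
        // with a DoublePulsar reference when the rule is next revised.
        reference = "https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Each string is a complete console line; `fullword` requires it to be
        // delimited by non-alphanumeric bytes so it cannot match inside a longer
        // unrelated token. `%s` / `0x%08X` are literal printf specifiers as they
        // appear in the binary, not YARA syntax.
        $x1 = "[+] Ping returned Target architecture: %s - XOR Key: 0x%08X" fullword ascii
        $x2 = "[.] Sending shellcode to inject DLL" fullword ascii
        $x3 = "[-] Error setting ShellcodeFile name" fullword ascii
    condition:
        // Any one of the three strings is accepted as sufficient, as in the
        // original rule.
        1 of them
}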