SYMBOLCOMMON_NAMEaka. SYNONYMS
win.downeks (Back to overview)

Downeks

URLhaus    

There is no description at this point.

References
2020-03-03Palo Alto Networks Unit 42Robert Falcone, Bryan Lee, Alex Hinchliffe
@online{falcone:20200303:molerats:990b000, author = {Robert Falcone and Bryan Lee and Alex Hinchliffe}, title = {{Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations}}, date = {2020-03-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/}, language = {English}, urldate = {2020-03-03} } Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations
Downeks JhoneRAT Molerat Loader Spark
2017-01-30Palo Alto Networks Unit 42Mashav Sapir, Tomer Bar, Netanel Rimer, Taras Malivanchuk, Yaron Samuel, Simon Conant
@online{sapir:20170130:downeks:07fcd1e, author = {Mashav Sapir and Tomer Bar and Netanel Rimer and Taras Malivanchuk and Yaron Samuel and Simon Conant}, title = {{Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments}}, date = {2017-01-30}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/?adbsc=social69739136&adbid=826218465723756545&adbpl=tw&adbpr=4487645412}, language = {English}, urldate = {2019-12-20} } Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments
Downeks
Yara Rules
[TLP:WHITE] win_downeks_auto (20220411 | Detects win.downeks.)
rule win_downeks_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.downeks."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.downeks"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? 83c404 894314 85c0 0f843bffffff e9???????? 8d95fcfeffff }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   83c404               | add                 esp, 4
            //   894314               | mov                 dword ptr [ebx + 0x14], eax
            //   85c0                 | test                eax, eax
            //   0f843bffffff         | je                  0xffffff41
            //   e9????????           |                     
            //   8d95fcfeffff         | lea                 edx, dword ptr [ebp - 0x104]

        $sequence_1 = { 50 6a00 6a00 ff15???????? a3???????? c605????????01 8b5510 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   a3????????           |                     
            //   c605????????01       |                     
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]

        $sequence_2 = { b901000000 0908 094f08 394f04 751f c7470800000000 68b41f0804 }
            // n = 7, score = 200
            //   b901000000           | mov                 ecx, 1
            //   0908                 | or                  dword ptr [eax], ecx
            //   094f08               | or                  dword ptr [edi + 8], ecx
            //   394f04               | cmp                 dword ptr [edi + 4], ecx
            //   751f                 | jne                 0x21
            //   c7470800000000       | mov                 dword ptr [edi + 8], 0
            //   68b41f0804           | push                0x4081fb4

        $sequence_3 = { ff15???????? 8b45fc 83c404 895df8 3bc3 740d 50 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   83c404               | add                 esp, 4
            //   895df8               | mov                 dword ptr [ebp - 8], ebx
            //   3bc3                 | cmp                 eax, ebx
            //   740d                 | je                  0xf
            //   50                   | push                eax

        $sequence_4 = { c3 8b5510 8b02 8b4d08 5f 5e 8981c0020000 }
            // n = 7, score = 200
            //   c3                   | ret                 
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   8981c0020000         | mov                 dword ptr [ecx + 0x2c0], eax

        $sequence_5 = { e9???????? 8d75b4 e9???????? 8d75d0 e9???????? 8bb560ffffff e9???????? }
            // n = 7, score = 200
            //   e9????????           |                     
            //   8d75b4               | lea                 esi, dword ptr [ebp - 0x4c]
            //   e9????????           |                     
            //   8d75d0               | lea                 esi, dword ptr [ebp - 0x30]
            //   e9????????           |                     
            //   8bb560ffffff         | mov                 esi, dword ptr [ebp - 0xa0]
            //   e9????????           |                     

        $sequence_6 = { f6404040 741a 8b0f 8b91c0860000 6a3f 52 e8???????? }
            // n = 7, score = 200
            //   f6404040             | test                byte ptr [eax + 0x40], 0x40
            //   741a                 | je                  0x1c
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   8b91c0860000         | mov                 edx, dword ptr [ecx + 0x86c0]
            //   6a3f                 | push                0x3f
            //   52                   | push                edx
            //   e8????????           |                     

        $sequence_7 = { e8???????? 83c408 5f 5e b847000000 5b 8be5 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   b847000000           | mov                 eax, 0x47
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp

        $sequence_8 = { 8b8548ffffff 50 e8???????? 8b8d44ffffff 83c404 51 e8???????? }
            // n = 7, score = 200
            //   8b8548ffffff         | mov                 eax, dword ptr [ebp - 0xb8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b8d44ffffff         | mov                 ecx, dword ptr [ebp - 0xbc]
            //   83c404               | add                 esp, 4
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_9 = { 8bc6 50 8d8db0fdffff 51 895dfc e8???????? 83c40c }
            // n = 7, score = 200
            //   8bc6                 | mov                 eax, esi
            //   50                   | push                eax
            //   8d8db0fdffff         | lea                 ecx, dword ptr [ebp - 0x250]
            //   51                   | push                ecx
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

    condition:
        7 of them and filesize < 1318912
}
Download all Yara Rules