SYMBOLCOMMON_NAMEaka. SYNONYMS
win.duuzer (Back to overview)

Duuzer

Actor(s): Lazarus Group


There is no description at this point.

References
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020SecureworksSecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2017-05-22SymantecSymantec Security Response
@online{response:20170522:wannacry:f66a95e, author = {Symantec Security Response}, title = {{WannaCry: Ransomware attacks show strong links to Lazarus group}}, date = {2017-05-22}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group}, language = {English}, urldate = {2020-01-06} } WannaCry: Ransomware attacks show strong links to Lazarus group
AlphaNC BravoNC Duuzer Sierra(Alfa,Bravo, ...) WannaCryptor
2015-10-26SymantecA L Johnson
@online{johnson:20151026:duuzer:e87f194, author = {A L Johnson}, title = {{Duuzer back door Trojan targets South Korea to take over computers}}, date = {2015-10-26}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Duuzer back door Trojan targets South Korea to take over computers
Brambul Duuzer Joanap Lazarus Group
Yara Rules
[TLP:WHITE] win_duuzer_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_duuzer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.duuzer"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83f804 7408 83c8ff e9???????? }
            // n = 4, score = 200
            //   83f804               | cmp                 eax, 4
            //   7408                 | je                  0xa
            //   83c8ff               | or                  eax, 0xffffffff
            //   e9????????           |                     

        $sequence_1 = { b8a0010100 e8???????? 482be0 488b05???????? 4833c4 }
            // n = 5, score = 100
            //   b8a0010100           | mov                 eax, 0x101a0
            //   e8????????           |                     
            //   482be0               | dec                 eax
            //   488b05????????       |                     
            //   4833c4               | sub                 esp, eax

        $sequence_2 = { 52 66c745f0ffff ffd0 83c410 83f802 7458 }
            // n = 6, score = 100
            //   52                   | push                edx
            //   66c745f0ffff         | mov                 word ptr [ebp - 0x10], 0xffff
            //   ffd0                 | call                eax
            //   83c410               | add                 esp, 0x10
            //   83f802               | cmp                 eax, 2
            //   7458                 | je                  0x5a

        $sequence_3 = { 2521150000 8bc8 e8???????? 498bde 6690 e8???????? }
            // n = 6, score = 100
            //   2521150000           | dec                 eax
            //   8bc8                 | lea                 edx, [0x250c0]
            //   e8????????           |                     
            //   498bde               | dec                 eax
            //   6690                 | lea                 ecx, [ebp + 0xfe6]
            //   e8????????           |                     

        $sequence_4 = { 488b4b38 448bcd 4d8bc4 ff5310 }
            // n = 4, score = 100
            //   488b4b38             | dec                 eax
            //   448bcd               | mov                 ecx, dword ptr [esp + 0x10190]
            //   4d8bc4               | dec                 eax
            //   ff5310               | xor                 ecx, esp

        $sequence_5 = { 488d8db06b0000 ff15???????? 4885c0 740c }
            // n = 4, score = 100
            //   488d8db06b0000       | dec                 eax
            //   ff15????????         |                     
            //   4885c0               | lea                 ecx, [ebp + 0xfe6]
            //   740c                 | inc                 ecx

        $sequence_6 = { ffd1 83c410 83f802 75ae 8b8e9c000000 8b7e2c }
            // n = 6, score = 100
            //   ffd1                 | call                ecx
            //   83c410               | add                 esp, 0x10
            //   83f802               | cmp                 eax, 2
            //   75ae                 | jne                 0xffffffb0
            //   8b8e9c000000         | mov                 ecx, dword ptr [esi + 0x9c]
            //   8b7e2c               | mov                 edi, dword ptr [esi + 0x2c]

        $sequence_7 = { 668b8dc8f4ffff 8d95c8f4ffff 52 8d45f4 50 66894df6 }
            // n = 6, score = 100
            //   668b8dc8f4ffff       | mov                 cx, word ptr [ebp - 0xb38]
            //   8d95c8f4ffff         | lea                 edx, [ebp - 0xb38]
            //   52                   | push                edx
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax
            //   66894df6             | mov                 word ptr [ebp - 0xa], cx

        $sequence_8 = { 50 ff15???????? 8d8405edfeffff 85c0 751e 8d8decfeffff 6a5c }
            // n = 7, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d8405edfeffff       | lea                 eax, [ebp + eax - 0x113]
            //   85c0                 | test                eax, eax
            //   751e                 | jne                 0x20
            //   8d8decfeffff         | lea                 ecx, [ebp - 0x114]
            //   6a5c                 | push                0x5c

        $sequence_9 = { e8???????? 8d8d38fbffff 51 8d5db8 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   8d8d38fbffff         | lea                 ecx, [ebp - 0x4c8]
            //   51                   | push                ecx
            //   8d5db8               | lea                 ebx, [ebp - 0x48]

        $sequence_10 = { 33ff e8???????? 8844370a 47 83ff1c }
            // n = 5, score = 100
            //   33ff                 | xor                 edi, edi
            //   e8????????           |                     
            //   8844370a             | mov                 byte ptr [edi + esi + 0xa], al
            //   47                   | inc                 edi
            //   83ff1c               | cmp                 edi, 0x1c

        $sequence_11 = { 8d4df4 51 50 8b4608 52 c745f42c000000 c745f800000000 }
            // n = 7, score = 100
            //   8d4df4               | lea                 ecx, [ebp - 0xc]
            //   51                   | push                ecx
            //   50                   | push                eax
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   52                   | push                edx
            //   c745f42c000000       | mov                 dword ptr [ebp - 0xc], 0x2c
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0

        $sequence_12 = { e8???????? 48897588 33c0 48894590 894598 488d8d301a0000 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   48897588             | inc                 esp
            //   33c0                 | mov                 ecx, ebp
            //   48894590             | dec                 ebp
            //   894598               | mov                 eax, esp
            //   488d8d301a0000       | call                dword ptr [ebx + 0x10]

        $sequence_13 = { 488d15c0500200 488d8de60f0000 ff15???????? 488d8de60f0000 e8???????? 418bce }
            // n = 6, score = 100
            //   488d15c0500200       | dec                 eax
            //   488d8de60f0000       | mov                 ebx, dword ptr [esp + 0x101d0]
            //   ff15????????         |                     
            //   488d8de60f0000       | dec                 eax
            //   e8????????           |                     
            //   418bce               | mov                 ecx, dword ptr [ebx + 0x38]

        $sequence_14 = { e8???????? 488bc7 488b8c2490010100 4833cc e8???????? 488b9c24d0010100 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   488bc7               | dec                 eax
            //   488b8c2490010100     | xor                 eax, esp
            //   4833cc               | dec                 eax
            //   e8????????           |                     
            //   488b9c24d0010100     | mov                 eax, edi

    condition:
        7 of them and filesize < 491520
}
Download all Yara Rules