win.duuzer

Duuzer

aka: Escad

Actor(s): Lazarus Group


There is no description at this point.

References
2020-02-19 — Lexfo — Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020 — Secureworks — SecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2017-05-22 — Symantec — Symantec Security Response
@online{response:20170522:wannacry:f66a95e, author = {Symantec Security Response}, title = {{WannaCry: Ransomware attacks show strong links to Lazarus group}}, date = {2017-05-22}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group}, language = {English}, urldate = {2020-01-06} } WannaCry: Ransomware attacks show strong links to Lazarus group
AlphaNC BravoNC Duuzer Sierra(Alfa,Bravo, ...) WannaCryptor
2015-10-26 — Symantec — A L Johnson
@online{johnson:20151026:duuzer:e87f194, author = {A L Johnson}, title = {{Duuzer back door Trojan targets South Korea to take over computers}}, date = {2015-10-26}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Duuzer back door Trojan targets South Korea to take over computers
Brambul Duuzer Joanap Lazarus Group
Yara Rules
[TLP:WHITE] win_duuzer_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_duuzer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.duuzer"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation are published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review) on the per-instruction comments below:
     * Sequences whose bytes carry a REX prefix (leading 0x41/0x44/0x45/0x48/
     * 0x49/0x4d) are 64-bit code. The generator's original annotations decoded
     * them as 32-bit and, because that yields more rows than byte groups, the
     * comment rows had drifted out of step with the byte groups they sat next
     * to (e.g. the rows under $sequence_11 described the bytes of $sequence_5).
     * The annotations have been redone per byte group, with 64-bit register
     * names where a REX prefix is present. Byte groups given as ????????
     * are wildcarded call/jmp displacements.
     *
     * Several 32-bit sequences embed absolute 0x42xxxx/0x43xxxx immediates
     * (e.g. 0x421250, 0x424bdc, 0x4313a0) that look like image-based
     * pointers; if so they would not survive a rebase — confirm against the
     * sample before relying on those sequences in isolation.
     */

    strings:
        $sequence_0 = { 83f804 7408 83c8ff e9???????? }
            // n = 4, score = 200
            //   83f804               | cmp                 eax, 4
            //   7408                 | je                  0xa
            //   83c8ff               | or                  eax, 0xffffffff
            //   e9????????           | jmp                 (rel32 wildcarded)

        $sequence_1 = { c1e91f 03d1 488d4c2429 6bd251 2bf2 83c651 8bd6 }
            // n = 7, score = 100
            //   c1e91f               | shr                 ecx, 0x1f
            //   03d1                 | add                 edx, ecx
            //   488d4c2429           | lea                 rcx, [rsp + 0x29]
            //   6bd251               | imul                edx, edx, 0x51
            //   2bf2                 | sub                 esi, edx
            //   83c651               | add                 esi, 0x51
            //   8bd6                 | mov                 edx, esi

        $sequence_2 = { ff15???????? 8b7508 c7465c50124200 83660800 33ff }
            // n = 5, score = 100
            //   ff15????????         | call                dword ptr [disp32 wildcarded]
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   c7465c50124200       | mov                 dword ptr [esi + 0x5c], 0x421250
            //   83660800             | and                 dword ptr [esi + 8], 0
            //   33ff                 | xor                 edi, edi

        $sequence_3 = { 68e3010000 8d850dfeffff 6a00 50 c78548fdffffb62df5c5 c7854cfdffffcd7b90a3 }
            // n = 6, score = 100
            //   68e3010000           | push                0x1e3
            //   8d850dfeffff         | lea                 eax, [ebp - 0x1f3]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   c78548fdffffb62df5c5     | mov    dword ptr [ebp - 0x2b8], 0xc5f52db6
            //   c7854cfdffffcd7b90a3     | mov    dword ptr [ebp - 0x2b4], 0xa3907bcd

        $sequence_4 = { 488b5358 41b902000000 4533c0 488bcb e8???????? }
            // n = 5, score = 100
            //   488b5358             | mov                 rdx, qword ptr [rbx + 0x58]
            //   41b902000000         | mov                 r9d, 2
            //   4533c0               | xor                 r8d, r8d
            //   488bcb               | mov                 rcx, rbx
            //   e8????????           | call                (rel32 wildcarded)

        $sequence_5 = { 4155 4156 4157 488dac24e0e9ffff }
            // n = 4, score = 100
            //   4155                 | push                r13
            //   4156                 | push                r14
            //   4157                 | push                r15
            //   488dac24e0e9ffff     | lea                 rbp, [rsp - 0x1620]

        $sequence_6 = { 8b88bc160000 8a9adc4b4200 33f6 895c241c }
            // n = 4, score = 100
            //   8b88bc160000         | mov                 ecx, dword ptr [eax + 0x16bc]
            //   8a9adc4b4200         | mov                 bl, byte ptr [edx + 0x424bdc]
            //   33f6                 | xor                 esi, esi
            //   895c241c             | mov                 dword ptr [esp + 0x1c], ebx

        $sequence_7 = { 8d439a 5f 5e 5b 8be5 5d }
            // n = 6, score = 100
            //   8d439a               | lea                 eax, [ebx - 0x66]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp

        $sequence_8 = { 74c2 e8???????? 8b4dfc 83c404 5f 5e 33cd }
            // n = 7, score = 100
            //   74c2                 | je                  0xffffffc4
            //   e8????????           | call                (rel32 wildcarded)
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   83c404               | add                 esp, 4
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   33cd                 | xor                 ecx, ebp

        $sequence_9 = { e8???????? 8bc6 c1f805 8b0485a0134300 }
            // n = 4, score = 100
            //   e8????????           | call                (rel32 wildcarded)
            //   8bc6                 | mov                 eax, esi
            //   c1f805               | sar                 eax, 5
            //   8b0485a0134300       | mov                 eax, dword ptr [eax*4 + 0x4313a0]

        $sequence_10 = { 57 e8???????? 3da2000000 b8a2000000 7405 }
            // n = 5, score = 100
            //   57                   | push                edi
            //   e8????????           | call                (rel32 wildcarded)
            //   3da2000000           | cmp                 eax, 0xa2
            //   b8a2000000           | mov                 eax, 0xa2
            //   7405                 | je                  7

        $sequence_11 = { 4883c30b 6689442433 8b442430 488d9560010000 8943fb 0fb6442434 488bcb }
            // n = 7, score = 100
            //   4883c30b             | add                 rbx, 0xb
            //   6689442433           | mov                 word ptr [rsp + 0x33], ax
            //   8b442430             | mov                 eax, dword ptr [rsp + 0x30]
            //   488d9560010000       | lea                 rdx, [rbp + 0x160]
            //   8943fb               | mov                 dword ptr [rbx - 5], eax
            //   0fb6442434           | movzx               eax, byte ptr [rsp + 0x34]
            //   488bcb               | mov                 rcx, rbx

        $sequence_12 = { 448bc7 e8???????? 488b4c2428 4833cc }
            // n = 4, score = 100
            //   448bc7               | mov                 r8d, edi
            //   e8????????           | call                (rel32 wildcarded)
            //   488b4c2428           | mov                 rcx, qword ptr [rsp + 0x28]
            //   4833cc               | xor                 rcx, rsp

        $sequence_13 = { 4d8bc4 488bcf e8???????? 8bf0 85c0 0f859b000000 488b5758 }
            // n = 7, score = 100
            //   4d8bc4               | mov                 r8, r12
            //   488bcf               | mov                 rcx, rdi
            //   e8????????           | call                (rel32 wildcarded)
            //   8bf0                 | mov                 esi, eax
            //   85c0                 | test                eax, eax
            //   0f859b000000         | jne                 0xa1
            //   488b5758             | mov                 rdx, qword ptr [rdi + 0x58]

        $sequence_14 = { 486bd258 490394c1607d0300 f6423880 742c e8???????? c70016000000 e8???????? }
            // n = 7, score = 100
            //   486bd258             | imul                rdx, rdx, 0x58
            //   490394c1607d0300     | add                 rdx, qword ptr [r9 + rax*8 + 0x37d60]
            //   f6423880             | test                byte ptr [rdx + 0x38], 0x80
            //   742c                 | je                  0x2e
            //   e8????????           | call                (rel32 wildcarded)
            //   c70016000000         | mov                 dword ptr [rax], 0x16
            //   e8????????           | call                (rel32 wildcarded)

    condition:
        // Any 7 of the 15 sequences, capped by file size (480 KiB); the mix of
        // 32-bit and 64-bit sequences above means a single architecture's build
        // can only ever contribute its own subset toward that threshold.
        7 of them and filesize < 491520
}