SYMBOLCOMMON_NAMEaka. SYNONYMS
win.duuzer (Back to overview)

Duuzer

aka: Escad

Actor(s): Lazarus Group


There is no description at this point.

References
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020SecureworksSecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2017-05-22SymantecSymantec Security Response
@online{response:20170522:wannacry:f66a95e, author = {Symantec Security Response}, title = {{WannaCry: Ransomware attacks show strong links to Lazarus group}}, date = {2017-05-22}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group}, language = {English}, urldate = {2020-01-06} } WannaCry: Ransomware attacks show strong links to Lazarus group
AlphaNC BravoNC Duuzer Sierra(Alfa,Bravo, ...) WannaCryptor
2015-10-26SymantecA L Johnson
@online{johnson:20151026:duuzer:e87f194, author = {A L Johnson}, title = {{Duuzer back door Trojan targets South Korea to take over computers}}, date = {2015-10-26}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Duuzer back door Trojan targets South Korea to take over computers
Brambul Duuzer Joanap Lazarus Group
Yara Rules
[TLP:WHITE] win_duuzer_auto (20230715 | Detects win.duuzer.)
rule win_duuzer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.duuzer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.duuzer"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83f804 7408 83c8ff e9???????? }
            // n = 4, score = 200
            //   83f804               | cmp                 eax, 4
            //   7408                 | je                  0xa
            //   83c8ff               | or                  eax, 0xffffffff
            //   e9????????           |                     

        $sequence_1 = { 0145f0 1155f4 85c9 7533 }
            // n = 4, score = 100
            //   0145f0               | jle                 0x33
            //   1155f4               | dec                 eax
            //   85c9                 | arpl                di, ax
            //   7533                 | dec                 esp

        $sequence_2 = { 4c8b5c2450 4c3b1d???????? 410f44f6 8bc6 }
            // n = 4, score = 100
            //   4c8b5c2450           | mov                 ecx, 0xcd
            //   4c3b1d????????       |                     
            //   410f44f6             | cmove               eax, ecx
            //   8bc6                 | jmp                 0x1a

        $sequence_3 = { 4c8b5c2428 41837b0800 7519 807c243800 }
            // n = 4, score = 100
            //   4c8b5c2428           | inc                 ecx
            //   41837b0800           | movzx               eax, byte ptr [edx + eax]
            //   7519                 | cmp                 edx, eax
            //   807c243800           | jne                 0xb7

        $sequence_4 = { 00e0 3541000436 41 0023 }
            // n = 4, score = 100
            //   00e0                 | mov                 ecx, dword ptr [ebp + 0x100]
            //   3541000436           | dec                 eax
            //   41                   | xor                 ecx, esp
            //   0023                 | dec                 esp

        $sequence_5 = { 014dec 83bf8400000000 7708 398780000000 }
            // n = 4, score = 100
            //   014dec               | mov                 eax, dword ptr [esi + 0x30]
            //   83bf8400000000       | cmp                 eax, ebx
            //   7708                 | je                  0x20
            //   398780000000         | mov                 edi, dword ptr [eax]

        $sequence_6 = { 4c8b5c2454 488d542420 488d4c2454 4c895c2420 }
            // n = 4, score = 100
            //   4c8b5c2454           | mov                 ebx, dword ptr [esp + 0x28]
            //   488d542420           | inc                 ecx
            //   488d4c2454           | cmp                 dword ptr [ebx + 8], 0
            //   4c895c2420           | jne                 0x20

        $sequence_7 = { 01442410 3bfb 75c4 8b4630 }
            // n = 4, score = 100
            //   01442410             | mov                 ebx, dword ptr [esp + 0x54]
            //   3bfb                 | dec                 eax
            //   75c4                 | lea                 edx, [esp + 0x20]
            //   8b4630               | dec                 eax

        $sequence_8 = { 4c8b6348 418bff 85f6 7e2c }
            // n = 4, score = 100
            //   4c8b6348             | dec                 esp
            //   418bff               | mov                 ebx, dword ptr [esp + 0x50]
            //   85f6                 | inc                 ecx
            //   7e2c                 | cmove               esi, esi

        $sequence_9 = { 4c8b5110 43880413 ff4128 0fb68111170000 eb0c 85c0 7e16 }
            // n = 7, score = 100
            //   4c8b5110             | dec                 esp
            //   43880413             | mov                 edx, dword ptr [ecx + 0x10]
            //   ff4128               | inc                 ebx
            //   0fb68111170000       | mov                 byte ptr [ebx + edx], al
            //   eb0c                 | inc                 dword ptr [ecx + 0x28]
            //   85c0                 | movzx               eax, byte ptr [ecx + 0x1711]
            //   7e16                 | jmp                 0xe

        $sequence_10 = { 4c8b5c2420 b88bffffff 4c3b1d???????? b9cd000000 }
            // n = 4, score = 100
            //   4c8b5c2420           | dec                 esp
            //   b88bffffff           | mov                 ecx, eax
            //   4c3b1d????????       |                     
            //   b9cd000000           | inc                 ecx

        $sequence_11 = { 00f4 c640001c c740008a460323 d188470383ee }
            // n = 4, score = 100
            //   00f4                 | lea                 edx, [esp + 0x20]
            //   c640001c             | dec                 eax
            //   c740008a460323       | lea                 ecx, [esp + 0x54]
            //   d188470383ee         | dec                 esp

        $sequence_12 = { 014dec 66837dec00 0f8efc010000 0fbf45ec }
            // n = 4, score = 100
            //   014dec               | add                 dword ptr [ebx], ecx
            //   66837dec00           | add                 dword ptr [esi + 0x4c], ecx
            //   0f8efc010000         | add                 dword ptr [esi + 0x48], ecx
            //   0fbf45ec             | add                 dword ptr [esi + 0x54], ecx

        $sequence_13 = { 4c8b5750 4c8bc8 410fb65402ff 498d4c02ff }
            // n = 4, score = 100
            //   4c8b5750             | test                eax, eax
            //   4c8bc8               | jle                 0x18
            //   410fb65402ff         | dec                 esp
            //   498d4c02ff           | mov                 edx, dword ptr [edi + 0x50]

        $sequence_14 = { 010b 014e4c 014e48 014e54 }
            // n = 4, score = 100
            //   010b                 | mov                 dword ptr [esp + 0x20], ebx
            //   014e4c               | dec                 eax
            //   014e48               | lea                 edx, [esp + 0x28]
            //   014e54               | dec                 esp

    condition:
        7 of them and filesize < 491520
}
Download all Yara Rules