SYMBOLCOMMON_NAMEaka. SYNONYMS
win.duuzer (Back to overview)

Duuzer

aka: Escad

Actor(s): Lazarus Group


There is no description at this point.

References
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020SecureworksSecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2017-05-22SymantecSymantec Security Response
@online{response:20170522:wannacry:f66a95e, author = {Symantec Security Response}, title = {{WannaCry: Ransomware attacks show strong links to Lazarus group}}, date = {2017-05-22}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group}, language = {English}, urldate = {2020-01-06} } WannaCry: Ransomware attacks show strong links to Lazarus group
AlphaNC BravoNC Duuzer Sierra(Alfa,Bravo, ...) WannaCryptor
2015-10-26SymantecA L Johnson
@online{johnson:20151026:duuzer:e87f194, author = {A L Johnson}, title = {{Duuzer back door Trojan targets South Korea to take over computers}}, date = {2015-10-26}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Duuzer back door Trojan targets South Korea to take over computers
Brambul Duuzer Joanap Lazarus Group
Yara Rules
[TLP:WHITE] win_duuzer_auto (20220411 | Detects win.duuzer.)
rule win_duuzer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.duuzer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.duuzer"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83f804 7408 83c8ff e9???????? }
            // n = 4, score = 200
            //   83f804               | cmp                 eax, 4
            //   7408                 | je                  0xa
            //   83c8ff               | or                  eax, 0xffffffff
            //   e9????????           |                     

        $sequence_1 = { 0145f0 1155f4 85c9 7533 }
            // n = 4, score = 100
            //   0145f0               | dec                 esp
            //   1155f4               | mov                 dword ptr [ebx + 0xb0], ebp
            //   85c9                 | dec                 esp
            //   7533                 | mov                 dword ptr [ebx + 0xb8], ebp

        $sequence_2 = { 4c89ab04010100 4c89abd0000000 48c783f800000008000000 41bfffffffff }
            // n = 4, score = 100
            //   4c89ab04010100       | mov                 esp, 0xffffeeee
            //   4c89abd0000000       | jmp                 0xa
            //   48c783f800000008000000     | inc    esp
            //   41bfffffffff         | mov                 esp, dword ptr [esp + 0x40]

        $sequence_3 = { 4c89abb8000000 c744242008000000 e8???????? 85c0 }
            // n = 4, score = 100
            //   4c89abb8000000       | dec                 eax
            //   c744242008000000     | lea                 ecx, dword ptr [ebx + 0x100]
            //   e8????????           |                     
            //   85c0                 | dec                 esp

        $sequence_4 = { 4c89ab80000000 48898b88000000 48c7839000000000000100 4489abc0000000 }
            // n = 4, score = 100
            //   4c89ab80000000       | mov                 dword ptr [ebx + 0x88], ecx
            //   48898b88000000       | dec                 eax
            //   48c7839000000000000100     | mov    dword ptr [ebx + 0x90], 0x10000
            //   4489abc0000000       | inc                 esp

        $sequence_5 = { 4c89ab18010100 4c89ab20010100 4c89ab10010100 e8???????? }
            // n = 4, score = 100
            //   4c89ab18010100       | mov                 edi, 0xffffffff
            //   4c89ab20010100       | dec                 esp
            //   4c89ab10010100       | cmp                 dword ptr [ebx + 0x20], ebp
            //   e8????????           |                     

        $sequence_6 = { 4c89aba8000000 4c89abb0000000 4c89abb8000000 c744242008000000 }
            // n = 4, score = 100
            //   4c89aba8000000       | mov                 dword ptr [ebx + 0x10120], ebp
            //   4c89abb0000000       | dec                 esp
            //   4c89abb8000000       | mov                 dword ptr [ebx + 0x10110], ebp
            //   c744242008000000     | dec                 eax

        $sequence_7 = { 00e0 3541000436 41 0023 }
            // n = 4, score = 100
            //   00e0                 | mov                 dword ptr [ebx + 0x80], ebp
            //   3541000436           | dec                 eax
            //   41                   | mov                 dword ptr [ebx + 0x88], ecx
            //   0023                 | dec                 eax

        $sequence_8 = { 4c89a424b8100000 ff15???????? 44396c2444 7e08 41bceeeeffff eb08 448b642440 }
            // n = 7, score = 100
            //   4c89a424b8100000     | dec                 esp
            //   ff15????????         |                     
            //   44396c2444           | mov                 dword ptr [esp + 0x10b8], esp
            //   7e08                 | inc                 esp
            //   41bceeeeffff         | cmp                 dword ptr [esp + 0x44], ebp
            //   eb08                 | jle                 0xa
            //   448b642440           | inc                 ecx

        $sequence_9 = { 014dec 83bf8400000000 7708 398780000000 }
            // n = 4, score = 100
            //   014dec               | xor                 eax, 0x36040041
            //   83bf8400000000       | inc                 ecx
            //   7708                 | add                 byte ptr [ebx], ah
            //   398780000000         | add                 al, ah

        $sequence_10 = { 4c89ab10010100 e8???????? 488d8b00010000 4c89ab80000000 }
            // n = 4, score = 100
            //   4c89ab10010100       | dec                 esp
            //   e8????????           |                     
            //   488d8b00010000       | mov                 dword ptr [ebx + 0x10104], ebp
            //   4c89ab80000000       | dec                 esp

        $sequence_11 = { 00f4 c640001c c740008a460323 d188470383ee }
            // n = 4, score = 100
            //   00f4                 | mov                 dword ptr [ebx + 0xb8], ebp
            //   c640001c             | mov                 dword ptr [esp + 0x20], 8
            //   c740008a460323       | dec                 esp
            //   d188470383ee         | mov                 dword ptr [ebx + 0xa8], ebp

        $sequence_12 = { 014dec 66837dec00 0f8efc010000 0fbf45ec }
            // n = 4, score = 100
            //   014dec               | cmp                 dword ptr [ebx + 0x20], ebp
            //   66837dec00           | je                  0x11
            //   0f8efc010000         | call                dword ptr [ebx + 0x18]
            //   0fbf45ec             | dec                 esp

        $sequence_13 = { 01442410 3bfb 75c4 8b4630 }
            // n = 4, score = 100
            //   01442410             | mov                 dword ptr [esp + 0x20], 8
            //   3bfb                 | test                eax, eax
            //   75c4                 | dec                 esp
            //   8b4630               | mov                 dword ptr [ebx + 0xa8], ebp

        $sequence_14 = { 010b 014e4c 014e48 014e54 }
            // n = 4, score = 100
            //   010b                 | dec                 esp
            //   014e4c               | mov                 dword ptr [ebx + 0xb0], ebp
            //   014e48               | dec                 esp
            //   014e54               | mov                 dword ptr [ebx + 0xb8], ebp

    condition:
        7 of them and filesize < 491520
}
Download all Yara Rules