win.duuzer

Duuzer

Actor(s): Lazarus Group


There is no description at this point.

References
2020-02-19 · Lexfo · Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020 · Secureworks · SecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2017-05-22 · Symantec · Symantec Security Response
@online{response:20170522:wannacry:f66a95e, author = {Symantec Security Response}, title = {{WannaCry: Ransomware attacks show strong links to Lazarus group}}, date = {2017-05-22}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group}, language = {English}, urldate = {2020-01-06} } WannaCry: Ransomware attacks show strong links to Lazarus group
AlphaNC BravoNC Duuzer Sierra(Alfa,Bravo, ...) WannaCryptor
2015-10-26 · Symantec · A L Johnson
@online{johnson:20151026:duuzer:e87f194, author = {A L Johnson}, title = {{Duuzer back door Trojan targets South Korea to take over computers}}, date = {2015-10-26}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Duuzer back door Trojan targets South Korea to take over computers
Brambul Duuzer Joanap Lazarus Group
Yara Rules
[TLP:WHITE] win_duuzer_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_duuzer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.duuzer"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes (comments only; the matching logic is the generator's):
     * - The rule carries 15 hex byte sequences ($sequence_0 .. $sequence_14).
     *   YARA matches the hex bytes only; the per-instruction mnemonics below
     *   each sequence are informational annotations from the generator.
     * - NOTE(review): for several sequences the mnemonic column does not line
     *   up with the byte column. Visible examples: the 0x48 lead byte of
     *   64-bit (REX-prefixed) opcodes is shown as "dec eax" ($sequence_6,
     *   $sequence_11, $sequence_12, $sequence_14), and the immediates listed
     *   under $sequence_2 (0xa116bb90, 0x8a98a796, ...) are the little-endian
     *   immediates found in $sequence_7's bytes (90bb16a1, 96a7988a, ...), so
     *   the annotations of $sequence_2/$sequence_3/$sequence_7 appear shifted
     *   or swapped. Treat the bytes as authoritative and re-disassemble before
     *   drawing conclusions from the mnemonics.
     * - The "n" in each annotation is the number of instructions in the
     *   sequence; "score" is presumably the generator's ranking of the
     *   sequence (only $sequence_0 carries 200, the rest 100) — confirm against
     *   the yara-signator documentation before using it as a confidence value.
     * - The condition requires 7 of the 15 sequences plus a filesize bound;
     *   see the note at the condition.
     */

    strings:
        $sequence_0 = { 83f804 7408 83c8ff e9???????? }
            // n = 4, score = 200
            //   83f804               | cmp                 eax, 4
            //   7408                 | je                  0xa
            //   83c8ff               | or                  eax, 0xffffffff
            //   e9????????           |                     
            // NOTE(review): a compare / conditional jump / "or eax, -1" /
            // jump pattern is a common error-return idiom and is likely to
            // appear in unrelated binaries; on its own it is weak evidence.
            // The 7-of-15 threshold in the condition is what limits false
            // positives from generic sequences like this one.

        $sequence_1 = { 683d040000 894df4 8955f8 ff15???????? 668b8dc8f4ffff }
            // n = 5, score = 100
            //   683d040000           | push                0x43d
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   ff15????????         |                     
            //   668b8dc8f4ffff       | mov                 cx, word ptr [ebp - 0xb38]
            // push 0x43d (1085) followed by an indirect call; the same
            // immediate appears in $sequence_5, so the two sequences may be
            // drawn from the same call site (inference from the bytes only).

        $sequence_2 = { c783a000000002000000 c7838800000002000000 89bb90000000 897b70 488b5c2430 }
            // n = 5, score = 100
            //   c783a000000002000000     | je    0x110
            //   c7838800000002000000     | mov    dword ptr [ebp + 0xd8], 0xa116bb90
            //   89bb90000000         | mov                 dword ptr [ebp + 0xdc], 0x8a98a796
            //   897b70               | mov                 dword ptr [ebp + 0xe0], 0xa28f5cd0
            //   488b5c2430           | mov                 dword ptr [ebp + 0xe4], 0x37e5a7d4
            // NOTE(review): the mnemonics above do not decode from these
            // bytes (the listed immediates match $sequence_7's bytes); the
            // 0x48 prefix on the last byte string suggests 64-bit code.

        $sequence_3 = { 42c7042032000000 e8???????? 498bcc 8bf8 e8???????? 488b9580010000 483b15???????? }
            // n = 7, score = 100
            //   42c7042032000000     | inc                 edx
            //   e8????????           |                     
            //   498bcc               | mov                 dword ptr [eax], 0x32
            //   8bf8                 | dec                 ecx
            //   e8????????           |                     
            //   488b9580010000       | mov                 ecx, esp
            //   483b15????????       |                     
            // NOTE(review): 0x42/0x49/0x48 lead bytes are REX prefixes in
            // 64-bit code; the "inc"/"dec" mnemonics are a 32-bit decoding of
            // those prefixes, so the annotations here are unreliable.

        $sequence_4 = { e8???????? 8b4f54 2bce 014f7c 8bd8 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   8b4f54               | mov                 ecx, dword ptr [edi + 0x54]
            //   2bce                 | sub                 ecx, esi
            //   014f7c               | add                 dword ptr [edi + 0x7c], ecx
            //   8bd8                 | mov                 ebx, eax
            // Wildcarded call target (e8????????) so relocation of the callee
            // does not break the match.

        $sequence_5 = { 57 8d8504efffff 50 683d040000 }
            // n = 4, score = 100
            //   57                   | push                edi
            //   8d8504efffff         | lea                 eax, [ebp - 0x10fc]
            //   50                   | push                eax
            //   683d040000           | push                0x43d
            // Pushes a stack buffer address and the constant 0x43d; see
            // $sequence_1 for the same constant.

        $sequence_6 = { b98bffffff 3bc3 0f44cb 8bc1 eb19 }
            // n = 5, score = 100
            //   b98bffffff           | dec                 eax
            //   3bc3                 | sub                 ecx, edi
            //   0f44cb               | dec                 eax
            //   8bc1                 | mov                 ecx, dword ptr [ebx + 0x130]
            //   eb19                 | dec                 eax
            // NOTE(review): the mnemonics listed here appear to belong to
            // $sequence_12 (mov ecx, 0xffffff8b / cmp eax, ebx / cmove ecx, ebx
            // / mov eax, ecx match b98bffffff / 3bc3 / 0f44cb / 8bc1), i.e. the
            // annotation columns of the two sequences look swapped.

        $sequence_7 = { c785d800000090bb16a1 c785dc00000096a7988a c785e0000000d05c8fa2 c785e4000000d4a7e537 c785e80000008d5a75cd c785ec0000003b4229b5 }
            // n = 6, score = 100
            //   c785d800000090bb16a1     | jmp    0x22
            //   c785dc00000096a7988a     | dec    eax
            //   c785e0000000d05c8fa2     | cmp    eax, -1
            //   c785e4000000d4a7e537     | je    0x139
            //   c785e80000008d5a75cd     | dec    eax
            //   c785ec0000003b4229b5     | lea    esi, [esp + 0x5c]
            // Six consecutive 32-bit immediates stored to [ebp + 0xd8 .. 0xec]
            // (the decoding shown under $sequence_2). Back-to-back stores of
            // fixed constants are typically the most sample-specific part of
            // a rule like this; they are also the easiest thing for a new
            // build to change, so expect this sequence to be brittle across
            // variants (inference; only one sample was used per the
            // disclaimer above).

        $sequence_8 = { 894608 89460c 894610 7409 }
            // n = 4, score = 100
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   89460c               | mov                 dword ptr [esi + 0xc], eax
            //   894610               | mov                 dword ptr [esi + 0x10], eax
            //   7409                 | je                  0xb
            // Three stores of the same register to consecutive struct fields;
            // a generic initialisation pattern, low specificity on its own.

        $sequence_9 = { c745f00dcec815 c745f4b0c77a6a c745f8ae18e83f c705????????03000000 c705????????ca27fee7 c705????????020001bb }
            // n = 6, score = 100
            //   c745f00dcec815       | mov                 dword ptr [ebp - 0x10], 0x15c8ce0d
            //   c745f4b0c77a6a       | mov                 dword ptr [ebp - 0xc], 0x6a7ac7b0
            //   c745f8ae18e83f       | mov                 dword ptr [ebp - 8], 0x3fe818ae
            //   c705????????03000000     |     
            //   c705????????ca27fee7     |     
            //   c705????????020001bb     |     
            // Constants stored to locals and to three absolute (wildcarded)
            // addresses; the immediates are kept, the addresses are masked.

        $sequence_10 = { 8bdf 8931 e8???????? 83c404 3da2000000 }
            // n = 5, score = 100
            //   8bdf                 | mov                 ebx, edi
            //   8931                 | mov                 dword ptr [ecx], esi
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   3da2000000           | cmp                 eax, 0xa2
            // cdecl-style call (one argument cleaned up with add esp, 4) whose
            // result is compared against 0xa2 (162).

        $sequence_11 = { 488945cf 33c0 8945d7 668945db }
            // n = 4, score = 100
            //   488945cf             | dec                 eax
            //   33c0                 | lea                 edi, [0x22cb7]
            //   8945d7               | mov                 ecx, 2
            //   668945db             | repe cmpsd          dword ptr [esi], dword ptr es:[edi]
            // NOTE(review): 33c0 is "xor eax, eax", not the lea shown; the
            // mnemonics here look like they belong to $sequence_12's bytes
            // (488d3d... / b902000000 / 66f3a7).

        $sequence_12 = { 4883f8ff 0f842f010000 488d74245c 488d3db72c0200 b902000000 66f3a7 0f84f6000000 }
            // n = 7, score = 100
            //   4883f8ff             | mov                 ecx, dword ptr [ebx + 0x158]
            //   0f842f010000         | dec                 eax
            //   488d74245c           | lea                 eax, [0x1b884]
            //   488d3db72c0200       | mov                 ecx, 0xffffff8b
            //   b902000000           | cmp                 eax, ebx
            //   66f3a7               | cmove               ecx, ebx
            //   0f84f6000000         | mov                 eax, ecx
            // NOTE(review): annotations misaligned (see rule-level note).
            // 488d3db72c0200 is a RIP-relative lea, so this sequence is tied
            // to the sample's code layout and may not survive relinking.

        $sequence_13 = { 51 ffd2 83c410 83f802 7536 }
            // n = 5, score = 100
            //   51                   | push                ecx
            //   ffd2                 | call                edx
            //   83c410               | add                 esp, 0x10
            //   83f802               | cmp                 eax, 2
            //   7536                 | jne                 0x38
            // Indirect call through edx with four stack arguments, result
            // compared against 2.

        $sequence_14 = { 488b8b50010000 482bcf e8???????? 488b8b30010000 e8???????? 488b8b58010000 488d0584b80100 }
            // n = 7, score = 100
            //   488b8b50010000       | mov                 edi, eax
            //   482bcf               | dec                 eax
            //   e8????????           |                     
            //   488b8b30010000       | mov                 edx, dword ptr [ebp + 0x180]
            //   e8????????           |                     
            //   488b8b58010000       | dec                 eax
            //   488d0584b80100       | mov                 ecx, dword ptr [ebx + 0x150]
            // NOTE(review): annotations misaligned (see rule-level note).
            // The last byte string is a RIP-relative lea; same layout
            // dependence as $sequence_12.

    condition:
        // Any 7 of the 15 sequences must be present, and the scanned object
        // must be smaller than 491520 bytes (480 KiB). filesize is only
        // defined when YARA scans a file; on process-memory scans this
        // condition is not expected to evaluate true — confirm against the
        // YARA version in use, and drop the size clause if the rule is meant
        // to run against memory.
        7 of them and filesize < 491520
}