win.duuzer

Duuzer

aka: Escad

Actor(s): Lazarus Group


There is no description at this point. What the references below support: Duuzer (also tracked as Escad) is a Windows back door Trojan that Symantec reported in October 2015 as targeting South Korea, and it is attributed to the Lazarus Group; the later Lexfo, Secureworks (NICKEL ACADEMY) and Symantec WannaCry write-ups list it alongside Brambul, Joanap, Volgmer and related Lazarus tooling.

References
2020-02-19 — Lexfo — Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020 — Secureworks — SecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2017-05-22 — Symantec — Symantec Security Response
@online{response:20170522:wannacry:f66a95e, author = {Symantec Security Response}, title = {{WannaCry: Ransomware attacks show strong links to Lazarus group}}, date = {2017-05-22}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group}, language = {English}, urldate = {2020-01-06} } WannaCry: Ransomware attacks show strong links to Lazarus group
AlphaNC BravoNC Duuzer Sierra(Alfa,Bravo, ...) WannaCryptor
2015-10-26 — Symantec — A L Johnson
@online{johnson:20151026:duuzer:e87f194, author = {A L Johnson}, title = {{Duuzer back door Trojan targets South Korea to take over computers}}, date = {2015-10-26}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Duuzer back door Trojan targets South Korea to take over computers
Brambul Duuzer Joanap Lazarus Group
Yara Rules
[TLP:WHITE] win_duuzer_auto (20211008 | Detects win.duuzer.)
rule win_duuzer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.duuzer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.duuzer"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * The hex strings are untouched; only the annotations were reworked.
     * Every sequence carries REX prefixes (0x41/0x44/0x48/0x4c), so the
     * matched code is x86-64. The per-instruction comments below give the
     * x86-64 decoding; the generator's original annotations did not line up
     * with the bytes (they read like a 32-bit disassembly of other code).
     * $sequence_5 and $sequence_7 look like ordinary compiler-emitted
     * prologue material (register homing, frame setup, what appears to be
     * the stack-cookie xor), so on their own they are weak discriminators;
     * the "7 of them" threshold is what carries the rule. There is no
     * PE-header anchor, which is consistent with the memory-dump origin
     * described above.
     * Operands of the form "???" are wildcarded relocation/relative targets.
     */


    strings:
        $sequence_0 = { 4863df 488d542430 c74404300e560000 4c8bc3 e8???????? 440fb68c2460030000 }
            // n = 6, score = 100
            //   4863df               | movsxd              rbx, edi
            //   488d542430           | lea                 rdx, [rsp + 0x30]
            //   c74404300e560000     | mov                 dword ptr [rsp + rax + 0x30], 0x560e
            //   4c8bc3               | mov                 r8, rbx
            //   e8????????           | call                ???  (rel32 wildcarded)
            //   440fb68c2460030000   | movzx               r9d, byte ptr [rsp + 0x360]

        $sequence_1 = { 6642890441 85d2 7422 8b8f94000000 8b4744 2bca }
            // n = 6, score = 100
            //   6642890441           | mov                 word ptr [rcx + r8*2], ax
            //   85d2                 | test                edx, edx
            //   7422                 | je                  +0x22
            //   8b8f94000000         | mov                 ecx, dword ptr [rdi + 0x94]
            //   8b4744               | mov                 eax, dword ptr [rdi + 0x44]
            //   2bca                 | sub                 ecx, edx

        $sequence_2 = { 488b8be0000000 8b461c 884124 48c1e808 884125 }
            // n = 5, score = 100
            //   488b8be0000000       | mov                 rcx, qword ptr [rbx + 0xe0]
            //   8b461c               | mov                 eax, dword ptr [rsi + 0x1c]
            //   884124               | mov                 byte ptr [rcx + 0x24], al
            //   48c1e808             | shr                 rax, 8
            //   884125               | mov                 byte ptr [rcx + 0x25], al
            // Serialises the low 16 bits of [rsi+0x1c] into two consecutive
            // bytes at [rcx+0x24]/[rcx+0x25] (little-endian write-out).

        $sequence_3 = { 33f6 89711c 89710c 48897120 488b4710 897728 48894720 }
            // n = 7, score = 100
            //   33f6                 | xor                 esi, esi
            //   89711c               | mov                 dword ptr [rcx + 0x1c], esi
            //   89710c               | mov                 dword ptr [rcx + 0xc], esi
            //   48897120             | mov                 qword ptr [rcx + 0x20], rsi
            //   488b4710             | mov                 rax, qword ptr [rdi + 0x10]
            //   897728               | mov                 dword ptr [rdi + 0x28], esi
            //   48894720             | mov                 qword ptr [rdi + 0x20], rax
            // Zero-initialises several fields of two structures (rcx, rdi).

        $sequence_4 = { 6689442431 ff15???????? b901030000 6689442433 8b442430 c644243016 8903 }
            // n = 7, score = 100
            //   6689442431           | mov                 word ptr [rsp + 0x31], ax
            //   ff15????????         | call                qword ptr [rip + ???]  (import call, wildcarded)
            //   b901030000           | mov                 ecx, 0x301
            //   6689442433           | mov                 word ptr [rsp + 0x33], ax
            //   8b442430             | mov                 eax, dword ptr [rsp + 0x30]
            //   c644243016           | mov                 byte ptr [rsp + 0x30], 0x16
            //   8903                 | mov                 dword ptr [rbx], eax
            // Builds a small byte/word structure on the stack (tag byte 0x16 at
            // offset 0x30, two 16-bit values at unaligned offsets 0x31/0x33) and
            // copies the first dword out to [rbx]; the 0x16 and 0x301 constants
            // are the family-specific part here.

        $sequence_5 = { c3 48895c2410 4889742418 48897c2420 4154 4883ec30 4889642420 }
            // n = 7, score = 100
            //   c3                   | ret                                    (end of previous function)
            //   48895c2410           | mov                 qword ptr [rsp + 0x10], rbx
            //   4889742418           | mov                 qword ptr [rsp + 0x18], rsi
            //   48897c2420           | mov                 qword ptr [rsp + 0x20], rdi
            //   4154                 | push                r12
            //   4883ec30             | sub                 rsp, 0x30
            //   4889642420           | mov                 qword ptr [rsp + 0x20], rsp
            // Generic Win64 function prologue (callee-saved register homing);
            // expect this byte pattern in many unrelated MSVC-built binaries.

        $sequence_6 = { c785e82000000314f159 c785ec200000943a31c5 c785f020000010c7cc6a c785f4200000fbbb175f c785f8200000de098064 c785fc2000004b92ba75 }
            // n = 6, score = 100
            //   c785e82000000314f159     | mov    dword ptr [rbp + 0x20e8], 0x59f11403
            //   c785ec200000943a31c5     | mov    dword ptr [rbp + 0x20ec], 0xc5313a94
            //   c785f020000010c7cc6a     | mov    dword ptr [rbp + 0x20f0], 0x6accc710
            //   c785f4200000fbbb175f     | mov    dword ptr [rbp + 0x20f4], 0x5f17bbfb
            //   c785f8200000de098064     | mov    dword ptr [rbp + 0x20f8], 0x648009de
            //   c785fc2000004b92ba75     | mov    dword ptr [rbp + 0x20fc], 0x75ba924b
            // Writes 24 bytes of immediate constants to a contiguous stack
            // buffer; NOTE(review): presumably a key or encoded blob, which would
            // make this the strongest family-specific sequence in the rule —
            // confirm against the sample before weighting it.

        $sequence_7 = { b8a0110000 e8???????? 482be0 488b05???????? 4833c4 48898590100000 0fb7d9 }
            // n = 7, score = 100
            //   b8a0110000           | mov                 eax, 0x11a0
            //   e8????????           | call                ???  (likely the stack-probe helper, wildcarded)
            //   482be0               | sub                 rsp, rax
            //   488b05????????       | mov                 rax, qword ptr [rip + ???]
            //   4833c4               | xor                 rax, rsp
            //   48898590100000       | mov                 qword ptr [rbp + 0x1090], rax
            //   0fb7d9               | movzx               ebx, cx
            // Looks like MSVC's large-frame prologue with /GS cookie setup;
            // only the frame size (0x11a0) and cookie slot (0x1090) are specific.

        $sequence_8 = { 66660f1f840000000000 4889742420 4c8d4c2440 41b800080000 488d9540290000 488bcb ff15???????? }
            // n = 7, score = 100
            //   66660f1f840000000000     | nop    word ptr [rax + rax*1 + 0x0]   (alignment padding)
            //   4889742420           | mov                 qword ptr [rsp + 0x20], rsi
            //   4c8d4c2440           | lea                 r9, [rsp + 0x40]
            //   41b800080000         | mov                 r8d, 0x800
            //   488d9540290000       | lea                 rdx, [rbp + 0x2940]
            //   488bcb               | mov                 rcx, rbx
            //   ff15????????         | call                qword ptr [rip + ???]  (import call, wildcarded)
            // Win64 API call shape: rcx = handle in rbx, rdx = 0x800-byte buffer
            // at rbp+0x2940, r8d = 0x800, r9 = &out, fifth arg rsi on the stack.
            // NOTE(review): the exact import is wildcarded — do not assume which.

        $sequence_9 = { 85f6 0f8579010000 48837f2000 488b5758 488b4f38 7408 ff5718 }
            // n = 7, score = 100
            //   85f6                 | test                esi, esi
            //   0f8579010000         | jne                 +0x179
            //   48837f2000           | cmp                 qword ptr [rdi + 0x20], 0
            //   488b5758             | mov                 rdx, qword ptr [rdi + 0x58]
            //   488b4f38             | mov                 rcx, qword ptr [rdi + 0x38]
            //   7408                 | je                  +0x8
            //   ff5718               | call                qword ptr [rdi + 0x18]
            // Null-checks a function pointer at [rdi+0x20], then calls through a
            // second pointer at [rdi+0x18] with arguments taken from the same
            // object (rcx = [rdi+0x38], rdx = [rdi+0x58]) — a callback/vtable-
            // style dispatch.

    condition:
        // Any 7 of the 10 sequences must hit. The size cap is 480 KiB
        // (491520 = 480 * 1024); it is presumably taken from the reference
        // sample and will not hold for a padded, overlay-carrying or repacked
        // build — relax it when hunting for variants, and note there is no
        // MZ/PE check so the rule also fires on headerless memory dumps.
        7 of them and filesize < 491520
}