win.electricfish

ELECTRICFISH

Actor(s): Lazarus Group


The application is a command-line utility whose primary purpose is to tunnel traffic between two IP addresses. The application accepts command-line arguments allowing it to be configured with a destination IP address and port, a source IP address and port, a proxy IP address and port, and a username and password, which can be used to authenticate with a proxy server. It will attempt to establish TCP sessions with the source IP address and the destination IP address. If a connection is made to both the source and destination IPs, this malicious utility implements a custom protocol that allows traffic to be tunneled rapidly and efficiently between the two machines. If necessary, the malware can authenticate with a proxy in order to reach the destination IP address. A configured proxy server is not required for this utility.

References
2020-02-19 | Lexfo | Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-05-09 | CISA | CISA
@online{cisa:20190509:malware:0fa3b40, author = {CISA}, title = {{Malware Analysis Report (AR19-129A)}}, date = {2019-05-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR19-129A}, language = {English}, urldate = {2020-01-08} } Malware Analysis Report (AR19-129A)
ELECTRICFISH Lazarus Group
Yara Rules
[TLP:WHITE] win_electricfish_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_electricfish_auto {
    // Code-pattern signature for ELECTRICFISH (32-bit x86, judging by the
    // esp/ebp/esi-based disassembly below): ten 7-instruction byte sequences
    // selected automatically by yara-signator. The rule fires when at least 7
    // of the 10 sequences are found (see condition). No MZ/PE header check is
    // applied, so the rule can be run against memory dumps and unpacked
    // buffers as well as files on disk.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.electricfish"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a raw hex byte pattern; its disassembly is listed
        // in the comments beneath it. "??" bytes are YARA wildcards masking
        // operands that vary between builds or load addresses: e8 ???????? is
        // a near call with its rel32 target masked, 68 ???????? a push of a
        // masked 32-bit immediate (the disassembly column is left blank for
        // these). "n = 7" is the instruction count per sequence; "score" is
        // yara-signator's selection score (its derivation is not shown here).
        // Neither annotation affects matching.
        $sequence_0 = { 8944241c 8a4608 88542422 8b556c 8d4c241c 88442423 8b8210010000 }
            // n = 7, score = 700
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   8a4608               | mov                 al, byte ptr [esi + 8]
            //   88542422             | mov                 byte ptr [esp + 0x22], dl
            //   8b556c               | mov                 edx, dword ptr [ebp + 0x6c]
            //   8d4c241c             | lea                 ecx, [esp + 0x1c]
            //   88442423             | mov                 byte ptr [esp + 0x23], al
            //   8b8210010000         | mov                 eax, dword ptr [edx + 0x110]

        $sequence_1 = { c1e104 03f9 837f0415 740b 395708 7406 89961c0b0000 }
            // n = 7, score = 700
            //   c1e104               | shl                 ecx, 4
            //   03f9                 | add                 edi, ecx
            //   837f0415             | cmp                 dword ptr [edi + 4], 0x15
            //   740b                 | je                  0xd
            //   395708               | cmp                 dword ptr [edi + 8], edx
            //   7406                 | je                  8
            //   89961c0b0000         | mov                 dword ptr [esi + 0xb1c], edx

        $sequence_2 = { eb04 8b442410 85ed 741b 8b4d00 8d50fe c1ea08 }
            // n = 7, score = 700
            //   eb04                 | jmp                 6
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   85ed                 | test                ebp, ebp
            //   741b                 | je                  0x1d
            //   8b4d00               | mov                 ecx, dword ptr [ebp]
            //   8d50fe               | lea                 edx, [eax - 2]
            //   c1ea08               | shr                 edx, 8

        $sequence_3 = { c3 8b5668 89ba30020000 8b4e68 898134020000 57 56 }
            // n = 7, score = 700
            //   c3                   | ret                 
            //   8b5668               | mov                 edx, dword ptr [esi + 0x68]
            //   89ba30020000         | mov                 dword ptr [edx + 0x230], edi
            //   8b4e68               | mov                 ecx, dword ptr [esi + 0x68]
            //   898134020000         | mov                 dword ptr [ecx + 0x234], eax
            //   57                   | push                edi
            //   56                   | push                esi

        $sequence_4 = { b818000000 e8???????? 53 55 56 57 33ff }
            // n = 7, score = 700
            //   b818000000           | mov                 eax, 0x18
            //   e8????????           |                     
            //   53                   | push                ebx
            //   55                   | push                ebp
            //   56                   | push                esi
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi

        $sequence_5 = { e8???????? 8b561c 68???????? 52 e8???????? 6893010000 68???????? }
            // n = 7, score = 700
            //   e8????????           |                     
            //   8b561c               | mov                 edx, dword ptr [esi + 0x1c]
            //   68????????           |                     
            //   52                   | push                edx
            //   e8????????           |                     
            //   6893010000           | push                0x193
            //   68????????           |                     

        $sequence_6 = { e8???????? 83c40c 85db 0f8f7affffff 837c242400 c70600000000 c7460400000000 }
            // n = 7, score = 700
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85db                 | test                ebx, ebx
            //   0f8f7affffff         | jg                  0xffffff80
            //   837c242400           | cmp                 dword ptr [esp + 0x24], 0
            //   c70600000000         | mov                 dword ptr [esi], 0
            //   c7460400000000       | mov                 dword ptr [esi + 4], 0

        $sequence_7 = { e8???????? 83c408 85c0 7524 6849010000 68???????? 683e010000 }
            // n = 7, score = 700
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   7524                 | jne                 0x26
            //   6849010000           | push                0x149
            //   68????????           |                     
            //   683e010000           | push                0x13e

        $sequence_8 = { e8???????? 8b4e04 68b3000000 68???????? 51 e8???????? 68b4000000 }
            // n = 7, score = 700
            //   e8????????           |                     
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   68b3000000           | push                0xb3
            //   68????????           |                     
            //   51                   | push                ecx
            //   e8????????           |                     
            //   68b4000000           | push                0xb4

        $sequence_9 = { c3 6873030000 68???????? be32000000 689f000000 6882010000 6a14 }
            // n = 7, score = 700
            //   c3                   | ret                 
            //   6873030000           | push                0x373
            //   68????????           |                     
            //   be32000000           | mov                 esi, 0x32
            //   689f000000           | push                0x9f
            //   6882010000           | push                0x182
            //   6a14                 | push                0x14

    condition:
        // Match when at least 7 of the 10 sequences are present and the scanned
        // object is smaller than 3162112 bytes (3 MiB + 16 KiB). The size bound
        // limits false positives in large binaries; note that `filesize` is only
        // meaningful for file scans — check your YARA version's semantics before
        // relying on this rule against process memory.
        7 of them and filesize < 3162112
}
[TLP:WHITE] win_electricfish_w0   (20190815 | HiddenCobraElectricFish)
rule win_electricfish_w0 {   
      // String-based signature for ELECTRICFISH (tracked by AlienVault as
      // HiddenCobraElectricFish): requires a DOS/PE header at offset 0 plus all
      // three plaintext markers below. Because the markers must be visible in
      // the scanned bytes, packed samples will presumably need to be unpacked
      // or dumped before this rule can match them.
      meta:   
          author = "AlienVault Labs"   
          type = "malware"   
          description = "HiddenCobraElectricFish"   
          copyright = "Alienvault Inc. 2019"   
          // Two 64-hex-character digests, presumably SHA-256 of the reference samples.
          reference = "a3a1a43f0e631c10ab42e5404b61580e760e7d6f849ab8eb5848057a8c60cda2,7efe8a7ad9c6a6146bddd5aef9ceba477ca6973203a41f4b7f823095a90cb10f"   
          malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.electricfish"
          malpedia_version = "20190815"
          malpedia_license = "CC BY-NC-SA 4.0"
          malpedia_sharing = "TLP:WHITE"
      strings:   
          // Plain ASCII, case-sensitive text strings (no "wide" or "nocase"
          // modifiers), so UTF-16 copies of these markers would not match.
          $x1 = "CCGC_LOG ===>"   
          $x2 = "<==RECV==="   
          $x3 = "aaaabbbbccccdddd"   
      condition:   
           // 0x5a4d read little-endian at offset 0 is the "MZ" DOS header magic,
           // restricting the rule to executable images; all three strings are required.
           uint16(0) == 0x5a4d and all of them   
}