win.electricfish

ELECTRICFISH

Actor(s): Lazarus Group


The application is a command-line utility and its primary purpose is to tunnel traffic between two IP addresses. The application accepts command-line arguments allowing it to be configured with a destination IP address and port, a source IP address and port, a proxy IP address and port, and a user name and password, which can be utilized to authenticate with a proxy server. It will attempt to establish TCP sessions with the source IP address and the destination IP address. If a connection is made to both the source and destination IPs, this malicious utility will implement a custom protocol, which will allow traffic to rapidly and efficiently be tunneled between two machines. If necessary, the malware can authenticate with a proxy to be able to reach the destination IP address. A configured proxy server is not required for this utility.

References
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-05-09CISACISA
@online{cisa:20190509:malware:0fa3b40, author = {CISA}, title = {{Malware Analysis Report (AR19-129A)}}, date = {2019-05-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR19-129A}, language = {English}, urldate = {2020-01-08} } Malware Analysis Report (AR19-129A)
ELECTRICFISH Lazarus Group
Yara Rules
[TLP:WHITE] win_electricfish_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_electricfish_auto {
    // Auto-generated code-sequence rule for ELECTRICFISH (Lazarus Group).
    // Each $sequence_N below is a 7-instruction x86 opcode pattern lifted from
    // disassembly; bytes written as ?? are wildcards for operands that vary
    // between builds (call/jump displacements, absolute addresses, immediates),
    // so only the opcode skeleton is matched. Per-string comments give the
    // decoded instruction for each non-wildcarded byte group.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator used when selecting sequences.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.electricfish"
        malpedia_rule_date = "20201222"
        // NOTE(review): 40-hex value (SHA-1 length) identifying the Malpedia
        // data state the rule was built from; not a sample hash as far as this
        // page shows - confirm with Malpedia.
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // In the per-string annotations: n = number of instructions in the
        // sequence; score = the generator's ranking value (its scale is not
        // documented on this page, so treat it as relative, not absolute).
        $sequence_0 = { e8???????? 83c420 c3 8b07 8b4c2424 5f 5e }
            // n = 7, score = 1200
            //   e8????????           |                     
            //   83c420               | add                 esp, 0x20
            //   c3                   | ret                 
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   8b4c2424             | mov                 ecx, dword ptr [esp + 0x24]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_1 = { e8???????? 68cb060000 68???????? 6a7b 686d010000 6a14 c744242833000000 }
            // n = 7, score = 1200
            //   e8????????           |                     
            //   68cb060000           | push                0x6cb
            //   68????????           |                     
            //   6a7b                 | push                0x7b
            //   686d010000           | push                0x16d
            //   6a14                 | push                0x14
            //   c744242833000000     | mov                 dword ptr [esp + 0x28], 0x33

        $sequence_2 = { e8???????? 83c408 85c0 750a 68ad000000 e9???????? 8b87b8000000 }
            // n = 7, score = 1200
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   750a                 | jne                 0xc
            //   68ad000000           | push                0xad
            //   e9????????           |                     
            //   8b87b8000000         | mov                 eax, dword ptr [edi + 0xb8]

        $sequence_3 = { c3 a1???????? 57 50 e8???????? 8b15???????? 33c9 }
            // n = 7, score = 1200
            //   c3                   | ret                 
            //   a1????????           |                     
            //   57                   | push                edi
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b15????????         |                     
            //   33c9                 | xor                 ecx, ecx

        $sequence_4 = { b8???????? 0fb64c3410 0fb6543411 50 c1e108 0bca 51 }
            // n = 7, score = 1200
            //   b8????????           |                     
            //   0fb64c3410           | movzx               ecx, byte ptr [esp + esi + 0x10]
            //   0fb6543411           | movzx               edx, byte ptr [esp + esi + 0x11]
            //   50                   | push                eax
            //   c1e108               | shl                 ecx, 8
            //   0bca                 | or                  ecx, edx
            //   51                   | push                ecx

        $sequence_5 = { f7f7 83fa01 7608 83c602 83c102 ebdf 83c502 }
            // n = 7, score = 1200
            //   f7f7                 | div                 edi
            //   83fa01               | cmp                 edx, 1
            //   7608                 | jbe                 0xa
            //   83c602               | add                 esi, 2
            //   83c102               | add                 ecx, 2
            //   ebdf                 | jmp                 0xffffffe1
            //   83c502               | add                 ebp, 2

        $sequence_6 = { c786e000000000000000 2bdf 81fb80000000 761e 8bfb 83e77f 7505 }
            // n = 7, score = 1200
            //   c786e000000000000000     | mov    dword ptr [esi + 0xe0], 0
            //   2bdf                 | sub                 ebx, edi
            //   81fb80000000         | cmp                 ebx, 0x80
            //   761e                 | jbe                 0x20
            //   8bfb                 | mov                 edi, ebx
            //   83e77f               | and                 edi, 0x7f
            //   7505                 | jne                 7

        $sequence_7 = { e8???????? 83c408 85c0 746b 803c3000 7565 85ff }
            // n = 7, score = 1200
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   746b                 | je                  0x6d
            //   803c3000             | cmp                 byte ptr [eax + esi], 0
            //   7565                 | jne                 0x67
            //   85ff                 | test                edi, edi

        $sequence_8 = { c3 8b4c240c 50 8b442414 50 51 e8???????? }
            // n = 7, score = 1200
            //   c3                   | ret                 
            //   8b4c240c             | mov                 ecx, dword ptr [esp + 0xc]
            //   50                   | push                eax
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_9 = { 8d9b00000000 57 e8???????? 83c404 85ed 740b 6a08 }
            // n = 7, score = 1200
            //   8d9b00000000         | lea                 ebx, [ebx]
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   85ed                 | test                ebp, ebp
            //   740b                 | je                  0xd
            //   6a08                 | push                8

    condition:
        // Fires when at least 7 of the 10 code sequences are present AND the
        // scanned object is smaller than 3162112 bytes (~3 MiB). The 7-of-10
        // threshold tolerates some variation between builds; the size bound
        // keeps the rule focused on binaries of plausible size rather than
        // large containers or dumps that merely embed this code. Because the
        // sequences come from unpacked/in-memory code, expect no match on a
        // still-packed sample on disk.
        7 of them and filesize < 3162112
}
[TLP:WHITE] win_electricfish_w0   (20190815 | HiddenCobraElectricFish)
rule win_electricfish_w0 {   
      // Hand-written string rule for ELECTRICFISH (AlienVault Labs, 2019;
      // "HiddenCobra" is the US-government designation for the same actor
      // the page lists as Lazarus Group). It keys on three plain-text
      // markers, so it will only fire while those strings are in the clear -
      // a packed or encrypted sample on disk will not match until unpacked.
      meta:   
          author = "AlienVault Labs"   
          type = "malware"   
          description = "HiddenCobraElectricFish"   
          copyright = "Alienvault Inc. 2019"   
          // Two comma-separated 64-hex values (SHA-256 length); presumably the
          // sample hashes this rule was written against - confirm with source.
          reference = "a3a1a43f0e631c10ab42e5404b61580e760e7d6f849ab8eb5848057a8c60cda2,7efe8a7ad9c6a6146bddd5aef9ceba477ca6973203a41f4b7f823095a90cb10f"   
          malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.electricfish"
          malpedia_version = "20190815"
          malpedia_license = "CC BY-NC-SA 4.0"
          malpedia_sharing = "TLP:WHITE"
      strings:   
          // All three are plain ASCII text strings with no modifiers, so they
          // match case-sensitively and only in their 8-bit form (no `wide`).
          // $x1/$x2 look like log/trace markers; $x3 is a fixed 16-byte
          // constant whose role is not documented on this page.
          $x1 = "CCGC_LOG ===>"   
          $x2 = "<==RECV==="   
          $x3 = "aaaabbbbccccdddd"   
      condition:   
           // The first two bytes must be the DOS/PE "MZ" magic (0x5a4d when
           // read as a little-endian uint16), which restricts matches to PE
           // images, and all three markers must be present.
           uint16(0) == 0x5a4d and all of them   
}