win.electricfish

ELECTRICFISH

Actor(s): Lazarus Group


The application is a command-line utility whose primary purpose is to tunnel traffic between two IP addresses. It accepts command-line arguments that configure a destination IP address and port, a source IP address and port, a proxy IP address and port, and a user name and password that can be used to authenticate with a proxy server. It attempts to establish TCP sessions with the source IP address and the destination IP address. If a connection is made to both the source and destination IPs, this malicious utility implements a custom protocol that allows traffic to be tunneled rapidly and efficiently between the two machines. If necessary, the malware can authenticate with a proxy in order to reach the destination IP address; a configured proxy server is not required for this utility.

References
2020-02-19 | Lexfo | Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-05-09 | CISA | CISA
@online{cisa:20190509:malware:0fa3b40, author = {CISA}, title = {{Malware Analysis Report (AR19-129A)}}, date = {2019-05-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR19-129A}, language = {English}, urldate = {2020-01-08} } Malware Analysis Report (AR19-129A)
ELECTRICFISH Lazarus Group
Yara Rules
[TLP:WHITE] win_electricfish_auto (20200529 | autogenerated rule brought to you by yara-signator)
/*
 * win_electricfish_auto: autogenerated code-pattern signature for ELECTRICFISH.
 * Each $sequence_N below is a run of seven 32-bit x86 instructions lifted from
 * disassembly; the hex string is the exact byte encoding and the commented
 * column to its right is the mnemonic form.  Bytes written as ?? are
 * wildcards: they mask the rel32 displacement of a call (e8) and the imm32
 * operand of a push (68), which differ between builds and load addresses, so
 * the mnemonic column for those lines is intentionally left blank.
 * The condition requires any 7 of the 10 sequences plus a size cap of
 * 3162112 bytes (~3 MiB).  There is no PE-header check, so the rule applies
 * to memory dumps and unpacked files as well as PE files on disk (see the
 * DISCLAIMER in the rule body for the generation method and its limits).
 * "n" in the per-sequence annotations is the instruction count; "score" is
 * the generator's ranking weight (scale defined by yara-signator, not here).
 */
rule win_electricfish_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        // generator feature set used to select sequences: call/jump structure,
        // data references and literal binary values
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.electricfish"
        malpedia_rule_date = "20200529"
        // sample hash recorded by Malpedia for the corpus this rule was derived from
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // constant load followed by a call whose target is wildcarded, then
        // a push of 0x134 (308) — presumably a size/length argument; confirm
        $sequence_0 = { b814000000 e8???????? 8b460c 53 55 6834010000 33ed }
            // n = 7, score = 1200
            //   b814000000           | mov                 eax, 0x14
            //   e8????????           |                     
            //   8b460c               | mov                 eax, dword ptr [esi + 0xc]
            //   53                   | push                ebx
            //   55                   | push                ebp
            //   6834010000           | push                0x134
            //   33ed                 | xor                 ebp, ebp

        // three-argument cdecl-style call: args pushed, call, then esp fixed up by 8
        $sequence_1 = { 8b4c240c 56 51 50 e8???????? 8bf0 83c408 }
            // n = 7, score = 1200
            //   8b4c240c             | mov                 ecx, dword ptr [esp + 0xc]
            //   56                   | push                esi
            //   51                   | push                ecx
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83c408               | add                 esp, 8

        // starts with a ret, i.e. the tail of one function followed by the
        // prologue of the next; the large fixed offsets (0xb10/0xb20) index
        // into a sizeable context structure — its layout is not known from here
        $sequence_2 = { c3 8b44240c 8b88200b0000 8bb8100b0000 8db0100b0000 89794c 8b7e04 }
            // n = 7, score = 1200
            //   c3                   | ret                 
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   8b88200b0000         | mov                 ecx, dword ptr [eax + 0xb20]
            //   8bb8100b0000         | mov                 edi, dword ptr [eax + 0xb10]
            //   8db0100b0000         | lea                 esi, [eax + 0xb10]
            //   89794c               | mov                 dword ptr [ecx + 0x4c], edi
            //   8b7e04               | mov                 edi, dword ptr [esi + 4]

        // two wildcarded calls, stack cleanup of 0x18, then epilogue pops
        $sequence_3 = { e8???????? 53 e8???????? 83c418 8b8c2440010000 5d 5b }
            // n = 7, score = 1200
            //   e8????????           |                     
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   8b8c2440010000       | mov                 ecx, dword ptr [esp + 0x140]
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx

        // short forward jump (rel8 is fixed, so not wildcarded) and a pointer
        // difference computed into edx
        $sequence_4 = { eb04 8b442410 8b4c2430 51 8bd6 57 2bd0 }
            // n = 7, score = 1200
            //   eb04                 | jmp                 6
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   8b4c2430             | mov                 ecx, dword ptr [esp + 0x30]
            //   51                   | push                ecx
            //   8bd6                 | mov                 edx, esi
            //   57                   | push                edi
            //   2bd0                 | sub                 edx, eax

        // null check on esi before dereferencing [esi] and [esi+4]
        $sequence_5 = { 85f6 743c 8b06 50 e8???????? 8b4e04 51 }
            // n = 7, score = 1200
            //   85f6                 | test                esi, esi
            //   743c                 | je                  0x3e
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   51                   | push                ecx

        // push 0x36e (878) followed by a push of a wildcarded imm32 (68), which
        // is typically an address and therefore masked
        $sequence_6 = { be01000000 8b5314 8b4310 686e030000 68???????? 52 33ff }
            // n = 7, score = 1200
            //   be01000000           | mov                 esi, 1
            //   8b5314               | mov                 edx, dword ptr [ebx + 0x14]
            //   8b4310               | mov                 eax, dword ptr [ebx + 0x10]
            //   686e030000           | push                0x36e
            //   68????????           |                     
            //   52                   | push                edx
            //   33ff                 | xor                 edi, edi

        // signed check of a call's return value (jle), i.e. a <= 0 error path
        $sequence_7 = { e8???????? 83c404 85c0 7e4d 8b838c000000 56 50 }
            // n = 7, score = 1200
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   7e4d                 | jle                 0x4f
            //   8b838c000000         | mov                 eax, dword ptr [ebx + 0x8c]
            //   56                   | push                esi
            //   50                   | push                eax

        // NOTE(review): xor / rotate-right-by-12 / add on stack-resident state
        // looks like one step of an ARX-style mixing or hashing routine —
        // inferred from the instruction shape only, confirm against a sample
        $sequence_8 = { 8b5c243c 896c2450 33dd c1cb0c 895c243c 8b6c247c 03eb }
            // n = 7, score = 1200
            //   8b5c243c             | mov                 ebx, dword ptr [esp + 0x3c]
            //   896c2450             | mov                 dword ptr [esp + 0x50], ebp
            //   33dd                 | xor                 ebx, ebp
            //   c1cb0c               | ror                 ebx, 0xc
            //   895c243c             | mov                 dword ptr [esp + 0x3c], ebx
            //   8b6c247c             | mov                 ebp, dword ptr [esp + 0x7c]
            //   03eb                 | add                 ebp, ebx

        // call result moved to esi and null-checked before use
        $sequence_9 = { e8???????? 8bf0 85f6 7420 8b442410 8b4c240c 50 }
            // n = 7, score = 1200
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7420                 | je                  0x22
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   8b4c240c             | mov                 ecx, dword ptr [esp + 0xc]
            //   50                   | push                eax

    condition:
        // any 7 of the 10 sequences; the size cap keeps the rule off large
        // inputs where short byte runs are more likely to collide by chance
        7 of them and filesize < 3162112
}
[TLP:WHITE] win_electricfish_w0   (20190815 | HiddenCobraElectricFish)
/*
 * win_electricfish_w0: string-based signature for ELECTRICFISH (HiddenCobra),
 * contributed by AlienVault Labs.  Unlike the autogenerated code-sequence
 * rule, it keys on three literal strings and additionally requires the MZ
 * magic, so it targets PE images (on disk, or dumped with an intact header).
 */
rule win_electricfish_w0 {   
      meta:   
          author = "AlienVault Labs"   
          type = "malware"   
          description = "HiddenCobraElectricFish"   
          copyright = "Alienvault Inc. 2019"   
          // two 64-hex-digit values, consistent with SHA-256 hashes of the
          // samples the strings were taken from
          reference = "a3a1a43f0e631c10ab42e5404b61580e760e7d6f849ab8eb5848057a8c60cda2,7efe8a7ad9c6a6146bddd5aef9ceba477ca6973203a41f4b7f823095a90cb10f"   
          malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.electricfish"
          malpedia_version = "20190815"
          malpedia_license = "CC BY-NC-SA 4.0"
          malpedia_sharing = "TLP:WHITE"
      strings:   
          // $x1/$x2 read like log or trace markers ("LOG ===>", "<==RECV===");
          // presumably the send and receive sides of the tunnel — confirm against a sample
          $x1 = "CCGC_LOG ===>"   
          $x2 = "<==RECV==="   
          // NOTE(review): a low-entropy 16-byte literal that could also occur in
          // benign test data; it is the weakest of the three and is only
          // meaningful because the condition requires all strings together
          $x3 = "aaaabbbbccccdddd"   
      condition:   
           // 0x5a4d is "MZ" read little-endian: restrict to PE files.  The
           // strings carry no modifiers, so YARA matches them as plain ASCII
           // only; UTF-16 (wide) variants would not be detected by this rule
           uint16(0) == 0x5a4d and all of them   
}