win.electricfish

ELECTRICFISH

Actor(s): Lazarus Group


The application is a command-line utility whose primary purpose is to tunnel traffic between two IP addresses. It accepts command-line arguments that configure a destination IP address and port, a source IP address and port, a proxy IP address and port, and a username and password that can be used to authenticate with a proxy server. It will attempt to establish TCP sessions with the source IP address and the destination IP address. If a connection is made to both the source and destination IPs, this malicious utility implements a custom protocol that allows traffic to be tunneled rapidly and efficiently between the two machines. If necessary, the malware can authenticate with a proxy in order to reach the destination IP address. A configured proxy server is not required for this utility.

References
2020-02-19 — Lexfo — Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-13 — Qianxin — Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-05-09 — CISA — CISA
@online{cisa:20190509:malware:0fa3b40, author = {CISA}, title = {{Malware Analysis Report (AR19-129A)}}, date = {2019-05-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR19-129A}, language = {English}, urldate = {2020-01-08} } Malware Analysis Report (AR19-129A)
ELECTRICFISH Lazarus Group
Yara Rules
[TLP:WHITE] win_electricfish_auto (20220411 | Detects win.electricfish.)
rule win_electricfish_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.electricfish."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.electricfish"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Each $sequence_N below is a hex pattern of 7 instructions that must
     * occur contiguously in the scanned object. The "????????" groups are
     * wildcards: each follows an e8 (near call) opcode, so the 4-byte
     * relative call target is masked and the pattern does not depend on the
     * sample's exact code layout. In the per-sequence annotations, "n" is the
     * instruction count and "score" is the generator's selection metric
     * (yara-signator metadata, left as generated). */
    strings:
        $sequence_0 = { c744241400000000 56 e8???????? 57 e8???????? 55 e8???????? }
            // n = 7, score = 1200
            //   c744241400000000     | mov                 dword ptr [esp + 0x14], 0
            //   56                   | push                esi
            //   e8????????           |                     
            //   57                   | push                edi
            //   e8????????           |                     
            //   55                   | push                ebp
            //   e8????????           |                     

        $sequence_1 = { c3 837c240c00 740f 8b442408 8b8030010000 c1e806 eb0d }
            // n = 7, score = 1200
            //   c3                   | ret                 
            //   837c240c00           | cmp                 dword ptr [esp + 0xc], 0
            //   740f                 | je                  0x11
            //   8b442408             | mov                 eax, dword ptr [esp + 8]
            //   8b8030010000         | mov                 eax, dword ptr [eax + 0x130]
            //   c1e806               | shr                 eax, 6
            //   eb0d                 | jmp                 0xf

        $sequence_2 = { f7da 56 894c241c 897c2414 89542428 e8???????? 83c404 }
            // n = 7, score = 1200
            //   f7da                 | neg                 edx
            //   56                   | push                esi
            //   894c241c             | mov                 dword ptr [esp + 0x1c], ecx
            //   897c2414             | mov                 dword ptr [esp + 0x14], edi
            //   89542428             | mov                 dword ptr [esp + 0x28], edx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_3 = { e8???????? 83c404 3bd8 0f8c60ffffff 8b742410 837e0400 7575 }
            // n = 7, score = 1200
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   3bd8                 | cmp                 ebx, eax
            //   0f8c60ffffff         | jl                  0xffffff66
            //   8b742410             | mov                 esi, dword ptr [esp + 0x10]
            //   837e0400             | cmp                 dword ptr [esi + 4], 0
            //   7575                 | jne                 0x77

        $sequence_4 = { e8???????? 83c414 c3 56 e8???????? 55 6a00 }
            // n = 7, score = 1200
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   c3                   | ret                 
            //   56                   | push                esi
            //   e8????????           |                     
            //   55                   | push                ebp
            //   6a00                 | push                0

        $sequence_5 = { e8???????? 83c40c 85c0 0f84edfeffff 8b442418 55 50 }
            // n = 7, score = 1200
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   0f84edfeffff         | je                  0xfffffef3
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   55                   | push                ebp
            //   50                   | push                eax

        $sequence_6 = { f6475420 7511 5e 5d 33c0 5b 83c408 }
            // n = 7, score = 1200
            //   f6475420             | test                byte ptr [edi + 0x54], 0x20
            //   7511                 | jne                 0x13
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   33c0                 | xor                 eax, eax
            //   5b                   | pop                 ebx
            //   83c408               | add                 esp, 8

        $sequence_7 = { c744240c0c000000 eb28 81fdc8000000 7c0a c744240c0f000000 eb16 33c0 }
            // n = 7, score = 1200
            //   c744240c0c000000     | mov                 dword ptr [esp + 0xc], 0xc
            //   eb28                 | jmp                 0x2a
            //   81fdc8000000         | cmp                 ebp, 0xc8
            //   7c0a                 | jl                  0xc
            //   c744240c0f000000     | mov                 dword ptr [esp + 0xc], 0xf
            //   eb16                 | jmp                 0x18
            //   33c0                 | xor                 eax, eax

        $sequence_8 = { eb0a 50 51 e8???????? 83c408 3bc5 0f8497000000 }
            // n = 7, score = 1200
            //   eb0a                 | jmp                 0xc
            //   50                   | push                eax
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   3bc5                 | cmp                 eax, ebp
            //   0f8497000000         | je                  0x9d

        $sequence_9 = { 83c408 898678020000 83c8ff 5f 898680020000 899e84020000 898688020000 }
            // n = 7, score = 1200
            //   83c408               | add                 esp, 8
            //   898678020000         | mov                 dword ptr [esi + 0x278], eax
            //   83c8ff               | or                  eax, 0xffffffff
            //   5f                   | pop                 edi
            //   898680020000         | mov                 dword ptr [esi + 0x280], eax
            //   899e84020000         | mov                 dword ptr [esi + 0x284], ebx
            //   898688020000         | mov                 dword ptr [esi + 0x288], eax

    /* Match requires any 7 of the 10 sequences above, and the scanned file
     * must be smaller than 3162112 bytes (~3 MiB). The size cap bounds the
     * rule to the size class of the reference sample and keeps scan cost
     * down on large unrelated binaries; raise it if matching memory dumps
     * or repacked builds that exceed it. */
    condition:
        7 of them and filesize < 3162112
}
[TLP:WHITE] win_electricfish_w0   (20190815 | HiddenCobraElectricFish)
rule win_electricfish_w0 {
    // AlienVault Labs signature for ELECTRICFISH (HiddenCobra tunneler):
    // a PE image that contains all three plaintext literals listed under
    // strings. The sample hashes the rule was derived from are in `reference`.
    meta:
        author = "AlienVault Labs"
        type = "malware"
        description = "HiddenCobraElectricFish"
        copyright = "Alienvault Inc. 2019"
        reference = "a3a1a43f0e631c10ab42e5404b61580e760e7d6f849ab8eb5848057a8c60cda2,7efe8a7ad9c6a6146bddd5aef9ceba477ca6973203a41f4b7f823095a90cb10f"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.electricfish"
        malpedia_version = "20190815"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // `ascii` is YARA's default for text strings; spelled out so the
        // encoding the rule matches is explicit.
        $x1 = "CCGC_LOG ===>" ascii          // log-line prefix
        $x2 = "<==RECV===" ascii             // receive-side marker
        $x3 = "aaaabbbbccccdddd" ascii       // fixed 16-byte literal
    condition:
        // every $x* literal must be present, and the file must start with
        // the "MZ" DOS header (0x5A4D little-endian)
        all of ($x*)
        and uint16(0) == 0x5A4D
}