SYMBOLCOMMON_NAMEaka. SYNONYMS
win.elise (Back to overview)

Elise

aka: EVILNEST

Actor(s): Lotus Blossom


There is no description at this point.

References
2021-05-20Github (microsoft)Microsoft
@online{microsoft:20210520:microsoft:41112d3, author = {Microsoft}, title = {{Microsoft 365 Defender Hunting Queries for hunting multiple threat actors' TTPs and malwares}}, date = {2021-05-20}, organization = {Github (microsoft)}, url = {https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries}, language = {English}, urldate = {2021-05-25} } Microsoft 365 Defender Hunting Queries for hunting multiple threat actors' TTPs and malwares
STRRAT OceanLotus BabyShark Elise Revenge RAT WastedLocker Zebrocy
2020-04-07FireEyeMichael Bailey
@online{bailey:20200407:thinking:7ee19d0, author = {Michael Bailey}, title = {{Thinking Outside the Bochs: Code Grafting to Unpack Malware in Emulation}}, date = {2020-04-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/04/code-grafting-to-unpack-malware-in-emulation.html}, language = {English}, urldate = {2020-05-05} } Thinking Outside the Bochs: Code Grafting to Unpack Malware in Emulation
Elise
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:47c382d, author = {SecureWorks}, title = {{BRONZE ELGIN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-elgin}, language = {English}, urldate = {2020-05-23} } BRONZE ELGIN
Elise Lotus Blossom
2018-02-20Joe Security's BlogJoe Security
@online{security:20180220:latest:37f0c70, author = {Joe Security}, title = {{Latest Elise APT comes packed with Sandbox Evasions}}, date = {2018-02-20}, organization = {Joe Security's Blog}, url = {https://www.joesecurity.org/blog/8409877569366580427}, language = {English}, urldate = {2020-01-13} } Latest Elise APT comes packed with Sandbox Evasions
Elise
2018-01-27Accenture SecurityAccenture Security, Bart Parys
@techreport{security:20180127:latest:b5760c8, author = {Accenture Security and Bart Parys}, title = {{LATEST CYBER ESPIONAGE MALWARE ATTACKS - DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES}}, date = {2018-01-27}, institution = {Accenture Security}, url = {https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf}, language = {English}, urldate = {2020-07-13} } LATEST CYBER ESPIONAGE MALWARE ATTACKS - DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES
Elise
2018AccentureBart Parys, Joshua Ray
@techreport{parys:2018:dragonfish:68a7bc2, author = {Bart Parys and Joshua Ray}, title = {{Dragonfish delivers New Form of Elise Malware targeting ASEAN Defence Ministers' Meeting and Associates}}, date = {2018}, institution = {Accenture}, url = {https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf}, language = {English}, urldate = {2020-06-18} } Dragonfish delivers New Form of Elise Malware targeting ASEAN Defence Ministers' Meeting and Associates
Elise Lotus Blossom
2016-02-03Palo Alto Networks Unit 42Robert Falcone, Jen Miller-Osborn
@online{falcone:20160203:emissary:99f3e21, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?}}, date = {2016-02-03}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/}, language = {English}, urldate = {2019-12-20} } Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?
Elise
2015-06-17Kaspersky LabsKurt Baumgartner
@online{baumgartner:20150617:spring:dc116aa, author = {Kurt Baumgartner}, title = {{The Spring Dragon APT}}, date = {2015-06-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/70726/the-spring-dragon-apt/}, language = {English}, urldate = {2019-12-20} } The Spring Dragon APT
Elise Lotus Blossom
2015-02-06CrowdStrikeCrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2014Trend MicroUnknownUnknown
@techreport{unknownunknown:2014:targeted:341955b, author = {UnknownUnknown}, title = {{Targeted Attack Trends in Asia-Pacific}}, date = {2014}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/threat-reports/rpt-1h-2014-targeted-attack-trends-in-asia-pacific.pdf}, language = {English}, urldate = {2019-12-20} } Targeted Attack Trends in Asia-Pacific
Elise
Yara Rules
[TLP:WHITE] win_elise_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_elise_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.elise"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7509 394604 0f8404020000 8b4e40 33db 43 }
            // n = 6, score = 400
            //   7509                 | jne                 0xb
            //   394604               | cmp                 dword ptr [esi + 4], eax
            //   0f8404020000         | je                  0x20a
            //   8b4e40               | mov                 ecx, dword ptr [esi + 0x40]
            //   33db                 | xor                 ebx, ebx
            //   43                   | inc                 ebx

        $sequence_1 = { 8b4618 8bd1 2b5034 8b80a0000000 03c1 8b4804 57 }
            // n = 7, score = 400
            //   8b4618               | mov                 eax, dword ptr [esi + 0x18]
            //   8bd1                 | mov                 edx, ecx
            //   2b5034               | sub                 edx, dword ptr [eax + 0x34]
            //   8b80a0000000         | mov                 eax, dword ptr [eax + 0xa0]
            //   03c1                 | add                 eax, ecx
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   57                   | push                edi

        $sequence_2 = { 8b442408 894604 8bc6 e8???????? 85c0 0f8484000000 }
            // n = 6, score = 400
            //   8b442408             | mov                 eax, dword ptr [esp + 8]
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   8bc6                 | mov                 eax, esi
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f8484000000         | je                  0x8a

        $sequence_3 = { 7cf5 33c9 888f00010000 888f01010000 8bf7 }
            // n = 5, score = 400
            //   7cf5                 | jl                  0xfffffff7
            //   33c9                 | xor                 ecx, ecx
            //   888f00010000         | mov                 byte ptr [edi + 0x100], cl
            //   888f01010000         | mov                 byte ptr [edi + 0x101], cl
            //   8bf7                 | mov                 esi, edi

        $sequence_4 = { 83c60c 83c110 8945fc 8b41f8 8b11 }
            // n = 5, score = 400
            //   83c60c               | add                 esi, 0xc
            //   83c110               | add                 ecx, 0x10
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b41f8               | mov                 eax, dword ptr [ecx - 8]
            //   8b11                 | mov                 edx, dword ptr [ecx]

        $sequence_5 = { e8???????? 85c0 0f84d5000000 8b4508 0b450c 0f8471010000 837e1400 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f84d5000000         | je                  0xdb
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   0b450c               | or                  eax, dword ptr [ebp + 0xc]
            //   0f8471010000         | je                  0x177
            //   837e1400             | cmp                 dword ptr [esi + 0x14], 0

        $sequence_6 = { c6400c01 8b4820 8b5018 881c11 }
            // n = 4, score = 400
            //   c6400c01             | mov                 byte ptr [eax + 0xc], 1
            //   8b4820               | mov                 ecx, dword ptr [eax + 0x20]
            //   8b5018               | mov                 edx, dword ptr [eax + 0x18]
            //   881c11               | mov                 byte ptr [ecx + edx], bl

        $sequence_7 = { 837df807 8bd8 1bc0 83e0fd 83c00a 8945f8 }
            // n = 6, score = 400
            //   837df807             | cmp                 dword ptr [ebp - 8], 7
            //   8bd8                 | mov                 ebx, eax
            //   1bc0                 | sbb                 eax, eax
            //   83e0fd               | and                 eax, 0xfffffffd
            //   83c00a               | add                 eax, 0xa
            //   8945f8               | mov                 dword ptr [ebp - 8], eax

        $sequence_8 = { 8dbdb8fdffff ab ab ab }
            // n = 4, score = 400
            //   8dbdb8fdffff         | lea                 edi, [ebp - 0x248]
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax

        $sequence_9 = { 394d0c 770e 7205 395d08 7307 8b5d08 c645ff01 }
            // n = 7, score = 400
            //   394d0c               | cmp                 dword ptr [ebp + 0xc], ecx
            //   770e                 | ja                  0x10
            //   7205                 | jb                  7
            //   395d08               | cmp                 dword ptr [ebp + 8], ebx
            //   7307                 | jae                 9
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   c645ff01             | mov                 byte ptr [ebp - 1], 1

        $sequence_10 = { 85ff 7415 0fb616 33d0 }
            // n = 4, score = 300
            //   85ff                 | test                edi, edi
            //   7415                 | je                  0x17
            //   0fb616               | movzx               edx, byte ptr [esi]
            //   33d0                 | xor                 edx, eax

        $sequence_11 = { ff45f8 8b7df8 3b7d0c 0f8c7bffffff 5f 5e }
            // n = 6, score = 300
            //   ff45f8               | inc                 dword ptr [ebp - 8]
            //   8b7df8               | mov                 edi, dword ptr [ebp - 8]
            //   3b7d0c               | cmp                 edi, dword ptr [ebp + 0xc]
            //   0f8c7bffffff         | jl                  0xffffff81
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_12 = { 8365f800 837d0c00 8a8800010000 8a9001010000 0f8e93000000 }
            // n = 5, score = 300
            //   8365f800             | and                 dword ptr [ebp - 8], 0
            //   837d0c00             | cmp                 dword ptr [ebp + 0xc], 0
            //   8a8800010000         | mov                 cl, byte ptr [eax + 0x100]
            //   8a9001010000         | mov                 dl, byte ptr [eax + 0x101]
            //   0f8e93000000         | jle                 0x99

        $sequence_13 = { 885d88 e8???????? 83c40c 8d4580 50 8d4588 50 }
            // n = 7, score = 300
            //   885d88               | mov                 byte ptr [ebp - 0x78], bl
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d4580               | lea                 eax, [ebp - 0x80]
            //   50                   | push                eax
            //   8d4588               | lea                 eax, [ebp - 0x78]
            //   50                   | push                eax

        $sequence_14 = { 6a20 e8???????? 59 8bd8 }
            // n = 4, score = 300
            //   6a20                 | push                0x20
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8bd8                 | mov                 ebx, eax

        $sequence_15 = { 8d4e01 81e1ff000080 7908 49 81c900ffffff 41 0fb6f1 }
            // n = 7, score = 300
            //   8d4e01               | lea                 ecx, [esi + 1]
            //   81e1ff000080         | and                 ecx, 0x800000ff
            //   7908                 | jns                 0xa
            //   49                   | dec                 ecx
            //   81c900ffffff         | or                  ecx, 0xffffff00
            //   41                   | inc                 ecx
            //   0fb6f1               | movzx               esi, cl

        $sequence_16 = { 81ca00ffffff 42 0fb6fa 8a1c07 881c06 8a5dff 881c07 }
            // n = 7, score = 300
            //   81ca00ffffff         | or                  edx, 0xffffff00
            //   42                   | inc                 edx
            //   0fb6fa               | movzx               edi, dl
            //   8a1c07               | mov                 bl, byte ptr [edi + eax]
            //   881c06               | mov                 byte ptr [esi + eax], bl
            //   8a5dff               | mov                 bl, byte ptr [ebp - 1]
            //   881c07               | mov                 byte ptr [edi + eax], bl

        $sequence_17 = { 1155f4 53 e8???????? 8bd8 8955ec }
            // n = 5, score = 300
            //   1155f4               | adc                 dword ptr [ebp - 0xc], edx
            //   53                   | push                ebx
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   8955ec               | mov                 dword ptr [ebp - 0x14], edx

        $sequence_18 = { 50 ff7580 e8???????? 85c0 }
            // n = 4, score = 300
            //   50                   | push                eax
            //   ff7580               | push                dword ptr [ebp - 0x80]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_19 = { 56 57 b99a000000 8d7510 }
            // n = 4, score = 300
            //   56                   | push                esi
            //   57                   | push                edi
            //   b99a000000           | mov                 ecx, 0x9a
            //   8d7510               | lea                 esi, [ebp + 0x10]

        $sequence_20 = { 81cb00ffffff 43 0fb6fb 8a1c07 }
            // n = 4, score = 300
            //   81cb00ffffff         | or                  ebx, 0xffffff00
            //   43                   | inc                 ebx
            //   0fb6fb               | movzx               edi, bl
            //   8a1c07               | mov                 bl, byte ptr [edi + eax]

    condition:
        7 of them and filesize < 204800
}
[TLP:WHITE] win_elise_w0   (20170517 | No description)
rule win_elise_w0 {
    meta:
        author = "ThreatConnect Intelligence Research Team - Wes Hurd"
        license = "Usage of this signature is subject to the ThreatConnect Terms of Service, which are incorporated herein by reference."
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Elise.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.elise"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $0E = "\\000ELISEA"
        $D = "~DF37382D8F2E.tmp" nocase wide ascii
        $SE = "SetElise.pdb" wide ascii
        $xpage = "/%x/page_%02d%02d%02d%02d.html" wide ascii
    condition:
        any of them
}
Download all Yara Rules