win.flawedgrace

FlawedGrace

aka: GraceWire

Actor(s): TA505


According to Proofpoint, FlawedGrace is written in C++ and can be categorized as a Remote Access Trojan (RAT). It appears to have been developed mainly in the second half of 2017.

FlawedGrace supports the following set of commands, listed here for reference:
* desktop_stat
* destroy_os
* target_download
* target_module_load
* target_module_load_external
* target_module_unload
* target_passwords
* target_rdp
* target_reboot
* target_remove
* target_script
* target_servers
* target_update
* target_upload

References
2020-08-20 | CERT-FR | CERT-FR
@techreport{certfr:20200820:development:d518522, author = {CERT-FR}, title = {{Development of the Activity of the TA505 Cybercriminal Group}}, date = {2020-08-20}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf}, language = {English}, urldate = {2020-08-28} }
Families: AndroMut, Bart, Clop, Dridex, FlawedAmmyy, FlawedGrace, Get2, Locky, Marap, QuantLoader, SDBbot, ServHelper, tRat, TrickBot
2020-06-22 | CERT-FR | CERT-FR (in French: "Évolution de l'activité du groupe cybercriminel TA505", i.e. "Evolution of the Activity of the TA505 Cybercriminal Group")
@techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution de l'activité du groupe cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} }
Families: Amadey, AndroMut, Bart, Clop, Dridex, FlawedGrace, Gandcrab, Get2, GlobeImposter, Jaff, Locky, Marap, Philadephia Ransom, QuantLoader, Scarab Ransomware, SDBbot, ServHelper, Silence, tRat, TrickBot
2020-06-17 | Twitter (@MsftSecIntel) | Microsoft Security Intelligence
@online{intelligence:20200617:thread:b4b74d5, author = {Microsoft Security Intelligence}, title = {{A tweet thread on TA505 using CAPTCHA to avoid detection and infecting victims with FlawedGrace}}, date = {2020-06-17}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1273359829390655488}, language = {English}, urldate = {2020-06-18} }
Families: FlawedGrace
2020-05-21 | Intel 471 | Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} }
Families: AndroMut, Bart, Dridex, FlawedAmmyy, FlawedGrace, Gandcrab, Get2, GlobeImposter, Jaff, Kegotip, Locky, Necurs, Philadephia Ransom, Pony, QuantLoader, Rockloader, SDBbot, ServHelper, Shifu, Snatch, TrickBot
2020-03-26 | Telekom | Thomas Barabosch
@online{barabosch:20200326:ta505s:24d9805, author = {Thomas Barabosch}, title = {{TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer}}, date = {2020-03-26}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672}, language = {English}, urldate = {2020-03-27} }
Families: Amadey, Azorult, Clop, FlawedGrace, Get2, SDBbot, Silence, TinyMet; Actor: TA505
2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} }
Families: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare; Actor: Axiom
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} }
Families: Chrysaor, Exodus, Dacls, elf.vpnfilter, DNSRat, Griffon, KopiLuwak, More_eggs, SQLRat, AppleJeus, BONDUPDATER, Agent.BTZ, Anchor, AndroMut, AppleJeus, BOOSTWRITE, Brambul, Carbanak, Cobalt Strike, Dacls, DistTrack, DNSpionage, Dtrack, ELECTRICFISH, FlawedAmmyy, FlawedGrace, Get2, Grateful POS, HOPLIGHT, Imminent Monitor RAT, jason, Joanap, KerrDown, KEYMARBLE, Lambert, LightNeuron, LoJax, MiniDuke, PolyglotDuke, PowerRatankba, Rising Sun, SDBbot, ServHelper, Snatch, Stuxnet, TinyMet, tRat, TrickBot, Volgmer, X-Agent, Zebrocy
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:f38f910, author = {SecureWorks}, title = {{GOLD TAHOE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-tahoe}, language = {English}, urldate = {2020-05-23} }
Families: Clop, FlawedAmmyy, FlawedGrace, Get2, SDBbot, ServHelper; Actor: TA505
2019-01-14 | Möbius Strip Reverse Engineering | Rolf Rolles
@online{rolles:20190114:quick:42a2552, author = {Rolf Rolles}, title = {{A Quick Solution to an Ugly Reverse Engineering Problem}}, date = {2019-01-14}, organization = {Möbius Strip Reverse Engineering}, url = {https://www.msreverseengineering.com/blog/2019/1/14/a-quick-solution-to-an-ugly-reverse-engineering-problem}, language = {English}, urldate = {2020-01-13} }
Families: FlawedGrace
2019-01-09 | Proofpoint | Dennis Schwarz, Proofpoint Staff
@online{schwarz:20190109:servhelper:e20586c, author = {Dennis Schwarz and Proofpoint Staff}, title = {{ServHelper and FlawedGrace - New malware introduced by TA505}}, date = {2019-01-09}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505}, language = {English}, urldate = {2019-12-20} }
Families: FlawedGrace, ServHelper
Yara Rules
[TLP:WHITE] win_flawedgrace_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_flawedgrace_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedgrace"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 660f1345c4 8b460c 85c0 7415 8b4f18 8d1480 8b04d1 }
            // n = 7, score = 100
            //   660f1345c4           | movlpd              qword ptr [ebp - 0x3c], xmm0
            //   8b460c               | mov                 eax, dword ptr [esi + 0xc]
            //   85c0                 | test                eax, eax
            //   7415                 | je                  0x17
            //   8b4f18               | mov                 ecx, dword ptr [edi + 0x18]
            //   8d1480               | lea                 edx, [eax + eax*4]
            //   8b04d1               | mov                 eax, dword ptr [ecx + edx*8]

        $sequence_1 = { 8954f104 8d04f1 8b4de0 8908 8b4f18 8945dc 8b45e4 }
            // n = 7, score = 100
            //   8954f104             | mov                 dword ptr [ecx + esi*8 + 4], edx
            //   8d04f1               | lea                 eax, [ecx + esi*8]
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   8908                 | mov                 dword ptr [eax], ecx
            //   8b4f18               | mov                 ecx, dword ptr [edi + 0x18]
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]

        $sequence_2 = { ff15???????? 6808020000 6a00 8944241c ffd7 50 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   6808020000           | push                0x208
            //   6a00                 | push                0
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   ffd7                 | call                edi
            //   50                   | push                eax

        $sequence_3 = { 8b4810 898d00c0ffff 8b9500c0ffff 8a02 8885b4c0ffff 8b8dfcbfffff 3a01 }
            // n = 7, score = 100
            //   8b4810               | mov                 ecx, dword ptr [eax + 0x10]
            //   898d00c0ffff         | mov                 dword ptr [ebp - 0x4000], ecx
            //   8b9500c0ffff         | mov                 edx, dword ptr [ebp - 0x4000]
            //   8a02                 | mov                 al, byte ptr [edx]
            //   8885b4c0ffff         | mov                 byte ptr [ebp - 0x3f4c], al
            //   8b8dfcbfffff         | mov                 ecx, dword ptr [ebp - 0x4004]
            //   3a01                 | cmp                 al, byte ptr [ecx]

        $sequence_4 = { c68520c3ffff00 c68521c3ffff00 c68522c3ffff00 c68523c3ffff00 c68524c3ffff00 c68525c3ffff10 c68526c3ffff00 }
            // n = 7, score = 100
            //   c68520c3ffff00       | mov                 byte ptr [ebp - 0x3ce0], 0
            //   c68521c3ffff00       | mov                 byte ptr [ebp - 0x3cdf], 0
            //   c68522c3ffff00       | mov                 byte ptr [ebp - 0x3cde], 0
            //   c68523c3ffff00       | mov                 byte ptr [ebp - 0x3cdd], 0
            //   c68524c3ffff00       | mov                 byte ptr [ebp - 0x3cdc], 0
            //   c68525c3ffff10       | mov                 byte ptr [ebp - 0x3cdb], 0x10
            //   c68526c3ffff00       | mov                 byte ptr [ebp - 0x3cda], 0

        $sequence_5 = { c3 837f2c00 762c b801000000 3bf0 7616 8b4f1c }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   837f2c00             | cmp                 dword ptr [edi + 0x2c], 0
            //   762c                 | jbe                 0x2e
            //   b801000000           | mov                 eax, 1
            //   3bf0                 | cmp                 esi, eax
            //   7616                 | jbe                 0x18
            //   8b4f1c               | mov                 ecx, dword ptr [edi + 0x1c]

        $sequence_6 = { 8bec 83ec18 53 8bd9 c645ff01 56 }
            // n = 6, score = 100
            //   8bec                 | mov                 ebp, esp
            //   83ec18               | sub                 esp, 0x18
            //   53                   | push                ebx
            //   8bd9                 | mov                 ebx, ecx
            //   c645ff01             | mov                 byte ptr [ebp - 1], 1
            //   56                   | push                esi

        $sequence_7 = { 0fb6c3 8b5dec 331485e0b34500 33579c 8bc2 c1e808 0fb6c8 }
            // n = 7, score = 100
            //   0fb6c3               | movzx               eax, bl
            //   8b5dec               | mov                 ebx, dword ptr [ebp - 0x14]
            //   331485e0b34500       | xor                 edx, dword ptr [eax*4 + 0x45b3e0]
            //   33579c               | xor                 edx, dword ptr [edi - 0x64]
            //   8bc2                 | mov                 eax, edx
            //   c1e808               | shr                 eax, 8
            //   0fb6c8               | movzx               ecx, al

        $sequence_8 = { c68576d4ffff83 c68577d4ffffec c68578d4ffff20 c68579d4ffff48 c6857ad4ffff8b c6857bd4ffff0d c6857cd4ffff1c }
            // n = 7, score = 100
            //   c68576d4ffff83       | mov                 byte ptr [ebp - 0x2b8a], 0x83
            //   c68577d4ffffec       | mov                 byte ptr [ebp - 0x2b89], 0xec
            //   c68578d4ffff20       | mov                 byte ptr [ebp - 0x2b88], 0x20
            //   c68579d4ffff48       | mov                 byte ptr [ebp - 0x2b87], 0x48
            //   c6857ad4ffff8b       | mov                 byte ptr [ebp - 0x2b86], 0x8b
            //   c6857bd4ffff0d       | mov                 byte ptr [ebp - 0x2b85], 0xd
            //   c6857cd4ffff1c       | mov                 byte ptr [ebp - 0x2b84], 0x1c

        $sequence_9 = { c68532f2fffffc c68533f2ffffe8 c68534f2ffffce c68535f2ffff02 c68536f2ffff00 c68537f2ffff00 c68538f2ffffa1 }
            // n = 7, score = 100
            //   c68532f2fffffc       | mov                 byte ptr [ebp - 0xdce], 0xfc
            //   c68533f2ffffe8       | mov                 byte ptr [ebp - 0xdcd], 0xe8
            //   c68534f2ffffce       | mov                 byte ptr [ebp - 0xdcc], 0xce
            //   c68535f2ffff02       | mov                 byte ptr [ebp - 0xdcb], 2
            //   c68536f2ffff00       | mov                 byte ptr [ebp - 0xdca], 0
            //   c68537f2ffff00       | mov                 byte ptr [ebp - 0xdc9], 0
            //   c68538f2ffffa1       | mov                 byte ptr [ebp - 0xdc8], 0xa1

    condition:
        7 of them and filesize < 966656
}
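The rule above is a plain YARA rule and should be run with yara or yara-python on unpacked samples and memory dumps. To make its mechanics visible without installing YARA, here is an added example (not part of Malpedia or yara-signator) that re-implements just what this rule needs: hex strings made of fixed bytes plus `??` wildcards (the call target in `$sequence_2`), the `7 of them` count, and the `filesize < 966656` bound. The ten sequences are copied verbatim from the rule; the buffer it scans is constructed inline, with the wildcarded call target in `$sequence_2` filled with an arbitrary address, and is not a real FlawedGrace sample.

```python
"""Toy matcher for the hex strings of win_flawedgrace_auto (added example)."""
import re

# The rule's ten sequences, copied from win_flawedgrace_auto above.
SEQUENCES = {
    "sequence_0": "660f1345c4 8b460c 85c0 7415 8b4f18 8d1480 8b04d1",
    "sequence_1": "8954f104 8d04f1 8b4de0 8908 8b4f18 8945dc 8b45e4",
    "sequence_2": "ff15???????? 6808020000 6a00 8944241c ffd7 50",
    "sequence_3": "8b4810 898d00c0ffff 8b9500c0ffff 8a02 8885b4c0ffff 8b8dfcbfffff 3a01",
    "sequence_4": "c68520c3ffff00 c68521c3ffff00 c68522c3ffff00 c68523c3ffff00 "
                  "c68524c3ffff00 c68525c3ffff10 c68526c3ffff00",
    "sequence_5": "c3 837f2c00 762c b801000000 3bf0 7616 8b4f1c",
    "sequence_6": "8bec 83ec18 53 8bd9 c645ff01 56",
    "sequence_7": "0fb6c3 8b5dec 331485e0b34500 33579c 8bc2 c1e808 0fb6c8",
    "sequence_8": "c68576d4ffff83 c68577d4ffffec c68578d4ffff20 c68579d4ffff48 "
                  "c6857ad4ffff8b c6857bd4ffff0d c6857cd4ffff1c",
    "sequence_9": "c68532f2fffffc c68533f2ffffe8 c68534f2ffffce c68535f2ffff02 "
                  "c68536f2ffff00 c68537f2ffff00 c68538f2ffffa1",
}
MIN_MATCHES = 7          # condition: "7 of them"
MAX_FILESIZE = 966656    # condition: "filesize < 966656"


def hex_string_to_regex(hex_string: str) -> re.Pattern:
    """Convert a YARA hex string (fixed bytes and ?? wildcards) into a bytes regex.

    Each "??" becomes a single-byte wildcard; everything else is escaped so
    bytes such as 0x2e or 0x5b are matched literally, not as regex syntax.
    """
    tokens = hex_string.replace(" ", "")
    if len(tokens) % 2:
        raise ValueError("odd-length hex string")
    parts = []
    for i in range(0, len(tokens), 2):
        pair = tokens[i:i + 2]
        if pair == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


PATTERNS = {name: hex_string_to_regex(h) for name, h in SEQUENCES.items()}


def match_sequences(data: bytes) -> dict:
    """Return {sequence name: [offsets]} for every sequence found in data."""
    hits = {}
    for name, pattern in PATTERNS.items():
        offsets = [m.start() for m in pattern.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule's condition: 7 of them and filesize < 966656."""
    return len(data) < MAX_FILESIZE and len(match_sequences(data)) >= MIN_MATCHES


def build_sample() -> bytes:
    """Constructed buffer (not a real sample): sequences 0-6 separated by
    int3 filler, with sequence_2's wildcarded call target set to 0x402010."""
    concrete = dict(SEQUENCES)
    concrete["sequence_2"] = "ff1510204000 6808020000 6a00 8944241c ffd7 50"
    chunks = [bytes.fromhex(concrete[f"sequence_{i}"]) for i in range(7)]
    return b"\x90" * 16 + (b"\xcc" * 8).join(chunks) + b"\x90" * 16


if __name__ == "__main__":
    sample = build_sample()
    for name, offsets in sorted(match_sequences(sample).items()):
        print(f"{name}: {[hex(o) for o in offsets]}")
    print("rule fires:", rule_matches(sample))
```

Two points worth noticing when you assign confidence to this rule: the `??` wildcards are the only thing that lets `$sequence_2` survive relocation of the imported function it calls, whereas the byte-for-byte sequences such as `$sequence_7` (which embeds the absolute table address `0x45b3e0`) will silently stop matching on a rebuilt or rebased binary; and the `7 of them` threshold means a dump that hits only six sequences is reported as clean, so treat partial hits as worth a manual look rather than as a negative.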