win.flawedgrace

FlawedGrace

aka: GraceWire

Actor(s): TA505


According to Proofpoint, FlawedGrace is written in C++ and can be categorized as a Remote Access Trojan (RAT). It appears to have been developed mainly in the second half of 2017.

FlawedGrace uses a series of commands, listed below for reference:
* desktop_stat
* destroy_os
* target_download
* target_module_load
* target_module_load_external
* target_module_unload
* target_passwords
* target_rdp
* target_reboot
* target_remove
* target_script
* target_servers
* target_update
* target_upload

References

* 2020-08-20, CERT-FR (CERT-FR): "Development of the Activity of the TA505 Cybercriminal Group", technical report, English. https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf (accessed 2020-08-28)
  Families: AndroMut, Bart, Clop, Dridex, FlawedAmmyy, FlawedGrace, Get2, Locky, Marap, QuantLoader, SDBbot, ServHelper, tRat, TrickBot
* 2020-06-22, CERT-FR (CERT-FR): "Évolution de l'activité du groupe cybercriminel TA505", technical report, French. https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf (accessed 2020-06-24)
  Families: Amadey, AndroMut, Bart, Clop, Dridex, FlawedGrace, Gandcrab, Get2, GlobeImposter, Jaff, Locky, Marap, Philadephia Ransom, QuantLoader, Scarab Ransomware, SDBbot, ServHelper, Silence, tRat, TrickBot
* 2020-06-17, Twitter (@MsftSecIntel), Microsoft Security Intelligence: "A tweet thread on TA505 using CAPTCHA to avoid detection and infecting victims with FlawedGrace", English. https://twitter.com/MsftSecIntel/status/1273359829390655488 (accessed 2020-06-18)
  Families: FlawedGrace
* 2020-05-21, Intel 471 (Intel 471): "A brief history of TA505", English. https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/ (accessed 2020-05-23)
  Families: AndroMut, Bart, Dridex, FlawedAmmyy, FlawedGrace, Gandcrab, Get2, GlobeImposter, Jaff, Kegotip, Locky, Necurs, Philadephia Ransom, Pony, QuantLoader, Rockloader, SDBbot, ServHelper, Shifu, Snatch, TrickBot
* 2020-03-26, Telekom, Thomas Barabosch: "TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer", English. https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672 (accessed 2020-03-27)
  Families: Amadey, Azorult, Clop, FlawedGrace, Get2, SDBbot, Silence, TinyMet, TA505
* 2020-03-03, PWC UK (PWC UK): "Cyber Threats 2019: A Year in Retrospect", technical report, English. https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf (accessed 2020-03-03)
  Families: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare, Axiom
* 2020-02-13, Qianxin, Qi Anxin Threat Intelligence Center: "APT Report 2019", technical report, English. https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf (accessed 2020-02-27)
  Families: Chrysaor, Exodus, Dacls, elf.vpnfilter, DNSRat, Griffon, KopiLuwak, More_eggs, SQLRat, AppleJeus, BONDUPDATER, Agent.BTZ, Anchor, AndroMut, AppleJeus, BOOSTWRITE, Brambul, Carbanak, Cobalt Strike, Dacls, DistTrack, DNSpionage, Dtrack, ELECTRICFISH, FlawedAmmyy, FlawedGrace, Get2, Grateful POS, HOPLIGHT, Imminent Monitor RAT, jason, Joanap, KerrDown, KEYMARBLE, Lambert, LightNeuron, LoJax, MiniDuke, PolyglotDuke, PowerRatankba, Rising Sun, SDBbot, ServHelper, Snatch, Stuxnet, TinyMet, tRat, TrickBot, Volgmer, X-Agent, Zebrocy
* 2020, Secureworks (SecureWorks): "GOLD TAHOE", English. https://www.secureworks.com/research/threat-profiles/gold-tahoe (accessed 2020-05-23)
  Families: Clop, FlawedAmmyy, FlawedGrace, Get2, SDBbot, ServHelper, TA505
* 2019-01-14, Möbius Strip Reverse Engineering, Rolf Rolles: "A Quick Solution to an Ugly Reverse Engineering Problem", English. https://www.msreverseengineering.com/blog/2019/1/14/a-quick-solution-to-an-ugly-reverse-engineering-problem (accessed 2020-01-13)
  Families: FlawedGrace
* 2019-01-09, Proofpoint, Dennis Schwarz and Proofpoint Staff: "ServHelper and FlawedGrace - New malware introduced by TA505", English. https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505 (accessed 2019-12-20)
  Families: FlawedGrace, ServHelper
Yara Rules
[TLP:WHITE] win_flawedgrace_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_flawedgrace_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedgrace"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b04958cf94500 8985ccf6ffff 85c0 757c 50 8985d4f4ffff 89855cfcffff }
            // n = 7, score = 100
            //   8b04958cf94500       | mov                 eax, dword ptr [edx*4 + 0x45f98c]
            //   8985ccf6ffff         | mov                 dword ptr [ebp - 0x934], eax
            //   85c0                 | test                eax, eax
            //   757c                 | jne                 0x7e
            //   50                   | push                eax
            //   8985d4f4ffff         | mov                 dword ptr [ebp - 0xb2c], eax
            //   89855cfcffff         | mov                 dword ptr [ebp - 0x3a4], eax

        $sequence_1 = { 034dec 894a18 1345e4 8b4de0 89421c 8b5508 2b55ec }
            // n = 7, score = 100
            //   034dec               | add                 ecx, dword ptr [ebp - 0x14]
            //   894a18               | mov                 dword ptr [edx + 0x18], ecx
            //   1345e4               | adc                 eax, dword ptr [ebp - 0x1c]
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   89421c               | mov                 dword ptr [edx + 0x1c], eax
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   2b55ec               | sub                 edx, dword ptr [ebp - 0x14]

        $sequence_2 = { e8???????? 83c404 84c0 7517 8b4dfc 8b5118 8b5c1714 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   84c0                 | test                al, al
            //   7517                 | jne                 0x19
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b5118               | mov                 edx, dword ptr [ecx + 0x18]
            //   8b5c1714             | mov                 ebx, dword ptr [edi + edx + 0x14]

        $sequence_3 = { 83c408 85f6 7427 6a00 6a00 6a01 6a00 }
            // n = 7, score = 100
            //   83c408               | add                 esp, 8
            //   85f6                 | test                esi, esi
            //   7427                 | je                  0x29
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   6a00                 | push                0

        $sequence_4 = { 2bc6 50 8d041e 50 ff7710 ff15???????? 85c0 }
            // n = 7, score = 100
            //   2bc6                 | sub                 eax, esi
            //   50                   | push                eax
            //   8d041e               | lea                 eax, [esi + ebx]
            //   50                   | push                eax
            //   ff7710               | push                dword ptr [edi + 0x10]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_5 = { 3a83a0fb4500 7408 3a83a4fb4500 754a 8bcf e8???????? 43 }
            // n = 7, score = 100
            //   3a83a0fb4500         | cmp                 al, byte ptr [ebx + 0x45fba0]
            //   7408                 | je                  0xa
            //   3a83a4fb4500         | cmp                 al, byte ptr [ebx + 0x45fba4]
            //   754a                 | jne                 0x4c
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   43                   | inc                 ebx

        $sequence_6 = { 2b85d8f6ffff 8985c8f6ffff 0f8599fcffff 8b8db4f6ffff 85c9 0f84e2000000 8b3c8d8cf94500 }
            // n = 7, score = 100
            //   2b85d8f6ffff         | sub                 eax, dword ptr [ebp - 0x928]
            //   8985c8f6ffff         | mov                 dword ptr [ebp - 0x938], eax
            //   0f8599fcffff         | jne                 0xfffffc9f
            //   8b8db4f6ffff         | mov                 ecx, dword ptr [ebp - 0x94c]
            //   85c9                 | test                ecx, ecx
            //   0f84e2000000         | je                  0xe8
            //   8b3c8d8cf94500       | mov                 edi, dword ptr [ecx*4 + 0x45f98c]

        $sequence_7 = { c68557cfffff73 c68558cfffff4d c68559cfffff03 c6855acfffffe5 c6855bcfffff49 c6855ccfffff8b c6855dcfffffcc }
            // n = 7, score = 100
            //   c68557cfffff73       | mov                 byte ptr [ebp - 0x30a9], 0x73
            //   c68558cfffff4d       | mov                 byte ptr [ebp - 0x30a8], 0x4d
            //   c68559cfffff03       | mov                 byte ptr [ebp - 0x30a7], 3
            //   c6855acfffffe5       | mov                 byte ptr [ebp - 0x30a6], 0xe5
            //   c6855bcfffff49       | mov                 byte ptr [ebp - 0x30a5], 0x49
            //   c6855ccfffff8b       | mov                 byte ptr [ebp - 0x30a4], 0x8b
            //   c6855dcfffffcc       | mov                 byte ptr [ebp - 0x30a3], 0xcc

        $sequence_8 = { 8b03 8bcb 6a01 ff10 8b45fc 5e 5b }
            // n = 7, score = 100
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   8bcb                 | mov                 ecx, ebx
            //   6a01                 | push                1
            //   ff10                 | call                dword ptr [eax]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_9 = { 894e2c 334ddc 894e10 33cf 8b7d0c 8b75f0 33f2 }
            // n = 7, score = 100
            //   894e2c               | mov                 dword ptr [esi + 0x2c], ecx
            //   334ddc               | xor                 ecx, dword ptr [ebp - 0x24]
            //   894e10               | mov                 dword ptr [esi + 0x10], ecx
            //   33cf                 | xor                 ecx, edi
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   8b75f0               | mov                 esi, dword ptr [ebp - 0x10]
            //   33f2                 | xor                 esi, edx

    condition:
        7 of them and filesize < 966656
}