win.flawedgrace

FlawedGrace

aka: GraceWire

Actor(s): TA505


According to Proofpoint, FlawedGrace is written in C++ and can be categorized as a Remote Access Trojan (RAT). It appears to have been developed mainly in the second half of 2017.

FlawedGrace supports the following commands, listed here for reference:
* desktop_stat
* destroy_os
* target_download
* target_module_load
* target_module_load_external
* target_module_unload
* target_passwords
* target_rdp
* target_reboot
* target_remove
* target_script
* target_servers
* target_update
* target_upload

References

* 2020-06-22, CERT-FR: "Évolution De L'activité du Groupe Cybercriminel TA505" (technical report, French). https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf
  Families covered: Amadey, AndroMut, Bart, Clop, Dridex, FlawedGrace, Gandcrab, Get2, GlobeImposter, Jaff, Locky, Marap, Philadephia Ransom, QuantLoader, Scarab Ransomware, SDBbot, ServHelper, Silence, tRat, TrickBot
* 2020-06-17, Microsoft Security Intelligence (Twitter, @MsftSecIntel): "A tweet thread on TA505 using CAPTCHA to avoid detection and infecting victims with FlawedGrace". https://twitter.com/MsftSecIntel/status/1273359829390655488
  Families covered: FlawedGrace
* 2020-05-21, Intel 471: "A brief history of TA505". https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/
  Families covered: AndroMut, Bart, Dridex, FlawedAmmyy, FlawedGrace, Gandcrab, Get2, GlobeImposter, Jaff, Kegotip, Locky, Necurs, Philadephia Ransom, Pony, QuantLoader, Rockloader, SDBbot, ServHelper, Shifu, Snatch, TrickBot
* 2020-03-26, Thomas Barabosch (Telekom): "TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer". https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672
  Families covered: Amadey, Azorult, Clop, FlawedGrace, Get2, SDBbot, Silence, TinyMet, TA505
* 2020-03-03, PWC UK: "Cyber Threats 2019: A Year in Retrospect" (technical report). https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
  Families covered: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare
* 2020-02-13, Qi Anxin Threat Intelligence Center (Qianxin): "APT Report 2019" (technical report). https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
  Families covered: Chrysaor, Exodus, Dacls, elf.vpnfilter, DNSRat, Griffon, KopiLuwak, More_eggs, SQLRat, AppleJeus, BONDUPDATER, Agent.BTZ, Anchor, AndroMut, AppleJeus, BOOSTWRITE, Brambul, Carbanak, Cobalt Strike, Dacls, DistTrack, DNSpionage, Dtrack, ELECTRICFISH, FlawedAmmyy, FlawedGrace, Get2, Grateful POS, HOPLIGHT, Imminent Monitor RAT, jason, Joanap, KerrDown, KEYMARBLE, Lambert, LightNeuron, LoJax, MiniDuke, PolyglotDuke, PowerRatankba, Rising Sun, SDBbot, ServHelper, Snatch, Stuxnet, TinyMet, tRat, TrickBot, Volgmer, X-Agent, Zebrocy
* 2020, SecureWorks: "GOLD TAHOE" (threat profile). https://www.secureworks.com/research/threat-profiles/gold-tahoe
  Families covered: Clop, FlawedAmmyy, FlawedGrace, Get2, SDBbot, ServHelper, TA505
* 2019-01-14, Rolf Rolles (Möbius Strip Reverse Engineering): "A Quick Solution to an Ugly Reverse Engineering Problem". https://www.msreverseengineering.com/blog/2019/1/14/a-quick-solution-to-an-ugly-reverse-engineering-problem
  Families covered: FlawedGrace
* 2019-01-09, Dennis Schwarz and Proofpoint Staff (Proofpoint): "ServHelper and FlawedGrace - New malware introduced by TA505". https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505
  Families covered: FlawedGrace, ServHelper
Yara Rules
[TLP:WHITE] win_flawedgrace_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_flawedgrace_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedgrace"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b5dfc 8d7324 56 ff15???????? 8d4b1c 8bd7 e8???????? }
            // n = 7, score = 200
            //   8b5dfc               | mov                 ebx, dword ptr [ebp - 4]
            //   8d7324               | lea                 esi, [ebx + 0x24]
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8d4b1c               | lea                 ecx, [ebx + 0x1c]
            //   8bd7                 | mov                 edx, edi
            //   e8????????           |                     

        $sequence_1 = { 7604 8bf2 2bf1 8b470c 56 03c1 50 }
            // n = 7, score = 200
            //   7604                 | jbe                 6
            //   8bf2                 | mov                 esi, edx
            //   2bf1                 | sub                 esi, ecx
            //   8b470c               | mov                 eax, dword ptr [edi + 0xc]
            //   56                   | push                esi
            //   03c1                 | add                 eax, ecx
            //   50                   | push                eax

        $sequence_2 = { 8be5 5d c20400 8bc3 8b4df4 64890d00000000 }
            // n = 6, score = 200
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   8bc3                 | mov                 eax, ebx
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx

        $sequence_3 = { b954555515 8b4304 2bc8 83f901 7230 8d4801 894b04 }
            // n = 7, score = 200
            //   b954555515           | mov                 ecx, 0x15555554
            //   8b4304               | mov                 eax, dword ptr [ebx + 4]
            //   2bc8                 | sub                 ecx, eax
            //   83f901               | cmp                 ecx, 1
            //   7230                 | jb                  0x32
            //   8d4801               | lea                 ecx, [eax + 1]
            //   894b04               | mov                 dword ptr [ebx + 4], ecx

        $sequence_4 = { ff761c ff15???????? 8b4df4 64890d00000000 59 5e 8be5 }
            // n = 7, score = 200
            //   ff761c               | push                dword ptr [esi + 0x1c]
            //   ff15????????         |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx
            //   59                   | pop                 ecx
            //   5e                   | pop                 esi
            //   8be5                 | mov                 esp, ebp

        $sequence_5 = { c6852fc4ffff00 c68530c4ffff00 c68531c4ffff00 c68532c4ffff00 c68533c4ffff00 c68534c4ffff00 }
            // n = 6, score = 200
            //   c6852fc4ffff00       | mov                 byte ptr [ebp - 0x3bd1], 0
            //   c68530c4ffff00       | mov                 byte ptr [ebp - 0x3bd0], 0
            //   c68531c4ffff00       | mov                 byte ptr [ebp - 0x3bcf], 0
            //   c68532c4ffff00       | mov                 byte ptr [ebp - 0x3bce], 0
            //   c68533c4ffff00       | mov                 byte ptr [ebp - 0x3bcd], 0
            //   c68534c4ffff00       | mov                 byte ptr [ebp - 0x3bcc], 0

        $sequence_6 = { c685d2f7ffffec c685d3f7ffff04 c685d4f7ffff56 c685d5f7ffff69 c685d6f7ffff72 c685d7f7ffff74 c685d8f7ffff75 }
            // n = 7, score = 200
            //   c685d2f7ffffec       | mov                 byte ptr [ebp - 0x82e], 0xec
            //   c685d3f7ffff04       | mov                 byte ptr [ebp - 0x82d], 4
            //   c685d4f7ffff56       | mov                 byte ptr [ebp - 0x82c], 0x56
            //   c685d5f7ffff69       | mov                 byte ptr [ebp - 0x82b], 0x69
            //   c685d6f7ffff72       | mov                 byte ptr [ebp - 0x82a], 0x72
            //   c685d7f7ffff74       | mov                 byte ptr [ebp - 0x829], 0x74
            //   c685d8f7ffff75       | mov                 byte ptr [ebp - 0x828], 0x75

        $sequence_7 = { c68555c2ffff6d c68556c2ffff20 c68557c2ffff63 c68558c2ffff61 c68559c2ffff6e c6855ac2ffff6e c6855bc2ffff6f }
            // n = 7, score = 200
            //   c68555c2ffff6d       | mov                 byte ptr [ebp - 0x3dab], 0x6d
            //   c68556c2ffff20       | mov                 byte ptr [ebp - 0x3daa], 0x20
            //   c68557c2ffff63       | mov                 byte ptr [ebp - 0x3da9], 0x63
            //   c68558c2ffff61       | mov                 byte ptr [ebp - 0x3da8], 0x61
            //   c68559c2ffff6e       | mov                 byte ptr [ebp - 0x3da7], 0x6e
            //   c6855ac2ffff6e       | mov                 byte ptr [ebp - 0x3da6], 0x6e
            //   c6855bc2ffff6f       | mov                 byte ptr [ebp - 0x3da5], 0x6f

        $sequence_8 = { 8bc1 8b55e4 0bc2 7412 52 51 8bd3 }
            // n = 7, score = 200
            //   8bc1                 | mov                 eax, ecx
            //   8b55e4               | mov                 edx, dword ptr [ebp - 0x1c]
            //   0bc2                 | or                  eax, edx
            //   7412                 | je                  0x14
            //   52                   | push                edx
            //   51                   | push                ecx
            //   8bd3                 | mov                 edx, ebx

        $sequence_9 = { c6854ec7ffff00 c6854fc7ffffff c68550c7ffff15 c68551c7ffffeb c68552c7ffff30 c68553c7ffff00 c68554c7ffff00 }
            // n = 7, score = 200
            //   c6854ec7ffff00       | mov                 byte ptr [ebp - 0x38b2], 0
            //   c6854fc7ffffff       | mov                 byte ptr [ebp - 0x38b1], 0xff
            //   c68550c7ffff15       | mov                 byte ptr [ebp - 0x38b0], 0x15
            //   c68551c7ffffeb       | mov                 byte ptr [ebp - 0x38af], 0xeb
            //   c68552c7ffff30       | mov                 byte ptr [ebp - 0x38ae], 0x30
            //   c68553c7ffff00       | mov                 byte ptr [ebp - 0x38ad], 0
            //   c68554c7ffff00       | mov                 byte ptr [ebp - 0x38ac], 0

    condition:
        7 of them and filesize < 966656
}
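An added example that makes the rule above concrete; it is not part of the Malpedia page and is not yara-signator's or YARA's own code. It copies the ten $sequence_* hex patterns from the rule into a Python dictionary, re-implements the subset of YARA hex-string semantics the rule actually uses (fixed bytes plus "??" single-byte wildcards; no jumps or nibble masks), evaluates the condition "7 of them and filesize < 966656" against a buffer, and decodes the stack-string sequences ($sequence_6, $sequence_7 and the zero-filled $sequence_5) from their "c6 85 disp32 imm8" encodings into the bytes they write. The buffer it runs against is constructed inside the script (patterns concatenated with padding, wildcards filled with 0x90); it is not a FlawedGrace sample, and a real scan would be done with YARA itself.

```python
import re
import struct

# The ten hex patterns of win_flawedgrace_auto, copied from the rule above.
# "??" is a YARA single-byte wildcard; the rule uses it to mask relocated call/jump targets.
SEQUENCES = {
    "sequence_0": "8b5dfc 8d7324 56 ff15???????? 8d4b1c 8bd7 e8????????",
    "sequence_1": "7604 8bf2 2bf1 8b470c 56 03c1 50",
    "sequence_2": "8be5 5d c20400 8bc3 8b4df4 64890d00000000",
    "sequence_3": "b954555515 8b4304 2bc8 83f901 7230 8d4801 894b04",
    "sequence_4": "ff761c ff15???????? 8b4df4 64890d00000000 59 5e 8be5",
    "sequence_5": "c6852fc4ffff00 c68530c4ffff00 c68531c4ffff00 c68532c4ffff00 c68533c4ffff00 c68534c4ffff00",
    "sequence_6": "c685d2f7ffffec c685d3f7ffff04 c685d4f7ffff56 c685d5f7ffff69 c685d6f7ffff72 c685d7f7ffff74 c685d8f7ffff75",
    "sequence_7": "c68555c2ffff6d c68556c2ffff20 c68557c2ffff63 c68558c2ffff61 c68559c2ffff6e c6855ac2ffff6e c6855bc2ffff6f",
    "sequence_8": "8bc1 8b55e4 0bc2 7412 52 51 8bd3",
    "sequence_9": "c6854ec7ffff00 c6854fc7ffffff c68550c7ffff15 c68551c7ffffeb c68552c7ffff30 c68553c7ffff00 c68554c7ffff00",
}
MIN_MATCHES = 7         # condition: "7 of them"
MAX_FILESIZE = 966656   # condition: "filesize < 966656"


def pattern_to_regex(hex_pattern):
    """Compile a YARA hex string (fixed bytes and '??' wildcards only) into a bytes regex."""
    tokens = re.findall(r"[0-9a-fA-F]{2}|\?\?", hex_pattern.replace(" ", ""))
    body = b"".join(b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in tokens)
    return re.compile(body, re.DOTALL)  # DOTALL so the wildcard also matches byte 0x0a


def matching_sequences(buf):
    """Names of the sequences that occur somewhere in buf (the rule's 'them' set)."""
    return [name for name, pat in SEQUENCES.items() if pattern_to_regex(pat).search(buf)]


def rule_fires(buf):
    """Evaluate the rule's condition: at least 7 sequences present and size below the cap."""
    return len(matching_sequences(buf)) >= MIN_MATCHES and len(buf) < MAX_FILESIZE


def decode_stack_string(hex_pattern):
    """Recover the bytes written by a run of 'mov byte ptr [ebp+disp32], imm8'
    (encoded c6 85 <disp32> <imm8>), ordered by stack offset so the result reads
    the way the string is laid out in memory."""
    raw = bytes.fromhex(hex_pattern.replace(" ", ""))
    if len(raw) % 7:
        raise ValueError("pattern is not a whole number of 7-byte mov encodings")
    writes = {}
    for i in range(0, len(raw), 7):
        op = raw[i:i + 7]
        if op[:2] != b"\xc6\x85":
            raise ValueError("not a 'mov byte ptr [ebp+disp32], imm8' encoding")
        disp = struct.unpack("<i", op[2:6])[0]  # signed little-endian displacement
        writes[disp] = op[6]
    return bytes(writes[d] for d in sorted(writes))


def build_sample(hit_sequences):
    """Constructed test buffer (not a real sample): the named patterns with wildcards
    filled by 0x90, each followed by 16 bytes of 0xcc padding."""
    out = bytearray()
    for name in hit_sequences:
        out += bytes.fromhex(SEQUENCES[name].replace(" ", "").replace("??", "90"))
        out += b"\xcc" * 16
    return bytes(out)


if __name__ == "__main__":
    names = list(SEQUENCES)
    for n in ("sequence_5", "sequence_6", "sequence_7"):
        print(n, decode_stack_string(SEQUENCES[n]))
    print("7 sequences present:", rule_fires(build_sample(names[:7])))
    print("6 sequences present:", rule_fires(build_sample(names[:6])))
    print("all sequences, oversized:", rule_fires(build_sample(names) + b"\x00" * MAX_FILESIZE))
```

The decoded fragments ("m canno" and "\xec\x04Virtu") show what these sequences really key on: a byte-at-a-time write of a literal into the stack frame. That is precise, but the disp32 field encodes the frame layout, so a rebuild with different local variables changes every pattern byte while the written string stays the same; when assigning confidence levels, as the rule's disclaimer asks, that fragility is one thing to weigh, and masking the displacement bytes would trade some precision for robustness.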