win.flawedgrace

FlawedGrace

aka: GraceWire

Actor(s): TA505


According to Proofpoint, FlawedGrace is written in C++ and can be categorized as a Remote Access Trojan (RAT). It appears to have been developed mainly in the second half of 2017.

FlawedGrace supports the following commands, listed here for reference:
* desktop_stat
* destroy_os
* target_download
* target_module_load
* target_module_load_external
* target_module_unload
* target_passwords
* target_rdp
* target_reboot
* target_remove
* target_script
* target_servers
* target_update
* target_upload

References

2021-03-02 | Rolf Rolles (Möbius Strip Reverse Engineering) | An Exhaustively-Analyzed IDB for FlawedGrace | https://www.msreverseengineering.com/blog/2021/3/2/an-exhaustively-analyzed-idb-for-flawedgrace | English, retrieved 2021-03-04
    Families: FlawedGrace

2020-08-20 | CERT-FR | Development of the Activity of the TA505 Cybercriminal Group | https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf | English, retrieved 2020-08-28
    Families: AndroMut Bart Clop Dridex FlawedAmmyy FlawedGrace Get2 Locky Marap QuantLoader SDBbot ServHelper tRat TrickBot

2020-06-22 | CERT-FR | Évolution de l'activité du groupe cybercriminel TA505 | https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf | French, retrieved 2020-06-24
    Families: Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot

2020-06-17 | Microsoft Security Intelligence (Twitter, @MsftSecIntel) | A tweet thread on TA505 using CAPTCHA to avoid detection and infecting victims with FlawedGrace | https://twitter.com/MsftSecIntel/status/1273359829390655488 | English, retrieved 2020-06-18
    Families: FlawedGrace

2020-05-21 | Intel 471 | A brief history of TA505 | https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/ | English, retrieved 2020-05-23
    Families: AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot

2020-03-26 | Thomas Barabosch (Telekom) | TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer | https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672 | English, retrieved 2020-03-27
    Families: Amadey Azorult Clop FlawedGrace Get2 SDBbot Silence TinyMet TA505

2020-03-03 | PWC UK | Cyber Threats 2019: A Year in Retrospect | https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf | English, retrieved 2020-03-03
    Families: KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom

2020-02-13 | Qi Anxin Threat Intelligence Center (Qianxin) | APT Report 2019 | https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf | English, retrieved 2020-02-27
    Families: Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy

2020 | SecureWorks | GOLD TAHOE | https://www.secureworks.com/research/threat-profiles/gold-tahoe | English, retrieved 2020-05-23
    Families: Clop FlawedAmmyy FlawedGrace Get2 SDBbot ServHelper TA505

2019-01-14 | Rolf Rolles (Möbius Strip Reverse Engineering) | A Quick Solution to an Ugly Reverse Engineering Problem | https://www.msreverseengineering.com/blog/2019/1/14/a-quick-solution-to-an-ugly-reverse-engineering-problem | English, retrieved 2020-01-13
    Families: FlawedGrace

2019-01-09 | Dennis Schwarz and Proofpoint Staff (Proofpoint) | ServHelper and FlawedGrace - New malware introduced by TA505 | https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505 | English, retrieved 2019-12-20
    Families: FlawedGrace ServHelper

Yara Rules
[TLP:WHITE] win_flawedgrace_auto (20210616 | Detects win.flawedgrace.)
rule win_flawedgrace_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.flawedgrace."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedgrace"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c685e4f6ffffc6 c685e5f6ffff21 c685e6f6ffff00 c685e7f6ffff00 c685e8f6ffffd6 c685e9f6ffff21 c685eaf6ffff00 }
            // n = 7, score = 200
            //   c685e4f6ffffc6       | mov                 byte ptr [ebp - 0x91c], 0xc6
            //   c685e5f6ffff21       | mov                 byte ptr [ebp - 0x91b], 0x21
            //   c685e6f6ffff00       | mov                 byte ptr [ebp - 0x91a], 0
            //   c685e7f6ffff00       | mov                 byte ptr [ebp - 0x919], 0
            //   c685e8f6ffffd6       | mov                 byte ptr [ebp - 0x918], 0xd6
            //   c685e9f6ffff21       | mov                 byte ptr [ebp - 0x917], 0x21
            //   c685eaf6ffff00       | mov                 byte ptr [ebp - 0x916], 0

        $sequence_1 = { c6854acbffff46 c6854bcbffff08 c6854ccbffff5e c6854dcbffff48 c6854ecbffff83 c6854fcbffffec c68550cbffff20 }
            // n = 7, score = 200
            //   c6854acbffff46       | mov                 byte ptr [ebp - 0x34b6], 0x46
            //   c6854bcbffff08       | mov                 byte ptr [ebp - 0x34b5], 8
            //   c6854ccbffff5e       | mov                 byte ptr [ebp - 0x34b4], 0x5e
            //   c6854dcbffff48       | mov                 byte ptr [ebp - 0x34b3], 0x48
            //   c6854ecbffff83       | mov                 byte ptr [ebp - 0x34b2], 0x83
            //   c6854fcbffffec       | mov                 byte ptr [ebp - 0x34b1], 0xec
            //   c68550cbffff20       | mov                 byte ptr [ebp - 0x34b0], 0x20

        $sequence_2 = { c68540dfffff00 c68541dfffff78 c68542dfffff00 c68543dfffff74 c68544dfffff00 c68545dfffff00 c68546dfffff00 }
            // n = 7, score = 200
            //   c68540dfffff00       | mov                 byte ptr [ebp - 0x20c0], 0
            //   c68541dfffff78       | mov                 byte ptr [ebp - 0x20bf], 0x78
            //   c68542dfffff00       | mov                 byte ptr [ebp - 0x20be], 0
            //   c68543dfffff74       | mov                 byte ptr [ebp - 0x20bd], 0x74
            //   c68544dfffff00       | mov                 byte ptr [ebp - 0x20bc], 0
            //   c68545dfffff00       | mov                 byte ptr [ebp - 0x20bb], 0
            //   c68546dfffff00       | mov                 byte ptr [ebp - 0x20ba], 0

        $sequence_3 = { 53 32db 56 85c9 741d 85d2 7411 }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   32db                 | xor                 bl, bl
            //   56                   | push                esi
            //   85c9                 | test                ecx, ecx
            //   741d                 | je                  0x1f
            //   85d2                 | test                edx, edx
            //   7411                 | je                  0x13

        $sequence_4 = { 8bec 8b01 8bd0 53 8b5d0c 56 8b4804 }
            // n = 7, score = 200
            //   8bec                 | mov                 ebp, esp
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   8bd0                 | mov                 edx, eax
            //   53                   | push                ebx
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]
            //   56                   | push                esi
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]

        $sequence_5 = { 50 8d45ec c745f400000000 50 8b45f0 6a08 ff3406 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   8d45ec               | lea                 eax, dword ptr [ebp - 0x14]
            //   c745f400000000       | mov                 dword ptr [ebp - 0xc], 0
            //   50                   | push                eax
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   6a08                 | push                8
            //   ff3406               | push                dword ptr [esi + eax]

        $sequence_6 = { c6857ef0ffff09 c6857ff0ffffc7 c68580f0ffff45 c68581f0ffffc0 c68582f0ffff20 c68583f0ffff00 c68584f0ffff00 }
            // n = 7, score = 200
            //   c6857ef0ffff09       | mov                 byte ptr [ebp - 0xf82], 9
            //   c6857ff0ffffc7       | mov                 byte ptr [ebp - 0xf81], 0xc7
            //   c68580f0ffff45       | mov                 byte ptr [ebp - 0xf80], 0x45
            //   c68581f0ffffc0       | mov                 byte ptr [ebp - 0xf7f], 0xc0
            //   c68582f0ffff20       | mov                 byte ptr [ebp - 0xf7e], 0x20
            //   c68583f0ffff00       | mov                 byte ptr [ebp - 0xf7d], 0
            //   c68584f0ffff00       | mov                 byte ptr [ebp - 0xf7c], 0

        $sequence_7 = { c685b0cbffffc8 c685b1cbffffe8 c685b2cbffff1a c685b3cbffff0c c685b4cbffff00 c685b5cbffff00 c685b6cbffff48 }
            // n = 7, score = 200
            //   c685b0cbffffc8       | mov                 byte ptr [ebp - 0x3450], 0xc8
            //   c685b1cbffffe8       | mov                 byte ptr [ebp - 0x344f], 0xe8
            //   c685b2cbffff1a       | mov                 byte ptr [ebp - 0x344e], 0x1a
            //   c685b3cbffff0c       | mov                 byte ptr [ebp - 0x344d], 0xc
            //   c685b4cbffff00       | mov                 byte ptr [ebp - 0x344c], 0
            //   c685b5cbffff00       | mov                 byte ptr [ebp - 0x344b], 0
            //   c685b6cbffff48       | mov                 byte ptr [ebp - 0x344a], 0x48

        $sequence_8 = { 8bf0 85f6 0f8497000000 837e6800 8975e4 7468 8dbe90020000 }
            // n = 7, score = 200
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   0f8497000000         | je                  0x9d
            //   837e6800             | cmp                 dword ptr [esi + 0x68], 0
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi
            //   7468                 | je                  0x6a
            //   8dbe90020000         | lea                 edi, dword ptr [esi + 0x290]

        $sequence_9 = { 8b45fc 33c2 898ebc000000 8945fc 8bc8 c1e810 8b55fc }
            // n = 7, score = 200
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   33c2                 | xor                 eax, edx
            //   898ebc000000         | mov                 dword ptr [esi + 0xbc], ecx
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8bc8                 | mov                 ecx, eax
            //   c1e810               | shr                 eax, 0x10
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]

    condition:
        7 of them and filesize < 966656
}
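To make the rule's condition concrete, here is an added example (not part of the Malpedia page or of yara-signator) that re-evaluates win_flawedgrace_auto in plain Python: because the rule's hex strings contain no wildcards or jumps, a byte-substring search finds exactly what YARA would find for each $sequence_N, and "7 of them and filesize < 966656" becomes a count plus a size check. The test buffers are constructed from the rule's own byte sequences, not real samples.

```python
# Added example, not from the Malpedia page or yara-signator: a plain-Python
# evaluation of the win_flawedgrace_auto condition. The hex strings below are
# copied verbatim from the rule; they have no wildcards, so substring search
# is equivalent to YARA's matching for them.

SEQUENCES = {
    "sequence_0": "c685e4f6ffffc6 c685e5f6ffff21 c685e6f6ffff00 c685e7f6ffff00 c685e8f6ffffd6 c685e9f6ffff21 c685eaf6ffff00",
    "sequence_1": "c6854acbffff46 c6854bcbffff08 c6854ccbffff5e c6854dcbffff48 c6854ecbffff83 c6854fcbffffec c68550cbffff20",
    "sequence_2": "c68540dfffff00 c68541dfffff78 c68542dfffff00 c68543dfffff74 c68544dfffff00 c68545dfffff00 c68546dfffff00",
    "sequence_3": "53 32db 56 85c9 741d 85d2 7411",
    "sequence_4": "8bec 8b01 8bd0 53 8b5d0c 56 8b4804",
    "sequence_5": "50 8d45ec c745f400000000 50 8b45f0 6a08 ff3406",
    "sequence_6": "c6857ef0ffff09 c6857ff0ffffc7 c68580f0ffff45 c68581f0ffffc0 c68582f0ffff20 c68583f0ffff00 c68584f0ffff00",
    "sequence_7": "c685b0cbffffc8 c685b1cbffffe8 c685b2cbffff1a c685b3cbffff0c c685b4cbffff00 c685b5cbffff00 c685b6cbffff48",
    "sequence_8": "8bf0 85f6 0f8497000000 837e6800 8975e4 7468 8dbe90020000",
    "sequence_9": "8b45fc 33c2 898ebc000000 8945fc 8bc8 c1e810 8b55fc",
}
MIN_MATCHES = 7          # "7 of them" in the rule's condition
FILESIZE_LIMIT = 966656  # "filesize < 966656" in the rule's condition


def pattern_bytes(hex_text: str) -> bytes:
    """Turn a YARA hex string (spaces between instructions) into raw bytes."""
    return bytes.fromhex(hex_text.replace(" ", ""))


def matched_strings(data: bytes) -> set:
    """Names of the rule strings that occur anywhere in data."""
    return {name for name, hx in SEQUENCES.items() if pattern_bytes(hx) in data}


def rule_matches(data: bytes) -> bool:
    """Mirror the condition: at least 7 distinct strings hit, and the scanned
    object is smaller than 966656 bytes. The size check applies to the whole
    file, so an oversized file never matches even if all ten strings hit."""
    return len(matched_strings(data)) >= MIN_MATCHES and len(data) < FILESIZE_LIMIT


def build_sample(names, padding: bytes = b"\x90" * 16) -> bytes:
    """Constructed test buffer (not a real sample): the named sequences joined
    with NOP padding, so the rule's counting logic can be exercised offline."""
    return padding + padding.join(pattern_bytes(SEQUENCES[n]) for n in names) + padding


if __name__ == "__main__":
    print("7 sequences:", rule_matches(build_sample(sorted(SEQUENCES)[:7])))  # True
    print("6 sequences:", rule_matches(build_sample(sorted(SEQUENCES)[:6])))  # False
    oversized = build_sample(SEQUENCES) + b"\x00" * FILESIZE_LIMIT
    print("all 10, but oversized:", rule_matches(oversized))  # False
```

The same counting applies when scanning memory dumps rather than files: yara-signator derives these sequences from unpacked code, so a packed on-disk sample may hit fewer than seven of them while the unpacked image hits all ten.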