
GEMCUTTER

Actor(s): APT 30


According to FireEye, GEMCUTTER is used in a similar capacity as BACKBEND (downloader), but maintains persistence by creating a Windows registry run key.
GEMCUTTER checks for the presence of the mutex MicrosoftGMMZJ to ensure only one copy of GEMCUTTER is executing. If the mutex doesn't exist, the malware creates it and continues execution; otherwise, the malware signals the MicrosoftGMMExit event.

References
2015-04 | FireEye | FireEye
@techreport{fireeye:201504:apt30:0129bf7, author = {FireEye}, title = {{APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION}}, date = {2015-04}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf}, language = {English}, urldate = {2020-01-07} } APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION
BACKBEND backspace CREAMSICLE FLASHFLOOD GEMCUTTER MILKMAID Naikon NETEAGLE ORANGEADE SHIPSHAPE SPACESHIP SslMM Sys10 WinMM xsPlus APT30
Yara Rules
[TLP:WHITE] win_gemcutter_auto (20230715 | Detects win.gemcutter.)
rule win_gemcutter_auto {
    // Auto-generated code-pattern rule for the GEMCUTTER downloader (win.gemcutter).
    // It matches on short runs of x86 instruction bytes taken from the family's
    // unpacked code rather than on strings, mutex names or configuration data,
    // so it is meant for unpacked samples / memory dumps, not packed droppers.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.gemcutter."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gemcutter"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a contiguous run of opcode bytes; "??" masks one byte.
    // The annotation below each string lists one instruction per row
    // ("bytes | mnemonic operands"). Rows with an empty right-hand column are
    // the instructions whose operand bytes were wildcarded (presumably call/jump
    // targets and absolute data addresses, which shift between builds and
    // relocations — verify against the yara-signator config above).
    // "n" is the instruction count, "score" the generator's ranking of the sequence.
    strings:
        $sequence_0 = { e8???????? 83c40c 8d45f0 c745d801000000 668975dc 50 8d45ac }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   c745d801000000       | mov                 dword ptr [ebp - 0x28], 1
            //   668975dc             | mov                 word ptr [ebp - 0x24], si
            //   50                   | push                eax
            //   8d45ac               | lea                 eax, [ebp - 0x54]

        $sequence_1 = { ffd7 8d85f0fdffff 50 8d85f0fcffff 50 e8???????? 8d85f0fcffff }
            // n = 7, score = 100
            //   ffd7                 | call                edi
            //   8d85f0fdffff         | lea                 eax, [ebp - 0x210]
            //   50                   | push                eax
            //   8d85f0fcffff         | lea                 eax, [ebp - 0x310]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d85f0fcffff         | lea                 eax, [ebp - 0x310]

        $sequence_2 = { e8???????? 83c424 8b3d???????? 56 33f6 56 56 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c424               | add                 esp, 0x24
            //   8b3d????????         |                     
            //   56                   | push                esi
            //   33f6                 | xor                 esi, esi
            //   56                   | push                esi
            //   56                   | push                esi

        $sequence_3 = { ff15???????? 8d45f0 50 ffd7 8d85f0fdffff 50 8d85f0fcffff }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   8d85f0fdffff         | lea                 eax, [ebp - 0x210]
            //   50                   | push                eax
            //   8d85f0fcffff         | lea                 eax, [ebp - 0x310]

        $sequence_4 = { ff15???????? 8d85f0fdffff 68???????? 50 e8???????? 8d85f0fdffff 56 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8d85f0fdffff         | lea                 eax, [ebp - 0x210]
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d85f0fdffff         | lea                 eax, [ebp - 0x210]
            //   56                   | push                esi

        $sequence_5 = { 50 51 68???????? 50 ffd7 85c0 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   51                   | push                ecx
            //   68????????           |                     
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax

        $sequence_6 = { 6a2e 50 ff15???????? 8818 8d85f0f8ffff 6a2e 50 }
            // n = 7, score = 100
            //   6a2e                 | push                0x2e
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8818                 | mov                 byte ptr [eax], bl
            //   8d85f0f8ffff         | lea                 eax, [ebp - 0x710]
            //   6a2e                 | push                0x2e
            //   50                   | push                eax

        $sequence_7 = { 53 56 56 56 a3???????? ffd7 56 }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   56                   | push                esi
            //   56                   | push                esi
            //   56                   | push                esi
            //   a3????????           |                     
            //   ffd7                 | call                edi
            //   56                   | push                esi

        $sequence_8 = { 68???????? c605????????55 ff15???????? 8bf0 68???????? }
            // n = 5, score = 100
            //   68????????           |                     
            //   c605????????55       |                     
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   68????????           |                     

        $sequence_9 = { 59 50 ff15???????? 0c06 50 8d85f0fdffff }
            // n = 6, score = 100
            //   59                   | pop                 ecx
            //   50                   | push                eax
            //   ff15????????         |                     
            //   0c06                 | or                  al, 6
            //   50                   | push                eax
            //   8d85f0fdffff         | lea                 eax, [ebp - 0x210]

    // Match needs any 7 of the 10 sequences, so a sample may drift in up to
    // three of them and still fire; the size cap (40960 bytes = 40 KiB) bounds
    // scan cost and excludes large carrier files. NOTE(review): in YARA,
    // filesize is only defined when a file is scanned — confirm the intended
    // deployment is on-disk files or dumped/unpacked images rather than live
    // process memory, where the size clause would prevent a match.
    condition:
        7 of them and filesize < 40960
}