win.gemcutter

GEMCUTTER

Actor(s): APT 30


According to FireEye, GEMCUTTER is used in a similar capacity to BACKBEND (a downloader), but maintains persistence by creating a Windows registry Run key.
GEMCUTTER checks for the presence of the mutex MicrosoftGMMZJ to ensure that only one copy of GEMCUTTER is executing. If the mutex does not exist, the malware creates it and continues execution; otherwise, the malware signals the MicrosoftGMMExit event.

References
2015-04 FireEye FireEye
@techreport{fireeye:201504:apt30:0129bf7, author = {FireEye}, title = {{APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION}}, date = {2015-04}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf}, language = {English}, urldate = {2020-01-07} } APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION
Yara Rules
[TLP:WHITE] win_gemcutter_auto (20221125 | Detects win.gemcutter.)
rule win_gemcutter_auto {

    /* Purpose: code-sequence signature for the GEMCUTTER downloader (win.gemcutter).
     * The ten $sequence_N strings below are short x86 byte patterns lifted from
     * the disassembly of a Malpedia sample; the rule fires when at least 7 of
     * them are present in a file under 40 KiB (see `condition`).
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.gemcutter."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gemcutter"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each hex string is one instruction sequence. `??` is a YARA wildcard
     * byte; the generator wildcards the operand of address-bearing opcodes
     * (e8 call rel32, ff15 call [abs], ff35 push [abs], 68 push imm32,
     * c605 mov byte [abs]) so the pattern is not tied to one load address
     * or one linker layout. Those rows are left without a mnemonic in the
     * comments because the operand is unknown. "n" is the instruction count
     * per sequence; "score" is the generator's ranking value.
     * NOTE(review): several sequences overlap (e.g. $sequence_3/$sequence_4/
     * $sequence_8 share the `ffd7 8d85f0fdffff` tail), so hits are not
     * independent evidence — keep that in mind when assigning confidence.
     */
    strings:
        $sequence_0 = { ebea 395d08 889ea0314000 7477 }
            // n = 4, score = 100
            //   ebea                 | jmp                 0xffffffec
            //   395d08               | cmp                 dword ptr [ebp + 8], ebx
            //   889ea0314000         | mov                 byte ptr [esi + 0x4031a0], bl
            //   7477                 | je                  0x79

        $sequence_1 = { 751b e8???????? 59 50 ff7508 6a01 }
            // n = 6, score = 100
            //   751b                 | jne                 0x1d
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   6a01                 | push                1

        $sequence_2 = { ff7508 6a01 56 ff7508 ff75fc }
            // n = 5, score = 100
            //   ff7508               | push                dword ptr [ebp + 8]
            //   6a01                 | push                1
            //   56                   | push                esi
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff75fc               | push                dword ptr [ebp - 4]

        $sequence_3 = { 50 ff15???????? 8d45f0 50 ffd7 8d85f0fdffff }
            // n = 6, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   8d85f0fdffff         | lea                 eax, [ebp - 0x210]

        $sequence_4 = { ffd7 8d85f0fdffff 50 8d85f0fcffff }
            // n = 4, score = 100
            //   ffd7                 | call                edi
            //   8d85f0fdffff         | lea                 eax, [ebp - 0x210]
            //   50                   | push                eax
            //   8d85f0fcffff         | lea                 eax, [ebp - 0x310]

        $sequence_5 = { ffd7 85c0 7404 33c0 eb17 8d8500fcffff }
            // n = 6, score = 100
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax
            //   7404                 | je                  6
            //   33c0                 | xor                 eax, eax
            //   eb17                 | jmp                 0x19
            //   8d8500fcffff         | lea                 eax, [ebp - 0x400]

        $sequence_6 = { ff35???????? ff15???????? 68f4010000 ff15???????? 53 56 e8???????? }
            // n = 7, score = 100
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   68f4010000           | push                0x1f4
            //   ff15????????         |                     
            //   53                   | push                ebx
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_7 = { 50 8d45f0 68???????? 50 ff15???????? 83c40c 8d45f0 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   68????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc
            //   8d45f0               | lea                 eax, [ebp - 0x10]

        $sequence_8 = { 8d45f0 50 ffd7 8d85f0fdffff }
            // n = 4, score = 100
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   8d85f0fdffff         | lea                 eax, [ebp - 0x210]

        $sequence_9 = { c605????????55 ff15???????? 8bf0 68???????? }
            // n = 4, score = 100
            //   c605????????55       |                     
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   68????????           |                     

    /* Match when at least 7 of the 10 sequences are present and the scanned
     * object is smaller than 40960 bytes (40 KiB). The size cap reflects the
     * unpacked/memory-dump material the strings were taken from (see the
     * DISCLAIMER above); a packed or otherwise larger on-disk sample may fall
     * outside it even if the code sequences are present — a point to
     * consider when scanning files rather than process memory.
     */
    condition:
        7 of them and filesize < 40960
}