win.gemcutter (Back to overview)

GEMCUTTER

Actor(s): APT 30


According to FireEye, GEMCUTTER is used in a similar capacity to BACKBEND (a downloader), but maintains persistence by creating a Windows registry Run key.
GEMCUTTER checks for the presence of the mutex MicrosoftGMMZJ to ensure that only one copy of GEMCUTTER is executing. If the mutex does not exist, the malware creates it and continues execution; otherwise, the malware signals the MicrosoftGMMExit event.

References
2015-04-01 | FireEye | FireEye
APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION
BACKBEND backspace CREAMSICLE FLASHFLOOD GEMCUTTER MILKMAID Naikon NETEAGLE ORANGEADE SHIPSHAPE SPACESHIP SslMM Sys10 WinMM xsPlus APT30
Yara Rules
[TLP:WHITE] win_gemcutter_auto (20230808 | Detects win.gemcutter.)
/*
 * Autogenerated code-pattern rule for GEMCUTTER (APT30 downloader).
 * It matches short x86 instruction sequences that were selected from the
 * disassembly of unpacked samples and memory dumps, so it is meant to fire on
 * unpacked or memory-resident code; packed or encrypted samples on disk are not
 * expected to match (see the DISCLAIMER below).
 */
rule win_gemcutter_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.gemcutter."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gemcutter"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a hex string of consecutive x86 instructions; the
        // per-instruction disassembly is listed beneath it. "??" is a YARA
        // wildcard byte: the generator masks the 32-bit operands of ff15 (call
        // [imm32]), e8 (call rel32) and 68 (push imm32) so that import-table
        // addresses, call targets and data references (cf. signator_config)
        // do not pin the rule to one build or load address.
        $sequence_0 = { ff75fc ff15???????? eb09 ff75fc ff15???????? 3975fc }
            // n = 6, score = 100
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   eb09                 | jmp                 0xb
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   3975fc               | cmp                 dword ptr [ebp - 4], esi

        $sequence_1 = { 8d8500fcffff 50 e8???????? 59 56 ff15???????? }
            // n = 6, score = 100
            //   8d8500fcffff         | lea                 eax, [ebp - 0x400]
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_2 = { 56 ffd7 53 56 56 56 }
            // n = 6, score = 100
            //   56                   | push                esi
            //   ffd7                 | call                edi
            //   53                   | push                ebx
            //   56                   | push                esi
            //   56                   | push                esi
            //   56                   | push                esi

        $sequence_3 = { 59 53 50 ffd6 0fbe85f0f8ffff 50 }
            // n = 6, score = 100
            //   59                   | pop                 ecx
            //   53                   | push                ebx
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   0fbe85f0f8ffff       | movsx               eax, byte ptr [ebp - 0x710]
            //   50                   | push                eax

        $sequence_4 = { 6a01 ff15???????? 6a01 68???????? e8???????? 6a01 }
            // n = 6, score = 100
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   6a01                 | push                1
            //   68????????           |                     
            //   e8????????           |                     
            //   6a01                 | push                1

        $sequence_5 = { 50 ff15???????? 83c420 8818 8d85f0fdffff 50 8d85f0f8ffff }
            // n = 7, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83c420               | add                 esp, 0x20
            //   8818                 | mov                 byte ptr [eax], bl
            //   8d85f0fdffff         | lea                 eax, [ebp - 0x210]
            //   50                   | push                eax
            //   8d85f0f8ffff         | lea                 eax, [ebp - 0x710]

        $sequence_6 = { 8d85f0fdffff 50 ffd7 8d85f0f8ffff 6800040000 50 }
            // n = 6, score = 100
            //   8d85f0fdffff         | lea                 eax, [ebp - 0x210]
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   8d85f0f8ffff         | lea                 eax, [ebp - 0x710]
            //   6800040000           | push                0x400
            //   50                   | push                eax

        $sequence_7 = { 8d45ac 56 50 e8???????? 83c40c 8d45f0 c745d801000000 }
            // n = 7, score = 100
            //   8d45ac               | lea                 eax, [ebp - 0x54]
            //   56                   | push                esi
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   c745d801000000       | mov                 dword ptr [ebp - 0x28], 1

        $sequence_8 = { ff15???????? 85c0 0f84df000000 8d85f0f8ffff 68???????? 50 e8???????? }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f84df000000         | je                  0xe5
            //   8d85f0f8ffff         | lea                 eax, [ebp - 0x710]
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     

        // NOTE(review): this sequence is a fairly generic function prologue
        // (ret / push ebp / mov ebp,esp / sub esp,0x400 / push esi / push edi)
        // and on its own carries little family-specific signal; the
        // "7 of them" threshold below is what keeps it from driving matches.
        $sequence_9 = { c3 55 8bec 81ec00040000 56 57 68???????? }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81ec00040000         | sub                 esp, 0x400
            //   56                   | push                esi
            //   57                   | push                edi
            //   68????????           |                     

    condition:
        // At least 7 of the 10 sequences must be present, so no single
        // compiler idiom is sufficient for a hit. The size bound (40960 bytes,
        // i.e. 40 KiB) reflects the small size of the documented sample.
        // Caveat: filesize is only defined when YARA scans a file; on a
        // process-memory scan it is undefined and the whole condition
        // evaluates to false, so drop or relax the bound if this rule is
        // applied to live process memory rather than dumped/unpacked files.
        7 of them and filesize < 40960
}