SYMBOLCOMMON_NAMEaka. SYNONYMS
win.graphdrop (Back to overview)

GraphDrop

aka: GraphicalProton, SPICYBEAT

PANW Unit 42 describes this malware as capable of up and downloading files as well as loading additional shellcode payloads into selected target processes. It uses the Microsoft Graph API and Dropbox API as C&C channel.

References
2023-09-22MandiantLuke Jenkins, Josh Atkins, Dan Black
@online{jenkins:20230922:backchannel:6da10a8, author = {Luke Jenkins and Josh Atkins and Dan Black}, title = {{Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations}}, date = {2023-09-22}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing}, language = {English}, urldate = {2023-10-18} } Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations
Brute Ratel C4 Cobalt Strike EnvyScout GraphDrop QUARTERRIG sRDI Unidentified 107 (APT29)
2023-07-27Recorded FutureInsikt Group
@techreport{group:20230727:bluebravo:b456f7d, author = {Insikt Group}, title = {{BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware}}, date = {2023-07-27}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf}, language = {English}, urldate = {2023-07-28} } BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware
GraphDrop GraphicalNeutrino QUARTERRIG
2023-07-25AvertiumAvertium
@online{avertium:20230725:evolution:15a6f6a, author = {Avertium}, title = {{EVOLUTION OF RUSSIAN APT29 – NEW ATTACKS AND TECHNIQUES UNCOVERED}}, date = {2023-07-25}, organization = {Avertium}, url = {https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered}, language = {English}, urldate = {2023-07-28} } EVOLUTION OF RUSSIAN APT29 – NEW ATTACKS AND TECHNIQUES UNCOVERED
GraphDrop
2023-07-12Palo Alto Networks Unit 42Unit 42
@online{42:20230712:diplomats:ff60fd1, author = {Unit 42}, title = {{Diplomats Beware: Cloaked Ursa Phishing With a Twist}}, date = {2023-07-12}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/}, language = {English}, urldate = {2023-07-17} } Diplomats Beware: Cloaked Ursa Phishing With a Twist
GraphDrop
Yara Rules
[TLP:WHITE] win_graphdown_w0 (20230728 | Detects unpacked GraphicalProton samples)
rule win_graphdown_w0 {
    meta:
        author = "Insikt Group, Recorded Future"
        date = "2023-05-11"
        description = "Detects unpacked GraphicalProton samples"
        version = "1.0"
        hash = "38f8b8036ed2a0b5abb8fbf264ee6fd2b82dcd917f60d9f1d8f18d07c26b1534"
        hash = "60d96d8d3a09f822ded0a3c84194a5d88ed62a979cbb6378545b45b04353bb37"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphdown"
        malpedia_rule_date = "20230728"
        malpedia_hash = ""
        malpedia_version = "20230728"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        
        
    strings:
        $chaskey = { 4? 8b 44 ?4 08 8b 48 04 4? 8b 44 ?4 08 03 08 89 08 4? 8b 44 ?4 08 8b 48 04 c1 e9 1b 4? 8b 44 ?4 08
        8b 50 04 c1 e2 05 09 d1 4? 8b 44 ?4 08 33 08 4? 8b 44 ?4 08 89 48 04 4? 8b 44 ?4 08 8b 48 0c 4? 8b 44 ?4 08 03 48 08
        89 48 08 4? 8b 44 ?4 08 8b 48 0c c1 e9 18 4? 8b 44 ?4 08 8b 50 0c c1 e2 08 09 d1 4? 8b 44 ?4 08 33 48 08 4? 8b 44 ?4
        08 89 48 0c 4? 8b 44 ?4 08 8b 48 04 4? 8b 44 ?4 08 03 48 08 89 48 08 4? 8b 44 ?4 08 8b 08 c1 e9 10 4? 8b 44 ?4 08 8b
        10 c1 e2 10 09 d1 4? 8b 44 ?4 08 03 48 0c 4? 8b 44 ?4 08 89 08 4? 8b 44 ?4 08 8b 48 0c c1 e9 13 4? 8b 44 ?4 08 8b 50
        0c c1 e2 0d 09 d1 4? 8b 44 ?4 08 33 08 4? 8b 44 ?4 08 89 48 0c 4? 8b 44 ?4 08 8b 48 04 c1 e9 19 4? 8b 44 ?4 08 8b 50
        04 c1 e2 07 09 d1 4? 8b 44 ?4 08 33 48 08 4? 8b 44 ?4 08 89 48 04 4? 8b 44 ?4 08 8b 48 08 c1 e9 10 4? 8b 44 ?4 08 8b
        50 08 c1 e2 10 09 d1 4? 8b 44 ?4 08 89 48 08 }
        
        $decrypt = { 8b 44 ?? ?? 89 c1 0f b6 44 0c 50 4? 8b 4c ?? ?? 8b 54 ?? ?? 4? 89 d0 4? 0f b6 14 01 31 c2 4? 88 14
        01 8b 44 ?? ?? 83 c0 01 89 44 ?? ?? e9 ?? ?? ?? ?? 8b 44 ?? ?? 8b 4c ?? ?? 29 c1 89 4c ?? ?? 8b 44 ?? ?? 4? 8b 54 ??
        ?? 89 c0 4? 89 c0 4? 01 c2 4? 89 54 ?? ?? }
        
        $bmp_header = { 66 c7 00 42 4d c7 40 02 00 00 00 00 66 c7 40 06 00 00 66 c7 40 08 00 00 c7 40 0a 00 00 00 00 59 c3 }
        
        $parse_bmp = { 89 02 4? 8b 4? ?? ba 03 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 04 4? 8b 4? ?? ba
        07 00 00 00 e8 ?? ?? ?? ?? 66 4? 8b 08 4? 8b 4? ?? 66 4? 89 48 08 4? 8b 4? ?? ba 09 00 00 00 e8 ?? ?? ?? ?? 66 4? 8b
        08 4? 8b 4? ?? 66 4? 89 48 0a 4? 8b 4? ?? ba 0b 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 0c 4? 8b 4? ??
        ba 0f 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 10 4? 8b 4? ?? ba 13 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4?
        8b 4? ?? 4? 89 40 14 4? 8b 4? ?? ba 17 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 18 4? 8b 4? ?? ba 1b 00
        00 00 e8 ?? ?? ?? ?? 66 4? 8b 08 4? 8b 4? ?? 66 4? 89 48 1c 4? 8b 4? ?? ba 1d 00 00 00 e8 ?? ?? ?? ?? 66 4? 8b 08 4?
        8b 4? ?? 66 4? 89 48 1e 4? 8b 4? ?? ba 1f 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 20 4? 8b 4? ?? ba 23
        00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 24 4? 8b 4? ?? ba 27 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4?
        ?? 4? 89 40 28 4? 8b 4? ?? ba 2b 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 2c 4? 8b 4? ?? ba 2f 00 00 00
        e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 30 4? 8b 4? ?? ba 33 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89
        40 34 4? 8b 40 14 4? 89 4? ?? 4? 8b 40 18 4? 89 4? ?? 4? 8b 4? ?? 4? 0f af 4? ?? 4? 6b c0 03 4? 89 4? ?? 4? 8b 4? ??
        4? c1 e8 03 4? 83 e8 36 4? 89 40 38 }
    condition:
        uint16(0) == 0x5a4d
        and filesize > 1MB
        and all of them
}
Download all Yara Rules