win.graphican

Graphican

Actor(s): APT15


According to Symantec, Graphican is an evolution of the known APT15 backdoor Ketrican, which itself was based on an earlier piece of malware, BS2005, also used by APT15. Graphican has the same basic functionality as Ketrican; the difference between them is Graphican's use of the Microsoft Graph API and OneDrive to obtain its command-and-control (C&C) infrastructure. For defenders this matters because the lookup that yields the C&C address is made to legitimate Microsoft cloud endpoints, so it will not stand out as traffic to attacker-owned infrastructure; watching for unexpected Graph API/OneDrive use by processes that have no business with those services is a more promising angle than destination blocking.

References
2023-06-21 — Symantec Threat Hunter Team
Graphican: Flea Uses New Backdoor in Attacks Targeting Foreign Ministries
Yara Rules
[TLP:WHITE] win_graphican_auto (20230808 | Detects win.graphican.)
rule win_graphican_auto {

    // Autogenerated code-sequence signature for the Graphican backdoor
    // (Malpedia family win.graphican). It matches on short x86 (32-bit)
    // instruction sequences extracted from unpacked / memory-dumped samples,
    // so it is intended for unpacked binaries and memory, not for packed
    // droppers on disk (see the DISCLAIMER below).
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): the date fields below differ (date, malpedia_rule_date,
        // malpedia_version); presumably generation date vs. dataset snapshot
        // dates - check the generator's documentation before using any of them
        // as a rule version for change tracking.
        date = "2023-12-06"
        version = "1"
        description = "Detects win.graphican."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphican"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes on applying this rule:
     * - All sequences are 32-bit x86 (esi/edi/ebp, push/esp cleanup); a 64-bit
     *   build of the family, if one exists, would not be covered.
     * - The "??" bytes mask operands that vary between builds/image bases:
     *   e8 ???????? is a rel32 call target, 68 ???????? a push imm32 (typically a
     *   pointer), a1 ???????? a mov eax,[abs32]. The generator leaves their
     *   disassembly blank for the same reason.
     * - "score" in the comments is assigned by the generator; it is not a match
     *   weight in YARA - every sequence counts once toward "7 of them".
     * - Pair a hit with the Microsoft Graph API / OneDrive C&C behaviour described
     *   for this family before treating it as confirmed.
     */

    strings:
        // Pointer/size arithmetic: rounds (edi+7) down to a multiple of 8, then
        // bounds-checks against [eax] and [esi]. Looks like allocator or buffer
        // management; not specific on its own.
        $sequence_0 = { 8d5f07 83e3f8 03d3 3b10 7619 8b06 3bc3 }
            // n = 7, score = 200
            //   8d5f07               | lea                 ebx, [edi + 7]
            //   83e3f8               | and                 ebx, 0xfffffff8
            //   03d3                 | add                 edx, ebx
            //   3b10                 | cmp                 edx, dword ptr [eax]
            //   7619                 | jbe                 0x1b
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   3bc3                 | cmp                 eax, ebx

        // Compares a character against 'e' (0x65) and 'E' (0x45), i.e. an
        // exponent-marker check as found in number-parsing code. Possibly
        // statically linked CRT code rather than malware-specific logic -
        // treat as low-specificity.
        $sequence_1 = { 3c65 7408 3c45 0f8570010000 47 807def00 897dc0 }
            // n = 7, score = 200
            //   3c65                 | cmp                 al, 0x65
            //   7408                 | je                  0xa
            //   3c45                 | cmp                 al, 0x45
            //   0f8570010000         | jne                 0x176
            //   47                   | inc                 edi
            //   807def00             | cmp                 byte ptr [ebp - 0x11], 0
            //   897dc0               | mov                 dword ptr [ebp - 0x40], edi

        // Function prologue taking arguments in ecx/edx (fastcall-style) and
        // pushing the constant 0x1a8 (424) when ebx is zero; presumably a size
        // or length argument - confirm in the sample.
        $sequence_2 = { 56 57 8bf1 8bfa 85db 7517 68a8010000 }
            // n = 7, score = 200
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bf1                 | mov                 esi, ecx
            //   8bfa                 | mov                 edi, edx
            //   85db                 | test                ebx, ebx
            //   7517                 | jne                 0x19
            //   68a8010000           | push                0x1a8

        // Saves a call result in esi and passes it with a NULL argument to the
        // next call; call target and the following absolute load are masked.
        $sequence_3 = { 53 8bf0 6a00 56 e8???????? a1???????? }
            // n = 6, score = 200
            //   53                   | push                ebx
            //   8bf0                 | mov                 esi, eax
            //   6a00                 | push                0
            //   56                   | push                esi
            //   e8????????           |                     
            //   a1????????           |                     

        // Decimal digit accumulation loop: ecx = ecx*5, then ecx = eax + ecx*2 - 0x30,
        // i.e. ecx = ecx*10 + (char - '0'); reads the next byte from [edi] and
        // loops while it is >= '0'. Typical atoi/strtol-style code, so again
        // possibly shared library code - low specificity.
        $sequence_4 = { 8d0c89 8d4c48d0 8a07 42 3c30 7dd4 894de8 }
            // n = 7, score = 200
            //   8d0c89               | lea                 ecx, [ecx + ecx*4]
            //   8d4c48d0             | lea                 ecx, [eax + ecx*2 - 0x30]
            //   8a07                 | mov                 al, byte ptr [edi]
            //   42                   | inc                 edx
            //   3c30                 | cmp                 al, 0x30
            //   7dd4                 | jge                 0xffffffd6
            //   894de8               | mov                 dword ptr [ebp - 0x18], ecx

        // Three-argument cdecl call (add esp, 0xc) with two masked pointer
        // pushes, followed by initialising a structure: [esi+0x18] = 0x10,
        // [esi+0x1c] = a saved local.
        $sequence_5 = { 68???????? 68???????? e8???????? 83c40c 8b4ddc c7461810000000 894e1c }
            // n = 7, score = 200
            //   68????????           |                     
            //   68????????           |                     
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   c7461810000000       | mov                 dword ptr [esi + 0x18], 0x10
            //   894e1c               | mov                 dword ptr [esi + 0x1c], ecx

        // Passes the address of a large stack buffer (ebp - 0x1218) and 0 to a
        // three-argument call; consistent with zero-filling a local buffer,
        // but the callee is masked so this is an inference.
        $sequence_6 = { 8d85e8edffff 6a00 50 e8???????? 83c40c 68???????? }
            // n = 6, score = 200
            //   8d85e8edffff         | lea                 eax, [ebp - 0x1218]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   68????????           |                     

        // Same three-argument call shape as $sequence_5, then computes
        // [esi+0x24] - [esi+0x20] (a length or offset difference).
        $sequence_7 = { 68???????? 68???????? e8???????? 83c40c 8b5624 2b5620 }
            // n = 6, score = 200
            //   68????????           |                     
            //   68????????           |                     
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8b5624               | mov                 edx, dword ptr [esi + 0x24]
            //   2b5620               | sub                 edx, dword ptr [esi + 0x20]

        // Indirect call through edx with an out-parameter at ebp - 0x103c whose
        // value is read back afterwards; presumably a dynamically resolved API
        // called via a function pointer - confirm in the sample.
        $sequence_8 = { 8d8dc4efffff 51 50 ffd2 8bb5c4efffff 33ff }
            // n = 6, score = 200
            //   8d8dc4efffff         | lea                 ecx, [ebp - 0x103c]
            //   51                   | push                ecx
            //   50                   | push                eax
            //   ffd2                 | call                edx
            //   8bb5c4efffff         | mov                 esi, dword ptr [ebp - 0x103c]
            //   33ff                 | xor                 edi, edi

        // Only four instructions with a masked call: saves a value, calls,
        // then forms ebx + 0x11. Short and generic - the weakest sequence here.
        $sequence_9 = { 8bd8 e8???????? 8d4311 83c404 }
            // n = 4, score = 200
            //   8bd8                 | mov                 ebx, eax
            //   e8????????           |                     
            //   8d4311               | lea                 eax, [ebx + 0x11]
            //   83c404               | add                 esp, 4

    condition:
        // At least 7 of the 10 sequences must be present, so up to 3 may be
        // missing (e.g. due to compiler/version drift). filesize < 362496
        // (~354 KiB) is a coarse guard against large hosts such as installers;
        // NOTE(review): per the YARA docs, filesize is only meaningful when
        // scanning files - confirm how your scanner evaluates it for process
        // memory before relying on this rule there.
        7 of them and filesize < 362496
}