SYMBOLCOMMON_NAMEaka. SYNONYMS
win.grease (Back to overview)

GREASE

Actor(s): Kimsuky


There is no description at this point.

References
2023-02-02WithSecureSami Ruohonen, Stephen Robinson
@techreport{ruohonen:20230202:no:2a5fce3, author = {Sami Ruohonen and Stephen Robinson}, title = {{No Pineapple! –DPRK Targeting of Medical Research and Technology Sector}}, date = {2023-02-02}, institution = {WithSecure}, url = {https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf}, language = {English}, urldate = {2023-08-25} } No Pineapple! –DPRK Targeting of Medical Research and Technology Sector
Dtrack GREASE QuiteRAT
2020-10-27US-CERTUS-CERT
@online{uscert:20201027:alert:cd5c1eb, author = {US-CERT}, title = {{Alert (AA20-301A): North Korean Advanced Persistent Threat Focus: Kimsuky}}, date = {2020-10-27}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-301a}, language = {English}, urldate = {2023-02-09} } Alert (AA20-301A): North Korean Advanced Persistent Threat Focus: Kimsuky
BabyShark GREASE MECHANICAL Meterpreter Kimsuky
2018-12-05NetScoutASERT Team
@online{team:20181205:stolen:bc9dd60, author = {ASERT Team}, title = {{STOLEN PENCIL Campaign Targets Academia}}, date = {2018-12-05}, organization = {NetScout}, url = {https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/}, language = {English}, urldate = {2020-01-08} } STOLEN PENCIL Campaign Targets Academia
GREASE MECHANICAL
Yara Rules
[TLP:WHITE] win_grease_auto (20230715 | Detects win.grease.)
rule win_grease_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.grease."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grease"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 52 50 683f000f00 50 50 50 }
            // n = 6, score = 400
            //   52                   | push                edx
            //   50                   | push                eax
            //   683f000f00           | push                0xf003f
            //   50                   | push                eax
            //   50                   | push                eax
            //   50                   | push                eax

        $sequence_1 = { 488b4c2460 ff15???????? b801000000 488b8c2480020000 4833cc e8???????? }
            // n = 6, score = 300
            //   488b4c2460           | xor                 eax, eax
            //   ff15????????         |                     
            //   b801000000           | dec                 eax
            //   488b8c2480020000     | mov                 edx, ebx
            //   4833cc               | mov                 dword ptr [esp + 0x28], 4
            //   e8????????           |                     

        $sequence_2 = { 488b4c2460 48897c2440 488d442450 4889442438 48897c2430 }
            // n = 5, score = 300
            //   488b4c2460           | dec                 eax
            //   48897c2440           | mov                 ecx, dword ptr [esp + 0x60]
            //   488d442450           | dec                 eax
            //   4889442438           | mov                 ecx, dword ptr [esp + 0x60]
            //   48897c2430           | dec                 eax

        $sequence_3 = { 4533c0 c74424283f000f00 897c2420 ff15???????? 85c0 }
            // n = 5, score = 300
            //   4533c0               | mov                 dword ptr [esp + 0x28], 4
            //   c74424283f000f00     | dec                 eax
            //   897c2420             | mov                 dword ptr [esp + 0x20], eax
            //   ff15????????         |                     
            //   85c0                 | dec                 eax

        $sequence_4 = { 4053 4881ec90020000 488b05???????? 4833c4 4889842480020000 488d4c2472 }
            // n = 6, score = 300
            //   4053                 | mov                 dword ptr [esp + 0x30], edi
            //   4881ec90020000       | inc                 ebp
            //   488b05????????       |                     
            //   4833c4               | xor                 eax, eax
            //   4889842480020000     | inc                 ebp
            //   488d4c2472           | xor                 ecx, ecx

        $sequence_5 = { 488bd3 c744242804000000 4889442420 ff15???????? 488b4c2450 ff15???????? }
            // n = 6, score = 300
            //   488bd3               | mov                 dword ptr [esp + 0x40], edi
            //   c744242804000000     | dec                 eax
            //   4889442420           | lea                 eax, [esp + 0x50]
            //   ff15????????         |                     
            //   488b4c2450           | dec                 eax
            //   ff15????????         |                     

        $sequence_6 = { 48897c2440 4889442438 48897c2430 4533c0 c74424283f000f00 }
            // n = 5, score = 300
            //   48897c2440           | mov                 dword ptr [esp + 0x38], eax
            //   4889442438           | dec                 eax
            //   48897c2430           | mov                 dword ptr [esp + 0x30], edi
            //   4533c0               | dec                 eax
            //   c74424283f000f00     | mov                 edx, ebx

        $sequence_7 = { 7534 488b4c2450 488d442458 41b904000000 4533c0 488bd3 c744242804000000 }
            // n = 7, score = 300
            //   7534                 | mov                 ecx, dword ptr [esp + 0x50]
            //   488b4c2450           | dec                 eax
            //   488d442458           | mov                 dword ptr [esp + 0x40], edi
            //   41b904000000         | dec                 eax
            //   4533c0               | mov                 dword ptr [esp + 0x38], eax
            //   488bd3               | dec                 eax
            //   c744242804000000     | mov                 dword ptr [esp + 0x30], edi

        $sequence_8 = { 48c7c102000080 c74424281f000200 895c2420 ff15???????? 85c0 0f85e7000000 488b4c2460 }
            // n = 7, score = 300
            //   48c7c102000080       | dec                 eax
            //   c74424281f000200     | mov                 ecx, 0x80000002
            //   895c2420             | mov                 dword ptr [esp + 0x28], 0x2001f
            //   ff15????????         |                     
            //   85c0                 | mov                 dword ptr [esp + 0x20], ebx
            //   0f85e7000000         | test                eax, eax
            //   488b4c2460           | jne                 0xed

        $sequence_9 = { c684342807000065 e9???????? c684342807000075 e9???????? c68434280700006e e9???????? }
            // n = 6, score = 200
            //   c684342807000065     | mov                 byte ptr [esp + esi + 0x728], 0x65
            //   e9????????           |                     
            //   c684342807000075     | mov                 byte ptr [esp + esi + 0x728], 0x75
            //   e9????????           |                     
            //   c68434280700006e     | mov                 byte ptr [esp + esi + 0x728], 0x6e
            //   e9????????           |                     

        $sequence_10 = { 8b44240c 8b35???????? 50 ffd6 8d4c2418 68???????? }
            // n = 6, score = 200
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   8b35????????         |                     
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   8d4c2418             | lea                 ecx, [esp + 0x18]
            //   68????????           |                     

        $sequence_11 = { c1f805 83e11f 8b048560e44000 8d04c8 8b0b 8908 }
            // n = 6, score = 200
            //   c1f805               | sar                 eax, 5
            //   83e11f               | and                 ecx, 0x1f
            //   8b048560e44000       | mov                 eax, dword ptr [eax*4 + 0x40e460]
            //   8d04c8               | lea                 eax, [eax + ecx*8]
            //   8b0b                 | mov                 ecx, dword ptr [ebx]
            //   8908                 | mov                 dword ptr [eax], ecx

        $sequence_12 = { c684341c0400002f eb1c c684341c0400003f eb12 c684341c0400002e eb08 }
            // n = 6, score = 200
            //   c684341c0400002f     | mov                 byte ptr [esp + esi + 0x41c], 0x2f
            //   eb1c                 | jmp                 0x1e
            //   c684341c0400003f     | mov                 byte ptr [esp + esi + 0x41c], 0x3f
            //   eb12                 | jmp                 0x14
            //   c684341c0400002e     | mov                 byte ptr [esp + esi + 0x41c], 0x2e
            //   eb08                 | jmp                 0xa

        $sequence_13 = { ffd5 8b4c2410 8b35???????? 51 }
            // n = 4, score = 200
            //   ffd5                 | call                ebp
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   8b35????????         |                     
            //   51                   | push                ecx

        $sequence_14 = { f3a5 e8???????? 8d84243c040000 83c40c 8d5001 8bff }
            // n = 6, score = 200
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   e8????????           |                     
            //   8d84243c040000       | lea                 eax, [esp + 0x43c]
            //   83c40c               | add                 esp, 0xc
            //   8d5001               | lea                 edx, [eax + 1]
            //   8bff                 | mov                 edi, edi

        $sequence_15 = { c68434100100003d e9???????? c68434100100005f e9???????? c68434100100003a e9???????? }
            // n = 6, score = 200
            //   c68434100100003d     | mov                 byte ptr [esp + esi + 0x110], 0x3d
            //   e9????????           |                     
            //   c68434100100005f     | mov                 byte ptr [esp + esi + 0x110], 0x5f
            //   e9????????           |                     
            //   c68434100100003a     | mov                 byte ptr [esp + esi + 0x110], 0x3a
            //   e9????????           |                     

        $sequence_16 = { eb58 c68434100100003c eb4e c684341001000028 }
            // n = 4, score = 200
            //   eb58                 | jmp                 0x5a
            //   c68434100100003c     | mov                 byte ptr [esp + esi + 0x110], 0x3c
            //   eb4e                 | jmp                 0x50
            //   c684341001000028     | mov                 byte ptr [esp + esi + 0x110], 0x28

        $sequence_17 = { 85c0 75f4 33c9 85f6 }
            // n = 4, score = 200
            //   85c0                 | test                eax, eax
            //   75f4                 | jne                 0xfffffff6
            //   33c9                 | xor                 ecx, ecx
            //   85f6                 | test                esi, esi

        $sequence_18 = { c644340c64 e9???????? c644340c70 e9???????? c644340c73 e9???????? c644340c74 }
            // n = 7, score = 200
            //   c644340c64           | mov                 byte ptr [esp + esi + 0xc], 0x64
            //   e9????????           |                     
            //   c644340c70           | mov                 byte ptr [esp + esi + 0xc], 0x70
            //   e9????????           |                     
            //   c644340c73           | mov                 byte ptr [esp + esi + 0xc], 0x73
            //   e9????????           |                     
            //   c644340c74           | mov                 byte ptr [esp + esi + 0xc], 0x74

        $sequence_19 = { 50 e8???????? 83c40c 6a00 8d8c240c010000 51 ffd6 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   6a00                 | push                0
            //   8d8c240c010000       | lea                 ecx, [esp + 0x10c]
            //   51                   | push                ecx
            //   ffd6                 | call                esi

        $sequence_20 = { 83c001 3ad3 75f7 2bc1 53 66899c442c010000 }
            // n = 6, score = 200
            //   83c001               | add                 eax, 1
            //   3ad3                 | cmp                 dl, bl
            //   75f7                 | jne                 0xfffffff9
            //   2bc1                 | sub                 eax, ecx
            //   53                   | push                ebx
            //   66899c442c010000     | mov                 word ptr [esp + eax*2 + 0x12c], bx

        $sequence_21 = { 8d4c241c 51 53 68???????? 52 c744243804000000 }
            // n = 6, score = 200
            //   8d4c241c             | lea                 ecx, [esp + 0x1c]
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   68????????           |                     
            //   52                   | push                edx
            //   c744243804000000     | mov                 dword ptr [esp + 0x38], 4

        $sequence_22 = { 83c001 50 8d542430 52 53 53 ff15???????? }
            // n = 7, score = 200
            //   83c001               | add                 eax, 1
            //   50                   | push                eax
            //   8d542430             | lea                 edx, [esp + 0x30]
            //   52                   | push                edx
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   ff15????????         |                     

    condition:
        7 of them and filesize < 278528
}
Download all Yara Rules