win.havoc

Havoc

aka: Havokiz

Havoc is a modern and malleable post-exploitation command and control framework, created by @C5pider.

References
2023-02-14 | Zscaler | Shatak Jain, Niraj Shivtarkar
@online{jain:20230214:havoc:cce9217, author = {Shatak Jain and Niraj Shivtarkar}, title = {{Havoc Across the Cyberspace}}, date = {2023-02-14}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/havoc-across-cyberspace}, language = {English}, urldate = {2023-02-16} } Havoc Across the Cyberspace
Havoc
2022-10-11 | Twitter (@embee_research) | Embee_research, Huntress Labs
@online{embeeresearch:20221011:havoc:3bc6fb5, author = {Embee_research and Huntress Labs}, title = {{Tweet on Havoc C2 - Static Detection Via Ntdll API Hashes}}, date = {2022-10-11}, organization = {Twitter (@embee_research)}, url = {https://twitter.com/embee_research/status/1579668721777643520?s=20&t=nDJOv1Yf5mQZKCou7qMrhQ}, language = {English}, urldate = {2022-11-21} } Tweet on Havoc C2 - Static Detection Via Ntdll API Hashes
Havoc
2022-10-05 | 4pfsec | 4pfsec
@online{4pfsec:20221005:havoc:f3b689d, author = {4pfsec}, title = {{Havoc C2: First look}}, date = {2022-10-05}, organization = {4pfsec}, url = {https://4pfsec.com/havoc-c2-first-look/}, language = {English}, urldate = {2022-10-12} } Havoc C2: First look
Havoc
2022-10-04 | YouTube (John Hammond) | John Hammond
@online{hammond:20221004:havoc:ba93acc, author = {John Hammond}, title = {{HAVOC C2 - Demon Bypasses Windows 11 Defender}}, date = {2022-10-04}, organization = {YouTube (John Hammond)}, url = {https://www.youtube.com/watch?v=ErPKP4Ms28s}, language = {English}, urldate = {2022-10-12} } HAVOC C2 - Demon Bypasses Windows 11 Defender
Havoc
2022-09-11 | Github (HavocFramework) | C5pider
@online{c5pider:20220911:havoc:9c6bc38, author = {C5pider}, title = {{Havoc}}, date = {2022-09-11}, organization = {Github (HavocFramework)}, url = {https://github.com/HavocFramework/Havoc}, language = {English}, urldate = {2022-10-12} } Havoc
Havoc
Yara Rules
[TLP:WHITE] win_havoc_auto (20230407 | Detects win.havoc.)
rule win_havoc_auto {
    /* Auto-generated (yara-signator) rule for win.havoc: ten short opcode
     * byte sequences, selected from disassembly of memory dumps / unpacked
     * files (see DISCLAIMER below), matched as raw bytes. Rule identity
     * (name, string names, meta) is tracked by Malpedia via malpedia_hash;
     * keep it unchanged when re-using the rule.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.havoc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): the mnemonic annotations beside each sequence do not
        // appear to decode the bytes they sit next to (e.g. 4c634114 is the
        // REX-prefixed x64 instruction `movsxd r8, dword ptr [rcx+0x14]`, not
        // `inc ecx`; 48/4c/44/45 are REX prefixes, not dec/inc). Treat the hex
        // bytes as authoritative and the annotations as informational only.
        // `e8????????` is a `call rel32` with its 4-byte displacement
        // wildcarded, so a sequence is not tied to one particular call target.
        $sequence_0 = { 4c634114 488b09 e8???????? 488b03 48894308 }
            // n = 5, score = 800
            //   4c634114             | inc                 ecx
            //   488b09               | pop                 edi
            //   e8????????           |                     
            //   488b03               | dec                 esp
            //   48894308             | mov                 ecx, ebp

        $sequence_1 = { 8b5204 8b400c 486bc012 4801d0 }
            // n = 4, score = 800
            //   8b5204               | dec                 eax
            //   8b400c               | lea                 ecx, [ebx + 0x10]
            //   486bc012             | dec                 ebp
            //   4801d0               | mov                 ecx, ebp

        $sequence_2 = { 486bc628 488b13 4889f7 4531ed 48c1e704 }
            // n = 5, score = 800
            //   486bc628             | test                esi, esi
            //   488b13               | jne                 0x17a0
            //   4889f7               | mov                 esi, 2
            //   4531ed               | jmp                 0x17a0
            //   48c1e704             | test                esi, esi

        $sequence_3 = { 31f6 53 4889cb 4883ec28 488b4308 }
            // n = 5, score = 800
            //   31f6                 | push                esi
            //   53                   | dec                 eax
            //   4889cb               | mov                 esi, ecx
            //   4883ec28             | mov                 ecx, 0xf
            //   488b4308             | push                ebx

        $sequence_4 = { 488b01 ff5018 85c0 75e2 488b0b }
            // n = 5, score = 800
            //   488b01               | dec                 eax
            //   ff5018               | mov                 ecx, esi
            //   85c0                 | inc                 ecx
            //   75e2                 | mov                 eax, 0x5003c058
            //   488b0b               | mov                 edx, eax

        $sequence_5 = { 448a0401 443a0402 750b 48ffc0 4584c0 75ee }
            // n = 6, score = 800
            //   448a0401             | dec                 eax
            //   443a0402             | mov                 eax, dword ptr [esp + 0x190]
            //   750b                 | inc                 esp
            //   48ffc0               | mov                 dword ptr [esp + 0x28], esp
            //   4584c0               | dec                 eax
            //   75ee                 | mov                 dword ptr [esp + 0x40], 0

        $sequence_6 = { e8???????? 31c0 eb67 488b4500 488d542478 }
            // n = 5, score = 800
            //   e8????????           |                     
            //   31c0                 | mov                 dword ptr [esp + 0x80], 0
            //   eb67                 | dec                 eax
            //   488b4500             | mov                 dword ptr [esp + 0x88], 0
            //   488d542478           | dec                 eax

        $sequence_7 = { 488b4b20 486bd212 4801ca 803a00 0f84a5000000 }
            // n = 5, score = 800
            //   488b4b20             | mov                 dword ptr [esp + 0x30], eax
            //   486bd212             | call                dword ptr [eax + 0x154]
            //   4801ca               | dec                 eax
            //   803a00               | mov                 ebp, eax
            //   0f84a5000000         | dec                 eax

        $sequence_8 = { 57 56 4889d6 4489c2 }
            // n = 4, score = 800
            //   57                   | dec                 eax
            //   56                   | mov                 ecx, dword ptr [esp + 0x78]
            //   4889d6               | call                dword ptr [eax + 0x3cc]
            //   4489c2               | dec                 eax

        $sequence_9 = { 4883c004 83791c00 895114 48894108 4489c0 }
            // n = 5, score = 800
            //   4883c004             | dec                 eax
            //   83791c00             | add                 esp, 0x78
            //   895114               | pop                 ebx
            //   48894108             | pop                 esi
            //   4489c0               | mov                 dword ptr [eax + 4], edx

    condition:
        // At least 7 of the 10 sequences must be present. The filesize cap
        // (164864 = 0x28400 bytes) restricts matches to small inputs —
        // presumably derived from the reference sample(s) size; confirm before
        // relying on this rule for larger builds or for memory scans, where
        // the scanned region size is what `filesize` evaluates to.
        7 of them and filesize < 164864
}
[TLP:WHITE] win_havoc_w0   (20221012 | No description)
rule win_havoc_w0 {
	//Detects ntdll API hashes used in Havoc C2 Demon payloads
	// Each $nt_hashN is the little-endian DWORD encoding of one name hash; the
	// trailing comment gives the 32-bit value and the ntdll export (or, for
	// $nt_hash1, the module name "ntdll.dll") it resolves to. A payload that
	// embeds these constants for API resolution will contain the raw 4-byte
	// patterns, which is what the strings below look for.
    
	meta:
		author = "embee_research @ HuntressLabs"
		vendor = "Huntress Research" 
		date = "2022/10/11"
		source = "https://raw.githubusercontent.com/embee-research/Yara/main/HavocDemons.yara"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc"
        malpedia_rule_date = "20221012"
        malpedia_hash = ""
        malpedia_version = "20221012"
        malpedia_sharing = "TLP:WHITE"
	strings:
		
		// Syscall Hashes
		$nt_hash1 = {53 17 e6 70} //0x70e61753 == ntdll.dll
		$nt_hash2 = {43 6a 45 9e} //0x9e456a43 == LdrLoadDll
		$nt_hash3 = {ec b8 83 f7} //0xf783b8ec == NtAllocateVirtualMemory
		$nt_hash4 = {88 28 e9 50} //0x50e92888 == NtProtectVirtualMemory
        
        
		$nt_hash5 = {f6 99 5a 2e} //0x2e5a99f6 == LdrGetProcedureAddress
		$nt_hash6 = {da 81 b3 c0} //0xc0b381da == NtAllocateHeap
		$nt_hash7 = {d7 71 ba 70} //0x70ba71d7 == RtlFreeHeap
		$nt_hash8 = {88 2b 49 8e} //0x8e492b88 == RtlExitUserThread
		$nt_hash9 = {ef f0 a1 3a} //0x3aa1f0ef == RtlExitUserProcess
		$nt_hash10 = {f5 39 34 7c} //0x7c3439f5 == RtlRandomEx
		$nt_hash11 = {70 f2 ab 35} //0x35abf270 == RtlNtStatusToDosError
		$nt_hash12 = {1d aa a3 3c} //0x3ca3aa1d == RtlGetVersion
		$nt_hash13 = {11 b2 8f f7} //0xf78fb211 == RtlCreateTimerQueue
		$nt_hash14 = {4c 7c de a5} //0xa5de7c4c == RtlCreateTimer
		$nt_hash15 = {90 fe 61 95} //0x9561fe90 == RtlDeleteTimerQueue
		$nt_hash16 = {d0 ee 33 77} //0x7733eed0 == RtlCaptureContext
		$nt_hash17 = {a9 af 4b 55} //0x554bafa9 == RtlAddVectoredExceptionHandler
		$nt_hash18 = {0e 21 0c 88} //0x880c210e == RtlRemoveVectoredExceptionHandler
		$nt_hash19 = {3d 13 8e 8b} //0x8b8e133d == NtClose
		$nt_hash20 = {7d 74 58 ca} //0xca58747d == ZwCreateEvent
		
	condition:
		//PE or Shellcode or Shellcode
		// The uint16(0) gate reads the first two bytes little-endian:
		//   0x5a4d -> "MZ"   (PE image)
		//   0x00e8 -> e8 00  (file starts with a `call rel32`, a shellcode stub)
		//   0x4856 -> 56 48  (`push rsi` followed by a REX prefix, x64 stub)
		// Any 4-byte constant can collide by chance in large inputs; the
		// threshold of 3 distinct hashes is what keeps false positives down.
		//Leave as "3 of them" for more robust (but compute expensive) searching
		(3 of them) and (uint16(0) == 0x5a4d or uint16(0) == 0x00e8 or uint16(0) == 0x4856)
}
[TLP:WHITE] win_havoc_w1   (20221012 | No description)
rule win_havoc_w1 {
	//Detects the hashing routine used in Havoc C2
	// Both patterns are the x64 code of the name-hashing loop whose constants
	// (seed 0x1505 = 5381, multiplier 0x21 = 33) are those of the DJB2 hash.
	// Matching the routine rather than individual hash values makes the rule
	// independent of which API names a given build resolves.
    
	meta:
		author = "embee_research @ HuntressLabs"
		vendor = "Huntress Research" 
		date = "2022/10/11"
		source = "https://raw.githubusercontent.com/embee-research/Yara/main/HavocDemonDJB2.yara"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc"
        malpedia_rule_date = "20221012"
        malpedia_hash = ""
        malpedia_version = "20221012"
        malpedia_sharing = "TLP:WHITE"
	strings:
		

		//  Hashing Routine of DLL   
		// Decodes as:
		//   b8 05 15 00 00   mov eax, 0x1505          ; seed 5381
		//   0f be 11         movsx edx, byte ptr [rcx]
		//   48 ff c1         inc rcx
		//   84 d2            test dl, dl              ; stop at NUL
		//   74 07            je  +7
		//   6b c0 21         imul eax, eax, 0x21      ; hash * 33
		//   01 d0            add eax, edx             ; + char
		//   eb ef            jmp back to the load
		$dll = {b8 05 15 00 00 0f be 11 48 ff c1 84 d2 74 07 6b c0 21 01 d0 eb ef} 
		
		                             
        //Hashing Routine of Shellcode
		// Decodes as (seed is set outside the matched bytes):
		//   41 80 f8 60      cmp r8b, 0x60
		//   76 04            jbe +4
		//   41 83 e8 20      sub r8d, 0x20            ; fold 'a'..'z' to upper case
		//   6b c0 21         imul eax, eax, 0x21      ; hash * 33
		//   45 0f b6 c0      movzx r8d, r8b
		//   49 ff c1         inc r9
		//   44 01 c0         add eax, r8d             ; + char
		//   eb c4            jmp back to the load
		$shellcode = {41 80 f8 60 76 04 41 83 e8 20 6b c0 21 45 0f b6 c0 49 ff c1 44 01 c0 eb c4}
		
		
	condition:
		//PE or Shellcode or Shellcode
		// uint16(0) is read little-endian: 0x5a4d = "MZ" (PE), 0x00e8 = bytes
		// e8 00 (leading `call rel32`), 0x4856 = bytes 56 48 (`push rsi` + REX).
		//Leave as "any of them" for more robust (but compute expensive) searching
		(any of them) and (uint16(0) == 0x5a4d or uint16(0) == 0x00e8 or uint16(0) == 0x4856)
}