win.havoc (Back to overview)

Havoc

aka: Havokiz

Havoc is a modern, malleable, open-source post-exploitation command-and-control (C2) framework created by @C5pider and published on GitHub in 2022; its Windows agent is called "Demon". Although released as a red-team tool, it has been observed in real-world intrusions and in a targeted OSS supply-chain attack (see the references below), so detections for it should be treated as potentially hostile rather than assumed to be an authorised engagement.

References
2024-01-25JSAC 2024Masafumi Takeda, Tomoya Furukawa
Threat Intelligence of Abused Public Post-Exploitation Frameworks
AsyncRAT DCRat Empire Downloader GRUNT Havoc Koadic Merlin PoshC2 Quasar RAT Sliver
2024-01-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q4 2023
FluBot Hook FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc IcedID Lumma Stealer Meterpreter NjRAT Pikabot QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver
2023-10-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2023
FluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar
2023-10-10SymantecThreat Hunter Team
Grayling: Previously Unseen Threat Actor Targets Multiple Organizations in Taiwan
Cobalt Strike Havoc MimiKatz Grayling
2023-07-21CheckmarxTzachi Zornstein
First Known Targeted OSS Supply Chain Attacks Against the Banking Sector
Havoc
2023-07-11SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2023
Hydra AsyncRAT Aurora Stealer Ave Maria BumbleBee Cobalt Strike DCRat Havoc IcedID ISFB NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee
2023-02-14ZscalerNiraj Shivtarkar, Shatak Jain
Havoc Across the Cyberspace
Havoc
2022-10-11Twitter (@embee_research)Embee_research, Huntress Labs
Tweet on Havoc C2 - Static Detection Via Ntdll API Hashes
Havoc
2022-10-054pfsec4pfsec
Havoc C2: First look
Havoc
2022-10-04YouTube (John Hammond)John Hammond
HAVOC C2 - Demon Bypasses Windows 11 Defender
Havoc
2022-09-11Github (HavocFramework)C5pider
Havoc
Havoc
Yara Rules
[TLP:WHITE] win_havoc_auto (20230808 | Detects win.havoc. Auto-generated code-sequence rule; see the disclaimer inside the rule before assigning it a confidence level.)
rule win_havoc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.havoc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the per-instruction comments that the generator emitted for
     * this rule did not correspond to the byte sequences (they read like a
     * 32-bit decode of unrelated code). They have been replaced below with a
     * 64-bit decode of the actual bytes so that an analyst can tell at a glance
     * what each pattern is. The hex patterns themselves are unchanged; the
     * annotations are comments only and are not evaluated by YARA.
     */

    strings:
        // Sign-test on a status value followed by two loads of the same stack
        // slot and clearing of r9d (4th argument register).
        $sequence_0 = { 85c0 7856 488b842488000000 488bb42488000000 4531c9 }
            // n = 5, score = 800
            //   85c0                 | test                eax, eax
            //   7856                 | js                  +0x56
            //   488b842488000000     | mov                 rax, qword ptr [rsp + 0x88]
            //   488bb42488000000     | mov                 rsi, qword ptr [rsp + 0x88]
            //   4531c9               | xor                 r9d, r9d

        // Argument set-up: r8 = stack buffer, edx = 0x42a, with stack spills.
        $sequence_1 = { 48898424ae000000 4c8d442458 ba2a040000 8b842498000000 4889442448 }
            // n = 5, score = 800
            //   48898424ae000000     | mov                 qword ptr [rsp + 0xae], rax
            //   4c8d442458           | lea                 r8, [rsp + 0x58]
            //   ba2a040000           | mov                 edx, 0x42a
            //   8b842498000000       | mov                 eax, dword ptr [rsp + 0x98]
            //   4889442448           | mov                 qword ptr [rsp + 0x48], rax

        // Tail of an unrolled byte-copy loop (4 bytes per iteration, rcx = dst,
        // rdx = src) bounded at 0x20 bytes.
        $sequence_2 = { 4488440101 448a440202 4488440102 448a440203 4488440103 4883c004 4883f820 }
            // n = 7, score = 800
            //   4488440101           | mov                 byte ptr [rcx + rax + 1], r8b
            //   448a440202           | mov                 r8b, byte ptr [rdx + rax + 2]
            //   4488440102           | mov                 byte ptr [rcx + rax + 2], r8b
            //   448a440203           | mov                 r8b, byte ptr [rdx + rax + 3]
            //   4488440103           | mov                 byte ptr [rcx + rax + 3], r8b
            //   4883c004             | add                 rax, 4
            //   4883f820             | cmp                 rax, 0x20

        // NULL check on a pointer; on non-NULL dereference field +0x30 and
        // increment a counter in ebx.
        $sequence_3 = { 4885c0 7504 31f6 eb08 488b4030 ffc3 }
            // n = 6, score = 800
            //   4885c0               | test                rax, rax
            //   7504                 | jne                 +4
            //   31f6                 | xor                 esi, esi
            //   eb08                 | jmp                 +8
            //   488b4030             | mov                 rax, qword ptr [rax + 0x30]
            //   ffc3                 | inc                 ebx

        // Generic function prologue saving callee-saved registers and moving
        // the 2nd/3rd arguments into rsi/rbp. Low-entropy on its own; the
        // "7 of them" condition is what keeps this from matching other code.
        $sequence_4 = { 55 4c89c5 57 56 4889d6 53 }
            // n = 6, score = 800
            //   55                   | push                rbp
            //   4c89c5               | mov                 rbp, r8
            //   57                   | push                rdi
            //   56                   | push                rsi
            //   4889d6               | mov                 rsi, rdx
            //   53                   | push                rbx

        // Shadow-space allocation, then loads from the first argument (rcx)
        // and a RIP-relative load (displacement wildcarded because it changes
        // with every build/link).
        $sequence_5 = { 4883ec28 488b410c 488b4904 488d5008 488b05???????? }
            // n = 5, score = 800
            //   4883ec28             | sub                 rsp, 0x28
            //   488b410c             | mov                 rax, qword ptr [rcx + 0xc]
            //   488b4904             | mov                 rcx, qword ptr [rcx + 4]
            //   488d5008             | lea                 rdx, [rax + 8]
            //   488b05????????       | mov                 rax, qword ptr [rip + disp32]

        // Argument set-up with rcx/r9/r8 pointing into an object and the stack,
        // and edx = 0x02000000.
        $sequence_6 = { 488d4b10 4c8d4c2460 4889442460 8b442478 ba00000002 4c8d842490000000 }
            // n = 6, score = 800
            //   488d4b10             | lea                 rcx, [rbx + 0x10]
            //   4c8d4c2460           | lea                 r9, [rsp + 0x60]
            //   4889442460           | mov                 qword ptr [rsp + 0x60], rax
            //   8b442478             | mov                 eax, dword ptr [rsp + 0x78]
            //   ba00000002           | mov                 edx, 0x2000000
            //   4c8d842490000000     | lea                 r8, [rsp + 0x90]

        // Two rep-movsd block copies; the second copies 0x134 dwords = 0x4d0
        // bytes, which is sizeof(CONTEXT) on x64 - presumably a thread-context
        // copy (TODO confirm against the sample).
        $sequence_7 = { f3a5 488bbc2480000000 488b742460 b934010000 f3a5 }
            // n = 5, score = 800
            //   f3a5                 | rep movsd           dword ptr [rdi], dword ptr [rsi]
            //   488bbc2480000000     | mov                 rdi, qword ptr [rsp + 0x80]
            //   488b742460           | mov                 rsi, qword ptr [rsp + 0x60]
            //   b934010000           | mov                 ecx, 0x134
            //   f3a5                 | rep movsd           dword ptr [rdi], dword ptr [rsi]

        // edx = 0xf01ff, which equals TOKEN_ALL_ACCESS; looks like an access
        // mask for a token-open call (TODO confirm which API follows).
        $sequence_8 = { baff010f00 c744244001000000 4889442444 31c0 85f6 }
            // n = 5, score = 800
            //   baff010f00           | mov                 edx, 0xf01ff
            //   c744244001000000     | mov                 dword ptr [rsp + 0x40], 1
            //   4889442444           | mov                 qword ptr [rsp + 0x44], rax
            //   31c0                 | xor                 eax, eax
            //   85f6                 | test                esi, esi

        // Another generic prologue (push r13/r12, clear r12d, push rbp/rdi/rsi/
        // rbx). Like $sequence_4 it is common compiler output.
        $sequence_9 = { 4155 4154 4531e4 55 57 56 53 }
            // n = 7, score = 800
            //   4155                 | push                r13
            //   4154                 | push                r12
            //   4531e4               | xor                 r12d, r12d
            //   55                   | push                rbp
            //   57                   | push                rdi
            //   56                   | push                rsi
            //   53                   | push                rbx

    condition:
        // Seven of the ten sequences must co-occur, and the scanned object must
        // be under 164864 bytes (161 KiB). The size cap limits false positives
        // from large binaries that happen to contain the generic prologues, but
        // it also means the rule will not fire on the Demon once it is embedded
        // in a larger carrier (a packed loader, a full process dump) - run it
        // against unpacked payloads / extracted PE images.
        7 of them and filesize < 164864
}
[TLP:WHITE] win_havoc_w0   (20221012 | Detects ntdll API-name hashes used in Havoc C2 Demon payloads)
rule win_havoc_w0 {
	// Detects ntdll API-name hashes used in Havoc C2 Demon payloads.
	// The Demon resolves ntdll exports by hashing their names rather than
	// storing them as strings; the 4-byte little-endian constants below are
	// those hash values as they appear in the compiled payload. The companion
	// rule win_havoc_w1 matches the hashing routine itself (DJB2, seed 0x1505,
	// multiplier 0x21), so these constants are tied to that algorithm: a
	// Demon rebuilt with a different seed or hash function will not match here.
    
	meta:
		author = "embee_research @ HuntressLabs"
		vendor = "Huntress Research" 
		date = "2022/10/11"
		source = "https://raw.githubusercontent.com/embee-research/Yara/main/HavocDemons.yara"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc"
        malpedia_rule_date = "20221012"
        malpedia_hash = ""
        malpedia_version = "20221012"
        malpedia_sharing = "TLP:WHITE"
	strings:
		
		// Hashed ntdll export names (and the module name itself). Note these are
		// hashes of API *names*, not syscall numbers - several of the targets
		// (Ldr*, Rtl*) are not syscalls at all.
		// Each string is the 32-bit hash stored little-endian, i.e. byte-reversed
		// relative to the value in the trailing comment.
		$nt_hash1 = {53 17 e6 70} //0x70e61753 == ntdll.dll
		$nt_hash2 = {43 6a 45 9e} //0x9e456a43 == LdrLoadDll
		$nt_hash3 = {ec b8 83 f7} //0xf783b8ec == NtAllocateVirtualMemory
		$nt_hash4 = {88 28 e9 50} //0x50e92888 == NtProtectVirtualMemory
        
        
		$nt_hash5 = {f6 99 5a 2e} //0x2e5a99f6 == LdrGetProcedureAddress
		$nt_hash6 = {da 81 b3 c0} //0xc0b381da == NtAllocateHeap
		$nt_hash7 = {d7 71 ba 70} //0x70ba71d7 == RtlFreeHeap
		$nt_hash8 = {88 2b 49 8e} //0x8e492b88 == RtlExitUserThread
		$nt_hash9 = {ef f0 a1 3a} //0x3aa1f0ef == RtlExitUserProcess
		$nt_hash10 = {f5 39 34 7c} //0x7c3439f5 == RtlRandomEx
		$nt_hash11 = {70 f2 ab 35} //0x35abf270 == RtlNtStatusToDosError
		$nt_hash12 = {1d aa a3 3c} //0x3ca3aa1d == RtlGetVersion
		$nt_hash13 = {11 b2 8f f7} //0xf78fb211 == RtlCreateTimerQueue
		$nt_hash14 = {4c 7c de a5} //0xa5de7c4c == RtlCreateTimer
		$nt_hash15 = {90 fe 61 95} //0x9561fe90 == RtlDeleteTimerQueue
		$nt_hash16 = {d0 ee 33 77} //0x7733eed0 == RtlCaptureContext
		$nt_hash17 = {a9 af 4b 55} //0x554bafa9 == RtlAddVectoredExceptionHandler
		$nt_hash18 = {0e 21 0c 88} //0x880c210e == RtlRemoveVectoredExceptionHandler
		$nt_hash19 = {3d 13 8e 8b} //0x8b8e133d == NtClose
		$nt_hash20 = {7d 74 58 ca} //0xca58747d == ZwCreateEvent
		
	condition:
		// Any single 4-byte constant is too short to be meaningful on its own,
		// so at least three of them must be present.
		// The scanned object must also begin with one of:
		//   0x5a4d -> "MZ", a PE image
		//   0x00e8 -> bytes e8 00: a `call` with a small displacement, a
		//             typical position-independent shellcode entry stub
		//   0x4856 -> bytes 56 48: `push rsi` followed by a REX.W prefix,
		//             which looks like an x64 shellcode prologue
		// This gate makes the rule cheap to run over large corpora, but it means
		// a payload that does not sit at offset 0 of the scanned buffer (e.g.
		// inside a process dump or a loader's resource section) is missed -
		// drop the uint16(0) clause when scanning memory or carved regions.
		//Leave as "3 of them" for more robust (but compute expensive) searching
		(3 of them) and (uint16(0) == 0x5a4d or uint16(0) == 0x00e8 or uint16(0) == 0x4856)
}
[TLP:WHITE] win_havoc_w1   (20221012 | Detects the API-name hashing routine used in Havoc C2 Demon payloads)
rule win_havoc_w1 {
	// Detects the API-name hashing routine used in Havoc C2 Demon payloads,
	// in both its DLL and shellcode forms. The routine is DJB2 (seed 0x1505 =
	// 5381, hash = hash * 0x21 + byte); the hash values it produces are what
	// the companion rule win_havoc_w0 matches as constants.
    
	meta:
		author = "embee_research @ HuntressLabs"
		vendor = "Huntress Research" 
		date = "2022/10/11"
		source = "https://raw.githubusercontent.com/embee-research/Yara/main/HavocDemonDJB2.yara"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc"
        malpedia_rule_date = "20221012"
        malpedia_hash = ""
        malpedia_version = "20221012"
        malpedia_sharing = "TLP:WHITE"
	strings:
		

		// Hashing routine of the DLL build. Decoded (x64):
		//   b8 05 15 00 00   mov   eax, 0x1505          ; DJB2 seed 5381
		//   0f be 11         movsx edx, byte ptr [rcx]  ; next character
		//   48 ff c1         inc   rcx
		//   84 d2            test  dl, dl               ; stop at the NUL terminator
		//   74 07            je    +7                   ; skip the three instructions below
		//   6b c0 21         imul  eax, eax, 0x21       ; hash * 33
		//   01 d0            add   eax, edx             ; + character
		//   eb ef            jmp   -0x11                ; back to the movsx
		// Because the seed is part of the pattern, a Demon built with a
		// different seed will not match this string.
		$dll = {b8 05 15 00 00 0f be 11 48 ff c1 84 d2 74 07 6b c0 21 01 d0 eb ef} 
		
		                             
		// Hashing routine of the shellcode build. Decoded (x64):
		//   41 80 f8 60      cmp   r8b, 0x60            ; character > '`' ?
		//   76 04            jbe   +4                   ; if not, keep it as is
		//   41 83 e8 20      sub   r8d, 0x20            ; else fold lowercase to uppercase
		//   6b c0 21         imul  eax, eax, 0x21       ; hash * 33
		//   45 0f b6 c0      movzx r8d, r8b
		//   49 ff c1         inc   r9
		//   44 01 c0         add   eax, r8d             ; + character
		//   eb c4            jmp   -0x3c                ; loop head lies before the matched bytes
		// This variant is case-insensitive (lowercase ASCII is folded to
		// uppercase before hashing) and the seed is loaded outside the matched
		// bytes, so only the multiplier ties it to DJB2.
		$shellcode = {41 80 f8 60 76 04 41 83 e8 20 6b c0 21 45 0f b6 c0 49 ff c1 44 01 c0 eb c4}
		
		
	condition:
		// Either routine plus a cheap header gate: the object must begin with
		// "MZ" (0x5a4d, a PE image), bytes e8 00 (a `call` shellcode entry
		// stub) or bytes 56 48 (`push rsi` + REX.W prefix, an x64 shellcode
		// prologue). As with win_havoc_w0, a payload not at offset 0 of the
		// scanned buffer is missed; remove the uint16(0) clause for memory or
		// carved-region scans.
		//Leave as "any of them" for more robust (but compute expensive) searching
		(any of them) and (uint16(0) == 0x5a4d or uint16(0) == 0x00e8 or uint16(0) == 0x4856)
}