
Havoc

aka: Havokiz

Havoc is a modern and malleable post-exploitation command and control (C2) framework created by @C5pider; its agent/implant payload is referred to as the "Demon", which is what the detection content below targets.

References
2022-10-11Twitter (@embee_research)Embee_research, Huntress Labs
@online{embeeresearch:20221011:havoc:3bc6fb5, author = {Embee_research and Huntress Labs}, title = {{Tweet on Havoc C2 - Static Detection Via Ntdll API Hashes}}, date = {2022-10-11}, organization = {Twitter (@embee_research)}, url = {https://twitter.com/embee_research/status/1579668721777643520?s=20&t=nDJOv1Yf5mQZKCou7qMrhQ}, language = {English}, urldate = {2022-11-21} } Tweet on Havoc C2 - Static Detection Via Ntdll API Hashes
Havoc
2022-10-054pfsec4pfsec
@online{4pfsec:20221005:havoc:f3b689d, author = {4pfsec}, title = {{Havoc C2: First look}}, date = {2022-10-05}, organization = {4pfsec}, url = {https://4pfsec.com/havoc-c2-first-look/}, language = {English}, urldate = {2022-10-12} } Havoc C2: First look
Havoc
2022-10-04YouTube (John Hammond)John Hammond
@online{hammond:20221004:havoc:ba93acc, author = {John Hammond}, title = {{HAVOC C2 - Demon Bypasses Windows 11 Defender}}, date = {2022-10-04}, organization = {YouTube (John Hammond)}, url = {https://www.youtube.com/watch?v=ErPKP4Ms28s}, language = {English}, urldate = {2022-10-12} } HAVOC C2 - Demon Bypasses Windows 11 Defender
Havoc
2022-09-11Github (HavocFramework)C5pider
@online{c5pider:20220911:havoc:9c6bc38, author = {C5pider}, title = {{Havoc}}, date = {2022-09-11}, organization = {Github (HavocFramework)}, url = {https://github.com/HavocFramework/Havoc}, language = {English}, urldate = {2022-10-12} } Havoc
Havoc
Yara Rules
[TLP:WHITE] win_havoc_auto (20230125 | Detects win.havoc.)
// Auto-generated (yara-signator) code-sequence signature for the Havoc Demon.
// Matching is on opaque x86-64 byte sequences rather than on any behaviour, so
// it is tied to the specific build(s) it was generated from (see DISCLAIMER).
rule win_havoc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.havoc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     *
     * NOTE(review): the per-instruction annotations that shipped with the
     * generated rule did not correspond to the listed bytes. They have been
     * re-decoded below as x86-64 (the 0x41/0x44/0x45/0x48/0x4c REX prefixes
     * mark 64-bit code); "????" bytes are masked relative/absolute targets.
     * The hex patterns themselves are untouched.
     */


    strings:
        $sequence_0 = { 4885d2 7408 488b5218 ffc0 }
            // n = 4, score = 800
            //   4885d2               | test                rdx, rdx
            //   7408                 | je                  +0x08
            //   488b5218             | mov                 rdx, qword ptr [rdx + 0x18]
            //   ffc0                 | inc                 eax

        $sequence_1 = { 4889b424a8000000 488b35???????? 48c784249800000003000100 48c78424a000000010000000 }
            // n = 4, score = 800
            //   4889b424a8000000     | mov                 qword ptr [rsp + 0xa8], rsi
            //   488b35????????       | mov                 rsi, qword ptr [rip + disp32]   (target masked)
            //   48c784249800000003000100     | mov  qword ptr [rsp + 0x98], 0x10003
            //   48c78424a000000010000000     | mov  qword ptr [rsp + 0xa0], 0x10

        $sequence_2 = { 4531c0 31d2 5b 5e 5f 415c 415d }
            // n = 7, score = 800
            //   4531c0               | xor                 r8d, r8d
            //   31d2                 | xor                 edx, edx
            //   5b                   | pop                 rbx
            //   5e                   | pop                 rsi
            //   5f                   | pop                 rdi
            //   415c                 | pop                 r12
            //   415d                 | pop                 r13
            // (zeroing of two argument registers followed by a callee-saved
            //  register restore — looks like a function epilogue)

        $sequence_3 = { 448a42fe 443242ff 4131c9 4189cf }
            // n = 4, score = 800
            //   448a42fe             | mov                 r8b, byte ptr [rdx - 2]
            //   443242ff             | xor                 r8b, byte ptr [rdx - 1]
            //   4131c9               | xor                 r9d, ecx
            //   4189cf               | mov                 r15d, ecx

        $sequence_4 = { 740a b902000000 e8???????? 448b442448 }
            // n = 4, score = 800
            //   740a                 | je                  +0x0a
            //   b902000000           | mov                 ecx, 2
            //   e8????????           | call                rel32   (target masked)
            //   448b442448           | mov                 r8d, dword ptr [rsp + 0x48]

        $sequence_5 = { 889403f0000000 31c0 4863d0 ffc0 }
            // n = 4, score = 800
            //   889403f0000000       | mov                 byte ptr [rbx + rax + 0xf0], dl
            //   31c0                 | xor                 eax, eax
            //   4863d0               | movsxd              rdx, eax
            //   ffc0                 | inc                 eax

        $sequence_6 = { 6683f901 751f 488b4b28 0fb7520c }
            // n = 4, score = 800
            //   6683f901             | cmp                 cx, 1
            //   751f                 | jne                 +0x1f
            //   488b4b28             | mov                 rcx, qword ptr [rbx + 0x28]
            //   0fb7520c             | movzx               edx, word ptr [rdx + 0x0c]

        $sequence_7 = { 8b44244a 488d542444 4c8b442438 4883c9ff 8903 668b44244e }
            // n = 6, score = 800
            //   8b44244a             | mov                 eax, dword ptr [rsp + 0x4a]
            //   488d542444           | lea                 rdx, [rsp + 0x44]
            //   4c8b442438           | mov                 r8, qword ptr [rsp + 0x38]
            //   4883c9ff             | or                  rcx, 0xffffffffffffffff
            //   8903                 | mov                 dword ptr [rbx], eax
            //   668b44244e           | mov                 ax, word ptr [rsp + 0x4e]

        $sequence_8 = { b801000000 6681fa0b01 740c 31c0 6681fa0b02 }
            // n = 5, score = 800
            //   b801000000           | mov                 eax, 1
            //   6681fa0b01           | cmp                 dx, 0x10b
            //   740c                 | je                  +0x0c
            //   31c0                 | xor                 eax, eax
            //   6681fa0b02           | cmp                 dx, 0x20b
            // (0x10b / 0x20b are consistent with the PE32 / PE32+ optional-header
            //  magic values, i.e. this looks like in-memory PE header parsing)

        $sequence_9 = { 48894304 4803430c 4889c7 f3a4 }
            // n = 4, score = 800
            //   48894304             | mov                 qword ptr [rbx + 4], rax
            //   4803430c             | add                 rax, qword ptr [rbx + 0x0c]
            //   4889c7               | mov                 rdi, rax
            //   f3a4                 | rep movsb

    condition:
        // 7 of the 10 sequences must be present. The size bound (164864 bytes
        // == 161 KiB) keeps scanning cheap but also excludes larger inputs;
        // when scanning full process memory dumps rather than unpacked images
        // you may want to relax it.
        7 of them and filesize < 164864
}
[TLP:WHITE] win_havoc_w0   (20221012 | Detects ntdll API hashes used in Havoc C2 Demon payloads)
// Havoc Demon: known API-name hash constants (Huntress / embee_research).
// Each string is the 4-byte little-endian encoding of one 32-bit hash value,
// e.g. {53 17 e6 70} == 0x70e61753. A lone 4-byte pattern is weak on its own,
// so the condition requires three hits plus a plausible prologue at offset 0.
// NOTE(review): the constants are fixed values; a Demon rebuilt with a changed
// hash routine or seed would presumably not match, so treat this as a
// default-configuration signature rather than a structural one.
rule win_havoc_w0 {
	//Detects ntdll API hashes used in Havoc C2 Demon payloads
    
	meta:
		author = "embee_research @ HuntressLabs"
		vendor = "Huntress Research" 
		date = "2022/10/11"
		source = "https://raw.githubusercontent.com/embee-research/Yara/main/HavocDemons.yara"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc"
        malpedia_rule_date = "20221012"
        malpedia_hash = ""
        malpedia_version = "20221012"
        malpedia_sharing = "TLP:WHITE"
	strings:
		
		// Syscall Hashes
		// (hashes of ntdll export names; not all are syscalls — the Ldr*/Rtl*
		//  entries below are ordinary ntdll exports)
		$nt_hash1 = {53 17 e6 70} //0x70e61753 == ntdll.dll
		$nt_hash2 = {43 6a 45 9e} //0x9e456a43 == LdrLoadDll
		$nt_hash3 = {ec b8 83 f7} //0xf783b8ec == NtAllocateVirtualMemory
		$nt_hash4 = {88 28 e9 50} //0x50e92888 == NtProtectVirtualMemory
        
        
		$nt_hash5 = {f6 99 5a 2e} //0x2e5a99f6 == LdrGetProcedureAddress
		$nt_hash6 = {da 81 b3 c0} //0xc0b381da == NtAllocateHeap
		                          // NOTE(review): ntdll exports RtlAllocateHeap, not NtAllocateHeap;
		                          // this label is probably a typo for RtlAllocateHeap — confirm against the Havoc source.
		$nt_hash7 = {d7 71 ba 70} //0x70ba71d7 == RtlFreeHeap
		$nt_hash8 = {88 2b 49 8e} //0x8e492b88 == RtlExitUserThread
		$nt_hash9 = {ef f0 a1 3a} //0x3aa1f0ef == RtlExitUserProcess
		$nt_hash10 = {f5 39 34 7c} //0x7c3439f5 == RtlRandomEx
		$nt_hash11 = {70 f2 ab 35} //0x35abf270 == RtlNtStatusToDosError
		$nt_hash12 = {1d aa a3 3c} //0x3ca3aa1d == RtlGetVersion
		$nt_hash13 = {11 b2 8f f7} //0xf78fb211 == RtlCreateTimerQueue
		$nt_hash14 = {4c 7c de a5} //0xa5de7c4c == RtlCreateTimer
		$nt_hash15 = {90 fe 61 95} //0x9561fe90 == RtlDeleteTimerQueue
		$nt_hash16 = {d0 ee 33 77} //0x7733eed0 == RtlCaptureContext
		$nt_hash17 = {a9 af 4b 55} //0x554bafa9 == RtlAddVectoredExceptionHandler
		$nt_hash18 = {0e 21 0c 88} //0x880c210e == RtlRemoveVectoredExceptionHandler
		$nt_hash19 = {3d 13 8e 8b} //0x8b8e133d == NtClose
		$nt_hash20 = {7d 74 58 ca} //0xca58747d == ZwCreateEvent
		
	condition:
		//PE or Shellcode or Shellcode
		// uint16(0) is read little-endian: 0x5a4d == "MZ" (PE image);
		// 0x00e8 == bytes E8 00 (a CALL opcode at offset 0) and 0x4856 == bytes
		// 56 48 (PUSH RSI followed by a REX.W-prefixed instruction) are taken to
		// be raw shellcode entry stubs. There is no filesize bound, so very large
		// inputs can accumulate three 4-byte hits by chance — review hits on big files.
		//Leave as "3 of them" for more robust (but compute expensive) searching
		(3 of them) and (uint16(0) == 0x5a4d or uint16(0) == 0x00e8 or uint16(0) == 0x4856)
}
[TLP:WHITE] win_havoc_w1   (20221012 | Detects the DJB2-style API hashing routine used in Havoc C2 Demon payloads)
// Havoc Demon: the API-name hashing loop itself (Huntress / embee_research).
// Unlike win_havoc_w0 this does not depend on which names are hashed, only on
// the hash routine's code (seed 0x1505, multiplier 0x21 — the DJB2 constants),
// so it should survive changes to the hashed export list but not a changed
// hash algorithm or a recompilation that alters register allocation.
rule win_havoc_w1 {
	//Detects the hashing routine used in Havoc C2
    
	meta:
		author = "embee_research @ HuntressLabs"
		vendor = "Huntress Research" 
		date = "2022/10/11"
		source = "https://raw.githubusercontent.com/embee-research/Yara/main/HavocDemonDJB2.yara"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc"
        malpedia_rule_date = "20221012"
        malpedia_hash = ""
        malpedia_version = "20221012"
        malpedia_sharing = "TLP:WHITE"
	strings:
		

		//  Hashing Routine of DLL   
		//   b8 05 15 00 00   mov   eax, 0x1505        ; hash = 5381
		//   0f be 11         movsx edx, byte ptr [rcx]
		//   48 ff c1         inc   rcx
		//   84 d2            test  dl, dl              ; NUL terminator?
		//   74 07            je    +0x07               ; -> done
		//   6b c0 21         imul  eax, eax, 0x21      ; hash *= 33
		//   01 d0            add   eax, edx            ; hash += c
		//   eb ef            jmp   -0x11               ; loop
		$dll = {b8 05 15 00 00 0f be 11 48 ff c1 84 d2 74 07 6b c0 21 01 d0 eb ef} 
		
		                             
        //Hashing Routine of Shellcode
		//   41 80 f8 60      cmp   r8b, 0x60
		//   76 04            jbe   +0x04
		//   41 83 e8 20      sub   r8d, 0x20           ; bytes > 0x60 get 0x20 subtracted
		//                                              ; (appears to upper-case a-z)
		//   6b c0 21         imul  eax, eax, 0x21      ; hash *= 33
		//   45 0f b6 c0      movzx r8d, r8b
		//   49 ff c1         inc   r9
		//   44 01 c0         add   eax, r8d            ; hash += c
		//   eb c4            jmp   -0x3c               ; loop (seed/terminator check lie outside the pattern)
		$shellcode = {41 80 f8 60 76 04 41 83 e8 20 6b c0 21 45 0f b6 c0 49 ff c1 44 01 c0 eb c4}
		
		
	condition:
		//PE or Shellcode or Shellcode
		// uint16(0) is read little-endian: 0x5a4d == "MZ" (PE image);
		// 0x00e8 == bytes E8 00 and 0x4856 == bytes 56 48 are taken to be raw
		// shellcode entry stubs.
		//Leave as "any of them" for more robust (but compute expensive) searching
		(any of them) and (uint16(0) == 0x5a4d or uint16(0) == 0x00e8 or uint16(0) == 0x4856)
}