SYMBOLCOMMON_NAMEaka. SYNONYMS
win.hikit (Back to overview)

HiKit

Actor(s): Aurora Panda, Hurricane Panda


There is no description at this point.

References
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:65ecf8a, author = {SecureWorks}, title = {{BRONZE KEYSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-keystone}, language = {English}, urldate = {2020-05-23} } BRONZE KEYSTONE
9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell APT17
2017-05-31MITREMITRE ATT&CK
@online{attck:20170531:axiom:b181fdb, author = {MITRE ATT&CK}, title = {{Axiom}}, date = {2017-05-31}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0001/}, language = {English}, urldate = {2022-08-30} } Axiom
Derusbi 9002 RAT BLACKCOFFEE Derusbi Ghost RAT HiKit PlugX ZXShell APT17
2014-10-14SymantecSymantec Security Response
@online{response:20141014:security:9bb4cd5, author = {Symantec Security Response}, title = {{Security vendors take action against Hidden Lynx malware}}, date = {2014-10-14}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware}, language = {English}, urldate = {2020-01-07} } Security vendors take action against Hidden Lynx malware
HiKit
2014-10-14SymantecSymantec Security Response
@online{response:20141014:security:81c5ea5, author = {Symantec Security Response}, title = {{Security vendors take action against Hidden Lynx malware}}, date = {2014-10-14}, organization = {Symantec}, url = {https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware}, language = {English}, urldate = {2020-04-21} } Security vendors take action against Hidden Lynx malware
Gameover P2P HiKit Shylock APT17
2013-09-17SymantecStephen Doherty, Jozsef Gegeny, Branko Spasojevic, Jonell Baltazar
@techreport{doherty:20130917:hidden:72a1bd7, author = {Stephen Doherty and Jozsef Gegeny and Branko Spasojevic and Jonell Baltazar}, title = {{Hidden Lynx – Professional Hackers for Hire}}, date = {2013-09-17}, institution = {Symantec}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf}, language = {English}, urldate = {2020-04-21} } Hidden Lynx – Professional Hackers for Hire
9002 RAT HiKit APT17
Yara Rules
[TLP:WHITE] win_hikit_auto (20230125 | Detects win.hikit.)
rule win_hikit_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.hikit."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hikit"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? 837c243402 7554 8b442428 83f805 754b 8b44242c }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   837c243402           | cmp                 dword ptr [esp + 0x34], 2
            //   7554                 | jne                 0x56
            //   8b442428             | mov                 eax, dword ptr [esp + 0x28]
            //   83f805               | cmp                 eax, 5
            //   754b                 | jne                 0x4d
            //   8b44242c             | mov                 eax, dword ptr [esp + 0x2c]

        $sequence_1 = { 8b842480000000 0fb600 240f 0fb6c8 48 8b842488000000 0fb6400c }
            // n = 7, score = 100
            //   8b842480000000       | mov                 eax, dword ptr [esp + 0x80]
            //   0fb600               | movzx               eax, byte ptr [eax]
            //   240f                 | and                 al, 0xf
            //   0fb6c8               | movzx               ecx, al
            //   48                   | dec                 eax
            //   8b842488000000       | mov                 eax, dword ptr [esp + 0x88]
            //   0fb6400c             | movzx               eax, byte ptr [eax + 0xc]

        $sequence_2 = { ebe4 48 8b442430 48 83780800 750e 48 }
            // n = 7, score = 100
            //   ebe4                 | jmp                 0xffffffe6
            //   48                   | dec                 eax
            //   8b442430             | mov                 eax, dword ptr [esp + 0x30]
            //   48                   | dec                 eax
            //   83780800             | cmp                 dword ptr [eax + 8], 0
            //   750e                 | jne                 0x10
            //   48                   | dec                 eax

        $sequence_3 = { 53 56 57 8b7d0c 8b5f38 83fb02 7541 }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   8b5f38               | mov                 ebx, dword ptr [edi + 0x38]
            //   83fb02               | cmp                 ebx, 2
            //   7541                 | jne                 0x43

        $sequence_4 = { 7407 33c0 e9???????? 48 83bc244001000000 0f857a010000 c684249001000000 }
            // n = 7, score = 100
            //   7407                 | je                  9
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   48                   | dec                 eax
            //   83bc244001000000     | cmp                 dword ptr [esp + 0x140], 0
            //   0f857a010000         | jne                 0x180
            //   c684249001000000     | mov                 byte ptr [esp + 0x190], 0

        $sequence_5 = { e8???????? 85c0 750a b801000000 e9???????? 0fb7550c 81fae8030000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   750a                 | jne                 0xc
            //   b801000000           | mov                 eax, 1
            //   e9????????           |                     
            //   0fb7550c             | movzx               edx, word ptr [ebp + 0xc]
            //   81fae8030000         | cmp                 edx, 0x3e8

        $sequence_6 = { e8???????? 83c404 8945ec 8b4dec 890d???????? 6800040000 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   890d????????         |                     
            //   6800040000           | push                0x400

        $sequence_7 = { eb53 837e0400 7433 8d4618 50 ff15???????? }
            // n = 6, score = 100
            //   eb53                 | jmp                 0x55
            //   837e0400             | cmp                 dword ptr [esi + 4], 0
            //   7433                 | je                  0x35
            //   8d4618               | lea                 eax, [esi + 0x18]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_8 = { 8b4c2428 48 8b842488000000 48 8b04c8 48 89442450 }
            // n = 7, score = 100
            //   8b4c2428             | mov                 ecx, dword ptr [esp + 0x28]
            //   48                   | dec                 eax
            //   8b842488000000       | mov                 eax, dword ptr [esp + 0x88]
            //   48                   | dec                 eax
            //   8b04c8               | mov                 eax, dword ptr [eax + ecx*8]
            //   48                   | dec                 eax
            //   89442450             | mov                 dword ptr [esp + 0x50], eax

        $sequence_9 = { 7544 48 8b442458 0fb74802 48 8b442408 0fb700 }
            // n = 7, score = 100
            //   7544                 | jne                 0x46
            //   48                   | dec                 eax
            //   8b442458             | mov                 eax, dword ptr [esp + 0x58]
            //   0fb74802             | movzx               ecx, word ptr [eax + 2]
            //   48                   | dec                 eax
            //   8b442408             | mov                 eax, dword ptr [esp + 8]
            //   0fb700               | movzx               eax, word ptr [eax]

    condition:
        7 of them and filesize < 573440
}
[TLP:WHITE] win_hikit_w0   (20170517 | Backdoor.Hikit is a Trojan horse that opens a back door on the compromised computer.)
rule win_hikit_w0 {
	meta:
		author = "31ric"
		description = "Backdoor.Hikit is a Trojan horse that opens a back door on the compromised computer."
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/hiddenlynxfiles.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hikit"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

	strings: 
		$f1 = "w7fw.sys" nocase ascii wide
		$f2 = "w7fw_m.inf" nocase ascii wide
		$f3 = "w7fw.inf" nocase ascii wide
		$f4 = "w7fw.cat" nocase ascii wide
		
	condition:
		1 of them
}
Download all Yara Rules