SYMBOLCOMMON_NAMEaka. SYNONYMS
win.hotwax (Back to overview)

HOTWAX

Actor(s): Lazarus Group


HOTWAX is a module that upon starting imports all necessary system API functions, and searches for a .CHM file. HOTWAX decrypts a payload using the Spritz algorithm with a hard-coded key and then searches the target process and attempts to inject the decrypted payload module from the CHM file into the address space of the target process.

References
2018-10-03Virus BulletinPeter Kálnai, Michal Poslušný
@techreport{klnai:20181003:lazarus:bebf0ad, author = {Peter Kálnai and Michal Poslušný}, title = {{LAZARUS GROUP: A MAHJONG GAME PLAYED WITH DIFFERENT SETS OF TILES}}, date = {2018-10-03}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf}, language = {English}, urldate = {2020-01-06} } LAZARUS GROUP: A MAHJONG GAME PLAYED WITH DIFFERENT SETS OF TILES
HOTWAX
2018-03Kaspersky LabsKaspersky Lab
@techreport{lab:201803:lazarus:3fd5ac4, author = {Kaspersky Lab}, title = {{Lazarus under the Hood}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf}, language = {English}, urldate = {2020-01-07} } Lazarus under the Hood
HOTWAX REDSHAWL WORMHOLE
2018FireEyeFireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
2017-02-16ESET ResearchPeter Kálnai
@online{klnai:20170216:demystifying:7ae8785, author = {Peter Kálnai}, title = {{Demystifying targeted malware used against Polish banks}}, date = {2017-02-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/}, language = {English}, urldate = {2019-11-14} } Demystifying targeted malware used against Polish banks
HOTWAX NACHOCHEESE
Yara Rules
[TLP:WHITE] win_hotwax_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_hotwax_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hotwax"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488bcb 488905???????? ff15???????? 488d156ed10000 488bcb 488905???????? }
            // n = 6, score = 100
            //   488bcb               | mov                 eax, esi
            //   488905????????       |                     
            //   ff15????????         |                     
            //   488d156ed10000       | mov                 edi, dword ptr [ebx]
            //   488bcb               | dec                 esp
            //   488905????????       |                     

        $sequence_1 = { e9???????? 488b442450 488d0d13a20000 488b04c1 41f644070840 740b }
            // n = 6, score = 100
            //   e9????????           |                     
            //   488b442450           | mov                 edi, esi
            //   488d0d13a20000       | dec                 edx
            //   488b04c1             | lea                 ebx, [ecx + edi + 0x3c]
            //   41f644070840         | dec                 eax
            //   740b                 | or                  edx, 0xffffffff

        $sequence_2 = { 488d054a930000 e9???????? 443be6 0f8591000000 ffc7 e9???????? ba58000000 }
            // n = 7, score = 100
            //   488d054a930000       | lea                 eax, [0xd8f8]
            //   e9????????           |                     
            //   443be6               | dec                 esp
            //   0f8591000000         | cmp                 edx, eax
            //   ffc7                 | je                  0x315
            //   e9????????           |                     
            //   ba58000000           | dec                 eax

        $sequence_3 = { 7647 498bcd e8???????? 4c8d0543540000 41b903000000 488d4c45bc 488bc1 }
            // n = 7, score = 100
            //   7647                 | dec                 ecx
            //   498bcd               | or                  ecx, 0xffffff00
            //   e8????????           |                     
            //   4c8d0543540000       | inc                 ecx
            //   41b903000000         | inc                 ecx
            //   488d4c45bc           | movzx               ecx, al
            //   488bc1               | inc                 ecx

        $sequence_4 = { e8???????? 4c8d0dac7fffff 4c8bd8 4b8b84f9a04b0100 4c895c3040 4b8b84f9a04b0100 498bd6 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4c8d0dac7fffff       | jae                 0x1b46
            //   4c8bd8               | dec                 eax
            //   4b8b84f9a04b0100     | test                ecx, ecx
            //   4c895c3040           | je                  0x1b4c
            //   4b8b84f9a04b0100     | dec                 esp
            //   498bd6               | lea                 eax, [ecx + 2]

        $sequence_5 = { 420fbe940a90ef0000 c1fa04 89542460 8bca 85d2 0f8451070000 ffc9 }
            // n = 7, score = 100
            //   420fbe940a90ef0000     | dec    eax
            //   c1fa04               | lea                 ebx, [0x998c]
            //   89542460             | mov                 esi, edi
            //   8bca                 | dec                 eax
            //   85d2                 | mov                 ebp, dword ptr [ebx]
            //   0f8451070000         | dec                 eax
            //   ffc9                 | test                ebp, ebp

        $sequence_6 = { ff15???????? 488d159bd50000 488bcb 488905???????? }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   488d159bd50000       | jae                 0x11cb
            //   488bcb               | test                eax, eax
            //   488905????????       |                     

        $sequence_7 = { ff15???????? 488d1537cd0000 488bcb 488905???????? ff15???????? 488d1500cd0000 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   488d1537cd0000       | lea                 edx, [0xd0f1]
            //   488bcb               | dec                 eax
            //   488905????????       |                     
            //   ff15????????         |                     
            //   488d1500cd0000       | mov                 ecx, ebx

        $sequence_8 = { ff15???????? 488d155ecd0000 488bcb 488905???????? ff15???????? 488d1537cd0000 488bcb }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   488d155ecd0000       | add                 ebx, 8
            //   488bcb               | dec                 eax
            //   488905????????       |                     
            //   ff15????????         |                     
            //   488d1537cd0000       | cmp                 ebx, edi
            //   488bcb               | jb                  0x409

        $sequence_9 = { 33c9 85c0 0f8514010000 4c8d2d06950000 41b804010000 }
            // n = 5, score = 100
            //   33c9                 | xor                 eax, eax
            //   85c0                 | jbe                 0x444
            //   0f8514010000         | inc                 esp
            //   4c8d2d06950000       | mov                 byte ptr [eax], bl
            //   41b804010000         | inc                 ebp

    condition:
        7 of them and filesize < 198656
}
Download all Yara Rules