
HOTWAX

Actor(s): Lazarus Group


HOTWAX is a loader module. On start it imports all the system API functions it needs and then searches for a .CHM (Compiled HTML Help) file. It decrypts a payload carried in that CHM file using the Spritz stream cipher with a hard-coded key, locates the target process, and attempts to inject the decrypted payload module into the target process's address space.

References
2018-10-03 — Virus Bulletin — Peter Kálnai, Michal Poslušný
@techreport{klnai:20181003:lazarus:bebf0ad, author = {Peter Kálnai and Michal Poslušný}, title = {{LAZARUS GROUP: A MAHJONG GAME PLAYED WITH DIFFERENT SETS OF TILES}}, date = {2018-10-03}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf}, language = {English}, urldate = {2020-01-06} } LAZARUS GROUP: A MAHJONG GAME PLAYED WITH DIFFERENT SETS OF TILES
HOTWAX
2018-03 — Kaspersky Labs — Kaspersky Lab
@techreport{lab:201803:lazarus:3fd5ac4, author = {Kaspersky Lab}, title = {{Lazarus under the Hood}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf}, language = {English}, urldate = {2020-01-07} } Lazarus under the Hood
HOTWAX REDSHAWL WORMHOLE
2018 — FireEye — FireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
2017-02-16 — ESET Research — Peter Kálnai
@online{klnai:20170216:demystifying:7ae8785, author = {Peter Kálnai}, title = {{Demystifying targeted malware used against Polish banks}}, date = {2017-02-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/}, language = {English}, urldate = {2019-11-14} } Demystifying targeted malware used against Polish banks
HOTWAX NACHOCHEESE
Yara Rules
[TLP:WHITE] win_hotwax_auto (20211008 | Detects win.hotwax.)
rule win_hotwax_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.hotwax."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hotwax"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Every sequence below is x86-64 code: the 0x40-0x4f lead bytes are REX
     *   prefixes, and the `??` wildcards cover RIP-relative displacements
     *   (globals / import slots) and call/jmp rel32 targets that change per
     *   build. The per-byte annotations were re-derived as x86-64; the
     *   annotations originally emitted with this rule were decoded as 32-bit
     *   code and were misaligned with the bytes they sat next to.
     * - `filesize` is only defined when scanning a file. On a process-memory
     *   scan the condition is undefined and the rule cannot fire, so run it
     *   against on-disk samples or dumps written to disk.
     * - Per the disclaimer, the sequences come from a single documented
     *   sample. Treat a hit as a strong lead for win.hotwax rather than proof
     *   and confirm with the behaviour described above (CHM lookup, Spritz
     *   payload decryption, injection into a target process).
     */


    strings:
        // Store a result in a global, call through a RIP-relative pointer,
        // then load the next string address into rdx with rcx = rbx and repeat.
        // The same shape recurs in $sequence_1 and $sequence_6; it looks like
        // the API-resolution loop described for HOTWAX -- confirm in the sample.
        $sequence_0 = { 488905???????? ff15???????? 488d15c9cc0000 488bcb 488905???????? ff15???????? }
            // n = 6, score = 100
            //   488905????????       | mov                 qword ptr [rip + ?], rax
            //   ff15????????         | call                qword ptr [rip + ?]
            //   488d15c9cc0000       | lea                 rdx, [rip + 0xccc9]
            //   488bcb               | mov                 rcx, rbx
            //   488905????????       | mov                 qword ptr [rip + ?], rax
            //   ff15????????         | call                qword ptr [rip + ?]

        // Variant of the pattern above: the result of one call is fed as the
        // first argument (rcx) of the next before the next string is loaded.
        $sequence_1 = { 488905???????? ff15???????? 488bc8 ff15???????? 488d15d4350000 488bce 488905???????? }
            // n = 7, score = 100
            //   488905????????       | mov                 qword ptr [rip + ?], rax
            //   ff15????????         | call                qword ptr [rip + ?]
            //   488bc8               | mov                 rcx, rax
            //   ff15????????         | call                qword ptr [rip + ?]
            //   488d15d4350000       | lea                 rdx, [rip + 0x35d4]
            //   488bce               | mov                 rcx, rsi
            //   488905????????       | mov                 qword ptr [rip + ?], rax

        // Bounds check on r11d, then reads of two dword fields of a structure
        // at r10; the 8-byte nop is compiler alignment padding at a loop head.
        $sequence_2 = { 4183fb08 7e72 0f1f840000000000 418b4204 458b02 448d48f8 }
            // n = 6, score = 100
            //   4183fb08             | cmp                 r11d, 8
            //   7e72                 | jle                 +0x72
            //   0f1f840000000000     | nop                 dword ptr [rax + rax]
            //   418b4204             | mov                 eax, dword ptr [r10 + 4]
            //   458b02               | mov                 r8d, dword ptr [r10]
            //   448d48f8             | lea                 r9d, [rax - 8]

        // Sets a global dword flag to 1, clears a global qword, and tests a
        // global pointer loaded into r8.
        $sequence_3 = { 742c 4c8b05???????? 33c9 c705????????01000000 48890d???????? 4d85c0 }
            // n = 6, score = 100
            //   742c                 | je                  +0x2c
            //   4c8b05????????       | mov                 r8, qword ptr [rip + ?]
            //   33c9                 | xor                 ecx, ecx
            //   c705????????01000000 | mov                 dword ptr [rip + ?], 1
            //   48890d????????       | mov                 qword ptr [rip + ?], rcx
            //   4d85c0               | test                r8, r8

        // Loop back-edge (r13 against a stack-saved bound) followed by an
        // indexed load from a large table. The 0x14ba0 displacement is
        // build-specific and is unlikely to survive a recompile.
        $sequence_4 = { 4c3b6de8 0f820cffffff eb1f 4b8b84f8a04b0100 }
            // n = 4, score = 100
            //   4c3b6de8             | cmp                 r13, qword ptr [rbp - 0x18]
            //   0f820cffffff         | jb                  -0xf4
            //   eb1f                 | jmp                 +0x1f
            //   4b8b84f8a04b0100     | mov                 rax, qword ptr [r8 + r15*8 + 0x14ba0]

        // Two branches that each load a nearby data address into r12 and the
        // same global into rcx before jumping to shared code.
        $sequence_5 = { e8???????? eb40 4c8d2585830000 488b0d???????? e9???????? 4c8d2582830000 488b0d???????? }
            // n = 7, score = 100
            //   e8????????           | call                rel32
            //   eb40                 | jmp                 +0x40
            //   4c8d2585830000       | lea                 r12, [rip + 0x8385]
            //   488b0d????????       | mov                 rcx, qword ptr [rip + ?]
            //   e9????????           | jmp                 rel32
            //   4c8d2582830000       | lea                 r12, [rip + 0x8382]
            //   488b0d????????       | mov                 rcx, qword ptr [rip + ?]

        // Same store / call / load-next-name shape as $sequence_0 with a
        // different string displacement.
        $sequence_6 = { 488bcb 488905???????? ff15???????? 488d15e7d40000 488bcb 488905???????? ff15???????? }
            // n = 7, score = 100
            //   488bcb               | mov                 rcx, rbx
            //   488905????????       | mov                 qword ptr [rip + ?], rax
            //   ff15????????         | call                qword ptr [rip + ?]
            //   488d15e7d40000       | lea                 rdx, [rip + 0xd4e7]
            //   488bcb               | mov                 rcx, rbx
            //   488905????????       | mov                 qword ptr [rip + ?], rax
            //   ff15????????         | call                qword ptr [rip + ?]

        // Local call with 0x20 as the fourth argument (r9 under the Windows
        // x64 convention) and rcx = rbx, then a null check on rdi.
        $sequence_7 = { 41b920000000 488bcb e8???????? 4885ff 740e }
            // n = 5, score = 100
            //   41b920000000         | mov                 r9d, 0x20
            //   488bcb               | mov                 rcx, rbx
            //   e8????????           | call                rel32
            //   4885ff               | test                rdi, rdi
            //   740e                 | je                  +0xe

        // Loop tail walking two parallel arrays (4-byte and 2-byte strides)
        // bounded by a count at [rdi + 0x18]. Consistent with walking a PE
        // export directory (NumberOfNames at +0x18, 4-byte name RVAs, 2-byte
        // ordinals), which would fit the API-resolution behaviour -- unconfirmed.
        $sequence_8 = { 4883c304 4883c602 443b7718 72d9 eb50 }
            // n = 5, score = 100
            //   4883c304             | add                 rbx, 4
            //   4883c602             | add                 rsi, 2
            //   443b7718             | cmp                 r14d, dword ptr [rdi + 0x18]
            //   72d9                 | jb                  -0x27
            //   eb50                 | jmp                 +0x50

        // Reads a 16-bit field at +6 of a structure in r15 and sets up
        // pointers into a stack buffer. If r15 points at IMAGE_NT_HEADERS, +6
        // is NumberOfSections, which would fit a manual mapping / injection
        // routine -- unconfirmed.
        $sequence_9 = { 410fb77706 4c8d8424b8000000 48898424b8000000 488d8424a8000000 }
            // n = 4, score = 100
            //   410fb77706           | movzx               esi, word ptr [r15 + 6]
            //   4c8d8424b8000000     | lea                 r8, [rsp + 0xb8]
            //   48898424b8000000     | mov                 qword ptr [rsp + 0xb8], rax
            //   488d8424a8000000     | lea                 rax, [rsp + 0xa8]

    condition:
        // At least 7 of the 10 sequences must match. The size bound is derived
        // from the documented sample; larger or differently packed builds fall
        // outside it, and `filesize` is undefined for process-memory scans.
        7 of them and filesize < 198656
}