SYMBOLCOMMON_NAMEaka. SYNONYMS
win.hotwax (Back to overview)

HOTWAX

Actor(s): Lazarus Group

VTCollection    

HOTWAX is a module that upon starting imports all necessary system API functions, and searches for a .CHM file. HOTWAX decrypts a payload using the Spritz algorithm with a hard-coded key and then searches the target process and attempts to inject the decrypted payload module from the CHM file into the address space of the target process.

References
2018-10-03Virus BulletinMichal Poslušný, Peter Kálnai
Lazarus Group A Mahjong Game Played with Different Sets of Tiles
Bankshot BanPolMex RAT FuwuqiDrama HOTWAX KillDisk (Lazarus) NACHOCHEESE REDSHAWL WannaCryptor
2018-03-01Kaspersky LabsKaspersky Lab
Lazarus under the Hood
BlueNoroff HOTWAX REDSHAWL WORMHOLE
2018-01-01FireEyeFireEye
APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
2017-05-30Group-IBGroup-IB
Lazarus Arisen: Architecture, Techniques and Attribution
HOTWAX NACHOCHEESE Ratankba
2017-04-03Kaspersky LabsGReAT
Lazarus under the Hood
Alreay DYEPACK HOTWAX NESTEGG RatankbaPOS REDSHAWL WORMHOLE Lazarus Group
2017-02-20BAE SystemsSergei Shevchenko
Lazarus’ False Flag Malware
HOTWAX NACHOCHEESE
2017-02-16ESET ResearchPeter Kálnai
Demystifying targeted malware used against Polish banks
BanPolMex RAT HOTWAX NACHOCHEESE
Yara Rules
[TLP:WHITE] win_hotwax_auto (20230808 | Detects win.hotwax.)
rule win_hotwax_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.hotwax."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hotwax"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7e74 817d0063736de0 7528 48833d????????00 741e 488d0d5dee0000 }
            // n = 6, score = 100
            //   7e74                 | dec                 eax
            //   817d0063736de0       | add                 eax, ebp
            //   7528                 | cmp                 eax, edx
            //   48833d????????00     |                     
            //   741e                 | jne                 0xb93
            //   488d0d5dee0000       | dec                 eax

        $sequence_1 = { 488bd7 ff15???????? 418d8770050000 4489bdcc040000 c745a400080000 8945a0 }
            // n = 6, score = 100
            //   488bd7               | dec                 esp
            //   ff15????????         |                     
            //   418d8770050000       | lea                 ecx, [0xffffa009]
            //   4489bdcc040000       | jne                 0x394
            //   c745a400080000       | dec                 eax
            //   8945a0               | mov                 ecx, ebx

        $sequence_2 = { 4889842410030000 488bf9 488d8c2401020000 33d2 41b803010000 c684240002000000 }
            // n = 6, score = 100
            //   4889842410030000     | mov                 ebx, eax
            //   488bf9               | dec                 eax
            //   488d8c2401020000     | test                eax, eax
            //   33d2                 | je                  0x1005
            //   41b803010000         | dec                 ecx
            //   c684240002000000     | lea                 ecx, [ebp + 0x48]

        $sequence_3 = { 488bd9 4885c0 7479 488d0d7fe50000 483bc1 746d 488b8310010000 }
            // n = 7, score = 100
            //   488bd9               | mov                 ecx, ebx
            //   4885c0               | dec                 eax
            //   7479                 | mov                 eax, ebx
            //   488d0d7fe50000       | dec                 eax
            //   483bc1               | lea                 edx, [0xaa1f]
            //   746d                 | dec                 eax
            //   488b8310010000       | sar                 eax, 5

        $sequence_4 = { 4533db 488d9424f0000000 41b803010000 44895c2440 4c895c2448 ff15???????? 833d????????00 }
            // n = 7, score = 100
            //   4533db               | lea                 edx, [esp + 0xb0]
            //   488d9424f0000000     | inc                 ecx
            //   41b803010000         | mov                 ecx, 4
            //   44895c2440           | dec                 eax
            //   4c895c2448           | or                  ecx, 0xffffffff
            //   ff15????????         |                     
            //   833d????????00       |                     

        $sequence_5 = { 486bd258 490394c1a04b0100 f6423880 742c }
            // n = 4, score = 100
            //   486bd258             | mov                 dword ptr [esp + 0x20], 0x40
            //   490394c1a04b0100     | add                 ecx, 0xfff
            //   f6423880             | inc                 esp
            //   742c                 | add                 esp, edx

        $sequence_6 = { 488bcb 488905???????? ff15???????? 488d1547d20000 488bcb 488905???????? ff15???????? }
            // n = 7, score = 100
            //   488bcb               | mov                 dword ptr [ebp + 0x4a], edx
            //   488905????????       |                     
            //   ff15????????         |                     
            //   488d1547d20000       | dec                 ecx
            //   488bcb               | lea                 ecx, [ebp + 0x48]
            //   488905????????       |                     
            //   ff15????????         |                     

        $sequence_7 = { cc 4c8d05f8530000 498bd4 488bcd e8???????? 85c0 }
            // n = 6, score = 100
            //   cc                   | mov                 esi, ecx
            //   4c8d05f8530000       | dec                 esi
            //   498bd4               | lea                 eax, [ecx + edi + 0x570]
            //   488bcd               | dec                 eax
            //   e8????????           |                     
            //   85c0                 | mov                 ecx, esi

        $sequence_8 = { 488b0d???????? eb7c 4c8d256a830000 488b0d???????? eb6c e8???????? }
            // n = 6, score = 100
            //   488b0d????????       |                     
            //   eb7c                 | dec                 ebx
            //   4c8d256a830000       | mov                 eax, dword ptr [eax + edi*8 + 0x14ba0]
            //   488b0d????????       |                     
            //   eb6c                 | mov                 byte ptr [eax + esi + 0x3a], dl
            //   e8????????           |                     

        $sequence_9 = { 488d0d50bf0000 ba01000000 e8???????? 4c8d442440 }
            // n = 4, score = 100
            //   488d0d50bf0000       | dec                 eax
            //   ba01000000           | lea                 edx, [0xccc9]
            //   e8????????           |                     
            //   4c8d442440           | dec                 eax

    condition:
        7 of them and filesize < 198656
}
Download all Yara Rules