win.hotwax

HOTWAX

Actor(s): Lazarus Group


HOTWAX is a module that, on startup, resolves the system API functions it needs and then searches for a .CHM file. It decrypts a payload using the Spritz algorithm with a hard-coded key, locates the target process, and attempts to inject the decrypted payload module taken from the CHM file into that process's address space.

References
2018-10-03 — Virus Bulletin — Peter Kálnai, Michal Poslušný
@techreport{klnai:20181003:lazarus:bebf0ad, author = {Peter Kálnai and Michal Poslušný}, title = {{Lazarus Group A Mahjong Game Played with Different Sets of Tiles}}, date = {2018-10-03}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf}, language = {English}, urldate = {2023-08-31} } Lazarus Group A Mahjong Game Played with Different Sets of Tiles
Bankshot BanPolMex RAT FuwuqiDrama HOTWAX KillDisk (Lazarus) NACHOCHEESE REDSHAWL WannaCryptor
2018-03 — Kaspersky Labs — Kaspersky Lab
@techreport{lab:201803:lazarus:3fd5ac4, author = {Kaspersky Lab}, title = {{Lazarus under the Hood}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf}, language = {English}, urldate = {2020-01-07} } Lazarus under the Hood
BlueNoroff HOTWAX REDSHAWL WORMHOLE
2018 — FireEye — FireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
2017-05-30 — Group-IB — Group-IB
@techreport{groupib:20170530:lazarus:642e890, author = {Group-IB}, title = {{Lazarus Arisen: Architecture, Techniques and Attribution}}, date = {2017-05-30}, institution = {Group-IB}, url = {https://raw.githubusercontent.com/eric-erki/APT_CyberCriminal_Campagin_Collections/master/2017/2017.05.30.Lazarus_Arisen/Group-IB_Lazarus.pdf}, language = {English}, urldate = {2023-08-10} } Lazarus Arisen: Architecture, Techniques and Attribution
HOTWAX NACHOCHEESE Ratankba
2017-04-03 — Kaspersky Labs — GReAT
@online{great:20170403:lazarus:033fcf7, author = {GReAT}, title = {{Lazarus under the Hood}}, date = {2017-04-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-under-the-hood/77908/}, language = {English}, urldate = {2023-08-14} } Lazarus under the Hood
Alreay DYEPACK HOTWAX NESTEGG RatankbaPOS REDSHAWL WORMHOLE Lazarus Group
2017-02-20 — BAE Systems — Sergei Shevchenko
@online{shevchenko:20170220:lazarus:c608fd5, author = {Sergei Shevchenko}, title = {{Lazarus’ False Flag Malware}}, date = {2017-02-20}, organization = {BAE Systems}, url = {https://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html}, language = {English}, urldate = {2023-08-15} } Lazarus’ False Flag Malware
HOTWAX NACHOCHEESE
2017-02-16 — ESET Research — Peter Kálnai
@online{klnai:20170216:demystifying:7ae8785, author = {Peter Kálnai}, title = {{Demystifying targeted malware used against Polish banks}}, date = {2017-02-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/}, language = {English}, urldate = {2019-11-14} } Demystifying targeted malware used against Polish banks
BanPolMex RAT HOTWAX NACHOCHEESE
Yara Rules
[TLP:WHITE] win_hotwax_auto (20230715 | Detects win.hotwax.)
rule win_hotwax_auto {

    /* Purpose: flags samples of the HOTWAX family (Malpedia: win.hotwax) by
     * matching ten short x64 opcode fragments ($sequence_0 .. $sequence_9)
     * that the generator selected from the disassembly of unpacked samples.
     * Only the hex byte patterns are matched; '?' nibbles are wildcards and
     * sit where RIP-relative displacements and call targets vary between
     * builds (e.g. ff15????????, e8????????, 488b05????????).
     *
     * NOTE(review): the "| mnemonic" annotations beside each byte line are
     * generator output and do NOT decode the bytes printed on the same line
     * (7441 is a short conditional jump, not "inc ebp"; the 0x48 REX.W
     * prefixes of this x64 code are rendered as 32-bit "dec eax"). Treat the
     * annotation column as noise and review the hex patterns themselves.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.hotwax."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hotwax"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is one run of consecutive instruction bytes.
     * In the per-string comments, "n" is the number of instructions in the
     * fragment; "score" is the generator's ranking value for the fragment
     * (presumably its selection score - see the yara-signator docs).
     */
    strings:
        $sequence_0 = { 7441 b9d0070000 ff15???????? 33d2 41b8f8000000 }
            // n = 5, score = 100
            //   7441                 | inc                 ebp
            //   b9d0070000           | mov                 eax, edi
            //   ff15????????         |                     
            //   33d2                 | dec                 eax
            //   41b8f8000000         | lea                 ecx, [0xa2d8]

        $sequence_1 = { 4885c9 741c f0ff09 7517 488d0513ce0000 488b4c2430 483bc8 }
            // n = 7, score = 100
            //   4885c9               | lea                 esp, [0x923a]
            //   741c                 | and                 ebx, 0x1f
            //   f0ff09               | dec                 eax
            //   7517                 | imul                ebx, ebx, 0x58
            //   488d0513ce0000       | dec                 eax
            //   488b4c2430           | mov                 ebx, edi
            //   483bc8               | dec                 esp

        $sequence_2 = { 48833d????????00 8bd9 7418 488d0dfbc00000 e8???????? 85c0 }
            // n = 6, score = 100
            //   48833d????????00     |                     
            //   8bd9                 | dec                 eax
            //   7418                 | lea                 ecx, [esp + 0x200]
            //   488d0dfbc00000       | dec                 eax
            //   e8????????           |                     
            //   85c0                 | mov                 ebx, dword ptr [esp + 0x48]

        $sequence_3 = { 4d03f4 4c8d442460 41b970050000 488bce 498bd6 }
            // n = 5, score = 100
            //   4d03f4               | dec                 ecx
            //   4c8d442460           | mov                 ecx, eax
            //   41b970050000         | dec                 esp
            //   488bce               | lea                 edx, [0xd6a9]
            //   498bd6               | dec                 ecx

        $sequence_4 = { 488bce 488bc6 488d1510ee0000 83e11f 48c1f805 486bc958 }
            // n = 6, score = 100
            //   488bce               | dec                 esp
            //   488bc6               | lea                 eax, [esp + 0xb8]
            //   488d1510ee0000       | dec                 eax
            //   83e11f               | mov                 dword ptr [esp + 0xb8], eax
            //   48c1f805             | dec                 eax
            //   486bc958             | lea                 eax, [esp + 0xa8]

        $sequence_5 = { 48896c2418 56 4883ec20 498bd9 488bf2 48897c2430 488be9 }
            // n = 7, score = 100
            //   48896c2418           | dec                 eax
            //   56                   | lea                 ecx, [0x66d9]
            //   4883ec20             | dec                 eax
            //   498bd9               | test                eax, eax
            //   488bf2               | je                  0x14c
            //   48897c2430           | dec                 eax
            //   488be9               | lea                 edx, [0x66b7]

        $sequence_6 = { 57 4881ec60010000 488b05???????? 4833c4 4889842450010000 488bf1 33ff }
            // n = 7, score = 100
            //   57                   | mov                 byte ptr [ebp + 0x4ec], 0
            //   4881ec60010000       | mov                 word ptr [ebp + 0x51c], 0x7373
            //   488b05????????       |                     
            //   4833c4               | mov                 byte ptr [ebp + 0x51e], 0
            //   4889842450010000     | mov                 dword ptr [ebp + 0x520], 0x7250744e
            //   488bf1               | mov                 dword ptr [ebp + 0x524], 0x6365746f
            //   33ff                 | mov                 dword ptr [ebp + 0x528], 0x72695674

        $sequence_7 = { 488bc1 48c1f805 4c8d0573710000 83e11f 486bc958 }
            // n = 5, score = 100
            //   488bc1               | dec                 esp
            //   48c1f805             | lea                 eax, [0xffff7d68]
            //   4c8d0573710000       | inc                 esp
            //   83e11f               | mov                 byte ptr [ebx], ah
            //   486bc958             | dec                 eax

        $sequence_8 = { 420fbe840170300100 85c0 7513 e8???????? }
            // n = 4, score = 100
            //   420fbe840170300100     | dec    eax
            //   85c0                 | sub                 esp, 0x20
            //   7513                 | dec                 esp
            //   e8????????           |                     

        $sequence_9 = { 488905???????? ff15???????? 488d1568d30000 488bcb 488905???????? }
            // n = 5, score = 100
            //   488905????????       |                     
            //   ff15????????         |                     
            //   488d1568d30000       | lea                 ecx, [eax + eax*4]
            //   488bcb               | dec                 eax
            //   488905????????       |                     

    /* A hit requires at least 7 of the 10 fragments, so a sample may lack a
     * few of them (recompiled or patched code) and still match. The size cap
     * (198656 bytes = 194 KiB) limits the rule to small binaries; filesize is
     * a property of the scanned file, so confirm how your scanner defines it
     * for memory/process scans before relying on this rule there.
     */
    condition:
        7 of them and filesize < 198656
}