SYMBOLCOMMON_NAMEaka. SYNONYMS
win.hotwax (Back to overview)

HOTWAX

Actor(s): Lazarus Group


HOTWAX is a module that upon starting imports all necessary system API functions, and searches for a .CHM file. HOTWAX decrypts a payload using the Spritz algorithm with a hard-coded key and then searches the target process and attempts to inject the decrypted payload module from the CHM file into the address space of the target process.

References
2018-10-03Virus BulletinPeter Kálnai, Michal Poslušný
@techreport{klnai:20181003:lazarus:bebf0ad, author = {Peter Kálnai and Michal Poslušný}, title = {{LAZARUS GROUP: A MAHJONG GAME PLAYED WITH DIFFERENT SETS OF TILES}}, date = {2018-10-03}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf}, language = {English}, urldate = {2020-01-06} } LAZARUS GROUP: A MAHJONG GAME PLAYED WITH DIFFERENT SETS OF TILES
HOTWAX
2018-03Kaspersky LabsKaspersky Lab
@techreport{lab:201803:lazarus:3fd5ac4, author = {Kaspersky Lab}, title = {{Lazarus under the Hood}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf}, language = {English}, urldate = {2020-01-07} } Lazarus under the Hood
HOTWAX REDSHAWL WORMHOLE
2018FireEyeFireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
2017-02-16ESET ResearchPeter Kálnai
@online{klnai:20170216:demystifying:7ae8785, author = {Peter Kálnai}, title = {{Demystifying targeted malware used against Polish banks}}, date = {2017-02-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/}, language = {English}, urldate = {2019-11-14} } Demystifying targeted malware used against Polish banks
HOTWAX NACHOCHEESE
Yara Rules
[TLP:WHITE] win_hotwax_auto (20220808 | Detects win.hotwax.)
rule win_hotwax_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.hotwax."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hotwax"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0f8596000000 397ddc 0f848d000000 4c8d05247bffff }
            // n = 4, score = 100
            //   0f8596000000         | add                 byte ptr [eax + 0xfc88548], al
            //   397ddc               | test                ch, al
            //   0f848d000000         | add                 byte ptr [eax], al
            //   4c8d05247bffff       | dec                 eax

        $sequence_1 = { 488d8c2401020000 33d2 41b803010000 c684240002000000 e8???????? 488d8c24f1000000 }
            // n = 6, score = 100
            //   488d8c2401020000     | arpl                cx, di
            //   33d2                 | dec                 eax
            //   41b803010000         | lea                 ebp, [0x96ff]
            //   c684240002000000     | js                  0x25b
            //   e8????????           |                     
            //   488d8c24f1000000     | jae                 0x255

        $sequence_2 = { 488905???????? ff15???????? 488d1570d10000 488bcb }
            // n = 4, score = 100
            //   488905????????       |                     
            //   ff15????????         |                     
            //   488d1570d10000       | inc                 ebp
            //   488bcb               | xor                 esi, esi

        $sequence_3 = { 4c8d35d8c20000 83e31f 486bdb58 4b8b04ee 0fbe4c1808 83e101 7445 }
            // n = 7, score = 100
            //   4c8d35d8c20000       | je                  0xe6a
            //   83e31f               | dec                 esp
            //   486bdb58             | lea                 ecx, [0xffff8083]
            //   4b8b04ee             | dec                 ecx
            //   0fbe4c1808           | sar                 edi, 5
            //   83e101               | and                 esi, 0x1f
            //   7445                 | dec                 ebx

        $sequence_4 = { 7435 e8???????? c70016000000 e8???????? eb40 4c8d2585830000 }
            // n = 6, score = 100
            //   7435                 | dec                 edx
            //   e8????????           |                     
            //   c70016000000         | mov                 ecx, dword ptr [eax]
            //   e8????????           |                     
            //   eb40                 | jmp                 0x1c05
            //   4c8d2585830000       | dec                 ecx

        $sequence_5 = { ff15???????? 488d15e7d40000 488bcb 488905???????? ff15???????? 488d15c0d40000 488bcb }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   488d15e7d40000       | lea                 esp, [0x8382]
            //   488bcb               | jmp                 0xc97
            //   488905????????       |                     
            //   ff15????????         |                     
            //   488d15c0d40000       | dec                 esp
            //   488bcb               | lea                 esp, [0x836a]

        $sequence_6 = { 488bce e8???????? 48ffc3 48ffcf 75ed 488b7c2430 488b5c2438 }
            // n = 7, score = 100
            //   488bce               | dec                 eax
            //   e8????????           |                     
            //   48ffc3               | add                 esp, 0x20
            //   48ffcf               | dec                 eax
            //   75ed                 | lea                 edx, [0xcd5e]
            //   488b7c2430           | dec                 eax
            //   488b5c2438           | mov                 ecx, ebx

        $sequence_7 = { 488bcb 488905???????? ff15???????? 488d15fecf0000 488bcb }
            // n = 5, score = 100
            //   488bcb               | add                 dword ptr [eax + eax], esi
            //   488905????????       |                     
            //   ff15????????         |                     
            //   488d15fecf0000       | jmp                 0xc11
            //   488bcb               | mov                 edx, 0xa

        $sequence_8 = { 488bd0 e8???????? 488d4c2420 4c8bcb 448bc7 488bd3 }
            // n = 6, score = 100
            //   488bd0               | mov                 ecx, dword ptr [eax + edi*8 + 0x14ba0]
            //   e8????????           |                     
            //   488d4c2420           | dec                 esp
            //   4c8bcb               | lea                 ecx, [ebp - 0x24]
            //   448bc7               | dec                 eax
            //   488bd3               | lea                 edx, [ebp - 0x28]

        $sequence_9 = { 415f 415e 5e c3 33c0 4883c430 }
            // n = 6, score = 100
            //   415f                 | dec                 eax
            //   415e                 | mov                 ecx, dword ptr [esp + 0xa8]
            //   5e                   | dec                 esp
            //   c3                   | lea                 ecx, [esp + 0xb8]
            //   33c0                 | inc                 esp
            //   4883c430             | movzx               eax, si

    condition:
        7 of them and filesize < 198656
}
Download all Yara Rules