win.imprudentcook

ImprudentCook

Actor(s): Lazarus Group


ImprudentCook is an HTTP(S) downloader.

It was delivered in the Operation DreamJob type of activity targeting aerospace and defense companies in South Africa (in Q2 2022) and in Central Europe (in H1 2023), and against an unknown sector in South Korea back in Q2 2021.

It uses the AES cipher implemented through Windows Cryptographic Providers for decryption of its binary configuration, and also for encryption and decryption of the client-server communication.

It is hidden in an alternate data stream (:dat or :zone) of its dropper, together with its configuration (:rsrc) and an AES-128 CBC key with an initialization vector for decrypting that configuration (:kgb or :data).
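One way a defender can hunt for this stream layout on a Windows host, as an added example that is not Malpedia's or the report author's code: it assumes the Win32 FindFirstStreamW/FindNextStreamW API and the stream names :dat/:zone, :rsrc and :kgb/:data given above; the grouping into roles and the "all three roles present" rule are this example's own heuristic.

```python
"""Added hunting example (not Malpedia's own code): enumerate NTFS alternate data
streams and flag files carrying the dropper layout described above."""
import ctypes
import ctypes.wintypes as wt

# ADS names from the description, grouped by the role the description gives them.
STREAM_ROLES = {"dat": "payload", "zone": "payload",  # the downloader itself
                "rsrc": "config",                     # its encrypted configuration
                "kgb": "key", "data": "key"}          # AES-128 CBC key and IV

def classify_streams(stream_names):
    """Map raw stream names (':dat:$DATA', '::$DATA', ...) to roles.
    Returns (roles_found, flagged); flagged only when payload, config and key
    streams all co-exist on one file (heuristic based on the layout described)."""
    roles = {}
    for raw in stream_names:
        parts = raw.split(":")
        name = (parts[1] if len(parts) > 1 else parts[0]).lower()
        if not name:                      # '::$DATA' is the unnamed main stream
            continue
        if name in STREAM_ROLES:
            roles.setdefault(STREAM_ROLES[name], []).append(name)
    return roles, {"payload", "config", "key"} <= set(roles)

class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    _fields_ = [("StreamSize", wt.LARGE_INTEGER),
                ("cStreamName", wt.WCHAR * (wt.MAX_PATH + 36))]

def list_streams(path):
    """Enumerate a file's streams via FindFirstStreamW/FindNextStreamW (Windows only)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    pdata = ctypes.POINTER(WIN32_FIND_STREAM_DATA)
    k32.FindFirstStreamW.restype = wt.HANDLE
    k32.FindFirstStreamW.argtypes = [wt.LPCWSTR, ctypes.c_int, pdata, wt.DWORD]
    k32.FindNextStreamW.argtypes = [wt.HANDLE, pdata]
    k32.FindClose.argtypes = [wt.HANDLE]
    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle == ctypes.c_void_p(-1).value:                        # INVALID_HANDLE_VALUE
        return []
    names = []
    try:
        while True:
            names.append(data.cStreamName)
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return names
```

On a Windows host, `classify_streams(list_streams(path))` returns the roles found and a verdict for one file; a hit on all three roles is a strong trigger to pull the file and its :rsrc stream for analysis.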

It contains two characteristic arrays of strings that represent cookie names for web services, including Bing, Daum and GitHub:

1. iKc;__uid;OAX;DMP_UID;PCID;_gid;_gat;csrftoken;NID;1P_JAR;JSESSIONID;WLS;SNID;__utma;BID;SRCHD;GsCK_AC;spintop;eader;XSRF-TOKEN;_gat_gtag_UA;webid_enabled;EDGE_V;dtck_channel;dtmulti;UUID;XUID;ZIA;IUID;SSID;_gh_sess;_octo

2. channel;post_titles;xfw_exp;wiht_clkey;SGPCOUPLE;NRTK;fbp;uaid;SRCHUSR;GUC;HPVN;dtck_blog;dtck_media;MUIDB;SRCHHPGUSR;SiteMain

It contains a string, "5.40" or "5.60", looking like version information.

References

2023-10-04, Virus Bulletin, Peter Kálnai: "Lazarus Campaigns and Backdoors in 2022-23" (families covered: SimpleTea, POOLRAT, 3CX Backdoor, BLINDINGCAN, CLOUDBURST, DRATzarus, ForestTiger, ImprudentCook, LambLoad, LightlessCan, miniBlindingCan, PostNapTea, SecondHandTea, SnatchCrypto, wAgentTea, WebbyTea, WinInetLoader)

2021-05-13, AhnLab, AhnLab ASEC Analysis Team: "APT attack for domestic companies using library files" (families covered: ImprudentCook)
Yara Rules
[TLP:WHITE] win_imprudentcook_auto (20260504 | Detects win.imprudentcook.)
rule win_imprudentcook_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.imprudentcook."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.imprudentcook"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 488b5520 894500 8b4528 83f803 7527 488b4508 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488b5520             | cmp                 esi, ecx
            //   894500               | dec                 ecx
            //   8b4528               | adc                 eax, 0
            //   83f803               | dec                 ebp
            //   7527                 | add                 edx, eax
            //   488b4508             | dec                 eax

        $sequence_1 = { 3b3d???????? 736e 488bdf 4c8bef 49c1fd05 4c8d35384d0200 83e31f }
            // n = 7, score = 100
            //   3b3d????????         |                     
            //   736e                 | dec                 eax
            //   488bdf               | lea                 ecx, [ebp + ebx*8]
            //   4c8bef               | dec                 ebp
            //   49c1fd05             | mov                 ecx, edi
            //   4c8d35384d0200       | dec                 eax
            //   83e31f               | mov                 dword ptr [esp + 0x20], esi

        $sequence_2 = { 753a 4883e908 48ffc8 79eb 488b8c2498000000 4489642428 4d85f6 }
            // n = 7, score = 100
            //   753a                 | mov                 edx, dword ptr [esp + 0x48]
            //   4883e908             | dec                 eax
            //   48ffc8               | test                edx, edx
            //   79eb                 | je                  0x9dc
            //   488b8c2498000000     | dec                 eax
            //   4489642428           | mov                 ecx, dword ptr [esi + 8]
            //   4d85f6               | inc                 ecx

        $sequence_3 = { 4c2bc1 49c1e020 4d0bc3 4c3bc2 731a 498b45f8 49ffca }
            // n = 7, score = 100
            //   4c2bc1               | dec                 eax
            //   49c1e020             | lea                 edx, [0x4eb72]
            //   4d0bc3               | dec                 eax
            //   4c3bc2               | lea                 edx, [0x4ee71]
            //   731a                 | dec                 eax
            //   498b45f8             | mov                 ecx, ebx
            //   49ffca               | dec                 eax

        $sequence_4 = { 4983ec08 493bfd 0f8211020000 4989742408 7732 7563 4d8bcc }
            // n = 7, score = 100
            //   4983ec08             | lea                 eax, [ecx + esi]
            //   493bfd               | mov                 esi, edi
            //   0f8211020000         | dec                 eax
            //   4989742408           | cmp                 eax, ecx
            //   7732                 | dec                 eax
            //   7563                 | mov                 ecx, edi
            //   4d8bcc               | dec                 ecx

        $sequence_5 = { 4b0104ec 4d85f6 7430 488b4d28 4d8d46ff 498bc4 }
            // n = 6, score = 100
            //   4b0104ec             | dec                 eax
            //   4d85f6               | mov                 dword ptr [esp + 0x60], ecx
            //   7430                 | dec                 eax
            //   488b4d28             | mov                 eax, dword ptr [esp + 0x128]
            //   4d8d46ff             | dec                 eax
            //   498bc4               | mov                 ecx, dword ptr [eax]

        $sequence_6 = { 482bfa 660f1f440000 488b0c3b 488b13 483bca 0f8599000000 4883eb08 }
            // n = 7, score = 100
            //   482bfa               | sub                 edi, eax
            //   660f1f440000         | dec                 ebp
            //   488b0c3b             | mov                 ebx, ecx
            //   488b13               | dec                 ecx
            //   483bca               | lea                 eax, [edi + 1]
            //   0f8599000000         | dec                 ecx
            //   4883eb08             | cmp                 eax, eax

        $sequence_7 = { 4c8bc6 48898580000000 e8???????? 48894510 4885c0 7452 660f1f840000000000 }
            // n = 7, score = 100
            //   4c8bc6               | dec                 eax
            //   48898580000000       | xor                 eax, ebp
            //   e8????????           |                     
            //   48894510             | dec                 eax
            //   4885c0               | mov                 dword ptr [ebp + 0xc8], eax
            //   7452                 | dec                 eax
            //   660f1f840000000000     | mov    ebx, edx

        $sequence_8 = { 4c8b7c2460 4c8b942408010000 4a8d1c38 4f8d2c12 493bdd 7d41 488b842438010000 }
            // n = 7, score = 100
            //   4c8b7c2460           | dec                 ecx
            //   4c8b942408010000     | mov                 ebx, ecx
            //   4a8d1c38             | dec                 ecx
            //   4f8d2c12             | mov                 edi, eax
            //   493bdd               | inc                 ebp
            //   7d41                 | xor                 ebx, ebx
            //   488b842438010000     | inc                 ecx

        $sequence_9 = { 488905???????? e8???????? 488d15d3ec0400 488bcb 488905???????? e8???????? 488d15d5ec0400 }
            // n = 7, score = 100
            //   488905????????       |                     
            //   e8????????           |                     
            //   488d15d3ec0400       | mov                 eax, edi
            //   488bcb               | dec                 eax
            //   488905????????       |                     
            //   e8????????           |                     
            //   488d15d5ec0400       | mov                 edx, ebx

    condition:
        7 of them and filesize < 864256
}