win.kagent

KAgent

Actor(s): Cleaver


There is no description at this point.

References
2016-04-06 — Cylance (Cylance)
@techreport{cylance:20160406:operation:d4da7b5, author = {Cylance}, title = {{Operation Cleaver}}, date = {2016-04-06}, institution = {Cylance}, url = {https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf}, language = {English}, urldate = {2020-01-10} } Operation Cleaver
CsExt Jasus KAgent NetC PvzOut SynFlooder TinyZbot WndTest ZhCat ZhMimikatz Cleaver
Yara Rules
[TLP:WHITE] win_kagent_auto (20211008 | Detects win.kagent.)
rule win_kagent_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.kagent."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kagent"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Ten x86 (32-bit) instruction sequences, each listed with its disassembly.
     * "??" is a YARA wildcard byte: the rel32 operand of e8 (call) / e9 (jmp)
     * and the imm32 of c706 (mov dword ptr [esi], imm32) are left open so the
     * sequences are not tied to one build's addresses. Per sequence, "n" is the
     * number of instructions and "score" is the selection score assigned by
     * yara-signator (see the tool/signator_config meta fields).
     */

    strings:
        $sequence_0 = { 2bc1 46 c1f803 3bf0 7ce1 807f1400 741f }
            // n = 7, score = 400
            //   2bc1                 | sub                 eax, ecx
            //   46                   | inc                 esi
            //   c1f803               | sar                 eax, 3
            //   3bf0                 | cmp                 esi, eax
            //   7ce1                 | jl                  0xffffffe3
            //   807f1400             | cmp                 byte ptr [edi + 0x14], 0
            //   741f                 | je                  0x21

        $sequence_1 = { 8d55f1 6a01 52 e8???????? 8b45ec 50 }
            // n = 6, score = 400
            //   8d55f1               | lea                 edx, dword ptr [ebp - 0xf]
            //   6a01                 | push                1
            //   52                   | push                edx
            //   e8????????           |                     
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   50                   | push                eax

        $sequence_2 = { 33f6 85c0 7e2c 3bf0 7d49 85f6 }
            // n = 6, score = 400
            //   33f6                 | xor                 esi, esi
            //   85c0                 | test                eax, eax
            //   7e2c                 | jle                 0x2e
            //   3bf0                 | cmp                 esi, eax
            //   7d49                 | jge                 0x4b
            //   85f6                 | test                esi, esi

        $sequence_3 = { 8d7802 668b08 83c002 6685c9 75f5 8b4df8 2bc7 }
            // n = 7, score = 400
            //   8d7802               | lea                 edi, dword ptr [eax + 2]
            //   668b08               | mov                 cx, word ptr [eax]
            //   83c002               | add                 eax, 2
            //   6685c9               | test                cx, cx
            //   75f5                 | jne                 0xfffffff7
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   2bc7                 | sub                 eax, edi

        $sequence_4 = { 8bcb e8???????? 8b4f64 8b4768 2bc1 46 c1f803 }
            // n = 7, score = 400
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   8b4f64               | mov                 ecx, dword ptr [edi + 0x64]
            //   8b4768               | mov                 eax, dword ptr [edi + 0x68]
            //   2bc1                 | sub                 eax, ecx
            //   46                   | inc                 esi
            //   c1f803               | sar                 eax, 3

        $sequence_5 = { 50 8b420c ffd0 83c9ff 3bc1 0f85b4000000 }
            // n = 6, score = 400
            //   50                   | push                eax
            //   8b420c               | mov                 eax, dword ptr [edx + 0xc]
            //   ffd0                 | call                eax
            //   83c9ff               | or                  ecx, 0xffffffff
            //   3bc1                 | cmp                 eax, ecx
            //   0f85b4000000         | jne                 0xba

        $sequence_6 = { 8b4604 83c404 33c9 c70600000000 668908 }
            // n = 5, score = 400
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   83c404               | add                 esp, 4
            //   33c9                 | xor                 ecx, ecx
            //   c70600000000         | mov                 dword ptr [esi], 0
            //   668908               | mov                 word ptr [eax], cx

        $sequence_7 = { 8bce ffd2 83c308 83c708 }
            // n = 4, score = 400
            //   8bce                 | mov                 ecx, esi
            //   ffd2                 | call                edx
            //   83c308               | add                 ebx, 8
            //   83c708               | add                 edi, 8

        $sequence_8 = { 8d4de4 e9???????? 8d4de4 e9???????? 8d4dd8 e9???????? 8b542408 }
            // n = 7, score = 400
            //   8d4de4               | lea                 ecx, dword ptr [ebp - 0x1c]
            //   e9????????           |                     
            //   8d4de4               | lea                 ecx, dword ptr [ebp - 0x1c]
            //   e9????????           |                     
            //   8d4dd8               | lea                 ecx, dword ptr [ebp - 0x28]
            //   e9????????           |                     
            //   8b542408             | mov                 edx, dword ptr [esp + 8]

        $sequence_9 = { e8???????? 83c40c 895e04 895e08 895e0c c706???????? 8b4df4 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   895e04               | mov                 dword ptr [esi + 4], ebx
            //   895e08               | mov                 dword ptr [esi + 8], ebx
            //   895e0c               | mov                 dword ptr [esi + 0xc], ebx
            //   c706????????         |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]

    condition:
        // At least 7 of the 10 sequences must be present. filesize is in bytes,
        // so any input of 4972544 bytes or more never matches, however many
        // sequences it contains; keep this bound in mind when scanning larger
        // dumps or packed carriers.
        7 of them and filesize < 4972544
}
[TLP:WHITE] win_kagent_w0   (20170521 | Backdoor used by attackers in Operation Cleaver)
rule win_kagent_w0 {
    // String-based rule for the Operation Cleaver backdoor (Cylance, 2014):
    // two plaintext status/log messages, both of which must be present.
    meta:
        description = "Backdoor used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kagent"
        malpedia_version = "20170521"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // No modifiers, so YARA's defaults apply: ASCII, case-sensitive.
        $s1 = "kill command is in last machine, going back"
        $s2 = "message data length in B64: %d Bytes"

    condition:
        // Same as "all of them" for a two-string rule.
        $s1 and $s2
}