win.kdcsponge

KDC Sponge


There is no description at this point. The only reference listed below (CISA Alert AA21-336A) cites KDC Sponge together with NGLite; no further detail about the family is recorded on this page.

References
2021-12-02 — CISA (US-CERT)
@online{uscert:20211202:alert:ac0edaf, author = {US-CERT}, title = {{Alert (AA21-336A): APT Actors Exploiting CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus}}, date = {2021-12-02}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-336a}, language = {English}, urldate = {2021-12-07} } Alert (AA21-336A): APT Actors Exploiting CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus
Families covered by this reference: KDC Sponge, NGLite
Yara Rules
[TLP:WHITE] win_kdcsponge_auto (20230715 | Detects win.kdcsponge.)
rule win_kdcsponge_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.kdcsponge."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kdcsponge"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Every hex string below decodes as x86-64 code (REX prefixes 0x48/0x49/
     *   0x4c/0x4d, rip-relative addressing). The per-line mnemonics shipped with
     *   the autogenerated rule were misaligned against the bytes; they have been
     *   re-derived here from the bytes themselves. Verify against your own
     *   disassembler before relying on them.
     * - "????????" wildcards cover 32-bit displacements of call / rip-relative
     *   memory operands, which are the parts most likely to differ between
     *   builds; the opcode bytes around them are matched exactly.
     * - Several sequences read or write fields at offsets 0x4xx of a structure
     *   addressed through rcx or rbx (0x409, 0x420, 0x438, 0x43c, 0x440, 0x46c,
     *   0x4b0, 0x4bc, 0x4c3). That looks like one shared context object, but
     *   the layout is not documented here — treat as an observation, not a fact.
     * - Because the strings come from a single sample, expect the rule to miss
     *   recompiled or refactored variants; a miss is not evidence of absence.
     */

    strings:
        $sequence_0 = { 0f8580010000 0fb681b0040000 3c01 0f85af000000 488b896c040000 4885c9 7429 }
            // n = 7, score = 100
            //   0f8580010000         | jne                 +0x180
            //   0fb681b0040000       | movzx               eax, byte ptr [rcx + 0x4b0]
            //   3c01                 | cmp                 al, 1
            //   0f85af000000         | jne                 +0xaf
            //   488b896c040000       | mov                 rcx, qword ptr [rcx + 0x46c]
            //   4885c9               | test                rcx, rcx
            //   7429                 | je                  +0x29

        // Function prologue: saves rdi, reserves 0x20 bytes (x64 shadow space
        // size), stashes the first argument, then calls a routine with a
        // rip-relative address in rcx and tests its 32-bit result.
        $sequence_1 = { 57 4883ec20 488bd9 488d3d2c1afcff 488bcf e8???????? 85c0 }
            // n = 7, score = 100
            //   57                   | push                rdi
            //   4883ec20             | sub                 rsp, 0x20
            //   488bd9               | mov                 rbx, rcx
            //   488d3d2c1afcff       | lea                 rdi, [rip - 0x3e5d4]
            //   488bcf               | mov                 rcx, rdi
            //   e8????????           | call                <rel32 wildcarded>
            //   85c0                 | test                eax, eax

        $sequence_2 = { e9???????? 80b90904000001 0f85c1000000 8b8138040000 488bd3 89813c040000 c6810904000008 }
            // n = 7, score = 100
            //   e9????????           | jmp                 <rel32 wildcarded>
            //   80b90904000001       | cmp                 byte ptr [rcx + 0x409], 1
            //   0f85c1000000         | jne                 +0xc1
            //   8b8138040000         | mov                 eax, dword ptr [rcx + 0x438]
            //   488bd3               | mov                 rdx, rbx
            //   89813c040000         | mov                 dword ptr [rcx + 0x43c], eax
            //   c6810904000008       | mov                 byte ptr [rcx + 0x409], 8

        // Starts on a ret, i.e. spans the tail of one function and the head of
        // the next; the two "and" instructions clear all but one bit of two
        // 64-bit fields, and the inc bumps a 64-bit counter at +0x420.
        $sequence_3 = { c3 f20f1005???????? 8b05???????? 4883a1a000000020 4883a1d000000001 48ff8120040000 }
            // n = 6, score = 100
            //   c3                   | ret
            //   f20f1005????????     | movsd               xmm0, qword ptr [rip + <disp32 wildcarded>]
            //   8b05????????         | mov                 eax, dword ptr [rip + <disp32 wildcarded>]
            //   4883a1a000000020     | and                 qword ptr [rcx + 0xa0], 0x20
            //   4883a1d000000001     | and                 qword ptr [rcx + 0xd0], 1
            //   48ff8120040000       | inc                 qword ptr [rcx + 0x420]

        // Initialises several fixed-size fields of the rbx-based structure with
        // constants (0x69, 0x1d0000, 0x1000, 0x20000) around a call whose target
        // is wildcarded.
        $sequence_4 = { 488d8bcc010000 c7834004000069000000 488bd3 e8???????? c7436000001d00 c783ec01000000100000 48c7832801000000000200 }
            // n = 7, score = 100
            //   488d8bcc010000       | lea                 rcx, [rbx + 0x1cc]
            //   c7834004000069000000     | mov    dword ptr [rbx + 0x440], 0x69
            //   488bd3               | mov                 rdx, rbx
            //   e8????????           | call                <rel32 wildcarded>
            //   c7436000001d00       | mov                 dword ptr [rbx + 0x60], 0x1d0000
            //   c783ec01000000100000     | mov    dword ptr [rbx + 0x1ec], 0x1000
            //   48c7832801000000000200     | mov    qword ptr [rbx + 0x128], 0x20000

        $sequence_5 = { 3c02 0f85f3000000 80b9c304000001 0f85e6000000 80b9bc0400000f 740a }
            // n = 6, score = 100
            //   3c02                 | cmp                 al, 2
            //   0f85f3000000         | jne                 +0xf3
            //   80b9c304000001       | cmp                 byte ptr [rcx + 0x4c3], 1
            //   0f85e6000000         | jne                 +0xe6
            //   80b9bc0400000f       | cmp                 byte ptr [rcx + 0x4bc], 0xf
            //   740a                 | je                  +0xa

        // Reads two dword entries of an 8-byte-stride table indexed by rcx,
        // computes their difference and bounds-checks it against 0x49 (73).
        $sequence_6 = { 8b84cd18010000 8b94cd10010000 3bc2 7207 2bc2 83f849 7356 }
            // n = 7, score = 100
            //   8b84cd18010000       | mov                 eax, dword ptr [rbp + rcx*8 + 0x118]
            //   8b94cd10010000       | mov                 edx, dword ptr [rbp + rcx*8 + 0x110]
            //   3bc2                 | cmp                 eax, edx
            //   7207                 | jb                  +0x7
            //   2bc2                 | sub                 eax, edx
            //   83f849               | cmp                 eax, 0x49
            //   7356                 | jae                 +0x56

        // Splits the sign-extended first argument into a 64-way index
        // (sar by 6) and a 6-bit remainder (and 0x3f); a bit-vector style
        // word/bit decomposition is one plausible reading — not confirmed here.
        $sequence_7 = { 4883ec38 4c63e9 4c8d1581490100 498bfd 4d8bfd 49c1ff06 83e73f }
            // n = 7, score = 100
            //   4883ec38             | sub                 rsp, 0x38
            //   4c63e9               | movsxd              r13, ecx
            //   4c8d1581490100       | lea                 r10, [rip + 0x14981]
            //   498bfd               | mov                 rdi, r13
            //   4d8bfd               | mov                 r15, r13
            //   49c1ff06             | sar                 r15, 6
            //   83e73f               | and                 edi, 0x3f

        // rax*5 scaling followed by indexed dword reads from an rbp-based,
        // 8-byte-stride table; rbp is then restored from the stack frame.
        $sequence_8 = { 488d0c80 8b44cd14 2b44cd0c 488b6c2470 03c3 4103c1 8b08 }
            // n = 7, score = 100
            //   488d0c80             | lea                 rcx, [rax + rax*4]
            //   8b44cd14             | mov                 eax, dword ptr [rbp + rcx*8 + 0x14]
            //   2b44cd0c             | sub                 eax, dword ptr [rbp + rcx*8 + 0xc]
            //   488b6c2470           | mov                 rbp, qword ptr [rsp + 0x70]
            //   03c3                 | add                 eax, ebx
            //   4103c1               | add                 eax, r9d
            //   8b08                 | mov                 ecx, dword ptr [rax]

        // Shares the movsd/mov-from-rip pair with $sequence_3; both may be
        // part of the same switch-style dispatch on a small integer.
        $sequence_9 = { 74eb 83f802 7510 f20f1005???????? 8b05???????? eb27 }
            // n = 6, score = 100
            //   74eb                 | je                  -0x15
            //   83f802               | cmp                 eax, 2
            //   7510                 | jne                 +0x10
            //   f20f1005????????     | movsd               xmm0, qword ptr [rip + <disp32 wildcarded>]
            //   8b05????????         | mov                 eax, dword ptr [rip + <disp32 wildcarded>]
            //   eb27                 | jmp                 +0x27

    condition:
        // Seven of the ten sequences must co-occur; the 704 KiB (0xB0000)
        // file-size cap is the generator's default guard against scanning
        // large binaries, so an unpacked or memory-dumped sample larger than
        // that will not match even if all sequences are present.
        7 of them and filesize < 720896
}