win.kerrdown (Back to overview)

KerrDown

Actor(s): APT32


There is no description at this point.

References
2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 | Secureworks | SecureWorks
@online{secureworks:2020:tin:ccd6795, author = {SecureWorks}, title = {{TIN WOODLAWN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/tin-woodlawn}, language = {English}, urldate = {2020-05-23} } TIN WOODLAWN
Cobalt Strike KerrDown MimiKatz PHOREAL RatSnif Remy SOUNDBITE APT32
2019-05-31 | TradaHacking | m4n0w4r
@online{m4n0w4r:20190531:thng:c687d46, author = {m4n0w4r}, title = {{Thưởng tết….}}, date = {2019-05-31}, organization = {TradaHacking}, url = {https://tradahacking.vn/th%C6%B0%E1%BB%9Fng-t%E1%BA%BFt-fbcbbed49da7}, language = {Vietnamese}, urldate = {2020-01-10} } Thưởng tết….
KerrDown
2019-03-24 | One Night in Norfolk | Kevin Perlow
@online{perlow:20190324:jeshell:439ae8b, author = {Kevin Perlow}, title = {{JEShell: An OceanLotus (APT32) Backdoor}}, date = {2019-03-24}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/}, language = {English}, urldate = {2020-05-19} } JEShell: An OceanLotus (APT32) Backdoor
Cobalt Strike KerrDown
2019-02-02 | CyStack | Bach Nguyen
@online{nguyen:20190202:wordbased:89a23db, author = {Bach Nguyen}, title = {{Word-based Malware Attack}}, date = {2019-02-02}, organization = {CyStack}, url = {https://blog.cystack.net/word-based-malware-attack/}, language = {English}, urldate = {2019-12-20} } Word-based Malware Attack
KerrDown
2019-02-01 | Palo Alto Networks Unit 42 | Vicky Ray, Kaoru Hayashi
@online{ray:20190201:tracking:479c2b7, author = {Vicky Ray and Kaoru Hayashi}, title = {{Tracking OceanLotus’ new Downloader, KerrDown}}, date = {2019-02-01}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/}, language = {English}, urldate = {2019-10-23} } Tracking OceanLotus’ new Downloader, KerrDown
KerrDown
Yara Rules
[TLP:WHITE] win_kerrdown_auto (20200817 | autogenerated rule brought to you by yara-signator)
/*
 * Autogenerated code-sequence rule for win.kerrdown (APT32 downloader).
 * Each $sequence_N is a short run of x86 opcode bytes lifted from the
 * disassembly of a documented sample; see the DISCLAIMER block below for
 * how they were selected. Because the selection came from memory dumps and
 * unpacked files, the rule is intended for unpacked code / memory scans and
 * should not be expected to fire on a packed on-disk sample.
 */
rule win_kerrdown_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        // Generator settings; "callsandjumps;datarefs;binvalue" appears to name
        // the operand classes that are wildcarded (??) in the hex strings below
        // — TODO confirm against the yara-signator documentation.
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kerrdown"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Per-sequence annotations are generator output: "n" is the number of
        // instructions in the sequence (matches the listed opcodes); the
        // meaning of "score" is not documented here — treat it as a generator
        // ranking, not a detection confidence.
        //
        // NOTE(review): several sequences embed absolute 32-bit addresses
        // (e.g. 0x32f248, 0x33ccd8, 0x332e20) verbatim rather than wildcarding
        // them, which ties those sequences to the image layout of the
        // documented sample; a rebased or rebuilt binary may miss them.
        $sequence_0 = { 1bc0 23c1 eb55 8b1c9d48f23200 }
            // n = 4, score = 100
            //   1bc0                 | sbb                 eax, eax
            //   23c1                 | and                 eax, ecx
            //   eb55                 | jmp                 0x57
            //   8b1c9d48f23200       | mov                 ebx, dword ptr [ebx*4 + 0x32f248]

        $sequence_1 = { a7 8ade 2c2d 246d }
            // n = 4, score = 100
            //   a7                   | cmpsd               dword ptr [esi], dword ptr es:[edi]
            //   8ade                 | mov                 bl, dh
            //   2c2d                 | sub                 al, 0x2d
            //   246d                 | and                 al, 0x6d

        // "??" is a YARA single-byte wildcard; the blank disassembly columns
        // below mark the instructions whose 32-bit operands were masked out.
        $sequence_2 = { 75b2 83ff10 8935???????? b8???????? }
            // n = 4, score = 100
            //   75b2                 | jne                 0xffffffb4
            //   83ff10               | cmp                 edi, 0x10
            //   8935????????         |                     
            //   b8????????           |                     

        $sequence_3 = { 8a01 41 884435e8 46 894de0 }
            // n = 5, score = 100
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   41                   | inc                 ecx
            //   884435e8             | mov                 byte ptr [ebp + esi - 0x18], al
            //   46                   | inc                 esi
            //   894de0               | mov                 dword ptr [ebp - 0x20], ecx

        $sequence_4 = { 722b 83f923 772b 8bc8 }
            // n = 4, score = 100
            //   722b                 | jb                  0x2d
            //   83f923               | cmp                 ecx, 0x23
            //   772b                 | ja                  0x2d
            //   8bc8                 | mov                 ecx, eax

        $sequence_5 = { 3d00100000 721a f6c11f 752f }
            // n = 4, score = 100
            //   3d00100000           | cmp                 eax, 0x1000
            //   721a                 | jb                  0x1c
            //   f6c11f               | test                cl, 0x1f
            //   752f                 | jne                 0x31

        $sequence_6 = { 0f85ac0a0000 8d0d202e3300 ba1b000000 e9???????? }
            // n = 4, score = 100
            //   0f85ac0a0000         | jne                 0xab2
            //   8d0d202e3300         | lea                 ecx, [0x332e20]
            //   ba1b000000           | mov                 edx, 0x1b
            //   e9????????           |                     

        $sequence_7 = { 8b45e4 8b4de8 8b0485d8cc3300 f644082840 7409 803f1a }
            // n = 6, score = 100
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   8b0485d8cc3300       | mov                 eax, dword ptr [eax*4 + 0x33ccd8]
            //   f644082840           | test                byte ptr [eax + ecx + 0x28], 0x40
            //   7409                 | je                  0xb
            //   803f1a               | cmp                 byte ptr [edi], 0x1a

        $sequence_8 = { 02d1 c0e004 8855e4 33db }
            // n = 4, score = 100
            //   02d1                 | add                 dl, cl
            //   c0e004               | shl                 al, 4
            //   8855e4               | mov                 byte ptr [ebp - 0x1c], dl
            //   33db                 | xor                 ebx, ebx

        $sequence_9 = { 8bd6 83e03f c1fa06 6bc830 8b0495d8cc3300 }
            // n = 5, score = 100
            //   8bd6                 | mov                 edx, esi
            //   83e03f               | and                 eax, 0x3f
            //   c1fa06               | sar                 edx, 6
            //   6bc830               | imul                ecx, eax, 0x30
            //   8b0495d8cc3300       | mov                 eax, dword ptr [edx*4 + 0x33ccd8]

    condition:
        // At least 7 of the 10 sequences must be present, so a few broken or
        // rebased sequences are tolerated. The size cap (278528 bytes = 272 KiB)
        // bounds scan cost but also means a larger build or a dump with extra
        // mapped data is never matched — relax it when scanning memory dumps.
        7 of them and filesize < 278528
}