win.lowkey

LOWKEY

aka: PortReuse

Actor(s): APT41


There is no description at this point.

References
2022-03-08 · Mandiant · Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram
@online{brown:20220308:does:94c6c3e, author = {Rufus Brown and Van Ta and Douglas Bienstock and Geoff Ackerman and John Wolfram}, title = {{Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments}}, date = {2022-03-08}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/apt41-us-state-governments}, language = {English}, urldate = {2022-03-10} } Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments
KEYPLUG Cobalt Strike LOWKEY
2019-10-21 · ESET Research · Mathieu Tartare
@online{tartare:20191021:winnti:eb2c722, author = {Mathieu Tartare}, title = {{Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor}}, date = {2019-10-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/}, language = {English}, urldate = {2019-11-14} } Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor
LOWKEY skip-2.0
2019-10-15 · FireEye · Tobias Krueger
@online{krueger:20191015:lowkey:aab2f5e, author = {Tobias Krueger}, title = {{LOWKEY: Hunting for the Missing Volume Serial ID}}, date = {2019-10-15}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html}, language = {English}, urldate = {2019-12-10} } LOWKEY: Hunting for the Missing Volume Serial ID
LOWKEY poisonplug
2019-10-07 · ESET Research · Marc-Etienne M.Léveillé, Mathieu Tartare
@techreport{mlveill:20191007:connecting:e59d4c8, author = {Marc-Etienne M.Léveillé and Mathieu Tartare}, title = {{CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group}}, date = {2019-10-07}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf}, language = {English}, urldate = {2020-01-10} } CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group
LOWKEY shadowhammer ShadowPad
Yara Rules
[TLP:WHITE] win_lowkey_auto (20220411 | Detects win.lowkey.)
rule win_lowkey_auto {

    /* Auto-generated code-sequence signature for win.lowkey (LOWKEY, aka PortReuse;
     * attributed on this page to APT41). Each $sequence_N below is a run of raw x86
     * opcode bytes lifted from memory dumps / unpacked samples (see DISCLAIMER), so
     * the rule is intended for unpacked or in-memory code rather than packed files
     * on disk.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.lowkey."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lowkey"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reading the strings below:
     *  - `????????` inside `ff15????????` / `e8????????` wildcards the 4-byte
     *    displacement of an indirect/direct call, which differs per build and
     *    load address, so only the opcode byte(s) are pinned.
     *  - The `| mnemonic` column is yara-signator's annotation and does not
     *    appear to line up with the bytes on the same line (e.g. `85c0` is
     *    `test eax, eax`, `c3` is `ret`); treat the hex as authoritative and
     *    the text only as a hint.
     *  - The REX prefixes (48, 4c, 41, 44, 45) indicate 64-bit code sequences.
     *  - `n` is the number of instructions in the sequence; `score` is the
     *    generator's ranking of the sequence.
     */
    strings:
        $sequence_0 = { 85c0 7585 488bce ff15???????? 488bcb ff15???????? b801000000 }
            // n = 7, score = 100
            //   85c0                 | sub                 esp, 0x50
            //   7585                 | dec                 eax
            //   488bce               | xor                 eax, esp
            //   ff15????????         |                     
            //   488bcb               | dec                 eax
            //   ff15????????         |                     
            //   b801000000           | mov                 dword ptr [esp + 0x48], eax

        $sequence_1 = { 0f84a9000000 4c8d442440 488bc8 8d5708 ff15???????? 85c0 0f8487000000 }
            // n = 7, score = 100
            //   0f84a9000000         | je                  0x7bf
            //   4c8d442440           | dec                 eax
            //   488bc8               | mov                 ecx, eax
            //   8d5708               | dec                 eax
            //   ff15????????         |                     
            //   85c0                 | lea                 edx, dword ptr [0xb842]
            //   0f8487000000         | mov                 ecx, 0x18

        $sequence_2 = { 42387c3039 0f84bf000000 488d05e11b0300 4a8b0ce8 488d55f8 }
            // n = 5, score = 100
            //   42387c3039           | dec                 eax
            //   0f84bf000000         | mov                 ecx, dword ptr [edx + 0x50]
            //   488d05e11b0300       | dec                 eax
            //   4a8b0ce8             | add                 ecx, 0x28
            //   488d55f8             | ret                 

        $sequence_3 = { 488d542450 e8???????? 85c0 0f8486000000 448b442458 4585c0 741e }
            // n = 7, score = 100
            //   488d542450           | mov                 edx, dword ptr [ebx + 0x10]
            //   e8????????           |                     
            //   85c0                 | dec                 eax
            //   0f8486000000         | lea                 ecx, dword ptr [0x2334a]
            //   448b442458           | xor                 ebx, ebx
            //   4585c0               | jmp                 0xb2
            //   741e                 | dec                 eax

        $sequence_4 = { ff15???????? 85c0 743a 488b4c2430 448d4b10 48895c2428 4c8d442438 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   85c0                 | mov                 ebx, eax
            //   743a                 | mov                 dword ptr [esp + 0x30], eax
            //   488b4c2430           | dec                 eax
            //   448d4b10             | mov                 esi, edx
            //   48895c2428           | inc                 esp
            //   4c8d442438           | mov                 dword ptr [esp + 0x30], esi

        $sequence_5 = { 488b542420 4c8d442430 41b904010000 488bcf ff15???????? 85c0 7413 }
            // n = 7, score = 100
            //   488b542420           | cmp                 eax, esp
            //   4c8d442430           | mov                 eax, ebp
            //   41b904010000         | dec                 ebp
            //   488bcf               | lea                 ecx, dword ptr [esp + 0x10]
            //   ff15????????         |                     
            //   85c0                 | dec                 esp
            //   7413                 | lea                 esi, dword ptr [0x12545]

        $sequence_6 = { e8???????? 488b9c24c8040000 4881c4a0040000 5f c3 48895c2418 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   488b9c24c8040000     | mov                 ecx, dword ptr [esp + 0x2170]
            //   4881c4a0040000       | dec                 eax
            //   5f                   | xor                 ecx, esp
            //   c3                   | dec                 esp
            //   48895c2418           | lea                 ebx, dword ptr [esp + 0x2180]

        $sequence_7 = { 48898560460000 4533f6 4c89a424a0470000 418bfe 4c89bc24b0470000 4c8d3dc6180200 }
            // n = 6, score = 100
            //   48898560460000       | mov                 dword ptr [ebx], eax
            //   4533f6               | dec                 eax
            //   4c89a424a0470000     | mov                 eax, ebx
            //   418bfe               | dec                 eax
            //   4c89bc24b0470000     | add                 esp, 0x20
            //   4c8d3dc6180200       | dec                 eax

        $sequence_8 = { 740b 488b4010 ffc3 4885c0 75f5 488d4e08 ff15???????? }
            // n = 7, score = 100
            //   740b                 | test                eax, eax
            //   488b4010             | inc                 ebp
            //   ffc3                 | test                eax, eax
            //   4885c0               | je                  0x331
            //   75f5                 | inc                 ecx
            //   488d4e08             | cmp                 eax, 0x2000
            //   ff15????????         |                     

        $sequence_9 = { 4889442468 c744247010000000 448bcd 4889742448 4889742440 89742438 4889742430 }
            // n = 7, score = 100
            //   4889442468           | lea                 eax, dword ptr [ebx - 0x38]
            //   c744247010000000     | mov                 dword ptr [esp + 0x50], ebx
            //   448bcd               | dec                 ebp
            //   4889742448           | mov                 dword ptr [ebx - 0x30], eax
            //   4889742440           | mov                 dword ptr [esp + 0x38], ebx
            //   89742438             | dec                 esp
            //   4889742430           | lea                 eax, dword ptr [ebp + 0x970]

    /* Fire when at least 7 of the 10 $sequence_* strings are present ("them"
     * covers every string declared above), and only for inputs smaller than
     * 643072 bytes (~628 KiB) -- presumably to bound false positives and scan
     * cost on large files; adjust the cap if scanning dumps rather than files. */
    condition:
        7 of them and filesize < 643072
}