LOWKEY (Malware Family)

LOWKEY

aka: PortReuse
Actor(s): APT41
There is no description at this point.
References

2019-10-21 ⋅ ESET Research ⋅ Mathieu Tartare
Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor
LOWKEY skip-2.0
2019-10-15 ⋅ FireEye ⋅ Tobias Krueger
LOWKEY: Hunting for the Missing Volume Serial ID
LOWKEY poisonplug
2019-10-07 ⋅ ESET Research ⋅ Marc-Etienne M.Léveillé, Mathieu Tartare
CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group
LOWKEY shadowhammer ShadowPad
Yara Rules

[TLP:WHITE] win_lowkey_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_lowkey_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lowkey"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4833c4 48898580200000 488bda 488d8d80000000 33d2 41b800200000 e8???????? }
            // n = 7, score = 100
            //   4833c4               | dec                 esp
            //   48898580200000       | lea                 eax, [0xfffffdfb]
            //   488bda               | dec                 eax
            //   488d8d80000000       | lea                 edx, [esp + 0x60]
            //   33d2                 | dec                 eax
            //   41b800200000         | mov                 dword ptr [esp + 0x4770], esi
            //   e8????????           |                     

        $sequence_1 = { 0f8401010000 e9???????? e8???????? 85c0 0f84ef000000 e9???????? 66413bc4 }
            // n = 7, score = 100
            //   0f8401010000         | lea                 ecx, [0x8e16]
            //   e9????????           |                     
            //   e8????????           |                     
            //   85c0                 | js                  0x86e
            //   0f84ef000000         | jne                 0x853
            //   e9????????           |                     
            //   66413bc4             | mov                 ecx, 0xa

        $sequence_2 = { 4883ec28 488d0dcd660300 e8???????? 488d0dd9660300 e8???????? b001 }
            // n = 6, score = 100
            //   4883ec28             | test                eax, eax
            //   488d0dcd660300       | setne               cl
            //   e8????????           |                     
            //   488d0dd9660300       | jmp                 0xd64
            //   e8????????           |                     
            //   b001                 | dec                 eax

        $sequence_3 = { ff15???????? 85c0 7551 488d9570050000 488d4c2470 ff15???????? }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   85c0                 | lea                 eax, [edx + 0x79]
            //   7551                 | xorps               xmm0, xmm0
            //   488d9570050000       | dec                 eax
            //   488d4c2470           | lea                 edx, [ebp - 0x70]
            //   ff15????????         |                     

        $sequence_4 = { 488d1519190400 e8???????? 85c0 0f84ae020000 41ffc7 4883c614 453b3e }
            // n = 7, score = 100
            //   488d1519190400       | dec                 eax
            //   e8????????           |                     
            //   85c0                 | add                 esp, 0x20
            //   0f84ae020000         | pop                 ebp
            //   41ffc7               | ret                 
            //   4883c614             | dec                 eax
            //   453b3e               | mov                 ecx, dword ptr [edx + 0x50]

        $sequence_5 = { 488bd0 48035610 442bf8 443bfd 7e1c 4c8bc5 e8???????? }
            // n = 7, score = 100
            //   488bd0               | inc                 ebp
            //   48035610             | xor                 edi, edi
            //   442bf8               | inc                 ecx
            //   443bfd               | mov                 edi, ecx
            //   7e1c                 | dec                 ecx
            //   4c8bc5               | mov                 esi, eax
            //   e8????????           |                     

        $sequence_6 = { 7408 8b5010 e8???????? 488b0d???????? 4883c108 ff15???????? }
            // n = 6, score = 100
            //   7408                 | inc                 ecx
            //   8b5010               | mov                 ecx, dword ptr [esi + 0x104]
            //   e8????????           |                     
            //   488b0d????????       |                     
            //   4883c108             | mov                 dword ptr [esi + 0x10], ecx
            //   ff15????????         |                     

        $sequence_7 = { 85c0 0f8478010000 0fb7442465 663bc6 7517 }
            // n = 5, score = 100
            //   85c0                 | test                edi, edi
            //   0f8478010000         | dec                 eax
            //   0fb7442465           | mov                 edx, ebx
            //   663bc6               | dec                 eax
            //   7517                 | mov                 ecx, dword ptr [esp + 0x1b0]

        $sequence_8 = { 4c8d4c2450 488bc8 4c8d442458 488d542460 ff15???????? 85c0 7458 }
            // n = 7, score = 100
            //   4c8d4c2450           | dec                 eax
            //   488bc8               | mov                 dword ptr [esp + 0x4770], esi
            //   4c8d442458           | dec                 eax
            //   488d542460           | mov                 ecx, eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7458                 | je                  0x646

        $sequence_9 = { 488d8c2450010000 e8???????? 85c0 740a b865000000 668944242d 4533c0 }
            // n = 7, score = 100
            //   488d8c2450010000     | mov                 dword ptr [esp + 0x38], eax
            //   e8????????           |                     
            //   85c0                 | dec                 eax
            //   740a                 | test                ebx, ebx
            //   b865000000           | dec                 ecx
            //   668944242d           | mov                 esi, edi
            //   4533c0               | je                  0x482

    condition:
        7 of them and filesize < 643072
}
Download all Yara Rules
LOWKEY Propose Change

References

Yara Rules

LOWKEY
