SYMBOLCOMMON_NAMEaka. SYNONYMS
win.lowkey (Back to overview)

LOWKEY

aka: PortReuse

Actor(s): APT41

There is no description at this point.

References
2022-03-08MandiantRufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram
@online{brown:20220308:does:94c6c3e, author = {Rufus Brown and Van Ta and Douglas Bienstock and Geoff Ackerman and John Wolfram}, title = {{Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments}}, date = {2022-03-08}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/apt41-us-state-governments}, language = {English}, urldate = {2022-03-10} } Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments
KEYPLUG Cobalt Strike LOWKEY
2019-10-21ESET ResearchMathieu Tartare
@online{tartare:20191021:winnti:eb2c722, author = {Mathieu Tartare}, title = {{Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor}}, date = {2019-10-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/}, language = {English}, urldate = {2019-11-14} } Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor
LOWKEY skip-2.0
2019-10-15FireEyeTobias Krueger
@online{krueger:20191015:lowkey:aab2f5e, author = {Tobias Krueger}, title = {{LOWKEY: Hunting for the Missing Volume Serial ID}}, date = {2019-10-15}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html}, language = {English}, urldate = {2019-12-10} } LOWKEY: Hunting for the Missing Volume Serial ID
LOWKEY poisonplug
2019-10-07ESET ResearchMarc-Etienne M.Léveillé, Mathieu Tartare
@techreport{mlveill:20191007:connecting:e59d4c8, author = {Marc-Etienne M.Léveillé and Mathieu Tartare}, title = {{CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group}}, date = {2019-10-07}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf}, language = {English}, urldate = {2020-01-10} } CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group
LOWKEY shadowhammer ShadowPad
Yara Rules
[TLP:WHITE] win_lowkey_auto (20230715 | Detects win.lowkey.)
rule win_lowkey_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.lowkey."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lowkey"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff5020 66837c247001 488d05bb0e0200 448b4dd8 488d5500 480f45442478 488d4d30 }
            // n = 7, score = 100
            //   ff5020               | dec                 esp
            //   66837c247001         | lea                 eax, [0xfffffdce]
            //   488d05bb0e0200       | xor                 edx, edx
            //   448b4dd8             | xor                 ecx, ecx
            //   488d5500             | mov                 dword ptr [esp + 0x50], edi
            //   480f45442478         | inc                 ecx
            //   488d4d30             | mov                 eax, 0x2000

        $sequence_1 = { 488d5510 40887c0510 897c2458 48897c2420 ff15???????? 85c0 }
            // n = 6, score = 100
            //   488d5510             | mov                 dword ptr [esp + 0x20], ebx
            //   40887c0510           | dec                 eax
            //   897c2458             | mov                 eax, dword ptr [ecx]
            //   48897c2420           | call                dword ptr [eax + 0x20]
            //   ff15????????         |                     
            //   85c0                 | cmp                 word ptr [esp + 0x70], 1

        $sequence_2 = { 3939 0f85b3040000 4c89ac24a8470000 458d6e66 660f1f440000 41b910000000 }
            // n = 6, score = 100
            //   3939                 | inc                 cx
            //   0f85b3040000         | cmp                 eax, esi
            //   4c89ac24a8470000     | test                eax, eax
            //   458d6e66             | je                  0x1b4b
            //   660f1f440000         | mov                 eax, dword ptr [esp + 0x34]
            //   41b910000000         | test                eax, eax

        $sequence_3 = { 488d057c4a0100 48c74424580e000000 4889442450 488d4c2470 4883c8ff 48ffc0 66391c41 }
            // n = 7, score = 100
            //   488d057c4a0100       | mov                 dword ptr [esp + 0x20], ebp
            //   48c74424580e000000     | dec    eax
            //   4889442450           | mov                 edx, edi
            //   488d4c2470           | test                eax, eax
            //   4883c8ff             | jne                 0x511
            //   48ffc0               | xor                 eax, eax
            //   66391c41             | inc                 esp

        $sequence_4 = { 668945ad 488d55a8 e8???????? 85c0 0f95c3 8bc3 488b8d30400000 }
            // n = 7, score = 100
            //   668945ad             | inc                 esp
            //   488d55a8             | mov                 dword ptr [esp + 0x48], esp
            //   e8????????           |                     
            //   85c0                 | dec                 eax
            //   0f95c3               | mov                 eax, dword ptr [ecx]
            //   8bc3                 | dec                 eax
            //   488b8d30400000       | lea                 edx, [0x3f379]

        $sequence_5 = { 4833cc e8???????? 4c8d9c24a0210000 498b5b20 498b7330 }
            // n = 5, score = 100
            //   4833cc               | dec                 eax
            //   e8????????           |                     
            //   4c8d9c24a0210000     | mov                 dword ptr [esp + 0x60], eax
            //   498b5b20             | xor                 edx, edx
            //   498b7330             | dec                 eax

        $sequence_6 = { 3c09 7769 48ffc1 488d040a 493bc0 7ce7 488bcb }
            // n = 7, score = 100
            //   3c09                 | je                  0x372
            //   7769                 | dec                 eax
            //   48ffc1               | mov                 eax, dword ptr [ecx]
            //   488d040a             | dec                 eax
            //   493bc0               | test                eax, eax
            //   7ce7                 | jne                 0x383
            //   488bcb               | dec                 esp

        $sequence_7 = { 4883c420 5d c3 488b8a50000000 4883c128 e9???????? }
            // n = 6, score = 100
            //   4883c420             | dec                 eax
            //   5d                   | lea                 ebx, [0x32f38]
            //   c3                   | jmp                 0x1c5f
            //   488b8a50000000       | dec                 eax
            //   4883c128             | lea                 ebx, [0x32f3f]
            //   e9????????           |                     

        $sequence_8 = { 4533c9 4889742428 4533c0 33d2 89742430 488b4f10 4889442420 }
            // n = 7, score = 100
            //   4533c9               | dec                 eax
            //   4889742428           | test                eax, eax
            //   4533c0               | je                  0x14e
            //   33d2                 | dec                 eax
            //   89742430             | cmp                 eax, ecx
            //   488b4f10             | jne                 0x14e
            //   4889442420           | test                edx, edx

        $sequence_9 = { c6435401 488d0d4f1e0100 480f45cf 48894b48 e8???????? eb17 4885ff }
            // n = 7, score = 100
            //   c6435401             | jne                 0x23b
            //   488d0d4f1e0100       | je                  0x233
            //   480f45cf             | dec                 eax
            //   48894b48             | lea                 ecx, [0x147ac]
            //   e8????????           |                     
            //   eb17                 | test                eax, eax
            //   4885ff               | je                  0x22e

    condition:
        7 of them and filesize < 643072
}
Download all Yara Rules