win.nachocheese

NACHOCHEESE

aka: Cyruslish, TWOPENCE, VIVACIOUSGIFT

Actor(s): Lazarus Group


According to FireEye's APT38 report, NACHOCHEESE is a command-line tunneler: it takes a delimited list of C&C IP addresses or domains as a command-line argument and gives the operators shell access to the victim's system. CISA documents the same tool under the name VIVACIOUSGIFT (MAR-10301706-2.v1).

References
2020-08-26 · CISA · CISA
@online{cisa:20200826:mar103017062v1:e64b3ac, author = {CISA}, title = {{MAR-10301706-2.v1 - North Korean Remote Access Tool: VIVACIOUSGIFT}}, date = {2020-08-26}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239b}, language = {English}, urldate = {2020-09-01} } MAR-10301706-2.v1 - North Korean Remote Access Tool: VIVACIOUSGIFT
NACHOCHEESE
2020-02-19 · Lexfo · Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2018 · FireEye · FireEye
@techreport{fireeye:2018:apt38:c81b87d, author = {FireEye}, title = {{APT38}}, date = {2018}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf}, language = {English}, urldate = {2020-01-07} } APT38
CHEESETRAY CLEANTOAD NACHOCHEESE
2017-02-20 · BAE Systems · Sergei Shevchenko
@online{shevchenko:20170220:lazarus:c608fd5, author = {Sergei Shevchenko}, title = {{Lazarus’ False Flag Malware}}, date = {2017-02-20}, organization = {BAE Systems}, url = {https://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html}, language = {English}, urldate = {2019-12-20} } Lazarus’ False Flag Malware
NACHOCHEESE
2017-02-16 · ESET Research · Peter Kálnai
@online{klnai:20170216:demystifying:7ae8785, author = {Peter Kálnai}, title = {{Demystifying targeted malware used against Polish banks}}, date = {2017-02-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/}, language = {English}, urldate = {2019-11-14} } Demystifying targeted malware used against Polish banks
HOTWAX NACHOCHEESE
Yara Rules
[TLP:WHITE] win_nachocheese_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_nachocheese_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nachocheese"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (for analysts deploying this rule)
     * - Each $sequence_N is a run of x86 opcode bytes taken from the sample's
     *   disassembly; the "score" in each pattern's comment differs (300 vs 200)
     *   but is not defined in this rule. Presumably it reflects how many of the
     *   reference samples contained the pattern -- confirm against the
     *   yara-signator documentation before using it to weight hits.
     * - The "??" bytes mask call targets and absolute data references
     *   (tool_config "callsandjumps;datarefs"), so relocation or address
     *   differences between builds do not break those patterns.
     * - Several patterns look like generic compiler- or library-generated
     *   code and are weak discriminators on their own: $sequence_0, _2 and _5
     *   are "mov eax, imm32; ret" stubs, and $sequence_1 and _4 share the same
     *   "cmp ebx, 0x100 / 0x10000; add ebx, N" size-class ladder. The
     *   condition therefore demands 7 hits rather than any single one.
     * - Per the disclaimer above the rule may derive from very few samples;
     *   treat a match as a triage lead to be confirmed, not a verdict.
     */


    strings:
        // Three "return a constant" stubs in a row -- generic; contributes to
        // the 7-of-16 threshold only.
        $sequence_0 = { c3 b813000000 c3 b816000000 c3 }
            // n = 5, score = 300
            //   c3                   | ret                 
            //   b813000000           | mov                 eax, 0x13
            //   c3                   | ret                 
            //   b816000000           | mov                 eax, 0x16
            //   c3                   | ret                 

        // Size-class ladder: bumps ebx by 3 if >= 0x100, by 4 if >= 0x10000.
        // $sequence_4 below is the preceding rung of the same ladder.
        $sequence_1 = { 81fb00010000 7305 83c303 eb1c 81fb00000100 7305 83c304 }
            // n = 7, score = 300
            //   81fb00010000         | cmp                 ebx, 0x100
            //   7305                 | jae                 7
            //   83c303               | add                 ebx, 3
            //   eb1c                 | jmp                 0x1e
            //   81fb00000100         | cmp                 ebx, 0x10000
            //   7305                 | jae                 7
            //   83c304               | add                 ebx, 4

        // Same "mov eax, imm32; ret" stub shape as $sequence_0.
        $sequence_2 = { c3 b817000000 c3 b830000000 c3 b831000000 }
            // n = 6, score = 300
            //   c3                   | ret                 
            //   b817000000           | mov                 eax, 0x17
            //   c3                   | ret                 
            //   b830000000           | mov                 eax, 0x30
            //   c3                   | ret                 
            //   b831000000           | mov                 eax, 0x31

        // Multiplies esi by the constant 0x100101; purpose not visible here.
        $sequence_3 = { 763a b801011000 f7e6 8bc6 }
            // n = 4, score = 300
            //   763a                 | jbe                 0x3c
            //   b801011000           | mov                 eax, 0x100101
            //   f7e6                 | mul                 esi
            //   8bc6                 | mov                 eax, esi

        // Earlier rung of the ladder in $sequence_1 (add ebx, 2 before the
        // 0x100 comparison); overlaps it, so the two are not independent hits.
        $sequence_4 = { 7305 83c302 eb29 81fb00010000 7305 }
            // n = 5, score = 300
            //   7305                 | jae                 7
            //   83c302               | add                 ebx, 2
            //   eb29                 | jmp                 0x2b
            //   81fb00010000         | cmp                 ebx, 0x100
            //   7305                 | jae                 7

        // Same "mov eax, imm32; ret" stub shape as $sequence_0.
        $sequence_5 = { c3 b805000000 c3 b806000000 c3 b80c000000 }
            // n = 6, score = 300
            //   c3                   | ret                 
            //   b805000000           | mov                 eax, 5
            //   c3                   | ret                 
            //   b806000000           | mov                 eax, 6
            //   c3                   | ret                 
            //   b80c000000           | mov                 eax, 0xc

        // Range check on eax around 0x9f, with eax + 0xffff3fd1 (i.e. eax - 0xc02f)
        // tested afterwards; the values being classified are not identifiable
        // from the pattern alone.
        $sequence_6 = { 3d9f000000 7e0d 33c0 c3 05d13fffff 83f801 }
            // n = 6, score = 300
            //   3d9f000000           | cmp                 eax, 0x9f
            //   7e0d                 | jle                 0xf
            //   33c0                 | xor                 eax, eax
            //   c3                   | ret                 
            //   05d13fffff           | add                 eax, 0xffff3fd1
            //   83f801               | cmp                 eax, 1

        // Adjacent comparison chain (0xc02b, 0x9c, 0x9f) -- the lead-in to
        // $sequence_6; the two overlap and will usually hit together.
        $sequence_7 = { 7f18 3d2bc00000 7d1b 3d9c000000 7c07 3d9f000000 7e0d }
            // n = 7, score = 300
            //   7f18                 | jg                  0x1a
            //   3d2bc00000           | cmp                 eax, 0xc02b
            //   7d1b                 | jge                 0x1d
            //   3d9c000000           | cmp                 eax, 0x9c
            //   7c07                 | jl                  9
            //   3d9f000000           | cmp                 eax, 0x9f
            //   7e0d                 | jle                 0xf

        // Four arguments pushed (incl. constant 0x52); the callee is outside
        // the pattern.
        $sequence_8 = { 8b4dfc 6a00 6a52 50 51 }
            // n = 5, score = 200
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   6a00                 | push                0
            //   6a52                 | push                0x52
            //   50                   | push                eax
            //   51                   | push                ecx

        // Reads a global (address wildcarded), then a field at +4, and takes
        // the address of a 0x11b0-byte-deep stack buffer.
        $sequence_9 = { 8b0d???????? 8b5104 52 8d8424b0110000 }
            // n = 4, score = 200
            //   8b0d????????         |                     
            //   8b5104               | mov                 edx, dword ptr [ecx + 4]
            //   52                   | push                edx
            //   8d8424b0110000       | lea                 eax, [esp + 0x11b0]

        // ASCII hex-digit decode: subtracts 0x30 for '0'-'9' or 0x37 for
        // 'A'-'F', shifts the nibble into the high half of al, then loads a
        // byte from [esi] and compares it with '9' (0x39). A hex-string parser
        // is a more specific trait than the stub patterns above.
        $sequence_10 = { 83e830 eb03 83e837 c0e004 8ac8 8a06 3c39 }
            // n = 7, score = 200
            //   83e830               | sub                 eax, 0x30
            //   eb03                 | jmp                 5
            //   83e837               | sub                 eax, 0x37
            //   c0e004               | shl                 al, 4
            //   8ac8                 | mov                 cl, al
            //   8a06                 | mov                 al, byte ptr [esi]
            //   3c39                 | cmp                 al, 0x39

        // Backward conditional jump followed by an import call (target masked).
        $sequence_11 = { 7585 8b7df4 57 ff15???????? }
            // n = 4, score = 200
            //   7585                 | jne                 0xffffff87
            //   8b7df4               | mov                 edi, dword ptr [ebp - 0xc]
            //   57                   | push                edi
            //   ff15????????         |                     

        // Pushes 0x3a (':') and a masked pointer before a call, then uses the
        // result + 1 as an argument to a second call. Possibly a delimiter
        // search, which would fit the "delimited C&C list" description --
        // unconfirmed from the bytes alone.
        $sequence_12 = { 6a3a 68???????? e8???????? 40 50 e8???????? 0fb7c0 }
            // n = 7, score = 200
            //   6a3a                 | push                0x3a
            //   68????????           |                     
            //   e8????????           |                     
            //   40                   | inc                 eax
            //   50                   | push                eax
            //   e8????????           |                     
            //   0fb7c0               | movzx               eax, ax

        // Call with 0x40 bytes of arguments cleaned up by the caller (cdecl).
        $sequence_13 = { 50 e8???????? 83c440 8d4f08 }
            // n = 4, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c440               | add                 esp, 0x40
            //   8d4f08               | lea                 ecx, [edi + 8]

        // Copies three globals (addresses masked) into a local structure at
        // [ebp - 0x108 .. ebp - 0x100] and pushes 0xf0.
        $sequence_14 = { 8b0d???????? 68f0000000 899500ffffff 8985f8feffff a1???????? 898dfcfeffff }
            // n = 6, score = 200
            //   8b0d????????         |                     
            //   68f0000000           | push                0xf0
            //   899500ffffff         | mov                 dword ptr [ebp - 0x100], edx
            //   8985f8feffff         | mov                 dword ptr [ebp - 0x108], eax
            //   a1????????           |                     
            //   898dfcfeffff         | mov                 dword ptr [ebp - 0x104], ecx

        // Null-checks a call result (0x20 bytes of args) and pushes 0xfff.
        $sequence_15 = { e8???????? 8bf0 83c420 32db 85f6 0f84c7000000 68ff0f0000 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83c420               | add                 esp, 0x20
            //   32db                 | xor                 bl, bl
            //   85f6                 | test                esi, esi
            //   0f84c7000000         | je                  0xcd
            //   68ff0f0000           | push                0xfff

    condition:
        // 7 of the 16 patterns must be present. Note that several pairs
        // overlap ($sequence_1/_4, $sequence_6/_7) and three are near-identical
        // stub shapes, so the effective number of independent traits is lower
        // than 16. The filesize cap is 1,064,960 bytes (1040 KiB): a packed,
        // padded or embedded copy above that size will not match at all, and
        // the patterns were drawn from unpacked code / memory dumps (see
        // disclaimer) -- scan unpacked content or process memory for best
        // coverage.
        7 of them and filesize < 1064960
}