win.nachocheese

NACHOCHEESE

aka: Cyruslish, TWOPENCE, VIVACIOUSGIFT

Actor(s): Lazarus Group


According to FireEye, NACHOCHEESE is a command-line tunneler: it takes a delimited list of C&C IP addresses or domains as command-line arguments and gives the operators shell access to the victim system.

References

2020-08-26 | CISA | CISA
@online{cisa:20200826:mar103017062v1:e64b3ac, author = {CISA}, title = {{MAR-10301706-2.v1 - North Korean Remote Access Tool: VIVACIOUSGIFT}}, date = {2020-08-26}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239b}, language = {English}, urldate = {2020-09-01} }
Families: NACHOCHEESE

2020-02-19 | Lexfo | Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} }
Families: FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor

2018-10-03 | Virus Bulletin | Peter Kálnai, Michal Poslušný
@techreport{klnai:20181003:lazarus:bebf0ad, author = {Peter Kálnai and Michal Poslušný}, title = {{Lazarus Group A Mahjong Game Played with Different Sets of Tiles}}, date = {2018-10-03}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf}, language = {English}, urldate = {2023-08-31} }
Families: Bankshot BanPolMex RAT FuwuqiDrama HOTWAX KillDisk (Lazarus) NACHOCHEESE REDSHAWL WannaCryptor

2018 | FireEye | FireEye
@techreport{fireeye:2018:apt38:c81b87d, author = {FireEye}, title = {{APT38}}, date = {2018}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf}, language = {English}, urldate = {2020-01-07} }
Families: CHEESETRAY CLEANTOAD NACHOCHEESE

2017-05-30 | Group-IB | Group-IB
@techreport{groupib:20170530:lazarus:642e890, author = {Group-IB}, title = {{Lazarus Arisen: Architecture, Techniques and Attribution}}, date = {2017-05-30}, institution = {Group-IB}, url = {https://raw.githubusercontent.com/eric-erki/APT_CyberCriminal_Campagin_Collections/master/2017/2017.05.30.Lazarus_Arisen/Group-IB_Lazarus.pdf}, language = {English}, urldate = {2023-08-10} }
Families: HOTWAX NACHOCHEESE Ratankba

2017-02-20 | BAE Systems | Sergei Shevchenko
@online{shevchenko:20170220:lazarus:c608fd5, author = {Sergei Shevchenko}, title = {{Lazarus’ False Flag Malware}}, date = {2017-02-20}, organization = {BAE Systems}, url = {https://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html}, language = {English}, urldate = {2023-08-15} }
Families: HOTWAX NACHOCHEESE

2017-02-16 | ESET Research | Peter Kálnai
@online{klnai:20170216:demystifying:7ae8785, author = {Peter Kálnai}, title = {{Demystifying targeted malware used against Polish banks}}, date = {2017-02-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/}, language = {English}, urldate = {2019-11-14} }
Families: BanPolMex RAT HOTWAX NACHOCHEESE
Yara Rules
[TLP:WHITE] win_nachocheese_auto (20230715 | Detects win.nachocheese.)
rule win_nachocheese_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.nachocheese."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nachocheese"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d95e4fdffff 52 8d0c00 56 }
            // n = 4, score = 300
            //   8d95e4fdffff         | lea                 edx, [ebp - 0x21c]
            //   52                   | push                edx
            //   8d0c00               | lea                 ecx, [eax + eax]
            //   56                   | push                esi

        $sequence_1 = { 2d???????? 50 68???????? 8d8df8feffff 6804010000 }
            // n = 5, score = 300
            //   2d????????           |                     
            //   50                   | push                eax
            //   68????????           |                     
            //   8d8df8feffff         | lea                 ecx, [ebp - 0x108]
            //   6804010000           | push                0x104

        $sequence_2 = { 2bfa 8d47fd 3901 8901 }
            // n = 4, score = 300
            //   2bfa                 | sub                 edi, edx
            //   8d47fd               | lea                 eax, [edi - 3]
            //   3901                 | cmp                 dword ptr [ecx], eax
            //   8901                 | mov                 dword ptr [ecx], eax

        $sequence_3 = { 3d9f000000 7e0d 33c0 c3 05d13fffff 83f801 77f3 }
            // n = 7, score = 300
            //   3d9f000000           | cmp                 eax, 0x9f
            //   7e0d                 | jle                 0xf
            //   33c0                 | xor                 eax, eax
            //   c3                   | ret                 
            //   05d13fffff           | add                 eax, 0xffff3fd1
            //   83f801               | cmp                 eax, 1
            //   77f3                 | ja                  0xfffffff5

        $sequence_4 = { 52 ff15???????? 83f801 754b 8b450c 8b4dfc 6a00 }
            // n = 7, score = 300
            //   52                   | push                edx
            //   ff15????????         |                     
            //   83f801               | cmp                 eax, 1
            //   754b                 | jne                 0x4d
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   6a00                 | push                0

        $sequence_5 = { 3d2cc00000 7f18 3d2bc00000 7d1b 3d9c000000 7c07 3d9f000000 }
            // n = 7, score = 300
            //   3d2cc00000           | cmp                 eax, 0xc02c
            //   7f18                 | jg                  0x1a
            //   3d2bc00000           | cmp                 eax, 0xc02b
            //   7d1b                 | jge                 0x1d
            //   3d9c000000           | cmp                 eax, 0x9c
            //   7c07                 | jl                  9
            //   3d9f000000           | cmp                 eax, 0x9f

        $sequence_6 = { 57 8b7df4 3bfb 0f847f000000 90 8b4704 83f802 }
            // n = 7, score = 300
            //   57                   | push                edi
            //   8b7df4               | mov                 edi, dword ptr [ebp - 0xc]
            //   3bfb                 | cmp                 edi, ebx
            //   0f847f000000         | je                  0x85
            //   90                   | nop                 
            //   8b4704               | mov                 eax, dword ptr [edi + 4]
            //   83f802               | cmp                 eax, 2

        $sequence_7 = { 33c0 8945fc eb58 8b0d???????? 8d4604 50 6a00 }
            // n = 7, score = 300
            //   33c0                 | xor                 eax, eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   eb58                 | jmp                 0x5a
            //   8b0d????????         |                     
            //   8d4604               | lea                 eax, [esi + 4]
            //   50                   | push                eax
            //   6a00                 | push                0

        $sequence_8 = { 68???????? 8d8de4faffff 6804010000 51 0fb7f0 e8???????? b8???????? }
            // n = 7, score = 300
            //   68????????           |                     
            //   8d8de4faffff         | lea                 ecx, [ebp - 0x51c]
            //   6804010000           | push                0x104
            //   51                   | push                ecx
            //   0fb7f0               | movzx               esi, ax
            //   e8????????           |                     
            //   b8????????           |                     

        $sequence_9 = { 81fb80000000 7305 83c302 eb29 }
            // n = 4, score = 300
            //   81fb80000000         | cmp                 ebx, 0x80
            //   7305                 | jae                 7
            //   83c302               | add                 ebx, 2
            //   eb29                 | jmp                 0x2b

        $sequence_10 = { 7305 83c303 eb1c 81fb00000100 }
            // n = 4, score = 300
            //   7305                 | jae                 7
            //   83c303               | add                 ebx, 3
            //   eb1c                 | jmp                 0x1e
            //   81fb00000100         | cmp                 ebx, 0x10000

        $sequence_11 = { 02ca 8b55fc 880c3e 8a540205 32d1 }
            // n = 5, score = 300
            //   02ca                 | add                 cl, dl
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   880c3e               | mov                 byte ptr [esi + edi], cl
            //   8a540205             | mov                 dl, byte ptr [edx + eax + 5]
            //   32d1                 | xor                 dl, cl

        $sequence_12 = { ba???????? 2bd0 83c2fe 8d4813 894dec }
            // n = 5, score = 300
            //   ba????????           |                     
            //   2bd0                 | sub                 edx, eax
            //   83c2fe               | add                 edx, -2
            //   8d4813               | lea                 ecx, [eax + 0x13]
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx

        $sequence_13 = { 33c8 894710 8b4708 33c1 }
            // n = 4, score = 300
            //   33c8                 | xor                 ecx, eax
            //   894710               | mov                 dword ptr [edi + 0x10], eax
            //   8b4708               | mov                 eax, dword ptr [edi + 8]
            //   33c1                 | xor                 eax, ecx

        $sequence_14 = { 7305 83c304 eb0f 81fb00000001 }
            // n = 4, score = 300
            //   7305                 | jae                 7
            //   83c304               | add                 ebx, 4
            //   eb0f                 | jmp                 0x11
            //   81fb00000001         | cmp                 ebx, 0x1000000

        $sequence_15 = { 763a b801011000 f7e6 8bc6 }
            // n = 4, score = 300
            //   763a                 | jbe                 0x3c
            //   b801011000           | mov                 eax, 0x100101
            //   f7e6                 | mul                 esi
            //   8bc6                 | mov                 eax, esi

    condition:
        7 of them and filesize < 1064960
}
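The rule above is a plain "N of M code sequences" signature: each $sequence_N is a short run of instruction bytes with `??` wildcards where the compiler emitted addresses, and the condition fires when at least 7 of the 16 sequences are present in a file smaller than 1,064,960 bytes. The following added example (not Malpedia's or yara-signator's tooling) evaluates that condition without a YARA install: it copies the sixteen hex strings from the rule, compiles each one to a byte regex, and runs the `7 of them and filesize < 1064960` check over two constructed byte blobs. The blobs are synthetic test data, not NACHOCHEESE samples; the first embeds eight of the sequences between junk bytes, the second only three. The wildcard filler value 0x90 is an arbitrary choice.

```python
import re

# Hex byte-pattern strings copied from the win_nachocheese_auto rule on this page.
# Each entry is one $sequence_N string; "??" is a YARA single-byte wildcard.
NACHOCHEESE_SEQUENCES = {
    "sequence_0": "8d95e4fdffff 52 8d0c00 56",
    "sequence_1": "2d???????? 50 68???????? 8d8df8feffff 6804010000",
    "sequence_2": "2bfa 8d47fd 3901 8901",
    "sequence_3": "3d9f000000 7e0d 33c0 c3 05d13fffff 83f801 77f3",
    "sequence_4": "52 ff15???????? 83f801 754b 8b450c 8b4dfc 6a00",
    "sequence_5": "3d2cc00000 7f18 3d2bc00000 7d1b 3d9c000000 7c07 3d9f000000",
    "sequence_6": "57 8b7df4 3bfb 0f847f000000 90 8b4704 83f802",
    "sequence_7": "33c0 8945fc eb58 8b0d???????? 8d4604 50 6a00",
    "sequence_8": "68???????? 8d8de4faffff 6804010000 51 0fb7f0 e8???????? b8????????",
    "sequence_9": "81fb80000000 7305 83c302 eb29",
    "sequence_10": "7305 83c303 eb1c 81fb00000100",
    "sequence_11": "02ca 8b55fc 880c3e 8a540205 32d1",
    "sequence_12": "ba???????? 2bd0 83c2fe 8d4813 894dec",
    "sequence_13": "33c8 894710 8b4708 33c1",
    "sequence_14": "7305 83c304 eb0f 81fb00000001",
    "sequence_15": "763a b801011000 f7e6 8bc6",
}

# Values taken from the rule's condition: `7 of them and filesize < 1064960`.
MIN_MATCHES = 7
MAX_FILESIZE = 1064960


def hex_pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Translate a YARA hex string (hex byte pairs, '??' wildcards) into a bytes regex."""
    hexstr = pattern.replace(" ", "")
    if len(hexstr) % 2:
        raise ValueError("odd number of nibbles in %r" % pattern)
    parts = []
    for i in range(0, len(hexstr), 2):
        tok = hexstr[i:i + 2]
        # A wildcard byte becomes '.', everything else is a literal, escaped byte.
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_pattern_to_regex(p) for name, p in NACHOCHEESE_SEQUENCES.items()}


def matching_sequences(data: bytes) -> list:
    """Names of the rule's sequences found anywhere in `data` (rule order)."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule condition: at least 7 sequences present and filesize below the cap."""
    return len(data) < MAX_FILESIZE and len(matching_sequences(data)) >= MIN_MATCHES


def pattern_bytes(pattern: str, fill: int = 0x90) -> bytes:
    """Concrete bytes for a pattern, with each '??' wildcard replaced by `fill` (test data only)."""
    hexstr = pattern.replace(" ", "")
    return bytes(fill if hexstr[i:i + 2] == "??" else int(hexstr[i:i + 2], 16)
                 for i in range(0, len(hexstr), 2))


def build_blob(names) -> bytes:
    """Constructed test buffer: the named sequences separated by junk bytes. Not a real sample."""
    junk = b"\x00\xcc" * 8
    return junk + junk.join(pattern_bytes(NACHOCHEESE_SEQUENCES[n]) for n in names) + junk


# Constructed inputs: eight sequences (enough to trip the rule) versus three (not enough).
HIT_BLOB = build_blob(["sequence_%d" % i for i in range(8)])
MISS_BLOB = build_blob(["sequence_0", "sequence_2", "sequence_9"])

if __name__ == "__main__":
    for label, blob in (("hit", HIT_BLOB), ("miss", MISS_BLOB)):
        print(label, len(blob), "bytes,", matching_sequences(blob), "->", rule_matches(blob))
    # The same eight sequences in an oversized buffer fail the filesize clause.
    print("oversized", rule_matches(HIT_BLOB + b"\x00" * MAX_FILESIZE))
```

Two points this makes visible that the rule text alone does not. First, the `filesize < 1064960` clause means the sequences may all be present yet the rule stays silent on a padded or appended file, so use the rule on unpacked binaries or memory dumps (as the rule's own disclaimer notes) rather than on carrier files. Second, the matcher here handles only the hex-string features this rule uses (fixed bytes and single-byte wildcards); real YARA also supports jumps and alternatives, so it is a way to reason about this rule, not a replacement for running yara on your data.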