win.nachocheese

NACHOCHEESE

Actor(s): Lazarus Group


According to FireEye, NACHOCHEESE is a command-line tunneler that accepts delimited C&C IPs or domains via command-line and gives actors shell access to a victim's system.

References
2020-02-19 — Lexfo — Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2018 — FireEye — FireEye
@techreport{fireeye:2018:apt38:c81b87d, author = {FireEye}, title = {{APT38}}, date = {2018}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf}, language = {English}, urldate = {2020-01-07} } APT38
CHEESETRAY CLEANTOAD NACHOCHEESE
2017-02-20 — BAE Systems — Sergei Shevchenko
@online{shevchenko:20170220:lazarus:c608fd5, author = {Sergei Shevchenko}, title = {{Lazarus’ False Flag Malware}}, date = {2017-02-20}, organization = {BAE Systems}, url = {https://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html}, language = {English}, urldate = {2019-12-20} } Lazarus’ False Flag Malware
NACHOCHEESE
2017-02-16 — ESET Research — Peter Kálnai
@online{klnai:20170216:demystifying:7ae8785, author = {Peter Kálnai}, title = {{Demystifying targeted malware used against Polish banks}}, date = {2017-02-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/}, language = {English}, urldate = {2019-11-14} } Demystifying targeted malware used against Polish banks
HOTWAX NACHOCHEESE
Yara Rules
[TLP:WHITE] win_nachocheese_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_nachocheese_auto {

    /* Purpose: detect Windows samples of the NACHOCHEESE family (a Lazarus
     * Group command-line tunneler, per the Malpedia entry) by matching short
     * x86 opcode sequences harvested by yara-signator from reference samples.
     * Nothing in this rule was hand-curated; see the DISCLAIMER block below
     * before assigning it a confidence level in detection pipelines.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // Generation date of the rule text; malpedia_rule_date / malpedia_version
        // below name the (one day older) Malpedia data snapshot it was built from.
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        // Feature classes the generator used to pick sequences (tool-specific).
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nachocheese"
        malpedia_rule_date = "20200529"
        // NOTE(review): presumably identifies the Malpedia data snapshot the rule
        // was derived from, not a sample hash — confirm against Malpedia docs.
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is a hex string of consecutive x86 (32-bit) instruction
     * bytes; the indented comment lines under each one give the per-instruction
     * disassembly. Bytes written as ???????? are YARA nibble wildcards masking
     * a 4-byte operand (rel32 call/jmp targets, absolute data addresses) that
     * differs between builds and relocations, which is why those lines carry
     * no disassembly. "n" is the instruction count of the sequence. "score" is
     * emitted by yara-signator; presumably higher means the sequence occurred
     * in more of the reference samples (confirm against the tool's docs).
     * Sequences 0-15 carry score 300, sequences 16-23 only 100.
     */
    strings:
        $sequence_0 = { 8d8ddcfaffff e8???????? eb0b 8d95f4fdffff e8???????? }
            // n = 5, score = 300
            //   8d8ddcfaffff         | lea                 ecx, [ebp - 0x524]
            //   e8????????           |                     
            //   eb0b                 | jmp                 0xd
            //   8d95f4fdffff         | lea                 edx, [ebp - 0x20c]
            //   e8????????           |                     

        $sequence_1 = { 7d1b 3d9c000000 7c07 3d9f000000 7e0d }
            // n = 5, score = 300
            //   7d1b                 | jge                 0x1d
            //   3d9c000000           | cmp                 eax, 0x9c
            //   7c07                 | jl                  9
            //   3d9f000000           | cmp                 eax, 0x9f
            //   7e0d                 | jle                 0xf

        $sequence_2 = { 7f18 3d2bc00000 7d1b 3d9c000000 }
            // n = 4, score = 300
            //   7f18                 | jg                  0x1a
            //   3d2bc00000           | cmp                 eax, 0xc02b
            //   7d1b                 | jge                 0x1d
            //   3d9c000000           | cmp                 eax, 0x9c

        $sequence_3 = { b801011000 f7e6 8bc6 2bc2 }
            // n = 4, score = 300
            //   b801011000           | mov                 eax, 0x100101
            //   f7e6                 | mul                 esi
            //   8bc6                 | mov                 eax, esi
            //   2bc2                 | sub                 eax, edx

        // Sequences 4, 9 and 14 are runs of "mov eax, <small constant>; ret",
        // i.e. adjacent trivial functions returning distinct constants.
        $sequence_4 = { b805000000 c3 b806000000 c3 b80c000000 }
            // n = 5, score = 300
            //   b805000000           | mov                 eax, 5
            //   c3                   | ret                 
            //   b806000000           | mov                 eax, 6
            //   c3                   | ret                 
            //   b80c000000           | mov                 eax, 0xc

        $sequence_5 = { 85f6 7507 33c0 8945fc eb58 8b0d???????? }
            // n = 6, score = 300
            //   85f6                 | test                esi, esi
            //   7507                 | jne                 9
            //   33c0                 | xor                 eax, eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   eb58                 | jmp                 0x5a
            //   8b0d????????         |                     

        $sequence_6 = { e8???????? 8945f8 8b5dfc 8b7f1c 85ff 7585 }
            // n = 6, score = 300
            //   e8????????           |                     
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b5dfc               | mov                 ebx, dword ptr [ebp - 4]
            //   8b7f1c               | mov                 edi, dword ptr [edi + 0x1c]
            //   85ff                 | test                edi, edi
            //   7585                 | jne                 0xffffff87

        // Sequences 7 and 8 compare ebx against 0x100 / 0x10000 and add 2, 3
        // or 4 — consistent with a value-width selection step, though the
        // enclosing routine is not visible here.
        $sequence_7 = { 7305 83c302 eb29 81fb00010000 7305 }
            // n = 5, score = 300
            //   7305                 | jae                 7
            //   83c302               | add                 ebx, 2
            //   eb29                 | jmp                 0x2b
            //   81fb00010000         | cmp                 ebx, 0x100
            //   7305                 | jae                 7

        $sequence_8 = { 7305 83c303 eb1c 81fb00000100 7305 83c304 }
            // n = 6, score = 300
            //   7305                 | jae                 7
            //   83c303               | add                 ebx, 3
            //   eb1c                 | jmp                 0x1e
            //   81fb00000100         | cmp                 ebx, 0x10000
            //   7305                 | jae                 7
            //   83c304               | add                 ebx, 4

        $sequence_9 = { b80c000000 c3 b813000000 c3 }
            // n = 4, score = 300
            //   b80c000000           | mov                 eax, 0xc
            //   c3                   | ret                 
            //   b813000000           | mov                 eax, 0x13
            //   c3                   | ret                 

        $sequence_10 = { 8955f4 8d4900 8a0c3e 8b45ec c745f004000000 8d4900 020c03 }
            // n = 7, score = 300
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx
            //   8d4900               | lea                 ecx, [ecx]
            //   8a0c3e               | mov                 cl, byte ptr [esi + edi]
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   c745f004000000       | mov                 dword ptr [ebp - 0x10], 4
            //   8d4900               | lea                 ecx, [ecx]
            //   020c03               | add                 cl, byte ptr [ebx + eax]

        $sequence_11 = { 83c2fc 894df8 8955f4 8d4900 }
            // n = 4, score = 300
            //   83c2fc               | add                 edx, -4
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx
            //   8d4900               | lea                 ecx, [ecx]

        $sequence_12 = { 6a3d 56 e8???????? 50 e8???????? 8d8f0e010000 }
            // n = 6, score = 300
            //   6a3d                 | push                0x3d
            //   56                   | push                esi
            //   e8????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d8f0e010000         | lea                 ecx, [edi + 0x10e]

        // rol ax, 8 followed by movzx is a 16-bit byte swap (host/network
        // order conversion is a common reason, but not established here).
        $sequence_13 = { 66c1c008 53 0fb7c0 53 52 8945f0 895dfc }
            // n = 7, score = 300
            //   66c1c008             | rol                 ax, 8
            //   53                   | push                ebx
            //   0fb7c0               | movzx               eax, ax
            //   53                   | push                ebx
            //   52                   | push                edx
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx

        $sequence_14 = { c3 b816000000 c3 b817000000 c3 b830000000 c3 }
            // n = 7, score = 300
            //   c3                   | ret                 
            //   b816000000           | mov                 eax, 0x16
            //   c3                   | ret                 
            //   b817000000           | mov                 eax, 0x17
            //   c3                   | ret                 
            //   b830000000           | mov                 eax, 0x30
            //   c3                   | ret                 

        $sequence_15 = { e8???????? 83c408 85c0 7411 8bc6 }
            // n = 5, score = 300
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   7411                 | je                  0x13
            //   8bc6                 | mov                 eax, esi

        // NOTE(review): the remaining score-100 sequences (16-23) consist mostly
        // of arithmetic on large immediates, register shuffles, "mov esp, [esp]"
        // and implausibly large [ebp + ...] displacements rather than recognisable
        // program logic. They may originate from a packed or obfuscated layer that
        // is present in only a subset of samples — unverified here. A hit that
        // rests mainly on these is weaker evidence than one on sequences 0-15.
        $sequence_16 = { 5e 83e8ff 2d8705f57f 2dce183d2f 81c6184eb964 e9???????? }
            // n = 6, score = 100
            //   5e                   | pop                 esi
            //   83e8ff               | sub                 eax, -1
            //   2d8705f57f           | sub                 eax, 0x7ff50587
            //   2dce183d2f           | sub                 eax, 0x2f3d18ce
            //   81c6184eb964         | add                 esi, 0x64b94e18
            //   e9????????           |                     

        $sequence_17 = { bf5830f679 e9???????? ba7e50be36 e9???????? 58 }
            // n = 5, score = 100
            //   bf5830f679           | mov                 edi, 0x79f63058
            //   e9????????           |                     
            //   ba7e50be36           | mov                 edx, 0x36be507e
            //   e9????????           |                     
            //   58                   | pop                 eax

        $sequence_18 = { 30e3 58 e9???????? 83c104 }
            // n = 4, score = 100
            //   30e3                 | xor                 bl, ah
            //   58                   | pop                 eax
            //   e9????????           |                     
            //   83c104               | add                 ecx, 4

        $sequence_19 = { 81eb00000080 0d40000000 81e340000000 81c713000000 01f3 81ea80000000 8137377e4e4c }
            // n = 7, score = 100
            //   81eb00000080         | sub                 ebx, 0x80000000
            //   0d40000000           | or                  eax, 0x40
            //   81e340000000         | and                 ebx, 0x40
            //   81c713000000         | add                 edi, 0x13
            //   01f3                 | add                 ebx, esi
            //   81ea80000000         | sub                 edx, 0x80
            //   8137377e4e4c         | xor                 dword ptr [edi], 0x4c4e7e37

        $sequence_20 = { 81f600000080 81ce00080000 6681ea46e6 be01000000 be00020000 81c61c000000 }
            // n = 6, score = 100
            //   81f600000080         | xor                 esi, 0x80000000
            //   81ce00080000         | or                  esi, 0x800
            //   6681ea46e6           | sub                 dx, 0xe646
            //   be01000000           | mov                 esi, 1
            //   be00020000           | mov                 esi, 0x200
            //   81c61c000000         | add                 esi, 0x1c

        $sequence_21 = { 8b2424 e9???????? 83c404 31ce 59 e9???????? }
            // n = 6, score = 100
            //   8b2424               | mov                 esp, dword ptr [esp]
            //   e9????????           |                     
            //   83c404               | add                 esp, 4
            //   31ce                 | xor                 esi, ecx
            //   59                   | pop                 ecx
            //   e9????????           |                     

        $sequence_22 = { 81c640000000 81c729000000 89c2 81f200000080 0fb73f 6681f7ae88 }
            // n = 6, score = 100
            //   81c640000000         | add                 esi, 0x40
            //   81c729000000         | add                 edi, 0x29
            //   89c2                 | mov                 edx, eax
            //   81f200000080         | xor                 edx, 0x80000000
            //   0fb73f               | movzx               edi, word ptr [edi]
            //   6681f7ae88           | xor                 di, 0x88ae

        $sequence_23 = { 83bd872b760c00 0f84ef2b0000 83bd732b760c02 0f840d000000 83bd832d760c01 }
            // n = 5, score = 100
            //   83bd872b760c00       | cmp                 dword ptr [ebp + 0xc762b87], 0
            //   0f84ef2b0000         | je                  0x2bf5
            //   83bd732b760c02       | cmp                 dword ptr [ebp + 0xc762b73], 2
            //   0f840d000000         | je                  0x13
            //   83bd832d760c01       | cmp                 dword ptr [ebp + 0xc762d83], 1

    /* Match requires any 7 of the 24 $sequence_* strings AND a scanned object
     * smaller than 8626176 bytes (about 8.2 MiB). The size bound is derived
     * from the reference set, so a sample repacked or padded above it will not
     * match even if every sequence is present; the 7-of-24 threshold does not
     * distinguish between score-300 and score-100 sequences, so review which
     * strings fired when triaging a hit.
     */
    condition:
        7 of them and filesize < 8626176
}