win.nachocheese

NACHOCHEESE

aka: Cyruslish, TWOPENCE, VIVACIOUSGIFT

Actor(s): Lazarus Group


According to FireEye, NACHOCHEESE is a command-line tunneler that accepts delimited C&C IPs or domains via the command line and gives actors shell access to a victim's system.

References
2020-08-26 | CISA | CISA
@online{cisa:20200826:mar103017062v1:e64b3ac, author = {CISA}, title = {{MAR-10301706-2.v1 - North Korean Remote Access Tool: VIVACIOUSGIFT}}, date = {2020-08-26}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239b}, language = {English}, urldate = {2020-09-01} } MAR-10301706-2.v1 - North Korean Remote Access Tool: VIVACIOUSGIFT
NACHOCHEESE
2020-02-19 | Lexfo | Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2018 | FireEye | FireEye
@techreport{fireeye:2018:apt38:c81b87d, author = {FireEye}, title = {{APT38}}, date = {2018}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf}, language = {English}, urldate = {2020-01-07} } APT38
CHEESETRAY CLEANTOAD NACHOCHEESE
2017-02-20 | BAE Systems | Sergei Shevchenko
@online{shevchenko:20170220:lazarus:c608fd5, author = {Sergei Shevchenko}, title = {{Lazarus’ False Flag Malware}}, date = {2017-02-20}, organization = {BAE Systems}, url = {https://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html}, language = {English}, urldate = {2019-12-20} } Lazarus’ False Flag Malware
NACHOCHEESE
2017-02-16 | ESET Research | Peter Kálnai
@online{klnai:20170216:demystifying:7ae8785, author = {Peter Kálnai}, title = {{Demystifying targeted malware used against Polish banks}}, date = {2017-02-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/}, language = {English}, urldate = {2019-11-14} } Demystifying targeted malware used against Polish banks
HOTWAX NACHOCHEESE
Yara Rules
[TLP:WHITE] win_nachocheese_auto (20201023 | autogenerated rule brought to you by yara-signator)
/*
 * Auto-generated detection rule for NACHOCHEESE (attributed to Lazarus Group).
 * yara-signator extracted each $sequence_N below as a short run of 32-bit x86
 * instruction bytes from the disassembly of unpacked samples; the rule fires
 * when at least 7 of the 16 sequences occur in a file under the size bound in
 * the condition. Because the sequences come from single documented samples
 * (see the DISCLAIMER below), treat a hit as a triage lead to confirm against
 * the referenced reports rather than as proof of family on its own.
 */
rule win_nachocheese_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nachocheese"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each entry is a hex byte sequence; "??" is a one-byte wildcard. The
        // disassembly listed under each entry leaves the operand blank wherever
        // bytes are wildcarded (e8 call rel32, ff15 call [abs], 68 push imm32,
        // 803d cmp [abs]), i.e. presumably the parts that change between
        // builds and load addresses. "n" is the instruction count of the
        // sequence; "score" is yara-signator's ranking value for it.

        // Pairs with $sequence_11: ebx is compared against 0x100 / 0x10000 /
        // 0x1000000 thresholds while being advanced by 2, 3 or 4 -- this reads
        // like sizing a value by its byte width, but the purpose is not
        // confirmed from these bytes alone.
        $sequence_0 = { 83c302 eb29 81fb00010000 7305 83c303 eb1c }
            // n = 6, score = 300
            //   83c302               | add                 ebx, 2
            //   eb29                 | jmp                 0x2b
            //   81fb00010000         | cmp                 ebx, 0x100
            //   7305                 | jae                 7
            //   83c303               | add                 ebx, 3
            //   eb1c                 | jmp                 0x1e

        $sequence_1 = { 68???????? eb55 8dbc24a0010000 8bce e8???????? 8bcf }
            // n = 6, score = 300
            //   68????????           |                     
            //   eb55                 | jmp                 0x57
            //   8dbc24a0010000       | lea                 edi, [esp + 0x1a0]
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8bcf                 | mov                 ecx, edi

        // Two adjacent "mov eax, imm32; ret" stubs (see also $sequence_9).
        // Such 4-instruction return-a-constant fragments are compiler-generic
        // and contribute little specificity on their own; they carry weight
        // only through the "7 of them" condition.
        $sequence_2 = { b813000000 c3 b816000000 c3 }
            // n = 4, score = 300
            //   b813000000           | mov                 eax, 0x13
            //   c3                   | ret                 
            //   b816000000           | mov                 eax, 0x16
            //   c3                   | ret                 

        $sequence_3 = { 3bfb 0f847f000000 90 8b4704 83f802 }
            // n = 5, score = 300
            //   3bfb                 | cmp                 edi, ebx
            //   0f847f000000         | je                  0x85
            //   90                   | nop                 
            //   8b4704               | mov                 eax, dword ptr [edi + 4]
            //   83f802               | cmp                 eax, 2

        // Multiply by a fixed constant, then subtract the high dword from the
        // input: typical shape of compiler-strength-reduced division or modulo
        // by a constant. The exact divisor is not derivable here -- verify in
        // a sample before relying on it.
        $sequence_4 = { b801011000 f7e6 8bc6 2bc2 }
            // n = 4, score = 300
            //   b801011000           | mov                 eax, 0x100101
            //   f7e6                 | mul                 esi
            //   8bc6                 | mov                 eax, esi
            //   2bc2                 | sub                 eax, edx

        // Range check of eax against the closed interval [0x9c, 0x9f]
        // (156..159); the meaning of that range is not established here.
        $sequence_5 = { 7d1b 3d9c000000 7c07 3d9f000000 }
            // n = 4, score = 300
            //   7d1b                 | jge                 0x1d
            //   3d9c000000           | cmp                 eax, 0x9c
            //   7c07                 | jl                  9
            //   3d9f000000           | cmp                 eax, 0x9f

        // Almost entirely wildcarded (two calls, an import call and a global
        // byte compare); only the opcode skeleton and the final "je" are fixed.
        $sequence_6 = { e8???????? e8???????? ff15???????? 803d????????00 740d }
            // n = 5, score = 300
            //   e8????????           |                     
            //   e8????????           |                     
            //   ff15????????         |                     
            //   803d????????00       |                     
            //   740d                 | je                  0xf

        $sequence_7 = { 48 ba???????? 2bd0 83c2fe 8d4813 894dec }
            // n = 6, score = 300
            //   48                   | dec                 eax
            //   ba????????           |                     
            //   2bd0                 | sub                 edx, eax
            //   83c2fe               | add                 edx, -2
            //   8d4813               | lea                 ecx, [eax + 0x13]
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx

        // Note the backward "ja 0xfffffff5" (-0xb): this is a loop that adds
        // 0xffff3fd1 (i.e. subtracts 0xc02f) and re-tests until eax <= 1.
        $sequence_8 = { 7e0d 33c0 c3 05d13fffff 83f801 77f3 }
            // n = 6, score = 300
            //   7e0d                 | jle                 0xf
            //   33c0                 | xor                 eax, eax
            //   c3                   | ret                 
            //   05d13fffff           | add                 eax, 0xffff3fd1
            //   83f801               | cmp                 eax, 1
            //   77f3                 | ja                  0xfffffff5

        // Same generic "mov eax, imm32; ret" shape as $sequence_2.
        $sequence_9 = { b806000000 c3 b80c000000 c3 }
            // n = 4, score = 300
            //   b806000000           | mov                 eax, 6
            //   c3                   | ret                 
            //   b80c000000           | mov                 eax, 0xc
            //   c3                   | ret                 

        $sequence_10 = { 50 e8???????? 6a0a 6a4e }
            // n = 4, score = 300
            //   50                   | push                eax
            //   e8????????           |                     
            //   6a0a                 | push                0xa
            //   6a4e                 | push                0x4e

        // Continuation of the threshold ladder started in $sequence_0.
        $sequence_11 = { eb1c 81fb00000100 7305 83c304 eb0f 81fb00000001 }
            // n = 6, score = 300
            //   eb1c                 | jmp                 0x1e
            //   81fb00000100         | cmp                 ebx, 0x10000
            //   7305                 | jae                 7
            //   83c304               | add                 ebx, 4
            //   eb0f                 | jmp                 0x11
            //   81fb00000001         | cmp                 ebx, 0x1000000

        // "mov ecx, [ebp-4]; xor ecx, ebp" followed by "or eax, -1" looks like
        // an MSVC stack-cookie (/GS) function epilogue returning -1. Compiler
        // boilerplate of this kind appears in many unrelated binaries, so it
        // is a weak discriminator by itself.
        $sequence_12 = { ff15???????? 56 ff15???????? 8b4dfc 33cd 83c8ff 5e }
            // n = 7, score = 300
            //   ff15????????         |                     
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   33cd                 | xor                 ecx, ebp
            //   83c8ff               | or                  eax, 0xffffffff
            //   5e                   | pop                 esi

        $sequence_13 = { 53 52 8945f0 895dfc 895df8 ff15???????? }
            // n = 6, score = 300
            //   53                   | push                ebx
            //   52                   | push                edx
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   895df8               | mov                 dword ptr [ebp - 8], ebx
            //   ff15????????         |                     

        $sequence_14 = { 750f 668b4df0 66894f02 e8???????? 8bf0 85db 7410 }
            // n = 7, score = 300
            //   750f                 | jne                 0x11
            //   668b4df0             | mov                 cx, word ptr [ebp - 0x10]
            //   66894f02             | mov                 word ptr [edi + 2], cx
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   85db                 | test                ebx, ebx
            //   7410                 | je                  0x12

        // The two dword immediates stored at [ebp-0xc] and [ebp-8] are, read
        // little-endian, the ASCII bytes "cEzQfoPw" -- an 8-byte string built
        // on the stack. This is likely the most sample-specific anchor in the
        // set and the best candidate to corroborate manually in a hit.
        $sequence_15 = { 68???????? 56 c745f463457a51 c745f8666f5077 33db ff15???????? 8a06 }
            // n = 7, score = 300
            //   68????????           |                     
            //   56                   | push                esi
            //   c745f463457a51       | mov                 dword ptr [ebp - 0xc], 0x517a4563
            //   c745f8666f5077       | mov                 dword ptr [ebp - 8], 0x77506f66
            //   33db                 | xor                 ebx, ebx
            //   ff15????????         |                     
            //   8a06                 | mov                 al, byte ptr [esi]

    condition:
        // Any 7 of the 16 sequences, in a file of at most 1,064,960 bytes
        // (1040 KiB). The size cap is presumably derived from the reference
        // samples with a margin; a repacked or padded sample above it will
        // not match even if all sequences are present, and scanning memory
        // dumps (where filesize is the dump size) may also be affected --
        // consider relaxing the bound for those use cases.
        7 of them and filesize < 1064960
}