win.navrat

NavRAT

aka: JinhoSpy

Actor(s): APT37


There is no description at this point.

References
2021-05-07 · TEAMT5 · Jhih-Lin Kuo, Zih-Cing Liao
@techreport{kuo:20210507:we:cd620c1, author = {Jhih-Lin Kuo and Zih-Cing Liao}, title = {{"We Are About to Land": How CloudDragon Turns a Nightmare Into Reality}}, date = {2021-05-07}, institution = {TEAMT5}, url = {https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf}, language = {English}, urldate = {2021-09-14} } "We Are About to Land": How CloudDragon Turns a Nightmare Into Reality
FlowerPower Appleseed BabyShark GoldDragon NavRAT
2020-02-19 · Lexfo · Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2019-02-25 · One Night in Norfolk · Kevin Perlow
@online{perlow:20190225:how:d4a68d6, author = {Kevin Perlow}, title = {{How To: Analyzing a Malicious Hangul Word Processor Document from a DPRK Threat Actor Group}}, date = {2019-02-25}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/how-to-analyzing-a-malicious-hangul-word-processor-document-from-a-dprk-threat-actor-group/}, language = {English}, urldate = {2020-05-19} } How To: Analyzing a Malicious Hangul Word Processor Document from a DPRK Threat Actor Group
NavRAT
2018-05-31 · Cisco Talos · Warren Mercer, Paul Rascagnères, Jungsoo An
@online{mercer:20180531:navrat:bf68765, author = {Warren Mercer and Paul Rascagnères and Jungsoo An}, title = {{NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea}}, date = {2018-05-31}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/05/navrat.html?m=1}, language = {English}, urldate = {2020-01-08} } NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea
NavRAT
Yara Rules
[TLP:WHITE] win_navrat_auto (20220411 | Detects win.navrat.)
rule win_navrat_auto {
    // Auto-generated (yara-signator) code-sequence signature for the NavRAT
    // family as catalogued by Malpedia. Every string below is a run of raw
    // 32-bit x86 instruction bytes; the "//" lines under each string are the
    // generator's own disassembly of that byte run and are not part of the
    // pattern.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.navrat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.navrat"
        malpedia_rule_date = "20220405"
        // NOTE(review): malpedia_hash is presumably a Malpedia dataset /
        // revision identifier rather than a sample hash -- confirm before
        // treating it as an indicator.
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): $sequence_0, $sequence_1, $sequence_4, $sequence_5 and
     * $sequence_7 are overlapping windows over one run of
     * `mov dword ptr [ebp - N], imm32` stores. Reading the immediates as
     * little-endian ASCII gives "Soft", "ware", "\Mic", "roso", "ft\W",
     * "indo", "ws\C", "urre", "ntVe", "rsio" -- a stack-built
     * "Software\Microsoft\Windows\CurrentVersio..." path prefix. These five
     * strings therefore match or fail together, so a single such function
     * already supplies 5 of the 7 hits the condition requires; stack-built
     * copies of this common path are presumably not unique to this family
     * (false-positive risk -- verify against a clean corpus before raising
     * confidence). $sequence_3 and $sequence_9 likewise share three of
     * their four instructions. In practice "7 of them" is closer to
     * "two or three independent code regions".
     */

    strings:
        // Tail of the stack-string build ("ware", "\Mic", "roso", "ft\W").
        $sequence_0 = { c745d477617265 c745d85c4d6963 c745dc726f736f c745e066745c57 }
            // n = 4, score = 300
            //   c745d477617265       | mov                 dword ptr [ebp - 0x2c], 0x65726177
            //   c745d85c4d6963       | mov                 dword ptr [ebp - 0x28], 0x63694d5c
            //   c745dc726f736f       | mov                 dword ptr [ebp - 0x24], 0x6f736f72
            //   c745e066745c57       | mov                 dword ptr [ebp - 0x20], 0x575c7466

        // Superset of $sequence_0 (adds the leading "Soft" store); any hit on
        // this string is also a hit on $sequence_0.
        $sequence_1 = { c745d0536f6674 c745d477617265 c745d85c4d6963 c745dc726f736f c745e066745c57 }
            // n = 5, score = 300
            //   c745d0536f6674       | mov                 dword ptr [ebp - 0x30], 0x74666f53
            //   c745d477617265       | mov                 dword ptr [ebp - 0x2c], 0x65726177
            //   c745d85c4d6963       | mov                 dword ptr [ebp - 0x28], 0x63694d5c
            //   c745dc726f736f       | mov                 dword ptr [ebp - 0x24], 0x6f736f72
            //   c745e066745c57       | mov                 dword ptr [ebp - 0x20], 0x575c7466

        // Small character-classification fragment (compare against 9 and '+',
        // 0x2b); independent of the stack-string sequences.
        $sequence_2 = { 80f909 7707 0fbec0 83c004 c3 3c2b 7503 }
            // n = 7, score = 300
            //   80f909               | cmp                 cl, 9
            //   7707                 | ja                  9
            //   0fbec0               | movsx               eax, al
            //   83c004               | add                 eax, 4
            //   c3                   | ret                 
            //   3c2b                 | cmp                 al, 0x2b
            //   7503                 | jne                 5

        // Shares its first three instructions with $sequence_9.
        $sequence_3 = { 8b7608 83461c02 5f 5e }
            // n = 4, score = 300
            //   8b7608               | mov                 esi, dword ptr [esi + 8]
            //   83461c02             | add                 dword ptr [esi + 0x1c], 2
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        // Continuation of the stack-string build ("indo", "ws\C", "urre",
        // "ntVe", "rsio"); fully contained in $sequence_7.
        $sequence_4 = { c745e4696e646f c745e877735c43 c745ec75727265 c745f06e745665 c745f47273696f }
            // n = 5, score = 300
            //   c745e4696e646f       | mov                 dword ptr [ebp - 0x1c], 0x6f646e69
            //   c745e877735c43       | mov                 dword ptr [ebp - 0x18], 0x435c7377
            //   c745ec75727265       | mov                 dword ptr [ebp - 0x14], 0x65727275
            //   c745f06e745665       | mov                 dword ptr [ebp - 0x10], 0x6556746e
            //   c745f47273696f       | mov                 dword ptr [ebp - 0xc], 0x6f697372

        // Middle window of the same stack-string build; overlaps $sequence_0,
        // $sequence_1, $sequence_4 and $sequence_7.
        $sequence_5 = { c745d85c4d6963 c745dc726f736f c745e066745c57 c745e4696e646f c745e877735c43 c745ec75727265 c745f06e745665 }
            // n = 7, score = 300
            //   c745d85c4d6963       | mov                 dword ptr [ebp - 0x28], 0x63694d5c
            //   c745dc726f736f       | mov                 dword ptr [ebp - 0x24], 0x6f736f72
            //   c745e066745c57       | mov                 dword ptr [ebp - 0x20], 0x575c7466
            //   c745e4696e646f       | mov                 dword ptr [ebp - 0x1c], 0x6f646e69
            //   c745e877735c43       | mov                 dword ptr [ebp - 0x18], 0x435c7377
            //   c745ec75727265       | mov                 dword ptr [ebp - 0x14], 0x65727275
            //   c745f06e745665       | mov                 dword ptr [ebp - 0x10], 0x6556746e

        // The 68 ???????? / e8 ???????? bytes are a push-imm32 and a call-rel32
        // whose 32-bit operands the generator wildcarded; only the
        // sbb/neg/push prefix is fixed, so this string is comparatively weak.
        $sequence_6 = { 1bf6 f7de 56 68???????? e8???????? }
            // n = 5, score = 300
            //   1bf6                 | sbb                 esi, esi
            //   f7de                 | neg                 esi
            //   56                   | push                esi
            //   68????????           |                     
            //   e8????????           |                     

        // Largest window of the stack-string build; contains $sequence_4 and
        // overlaps $sequence_0, $sequence_1 and $sequence_5.
        $sequence_7 = { c745dc726f736f c745e066745c57 c745e4696e646f c745e877735c43 c745ec75727265 c745f06e745665 c745f47273696f }
            // n = 7, score = 300
            //   c745dc726f736f       | mov                 dword ptr [ebp - 0x24], 0x6f736f72
            //   c745e066745c57       | mov                 dword ptr [ebp - 0x20], 0x575c7466
            //   c745e4696e646f       | mov                 dword ptr [ebp - 0x1c], 0x6f646e69
            //   c745e877735c43       | mov                 dword ptr [ebp - 0x18], 0x435c7377
            //   c745ec75727265       | mov                 dword ptr [ebp - 0x14], 0x65727275
            //   c745f06e745665       | mov                 dword ptr [ebp - 0x10], 0x6556746e
            //   c745f47273696f       | mov                 dword ptr [ebp - 0xc], 0x6f697372

        // Wildcarded push-imm32 followed by a fixed push/lea/mov prologue
        // fragment (0x110-byte local buffer).
        $sequence_8 = { 68???????? 50 8d85f0feffff 8bf1 }
            // n = 4, score = 300
            //   68????????           |                     
            //   50                   | push                eax
            //   8d85f0feffff         | lea                 eax, dword ptr [ebp - 0x110]
            //   8bf1                 | mov                 esi, ecx

        // Shares its last three instructions with $sequence_3.
        $sequence_9 = { 7407 8b7608 83461c02 5f }
            // n = 4, score = 300
            //   7407                 | je                  9
            //   8b7608               | mov                 esi, dword ptr [esi + 8]
            //   83461c02             | add                 dword ptr [esi + 0x1c], 2
            //   5f                   | pop                 edi

    condition:
        // Any 7 of the 10 sequences, plus a size cap of 352256 bytes (344 KiB)
        // on the scanned object. YARA documents filesize as undefined when
        // scanning a running process, so this rule will not fire in
        // process-memory scans even though its strings were derived from
        // memory dumps (see DISCLAIMER); scan dumped/unpacked files instead.
        7 of them and filesize < 352256
}