NetTraveler (Malware Family)

NetTraveler

aka: TravNet

There is no description at this point.

References

2020-11-27 ⋅ CYBER GEEKS All Things Infosec ⋅ CyberMasterV
Dissecting APT21 samples using a step-by-step approach
NetTraveler

2016-07-07 ⋅ Proofpoint ⋅ Axel F
NetTraveler APT Targets Russian, European Interests
NetTraveler NetTraveler

2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor

Yara Rules

[TLP:WHITE] win_nettraveler_auto (20201023 \| autogenerated rule brought to you by yara-signator) rule win_nettraveler_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-12-22" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_rule_date = "20201222" malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130" malpedia_version = "20201023" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. / strings: $sequence_0 = { e8???????? 68???????? 56 e8???????? 83c41c ff750c ff7508 } // n = 7, score = 100 // e8???????? \| // 68???????? \| // 56 \| push esi // e8???????? \| // 83c41c \| add esp, 0x1c // ff750c \| push dword ptr [ebp + 0xc] // ff7508 \| push dword ptr [ebp + 8] $sequence_1 = { 83c102 8b15???????? 8b520c 8a54022a c0ea03 80e201 } // n = 6, score = 100 // 83c102 \| add ecx, 2 // 8b15???????? \| // 8b520c \| mov edx, dword ptr [edx + 0xc] // 8a54022a \| mov dl, byte ptr [edx + eax + 0x2a] // c0ea03 \| shr dl, 3 // 80e201 \| and dl, 1 $sequence_2 = { 53 8d85a0f6ffff 53 50 e8???????? 59 50 } // n = 7, score = 100 // 53 \| push ebx // 8d85a0f6ffff \| lea eax, [ebp - 0x960] // 53 \| push ebx // 50 \| push eax // e8???????? \| // 59 \| pop ecx // 50 \| push eax $sequence_3 = { 0fb7ce 8d3449 8bcf d1e6 0fb70430 50 ff7510 } // n = 7, score = 100 // 0fb7ce \| movzx ecx, si // 8d3449 \| lea esi, [ecx + ecx2] // 8bcf \| mov ecx, edi // d1e6 \| shl esi, 1 // 0fb70430 \| movzx eax, word ptr [eax + esi] // 50 \| push eax // ff7510 \| push dword ptr [ebp + 0x10] $sequence_4 = { ffd6 8d4508 6a04 50 6a05 ff750c } // n = 6, score = 100 // ffd6 \| call esi // 8d4508 \| lea eax, [ebp + 8] // 6a04 \| push 4 // 50 \| push eax // 6a05 \| push 5 // ff750c \| push dword ptr [ebp + 0xc] $sequence_5 = { 750b ff45fc 837dfc03 7d34 ebd5 8b45f0 2b4508 } // n = 7, score = 100 // 750b \| jne 0xd // ff45fc \| inc dword ptr [ebp - 4] // 837dfc03 \| cmp dword ptr [ebp - 4], 3 // 7d34 \| jge 0x36 // ebd5 \| jmp 0xffffffd7 // 8b45f0 \| mov eax, dword ptr [ebp - 0x10] // 2b4508 \| sub eax, dword ptr [ebp + 8] $sequence_6 = { 895d10 ff7518 ff15???????? 85c0 } // n = 4, score = 100 // 895d10 \| mov dword ptr [ebp + 0x10], ebx // ff7518 \| push dword ptr [ebp + 0x18] // ff15???????? \| // 85c0 \| test eax, eax $sequence_7 = { 50 8d850cfaffff 50 ff15???????? 85c0 0f84b1070000 8b45d8 } // n = 7, score = 100 // 50 \| push eax // 8d850cfaffff \| lea eax, [ebp - 0x5f4] // 50 \| push eax // ff15???????? \| // 85c0 \| test eax, eax // 0f84b1070000 \| je 0x7b7 // 8b45d8 \| mov eax, dword ptr [ebp - 0x28] $sequence_8 = { 33c0 59 8dbd7cffffff ff7514 f3ab 8d8578ffffff 50 } // n = 7, score = 100 // 33c0 \| xor eax, eax // 59 \| pop ecx // 8dbd7cffffff \| lea edi, [ebp - 0x84] // ff7514 \| push dword ptr [ebp + 0x14] // f3ab \| rep stosd dword ptr es:[edi], eax // 8d8578ffffff \| lea eax, [ebp - 0x88] // 50 \| push eax $sequence_9 = { 59 33c0 8d7dac 895dfc f3ab 8d8584f6ffff 8d8d80f5ffff } // n = 7, score = 100 // 59 \| pop ecx // 33c0 \| xor eax, eax // 8d7dac \| lea edi, [ebp - 0x54] // 895dfc \| mov dword ptr [ebp - 4], ebx // f3ab \| rep stosd dword ptr es:[edi], eax // 8d8584f6ffff \| lea eax, [ebp - 0x97c] // 8d8d80f5ffff \| lea ecx, [ebp - 0xa80] condition: 7 of them and filesize < 106496 }
[TLP:WHITE] win_nettraveler_w0 (20170521 \| Identifiers for NetTraveler DLL) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ import "pe" rule win_nettraveler_w0 { meta: description = "Identifiers for NetTraveler DLL" author = "Katie Kleemola" last_updated = "2014-05-20" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: //network strings $n1 = "?action=updated&hostid=" $n2 = "travlerbackinfo" $n3 = "?action=getcmd&hostid=" $n4 = "%s?action=gotcmd&hostid=" $n5 = "%s?hostid=%s&hostname=%s&hostip=%s&filename=%s&filestart=%u&filetext=" //debugging strings $d1 = "\x00Method1 Fail!!!!!\x00" $d2 = "\x00Method3 Fail!!!!!\x00" $d3 = "\x00method currect:\x00" $d4 = /\x00\x00[\w\-]+ is Running!\x00\x00/ $d5 = "\x00OtherTwo\x00" condition: any of them }
[TLP:WHITE] win_nettraveler_w1 (20170521 \| Identifiers for netpass variant) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. / rule win_nettraveler_w1 { meta: description = "Identifiers for netpass variant" author = "Katie Kleemola" last_updated = "2014-05-29" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $exif1 = "Device Protect ApplicatioN" wide $exif2 = "beep.sys" wide //embedded exe name $exif3 = "BEEP Driver" wide //embedded exe description $string1 = "\x00NetPass Update\x00" $string2 = "\x00%s:DOWNLOAD\x00" $string3 = "\x00%s:UPDATE\x00" $string4 = "\x00%s:uNINSTALL\x00" condition: all of ($exif) or any of ($string*) }
[TLP:WHITE] win_nettraveler_w2 (20170521 \| Export names for dll component) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_nettraveler_w2 { meta: description = "Export names for dll component" author = "Katie Kleemola" last_updated = "2014-05-20" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: //dll component exports $d1 = "?InjectDll@@YAHPAUHWND__@@K@Z" $d2 = "?UnmapDll@@YAHXZ" $d3 = "?g_bSubclassed@@3HA" condition: any of them }

Download all Yara Rules

[TLP:WHITE] win_nettraveler_auto (20201023 \| autogenerated rule brought to you by yara-signator) rule win_nettraveler_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-12-22" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_rule_date = "20201222" malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130" malpedia_version = "20201023" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. / strings: $sequence_0 = { e8???????? 68???????? 56 e8???????? 83c41c ff750c ff7508 } // n = 7, score = 100 // e8???????? \| // 68???????? \| // 56 \| push esi // e8???????? \| // 83c41c \| add esp, 0x1c // ff750c \| push dword ptr [ebp + 0xc] // ff7508 \| push dword ptr [ebp + 8] $sequence_1 = { 83c102 8b15???????? 8b520c 8a54022a c0ea03 80e201 } // n = 6, score = 100 // 83c102 \| add ecx, 2 // 8b15???????? \| // 8b520c \| mov edx, dword ptr [edx + 0xc] // 8a54022a \| mov dl, byte ptr [edx + eax + 0x2a] // c0ea03 \| shr dl, 3 // 80e201 \| and dl, 1 $sequence_2 = { 53 8d85a0f6ffff 53 50 e8???????? 59 50 } // n = 7, score = 100 // 53 \| push ebx // 8d85a0f6ffff \| lea eax, [ebp - 0x960] // 53 \| push ebx // 50 \| push eax // e8???????? \| // 59 \| pop ecx // 50 \| push eax $sequence_3 = { 0fb7ce 8d3449 8bcf d1e6 0fb70430 50 ff7510 } // n = 7, score = 100 // 0fb7ce \| movzx ecx, si // 8d3449 \| lea esi, [ecx + ecx2] // 8bcf \| mov ecx, edi // d1e6 \| shl esi, 1 // 0fb70430 \| movzx eax, word ptr [eax + esi] // 50 \| push eax // ff7510 \| push dword ptr [ebp + 0x10] $sequence_4 = { ffd6 8d4508 6a04 50 6a05 ff750c } // n = 6, score = 100 // ffd6 \| call esi // 8d4508 \| lea eax, [ebp + 8] // 6a04 \| push 4 // 50 \| push eax // 6a05 \| push 5 // ff750c \| push dword ptr [ebp + 0xc] $sequence_5 = { 750b ff45fc 837dfc03 7d34 ebd5 8b45f0 2b4508 } // n = 7, score = 100 // 750b \| jne 0xd // ff45fc \| inc dword ptr [ebp - 4] // 837dfc03 \| cmp dword ptr [ebp - 4], 3 // 7d34 \| jge 0x36 // ebd5 \| jmp 0xffffffd7 // 8b45f0 \| mov eax, dword ptr [ebp - 0x10] // 2b4508 \| sub eax, dword ptr [ebp + 8] $sequence_6 = { 895d10 ff7518 ff15???????? 85c0 } // n = 4, score = 100 // 895d10 \| mov dword ptr [ebp + 0x10], ebx // ff7518 \| push dword ptr [ebp + 0x18] // ff15???????? \| // 85c0 \| test eax, eax $sequence_7 = { 50 8d850cfaffff 50 ff15???????? 85c0 0f84b1070000 8b45d8 } // n = 7, score = 100 // 50 \| push eax // 8d850cfaffff \| lea eax, [ebp - 0x5f4] // 50 \| push eax // ff15???????? \| // 85c0 \| test eax, eax // 0f84b1070000 \| je 0x7b7 // 8b45d8 \| mov eax, dword ptr [ebp - 0x28] $sequence_8 = { 33c0 59 8dbd7cffffff ff7514 f3ab 8d8578ffffff 50 } // n = 7, score = 100 // 33c0 \| xor eax, eax // 59 \| pop ecx // 8dbd7cffffff \| lea edi, [ebp - 0x84] // ff7514 \| push dword ptr [ebp + 0x14] // f3ab \| rep stosd dword ptr es:[edi], eax // 8d8578ffffff \| lea eax, [ebp - 0x88] // 50 \| push eax $sequence_9 = { 59 33c0 8d7dac 895dfc f3ab 8d8584f6ffff 8d8d80f5ffff } // n = 7, score = 100 // 59 \| pop ecx // 33c0 \| xor eax, eax // 8d7dac \| lea edi, [ebp - 0x54] // 895dfc \| mov dword ptr [ebp - 4], ebx // f3ab \| rep stosd dword ptr es:[edi], eax // 8d8584f6ffff \| lea eax, [ebp - 0x97c] // 8d8d80f5ffff \| lea ecx, [ebp - 0xa80] condition: 7 of them and filesize < 106496 }
[TLP:WHITE] win_nettraveler_w0 (20170521 \| Identifiers for NetTraveler DLL) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ import "pe" rule win_nettraveler_w0 { meta: description = "Identifiers for NetTraveler DLL" author = "Katie Kleemola" last_updated = "2014-05-20" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: //network strings $n1 = "?action=updated&hostid=" $n2 = "travlerbackinfo" $n3 = "?action=getcmd&hostid=" $n4 = "%s?action=gotcmd&hostid=" $n5 = "%s?hostid=%s&hostname=%s&hostip=%s&filename=%s&filestart=%u&filetext=" //debugging strings $d1 = "\x00Method1 Fail!!!!!\x00" $d2 = "\x00Method3 Fail!!!!!\x00" $d3 = "\x00method currect:\x00" $d4 = /\x00\x00[\w\-]+ is Running!\x00\x00/ $d5 = "\x00OtherTwo\x00" condition: any of them }
[TLP:WHITE] win_nettraveler_w1 (20170521 \| Identifiers for netpass variant) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. / rule win_nettraveler_w1 { meta: description = "Identifiers for netpass variant" author = "Katie Kleemola" last_updated = "2014-05-29" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $exif1 = "Device Protect ApplicatioN" wide $exif2 = "beep.sys" wide //embedded exe name $exif3 = "BEEP Driver" wide //embedded exe description $string1 = "\x00NetPass Update\x00" $string2 = "\x00%s:DOWNLOAD\x00" $string3 = "\x00%s:UPDATE\x00" $string4 = "\x00%s:uNINSTALL\x00" condition: all of ($exif) or any of ($string*) }
[TLP:WHITE] win_nettraveler_w2 (20170521 \| Export names for dll component) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_nettraveler_w2 { meta: description = "Export names for dll component" author = "Katie Kleemola" last_updated = "2014-05-20" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: //dll component exports $d1 = "?InjectDll@@YAHPAUHWND__@@K@Z" $d2 = "?UnmapDll@@YAHXZ" $d3 = "?g_bSubclassed@@3HA" condition: any of them }

NetTraveler Propose Change

References

Yara Rules

NetTraveler