win.nokki (Back to overview)

Nokki

Actor(s): APT37


Nokki is a RAT-type malware which is believed to have evolved from Konni RAT. This malware has been tied to attacks containing politically-motivated lures targeting Russian- and Cambodian-speaking individuals or organizations. Researchers discovered a tie to the threat actor group known as Reaper, also known as APT37.

References
2020-03-04 CrowdStrike — CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03 PWC UK — PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2018-10-01 Palo Alto Networks Unit 42 — Josh Grunzweig
@online{grunzweig:20181001:nokki:b458c95, author = {Josh Grunzweig}, title = {{NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT}}, date = {2018-10-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/}, language = {English}, urldate = {2019-12-20} } NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT
Nokki
2018-09-27 Palo Alto Networks Unit 42 — Josh Grunzweig, Bryan Lee
@online{grunzweig:20180927:new:d33c053, author = {Josh Grunzweig and Bryan Lee}, title = {{New KONNI Malware attacking Eurasia and Southeast Asia}}, date = {2018-09-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/}, language = {English}, urldate = {2019-12-20} } New KONNI Malware attacking Eurasia and Southeast Asia
Nokki
Yara Rules
[TLP:WHITE] win_nokki_auto (20210616 | Detects win.nokki.)
// Auto-generated detection rule for the win.nokki family (provenance in "meta").
// The rule fires when at least 7 of the 14 opcode-sequence strings below are
// present and the scanned file is smaller than 454656 bytes (444 KiB); see the
// "condition" section at the end.
rule win_nokki_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.nokki."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is an x86 hex pattern lifted from one sample's disassembly.
    // A "??" byte matches any value; the generator wildcards operands that change
    // between builds (the rel32 target of e8/e9 calls and jumps, the absolute
    // address of ff15 / 833d / c605 / 68 operands), which is why the disassembly
    // column is left blank on those lines. Operands that are NOT wildcarded are
    // matched literally. In the per-string comments, "n" is the number of
    // instructions in the sequence; "score" is yara-signator's ranking of the
    // sequence — see the tool repository linked above for its exact meaning.
    strings:
        // $sequence_0 and $sequence_1 are the same shape with a different register:
        // zero a register, push 0x7ce (1998), push the zeroed register — presumably
        // argument setup for a call that lies outside the captured bytes.
        $sequence_0 = { e8???????? 33d2 68ce070000 52 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   68ce070000           | push                0x7ce
            //   52                   | push                edx

        $sequence_1 = { e8???????? 33c9 68ce070000 51 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   68ce070000           | push                0x7ce
            //   51                   | push                ecx

        // NOTE(review): this string (and $sequence_3, _5, _7, _9, _10) keeps a
        // hard-coded absolute address (0x41068c here) in the pattern. Such bytes
        // are tied to the image base and layout of the sample the rule was generated
        // from; expect them to miss on rebased or differently linked builds — the
        // "7 of them" threshold is what tolerates individual misses.
        $sequence_2 = { 8b45e0 8a808c064100 08443b1d 0fb64601 47 3bf8 }
            // n = 6, score = 100
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   8a808c064100         | mov                 al, byte ptr [eax + 0x41068c]
            //   08443b1d             | or                  byte ptr [ebx + edi + 0x1d], al
            //   0fb64601             | movzx               eax, byte ptr [esi + 1]
            //   47                   | inc                 edi
            //   3bf8                 | cmp                 edi, eax

        $sequence_3 = { 8d3c8d80054100 8b0f c1e606 833c0eff 7535 833d????????01 }
            // n = 6, score = 100
            //   8d3c8d80054100       | lea                 edi, dword ptr [ecx*4 + 0x410580]
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   c1e606               | shl                 esi, 6
            //   833c0eff             | cmp                 dword ptr [esi + ecx], -1
            //   7535                 | jne                 0x37
            //   833d????????01       |                     

        $sequence_4 = { 68???????? 56 ffd3 6a00 6a02 8d8db4f7ffff 51 }
            // n = 7, score = 100
            //   68????????           |                     
            //   56                   | push                esi
            //   ffd3                 | call                ebx
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   8d8db4f7ffff         | lea                 ecx, dword ptr [ebp - 0x84c]
            //   51                   | push                ecx

        $sequence_5 = { c7461058c74000 e8???????? 85c0 7907 c605????????01 8bc6 5e }
            // n = 7, score = 100
            //   c7461058c74000       | mov                 dword ptr [esi + 0x10], 0x40c758
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7907                 | jns                 9
            //   c605????????01       |                     
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi

        // $sequence_6 shares the "push 0; push 2; lea ..., [ebp - N]" tail with
        // $sequence_4, differing in the stack offset and the preceding call form.
        $sequence_6 = { 740b 68???????? ff15???????? 6a00 6a02 8d9514e8ffff }
            // n = 6, score = 100
            //   740b                 | je                  0xd
            //   68????????           |                     
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   8d9514e8ffff         | lea                 edx, dword ptr [ebp - 0x17ec]

        $sequence_7 = { 8d42e0 6683f858 770f 0fb7c2 0fbe80b8c14000 }
            // n = 5, score = 100
            //   8d42e0               | lea                 eax, dword ptr [edx - 0x20]
            //   6683f858             | cmp                 ax, 0x58
            //   770f                 | ja                  0x11
            //   0fb7c2               | movzx               eax, dx
            //   0fbe80b8c14000       | movsx               eax, byte ptr [eax + 0x40c1b8]

        $sequence_8 = { 85c0 744a 56 e8???????? 8b8510f8ffff }
            // n = 5, score = 100
            //   85c0                 | test                eax, eax
            //   744a                 | je                  0x4c
            //   56                   | push                esi
            //   e8????????           |                     
            //   8b8510f8ffff         | mov                 eax, dword ptr [ebp - 0x7f0]

        // $sequence_9 references the same table base (0x410580) as $sequence_3.
        $sequence_9 = { 2b34bd80054100 c1fe06 8bc7 c1e005 03f0 8975e4 837de4ff }
            // n = 7, score = 100
            //   2b34bd80054100       | sub                 esi, dword ptr [edi*4 + 0x410580]
            //   c1fe06               | sar                 esi, 6
            //   8bc7                 | mov                 eax, edi
            //   c1e005               | shl                 eax, 5
            //   03f0                 | add                 esi, eax
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi
            //   837de4ff             | cmp                 dword ptr [ebp - 0x1c], -1

        $sequence_10 = { ff2485722f4000 33c0 838df4fbffffff 8985a0fbffff 8985b8fbffff }
            // n = 5, score = 100
            //   ff2485722f4000       | jmp                 dword ptr [eax*4 + 0x402f72]
            //   33c0                 | xor                 eax, eax
            //   838df4fbffffff       | or                  dword ptr [ebp - 0x40c], 0xffffffff
            //   8985a0fbffff         | mov                 dword ptr [ebp - 0x460], eax
            //   8985b8fbffff         | mov                 dword ptr [ebp - 0x448], eax

        $sequence_11 = { 8b8594fbffff 83e001 0f8412000000 83a594fbfffffe 8b8d90fbffff e9???????? }
            // n = 6, score = 100
            //   8b8594fbffff         | mov                 eax, dword ptr [ebp - 0x46c]
            //   83e001               | and                 eax, 1
            //   0f8412000000         | je                  0x18
            //   83a594fbfffffe       | and                 dword ptr [ebp - 0x46c], 0xfffffffe
            //   8b8d90fbffff         | mov                 ecx, dword ptr [ebp - 0x470]
            //   e9????????           |                     

        $sequence_12 = { 50 52 89855ce8ffff c78578e8ffffe8030000 ff15???????? }
            // n = 5, score = 100
            //   50                   | push                eax
            //   52                   | push                edx
            //   89855ce8ffff         | mov                 dword ptr [ebp - 0x17a4], eax
            //   c78578e8ffffe8030000     | mov    dword ptr [ebp - 0x1788], 0x3e8
            //   ff15????????         |                     

        $sequence_13 = { 8d8d20f8ffff 51 52 ff15???????? 85c0 0f853a010000 }
            // n = 6, score = 100
            //   8d8d20f8ffff         | lea                 ecx, dword ptr [ebp - 0x7e0]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f853a010000         | jne                 0x140

    // Any 7 of the 14 sequences suffice; no single string is required. The size
    // bound (454656 bytes = 444 KiB) limits the rule to small inputs, so a
    // packed, padded or memory-dumped image larger than that will not match even
    // if the sequences are present. NOTE(review): filesize is defined for file
    // scans; confirm its behaviour in your YARA version before relying on this
    // rule against process memory.
    condition:
        7 of them and filesize < 454656
}