win.nokki

Nokki

Actor(s): APT37


Nokki is a RAT-type malware which is believed to have evolved from the Konni RAT. This malware has been tied to attacks using politically motivated lures targeting Russian- and Cambodian-speaking individuals or organizations. Researchers tied it to the threat actor group known as Reaper, also known as APT37.

References
2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
Families and actors referenced: MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019: A Year in Retrospect
Families and actors referenced: KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA
2018-10-01 | Palo Alto Networks Unit 42 | Josh Grunzweig
@online{grunzweig:20181001:nokki:b458c95, author = {Josh Grunzweig}, title = {{NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT}}, date = {2018-10-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/}, language = {English}, urldate = {2019-12-20} } NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT
Families and actors referenced: Nokki
2018-09-27 | Palo Alto Networks Unit 42 | Josh Grunzweig, Bryan Lee
@online{grunzweig:20180927:new:d33c053, author = {Josh Grunzweig and Bryan Lee}, title = {{New KONNI Malware attacking Eurasia and Southeast Asia}}, date = {2018-09-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/}, language = {English}, urldate = {2019-12-20} } New KONNI Malware attacking Eurasia and Southeast Asia
Families and actors referenced: Nokki
Yara Rules
[TLP:WHITE] win_nokki_auto (20230125 | Detects win.nokki.)
rule win_nokki_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.nokki."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83f816 72ee 33c0 5d c3 8b04c55cbc4000 }
            // n = 6, score = 200
            //   83f816               | cmp                 eax, 0x16
            //   72ee                 | jb                  0xfffffff0
            //   33c0                 | xor                 eax, eax
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b04c55cbc4000       | mov                 eax, dword ptr [eax*8 + 0x40bc5c]

        $sequence_1 = { 6a00 ffd6 8b35???????? 6a00 6a00 6a00 8d45e4 }
            // n = 7, score = 200
            //   6a00                 | push                0
            //   ffd6                 | call                esi
            //   8b35????????         |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8d45e4               | lea                 eax, [ebp - 0x1c]

        $sequence_2 = { ff15???????? 6a00 6802000080 6880000000 6a01 68???????? 8d852cf8ffff }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6802000080           | push                0x80000002
            //   6880000000           | push                0x80
            //   6a01                 | push                1
            //   68????????           |                     
            //   8d852cf8ffff         | lea                 eax, [ebp - 0x7d4]

        $sequence_3 = { 6804010000 68???????? 6a00 ffd6 68???????? }
            // n = 5, score = 200
            //   6804010000           | push                0x104
            //   68????????           |                     
            //   6a00                 | push                0
            //   ffd6                 | call                esi
            //   68????????           |                     

        $sequence_4 = { 85c0 740b 68???????? ff15???????? 6a00 6a02 }
            // n = 6, score = 200
            //   85c0                 | test                eax, eax
            //   740b                 | je                  0xd
            //   68????????           |                     
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6a02                 | push                2

        $sequence_5 = { 51 0fb74dac 52 50 51 8d5584 68???????? }
            // n = 7, score = 200
            //   51                   | push                ecx
            //   0fb74dac             | movzx               ecx, word ptr [ebp - 0x54]
            //   52                   | push                edx
            //   50                   | push                eax
            //   51                   | push                ecx
            //   8d5584               | lea                 edx, [ebp - 0x7c]
            //   68????????           |                     

        $sequence_6 = { 8bc1 c1f805 8bf1 83e61f 8d3c8580054100 }
            // n = 5, score = 200
            //   8bc1                 | mov                 eax, ecx
            //   c1f805               | sar                 eax, 5
            //   8bf1                 | mov                 esi, ecx
            //   83e61f               | and                 esi, 0x1f
            //   8d3c8580054100       | lea                 edi, [eax*4 + 0x410580]

        $sequence_7 = { 68???????? 8d852cf8ffff 50 56 ff15???????? }
            // n = 5, score = 200
            //   68????????           |                     
            //   8d852cf8ffff         | lea                 eax, [ebp - 0x7d4]
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_8 = { e8???????? 33d2 68ce070000 52 8d8516e8ffff }
            // n = 5, score = 200
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   68ce070000           | push                0x7ce
            //   52                   | push                edx
            //   8d8516e8ffff         | lea                 eax, [ebp - 0x17ea]

        $sequence_9 = { 8b4de4 83c40c 6bc930 8975e0 8db1a0e94000 8975e4 }
            // n = 6, score = 200
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   83c40c               | add                 esp, 0xc
            //   6bc930               | imul                ecx, ecx, 0x30
            //   8975e0               | mov                 dword ptr [ebp - 0x20], esi
            //   8db1a0e94000         | lea                 esi, [ecx + 0x40e9a0]
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi

    condition:
        7 of them and filesize < 454656
}
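The rule above fires when at least 7 of its 10 byte sequences occur in a file smaller than 454656 bytes, with each "??" standing for one arbitrary byte. The following Python is an added illustration of how that evaluation works; it is not code from Malpedia or from yara-signator, and it is not a substitute for the YARA engine. It copies the ten hex sequences from the rule, translates them into byte regexes, and evaluates the condition against buffers it constructs itself (the fill byte for wildcards, the NOP padding and the `build_sample` helper are assumptions made for the demonstration).

```python
import re

# Hex sequences copied from the win_nokki_auto rule on this page; "??" is a one-byte wildcard.
NOKKI_SEQUENCES = {
    "sequence_0": "83f816 72ee 33c0 5d c3 8b04c55cbc4000",
    "sequence_1": "6a00 ffd6 8b35???????? 6a00 6a00 6a00 8d45e4",
    "sequence_2": "ff15???????? 6a00 6802000080 6880000000 6a01 68???????? 8d852cf8ffff",
    "sequence_3": "6804010000 68???????? 6a00 ffd6 68????????",
    "sequence_4": "85c0 740b 68???????? ff15???????? 6a00 6a02",
    "sequence_5": "51 0fb74dac 52 50 51 8d5584 68????????",
    "sequence_6": "8bc1 c1f805 8bf1 83e61f 8d3c8580054100",
    "sequence_7": "68???????? 8d852cf8ffff 50 56 ff15????????",
    "sequence_8": "e8???????? 33d2 68ce070000 52 8d8516e8ffff",
    "sequence_9": "8b4de4 83c40c 6bc930 8975e0 8db1a0e94000 8975e4",
}
# Thresholds from the rule's condition: "7 of them and filesize < 454656"
MIN_MATCHES = 7
MAX_FILESIZE = 454656


def _byte_tokens(hex_string):
    """Split a YARA hex string into two-character tokens ("8b", "35", "??", ...)."""
    tokens = hex_string.replace(" ", "")
    if len(tokens) % 2:
        raise ValueError("hex string must consist of whole bytes")
    return [tokens[i:i + 2] for i in range(0, len(tokens), 2)]


def hex_pattern_to_regex(hex_string):
    """Translate a YARA hex string with "??" wildcards into a compiled bytes regex."""
    parts = []
    for tok in _byte_tokens(hex_string):
        if tok == "??":
            parts.append(b".")          # any single byte (DOTALL makes "." match 0x0a too)
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_pattern_to_regex(h) for name, h in NOKKI_SEQUENCES.items()}


def matched_sequences(data):
    """Return the sorted names of all sequences found anywhere in the buffer."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(data))


def rule_matches(data):
    """Evaluate the rule's condition: at least MIN_MATCHES hits and filesize below MAX_FILESIZE."""
    return len(matched_sequences(data)) >= MIN_MATCHES and len(data) < MAX_FILESIZE


def instantiate(hex_string, fill=0x41):
    """Turn a hex pattern into concrete bytes; wildcards get a fixed fill byte (assumed, for tests)."""
    return bytes(fill if tok == "??" else int(tok, 16) for tok in _byte_tokens(hex_string))


def build_sample(names, padding=b"\x90" * 16):
    """Constructed test buffer: the chosen sequences separated by NOP padding. Not a real sample."""
    return padding + padding.join(instantiate(NOKKI_SEQUENCES[n]) for n in names) + padding


if __name__ == "__main__":
    seven = build_sample(["sequence_%d" % i for i in range(7)])
    six = build_sample(["sequence_%d" % i for i in range(6)])
    print("7 sequences present:", matched_sequences(seven), "->", rule_matches(seven))
    print("6 sequences present:", matched_sequences(six), "->", rule_matches(six))
    print("7 sequences but oversized:", rule_matches(seven + b"\x00" * MAX_FILESIZE))
```

The threshold is what makes an autogenerated rule like this tolerate minor recompilation differences: a sample can miss three sequences and still match, while the filesize bound keeps the rule from being applied to large containers where short byte sequences would match by chance. When assigning confidence to a hit, note that the disclaimer above says the sequences were taken from a small number of Malpedia samples, so they describe those builds rather than the family as a whole.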