win.nokki

Nokki

Actor(s): APT37


Nokki is a RAT-type malware which is believed to have evolved from Konni RAT. This malware has been tied to attacks containing politically-motivated lures targeting Russian- and Cambodian-speaking individuals or organizations. Researchers discovered a tie to the threat actor group known as Reaper, also known as APT37.

References
2020-03-04 · CrowdStrike · CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03 · PWC UK · PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2018-10-01 · Palo Alto Networks Unit 42 · Josh Grunzweig
@online{grunzweig:20181001:nokki:b458c95, author = {Josh Grunzweig}, title = {{NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT}}, date = {2018-10-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/}, language = {English}, urldate = {2019-12-20} } NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT
Nokki
2018-09-27 · Palo Alto Networks Unit 42 · Josh Grunzweig, Bryan Lee
@online{grunzweig:20180927:new:d33c053, author = {Josh Grunzweig and Bryan Lee}, title = {{New KONNI Malware attacking Eurasia and Southeast Asia}}, date = {2018-09-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/}, language = {English}, urldate = {2019-12-20} } New KONNI Malware attacking Eurasia and Southeast Asia
Nokki
Yara Rules
[TLP:WHITE] win_nokki_auto (20211008 | Detects win.nokki.)
rule win_nokki_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.nokki."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes on reading this rule
     * - Each $sequence_N is a short run of 32-bit x86 instruction bytes lifted
     *   from the family's disassembly. In the comment block under each one,
     *   "n" is the number of instructions in the sequence and "score" is a
     *   yara-signator ranking of that sequence; its exact meaning is defined
     *   by the tool, not by this rule, so treat it only as a relative weight.
     * - "??" bytes are YARA wildcards. They sit where the disassembly column is
     *   left blank, i.e. on the operand of a call (e8 / ff15), push (68) or
     *   mov (b9) whose value varies between builds; the opcode is matched but
     *   the operand is not.
     * - $sequence_6, $sequence_7 and $sequence_12 embed the absolute address
     *   0x410580. NOTE(review): bytes like these only match an image that is
     *   laid out at its original preferred base, so a rebased/relocated dump
     *   may fail to match them — confirm before weighting them heavily.
     * - Because the sequences were taken from memory dumps and unpacked files
     *   (see disclaimer), the rule presumably will not match a packed sample
     *   on disk; scan unpacked or in-memory images where possible.
     */

    strings:
        // The two score-200 sequences are the highest-weighted ones: a call,
        // then a register zeroed and 0x7ce (1998) pushed ahead of it. The
        // meaning of 0x7ce is not derivable from the bytes alone — confirm.
        $sequence_0 = { e8???????? 33d2 68ce070000 52 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   68ce070000           | push                0x7ce
            //   52                   | push                edx

        // Same pattern as $sequence_0 with ecx instead of edx (register
        // allocation differs between the two call sites).
        $sequence_1 = { e8???????? 33c9 68ce070000 51 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   68ce070000           | push                0x7ce
            //   51                   | push                ecx

        // Indirect (import) call, result kept in esi and pushed with 2.
        $sequence_2 = { ff15???????? 8bf0 56 6a02 }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   56                   | push                esi
            //   6a02                 | push                2

        // Stack-buffer address (ebp - 0x1780) and a wildcarded immediate
        // pushed as arguments; the large negative offset indicates a big
        // local buffer in this function.
        $sequence_3 = { 51 8d9580e8ffff 68???????? 52 }
            // n = 4, score = 100
            //   51                   | push                ecx
            //   8d9580e8ffff         | lea                 edx, dword ptr [ebp - 0x1780]
            //   68????????           |                     
            //   52                   | push                edx

        // Call with stack cleanup of 0x1c (7 dword args, cdecl), then
        // push 0x104 (260); presumably a MAX_PATH-sized length — confirm.
        $sequence_4 = { 8b85f0fdffff 50 e8???????? 83c41c 6804010000 }
            // n = 5, score = 100
            //   8b85f0fdffff         | mov                 eax, dword ptr [ebp - 0x210]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c41c               | add                 esp, 0x1c
            //   6804010000           | push                0x104

        // Register-indirect call (call edx); the returned pointer is bumped
        // by 0x10 and stored through esi.
        $sequence_5 = { 89b590fbffff ffd2 83c010 8906 }
            // n = 4, score = 100
            //   89b590fbffff         | mov                 dword ptr [ebp - 0x470], esi
            //   ffd2                 | call                edx
            //   83c010               | add                 eax, 0x10
            //   8906                 | mov                 dword ptr [esi], eax

        // Table lookup at absolute address 0x410580 indexed by edi*4, bounds
        // compare against entry+0x800, then a bit test on [esi+4]. Together
        // with $sequence_7 and $sequence_12 this looks like compiler runtime
        // code rather than family-specific logic — NOTE(review): confirm, as
        // that would lower its discriminating value.
        $sequence_6 = { 8975e0 8b04bd80054100 0500080000 3bf0 0f8396000000 f6460401 }
            // n = 6, score = 100
            //   8975e0               | mov                 dword ptr [ebp - 0x20], esi
            //   8b04bd80054100       | mov                 eax, dword ptr [edi*4 + 0x410580]
            //   0500080000           | add                 eax, 0x800
            //   3bf0                 | cmp                 esi, eax
            //   0f8396000000         | jae                 0x9c
            //   f6460401             | test                byte ptr [esi + 4], 1

        // Same 0x410580 table as $sequence_6; computes entry + eax*64 + 4 and
        // sets bit 0x20 in that byte.
        $sequence_7 = { 8b0c8d80054100 c1e006 8d440104 800820 }
            // n = 4, score = 100
            //   8b0c8d80054100       | mov                 ecx, dword ptr [ecx*4 + 0x410580]
            //   c1e006               | shl                 eax, 6
            //   8d440104             | lea                 eax, dword ptr [ecx + eax + 4]
            //   800820               | or                  byte ptr [eax], 0x20

        // Two stack buffers (ebp - 0x7c, ebp - 0x17ec) interleaved with two
        // wildcarded immediates, pushed after a call.
        $sequence_8 = { e8???????? 8d5584 52 68???????? 8d8514e8ffff 68???????? 50 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8d5584               | lea                 edx, dword ptr [ebp - 0x7c]
            //   52                   | push                edx
            //   68????????           |                     
            //   8d8514e8ffff         | lea                 eax, dword ptr [ebp - 0x17ec]
            //   68????????           |                     
            //   50                   | push                eax

        // Three arguments pushed: two stack buffers (ebp - 0x1788,
        // ebp - 0x17b0) and esi.
        $sequence_9 = { 8d8578e8ffff 50 56 8d8d50e8ffff 51 }
            // n = 5, score = 100
            //   8d8578e8ffff         | lea                 eax, dword ptr [ebp - 0x1788]
            //   50                   | push                eax
            //   56                   | push                esi
            //   8d8d50e8ffff         | lea                 ecx, dword ptr [ebp - 0x17b0]
            //   51                   | push                ecx

        // Argument setup (2, 0, 1, 0x40000000, buffer at ebp - 0xe8c) for an
        // import call. 0x40000000 looks like a Win32 access flag
        // (GENERIC_WRITE) — NOTE(review): confirm against the call target.
        $sequence_10 = { 6a02 6a00 6a01 6800000040 8d9574f1ffff 52 ff15???????? }
            // n = 7, score = 100
            //   6a02                 | push                2
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   6800000040           | push                0x40000000
            //   8d9574f1ffff         | lea                 edx, dword ptr [ebp - 0xe8c]
            //   52                   | push                edx
            //   ff15????????         |                     

        // Wildcarded constant loaded into ecx, a local set to 1, then a
        // register-indirect call.
        $sequence_11 = { b9???????? 895dfc c78554e8ffff01000000 ffd2 }
            // n = 4, score = 100
            //   b9????????           |                     
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   c78554e8ffff01000000     | mov    dword ptr [ebp - 0x17ac], 1
            //   ffd2                 | call                edx

        // Index split (eax = edi >> 5, edi = (edi & 0x1f) << 6) into the
        // 0x410580 table — the third sequence tied to that address.
        $sequence_12 = { 395de4 741d 8bc7 c1f805 83e71f c1e706 8b048580054100 }
            // n = 7, score = 100
            //   395de4               | cmp                 dword ptr [ebp - 0x1c], ebx
            //   741d                 | je                  0x1f
            //   8bc7                 | mov                 eax, edi
            //   c1f805               | sar                 eax, 5
            //   83e71f               | and                 edi, 0x1f
            //   c1e706               | shl                 edi, 6
            //   8b048580054100       | mov                 eax, dword ptr [eax*4 + 0x410580]

        // Import call whose result is tested for zero before pushing 0, 2 and
        // a buffer at ebp - 0x101c; the je 0x65 skips the block on failure.
        $sequence_13 = { ff15???????? 8bf0 85f6 7463 6a00 6a02 8d85e4efffff }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7463                 | je                  0x65
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   8d85e4efffff         | lea                 eax, dword ptr [ebp - 0x101c]

    condition:
        // At least 7 of the 14 sequences must match (a partial match is
        // enough, which gives some tolerance to variants), and the scanned
        // object must be smaller than 454656 bytes (444 KiB). The size cap
        // keeps the rule cheap on large files but means a larger
        // build or memory region will never match — confirm it fits your
        // scan targets before deploying.
        7 of them and filesize < 454656
}