win.nokki

Nokki

Actor(s): APT37


Nokki is a RAT-type malware which is believed to have evolved from Konni RAT. This malware has been tied to attacks containing politically-motivated lures targeting Russian- and Cambodian-speaking individuals or organizations. Researchers discovered a tie to the threat actor group known as Reaper, also known as APT37.

References
2020-03-04 · CrowdStrike · CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03 · PWC UK · PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2018-10-01 · Palo Alto Networks Unit 42 · Josh Grunzweig
@online{grunzweig:20181001:nokki:b458c95, author = {Josh Grunzweig}, title = {{NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT}}, date = {2018-10-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/}, language = {English}, urldate = {2019-12-20} } NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT
Nokki
2018-09-27 · Palo Alto Networks Unit 42 · Josh Grunzweig, Bryan Lee
@online{grunzweig:20180927:new:d33c053, author = {Josh Grunzweig and Bryan Lee}, title = {{New KONNI Malware attacking Eurasia and Southeast Asia}}, date = {2018-09-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/}, language = {English}, urldate = {2019-12-20} } New KONNI Malware attacking Eurasia and Southeast Asia
Nokki
Yara Rules
[TLP:WHITE] win_nokki_auto (20201014 | autogenerated rule brought to you by yara-signator)
// Detection rule for the win.nokki family (see malpedia_reference below).
// Autogenerated by yara-signator from the disassembly of Malpedia samples;
// read the meta block and the DISCLAIMER before assigning confidence to hits.
rule win_nokki_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a short run of x86 instruction bytes taken from the
        // sample's disassembly. The "n = N, score = S" line under each string gives
        // the number of instructions in the sequence and the generator's score for it.
        // "??" wildcards mask bytes the generator does not match on; given the
        // tool_config (callsandjumps;datarefs) these are presumably call/jump targets
        // and data references, which is why the disassembly column is blank for them.
        $sequence_0 = { e8???????? 50 e8???????? 83c408 c785f0fdffffe0f64000 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   c785f0fdffffe0f64000     | mov    dword ptr [ebp - 0x210], 0x40f6e0

        $sequence_1 = { 68???????? 6a00 ff15???????? 8d8d2cf8ffff 51 56 }
            // n = 6, score = 100
            //   68????????           |                     
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   8d8d2cf8ffff         | lea                 ecx, [ebp - 0x7d4]
            //   51                   | push                ecx
            //   56                   | push                esi

        $sequence_2 = { 7353 8bc1 c1f805 8bf1 83e61f 8d3c8580054100 8b07 }
            // n = 7, score = 100
            //   7353                 | jae                 0x55
            //   8bc1                 | mov                 eax, ecx
            //   c1f805               | sar                 eax, 5
            //   8bf1                 | mov                 esi, ecx
            //   83e61f               | and                 esi, 0x1f
            //   8d3c8580054100       | lea                 edi, [eax*4 + 0x410580]
            //   8b07                 | mov                 eax, dword ptr [edi]

        $sequence_3 = { c745e08cb14000 817de090b14000 7311 8b45e0 }
            // n = 4, score = 100
            //   c745e08cb14000       | mov                 dword ptr [ebp - 0x20], 0x40b18c
            //   817de090b14000       | cmp                 dword ptr [ebp - 0x20], 0x40b190
            //   7311                 | jae                 0x13
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]

        $sequence_4 = { e8???????? c1f805 56 8d3c8580054100 e8???????? 83e01f }
            // n = 6, score = 100
            //   e8????????           |                     
            //   c1f805               | sar                 eax, 5
            //   56                   | push                esi
            //   8d3c8580054100       | lea                 edi, [eax*4 + 0x410580]
            //   e8????????           |                     
            //   83e01f               | and                 eax, 0x1f

        $sequence_5 = { 7fdd 83cbff 8b06 8bc8 c1f905 8b0c8d80054100 83e01f }
            // n = 7, score = 100
            //   7fdd                 | jg                  0xffffffdf
            //   83cbff               | or                  ebx, 0xffffffff
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8bc8                 | mov                 ecx, eax
            //   c1f905               | sar                 ecx, 5
            //   8b0c8d80054100       | mov                 ecx, dword ptr [ecx*4 + 0x410580]
            //   83e01f               | and                 eax, 0x1f

        $sequence_6 = { 897e14 897e70 c686c800000043 c6864b01000043 c7466860e54000 6a0d }
            // n = 6, score = 100
            //   897e14               | mov                 dword ptr [esi + 0x14], edi
            //   897e70               | mov                 dword ptr [esi + 0x70], edi
            //   c686c800000043       | mov                 byte ptr [esi + 0xc8], 0x43
            //   c6864b01000043       | mov                 byte ptr [esi + 0x14b], 0x43
            //   c7466860e54000       | mov                 dword ptr [esi + 0x68], 0x40e560
            //   6a0d                 | push                0xd

        $sequence_7 = { 8b85f0fdffff 83c002 8985f0fdffff 83c241 668950fe 3d???????? }
            // n = 6, score = 100
            //   8b85f0fdffff         | mov                 eax, dword ptr [ebp - 0x210]
            //   83c002               | add                 eax, 2
            //   8985f0fdffff         | mov                 dword ptr [ebp - 0x210], eax
            //   83c241               | add                 edx, 0x41
            //   668950fe             | mov                 word ptr [eax - 2], dx
            //   3d????????           |                     

        $sequence_8 = { 8d42e0 6683f858 770f 0fb7c2 0fbe80b8c14000 83e00f eb02 }
            // n = 7, score = 100
            //   8d42e0               | lea                 eax, [edx - 0x20]
            //   6683f858             | cmp                 ax, 0x58
            //   770f                 | ja                  0x11
            //   0fb7c2               | movzx               eax, dx
            //   0fbe80b8c14000       | movsx               eax, byte ptr [eax + 0x40c1b8]
            //   83e00f               | and                 eax, 0xf
            //   eb02                 | jmp                 4

        $sequence_9 = { 57 33f6 bf???????? 833cf504ed400001 }
            // n = 4, score = 100
            //   57                   | push                edi
            //   33f6                 | xor                 esi, esi
            //   bf????????           |                     
            //   833cf504ed400001     | cmp                 dword ptr [esi*8 + 0x40ed04], 1

    condition:
        // Fires when at least 7 of the 10 $sequence_* strings are present and the
        // scanned object is smaller than 172032 bytes (168 KiB); the size bound
        // keeps the rule from being evaluated against large unrelated binaries.
        // NOTE(review): filesize describes the scanned file; confirm against the
        // YARA documentation how it behaves for process-memory scans before
        // relying on this bound outside of file scanning.
        7 of them and filesize < 172032
}