win.nokki

Nokki

Actor(s): APT37


Nokki is a RAT-type malware that is believed to have evolved from the KONNI RAT. It has been tied to attacks that used politically motivated lures targeting Russian- and Cambodian-speaking individuals and organizations. Researchers have linked it to the threat actor group known as Reaper, also tracked as APT37.

References
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2018-10-01Palo Alto Networks Unit 42Josh Grunzweig
@online{grunzweig:20181001:nokki:b458c95, author = {Josh Grunzweig}, title = {{NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT}}, date = {2018-10-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/}, language = {English}, urldate = {2019-12-20} } NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT
Nokki
2018-09-27Palo Alto Networks Unit 42Josh Grunzweig, Bryan Lee
@online{grunzweig:20180927:new:d33c053, author = {Josh Grunzweig and Bryan Lee}, title = {{New KONNI Malware attacking Eurasia and Southeast Asia}}, date = {2018-09-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/}, language = {English}, urldate = {2019-12-20} } New KONNI Malware attacking Eurasia and Southeast Asia
Nokki
Yara Rules
[TLP:WHITE] win_nokki_auto (20220411 | Detects win.nokki.)
rule win_nokki_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.nokki."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (practitioner caveats, not part of the generated rule)
     * - Every $sequence_N below is a 32-bit x86 opcode sequence lifted from
     *   unpacked / memory-dumped code (see DISCLAIMER). Expect hits on process
     *   memory and unpacked PE files; a packed on-disk dropper will generally
     *   not expose these bytes, so pair this rule with memory scanning.
     * - The "??" bytes mask operands that the generator treated as non-portable
     *   (call/jump targets, pointer immediates); the disassembly column is left
     *   blank for those instructions.
     * - Several sequences still embed absolute addresses as displacements or
     *   immediates (0x40ed00, 0x40e560, 0x410580, 0x410260). These look like
     *   image-base-specific values of a 0x400000-based build, so a relinked or
     *   rebased build may miss those strings while still matching the others.
     * - The per-string "score" is emitted by yara-signator and is not defined
     *   here ($sequence_0/$sequence_1 carry 200, the rest 100); presumably a
     *   frequency/quality measure across documented samples - confirm before
     *   using it to weight hits.
     */

    strings:
        // Two near-identical prologues: clear a register, push 0x7ce, push it.
        // The masked call target differs, so both are kept as separate strings.
        $sequence_0 = { e8???????? 33d2 68ce070000 52 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   68ce070000           | push                0x7ce
            //   52                   | push                edx

        $sequence_1 = { e8???????? 33c9 68ce070000 51 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   68ce070000           | push                0x7ce
            //   51                   | push                ecx

        // 0x80000002 is the value used for the HKEY_LOCAL_MACHINE predefined
        // key; this is likely an argument setup for a registry API call -
        // confirm against the disassembly before treating it as a behavior tag.
        $sequence_2 = { 6802000080 6880000000 6a01 68???????? }
            // n = 4, score = 100
            //   6802000080           | push                0x80000002
            //   6880000000           | push                0x80
            //   6a01                 | push                1
            //   68????????           |                     

        // Standard MSVC hot-patchable prologue followed by an indexed read from
        // an absolute table at 0x40ed00 (image-base-specific, see notes above).
        $sequence_3 = { 8bff 55 8bec 8b4508 ff34c500ed4000 ff15???????? }
            // n = 6, score = 100
            //   8bff                 | mov                 edi, edi
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   ff34c500ed4000       | push                dword ptr [eax*8 + 0x40ed00]
            //   ff15????????         |                     

        // Large stack frame (ebp - 0x1790 region); the 0x3e8 (1000) immediate
        // is pushed as an argument - its meaning is not established here.
        $sequence_4 = { 0f8553020000 899d70e8ffff 8b8d70e8ffff 8b956ce8ffff 68e8030000 }
            // n = 5, score = 100
            //   0f8553020000         | jne                 0x259
            //   899d70e8ffff         | mov                 dword ptr [ebp - 0x1790], ebx
            //   8b8d70e8ffff         | mov                 ecx, dword ptr [ebp - 0x1790]
            //   8b956ce8ffff         | mov                 edx, dword ptr [ebp - 0x1794]
            //   68e8030000           | push                0x3e8

        // Structure initialisation: writes 'C' (0x43) at +0xc8 and +0x14b and a
        // function/table pointer (0x40e560) at +0x68. $sequence_13 is the same
        // code with a different absolute pointer (0x410260), presumably from a
        // second build - do not expect both to hit on one sample.
        $sequence_5 = { 47 897e14 897e70 c686c800000043 c6864b01000043 c7466860e54000 }
            // n = 6, score = 100
            //   47                   | inc                 edi
            //   897e14               | mov                 dword ptr [esi + 0x14], edi
            //   897e70               | mov                 dword ptr [esi + 0x70], edi
            //   c686c800000043       | mov                 byte ptr [esi + 0xc8], 0x43
            //   c6864b01000043       | mov                 byte ptr [esi + 0x14b], 0x43
            //   c7466860e54000       | mov                 dword ptr [esi + 0x68], 0x40e560

        $sequence_6 = { 68???????? 8d8d68e8ffff e8???????? 8bbd68e8ffff 3bfb 742a 8b9574e8ffff }
            // n = 7, score = 100
            //   68????????           |                     
            //   8d8d68e8ffff         | lea                 ecx, dword ptr [ebp - 0x1798]
            //   e8????????           |                     
            //   8bbd68e8ffff         | mov                 edi, dword ptr [ebp - 0x1798]
            //   3bfb                 | cmp                 edi, ebx
            //   742a                 | je                  0x2c
            //   8b9574e8ffff         | mov                 edx, dword ptr [ebp - 0x178c]

        // Indirect call through edx, then the result (+0x10) is stored; the
        // masked mov-immediate is a pointer the generator refused to hardcode.
        $sequence_7 = { ffd2 83c010 8906 b8???????? bb01000000 }
            // n = 5, score = 100
            //   ffd2                 | call                edx
            //   83c010               | add                 eax, 0x10
            //   8906                 | mov                 dword ptr [esi], eax
            //   b8????????           |                     
            //   bb01000000           | mov                 ebx, 1

        $sequence_8 = { 6a00 ff15???????? 8d8d2cf8ffff 51 }
            // n = 4, score = 100
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   8d8d2cf8ffff         | lea                 ecx, dword ptr [ebp - 0x7d4]
            //   51                   | push                ecx

        $sequence_9 = { 33c0 52 0fb755da 894586 89458a }
            // n = 5, score = 100
            //   33c0                 | xor                 eax, eax
            //   52                   | push                edx
            //   0fb755da             | movzx               edx, word ptr [ebp - 0x26]
            //   894586               | mov                 dword ptr [ebp - 0x7a], eax
            //   89458a               | mov                 dword ptr [ebp - 0x76], eax

        // Argument setup ending in an imported-function call; 0x40000000 is the
        // value of GENERIC_WRITE, so this is likely a file-open call site -
        // NOTE(review): confirm the callee before labelling it as such.
        $sequence_10 = { 6a01 6a00 6a00 6800000040 52 ff15???????? }
            // n = 6, score = 100
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6800000040           | push                0x40000000
            //   52                   | push                edx
            //   ff15????????         |                     

        // Table lookup keyed by (edx >> 5) at absolute 0x410580, then a flag
        // byte is cleared with "and 0x80" - image-base-specific (see notes).
        $sequence_11 = { c1fa05 8b149580054100 c1e006 8d440224 802080 884dfd }
            // n = 6, score = 100
            //   c1fa05               | sar                 edx, 5
            //   8b149580054100       | mov                 edx, dword ptr [edx*4 + 0x410580]
            //   c1e006               | shl                 eax, 6
            //   8d440224             | lea                 eax, dword ptr [edx + eax + 0x24]
            //   802080               | and                 byte ptr [eax], 0x80
            //   884dfd               | mov                 byte ptr [ebp - 3], cl

        // Same 0x3e8 (1000) constant as $sequence_4, here kept in edi and
        // spilled to a large stack frame (ebp - 0x2bc0) around an import call.
        $sequence_12 = { bfe8030000 51 89bd40d4ffff ff15???????? 6a1a }
            // n = 5, score = 100
            //   bfe8030000           | mov                 edi, 0x3e8
            //   51                   | push                ecx
            //   89bd40d4ffff         | mov                 dword ptr [ebp - 0x2bc0], edi
            //   ff15????????         |                     
            //   6a1a                 | push                0x1a

        // Variant of $sequence_5 (see comment there) with pointer 0x410260.
        $sequence_13 = { 897e70 c686c800000043 c6864b01000043 c7466860024100 6a0d e8???????? 59 }
            // n = 7, score = 100
            //   897e70               | mov                 dword ptr [esi + 0x70], edi
            //   c686c800000043       | mov                 byte ptr [esi + 0xc8], 0x43
            //   c6864b01000043       | mov                 byte ptr [esi + 0x14b], 0x43
            //   c7466860024100       | mov                 dword ptr [esi + 0x68], 0x410260
            //   6a0d                 | push                0xd
            //   e8???????? |                     
            //   59                   | pop                 ecx

    condition:
        // At least 7 of the 14 sequences must be present. The filesize cap
        // (444 KiB) is meant to bound scan cost and exclude unrelated large
        // files; note that it also excludes padded/inflated samples and does
        // not apply when scanning process memory.
        7 of them and filesize < 454656
}