win.nokki

Nokki

Actor(s): APT37


Nokki is a RAT (remote access trojan) believed to have evolved from the Konni RAT. It has been tied to attacks using politically motivated lures that target Russian- and Cambodian-speaking individuals and organizations. Researchers have also linked it to the threat actor group known as Reaper, also known as APT37.

References
2020-03-04 | CrowdStrike | CrowdStrike
    2020 CrowdStrike Global Threat Report
    Covers: MESSAGETAP, More_eggs, 8.t Dropper, Anchor, BabyShark, BadNews, Clop, Cobalt Strike, CobInt, Cobra Carbon System, Cutwail, DanaBot, Dharma, DoppelDridex, DoppelPaymer, Dridex, Emotet, FlawedAmmyy, FriedEx, Gandcrab, Get2, IcedID, ISFB, KerrDown, LightNeuron, LockerGoga, Maze, MECHANICAL, Necurs, Nokki, Outlook Backdoor, Phobos, Predator The Thief, QakBot, REvil, RobinHood, Ryuk, SDBbot, Skipper, SmokeLoader, TerraRecon, TerraStealer, TerraTV, TinyLoader, TrickBot, Vidar, Winnti, ANTHROPOID SPIDER, APT23, APT31, APT39, APT40, BlackTech, BuhTrap, Charming Kitten, CLOCKWORK SPIDER, DOPPEL SPIDER, FIN7, Gamaredon Group, GOBLIN PANDA, MONTY SPIDER, MUSTANG PANDA, NARWHAL SPIDER, NOCTURNAL SPIDER, PINCHY SPIDER, SALTY SPIDER, SCULLY SPIDER, SMOKY SPIDER, Thrip, VENOM SPIDER, VICEROY TIGER

2020-03-03 | PWC UK | PWC UK
    Cyber Threats 2019: A Year in Retrospect
    Covers: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, APT41, MUSTANG PANDA, Sea Turtle

2018-10-01 | Palo Alto Networks Unit 42 | Josh Grunzweig
    NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT
    Covers: Nokki

2018-09-27 | Palo Alto Networks Unit 42 | Bryan Lee, Josh Grunzweig
    New KONNI Malware attacking Eurasia and Southeast Asia
    Covers: Nokki
Yara Rules
[TLP:WHITE] win_nokki_auto (20230808 | Detects win.nokki.)
rule win_nokki_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.nokki."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 33d2 68ce070000 52 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   68ce070000           | push                0x7ce
            //   52                   | push                edx

        $sequence_1 = { e8???????? 33c9 68ce070000 51 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   68ce070000           | push                0x7ce
            //   51                   | push                ecx

        $sequence_2 = { 8b420c 898d08f8ffff b9???????? 89b518f8ffff ffd0 }
            // n = 5, score = 100
            //   8b420c               | mov                 eax, dword ptr [edx + 0xc]
            //   898d08f8ffff         | mov                 dword ptr [ebp - 0x7f8], ecx
            //   b9????????           |                     
            //   89b518f8ffff         | mov                 dword ptr [ebp - 0x7e8], esi
            //   ffd0                 | call                eax

        $sequence_3 = { 884c0204 8b06 8bd0 83e01f c1fa05 8b149580054100 c1e006 }
            // n = 7, score = 100
            //   884c0204             | mov                 byte ptr [edx + eax + 4], cl
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8bd0                 | mov                 edx, eax
            //   83e01f               | and                 eax, 0x1f
            //   c1fa05               | sar                 edx, 5
            //   8b149580054100       | mov                 edx, dword ptr [edx*4 + 0x410580]
            //   c1e006               | shl                 eax, 6

        $sequence_4 = { 8d8daaddffff 51 668985a8ddffff e8???????? 6800010000 8d95f0feffff 6a00 }
            // n = 7, score = 100
            //   8d8daaddffff         | lea                 ecx, [ebp - 0x2256]
            //   51                   | push                ecx
            //   668985a8ddffff       | mov                 word ptr [ebp - 0x2258], ax
            //   e8????????           |                     
            //   6800010000           | push                0x100
            //   8d95f0feffff         | lea                 edx, [ebp - 0x110]
            //   6a00                 | push                0

        $sequence_5 = { 6a01 6a00 ff15???????? 8bf8 85ff 0f848a000000 6a00 }
            // n = 7, score = 100
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   0f848a000000         | je                  0x90
            //   6a00                 | push                0

        $sequence_6 = { 51 8d9520f8ffff 52 e8???????? 83c408 85c0 744a }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   8d9520f8ffff         | lea                 edx, [ebp - 0x7e0]
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   744a                 | je                  0x4c

        $sequence_7 = { ffd6 57 ffd6 68a0bb0d00 }
            // n = 4, score = 100
            //   ffd6                 | call                esi
            //   57                   | push                edi
            //   ffd6                 | call                esi
            //   68a0bb0d00           | push                0xdbba0

        $sequence_8 = { 8a8c181d010000 888888054100 40 ebe6 ff35???????? }
            // n = 5, score = 100
            //   8a8c181d010000       | mov                 cl, byte ptr [eax + ebx + 0x11d]
            //   888888054100         | mov                 byte ptr [eax + 0x410588], cl
            //   40                   | inc                 eax
            //   ebe6                 | jmp                 0xffffffe8
            //   ff35????????         |                     

        $sequence_9 = { 33ff ffb7d4ec4000 ff15???????? 8987d4ec4000 83c704 83ff28 }
            // n = 6, score = 100
            //   33ff                 | xor                 edi, edi
            //   ffb7d4ec4000         | push                dword ptr [edi + 0x40ecd4]
            //   ff15????????         |                     
            //   8987d4ec4000         | mov                 dword ptr [edi + 0x40ecd4], eax
            //   83c704               | add                 edi, 4
            //   83ff28               | cmp                 edi, 0x28

        $sequence_10 = { 83c40c 6804010000 8d95f4fdffff 52 6a00 ffd6 }
            // n = 6, score = 100
            //   83c40c               | add                 esp, 0xc
            //   6804010000           | push                0x104
            //   8d95f4fdffff         | lea                 edx, [ebp - 0x20c]
            //   52                   | push                edx
            //   6a00                 | push                0
            //   ffd6                 | call                esi

        $sequence_11 = { 8d7810 89bd68e8ffff 8b8d60e8ffff 8b9564e8ffff 8d856ce8ffff 50 }
            // n = 6, score = 100
            //   8d7810               | lea                 edi, [eax + 0x10]
            //   89bd68e8ffff         | mov                 dword ptr [ebp - 0x1798], edi
            //   8b8d60e8ffff         | mov                 ecx, dword ptr [ebp - 0x17a0]
            //   8b9564e8ffff         | mov                 edx, dword ptr [ebp - 0x179c]
            //   8d856ce8ffff         | lea                 eax, [ebp - 0x1794]
            //   50                   | push                eax

        $sequence_12 = { 8bce e8???????? 33d2 6806020000 52 8d85eafdffff 50 }
            // n = 7, score = 100
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   6806020000           | push                0x206
            //   52                   | push                edx
            //   8d85eafdffff         | lea                 eax, [ebp - 0x216]
            //   50                   | push                eax

        $sequence_13 = { 8d8df4fdffff 51 ffd3 8d95f4fdffff 68???????? }
            // n = 5, score = 100
            //   8d8df4fdffff         | lea                 ecx, [ebp - 0x20c]
            //   51                   | push                ecx
            //   ffd3                 | call                ebx
            //   8d95f4fdffff         | lea                 edx, [ebp - 0x20c]
            //   68????????           |                     

    condition:
        7 of them and filesize < 454656
}
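To understand what win_nokki_auto actually tests for, the Python script below (an added example written for this page; it is not Malpedia's code and not part of yara-signator) re-implements the subset of YARA hex-string semantics the rule relies on: literal bytes, the "??" one-byte wildcard that masks call targets and absolute addresses, and the condition "7 of them and filesize < 454656". It goes one step beyond the rule by also handling single-nibble wildcards ("4?", "?a"), which YARA supports but this rule does not use; jumps and alternatives from the YARA hex grammar are deliberately not implemented. The buffers it scans are constructed by instantiating the rule's own 14 sequences with NOP padding between them; they are test data, not malware samples. The rule text itself is what you would load into yara or yara-python in production; the script only makes its matching logic visible.

```python
import re

# The 14 hex strings of win_nokki_auto, copied from the rule text above.
# "??" is YARA's one-byte wildcard; in this rule it masks call targets and
# absolute addresses that differ between builds.
RULE_STRINGS = {
    "sequence_0": "e8???????? 33d2 68ce070000 52",
    "sequence_1": "e8???????? 33c9 68ce070000 51",
    "sequence_2": "8b420c 898d08f8ffff b9???????? 89b518f8ffff ffd0",
    "sequence_3": "884c0204 8b06 8bd0 83e01f c1fa05 8b149580054100 c1e006",
    "sequence_4": "8d8daaddffff 51 668985a8ddffff e8???????? 6800010000 8d95f0feffff 6a00",
    "sequence_5": "6a01 6a00 ff15???????? 8bf8 85ff 0f848a000000 6a00",
    "sequence_6": "51 8d9520f8ffff 52 e8???????? 83c408 85c0 744a",
    "sequence_7": "ffd6 57 ffd6 68a0bb0d00",
    "sequence_8": "8a8c181d010000 888888054100 40 ebe6 ff35????????",
    "sequence_9": "33ff ffb7d4ec4000 ff15???????? 8987d4ec4000 83c704 83ff28",
    "sequence_10": "83c40c 6804010000 8d95f4fdffff 52 6a00 ffd6",
    "sequence_11": "8d7810 89bd68e8ffff 8b8d60e8ffff 8b9564e8ffff 8d856ce8ffff 50",
    "sequence_12": "8bce e8???????? 33d2 6806020000 52 8d85eafdffff 50",
    "sequence_13": "8d8df4fdffff 51 ffd3 8d95f4fdffff 68????????",
}
MIN_MATCHES = 7          # condition: "7 of them"
MAX_FILESIZE = 454656    # condition: "filesize < 454656"
HEX_DIGITS = "0123456789abcdef"


def _byte_class(pair: str) -> bytes:
    """Regex fragment for one two-character hex token."""
    if pair == "??":                                   # any single byte
        return b"."
    if pair[1] == "?":                                 # high nibble fixed, e.g. "4?"
        base = int(pair[0], 16) << 4
        return b"[\\x%02x-\\x%02x]" % (base, base | 0x0f)
    if pair[0] == "?":                                 # low nibble fixed, e.g. "?a"
        low = int(pair[1], 16)
        return b"[" + b"".join(b"\\x%02x" % ((hi << 4) | low) for hi in range(16)) + b"]"
    return b"\\x%02x" % int(pair, 16)                  # literal byte


def hex_string_to_regex(hex_body: str) -> bytes:
    """Translate a YARA hex string body into an equivalent bytes regex.
    Supports literal bytes and '?' wildcards only (no jumps, no alternatives)."""
    out = b""
    for token in hex_body.lower().split():
        if len(token) % 2 or any(c not in HEX_DIGITS + "?" for c in token):
            raise ValueError(f"unsupported hex token: {token!r}")
        for i in range(0, len(token), 2):
            out += _byte_class(token[i:i + 2])
    return out


# Compile every string once; DOTALL makes "." match any byte, including 0x0a.
COMPILED = {name: re.compile(hex_string_to_regex(body), re.DOTALL)
            for name, body in RULE_STRINGS.items()}


def matches(hex_body: str, data: bytes) -> bool:
    """True if a single hex string occurs anywhere in data."""
    return re.search(hex_string_to_regex(hex_body), data, re.DOTALL) is not None


def evaluate(data: bytes):
    """Mirror of the rule condition '7 of them and filesize < 454656'.
    Returns (verdict, sorted names of the strings that matched)."""
    hits = sorted(name for name, rx in COMPILED.items() if rx.search(data))
    return len(hits) >= MIN_MATCHES and len(data) < MAX_FILESIZE, hits


def instantiate(hex_body: str, filler: str = "4") -> bytes:
    """Concrete bytes for a hex string; every '?' nibble becomes `filler`.
    Used only to build constructed test buffers."""
    return bytes(int(tok[i:i + 2].replace("?", filler), 16)
                 for tok in hex_body.lower().split()
                 for i in range(0, len(tok), 2))


def build_sample(names, pad: bytes = b"\x90" * 16) -> bytes:
    """Constructed buffer (not a real sample): NOP padding around the
    instantiated sequences named in `names`."""
    return pad + pad.join(instantiate(RULE_STRINGS[n]) for n in names) + pad


if __name__ == "__main__":
    names = list(RULE_STRINGS)
    print(evaluate(build_sample(names)))                                # all 14 match -> True
    print(evaluate(build_sample(names[:3])))                            # 3 of 14 -> False
    print(evaluate(build_sample(names[:7]) + b"\x00" * MAX_FILESIZE))   # 7 match but too large -> False
```

The third case is the one worth noticing when tuning confidence: a file that carries seven of the sequences but exceeds the size bound is a miss under this rule, so a padded or repacked build of the same code can slip past it even though the code patterns are intact. That, together with the single-sample caveat in the rule's own disclaimer, is why auto-generated rules of this kind are best treated as one signal among several rather than a verdict on their own.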