SYMBOLCOMMON_NAMEaka. SYNONYMS
win.nokki (Back to overview)

Nokki

Actor(s): APT37


Nokki is a RAT type malware which is believe to evolve from Konni RAT. This malware has been tied to attacks containing politically-motivated lures targeting Russian and Cambodian speaking individuals or organizations. Researchers discovered a tie to the threat actor group known as Reaper also known as APT37.

References
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA
2018-10-01Palo Alto Networks Unit 42Josh Grunzweig
@online{grunzweig:20181001:nokki:b458c95, author = {Josh Grunzweig}, title = {{NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT}}, date = {2018-10-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/}, language = {English}, urldate = {2019-12-20} } NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT
Nokki
2018-09-27Palo Alto Networks Unit 42Josh Grunzweig, Bryan Lee
@online{grunzweig:20180927:new:d33c053, author = {Josh Grunzweig and Bryan Lee}, title = {{New KONNI Malware attacking Eurasia and Southeast Asia}}, date = {2018-09-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/}, language = {English}, urldate = {2019-12-20} } New KONNI Malware attacking Eurasia and Southeast Asia
Nokki
Yara Rules
[TLP:WHITE] win_nokki_auto (20220808 | Detects win.nokki.)
rule win_nokki_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.nokki."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 33d2 68ce070000 52 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   68ce070000           | push                0x7ce
            //   52                   | push                edx

        $sequence_1 = { e8???????? 33c9 68ce070000 51 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   68ce070000           | push                0x7ce
            //   51                   | push                ecx

        $sequence_2 = { 51 0fb74dd4 52 0fb755ba 50 }
            // n = 5, score = 100
            //   51                   | push                ecx
            //   0fb74dd4             | movzx               ecx, word ptr [ebp - 0x2c]
            //   52                   | push                edx
            //   0fb755ba             | movzx               edx, word ptr [ebp - 0x46]
            //   50                   | push                eax

        $sequence_3 = { 8b851cf8ffff 8d8d0cf8ffff 51 6a00 6a00 }
            // n = 5, score = 100
            //   8b851cf8ffff         | mov                 eax, dword ptr [ebp - 0x7e4]
            //   8d8d0cf8ffff         | lea                 ecx, [ebp - 0x7f4]
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_4 = { 50 8d8db6f7ffff 51 668985b4f7ffff e8???????? }
            // n = 5, score = 100
            //   50                   | push                eax
            //   8d8db6f7ffff         | lea                 ecx, [ebp - 0x84a]
            //   51                   | push                ecx
            //   668985b4f7ffff       | mov                 word ptr [ebp - 0x84c], ax
            //   e8????????           |                     

        $sequence_5 = { 897e14 897e70 c686c800000043 c6864b01000043 c7466860e54000 }
            // n = 5, score = 100
            //   897e14               | mov                 dword ptr [esi + 0x14], edi
            //   897e70               | mov                 dword ptr [esi + 0x70], edi
            //   c686c800000043       | mov                 byte ptr [esi + 0xc8], 0x43
            //   c6864b01000043       | mov                 byte ptr [esi + 0x14b], 0x43
            //   c7466860e54000       | mov                 dword ptr [esi + 0x68], 0x40e560

        $sequence_6 = { 0fb7f9 6a00 57 e8???????? 83c408 85c0 }
            // n = 6, score = 100
            //   0fb7f9               | movzx               edi, cx
            //   6a00                 | push                0
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax

        $sequence_7 = { 68???????? 68???????? e8???????? 8bf0 56 6a01 6a01 }
            // n = 7, score = 100
            //   68????????           |                     
            //   68????????           |                     
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   56                   | push                esi
            //   6a01                 | push                1
            //   6a01                 | push                1

        $sequence_8 = { 52 ff15???????? bb01000000 53 }
            // n = 4, score = 100
            //   52                   | push                edx
            //   ff15????????         |                     
            //   bb01000000           | mov                 ebx, 1
            //   53                   | push                ebx

        $sequence_9 = { 53 8b1d???????? 56 57 8d642400 33c0 }
            // n = 6, score = 100
            //   53                   | push                ebx
            //   8b1d????????         |                     
            //   56                   | push                esi
            //   57                   | push                edi
            //   8d642400             | lea                 esp, [esp]
            //   33c0                 | xor                 eax, eax

        $sequence_10 = { 68???????? 8bce e8???????? 33c9 6806020000 }
            // n = 5, score = 100
            //   68????????           |                     
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   6806020000           | push                0x206

        $sequence_11 = { 8d95ecfbffff 52 6a00 ff15???????? 8d85ecfbffff 50 }
            // n = 6, score = 100
            //   8d95ecfbffff         | lea                 edx, [ebp - 0x414]
            //   52                   | push                edx
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   8d85ecfbffff         | lea                 eax, [ebp - 0x414]
            //   50                   | push                eax

        $sequence_12 = { e8???????? 83c430 6a00 6a00 6a00 6a01 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   83c430               | add                 esp, 0x30
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a01                 | push                1

        $sequence_13 = { 50 e8???????? 83c410 8b00 8b48f4 51 50 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8b48f4               | mov                 ecx, dword ptr [eax - 0xc]
            //   51                   | push                ecx
            //   50                   | push                eax

    condition:
        7 of them and filesize < 454656
}
Download all Yara Rules