win.nokki

Nokki

Actor(s): APT37


Nokki is a RAT-type malware that is believed to have evolved from the Konni RAT. This malware has been tied to attacks using politically motivated lures targeting Russian- and Cambodian-speaking individuals or organizations. Researchers discovered a tie to the threat actor group known as Reaper, also known as APT37.

References
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA
2018-10-01Palo Alto Networks Unit 42Josh Grunzweig
@online{grunzweig:20181001:nokki:b458c95, author = {Josh Grunzweig}, title = {{NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT}}, date = {2018-10-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/}, language = {English}, urldate = {2019-12-20} } NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT
Nokki
2018-09-27Palo Alto Networks Unit 42Josh Grunzweig, Bryan Lee
@online{grunzweig:20180927:new:d33c053, author = {Josh Grunzweig and Bryan Lee}, title = {{New KONNI Malware attacking Eurasia and Southeast Asia}}, date = {2018-09-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/}, language = {English}, urldate = {2019-12-20} } New KONNI Malware attacking Eurasia and Southeast Asia
Nokki
Yara Rules
[TLP:WHITE] win_nokki_auto (20230407 | Detects win.nokki.)
/*
 * Autogenerated detection rule for the Nokki family (Malpedia id win.nokki).
 * The rule matches on short x86 code byte sequences that yara-signator
 * selected from the disassembly of unpacked samples / memory dumps (see the
 * DISCLAIMER below), so it is intended for unpacked code, not for packed
 * on-disk droppers.
 */
rule win_nokki_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.nokki."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /*
     * Reading the sequences below:
     *  - `??` is a YARA hex wildcard matching any byte. The generator masks
     *    operand bytes that differ between builds (presumably rel32 call/jmp
     *    targets such as `e8 ????????` and absolute data addresses); the
     *    disassembly column is left blank for those entries.
     *  - `n` is the number of instructions in the sequence; `score` is the
     *    weight yara-signator assigned to it. Neither value is used by the
     *    condition, which counts matching strings only.
     */
    strings:
        $sequence_0 = { e8???????? 33d2 68ce070000 52 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   68ce070000           | push                0x7ce
            //   52                   | push                edx

        $sequence_1 = { e8???????? 33c9 68ce070000 51 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   68ce070000           | push                0x7ce
            //   51                   | push                ecx

        $sequence_2 = { 75e6 c6460401 830eff 2b34bd80054100 }
            // n = 4, score = 100
            //   75e6                 | jne                 0xffffffe8
            //   c6460401             | mov                 byte ptr [esi + 4], 1
            //   830eff               | or                  dword ptr [esi], 0xffffffff
            //   2b34bd80054100       | sub                 esi, dword ptr [edi*4 + 0x410580]

        $sequence_3 = { c705????????6a464000 8935???????? a3???????? ff15???????? }
            // n = 4, score = 100
            //   c705????????6a464000     |     
            //   8935????????         |                     
            //   a3????????           |                     
            //   ff15????????         |                     

        $sequence_4 = { c78568f1ffff00000000 ff15???????? 85c0 7536 8d9564f1ffff 52 8b9570f1ffff }
            // n = 7, score = 100
            //   c78568f1ffff00000000     | mov    dword ptr [ebp - 0xe98], 0
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7536                 | jne                 0x38
            //   8d9564f1ffff         | lea                 edx, [ebp - 0xe9c]
            //   52                   | push                edx
            //   8b9570f1ffff         | mov                 edx, dword ptr [ebp - 0xe90]

        $sequence_5 = { e8???????? 85c0 7531 8d95f0feffff 52 e8???????? 8b400c }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7531                 | jne                 0x33
            //   8d95f0feffff         | lea                 edx, [ebp - 0x110]
            //   52                   | push                edx
            //   e8????????           |                     
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]

        $sequence_6 = { e8???????? c70009000000 e8???????? ebd1 8bc8 c1f905 8d3c8d80054100 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   c70009000000         | mov                 dword ptr [eax], 9
            //   e8????????           |                     
            //   ebd1                 | jmp                 0xffffffd3
            //   8bc8                 | mov                 ecx, eax
            //   c1f905               | sar                 ecx, 5
            //   8d3c8d80054100       | lea                 edi, [ecx*4 + 0x410580]

        $sequence_7 = { 57 ffd3 85c0 75b3 }
            // n = 4, score = 100
            //   57                   | push                edi
            //   ffd3                 | call                ebx
            //   85c0                 | test                eax, eax
            //   75b3                 | jne                 0xffffffb5

        $sequence_8 = { 8d642400 33c0 68ce070000 50 8d8d2ef8ffff }
            // n = 5, score = 100
            //   8d642400             | lea                 esp, [esp]
            //   33c0                 | xor                 eax, eax
            //   68ce070000           | push                0x7ce
            //   50                   | push                eax
            //   8d8d2ef8ffff         | lea                 ecx, [ebp - 0x7d2]

        $sequence_9 = { 7463 6a00 6a02 8d85e4efffff }
            // n = 4, score = 100
            //   7463                 | je                  0x65
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   8d85e4efffff         | lea                 eax, [ebp - 0x101c]

        $sequence_10 = { 751d 8d04f500ed4000 8938 68a00f0000 ff30 }
            // n = 5, score = 100
            //   751d                 | jne                 0x1f
            //   8d04f500ed4000       | lea                 eax, [esi*8 + 0x40ed00]
            //   8938                 | mov                 dword ptr [eax], edi
            //   68a00f0000           | push                0xfa0
            //   ff30                 | push                dword ptr [eax]

        $sequence_11 = { 8d9520f8ffff 52 e8???????? 83c408 85c0 744a 56 }
            // n = 7, score = 100
            //   8d9520f8ffff         | lea                 edx, [ebp - 0x7e0]
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   744a                 | je                  0x4c
            //   56                   | push                esi

        $sequence_12 = { 741a 8b8d08f8ffff 51 8d9520f8ffff 52 e8???????? }
            // n = 6, score = 100
            //   741a                 | je                  0x1c
            //   8b8d08f8ffff         | mov                 ecx, dword ptr [ebp - 0x7f8]
            //   51                   | push                ecx
            //   8d9520f8ffff         | lea                 edx, [ebp - 0x7e0]
            //   52                   | push                edx
            //   e8????????           |                     

        $sequence_13 = { 8b8d18f8ffff e9???????? c3 8b542408 8d420c 8b8af8f7ffff 33c8 }
            // n = 7, score = 100
            //   8b8d18f8ffff         | mov                 ecx, dword ptr [ebp - 0x7e8]
            //   e9????????           |                     
            //   c3                   | ret                 
            //   8b542408             | mov                 edx, dword ptr [esp + 8]
            //   8d420c               | lea                 eax, [edx + 0xc]
            //   8b8af8f7ffff         | mov                 ecx, dword ptr [edx - 0x808]
            //   33c8                 | xor                 ecx, eax

    /*
     * Fires when at least 7 of the 14 $sequence_* strings are present AND the
     * scanned object is smaller than 454656 bytes (444 KiB). Note that the
     * size bound is evaluated against whatever is being scanned: a full
     * process memory dump or a large container holding the unpacked code will
     * not match even if the sequences are present, so adjust or drop the
     * filesize clause when scanning such artifacts (at the cost of more
     * false positives from generic compiler/library code).
     */
    condition:
        7 of them and filesize < 454656
}