win.nokki (Back to overview)

Nokki

Actor(s): APT37


Nokki is a RAT-type malware which is believed to have evolved from Konni RAT. This malware has been tied to attacks using politically motivated lures targeting Russian- and Cambodian-speaking individuals or organizations. Researchers discovered a tie to the threat actor group known as Reaper, also known as APT37.

References
2020-03-04 — CrowdStrike — CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03 — PWC UK — PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2018-10-01 — Palo Alto Networks Unit 42 — Josh Grunzweig
@online{grunzweig:20181001:nokki:b458c95, author = {Josh Grunzweig}, title = {{NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT}}, date = {2018-10-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/}, language = {English}, urldate = {2019-12-20} } NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT
Nokki
2018-09-27 — Palo Alto Networks Unit 42 — Josh Grunzweig, Bryan Lee
@online{grunzweig:20180927:new:d33c053, author = {Josh Grunzweig and Bryan Lee}, title = {{New KONNI Malware attacking Eurasia and Southeast Asia}}, date = {2018-09-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/}, language = {English}, urldate = {2019-12-20} } New KONNI Malware attacking Eurasia and Southeast Asia
Nokki
Yara Rules
[TLP:WHITE] win_nokki_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_nokki_auto {

    /* Purpose: autogenerated detection rule for the Nokki RAT (Malpedia family
     * win.nokki). Each $sequence_N string is a short run of x86 instruction
     * bytes selected by yara-signator from the disassembly of memory dumps and
     * unpacked files, so the rule is aimed at unpacked code rather than packed
     * on-disk droppers. See the DISCLAIMER below for the selection method.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki"
        malpedia_rule_date = "20201222"
        // malpedia_hash / malpedia_version identify the Malpedia data snapshot the
        // rule was generated from; they are provenance fields, not sample hashes.
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Reading the strings below:
     *  - "??" is a YARA wildcard byte. The bytes masked here are the operands
     *    whose disassembly column is left blank (call/jmp displacements, pushed
     *    addresses, [mem] references), which presumably vary with load address
     *    or build, so only the opcode skeleton is matched.
     *  - "n" in the annotation is the number of instructions in the sequence;
     *    "score" is yara-signator's weighting of that sequence — NOTE(review):
     *    the exact scoring semantics are not stated here, treat as relative only.
     */
    strings:
        $sequence_0 = { e8???????? 33d2 68ce070000 52 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   68ce070000           | push                0x7ce
            //   52                   | push                edx

        // Same shape as $sequence_0 with ecx in place of edx (register-allocation variant).
        $sequence_1 = { e8???????? 33c9 68ce070000 51 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   68ce070000           | push                0x7ce
            //   51                   | push                ecx

        $sequence_2 = { 89459a 89459e 8945a2 8945a6 668945aa }
            // n = 5, score = 100
            //   89459a               | mov                 dword ptr [ebp - 0x66], eax
            //   89459e               | mov                 dword ptr [ebp - 0x62], eax
            //   8945a2               | mov                 dword ptr [ebp - 0x5e], eax
            //   8945a6               | mov                 dword ptr [ebp - 0x5a], eax
            //   668945aa             | mov                 word ptr [ebp - 0x56], ax

        $sequence_3 = { 83e001 0f8412000000 83a594fbfffffe 8b8d90fbffff e9???????? c3 }
            // n = 6, score = 100
            //   83e001               | and                 eax, 1
            //   0f8412000000         | je                  0x18
            //   83a594fbfffffe       | and                 dword ptr [ebp - 0x46c], 0xfffffffe
            //   8b8d90fbffff         | mov                 ecx, dword ptr [ebp - 0x470]
            //   e9????????           |                     
            //   c3                   | ret                 

        $sequence_4 = { 68???????? 8bce e8???????? 8d8598fbffff 50 57 ffd3 }
            // n = 7, score = 100
            //   68????????           |                     
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8d8598fbffff         | lea                 eax, [ebp - 0x468]
            //   50                   | push                eax
            //   57                   | push                edi
            //   ffd3                 | call                ebx

        // Contains an absolute address (0x40e418) unmasked: matches only samples
        // with this exact image base/layout — a precise but brittle sequence.
        $sequence_5 = { 40 80b918e4400000 74e8 8a13 0fb6ca 0fbe8918e44000 85c9 }
            // n = 7, score = 100
            //   40                   | inc                 eax
            //   80b918e4400000       | cmp                 byte ptr [ecx + 0x40e418], 0
            //   74e8                 | je                  0xffffffea
            //   8a13                 | mov                 dl, byte ptr [ebx]
            //   0fb6ca               | movzx               ecx, dl
            //   0fbe8918e44000       | movsx               ecx, byte ptr [ecx + 0x40e418]
            //   85c9                 | test                ecx, ecx

        $sequence_6 = { 51 6689852cf8ffff e8???????? 68???????? 8d952cf8ffff 68???????? 52 }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   6689852cf8ffff       | mov                 word ptr [ebp - 0x7d4], ax
            //   e8????????           |                     
            //   68????????           |                     
            //   8d952cf8ffff         | lea                 edx, [ebp - 0x7d4]
            //   68????????           |                     
            //   52                   | push                edx

        $sequence_7 = { 51 8d9518f5ffff 52 ff15???????? bb01000000 }
            // n = 5, score = 100
            //   51                   | push                ecx
            //   8d9518f5ffff         | lea                 edx, [ebp - 0xae8]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   bb01000000           | mov                 ebx, 1

        $sequence_8 = { 6a00 ffd6 8b3d???????? 8d85f4fdffff 50 ffd7 }
            // n = 6, score = 100
            //   6a00                 | push                0
            //   ffd6                 | call                esi
            //   8b3d????????         |                     
            //   8d85f4fdffff         | lea                 eax, [ebp - 0x20c]
            //   50                   | push                eax
            //   ffd7                 | call                edi

        $sequence_9 = { 6800010000 8d8df0feffff 51 e8???????? 85c0 7531 }
            // n = 6, score = 100
            //   6800010000           | push                0x100
            //   8d8df0feffff         | lea                 ecx, [ebp - 0x110]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7531                 | jne                 0x33

        // Like $sequence_5, this one embeds an unmasked absolute address (0x40ddf0).
        $sequence_10 = { 0f8c9f0a0000 8d42e0 6683f858 770f 0fb7c2 0fbe80f0dd4000 83e00f }
            // n = 7, score = 100
            //   0f8c9f0a0000         | jl                  0xaa5
            //   8d42e0               | lea                 eax, [edx - 0x20]
            //   6683f858             | cmp                 ax, 0x58
            //   770f                 | ja                  0x11
            //   0fb7c2               | movzx               eax, dx
            //   0fbe80f0dd4000       | movsx               eax, byte ptr [eax + 0x40ddf0]
            //   83e00f               | and                 eax, 0xf

        // Unmasked absolute address (0x40fc24) as well; see note on $sequence_5.
        $sequence_11 = { 56 e8???????? 8d044524fc4000 8bc8 2bce 6a03 d1f9 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   e8????????           |                     
            //   8d044524fc4000       | lea                 eax, [eax*2 + 0x40fc24]
            //   8bc8                 | mov                 ecx, eax
            //   2bce                 | sub                 ecx, esi
            //   6a03                 | push                3
            //   d1f9                 | sar                 ecx, 1

        $sequence_12 = { 6a00 6a00 68???????? 68???????? 6a00 ff15???????? 8d8d2cf8ffff }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68????????           |                     
            //   68????????           |                     
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   8d8d2cf8ffff         | lea                 ecx, [ebp - 0x7d4]

        $sequence_13 = { 8b48f4 51 50 8bce c745fc00000000 e8???????? }
            // n = 6, score = 100
            //   8b48f4               | mov                 ecx, dword ptr [eax - 0xc]
            //   51                   | push                ecx
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   e8????????           |                     

    /* Match when at least 7 of the 14 $sequence_* strings are present and the
     * scanned object is smaller than 454656 bytes (444 KiB). The size bound
     * limits false positives on large binaries. NOTE(review): the bound is
     * derived from the documented samples; larger builds or dumps of whole
     * process memory may exceed it and be missed — confirm for your scan
     * target before relying on this rule alone.
     */
    condition:
        7 of them and filesize < 454656
}