win.nokki (Back to overview)

Nokki

Actor(s): APT37


Nokki is a RAT-type malware believed to have evolved from the Konni RAT. This malware has been tied to attacks using politically motivated lures targeting Russian- and Cambodian-speaking individuals or organizations. Researchers discovered a tie to the threat actor group known as Reaper, also known as APT37.

References
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-03-04} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Judgment Panda Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare
2018-10-01Palo Alto Networks Unit 42Josh Grunzweig
@online{grunzweig:20181001:nokki:b458c95, author = {Josh Grunzweig}, title = {{NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT}}, date = {2018-10-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/}, language = {English}, urldate = {2019-12-20} } NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT
Nokki
2018-09-27Palo Alto Networks Unit 42Josh Grunzweig, Bryan Lee
@online{grunzweig:20180927:new:d33c053, author = {Josh Grunzweig and Bryan Lee}, title = {{New KONNI Malware attacking Eurasia and Southeast Asia}}, date = {2018-09-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/}, language = {English}, urldate = {2019-12-20} } New KONNI Malware attacking Eurasia and Southeast Asia
Nokki
Yara Rules
[TLP:WHITE] win_nokki_auto (20200529 | autogenerated rule brought to you by yara-signator)
// Detection rule for the Nokki RAT (Malpedia family win.nokki). The rule was
// produced automatically by yara-signator rather than written by hand: each
// $sequence_N string is a run of x86 instruction bytes lifted from disassembly,
// and the comments beneath each string show the instructions those bytes
// encode. The "??" wildcards replace operand bytes that differ between builds
// (e.g. the rel32 displacement of an `e8` call, or the absolute addresses in
// the `ff15`, `a3`, `8b1d`, `8935` and `c705` forms), so the pattern does not
// depend on those concrete values.
rule win_nokki_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): one day after malpedia_rule_date below — presumably the
        // generation date vs. the date of the data snapshot; confirm if it matters.
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each string is followed by a generator annotation: "n" is the number
        // of instructions in the sequence (it matches the instruction count
        // listed below each string); "score" is a weight assigned by
        // yara-signator whose exact meaning is not stated here — see the
        // tool's repository above before relying on it.
        $sequence_0 = { e8???????? 33d2 68ce070000 52 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   68ce070000           | push                0x7ce
            //   52                   | push                edx

        $sequence_1 = { e8???????? 33c9 68ce070000 51 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   68ce070000           | push                0x7ce
            //   51                   | push                ecx

        $sequence_2 = { 56 50 51 e8???????? 83c410 5e 83f850 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   50                   | push                eax
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   5e                   | pop                 esi
            //   83f850               | cmp                 eax, 0x50

        $sequence_3 = { ffd0 8345e404 ebe6 c745e08cb14000 817de090b14000 7311 8b45e0 }
            // n = 7, score = 100
            //   ffd0                 | call                eax
            //   8345e404             | add                 dword ptr [ebp - 0x1c], 4
            //   ebe6                 | jmp                 0xffffffe8
            //   c745e08cb14000       | mov                 dword ptr [ebp - 0x20], 0x40b18c
            //   817de090b14000       | cmp                 dword ptr [ebp - 0x20], 0x40b190
            //   7311                 | jae                 0x13
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]

        $sequence_4 = { 770f 0fb7c2 0fbe80b8c14000 83e00f eb02 }
            // n = 5, score = 100
            //   770f                 | ja                  0x11
            //   0fb7c2               | movzx               eax, dx
            //   0fbe80b8c14000       | movsx               eax, byte ptr [eax + 0x40c1b8]
            //   83e00f               | and                 eax, 0xf
            //   eb02                 | jmp                 4

        $sequence_5 = { 55 8bec 8b4508 ff34c5100a4100 ff15???????? 5d }
            // n = 6, score = 100
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   ff34c5100a4100       | push                dword ptr [eax*8 + 0x410a10]
            //   ff15????????         |                     
            //   5d                   | pop                 ebp

        $sequence_6 = { 85c0 740b 68???????? ff15???????? 6a00 }
            // n = 5, score = 100
            //   85c0                 | test                eax, eax
            //   740b                 | je                  0xd
            //   68????????           |                     
            //   ff15????????         |                     
            //   6a00                 | push                0

        $sequence_7 = { 51 8d5584 68???????? 52 }
            // n = 4, score = 100
            //   51                   | push                ecx
            //   8d5584               | lea                 edx, [ebp - 0x7c]
            //   68????????           |                     
            //   52                   | push                edx

        $sequence_8 = { 68???????? 8d95e4efffff 68???????? 52 e8???????? 83c430 }
            // n = 6, score = 100
            //   68????????           |                     
            //   8d95e4efffff         | lea                 edx, [ebp - 0x101c]
            //   68????????           |                     
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c430               | add                 esp, 0x30

        $sequence_9 = { 8d85f4fdffff 50 ffd7 8b1d???????? 68???????? }
            // n = 5, score = 100
            //   8d85f4fdffff         | lea                 eax, [ebp - 0x20c]
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   8b1d????????         |                     
            //   68????????           |                     

        $sequence_10 = { 8b1d???????? 8da42400000000 6683bdc4fbffff2e 7435 8d85c4fbffff 8d5002 }
            // n = 6, score = 100
            //   8b1d????????         |                     
            //   8da42400000000       | lea                 esp, [esp]
            //   6683bdc4fbffff2e     | cmp                 word ptr [ebp - 0x43c], 0x2e
            //   7435                 | je                  0x37
            //   8d85c4fbffff         | lea                 eax, [ebp - 0x43c]
            //   8d5002               | lea                 edx, [eax + 2]

        $sequence_11 = { 7229 f3a5 ff2495c0334000 8bc7 ba03000000 83e904 }
            // n = 6, score = 100
            //   7229                 | jb                  0x2b
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   ff2495c0334000       | jmp                 dword ptr [edx*4 + 0x4033c0]
            //   8bc7                 | mov                 eax, edi
            //   ba03000000           | mov                 edx, 3
            //   83e904               | sub                 ecx, 4

        $sequence_12 = { ffd3 85c0 0f8402ffffff eb15 8b8d18f8ffff 56 }
            // n = 6, score = 100
            //   ffd3                 | call                ebx
            //   85c0                 | test                eax, eax
            //   0f8402ffffff         | je                  0xffffff08
            //   eb15                 | jmp                 0x17
            //   8b8d18f8ffff         | mov                 ecx, dword ptr [ebp - 0x7e8]
            //   56                   | push                esi

        // Every byte pattern in this sequence is fully wildcarded apart from
        // the opcodes and one immediate (0x4063b7), so it is the loosest of
        // the 14 strings; it only contributes as one vote toward "7 of them".
        $sequence_13 = { c705????????b7634000 8935???????? a3???????? ff15???????? a3???????? }
            // n = 5, score = 100
            //   c705????????b7634000     |     
            //   8935????????         |                     
            //   a3????????           |                     
            //   ff15????????         |                     
            //   a3????????           |                     

    condition:
        // Fire when at least 7 of the 14 sequences are present and the scanned
        // object is below the size bound (so the scan stays cheap and very
        // large files are not attributed to the family on a handful of
        // generic code fragments). Because the sequences were taken from
        // memory dumps and unpacked files (see the disclaimer above), a packed
        // on-disk sample will likely not match until it is unpacked; a hit is a
        // family indicator to triage, not proof on its own.
        7 of them and filesize < 454656
}