win.olympic_destroyer

Olympic Destroyer

aka: SOURGRAPE

Malware that appears to have no function other than disrupting computer systems related to the 2018 Winter Olympics.

References
2020-07-29 | Kaspersky Labs | GReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2019-10-17 | Wired | Andy Greenberg
@online{greenberg:20191017:untold:c257d22, author = {Andy Greenberg}, title = {{The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Hack in History}}, date = {2019-10-17}, organization = {Wired}, url = {https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/}, language = {English}, urldate = {2020-01-13} } The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Hack in History
Olympic Destroyer
2019-08-01 | Kaspersky Labs | GReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy Microcin
2019-05-08 | Verizon Communications Inc. | Verizon Communications Inc.
@techreport{inc:20190508:2019:3c20a3b, author = {Verizon Communications Inc.}, title = {{2019 Data Breach Investigations Report}}, date = {2019-05-08}, institution = {Verizon Communications Inc.}, url = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf}, language = {English}, urldate = {2020-05-10} } 2019 Data Breach Investigations Report
BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam
2018-06-19 | Kaspersky Labs | GReAT
@online{great:20180619:hades:99ff28a, author = {GReAT}, title = {{Hades, the actor behind Olympic Destroyer is still alive}}, date = {2018-06-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/olympic-destroyer-is-still-alive/86169/}, language = {English}, urldate = {2019-12-20} } Hades, the actor behind Olympic Destroyer is still alive
Olympic Destroyer
2018-03-28 | Robert Michel
@online{michel:20180328:dissecting:ee6a118, author = {Robert Michel}, title = {{Dissecting Olympic Destroyer – a walk-through}}, date = {2018-03-28}, url = {https://cyber.wtf/2018/03/28/dissecting-olympic-destroyer-a-walk-through/}, language = {English}, urldate = {2019-12-06} } Dissecting Olympic Destroyer – a walk-through
Olympic Destroyer
2018-03-09 | Lastline | lastline Labs Team
@online{team:20180309:from:7820406, author = {lastline Labs Team}, title = {{From Russia(?) with Code}}, date = {2018-03-09}, organization = {Lastline}, url = {https://www.lastline.com/labsblog/attribution-from-russia-with-code/}, language = {English}, urldate = {2020-01-07} } From Russia(?) with Code
Olympic Destroyer
2018-03-08 | Kaspersky Labs | GReAT
@online{great:20180308:olympicdestroyer:79780c9, author = {GReAT}, title = {{OlympicDestroyer is here to trick the industry}}, date = {2018-03-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/}, language = {English}, urldate = {2019-12-20} } OlympicDestroyer is here to trick the industry
Olympic Destroyer
2018-03-08 | Kaspersky Labs | GReAT
@online{great:20180308:devils:3373375, author = {GReAT}, title = {{The devil’s in the Rich header}}, date = {2018-03-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-devils-in-the-rich-header/84348/}, language = {English}, urldate = {2019-12-20} } The devil’s in the Rich header
Olympic Destroyer
2018-02-26 | Cisco Talos | Paul Rascagnères, Martin Lee
@online{rascagnres:20180226:who:095ce83, author = {Paul Rascagnères and Martin Lee}, title = {{Who Wasn’t Responsible for Olympic Destroyer?}}, date = {2018-02-26}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html}, language = {English}, urldate = {2020-01-06} } Who Wasn’t Responsible for Olympic Destroyer?
Olympic Destroyer
2018-02-21 | Lastline | Alexander Sevtsov, Stefano Ortolani
@online{sevtsov:20180221:olympic:6584ecb, author = {Alexander Sevtsov and Stefano Ortolani}, title = {{Olympic Destroyer: A new Candidate in South Korea}}, date = {2018-02-21}, organization = {Lastline}, url = {https://www.lastline.com/labsblog/olympic-destroyer-south-korea/}, language = {English}, urldate = {2019-10-23} } Olympic Destroyer: A new Candidate in South Korea
Olympic Destroyer
2018-02-15 | MBSD | Takashi Yoshikawa, Satoshi Sugawara
@online{yoshikawa:20180215:olympic:a36f959, author = {Takashi Yoshikawa and Satoshi Sugawara}, title = {{Olympic Destroyer}}, date = {2018-02-15}, organization = {MBSD}, url = {https://www.mbsd.jp/blog/20180215.html}, language = {Japanese}, urldate = {2019-12-10} } Olympic Destroyer
Olympic Destroyer
2018-02-13 | Endgame | Devon Kerr
@online{kerr:20180213:stopping:14ebecf, author = {Devon Kerr}, title = {{Stopping Olympic Destroyer: New Process Injection Insights}}, date = {2018-02-13}, organization = {Endgame}, url = {https://www.endgame.com/blog/technical-blog/stopping-olympic-destroyer-new-process-injection-insights}, language = {English}, urldate = {2020-01-08} } Stopping Olympic Destroyer: New Process Injection Insights
Olympic Destroyer
2018-02-12 | Cisco | Warren Mercer, Paul Rascagnères, Ben Baker, Matthew Molyett
@online{mercer:20180212:olympic:f3f8f87, author = {Warren Mercer and Paul Rascagnères and Ben Baker and Matthew Molyett}, title = {{Olympic Destroyer Takes Aim At Winter Olympics}}, date = {2018-02-12}, organization = {Cisco}, url = {http://blog.talosintelligence.com/2018/02/olympic-destroyer.html}, language = {English}, urldate = {2019-11-20} } Olympic Destroyer Takes Aim At Winter Olympics
Olympic Destroyer
2018 | Virus Bulletin | Paul Rascagnères, Warren Mercer
@online{rascagnres:2018:vb2018:121b1de, author = {Paul Rascagnères and Warren Mercer}, title = {{VB2018 paper: Who wasn’t responsible for Olympic Destroyer}}, date = {2018}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2018/10/vb2018-paper-who-wasnt-responsible-olympic-destroyer/}, language = {English}, urldate = {2020-01-09} } VB2018 paper: Who wasn’t responsible for Olympic Destroyer
Olympic Destroyer
Yara Rules
[TLP:WHITE] win_olympic_destroyer_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_olympic_destroyer_auto {

    /* Autogenerated detection rule for the Olympic Destroyer family (yara-signator).
     * It fires when at least 7 of the 23 opcode sequences below are present and the
     * scanned object is smaller than 1392640 bytes (about 1.33 MiB); see "condition".
     * The "meta" section only records provenance and licensing; it does not affect
     * matching.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.olympic_destroyer"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        /* Each $sequence_N is a run of 32-bit x86 instruction bytes taken from the
         * sample's disassembly (the disassembly is echoed in the comments below).
         * The generator's "n" is the instruction count of the sequence and "score"
         * its weighting; the exact meaning of the score is defined by yara-signator.
         * "??" bytes are wildcards masking address-dependent operands -- relative
         * call/jmp targets (e8/e9 rel32) and absolute memory operands (ff15, 8b3d) --
         * so a sequence still matches after relocation or a different link layout.
         * Immediates that are NOT wildcarded (noted inline) tie that one sequence to
         * a specific build/image base; the 7-of-23 threshold absorbs such misses.
         */
        $sequence_0 = { 56 33c0 89542414 57 }
            // n = 4, score = 200
            //   56                   | push                esi
            //   33c0                 | xor                 eax, eax
            //   89542414             | mov                 dword ptr [esp + 0x14], edx
            //   57                   | push                edi

        $sequence_1 = { eb17 8b442424 6a00 56 51 }
            // n = 5, score = 100
            //   eb17                 | jmp                 0x19
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]
            //   6a00                 | push                0
            //   56                   | push                esi
            //   51                   | push                ecx

        $sequence_2 = { c9 c3 55 8bec b82c100000 e8???????? }
            // n = 6, score = 100
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   b82c100000           | mov                 eax, 0x102c
            //   e8????????           |                     

        $sequence_3 = { 6a08 ffd6 50 ff15???????? 8d8594f9ffff 50 ffb58cf9ffff }
            // n = 7, score = 100
            //   6a08                 | push                8
            //   ffd6                 | call                esi
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d8594f9ffff         | lea                 eax, [ebp - 0x66c]
            //   50                   | push                eax
            //   ffb58cf9ffff         | push                dword ptr [ebp - 0x674]

        $sequence_4 = { 83c408 85c0 0f848e000000 8b4614 8d4c2418 }
            // n = 5, score = 100
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   0f848e000000         | je                  0x94
            //   8b4614               | mov                 eax, dword ptr [esi + 0x14]
            //   8d4c2418             | lea                 ecx, [esp + 0x18]

        // NOTE(review): the lea uses the absolute address 0x2001aa4, which is not
        // wildcarded; together with lock cmpxchg this looks like runtime/CRT
        // atomic-init code, so this sequence is probably build-specific -- confirm.
        $sequence_5 = { 8d3c9da41a0002 f00fb10f 8bc8 85c9 740b 8d4101 f7d8 }
            // n = 7, score = 100
            //   8d3c9da41a0002       | lea                 edi, [ebx*4 + 0x2001aa4]
            //   f00fb10f             | lock cmpxchg        dword ptr [edi], ecx
            //   8bc8                 | mov                 ecx, eax
            //   85c9                 | test                ecx, ecx
            //   740b                 | je                  0xd
            //   8d4101               | lea                 eax, [ecx + 1]
            //   f7d8                 | neg                 eax

        $sequence_6 = { 8b87d0000000 53 57 ffd0 806715fd 8bf0 }
            // n = 6, score = 100
            //   8b87d0000000         | mov                 eax, dword ptr [edi + 0xd0]
            //   53                   | push                ebx
            //   57                   | push                edi
            //   ffd0                 | call                eax
            //   806715fd             | and                 byte ptr [edi + 0x15], 0xfd
            //   8bf0                 | mov                 esi, eax

        $sequence_7 = { 742c 8b4614 8d542424 03442438 8d4c2414 6a04 }
            // n = 6, score = 100
            //   742c                 | je                  0x2e
            //   8b4614               | mov                 eax, dword ptr [esi + 0x14]
            //   8d542424             | lea                 edx, [esp + 0x24]
            //   03442438             | add                 eax, dword ptr [esp + 0x38]
            //   8d4c2414             | lea                 ecx, [esp + 0x14]
            //   6a04                 | push                4

        $sequence_8 = { 56 56 6aff 57 ff15???????? 56 8d85f8efffff }
            // n = 7, score = 100
            //   56                   | push                esi
            //   56                   | push                esi
            //   6aff                 | push                -1
            //   57                   | push                edi
            //   ff15????????         |                     
            //   56                   | push                esi
            //   8d85f8efffff         | lea                 eax, [ebp - 0x1008]

        $sequence_9 = { 8b5c2410 8b542420 85db 0f84defdffff }
            // n = 4, score = 100
            //   8b5c2410             | mov                 ebx, dword ptr [esp + 0x10]
            //   8b542420             | mov                 edx, dword ptr [esp + 0x20]
            //   85db                 | test                ebx, ebx
            //   0f84defdffff         | je                  0xfffffde4

        $sequence_10 = { 0f85a9190000 8b75ec 83c714 8b45e8 }
            // n = 4, score = 100
            //   0f85a9190000         | jne                 0x19af
            //   8b75ec               | mov                 esi, dword ptr [ebp - 0x14]
            //   83c714               | add                 edi, 0x14
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]

        $sequence_11 = { ffb590f9ffff 33c0 898d7cf9ffff 8dbd80f9ffff ab }
            // n = 5, score = 100
            //   ffb590f9ffff         | push                dword ptr [ebp - 0x670]
            //   33c0                 | xor                 eax, eax
            //   898d7cf9ffff         | mov                 dword ptr [ebp - 0x684], ecx
            //   8dbd80f9ffff         | lea                 edi, [ebp - 0x680]
            //   ab                   | stosd               dword ptr es:[edi], eax

        $sequence_12 = { 8975dc ffd3 ff75fc 8b3d???????? 6a08 ffd7 }
            // n = 6, score = 100
            //   8975dc               | mov                 dword ptr [ebp - 0x24], esi
            //   ffd3                 | call                ebx
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   8b3d????????         |                     
            //   6a08                 | push                8
            //   ffd7                 | call                edi

        $sequence_13 = { 8b7d08 6689442418 8944242a 668944242e 8b0f 89442410 }
            // n = 6, score = 100
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   6689442418           | mov                 word ptr [esp + 0x18], ax
            //   8944242a             | mov                 dword ptr [esp + 0x2a], eax
            //   668944242e           | mov                 word ptr [esp + 0x2e], ax
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   89442410             | mov                 dword ptr [esp + 0x10], eax

        $sequence_14 = { 53 ffd7 56 8d85e4efffff 50 }
            // n = 5, score = 100
            //   53                   | push                ebx
            //   ffd7                 | call                edi
            //   56                   | push                esi
            //   8d85e4efffff         | lea                 eax, [ebp - 0x101c]
            //   50                   | push                eax

        $sequence_15 = { 8b542418 83c404 8b5d08 33c0 83e3f8 }
            // n = 5, score = 100
            //   8b542418             | mov                 edx, dword ptr [esp + 0x18]
            //   83c404               | add                 esp, 4
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   33c0                 | xor                 eax, eax
            //   83e3f8               | and                 ebx, 0xfffffff8

        // The 8-byte 0f1f84... is a multi-byte nop, i.e. compiler-emitted alignment
        // padding (here ahead of what is presumably a loop head).
        $sequence_16 = { 56 57 8b7c240c 33f6 0f1f840000000000 8b4710 }
            // n = 6, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7c240c             | mov                 edi, dword ptr [esp + 0xc]
            //   33f6                 | xor                 esi, esi
            //   0f1f840000000000     | nop                 dword ptr [eax + eax]
            //   8b4710               | mov                 eax, dword ptr [edi + 0x10]

        // NOTE(review): 0x406bd8 is a hard-coded image address (not wildcarded);
        // rebased or rebuilt binaries may miss this one sequence.
        $sequence_17 = { ff15???????? 8b7508 c7465cd86b4000 83660800 }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   c7465cd86b4000       | mov                 dword ptr [esi + 0x5c], 0x406bd8
            //   83660800             | and                 dword ptr [esi + 8], 0

        $sequence_18 = { 2bca 7523 2bde 84c0 742b 0fb64c3301 }
            // n = 6, score = 100
            //   2bca                 | sub                 ecx, edx
            //   7523                 | jne                 0x25
            //   2bde                 | sub                 ebx, esi
            //   84c0                 | test                al, al
            //   742b                 | je                  0x2d
            //   0fb64c3301           | movzx               ecx, byte ptr [ebx + esi + 1]

        $sequence_19 = { ff75ec ffd3 85c0 740c }
            // n = 4, score = 100
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   ffd3                 | call                ebx
            //   85c0                 | test                eax, eax
            //   740c                 | je                  0xe

        $sequence_20 = { e9???????? c745e00042ff01 e9???????? c745dc02000000 c745e00042ff01 8b4508 8bcf }
            // n = 7, score = 100
            //   e9????????           |                     
            //   c745e00042ff01       | mov                 dword ptr [ebp - 0x20], 0x1ff4200
            //   e9????????           |                     
            //   c745dc02000000       | mov                 dword ptr [ebp - 0x24], 2
            //   c745e00042ff01       | mov                 dword ptr [ebp - 0x20], 0x1ff4200
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8bcf                 | mov                 ecx, edi

        $sequence_21 = { 6a40 ff15???????? 8bd0 85d2 7421 33c9 85f6 }
            // n = 7, score = 100
            //   6a40                 | push                0x40
            //   ff15????????         |                     
            //   8bd0                 | mov                 edx, eax
            //   85d2                 | test                edx, edx
            //   7421                 | je                  0x23
            //   33c9                 | xor                 ecx, ecx
            //   85f6                 | test                esi, esi

        // 0xc0000004 is the NTSTATUS STATUS_INFO_LENGTH_MISMATCH; the backward je
        // (0xffffffd0) looks like a retry-with-larger-buffer loop around a query
        // call that sits outside this sequence -- inferred, not visible here.
        $sequence_22 = { 81ff040000c0 74ce 5e 8bc7 5f 5d }
            // n = 6, score = 100
            //   81ff040000c0         | cmp                 edi, 0xc0000004
            //   74ce                 | je                  0xffffffd0
            //   5e                   | pop                 esi
            //   8bc7                 | mov                 eax, edi
            //   5f                   | pop                 edi
            //   5d                   | pop                 ebp

    /* Any 7 of the 23 sequences suffice, so a single build-specific miss (see the
     * notes on non-wildcarded addresses above) does not break detection. The flip
     * side is that a hit made up only of generic compiler/runtime sequences is weak
     * evidence on its own; corroborate with the referenced reports before acting.
     * The filesize cap bounds the size of the scanned object, not of the process.
     */
    condition:
        7 of them and filesize < 1392640
}