SYMBOLCOMMON_NAMEaka. SYNONYMS
win.orchard (Back to overview)

Orchard


A malware generating DGA domains seeded by the Bitcoin Genesis Block.

References
2022-10-17Malversegreenplan
@online{greenplan:20221017:stack:5c74181, author = {greenplan}, title = {{Stack String Decryption with Ghidra Emulator (Orchard)}}, date = {2022-10-17}, organization = {Malverse}, url = {https://malverse.it/stack-string-decryptor-con-ghidra-emulator-orchard}, language = {Italian}, urldate = {2022-10-18} } Stack String Decryption with Ghidra Emulator (Orchard)
Orchard
2022-08-05360 netlab360 Netlab
@online{netlab:20220805:new:d4f6a02, author = {360 Netlab}, title = {{A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information}}, date = {2022-08-05}, organization = {360 netlab}, url = {https://blog.netlab.360.com/a-new-botnet-orchard-generates-dga-domains-with-bitcoin-transaction-information/}, language = {English}, urldate = {2022-08-30} } A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
Orchard
2022-08-05360 netlabDaji, suqitian
@online{daji:20220805:dga:b184bd8, author = {Daji and suqitian}, title = {{The DGA family Orchard continues to change, and the new version generates DGA domain names using Bitcoin transaction information}}, date = {2022-08-05}, organization = {360 netlab}, url = {https://blog.netlab.360.com/orchard-dga/}, language = {Chinese}, urldate = {2022-09-21} } The DGA family Orchard continues to change, and the new version generates DGA domain names using Bitcoin transaction information
Orchard
2022-07-24bin.reJohannes Bader
@online{bader:20220724:dga:cf56d0c, author = {Johannes Bader}, title = {{A DGA Seeded by the Bitcoin Genesis Block}}, date = {2022-07-24}, organization = {bin.re}, url = {https://bin.re/blog/a-dga-seeded-by-the-bitcoin-genesis-block/}, language = {English}, urldate = {2022-08-08} } A DGA Seeded by the Bitcoin Genesis Block
Orchard
Yara Rules
[TLP:WHITE] win_orchard_auto (20230125 | Detects win.orchard.)
rule win_orchard_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.orchard."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.orchard"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 ff9530ffffff 83ee01 75f0 8d45e8 50 56 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   ff9530ffffff         | call                dword ptr [ebp - 0xd0]
            //   83ee01               | sub                 esi, 1
            //   75f0                 | jne                 0xfffffff2
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax
            //   56                   | push                esi

        $sequence_1 = { 83781408 7202 8b08 ff7010 51 8d4db0 e8???????? }
            // n = 7, score = 100
            //   83781408             | cmp                 dword ptr [eax + 0x14], 8
            //   7202                 | jb                  4
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   ff7010               | push                dword ptr [eax + 0x10]
            //   51                   | push                ecx
            //   8d4db0               | lea                 ecx, [ebp - 0x50]
            //   e8????????           |                     

        $sequence_2 = { 51 8d4e44 e8???????? 8b5654 8bcb c1e90c 80e13f }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   8d4e44               | lea                 ecx, [esi + 0x44]
            //   e8????????           |                     
            //   8b5654               | mov                 edx, dword ptr [esi + 0x54]
            //   8bcb                 | mov                 ecx, ebx
            //   c1e90c               | shr                 ecx, 0xc
            //   80e13f               | and                 cl, 0x3f

        $sequence_3 = { 8b45e8 0f434dd8 03c1 897b04 837dec10 8d4dd8 }
            // n = 6, score = 100
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   0f434dd8             | cmovae              ecx, dword ptr [ebp - 0x28]
            //   03c1                 | add                 eax, ecx
            //   897b04               | mov                 dword ptr [ebx + 4], edi
            //   837dec10             | cmp                 dword ptr [ebp - 0x14], 0x10
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]

        $sequence_4 = { a1???????? 8945d8 a1???????? 8945d4 a1???????? 8975e8 8945d0 }
            // n = 7, score = 100
            //   a1????????           |                     
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax
            //   a1????????           |                     
            //   8945d4               | mov                 dword ptr [ebp - 0x2c], eax
            //   a1????????           |                     
            //   8975e8               | mov                 dword ptr [ebp - 0x18], esi
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax

        $sequence_5 = { c744243c0f000000 c644242800 85ff 7416 8d442408 50 ffd7 }
            // n = 7, score = 100
            //   c744243c0f000000     | mov                 dword ptr [esp + 0x3c], 0xf
            //   c644242800           | mov                 byte ptr [esp + 0x28], 0
            //   85ff                 | test                edi, edi
            //   7416                 | je                  0x18
            //   8d442408             | lea                 eax, [esp + 8]
            //   50                   | push                eax
            //   ffd7                 | call                edi

        $sequence_6 = { 0f2805???????? 0f1185a0feffff 0f2805???????? 0f1185b0feffff 0f2805???????? 0f1185c0feffff e8???????? }
            // n = 7, score = 100
            //   0f2805????????       |                     
            //   0f1185a0feffff       | movups              xmmword ptr [ebp - 0x160], xmm0
            //   0f2805????????       |                     
            //   0f1185b0feffff       | movups              xmmword ptr [ebp - 0x150], xmm0
            //   0f2805????????       |                     
            //   0f1185c0feffff       | movups              xmmword ptr [ebp - 0x140], xmm0
            //   e8????????           |                     

        $sequence_7 = { 8b4714 2bc1 8b4dc0 3bc8 772f 837f1410 8b75e0 }
            // n = 7, score = 100
            //   8b4714               | mov                 eax, dword ptr [edi + 0x14]
            //   2bc1                 | sub                 eax, ecx
            //   8b4dc0               | mov                 ecx, dword ptr [ebp - 0x40]
            //   3bc8                 | cmp                 ecx, eax
            //   772f                 | ja                  0x31
            //   837f1410             | cmp                 dword ptr [edi + 0x14], 0x10
            //   8b75e0               | mov                 esi, dword ptr [ebp - 0x20]

        $sequence_8 = { 8b4508 56 57 8d3c85f0274600 8b07 83ceff 3bc6 }
            // n = 7, score = 100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   56                   | push                esi
            //   57                   | push                edi
            //   8d3c85f0274600       | lea                 edi, [eax*4 + 0x4627f0]
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   83ceff               | or                  esi, 0xffffffff
            //   3bc6                 | cmp                 eax, esi

        $sequence_9 = { 8b0c18 8b45fc 03c1 8b4de8 890419 8b5df8 8b4dd0 }
            // n = 7, score = 100
            //   8b0c18               | mov                 ecx, dword ptr [eax + ebx]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   03c1                 | add                 eax, ecx
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   890419               | mov                 dword ptr [ecx + ebx], eax
            //   8b5df8               | mov                 ebx, dword ptr [ebp - 8]
            //   8b4dd0               | mov                 ecx, dword ptr [ebp - 0x30]

    condition:
        7 of them and filesize < 855040
}
Download all Yara Rules