win.orchard

Orchard

aka: Antavmu

A malware family whose domain generation algorithm (DGA) is seeded by the Bitcoin Genesis Block.

References
2022-10-17 | Malverse | greenplan
@online{greenplan:20221017:stack:5c74181, author = {greenplan}, title = {{Stack String Decryption with Ghidra Emulator (Orchard)}}, date = {2022-10-17}, organization = {Malverse}, url = {https://malverse.it/stack-string-decryptor-con-ghidra-emulator-orchard}, language = {Italian}, urldate = {2022-10-18} } Stack String Decryption with Ghidra Emulator (Orchard)
Orchard
2022-08-05 | 360 netlab | 360 Netlab
@online{netlab:20220805:new:d4f6a02, author = {360 Netlab}, title = {{A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information}}, date = {2022-08-05}, organization = {360 netlab}, url = {https://blog.netlab.360.com/a-new-botnet-orchard-generates-dga-domains-with-bitcoin-transaction-information/}, language = {English}, urldate = {2022-08-30} } A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
Orchard
2022-08-05 | 360 netlab | Daji, suqitian
@online{daji:20220805:dga:b184bd8, author = {Daji and suqitian}, title = {{The DGA family Orchard continues to change, and the new version generates DGA domain names using Bitcoin transaction information}}, date = {2022-08-05}, organization = {360 netlab}, url = {https://blog.netlab.360.com/orchard-dga/}, language = {Chinese}, urldate = {2022-09-21} } The DGA family Orchard continues to change, and the new version generates DGA domain names using Bitcoin transaction information
Orchard
2022-07-24 | bin.re | Johannes Bader
@online{bader:20220724:dga:cf56d0c, author = {Johannes Bader}, title = {{A DGA Seeded by the Bitcoin Genesis Block}}, date = {2022-07-24}, organization = {bin.re}, url = {https://bin.re/blog/a-dga-seeded-by-the-bitcoin-genesis-block/}, language = {English}, urldate = {2022-08-08} } A DGA Seeded by the Bitcoin Genesis Block
Orchard
Yara Rules
[TLP:WHITE] win_orchard_auto (20230407 | Detects win.orchard.)
rule win_orchard_auto {
    // Autogenerated code-sequence signature for win.orchard (see meta below).
    // Each $sequence_N is a run of seven 32-bit x86 instructions taken from the
    // disassembly of unpacked samples; the hex is the raw opcode bytes.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.orchard."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.orchard"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Bytes written as ?? are wildcards. They stand in for the 4-byte operand
        // of call rel32 (e8), call dword ptr [imm32] (ff15) and push imm32 (68),
        // which depend on layout/relocation and so differ between builds; the
        // disassembly column is left blank for those instructions.
        $sequence_0 = { 0f84f8060000 8d4f30 e8???????? 894728 83f80c 0f854e020000 8d45e7 }
            // n = 7, score = 100
            //   0f84f8060000         | je                  0x6fe
            //   8d4f30               | lea                 ecx, [edi + 0x30]
            //   e8????????           |                     
            //   894728               | mov                 dword ptr [edi + 0x28], eax
            //   83f80c               | cmp                 eax, 0xc
            //   0f854e020000         | jne                 0x254
            //   8d45e7               | lea                 eax, [ebp - 0x19]

        $sequence_1 = { 7729 8d040f 894310 8bc3 83fa10 7202 8b03 }
            // n = 7, score = 100
            //   7729                 | ja                  0x2b
            //   8d040f               | lea                 eax, [edi + ecx]
            //   894310               | mov                 dword ptr [ebx + 0x10], eax
            //   8bc3                 | mov                 eax, ebx
            //   83fa10               | cmp                 edx, 0x10
            //   7202                 | jb                  4
            //   8b03                 | mov                 eax, dword ptr [ebx]

        $sequence_2 = { 7428 ff75e0 c7470400000000 c7470801000000 ff15???????? 8907 85c0 }
            // n = 7, score = 100
            //   7428                 | je                  0x2a
            //   ff75e0               | push                dword ptr [ebp - 0x20]
            //   c7470400000000       | mov                 dword ptr [edi + 4], 0
            //   c7470801000000       | mov                 dword ptr [edi + 8], 1
            //   ff15????????         |                     
            //   8907                 | mov                 dword ptr [edi], eax
            //   85c0                 | test                eax, eax

        $sequence_3 = { 0f82de000000 46 83c128 3bf3 72e4 33c9 8b55f8 }
            // n = 7, score = 100
            //   0f82de000000         | jb                  0xe4
            //   46                   | inc                 esi
            //   83c128               | add                 ecx, 0x28
            //   3bf3                 | cmp                 esi, ebx
            //   72e4                 | jb                  0xffffffe6
            //   33c9                 | xor                 ecx, ecx
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]

        $sequence_4 = { 897a0c 8945d4 894dd8 c645fc02 8d4dd4 ff750c e8???????? }
            // n = 7, score = 100
            //   897a0c               | mov                 dword ptr [edx + 0xc], edi
            //   8945d4               | mov                 dword ptr [ebp - 0x2c], eax
            //   894dd8               | mov                 dword ptr [ebp - 0x28], ecx
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   e8????????           |                     

        $sequence_5 = { c645cc00 e8???????? c645fc26 8d4dc4 6a00 c645bc00 e8???????? }
            // n = 7, score = 100
            //   c645cc00             | mov                 byte ptr [ebp - 0x34], 0
            //   e8????????           |                     
            //   c645fc26             | mov                 byte ptr [ebp - 4], 0x26
            //   8d4dc4               | lea                 ecx, [ebp - 0x3c]
            //   6a00                 | push                0
            //   c645bc00             | mov                 byte ptr [ebp - 0x44], 0
            //   e8????????           |                     

        $sequence_6 = { ff75ec 8d4d80 e8???????? c745e403000000 68???????? 8d4d80 c745fc01000000 }
            // n = 7, score = 100
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   8d4d80               | lea                 ecx, [ebp - 0x80]
            //   e8????????           |                     
            //   c745e403000000       | mov                 dword ptr [ebp - 0x1c], 3
            //   68????????           |                     
            //   8d4d80               | lea                 ecx, [ebp - 0x80]
            //   c745fc01000000       | mov                 dword ptr [ebp - 4], 1

        $sequence_7 = { 83c223 2bc1 83c0fc 83f81f 0f87580f0000 52 51 }
            // n = 7, score = 100
            //   83c223               | add                 edx, 0x23
            //   2bc1                 | sub                 eax, ecx
            //   83c0fc               | add                 eax, -4
            //   83f81f               | cmp                 eax, 0x1f
            //   0f87580f0000         | ja                  0xf5e
            //   52                   | push                edx
            //   51                   | push                ecx

        $sequence_8 = { 884dd4 8b4de0 894708 894f0c 8955dc 8975e0 ff75e4 }
            // n = 7, score = 100
            //   884dd4               | mov                 byte ptr [ebp - 0x2c], cl
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   894708               | mov                 dword ptr [edi + 8], eax
            //   894f0c               | mov                 dword ptr [edi + 0xc], ecx
            //   8955dc               | mov                 dword ptr [ebp - 0x24], edx
            //   8975e0               | mov                 dword ptr [ebp - 0x20], esi
            //   ff75e4               | push                dword ptr [ebp - 0x1c]

        $sequence_9 = { d3ee 23741001 83fe02 7541 6aff ff770c ff55c0 }
            // n = 7, score = 100
            //   d3ee                 | shr                 esi, cl
            //   23741001             | and                 esi, dword ptr [eax + edx + 1]
            //   83fe02               | cmp                 esi, 2
            //   7541                 | jne                 0x43
            //   6aff                 | push                -1
            //   ff770c               | push                dword ptr [edi + 0xc]
            //   ff55c0               | call                dword ptr [ebp - 0x40]

    condition:
        // Fires when at least 7 of the 10 sequences are present and the scanned
        // object is smaller than 855040 bytes. The size bound presumably keeps
        // the rule from matching large unrelated files that happen to contain a
        // few common code idioms. Because the sequences come from memory dumps
        // and unpacked files (see DISCLAIMER), packed on-disk samples may not
        // match; scanning process memory or unpacked payloads is more reliable.
        7 of them and filesize < 855040
}