win.pocodown

PocoDown

aka: Blitz, PocoDownloader

Actor(s): Sofacy


Uses the POCO C++ cross-platform library and XOR-based string obfuscation; shares SSL library code and strings with Xtunnel and infrastructure with X-Agent; probably in use since mid-2018.

References
2019-08-28 — Cylance — Cylance Threat Research Team
@online{team:20190828:inside:c3051c2, author = {Cylance Threat Research Team}, title = {{Inside the APT28 DLL Backdoor Blitz}}, date = {2019-08-28}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html}, language = {English}, urldate = {2020-01-06} } Inside the APT28 DLL Backdoor Blitz
PocoDown
2019-07-10 — Cylance — Cylance Threat Research Team
@online{team:20190710:flirting:dbf23d3, author = {Cylance Threat Research Team}, title = {{Flirting With IDA and APT28}}, date = {2019-07-10}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html}, language = {English}, urldate = {2020-01-06} } Flirting With IDA and APT28
PocoDown
2019-05-18 — Twitter (@cyb3rops) — Florian Roth
@online{roth:20190518:yara:b6d66a4, author = {Florian Roth}, title = {{Tweet on YARA and APT28}}, date = {2019-05-18}, organization = {Twitter (@cyb3rops)}, url = {https://twitter.com/cyb3rops/status/1129653190444703744}, language = {English}, urldate = {2020-01-10} } Tweet on YARA and APT28
PocoDown
Yara Rules
[TLP:WHITE] win_pocodown_auto (20230125 | Detects win.pocodown.)
// Malpedia auto-generated YARA rule for win.pocodown (produced by yara-signator; see meta below).
// Each $sequence_N string is a run of raw x86 opcode bytes lifted from disassembly. The "??"
// wildcards mask the 4-byte relative displacement that follows call/jmp opcodes (e8 / e9 / ff15),
// so the pattern is not tied to one build's layout. The "// n = 7, score = 200" lines are
// generator output: n is the number of instructions in the sequence; the meaning of "score" is
// not documented on this page (presumably a yara-signator selection score — confirm in the tool).
// NOTE(review): the mnemonic annotations beside each opcode do not correspond to the bytes they
// sit next to (e.g. "eb08" is a short jmp and "85c0" is "test eax, eax", yet both are annotated
// as something else), and the 48/4c/41 REX prefixes indicate 64-bit code while the annotations
// use 32-bit register names. Treat the hex as authoritative and the annotations as informational.
rule win_pocodown_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.pocodown."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pocodown"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Ten opcode sequences follow; each is a hex byte string and must match byte-for-byte
        // except at the "??" positions. Because they were selected from unpacked/memory-dumped
        // code (see DISCLAIMER), expect them to match unpacked samples or memory, not packed files.
        $sequence_0 = { eb08 c744244000000000 488b4c2470 e8???????? 83e010 85c0 0f8529010000 }
            // n = 7, score = 200
            //   eb08                 | mov                 ecx, dword ptr [ebp + 0xe8]
            //   c744244000000000     | dec                 eax
            //   488b4c2470           | mov                 ecx, dword ptr [esp + 0x100]
            //   e8????????           |                     
            //   83e010               | dec                 eax
            //   85c0                 | mov                 ecx, dword ptr [esp + 0x100]
            //   0f8529010000         | dec                 eax

        $sequence_1 = { ff15???????? 85c0 741e 41b9f8010000 4c8d058bad1c00 ba6a000000 b967000000 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   85c0                 | dec                 eax
            //   741e                 | mov                 eax, dword ptr [esp + 0x28]
            //   41b9f8010000         | dec                 eax
            //   4c8d058bad1c00       | mov                 ecx, dword ptr [eax + 0x18]
            //   ba6a000000           | test                eax, eax
            //   b967000000           | jg                  0x1b34

        $sequence_2 = { e9???????? 488b8424f8000000 488b4c2430 8b4910 8b4010 33c1 488b8c24f8000000 }
            // n = 7, score = 200
            //   e9????????           |                     
            //   488b8424f8000000     | dec                 eax
            //   488b4c2430           | mov                 eax, dword ptr [esp + 0x50]
            //   8b4910               | dec                 eax
            //   8b4010               | cmp                 dword ptr [eax + 0x18], 0
            //   33c1                 | je                  0x11e0
            //   488b8c24f8000000     | dec                 eax

        $sequence_3 = { c744242001000000 488b01 48634804 488d05057e1e00 48890419 488d4b08 e8???????? }
            // n = 7, score = 200
            //   c744242001000000     | lea                 eax, [0x1df7c5]
            //   488b01               | dec                 eax
            //   48634804             | lea                 ecx, [esi + 0xb0]
            //   488d05057e1e00       | dec                 eax
            //   48890419             | mov                 dword ptr [esi + 0xb0], eax
            //   488d4b08             | mov                 edi, edx
            //   e8????????           |                     

        $sequence_4 = { e8???????? 488d4db0 e8???????? 807c242801 0f8fef000000 807db801 0f8fe5000000 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   488d4db0             | inc                 ebp
            //   e8????????           |                     
            //   807c242801           | cmovne              esp, edi
            //   0f8fef000000         | dec                 eax
            //   807db801             | lea                 eax, [0x1e059a]
            //   0f8fe5000000         | dec                 ecx

        $sequence_5 = { c744242070000000 4c8d0d2daa2100 41b87c000000 ba78000000 b90b000000 e8???????? eb54 }
            // n = 7, score = 200
            //   c744242070000000     | lea                 ecx, [esp + 0x50]
            //   4c8d0d2daa2100       | dec                 eax
            //   41b87c000000         | lea                 edx, [0x284242]
            //   ba78000000           | dec                 eax
            //   b90b000000           | lea                 ecx, [esp + 0x50]
            //   e8????????           |                     
            //   eb54                 | nop                 

        $sequence_6 = { ff542450 488b442470 8b00 2500ff0000 3d00030000 7431 c7442420ef000000 }
            // n = 7, score = 200
            //   ff542450             | test                eax, eax
            //   488b442470           | je                  0x15a7
            //   8b00                 | jmp                 0x15bd
            //   2500ff0000           | xor                 edx, edx
            //   3d00030000           | dec                 eax
            //   7431                 | mov                 ecx, dword ptr [esp + 0x20]
            //   c7442420ef000000     | dec                 esp

        $sequence_7 = { e8???????? b8ffffffff e9???????? e8???????? 4889442450 48837c245000 752e }
            // n = 7, score = 200
            //   e8????????           |                     
            //   b8ffffffff           | dec                 eax
            //   e9????????           |                     
            //   e8????????           |                     
            //   4889442450           | lea                 edx, [0x284a2a]
            //   48837c245000         | nop                 
            //   752e                 | inc                 ebp

        $sequence_8 = { f6c108 741f 0fbe0b 48ffc3 48895c2450 438d14bf 448d7c51d0 }
            // n = 7, score = 200
            //   f6c108               | mov                 eax, dword ptr [esp + 0x28]
            //   741f                 | mov                 eax, dword ptr [eax + 8]
            //   0fbe0b               | dec                 eax
            //   48ffc3               | mov                 ecx, dword ptr [esp + 0x20]
            //   48895c2450           | dec                 eax
            //   438d14bf             | add                 eax, dword ptr [ecx]
            //   448d7c51d0           | dec                 eax

        $sequence_9 = { ebca 41b9a8010000 4c8d055a7f2100 ba02000000 b906000000 e8???????? 837c244800 }
            // n = 7, score = 200
            //   ebca                 | mov                 eax, dword ptr [esp + 0x30]
            //   41b9a8010000         | dec                 eax
            //   4c8d055a7f2100       | inc                 eax
            //   ba02000000           | dec                 eax
            //   b906000000           | mov                 dword ptr [esp + 0x30], eax
            //   e8????????           |                     
            //   837c244800           | dec                 eax

    condition:
        // Fires when at least 7 of the 10 sequences are present AND the scanned object is
        // smaller than 6703104 bytes (~6.4 MiB). A sample larger than that — e.g. padded or
        // embedded in a bigger carrier — will not match even if every sequence is present.
        // When scanning process memory rather than files, check how your scanner evaluates
        // `filesize` before relying on this term.
        7 of them and filesize < 6703104
}