SYMBOLCOMMON_NAMEaka. SYNONYMS
win.pocodown (Back to overview)

PocoDown

aka: Blitz, PocoDownloader

Actor(s): APT28


uses POCO C++ cross-platform library, Xor-based string obfuscation, SSL library code and string overlap with Xtunnel, infrastructure overlap with X-Agent, probably in use since mid-2018

References
2019-08-28CylanceCylance Threat Research Team
@online{team:20190828:inside:c3051c2, author = {Cylance Threat Research Team}, title = {{Inside the APT28 DLL Backdoor Blitz}}, date = {2019-08-28}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html}, language = {English}, urldate = {2020-01-06} } Inside the APT28 DLL Backdoor Blitz
PocoDown
2019-07-10CylanceCylance Threat Research Team
@online{team:20190710:flirting:dbf23d3, author = {Cylance Threat Research Team}, title = {{Flirting With IDA and APT28}}, date = {2019-07-10}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html}, language = {English}, urldate = {2020-01-06} } Flirting With IDA and APT28
PocoDown
2019-05-18Twitter (@cyb3rops)Florian Roth
@online{roth:20190518:yara:b6d66a4, author = {Florian Roth}, title = {{Tweet on YARA and APT28}}, date = {2019-05-18}, organization = {Twitter (@cyb3rops)}, url = {https://twitter.com/cyb3rops/status/1129653190444703744}, language = {English}, urldate = {2020-01-10} } Tweet on YARA and APT28
PocoDown
Yara Rules
[TLP:WHITE] win_pocodown_auto (20230715 | Detects win.pocodown.)
rule win_pocodown_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.pocodown."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pocodown"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 482be0 488b05???????? 4833c4 4889442468 488b842490000000 48c70000000000 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   482be0               | mov                 dword ptr [ecx + 0x20], eax
            //   488b05????????       |                     
            //   4833c4               | dec                 eax
            //   4889442468           | mov                 eax, ecx
            //   488b842490000000     | mov                 eax, dword ptr [edx + 0x18]
            //   48c70000000000       | cmp                 dword ptr [ecx + 0x18], eax

        $sequence_1 = { f7c180ffffff 7517 4863c1 488d0d6c2f2100 8b0c81 80e108 80f908 }
            // n = 7, score = 200
            //   f7c180ffffff         | mov                 edx, 0x6c
            //   7517                 | mov                 ecx, 0x28
            //   4863c1               | jmp                 0x10cd
            //   488d0d6c2f2100       | dec                 eax
            //   8b0c81               | mov                 eax, dword ptr [esp + 0xa0]
            //   80e108               | dec                 eax
            //   80f908               | mov                 dword ptr [esp + 0x28], eax

        $sequence_2 = { c7442420100a0000 4c8d0d149e1500 41b8f4000000 ba3b010000 b914000000 e8???????? b8ffffffff }
            // n = 7, score = 200
            //   c7442420100a0000     | mov                 dword ptr [esp + 0xbc], 0
            //   4c8d0d149e1500       | mov                 dword ptr [esp + 0x70], eax
            //   41b8f4000000         | dec                 eax
            //   ba3b010000           | mov                 eax, dword ptr [esp + 0x1e0]
            //   b914000000           | mov                 eax, dword ptr [eax]
            //   e8????????           |                     
            //   b8ffffffff           | sar                 eax, 8

        $sequence_3 = { bad4000000 b914000000 e8???????? b8ffffffff e9???????? 33c9 ff15???????? }
            // n = 7, score = 200
            //   bad4000000           | mov                 dword ptr [eax], ecx
            //   b914000000           | mov                 dword ptr [eax], ecx
            //   e8????????           |                     
            //   b8ffffffff           | dec                 eax
            //   e9????????           |                     
            //   33c9                 | cmp                 dword ptr [esp + 0x58], 0
            //   ff15????????         |                     

        $sequence_4 = { ffc0 89442448 8b842488000000 ffc8 89842488000000 488b442468 8b00 }
            // n = 7, score = 200
            //   ffc0                 | shl                 eax, 0xc
            //   89442448             | mov                 ecx, dword ptr [esp + 8]
            //   8b842488000000       | or                  ecx, eax
            //   ffc8                 | mov                 eax, ecx
            //   89842488000000       | mov                 dword ptr [esp + 8], eax
            //   488b442468           | dec                 eax
            //   8b00                 | mov                 eax, dword ptr [esp]

        $sequence_5 = { c644242000 41b810000000 488d1581952500 488d4c2420 e8???????? 90 4533c0 }
            // n = 7, score = 200
            //   c644242000           | cmp                 dword ptr [esp + 0x38], 0
            //   41b810000000         | jge                 0x57
            //   488d1581952500       | mov                 eax, 0xffffffff
            //   488d4c2420           | jmp                 0x5d
            //   e8????????           |                     
            //   90                   | mov                 dword ptr [esp + 0x38], eax
            //   4533c0               | dec                 eax

        $sequence_6 = { e8???????? 84c0 7558 48c74424680f000000 48c744246000000000 88442450 41b813000000 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   84c0                 | mov                 edx, dword ptr [esp + 0x68]
            //   7558                 | dec                 eax
            //   48c74424680f000000     | mov    ecx, dword ptr [eax + 0xf8]
            //   48c744246000000000     | dec    eax
            //   88442450             | mov                 dword ptr [esp + 0x48], eax
            //   41b813000000         | cmp                 dword ptr [esp + 0x68], 0

        $sequence_7 = { ebb5 488b8424a8080000 488b00 8b00 8b4c2458 8d440801 488b8c24a8080000 }
            // n = 7, score = 200
            //   ebb5                 | mov                 dword ptr [esp + 0x80], 0
            //   488b8424a8080000     | jmp                 0x17fd
            //   488b00               | mov                 edx, 8
            //   8b00                 | dec                 eax
            //   8b4c2458             | lea                 ecx, [esp + 0x68]
            //   8d440801             | test                eax, eax
            //   488b8c24a8080000     | jne                 0x17ff

        $sequence_8 = { e9???????? ff15???????? 8bd8 e9???????? 8b5c244c e9???????? 488d0547192a00 }
            // n = 7, score = 200
            //   e9????????           |                     
            //   ff15????????         |                     
            //   8bd8                 | lea                 edx, [0x1e2026]
            //   e9????????           |                     
            //   8b5c244c             | mov                 ecx, 0x68
            //   e9????????           |                     
            //   488d0547192a00       | mov                 eax, 0x38

        $sequence_9 = { e9???????? 488b842480010000 488b8080000000 4883c008 41b808000000 33d2 488bc8 }
            // n = 7, score = 200
            //   e9????????           |                     
            //   488b842480010000     | dec                 esp
            //   488b8080000000       | mov                 dword ptr [esp + 0xe0], ebx
            //   4883c008             | dec                 eax
            //   41b808000000         | lea                 ecx, [esp + 0xe0]
            //   33d2                 | nop                 
            //   488bc8               | dec                 eax

    condition:
        7 of them and filesize < 6703104
}
Download all Yara Rules