win.pocodown

PocoDown

aka: Blitz, PocoDownloader

Actor(s): Sofacy


Uses the POCO C++ cross-platform library and XOR-based string obfuscation. Shares SSL library code and strings with X-Tunnel, and infrastructure with X-Agent. Probably in use since mid-2018.

References
2019-08-28 · Cylance · Cylance Threat Research Team
@online{team:20190828:inside:c3051c2, author = {Cylance Threat Research Team}, title = {{Inside the APT28 DLL Backdoor Blitz}}, date = {2019-08-28}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html}, language = {English}, urldate = {2020-01-06} } Inside the APT28 DLL Backdoor Blitz
PocoDown
2019-07-10 · Cylance · Cylance Threat Research Team
@online{team:20190710:flirting:dbf23d3, author = {Cylance Threat Research Team}, title = {{Flirting With IDA and APT28}}, date = {2019-07-10}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html}, language = {English}, urldate = {2020-01-06} } Flirting With IDA and APT28
PocoDown
2019-05-18 · Twitter (@cyb3rops) · Florian Roth
@online{roth:20190518:yara:b6d66a4, author = {Florian Roth}, title = {{Tweet on YARA and APT28}}, date = {2019-05-18}, organization = {Twitter (@cyb3rops)}, url = {https://twitter.com/cyb3rops/status/1129653190444703744}, language = {English}, urldate = {2020-01-10} } Tweet on YARA and APT28
PocoDown
Yara Rules
[TLP:WHITE] win_pocodown_auto (20220808 | Detects win.pocodown.)
rule win_pocodown_auto {

    // Autogenerated code-sequence signature for win.pocodown (PocoDown / Blitz).
    // Every $sequence_N is a run of x86-64 instruction bytes lifted from unpacked
    // or in-memory code; `??` wildcards mask the rel32 of call instructions so
    // relocation/relinking does not break them. The per-byte disassembly in the
    // comments below was re-derived from the hex and corrected — the comments
    // originally shipped with this rule did not correspond to the listed bytes.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.pocodown."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pocodown"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Character-class check: loads a byte from a table at [rcx+rax+0x65a] and
        // compares it with 0x3d (ASCII '='). NOTE(review): looks like it could be
        // base64 padding handling — unconfirmed from the bytes alone.
        $sequence_0 = { ffc8 4898 488b4c2450 0fbe84015a060000 83f83d 752f 8b442470 }
            // n = 7, score = 200
            //   ffc8                 | dec                 eax
            //   4898                 | cdqe
            //   488b4c2450           | mov                 rcx, qword ptr [rsp + 0x50]
            //   0fbe84015a060000     | movsx               eax, byte ptr [rcx + rax + 0x65a]
            //   83f83d               | cmp                 eax, 0x3d
            //   752f                 | jne                 +0x2f
            //   8b442470             | mov                 eax, dword ptr [rsp + 0x70]

        // Argument marshalling before a call: 5th argument in the shadow area at
        // [rsp+0x20], then r9, r8, rdx, rcx — the register order of the Windows
        // x64 calling convention.
        $sequence_1 = { eb27 488b442470 4889442420 4c8b4c2430 4c8b442460 488b542458 488b4c2450 }
            // n = 7, score = 200
            //   eb27                 | jmp                 +0x27
            //   488b442470           | mov                 rax, qword ptr [rsp + 0x70]
            //   4889442420           | mov                 qword ptr [rsp + 0x20], rax
            //   4c8b4c2430           | mov                 r9, qword ptr [rsp + 0x30]
            //   4c8b442460           | mov                 r8, qword ptr [rsp + 0x60]
            //   488b542458           | mov                 rdx, qword ptr [rsp + 0x58]
            //   488b4c2450           | mov                 rcx, qword ptr [rsp + 0x50]

        // Call with edx=2 on an object at [rsp+0xa0], then a two-level field
        // dereference (+0x170, then +0x74) and increment of that counter.
        $sequence_2 = { ba02000000 488b8c24a0000000 e8???????? 488b8424a0000000 488b8070010000 8b4074 ffc0 }
            // n = 7, score = 200
            //   ba02000000           | mov                 edx, 2
            //   488b8c24a0000000     | mov                 rcx, qword ptr [rsp + 0xa0]
            //   e8????????           | call                <masked rel32>
            //   488b8424a0000000     | mov                 rax, qword ptr [rsp + 0xa0]
            //   488b8070010000       | mov                 rax, qword ptr [rax + 0x170]
            //   8b4074               | mov                 eax, dword ptr [rax + 0x74]
            //   ffc0                 | inc                 eax

        // CAUTION: the RIP-relative displacement 0x26e593 is hard-coded, so this
        // string is tied to the exact layout of the sampled build.
        $sequence_3 = { e8???????? 488d1593e52600 488d4d07 e8???????? 90 4885db 7e19 }
            // n = 7, score = 200
            //   e8????????           | call                <masked rel32>
            //   488d1593e52600       | lea                 rdx, [rip + 0x26e593]
            //   488d4d07             | lea                 rcx, [rbp + 7]
            //   e8????????           | call                <masked rel32>
            //   90                   | nop
            //   4885db               | test                rbx, rbx
            //   7e19                 | jle                 +0x19

        // Bit test against a flag held in r12b, then two local-buffer address
        // computations relative to rbp (frame-pointer-relative locals).
        $sequence_4 = { f7d0 4184c4 0f84b1000000 488d4d07 e8???????? 488d55d7 488d4d17 }
            // n = 7, score = 200
            //   f7d0                 | not                 eax
            //   4184c4               | test                r12b, al
            //   0f84b1000000         | je                  +0xb1
            //   488d4d07             | lea                 rcx, [rbp + 7]
            //   e8????????           | call                <masked rel32>
            //   488d55d7             | lea                 rdx, [rbp - 0x29]
            //   488d4d17             | lea                 rcx, [rbp + 0x17]

        // Signed division, offset-by-2 index computation, then setup for a second
        // division by 0x13 (19).
        $sequence_5 = { f7f9 8b4c2468 8d440102 89442440 8b442440 99 b913000000 }
            // n = 7, score = 200
            //   f7f9                 | idiv                ecx
            //   8b4c2468             | mov                 ecx, dword ptr [rsp + 0x68]
            //   8d440102             | lea                 eax, [rcx + rax + 2]
            //   89442440             | mov                 dword ptr [rsp + 0x40], eax
            //   8b442440             | mov                 eax, dword ptr [rsp + 0x40]
            //   99                   | cdq
            //   b913000000           | mov                 ecx, 0x13

        // Null-check of a call result, then argument setup with a constant 0x111
        // and a RIP-relative pointer in r9.
        // CAUTION: the displacement 0x1eca0a is build-specific (see $sequence_3).
        $sequence_6 = { e9???????? e8???????? 4889442460 48837c246000 7529 c744242011010000 4c8d0d0aca1e00 }
            // n = 7, score = 200
            //   e9????????           | jmp                 <masked rel32>
            //   e8????????           | call                <masked rel32>
            //   4889442460           | mov                 qword ptr [rsp + 0x60], rax
            //   48837c246000         | cmp                 qword ptr [rsp + 0x60], 0
            //   7529                 | jne                 +0x29
            //   c744242011010000     | mov                 dword ptr [rsp + 0x20], 0x111
            //   4c8d0d0aca1e00       | lea                 r9, [rip + 0x1eca0a]

        // Loop increment: i++ at [rsp+0x28], compared with a count field at +0x10
        // of the object at [rsp+0x30].
        $sequence_7 = { eb0a 8b442428 ffc0 89442428 488b442430 8b4010 39442428 }
            // n = 7, score = 200
            //   eb0a                 | jmp                 +0xa
            //   8b442428             | mov                 eax, dword ptr [rsp + 0x28]
            //   ffc0                 | inc                 eax
            //   89442428             | mov                 dword ptr [rsp + 0x28], eax
            //   488b442430           | mov                 rax, qword ptr [rsp + 0x30]
            //   8b4010               | mov                 eax, dword ptr [rax + 0x10]
            //   39442428             | cmp                 dword ptr [rsp + 0x28], eax

        // Pointer-array indexing: element (count - 1) of an 8-byte-stride table.
        $sequence_8 = { 8b8c2400010000 ffc9 4863c9 488b00 488d04c8 48898424f8000000 eb10 }
            // n = 7, score = 200
            //   8b8c2400010000       | mov                 ecx, dword ptr [rsp + 0x100]
            //   ffc9                 | dec                 ecx
            //   4863c9               | movsxd              rcx, ecx
            //   488b00               | mov                 rax, qword ptr [rax]
            //   488d04c8             | lea                 rax, [rax + rcx*8]
            //   48898424f8000000     | mov                 qword ptr [rsp + 0xf8], rax
            //   eb10                 | jmp                 +0x10

        // Error check: call result compared with -1, r8d loaded for the next call.
        $sequence_9 = { eb4f 8b4c2448 e8???????? 89442428 837c2428ff 7516 448b442450 }
            // n = 7, score = 200
            //   eb4f                 | jmp                 +0x4f
            //   8b4c2448             | mov                 ecx, dword ptr [rsp + 0x48]
            //   e8????????           | call                <masked rel32>
            //   89442428             | mov                 dword ptr [rsp + 0x28], eax
            //   837c2428ff           | cmp                 dword ptr [rsp + 0x28], -1
            //   7516                 | jne                 +0x16
            //   448b442450           | mov                 r8d, dword ptr [rsp + 0x50]

    condition:
        // Any 7 of the 10 sequences must match; the size cap (~6.4 MiB) bounds
        // scan cost on large inputs. Because the strings were lifted from unpacked
        // or in-memory code, packed on-disk samples are unlikely to hit — scan
        // memory dumps or unpacked PEs. `filesize` is not meaningful when scanning
        // process memory; check how your YARA version evaluates it there before
        // relying on this condition in a live-memory context. $sequence_3 and
        // $sequence_6 embed build-specific RIP-relative displacements, so on a
        // different build the effective threshold is closer to 7 of 8.
        7 of them and filesize < 6703104
}