win.polyglotduke

PolyglotDuke

Actor(s): APT29


No description is available for this family yet; see the references below for vendor reporting.

References
2020-03-26 · VMWare Carbon Black · Scott Knight
@online{knight:20200326:dukes:df85f94, author = {Scott Knight}, title = {{The Dukes of Moscow}}, date = {2020-03-26}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/}, language = {English}, urldate = {2020-05-18} } The Dukes of Moscow
Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke
2020-02-13 · Qianxin · Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 · Secureworks · SecureWorks
@online{secureworks:2020:iron:59396c7, author = {SecureWorks}, title = {{IRON HEMLOCK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hemlock}, language = {English}, urldate = {2020-05-23} } IRON HEMLOCK
FatDuke MiniDuke OnionDuke PolyglotDuke APT29
2019-10-17 · ESET Research · ESET Research
@online{research:20191017:operation:812f836, author = {ESET Research}, title = {{Operation Ghost: The Dukes aren’t back – they never left}}, date = {2019-10-17}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/}, language = {English}, urldate = {2020-01-09} } Operation Ghost: The Dukes aren’t back – they never left
PolyglotDuke
Yara Rules
[TLP:WHITE] win_polyglotduke_auto (20230125 | Detects win.polyglotduke.)
rule win_polyglotduke_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.polyglotduke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglotduke"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (documentation only; the byte strings and condition are unchanged)
     * - Every sequence carries REX prefixes (0x40-0x4f) and rsp-/rip-relative
     *   addressing, so the reference sample is x86-64. The listings beside each
     *   byte string below are x86-64 decodes of exactly those bytes.
     * - "e8????????" is a 5-byte near call whose rel32 target is wildcarded: the
     *   sequence survives relinking, but the callee identity is not part of it.
     * - $sequence_9 is the shape of MSVC /GS stack-cookie-check + epilogue code
     *   and will also appear in benign MSVC x64 binaries; the "7 of them" condition
     *   keeps it from carrying a match alone, but do not weight it as family-specific.
     * - The rule was generated from Malpedia's sample(s) for this family only, so
     *   rip-relative displacements and stack offsets are tied to that build and
     *   may not survive recompilation.
     */


    strings:
        $sequence_0 = { 488b4dc8 4533c9 488d45c0 897c2430 458d4101 4889442428 }
            // n = 6, score = 100
            //   488b4dc8             | mov                 rcx, qword ptr [rbp - 0x38]
            //   4533c9               | xor                 r9d, r9d
            //   488d45c0             | lea                 rax, [rbp - 0x40]
            //   897c2430             | mov                 dword ptr [rsp + 0x30], edi
            //   458d4101             | lea                 r8d, [r9 + 1]
            //   4889442428           | mov                 qword ptr [rsp + 0x28], rax
            // NOTE(review): rcx/r8/r9 plus stack slots [rsp+0x28]/[rsp+0x30] is the
            // shape of Windows x64 call-argument setup; the callee is outside the sequence.

        $sequence_1 = { 488bd3 e8???????? 4885c0 75ec }
            // n = 4, score = 100
            //   488bd3               | mov                 rdx, rbx
            //   e8????????           | call                <rel32 wildcarded>
            //   4885c0               | test                rax, rax
            //   75ec                 | jne                 -0x14
            // Backward jne after test rax,rax: loops while the call returns non-zero.

        $sequence_2 = { 0f8292000000 488b4e08 80397b 0f8585000000 80790122 }
            // n = 5, score = 100
            //   0f8292000000         | jb                  +0x92
            //   488b4e08             | mov                 rcx, qword ptr [rsi + 8]
            //   80397b               | cmp                 byte ptr [rcx], 0x7b       ; '{'
            //   0f8585000000         | jne                 +0x85
            //   80790122             | cmp                 byte ptr [rcx + 1], 0x22   ; '"'
            // NOTE(review): tests that the buffer pointed to by [rsi+8] starts with '{"',
            // consistent with parsing a JSON-style object -- confirm against a sample.

        $sequence_3 = { 40b704 4532e4 48d1e9 e8???????? 4c8be8 488bf0 }
            // n = 6, score = 100
            //   40b704               | mov                 dil, 4
            //   4532e4               | xor                 r12b, r12b
            //   48d1e9               | shr                 rcx, 1
            //   e8????????           | call                <rel32 wildcarded>
            //   4c8be8               | mov                 r13, rax
            //   488bf0               | mov                 rsi, rax
            // rcx is halved before the call and the result is kept in both r13 and rsi.

        $sequence_4 = { 66c741010100 6644896104 448821 4c89a118040000 4489a114040000 33c0 b900040000 }
            // n = 7, score = 100
            //   66c741010100         | mov                 word ptr [rcx + 1], 1
            //   6644896104           | mov                 word ptr [rcx + 4], r12w
            //   448821               | mov                 byte ptr [rcx], r12b
            //   4c89a118040000       | mov                 qword ptr [rcx + 0x418], r12
            //   4489a114040000       | mov                 dword ptr [rcx + 0x414], r12d
            //   33c0                 | xor                 eax, eax
            //   b900040000           | mov                 ecx, 0x400
            // NOTE(review): field initialisation of a structure at rcx (offsets 0, 1, 4,
            // 0x414, 0x418); the structure's meaning is not recoverable from these bytes.

        $sequence_5 = { 488d0ddee30000 488945b8 e8???????? 488d0ddee30000 488945c0 e8???????? 488d0ddae30000 }
            // n = 7, score = 100
            //   488d0ddee30000       | lea                 rcx, [rip + 0xe3de]
            //   488945b8             | mov                 qword ptr [rbp - 0x48], rax
            //   e8????????           | call                <rel32 wildcarded>
            //   488d0ddee30000       | lea                 rcx, [rip + 0xe3de]
            //   488945c0             | mov                 qword ptr [rbp - 0x40], rax
            //   e8????????           | call                <rel32 wildcarded>
            //   488d0ddae30000       | lea                 rcx, [rip + 0xe3da]
            // Repeated "rcx = rip-relative data pointer; call; save rax to a local".
            // The displacements are specific to this build's section layout.

        $sequence_6 = { e8???????? 488bce e8???????? 488bcd e8???????? 488bc7 488b5c2430 }
            // n = 7, score = 100
            //   e8????????           | call                <rel32 wildcarded>
            //   488bce               | mov                 rcx, rsi
            //   e8????????           | call                <rel32 wildcarded>
            //   488bcd               | mov                 rcx, rbp
            //   e8????????           | call                <rel32 wildcarded>
            //   488bc7               | mov                 rax, rdi
            //   488b5c2430           | mov                 rbx, qword ptr [rsp + 0x30]
            // NOTE(review): looks like a function tail -- calls taking rsi and rbp
            // (cleanup?), then rdi becomes the return value and rbx is restored.

        $sequence_7 = { 488d0dd6e30000 488945d0 e8???????? 488d0dd6e30000 488945d8 e8???????? 488d0ddae30000 }
            // n = 7, score = 100
            //   488d0dd6e30000       | lea                 rcx, [rip + 0xe3d6]
            //   488945d0             | mov                 qword ptr [rbp - 0x30], rax
            //   e8????????           | call                <rel32 wildcarded>
            //   488d0dd6e30000       | lea                 rcx, [rip + 0xe3d6]
            //   488945d8             | mov                 qword ptr [rbp - 0x28], rax
            //   e8????????           | call                <rel32 wildcarded>
            //   488d0ddae30000       | lea                 rcx, [rip + 0xe3da]
            // Same pattern as $sequence_5 with different locals; likely the same
            // unrolled initialisation routine a few instructions later.

        $sequence_8 = { 7537 4839442450 7530 4d85ff 752b 4839442468 7524 }
            // n = 7, score = 100
            //   7537                 | jne                 +0x37
            //   4839442450           | cmp                 qword ptr [rsp + 0x50], rax
            //   7530                 | jne                 +0x30
            //   4d85ff               | test                r15, r15
            //   752b                 | jne                 +0x2b
            //   4839442468           | cmp                 qword ptr [rsp + 0x68], rax
            //   7524                 | jne                 +0x24
            // The four jne displacements shrink by exactly the size of the intervening
            // instructions, so all four branch to the same target: a chain of
            // must-all-hold checks with one shared failure path.

        $sequence_9 = { 488b8c2410040000 4833cc e8???????? 4c8d9c2420040000 498b5b10 }
            // n = 5, score = 100
            //   488b8c2410040000     | mov                 rcx, qword ptr [rsp + 0x410]
            //   4833cc               | xor                 rcx, rsp
            //   e8????????           | call                <rel32 wildcarded>
            //   4c8d9c2420040000     | lea                 r11, [rsp + 0x420]
            //   498b5b10             | mov                 rbx, qword ptr [r11 + 0x10]
            // NOTE(review): "load stack slot; xor rcx, rsp; call" is the MSVC /GS
            // stack-cookie check (presumably __security_check_cookie) followed by a
            // standard epilogue. This is compiler boilerplate shared with benign x64
            // MSVC binaries; only the 0x410/0x420 frame size is build-specific.

    condition:
        // 7 of the 10 sequences must be present; the file-size cap is an upper bound
        // taken from the reference sample(s), so a padded or repacked build can
        // exceed it and be missed.
        7 of them and filesize < 222784
}