SYMBOLCOMMON_NAMEaka. SYNONYMS
win.polyglotduke (Back to overview)

PolyglotDuke

Actor(s): APT29

VTCollection    

There is no description at this point.

References
2020-03-26VMWare Carbon BlackScott Knight
The Dukes of Moscow
Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke
2020-02-13QianxinQi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-01-01SecureworksSecureWorks
IRON HEMLOCK
FatDuke MiniDuke OnionDuke PolyglotDuke APT29
2019-10-17ESET ResearchESET Research
Operation Ghost: The Dukes aren’t back – they never left
PolyglotDuke
Yara Rules
[TLP:WHITE] win_polyglotduke_auto (20230808 | Detects win.polyglotduke.)
rule win_polyglotduke_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.polyglotduke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglotduke"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 488b5608 448bc7 488bc8 488bd8 e8???????? }
            // n = 6, score = 100
            //   e8????????           |                     
            //   488b5608             | dec                 ecx
            //   448bc7               | mov                 ecx, dword ptr [edi + 8]
            //   488bc8               | dec                 eax
            //   488bd8               | mov                 dword ptr [esp + 0x28], eax
            //   e8????????           |                     

        $sequence_1 = { 0fb7f9 492bf3 498bcb 33d2 33c0 }
            // n = 5, score = 100
            //   0fb7f9               | dec                 eax
            //   492bf3               | mov                 dword ptr [esp + 0x30], edx
            //   498bcb               | dec                 eax
            //   33d2                 | mov                 dword ptr [esp + 0x28], edx
            //   33c0                 | dec                 esp

        $sequence_2 = { 48895c2408 57 4883ec20 488bfa 488bd9 488d0595970000 488981a0000000 }
            // n = 7, score = 100
            //   48895c2408           | mov                 ecx, edi
            //   57                   | dec                 eax
            //   4883ec20             | lea                 ecx, [0x15b2a]
            //   488bfa               | dec                 eax
            //   488bd9               | lea                 ecx, [ebp + 0x30]
            //   488d0595970000       | dec                 esp
            //   488981a0000000       | mov                 eax, eax

        $sequence_3 = { 4c8be8 e8???????? 488d0d88120100 e8???????? 488d4c2430 8bd3 4c8bc0 }
            // n = 7, score = 100
            //   4c8be8               | dec                 eax
            //   e8????????           |                     
            //   488d0d88120100       | mov                 ecx, eax
            //   e8????????           |                     
            //   488d4c2430           | dec                 eax
            //   8bd3                 | mov                 edi, eax
            //   4c8bc0               | lea                 ecx, [ebx + 1]

        $sequence_4 = { 488be8 498bcc e8???????? 488bcf e8???????? }
            // n = 5, score = 100
            //   488be8               | jmp                 0xa0d
            //   498bcc               | dec                 eax
            //   e8????????           |                     
            //   488bcf               | mov                 dword ptr [ebp + 7], ebx
            //   e8????????           |                     

        $sequence_5 = { 48894518 e8???????? 488d0dbae30000 48894520 e8???????? 488d0daee30000 }
            // n = 6, score = 100
            //   48894518             | jne                 0x13f3
            //   e8????????           |                     
            //   488d0dbae30000       | dec                 ecx
            //   48894520             | mov                 ecx, esi
            //   e8????????           |                     
            //   488d0daee30000       | dec                 eax

        $sequence_6 = { 42392c3e 0f849bfaffff 428b143e 4a8d4c3e04 e8???????? 488d0dec0c0100 ba10000000 }
            // n = 7, score = 100
            //   42392c3e             | mov                 ebx, dword ptr [esp + 0x40]
            //   0f849bfaffff         | dec                 eax
            //   428b143e             | mov                 ebp, dword ptr [esp + 0x48]
            //   4a8d4c3e04           | dec                 eax
            //   e8????????           |                     
            //   488d0dec0c0100       | mov                 esi, dword ptr [esp + 0x50]
            //   ba10000000           | dec                 eax

        $sequence_7 = { e8???????? b8cdcccccc f7e5 c1ea02 8d0492 2be8 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   b8cdcccccc           | xor                 eax, eax
            //   f7e5                 | xor                 ecx, ecx
            //   c1ea02               | mov                 dword ptr [esp + 0x20], eax
            //   8d0492               | dec                 esp
            //   2be8                 | lea                 ebx, [esp + 0x60]

        $sequence_8 = { 99 f77c2428 4863c2 410fb70c46 488b442440 4533f6 66894c4450 }
            // n = 7, score = 100
            //   99                   | mov                 ecx, ebp
            //   f77c2428             | inc                 esp
            //   4863c2               | mov                 esp, dword ptr [eax]
            //   410fb70c46           | dec                 eax
            //   488b442440           | mov                 eax, dword ptr [esp + 0x68]
            //   4533f6               | jmp                 0x1029
            //   66894c4450           | dec                 eax

        $sequence_9 = { 488bf1 8d4301 ba02000000 498be8 }
            // n = 4, score = 100
            //   488bf1               | lea                 ecx, [0xe3be]
            //   8d4301               | dec                 eax
            //   ba02000000           | mov                 dword ptr [ebp + 0x10], eax
            //   498be8               | dec                 eax

    condition:
        7 of them and filesize < 222784
}
Download all Yara Rules