SYMBOLCOMMON_NAMEaka. SYNONYMS
win.polyglotduke (Back to overview)

PolyglotDuke

Actor(s): APT 29

There is no description at this point.

References
2020-03-26VMWare Carbon BlackScott Knight
@online{knight:20200326:dukes:df85f94, author = {Scott Knight}, title = {{The Dukes of Moscow}}, date = {2020-03-26}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/}, language = {English}, urldate = {2020-05-18} } The Dukes of Moscow
Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020SecureworksSecureWorks
@online{secureworks:2020:iron:59396c7, author = {SecureWorks}, title = {{IRON HEMLOCK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hemlock}, language = {English}, urldate = {2020-05-23} } IRON HEMLOCK
FatDuke MiniDuke OnionDuke PolyglotDuke APT 29
2019-10-17ESET ResearchESET Research
@online{research:20191017:operation:812f836, author = {ESET Research}, title = {{Operation Ghost: The Dukes aren’t back – they never left}}, date = {2019-10-17}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/}, language = {English}, urldate = {2020-01-09} } Operation Ghost: The Dukes aren’t back – they never left
PolyglotDuke
Yara Rules
[TLP:WHITE] win_polyglotduke_auto (20211008 | Detects win.polyglotduke.)
rule win_polyglotduke_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.polyglotduke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglotduke"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8915???????? 488b5308 33c0 488d3d6e3a0100 b900040000 f3aa }
            // n = 6, score = 100
            //   8915????????         |                     
            //   488b5308             | dec                 esp
            //   33c0                 | lea                 eax, dword ptr [0x6b]
            //   488d3d6e3a0100       | dec                 esp
            //   b900040000           | mov                 dword ptr [esp + 0x28], ebx
            //   f3aa                 | and                 dword ptr [esp + 0x20], 0

        $sequence_1 = { 4889442420 ff15???????? 85c0 7436 48897c2440 488d442470 }
            // n = 6, score = 100
            //   4889442420           | dec                 eax
            //   ff15????????         |                     
            //   85c0                 | mov                 ecx, esi
            //   7436                 | dec                 ecx
            //   48897c2440           | add                 esi, edi
            //   488d442470           | test                edi, edi

        $sequence_2 = { 482bcf e8???????? 488b8b30010000 e8???????? 488b8b58010000 488d0574bb0000 483bc8 }
            // n = 7, score = 100
            //   482bcf               | mov                 ecx, ebx
            //   e8????????           |                     
            //   488b8b30010000       | dec                 esp
            //   e8????????           |                     
            //   488b8b58010000       | mov                 esp, eax
            //   488d0574bb0000       | dec                 eax
            //   483bc8               | mov                 edi, dword ptr [esp + 0x48]

        $sequence_3 = { 4c8be9 e8???????? 33db 48391d???????? 488bf8 0f85d5000000 488d0d534f0000 }
            // n = 7, score = 100
            //   4c8be9               | and                 al, 0x3f
            //   e8????????           |                     
            //   33db                 | shl                 dx, 8
            //   48391d????????       |                     
            //   488bf8               | inc                 eax
            //   0f85d5000000         | or                  al, bh
            //   488d0d534f0000       | movzx               eax, al

        $sequence_4 = { 488bcf e8???????? 4c8b7c2428 488b742420 }
            // n = 4, score = 100
            //   488bcf               | test                edx, edx
            //   e8????????           |                     
            //   4c8b7c2428           | je                  0x829
            //   488b742420           | dec                 eax

        $sequence_5 = { eb07 488d0daf6a0000 f6410820 7417 33d2 8bce 448d4202 }
            // n = 7, score = 100
            //   eb07                 | mov                 edx, dword ptr [ebx + 8]
            //   488d0daf6a0000       | xor                 eax, eax
            //   f6410820             | dec                 eax
            //   7417                 | lea                 edi, dword ptr [0x13a6e]
            //   33d2                 | dec                 eax
            //   8bce                 | lea                 ecx, dword ptr [0x17027]
            //   448d4202             | dec                 eax

        $sequence_6 = { e8???????? 488bce e8???????? 488bcd e8???????? 488bc7 488b5c2430 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488bce               | dec                 eax
            //   e8????????           |                     
            //   488bcd               | test                esi, esi
            //   e8????????           |                     
            //   488bc7               | dec                 eax
            //   488b5c2430           | mov                 ecx, edi

        $sequence_7 = { 488bd6 488bc8 48894308 e8???????? 488bc3 488b5c2430 488b742438 }
            // n = 7, score = 100
            //   488bd6               | dec                 eax
            //   488bc8               | mov                 eax, dword ptr [ebx]
            //   48894308             | dec                 eax
            //   e8????????           |                     
            //   488bc3               | test                eax, eax
            //   488b5c2430           | je                  0x24
            //   488b742438           | call                eax

        $sequence_8 = { 7449 488d4e04 8bd3 e8???????? 8d4b01 488bf8 e8???????? }
            // n = 7, score = 100
            //   7449                 | jge                 0xa8c
            //   488d4e04             | dec                 eax
            //   8bd3                 | arpl                di, cx
            //   e8????????           |                     
            //   8d4b01               | mov                 al, byte ptr [ecx + ebx + 0x11d]
            //   488bf8               | inc                 edx
            //   e8????????           |                     

        $sequence_9 = { 4c8bd8 488905???????? 4885c0 7422 488d15394e0000 488bce ff15???????? }
            // n = 7, score = 100
            //   4c8bd8               | mov                 dword ptr [esp + 0x28], edx
            //   488905????????       |                     
            //   4885c0               | inc                 ebp
            //   7422                 | xor                 eax, eax
            //   488d15394e0000       | xor                 ecx, ecx
            //   488bce               | dec                 esp
            //   ff15????????         |                     

    condition:
        7 of them and filesize < 222784
}
Download all Yara Rules