
PolyglotDuke

Actor(s): APT 29


There is no description at this point.

References
2020-03-26 — VMWare Carbon Black — Scott Knight
@online{knight:20200326:dukes:df85f94, author = {Scott Knight}, title = {{The Dukes of Moscow}}, date = {2020-03-26}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/}, language = {English}, urldate = {2020-05-18} } The Dukes of Moscow
Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke
2020-02-13 — Qianxin — Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 — Secureworks — SecureWorks
@online{secureworks:2020:iron:59396c7, author = {SecureWorks}, title = {{IRON HEMLOCK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hemlock}, language = {English}, urldate = {2020-05-23} } IRON HEMLOCK
FatDuke MiniDuke OnionDuke PolyglotDuke APT 29
2019-10-17 — ESET Research — ESET Research
@online{research:20191017:operation:812f836, author = {ESET Research}, title = {{Operation Ghost: The Dukes aren’t back – they never left}}, date = {2019-10-17}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/}, language = {English}, urldate = {2020-01-09} } Operation Ghost: The Dukes aren’t back – they never left
PolyglotDuke
Yara Rules
[TLP:WHITE] win_polyglotduke_auto (20220411 | Detects win.polyglotduke.)
rule win_polyglotduke_auto {
    /* PURPOSE
     * Auto-generated (yara-signator) code-sequence rule for the PolyglotDuke
     * family (Malpedia: win.polyglotduke). It matches on short byte sequences
     * taken from the family's disassembly rather than on strings or imports,
     * so it is meant for memory dumps and unpacked files (see DISCLAIMER
     * below), not for the packed/encrypted layer of a sample.
     * NOTE(review): many sequences start with 0x48/0x49/0x4b/0x4c/0x41/0x45,
     * which are REX prefixes in 64-bit mode; this suggests the sequences
     * were taken from an x64 build — confirm against the referenced sample
     * before expecting hits on 32-bit variants.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.polyglotduke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglotduke"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        /* Each $sequence_N is a run of consecutive instruction encodings. The
         * '??' wildcards mask operands that vary between builds: the 4 bytes
         * after 'ff15' and 'e8' look like call displacements, and after
         * '488b05' a RIP-relative data reference (cf. signator_config
         * "callsandjumps;datarefs"). In the trailing comments, 'n' is the
         * number of instructions in the sequence; 'score' is a value assigned
         * by the generator whose meaning is not documented here.
         * NOTE(review): the mnemonic column in the per-byte comments below
         * does not appear to correspond to the hex bytes on the same line
         * (e.g. '4c8be2' is annotated 'dec eax', yet 0x4c is a REX prefix in
         * 64-bit mode and 'dec esp' in 32-bit mode). Treat those annotations
         * as unreliable and decode the bytes in a disassembler before
         * editing or tuning a sequence.
         */
        $sequence_0 = { 4c8be2 488d8d30020000 ba04010000 ff15???????? 41be23010000 85c0 7474 }
            // n = 7, score = 100
            //   4c8be2               | dec                 eax
            //   488d8d30020000       | mov                 ecx, esi
            //   ba04010000           | dec                 esp
            //   ff15????????         |                     
            //   41be23010000         | lea                 ecx, dword ptr [esp + 0x30]
            //   85c0                 | dec                 esp
            //   7474                 | lea                 eax, dword ptr [0xee9b]

        $sequence_1 = { ff15???????? 488bcb 48894658 e8???????? 488bcf e8???????? 488d0dd6590100 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   488bcb               | dec                 eax
            //   48894658             | add                 esp, 0x20
            //   e8????????           |                     
            //   488bcf               | pop                 ebx
            //   e8????????           |                     
            //   488d0dd6590100       | ret                 

        $sequence_2 = { 48894650 e8???????? 488bcf e8???????? 488d0d135a0100 ba11000000 e8???????? }
            // n = 7, score = 100
            //   48894650             | dec                 eax
            //   e8????????           |                     
            //   488bcf               | mov                 ecx, eax
            //   e8????????           |                     
            //   488d0d135a0100       | dec                 eax
            //   ba11000000           | mov                 ecx, edi
            //   e8????????           |                     

        $sequence_3 = { 488bf0 488b4dc8 ff15???????? 488bc6 488b4df0 4833cc e8???????? }
            // n = 7, score = 100
            //   488bf0               | mov                 eax, ebx
            //   488b4dc8             | dec                 eax
            //   ff15????????         |                     
            //   488bc6               | mov                 dword ptr [esp + 0x50], esi
            //   488b4df0             | dec                 eax
            //   4833cc               | mov                 dword ptr [esp + 0x58], eax
            //   e8????????           |                     

        $sequence_4 = { c7442444b8020000 ff15???????? 488d8c24e0000000 ff15???????? 488d8c24e0000000 8d1400 e8???????? }
            // n = 7, score = 100
            //   c7442444b8020000     | dec                 eax
            //   ff15????????         |                     
            //   488d8c24e0000000     | lea                 ecx, dword ptr [ebp - 0x50]
            //   ff15????????         |                     
            //   488d8c24e0000000     | mov                 edx, 0x17
            //   8d1400               | mov                 dword ptr [ebp - 0x50], 0xfa02d66d
            //   e8????????           |                     

        $sequence_5 = { 894710 83f8ff 7518 b956310000 ff15???????? }
            // n = 5, score = 100
            //   894710               | sub                 esp, 0x28
            //   83f8ff               | dec                 esp
            //   7518                 | mov                 eax, ecx
            //   b956310000           | dec                 esp
            //   ff15????????         |                     

        $sequence_6 = { 750f 49ffc0 41ffc1 4b8d0402 493bc3 7ce4 443bcd }
            // n = 7, score = 100
            //   750f                 | inc                 ebx
            //   49ffc0               | jle                 0xd3f
            //   41ffc1               | dec                 ebp
            //   4b8d0402             | mov                 edx, esp
            //   493bc3               | dec                 ebp
            //   7ce4                 | mov                 eax, esp
            //   443bcd               | dec                 ecx

        $sequence_7 = { 488b05???????? 4833c4 488945f0 488b4208 c745d401680000 c745d008020000 c745d810000000 }
            // n = 7, score = 100
            //   488b05????????       |                     
            //   4833c4               | dec                 eax
            //   488945f0             | mov                 ebx, eax
            //   488b4208             | dec                 eax
            //   c745d401680000       | mov                 ecx, ebx
            //   c745d008020000       | dec                 eax
            //   c745d810000000       | mov                 ecx, ebx

        $sequence_8 = { 8b7d97 8d1c3f 4c8be0 8bcb }
            // n = 4, score = 100
            //   8b7d97               | test                ecx, ecx
            //   8d1c3f               | je                  0x1157
            //   4c8be0               | dec                 eax
            //   8bcb                 | lea                 ebp, dword ptr [0x9e5f]

        $sequence_9 = { 664189044e 498bce e8???????? 4533ff 498bce 418bdf ff15???????? }
            // n = 7, score = 100
            //   664189044e           | rep stosd           dword ptr es:[edi], eax
            //   498bce               | dec                 eax
            //   e8????????           |                     
            //   4533ff               | lea                 edi, dword ptr [0xc056]
            //   498bce               | dec                 eax
            //   418bdf               | sub                 edi, ebp
            //   ff15????????         |                     

    condition:
        // Require any 7 of the 10 sequences (so up to 3 may be absent or
        // altered in a given build) and cap the scanned object at 222784
        // bytes. A larger object (e.g. a sample with appended or padded data)
        // will never match regardless of content, so a miss on a big file is
        // not evidence of absence — consider the size bound when assigning
        // confidence, as the DISCLAIMER advises.
        // NOTE(review): 'filesize' is the size of the file being scanned; when
        // scanning process memory its value is not meaningful — confirm how
        // your YARA version evaluates this condition in that mode.
        7 of them and filesize < 222784
}