SYMBOLCOMMON_NAMEaka. SYNONYMS
win.polyglotduke (Back to overview)

PolyglotDuke

Actor(s): APT 29


There is no description at this point.

References
2020-03-26VMWare Carbon BlackScott Knight
@online{knight:20200326:dukes:df85f94, author = {Scott Knight}, title = {{The Dukes of Moscow}}, date = {2020-03-26}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/}, language = {English}, urldate = {2020-05-18} } The Dukes of Moscow
Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020SecureworksSecureWorks
@online{secureworks:2020:iron:59396c7, author = {SecureWorks}, title = {{IRON HEMLOCK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hemlock}, language = {English}, urldate = {2020-05-23} } IRON HEMLOCK
FatDuke MiniDuke OnionDuke PolyglotDuke APT29
2019-10-17ESET ResearchESET Research
@online{research:20191017:operation:812f836, author = {ESET Research}, title = {{Operation Ghost: The Dukes aren’t back – they never left}}, date = {2019-10-17}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/}, language = {English}, urldate = {2020-01-09} } Operation Ghost: The Dukes aren’t back – they never left
PolyglotDuke
Yara Rules
[TLP:WHITE] win_polyglotduke_auto (20220808 | Detects win.polyglotduke.)
rule win_polyglotduke_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.polyglotduke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglotduke"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? 41b900000010 488bd7 448bc0 498bcc }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   41b900000010         | dec                 eax
            //   488bd7               | mov                 esi, eax
            //   448bc0               | dec                 esp
            //   498bcc               | mov                 esi, dword ptr [esp + 0x38]

        $sequence_1 = { b956310000 ff15???????? 66ff4704 66837f0402 72da eb0c b001 }
            // n = 7, score = 100
            //   b956310000           | dec                 eax
            //   ff15????????         |                     
            //   66ff4704             | mov                 ecx, dword ptr [edi + 0x38]
            //   66837f0402           | mov                 edx, dword ptr [ecx]
            //   72da                 | dec                 eax
            //   eb0c                 | mov                 ecx, dword ptr [ecx + 8]
            //   b001                 | dec                 eax

        $sequence_2 = { 488bd8 e8???????? 4885db 7505 488bfd eb0e 498bd6 }
            // n = 7, score = 100
            //   488bd8               | dec                 eax
            //   e8????????           |                     
            //   4885db               | xor                 ecx, esp
            //   7505                 | dec                 eax
            //   488bfd               | lea                 edi, [esp + 0x20]
            //   eb0e                 | mov                 ecx, 0x3ee
            //   498bd6               | dec                 eax

        $sequence_3 = { 88442420 4c8d442420 488d5501 488bce e8???????? 4883c9ff }
            // n = 6, score = 100
            //   88442420             | add                 edi, 2
            //   4c8d442420           | movzx               eax, word ptr [ebp + eax*2]
            //   488d5501             | mov                 word ptr [ecx], ax
            //   488bce               | dec                 eax
            //   e8????????           |                     
            //   4883c9ff             | add                 ecx, 2

        $sequence_4 = { 488bce 8bd8 ff15???????? 8bf8 }
            // n = 4, score = 100
            //   488bce               | dec                 eax
            //   8bd8                 | mov                 dword ptr [ebx + 0x20], eax
            //   ff15????????         |                     
            //   8bf8                 | dec                 eax

        $sequence_5 = { 4c8d4de0 4889542420 4c8d05d90b0100 488d8d20070000 ba53020000 e8???????? }
            // n = 6, score = 100
            //   4c8d4de0             | dec                 eax
            //   4889542420           | lea                 esi, [edi - 1]
            //   4c8d05d90b0100       | dec                 eax
            //   488d8d20070000       | test                esi, esi
            //   ba53020000           | dec                 eax
            //   e8????????           |                     

        $sequence_6 = { 488d4c2420 488bd3 ff15???????? 488bcb e8???????? 488d4c2420 ff15???????? }
            // n = 7, score = 100
            //   488d4c2420           | mov                 ebx, edx
            //   488bd3               | dec                 eax
            //   ff15????????         |                     
            //   488bcb               | mov                 edi, ecx
            //   e8????????           |                     
            //   488d4c2420           | dec                 ebp
            //   ff15????????         |                     

        $sequence_7 = { 488b05???????? 4833c4 4889842450020000 488bf1 e8???????? 488bce 8bd8 }
            // n = 7, score = 100
            //   488b05????????       |                     
            //   4833c4               | je                  0x35f
            //   4889842450020000     | dec                 eax
            //   488bf1               | mov                 ecx, edi
            //   e8????????           |                     
            //   488bce               | dec                 eax
            //   8bd8                 | mov                 edi, eax

        $sequence_8 = { 2c30 eb02 2c57 4002f8 }
            // n = 4, score = 100
            //   2c30                 | lea                 edx, [0xd3fd]
            //   eb02                 | jne                 0xfffffab2
            //   2c57                 | inc                 edx
            //   4002f8               | cmp                 dword ptr [esi + edi], ebp

        $sequence_9 = { 243f 66c1e208 400ac7 0fb6c0 660bc2 664389444d00 49ffc1 }
            // n = 7, score = 100
            //   243f                 | dec                 eax
            //   66c1e208             | cmp                 dword ptr [eax], edi
            //   400ac7               | je                  0x110
            //   0fb6c0               | dec                 eax
            //   660bc2               | mov                 ecx, dword ptr [eax + 8]
            //   664389444d00         | dec                 eax
            //   49ffc1               | test                ecx, ecx

    condition:
        7 of them and filesize < 222784
}
Download all Yara Rules