win.portdoor (Back to overview)

PortDoor


There is no description at this point.

References
2023-04-05 — Medium Ilandu — Ilan Duhin
@online{duhin:20230405:portdoor:e39d907, author = {Ilan Duhin}, title = {{PortDoor - APT Backdoor analysis}}, date = {2023-04-05}, organization = {Medium Ilandu}, url = {https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba}, language = {English}, urldate = {2023-04-06} } PortDoor - APT Backdoor analysis
ACBackdoor 8.t Dropper PortDoor
2022-08-08 — Kaspersky — Kaspersky Lab ICS CERT
@techreport{cert:20220808:targeted:61c5617, author = {Kaspersky Lab ICS CERT}, title = {{Targeted attack on industrial enterprises and public institutions}}, date = {2022-08-08}, institution = {Kaspersky}, url = {https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf}, language = {English}, urldate = {2022-08-11} } Targeted attack on industrial enterprises and public institutions
Cotx RAT Logtu nccTrojan PortDoor
2022-04-30 — Cybereason — Daniel Frank, Assaf Dahan
@online{frank:20220430:portdoor:1dca82a, author = {Daniel Frank and Assaf Dahan}, title = {{PortDoor: New Chinese APT Backdoor Attack Targets Russian Defense Sector}}, date = {2022-04-30}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/research/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector}, language = {English}, urldate = {2022-08-09} } PortDoor: New Chinese APT Backdoor Attack Targets Russian Defense Sector
PortDoor
Yara Rules
[TLP:WHITE] win_portdoor_auto (20230407 | Detects win.portdoor.)
rule win_portdoor_auto {

    // Auto-generated code-pattern rule for PortDoor (Malpedia id win.portdoor).
    // Each $sequence_N below is a short run of 32-bit x86 opcode bytes lifted
    // from the disassembly of a reference sample; the rule fires when 7 of the
    // 10 sequences are present and the scanned file is under the size bound
    // given in `condition`. It is a code-similarity indicator, not a behavioural
    // signature — corroborate hits with the references on the family page.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.portdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.portdoor"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Hex strings: every `??` wildcards one byte. The wildcarded bytes sit in
    // the operand position of instructions whose disassembly column is left
    // blank below (push imm32, push [mem], call/jmp rel32, call [mem]) —
    // presumably relocatable addresses and displacements that would otherwise
    // tie the pattern to a single build; verify against the yara-signator docs.
    // Note the strings were taken from unpacked / memory-dumped code, so the
    // rule is not expected to match a packed on-disk dropper.
    strings:
        $sequence_0 = { 0fb64101 50 0fb601 50 8d45a8 68???????? 50 }
            // n = 7, score = 100
            //   0fb64101             | movzx               eax, byte ptr [ecx + 1]
            //   50                   | push                eax
            //   0fb601               | movzx               eax, byte ptr [ecx]
            //   50                   | push                eax
            //   8d45a8               | lea                 eax, [ebp - 0x58]
            //   68????????           |                     
            //   50                   | push                eax

        $sequence_1 = { 53 56 57 33db 8d85fdfbffff }
            // n = 5, score = 100
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   33db                 | xor                 ebx, ebx
            //   8d85fdfbffff         | lea                 eax, [ebp - 0x403]

        $sequence_2 = { 68???????? ff35???????? 68???????? 8b4db4 e8???????? 8945b0 eb04 }
            // n = 7, score = 100
            //   68????????           |                     
            //   ff35????????         |                     
            //   68????????           |                     
            //   8b4db4               | mov                 ecx, dword ptr [ebp - 0x4c]
            //   e8????????           |                     
            //   8945b0               | mov                 dword ptr [ebp - 0x50], eax
            //   eb04                 | jmp                 6

        // Character-class checks against CR (0xd), space (0x20) and double
        // quote (0x22) — looks like a small tokenizer / argument parser; confirm
        // in the sample before relying on this sequence alone.
        $sequence_3 = { 80f90d 741a 80f920 7415 80f922 751f c645ff01 }
            // n = 7, score = 100
            //   80f90d               | cmp                 cl, 0xd
            //   741a                 | je                  0x1c
            //   80f920               | cmp                 cl, 0x20
            //   7415                 | je                  0x17
            //   80f922               | cmp                 cl, 0x22
            //   751f                 | jne                 0x21
            //   c645ff01             | mov                 byte ptr [ebp - 1], 1

        $sequence_4 = { a5 e8???????? 8bbdf0feffff 83c40c 85c0 }
            // n = 5, score = 100
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   e8????????           |                     
            //   8bbdf0feffff         | mov                 edi, dword ptr [ebp - 0x110]
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax

        // Indirect call through an import-table slot, then `cmp edi, -1`:
        // an INVALID_HANDLE_VALUE-style error check (-1 return) — inferred from
        // the constant, not confirmed against the resolved import.
        $sequence_5 = { 56 ff15???????? 8bf8 83ffff 7507 32c0 e9???????? }
            // n = 7, score = 100
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   83ffff               | cmp                 edi, -1
            //   7507                 | jne                 9
            //   32c0                 | xor                 al, al
            //   e9????????           |                     

        $sequence_6 = { 8d55fc 53 56 33db 57 895dfc }
            // n = 6, score = 100
            //   8d55fc               | lea                 edx, [ebp - 4]
            //   53                   | push                ebx
            //   56                   | push                esi
            //   33db                 | xor                 ebx, ebx
            //   57                   | push                edi
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx

        // $sequence_7 and $sequence_9 embed absolute addresses (0x1001f450,
        // 0x10019e18) in their non-wildcarded bytes; they are therefore tied to
        // the reference sample's image base (0x10000000 range, i.e. a DLL) and
        // will not match a rebased or relocated build.
        $sequence_7 = { 8945e0 8d8050f40110 8945e4 803800 8bc8 7435 8a4101 }
            // n = 7, score = 100
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8d8050f40110         | lea                 eax, [eax + 0x1001f450]
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   803800               | cmp                 byte ptr [eax], 0
            //   8bc8                 | mov                 ecx, eax
            //   7435                 | je                  0x37
            //   8a4101               | mov                 al, byte ptr [ecx + 1]

        // push 0x100000 / push 0 ahead of an indirect call — consistent with a
        // 1 MiB allocation or buffer-size argument; not confirmed here.
        $sequence_8 = { ff35???????? e8???????? 6800001000 6a00 ff35???????? 8bf0 }
            // n = 6, score = 100
            //   ff35????????         |                     
            //   e8????????           |                     
            //   6800001000           | push                0x100000
            //   6a00                 | push                0
            //   ff35????????         |                     
            //   8bf0                 | mov                 esi, eax

        // Bounds-checked table lookup: eax must be in [0, 0xe4) before indexing
        // an 8-byte-stride table at 0x10019e18 (absolute address, see note above).
        $sequence_9 = { 59 85c0 7810 3de4000000 7309 8b04c5189e0110 }
            // n = 6, score = 100
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   7810                 | js                  0x12
            //   3de4000000           | cmp                 eax, 0xe4
            //   7309                 | jae                 0xb
            //   8b04c5189e0110       | mov                 eax, dword ptr [eax*8 + 0x10019e18]

    // Match requires 7 of the 10 sequences, so up to 3 may be absent (for
    // example the two image-base-dependent ones). The filesize ceiling is
    // presumably derived from the reference sample: a variant padded or
    // inflated past 297984 bytes will not match even if every sequence is
    // present. Per the YARA docs `filesize` is undefined when scanning process
    // memory, so this rule is intended for file / dump scanning.
    condition:
        7 of them and filesize < 297984
}