SYMBOLCOMMON_NAMEaka. SYNONYMS
win.pteranodon (Back to overview)

Pteranodon

Actor(s): Gamaredon Group, Operation Armageddon


There is no description at this point.

References
2020-02-17YoroiYoroi
@online{yoroi:20200217:cyberwarfare:5b28cf2, author = {Yoroi}, title = {{Cyberwarfare: A deep dive into the latest Gamaredon Espionage Campaign}}, date = {2020-02-17}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/cyberwarfare-a-deep-dive-into-the-latest-gamaredon-espionage-campaign/}, language = {English}, urldate = {2020-02-20} } Cyberwarfare: A deep dive into the latest Gamaredon Espionage Campaign
Pteranodon
2020-02-13ElasticDaniel Stepanic, Andrew Pease, Seth Goodwin
@online{stepanic:20200213:playing:ae77be6, author = {Daniel Stepanic and Andrew Pease and Seth Goodwin}, title = {{Playing defense against Gamaredon Group}}, date = {2020-02-13}, organization = {Elastic}, url = {https://www.elastic.co/blog/playing-defense-against-gamaredon-group}, language = {English}, urldate = {2020-06-26} } Playing defense against Gamaredon Group
Pteranodon
2020-02-05SentinelOneVitali Kremez
@online{kremez:20200205:prorussian:4fab984, author = {Vitali Kremez}, title = {{Pro-Russian CyberSpy Gamaredon Intensifies Ukrainian Security Targeting}}, date = {2020-02-05}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/pro-russian-cyberspy-gamaredon-intensifies-ukrainian-security-targeting/}, language = {English}, urldate = {2020-02-09} } Pro-Russian CyberSpy Gamaredon Intensifies Ukrainian Security Targeting
Pteranodon
2019-02-07ThreatStopJohn Bambenek
@online{bambenek:20190207:inside:2a18c89, author = {John Bambenek}, title = {{An Inside Look at the Infrastructure Behind the Russian APT Gamaredon Group}}, date = {2019-02-07}, organization = {ThreatStop}, url = {https://blog.threatstop.com/russian-apt-gamaredon-group}, language = {English}, urldate = {2020-01-06} } An Inside Look at the Infrastructure Behind the Russian APT Gamaredon Group
Pteranodon
2019-01-07Vitali Kremez
@online{kremez:20190107:lets:07f4941, author = {Vitali Kremez}, title = {{Let's Learn: Deeper Dive into Gamaredon Group Pteranodon Implant Version '_512'}}, date = {2019-01-07}, url = {https://www.vkremez.com/2019/01/lets-learn-deeper-dive-into-gamaredon.html}, language = {English}, urldate = {2020-01-07} } Let's Learn: Deeper Dive into Gamaredon Group Pteranodon Implant Version '_512'
Pteranodon
2018-11-15Cert-UACert-UA
@online{certua:20181115:pterodo:3ed19e5, author = {Cert-UA}, title = {{Виявлена підготовка до проведення кібератаки з використанням ШПЗ типу Pterodo}}, date = {2018-11-15}, organization = {Cert-UA}, url = {https://cert.gov.ua/news/46}, language = {Ukrainian}, urldate = {2020-01-13} } Виявлена підготовка до проведення кібератаки з використанням ШПЗ типу Pterodo
Pteranodon
2018-09-03Cert-UACert-UA
@online{certua:20180903:bulk:09fa177, author = {Cert-UA}, title = {{Bulk mailing of spyware like Pterodo}}, date = {2018-09-03}, organization = {Cert-UA}, url = {https://cert.gov.ua/news/42}, language = {Ukrainian}, urldate = {2020-01-08} } Bulk mailing of spyware like Pterodo
Pteranodon
2017-02-27Palo Alto Networks Unit 42Anthony Kasza, Dominik Reichel
@online{kasza:20170227:gamaredon:322eb5f, author = {Anthony Kasza and Dominik Reichel}, title = {{The Gamaredon Group Toolset Evolution}}, date = {2017-02-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/}, language = {English}, urldate = {2019-12-20} } The Gamaredon Group Toolset Evolution
Pteranodon
2016-06-25NSHCNSHC Threatrecon Team
@online{team:20160625:sectorc08:84b8f56, author = {NSHC Threatrecon Team}, title = {{SectorC08: Multi-Layered SFX in Recent Campaigns Target Ukraine}}, date = {2016-06-25}, organization = {NSHC}, url = {https://threatrecon.nshc.net/2019/06/11/sectorc08-multi-layered-sfx-recent-campaigns-target-ukraine/}, language = {English}, urldate = {2020-01-07} } SectorC08: Multi-Layered SFX in Recent Campaigns Target Ukraine
Pteranodon
Yara Rules
[TLP:WHITE] win_pteranodon_auto (20210616 | Detects win.pteranodon.)
rule win_pteranodon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.pteranodon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pteranodon"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c746140f000000 895e10 837e1410 7202 8b36 33c0 c6041e00 }
            // n = 7, score = 100
            //   c746140f000000       | mov                 dword ptr [esi + 0x14], 0xf
            //   895e10               | mov                 dword ptr [esi + 0x10], ebx
            //   837e1410             | cmp                 dword ptr [esi + 0x14], 0x10
            //   7202                 | jb                  4
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   33c0                 | xor                 eax, eax
            //   c6041e00             | mov                 byte ptr [esi + ebx], 0

        $sequence_1 = { 5f 0bc0 5e 8b4dfc 33cd e8???????? 8be5 }
            // n = 7, score = 100
            //   5f                   | pop                 edi
            //   0bc0                 | or                  eax, eax
            //   5e                   | pop                 esi
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   33cd                 | xor                 ecx, ebp
            //   e8????????           |                     
            //   8be5                 | mov                 esp, ebp

        $sequence_2 = { ffb590feffff e8???????? 8b858cfeffff c785a4feffff0f000000 c785a0feffff00000000 }
            // n = 5, score = 100
            //   ffb590feffff         | push                dword ptr [ebp - 0x170]
            //   e8????????           |                     
            //   8b858cfeffff         | mov                 eax, dword ptr [ebp - 0x174]
            //   c785a4feffff0f000000     | mov    dword ptr [ebp - 0x15c], 0xf
            //   c785a0feffff00000000     | mov    dword ptr [ebp - 0x160], 0

        $sequence_3 = { e8???????? 68???????? 8bd0 c645fc0d 8d8d48f8ffff e8???????? }
            // n = 6, score = 100
            //   e8????????           |                     
            //   68????????           |                     
            //   8bd0                 | mov                 edx, eax
            //   c645fc0d             | mov                 byte ptr [ebp - 4], 0xd
            //   8d8d48f8ffff         | lea                 ecx, dword ptr [ebp - 0x7b8]
            //   e8????????           |                     

        $sequence_4 = { 8b4004 8a8810650310 884def 8b8808650310 8b4120 833800 7420 }
            // n = 7, score = 100
            //   8b4004               | mov                 eax, dword ptr [eax + 4]
            //   8a8810650310         | mov                 cl, byte ptr [eax + 0x10036510]
            //   884def               | mov                 byte ptr [ebp - 0x11], cl
            //   8b8808650310         | mov                 ecx, dword ptr [eax + 0x10036508]
            //   8b4120               | mov                 eax, dword ptr [ecx + 0x20]
            //   833800               | cmp                 dword ptr [eax], 0
            //   7420                 | je                  0x22

        $sequence_5 = { 0f57c0 80fb7d 0f1145e8 0f95c2 33c0 84db 0f95c0 }
            // n = 7, score = 100
            //   0f57c0               | xorps               xmm0, xmm0
            //   80fb7d               | cmp                 bl, 0x7d
            //   0f1145e8             | movups              xmmword ptr [ebp - 0x18], xmm0
            //   0f95c2               | setne               dl
            //   33c0                 | xor                 eax, eax
            //   84db                 | test                bl, bl
            //   0f95c0               | setne               al

        $sequence_6 = { 0103 8b8590feffff ff00 80bdc4feffff00 7504 33c0 eb12 }
            // n = 7, score = 100
            //   0103                 | add                 dword ptr [ebx], eax
            //   8b8590feffff         | mov                 eax, dword ptr [ebp - 0x170]
            //   ff00                 | inc                 dword ptr [eax]
            //   80bdc4feffff00       | cmp                 byte ptr [ebp - 0x13c], 0
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax
            //   eb12                 | jmp                 0x14

        $sequence_7 = { 84c0 75f3 8d55c8 8bf2 }
            // n = 4, score = 100
            //   84c0                 | test                al, al
            //   75f3                 | jne                 0xfffffff5
            //   8d55c8               | lea                 edx, dword ptr [ebp - 0x38]
            //   8bf2                 | mov                 esi, edx

        $sequence_8 = { 8b55e8 8b0485b8690310 f644022880 74a9 807dff02 }
            // n = 5, score = 100
            //   8b55e8               | mov                 edx, dword ptr [ebp - 0x18]
            //   8b0485b8690310       | mov                 eax, dword ptr [eax*4 + 0x100369b8]
            //   f644022880           | test                byte ptr [edx + eax + 0x28], 0x80
            //   74a9                 | je                  0xffffffab
            //   807dff02             | cmp                 byte ptr [ebp - 1], 2

        $sequence_9 = { 84c0 750a be04000000 e9???????? c645fc02 8b81e4640310 }
            // n = 6, score = 100
            //   84c0                 | test                al, al
            //   750a                 | jne                 0xc
            //   be04000000           | mov                 esi, 4
            //   e9????????           |                     
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   8b81e4640310         | mov                 eax, dword ptr [ecx + 0x100364e4]

    condition:
        7 of them and filesize < 499712
}
Download all Yara Rules