
Pushdo


Pushdo is usually classified as a "downloader" trojan - meaning its true purpose is to download and install additional malicious software. There are dozens of downloader trojan families out there, and Pushdo is actually more sophisticated than most - but that sophistication lies in the Pushdo control server rather than in the trojan itself.

References
2021-02-23 · CrowdStrike · CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon Ransomware BazarBackdoor Clop Cobalt Strike Conti Ransomware Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet Ransomware ShadowPad SmokeLoader Snake Ransomware SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader
2020-03-15 · The Shadowserver Foundation · Shadowserver Foundation
@online{foundation:20200315:has:80a92d5, author = {Shadowserver Foundation}, title = {{Has The Sun Set On The Necurs Botnet?}}, date = {2020-03-15}, organization = {The Shadowserver Foundation}, url = {https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/}, language = {English}, urldate = {2020-03-17} } Has The Sun Set On The Necurs Botnet?
Andromeda Cutwail Kelihos Necurs Pushdo
2020 · Secureworks · SecureWorks
@online{secureworks:2020:gold:65f4550, author = {SecureWorks}, title = {{GOLD ESSEX}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-essex}, language = {English}, urldate = {2020-05-27} } GOLD ESSEX
Cutwail Pony Pushdo NARWHAL SPIDER
2017-04-03 · Malware Traffic Analysis · Brad Duncan
@online{duncan:20170403:dhl:b9c41a9, author = {Brad Duncan}, title = {{DHL Invoice Malspam/Photo Malspam}}, date = {2017-04-03}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/04/03/index2.html}, language = {English}, urldate = {2020-01-13} } DHL Invoice Malspam/Photo Malspam
Pushdo
2016-02-01 · Blueliv · Raashid Bhat
@online{bhat:20160201:tracking:f5fa1f1, author = {Raashid Bhat}, title = {{Tracking the footprints of PushDo Trojan}}, date = {2016-02-01}, organization = {Blueliv}, url = {https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/}, language = {English}, urldate = {2019-11-20} } Tracking the footprints of PushDo Trojan
Pushdo
2009-05-22 · Trend Micro · Alice Decker, David Sancho, Loucif Kharouni, Max Goncharov, Robert McArdle
@techreport{decker:20090522:pushdo:518e04c, author = {Alice Decker and David Sancho and Loucif Kharouni and Max Goncharov and Robert McArdle}, title = {{Pushdo / Cutwail Botnet}}, date = {2009-05-22}, institution = {Trend Micro}, url = {https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf}, language = {English}, urldate = {2020-01-13} } Pushdo / Cutwail Botnet
Pushdo
2007-12-16 · Secureworks · Joe Stewart
@online{stewart:20071216:pushdo:6a66753, author = {Joe Stewart}, title = {{Pushdo - Analysis of a Modern Malware Distribution System}}, date = {2007-12-16}, organization = {Secureworks}, url = {https://www.secureworks.com/research/pushdo}, language = {English}, urldate = {2019-07-09} } Pushdo - Analysis of a Modern Malware Distribution System
Pushdo
Yara Rules
[TLP:WHITE] win_pushdo_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_pushdo_auto {
    // Autogenerated code-signature rule for win.pushdo (see the DISCLAIMER
    // below). It matches on raw x86 opcode bytes of 21 short instruction
    // sequences; the 4-byte operands of the `ff15` / `e8` / `e9` instructions
    // (call/jmp targets) are wildcarded with `????????`, so relocation or a
    // different import layout does not break the match.
    //
    // Per the DISCLAIMER the sequences were taken from memory dumps and
    // unpacked files, so this rule is best applied to unpacked payloads or
    // process memory; a packed/encrypted on-disk sample is unlikely to hit.
    // In each `// n = X, score = Y` annotation, n is the number of
    // instructions in the sequence; score is yara-signator's ranking of the
    // sequence (its exact derivation is not shown here - consult the tool).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pushdo"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 ff15???????? 33d2 b9ffff0000 f7f1 }
            // n = 5, score = 1200
            //   50                   | push                eax
            //   ff15????????         |                     
            //   33d2                 | xor                 edx, edx
            //   b9ffff0000           | mov                 ecx, 0xffff
            //   f7f1                 | div                 ecx

        $sequence_1 = { f7f9 33c9 ba88020000 f7e2 }
            // n = 4, score = 1200
            //   f7f9                 | idiv                ecx
            //   33c9                 | xor                 ecx, ecx
            //   ba88020000           | mov                 edx, 0x288
            //   f7e2                 | mul                 edx

        $sequence_2 = { 60 8b45fc b10b d3c0 }
            // n = 4, score = 1100
            //   60                   | pushal              
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   b10b                 | mov                 cl, 0xb
            //   d3c0                 | rol                 eax, cl

        // $sequence_3, $sequence_6 and $sequence_7 all index a byte table on
        // the stack at [ebp - 0x110] with an index masked to 0xff (256 entries);
        // $sequence_3 XORs the looked-up byte into an output byte, which looks
        // like a table-driven decoding loop - an inference from the listing,
        // not something the rule itself asserts.
        $sequence_3 = { 81e1ff000000 0fbe8c0df0feffff 33d1 8b450c 0345fc 8810 e9???????? }
            // n = 7, score = 800
            //   81e1ff000000         | and                 ecx, 0xff
            //   0fbe8c0df0feffff     | movsx               ecx, byte ptr [ebp + ecx - 0x110]
            //   33d1                 | xor                 edx, ecx
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   0345fc               | add                 eax, dword ptr [ebp - 4]
            //   8810                 | mov                 byte ptr [eax], dl
            //   e9????????           |                     

        $sequence_4 = { 2bd0 8b4df8 83c101 894df8 81faff000000 7d12 8b55f8 }
            // n = 7, score = 800
            //   2bd0                 | sub                 edx, eax
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   83c101               | add                 ecx, 1
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   81faff000000         | cmp                 edx, 0xff
            //   7d12                 | jge                 0x14
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]

        // Overlaps the tail of $sequence_4 (same `7d12 8b55f8 ... 2bd0` bytes),
        // so one code site may satisfy both strings.
        $sequence_5 = { 7d12 8b55f8 8d85f0feffff 2bd0 }
            // n = 4, score = 800
            //   7d12                 | jge                 0x14
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   8d85f0feffff         | lea                 eax, [ebp - 0x110]
            //   2bd0                 | sub                 edx, eax

        $sequence_6 = { 8b45fc 0fbe8c05f0feffff 038de8feffff 8b45fc 33d2 f77518 }
            // n = 6, score = 800
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   0fbe8c05f0feffff     | movsx               ecx, byte ptr [ebp + eax - 0x110]
            //   038de8feffff         | add                 ecx, dword ptr [ebp - 0x118]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   33d2                 | xor                 edx, edx
            //   f77518               | div                 dword ptr [ebp + 0x18]

        $sequence_7 = { 81e1ff000000 898de8feffff 8b85e8feffff 8a8c05f0feffff 888deffeffff }
            // n = 5, score = 800
            //   81e1ff000000         | and                 ecx, 0xff
            //   898de8feffff         | mov                 dword ptr [ebp - 0x118], ecx
            //   8b85e8feffff         | mov                 eax, dword ptr [ebp - 0x118]
            //   8a8c05f0feffff       | mov                 cl, byte ptr [ebp + eax - 0x110]
            //   888deffeffff         | mov                 byte ptr [ebp - 0x111], cl

        // $sequence_8 .. $sequence_13 (score 500) are mostly generic
        // push/lea argument-setup and compare/branch patterns; on their own they
        // are weak evidence and rely on the "7 of them" threshold below.
        $sequence_8 = { 53 8945f0 ff15???????? 8945fc }
            // n = 4, score = 500
            //   53                   | push                ebx
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   ff15????????         |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_9 = { 52 8d8588fbffff 50 e8???????? }
            // n = 4, score = 500
            //   52                   | push                edx
            //   8d8588fbffff         | lea                 eax, [ebp - 0x478]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_10 = { 6a04 53 e8???????? ff75fc }
            // n = 4, score = 500
            //   6a04                 | push                4
            //   53                   | push                ebx
            //   e8????????           |                     
            //   ff75fc               | push                dword ptr [ebp - 4]

        $sequence_11 = { 397d14 0f84bb000000 397d18 0f84b2000000 397d1c 0f84a9000000 }
            // n = 6, score = 500
            //   397d14               | cmp                 dword ptr [ebp + 0x14], edi
            //   0f84bb000000         | je                  0xc1
            //   397d18               | cmp                 dword ptr [ebp + 0x18], edi
            //   0f84b2000000         | je                  0xb8
            //   397d1c               | cmp                 dword ptr [ebp + 0x1c], edi
            //   0f84a9000000         | je                  0xaf

        $sequence_12 = { e8???????? 8d4564 50 8d4594 56 }
            // n = 5, score = 500
            //   e8????????           |                     
            //   8d4564               | lea                 eax, [ebp + 0x64]
            //   50                   | push                eax
            //   8d4594               | lea                 eax, [ebp - 0x6c]
            //   56                   | push                esi

        $sequence_13 = { 8d852cfeffff 50 8d4558 50 8d4554 50 8d4560 }
            // n = 7, score = 500
            //   8d852cfeffff         | lea                 eax, [ebp - 0x1d4]
            //   50                   | push                eax
            //   8d4558               | lea                 eax, [ebp + 0x58]
            //   50                   | push                eax
            //   8d4554               | lea                 eax, [ebp + 0x54]
            //   50                   | push                eax
            //   8d4560               | lea                 eax, [ebp + 0x60]

        // $sequence_14 .. $sequence_20 carry the lowest score (200): the tool
        // ranked them weakest, so treat a hit that leans on these as lower
        // confidence than one built from the 800+ sequences.
        $sequence_14 = { 2355ec 8955ec 8b45f0 83e810 8945f0 }
            // n = 5, score = 200
            //   2355ec               | and                 edx, dword ptr [ebp - 0x14]
            //   8955ec               | mov                 dword ptr [ebp - 0x14], edx
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   83e810               | sub                 eax, 0x10
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax

        // div by 0x1a then add 0x61: maps a remainder 0..25 onto 'a'..'z'.
        $sequence_15 = { b91a000000 f7f1 83c261 8b450c 0345e0 }
            // n = 5, score = 200
            //   b91a000000           | mov                 ecx, 0x1a
            //   f7f1                 | div                 ecx
            //   83c261               | add                 edx, 0x61
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   0345e0               | add                 eax, dword ptr [ebp - 0x20]

        $sequence_16 = { 8b5514 8b02 2b45d8 8945e8 8b4de8 }
            // n = 5, score = 200
            //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   2b45d8               | sub                 eax, dword ptr [ebp - 0x28]
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]

        // Compares a byte at [eax + 1] against 0x5a ('Z').
        $sequence_17 = { 8b5508 8b040a 0fbe4801 83f95a 7402 eb48 }
            // n = 6, score = 200
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b040a               | mov                 eax, dword ptr [edx + ecx]
            //   0fbe4801             | movsx               ecx, byte ptr [eax + 1]
            //   83f95a               | cmp                 ecx, 0x5a
            //   7402                 | je                  4
            //   eb48                 | jmp                 0x4a

        $sequence_18 = { eb09 8b55f0 83c201 8955f0 8b45f0 3b45e0 7351 }
            // n = 7, score = 200
            //   eb09                 | jmp                 0xb
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   83c201               | add                 edx, 1
            //   8955f0               | mov                 dword ptr [ebp - 0x10], edx
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   3b45e0               | cmp                 eax, dword ptr [ebp - 0x20]
            //   7351                 | jae                 0x53

        $sequence_19 = { 83c002 8945ec 8b4de0 83c102 894de0 85d2 7406 }
            // n = 7, score = 200
            //   83c002               | add                 eax, 2
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   83c102               | add                 ecx, 2
            //   894de0               | mov                 dword ptr [ebp - 0x20], ecx
            //   85d2                 | test                edx, edx
            //   7406                 | je                  8

        $sequence_20 = { 8b510c 8b02 50 8b4d0c 51 }
            // n = 5, score = 200
            //   8b510c               | mov                 edx, dword ptr [ecx + 0xc]
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   50                   | push                eax
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   51                   | push                ecx

    condition:
        // Fires when any 7 of the 21 sequences are present AND the scanned
        // object is smaller than 163840 bytes (160 KiB). The size cap means a
        // full process/memory dump larger than that can never match, whatever
        // it contains - carve the module out (or scan the unpacked PE) first.
        7 of them and filesize < 163840
}