win.pushdo

Pushdo


Pushdo is usually classified as a "downloader" trojan, meaning its true purpose is to download and install additional malicious software. There are dozens of downloader trojan families, and Pushdo is more sophisticated than most — but that sophistication lies in the Pushdo control server rather than in the trojan itself.

References
2021-02-23 — CrowdStrike — CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2020-03-15 — The Shadowserver Foundation — Shadowserver Foundation
@online{foundation:20200315:has:80a92d5, author = {Shadowserver Foundation}, title = {{Has The Sun Set On The Necurs Botnet?}}, date = {2020-03-15}, organization = {The Shadowserver Foundation}, url = {https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/}, language = {English}, urldate = {2020-03-17} } Has The Sun Set On The Necurs Botnet?
Andromeda Cutwail Kelihos Necurs Pushdo
2020 — Secureworks — SecureWorks
@online{secureworks:2020:gold:65f4550, author = {SecureWorks}, title = {{GOLD ESSEX}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-essex}, language = {English}, urldate = {2020-05-27} } GOLD ESSEX
Cutwail Pony Pushdo NARWHAL SPIDER
2017-04-03 — Malware Traffic Analysis — Brad Duncan
@online{duncan:20170403:dhl:b9c41a9, author = {Brad Duncan}, title = {{DHL Invoice Malspam/Photo Malspam}}, date = {2017-04-03}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/04/03/index2.html}, language = {English}, urldate = {2020-01-13} } DHL Invoice Malspam/Photo Malspam
Pushdo
2016-02-01 — Blueliv — Raashid Bhat
@online{bhat:20160201:tracking:f5fa1f1, author = {Raashid Bhat}, title = {{Tracking the footprints of PushDo Trojan}}, date = {2016-02-01}, organization = {Blueliv}, url = {https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/}, language = {English}, urldate = {2019-11-20} } Tracking the footprints of PushDo Trojan
Pushdo
2009-05-22 — Trend Micro — Alice Decker, David Sancho, Loucif Kharouni, Max Goncharov, Robert McArdle
@techreport{decker:20090522:pushdo:518e04c, author = {Alice Decker and David Sancho and Loucif Kharouni and Max Goncharov and Robert McArdle}, title = {{Pushdo / Cutwail Botnet}}, date = {2009-05-22}, institution = {Trend Micro}, url = {https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf}, language = {English}, urldate = {2020-01-13} } Pushdo / Cutwail Botnet
Pushdo
2007-12-16 — Secureworks — Joe Stewart
@online{stewart:20071216:pushdo:6a66753, author = {Joe Stewart}, title = {{Pushdo - Analysis of a Modern Malware Distribution System}}, date = {2007-12-16}, organization = {Secureworks}, url = {https://www.secureworks.com/research/pushdo}, language = {English}, urldate = {2019-07-09} } Pushdo - Analysis of a Modern Malware Distribution System
Pushdo
Yara Rules
[TLP:WHITE] win_pushdo_auto (20210616 | Detects win.pushdo.)
// Autogenerated code-sequence signature for the Pushdo downloader (win.pushdo).
//
// Practitioner notes (see the DISCLAIMER block below for the generation method):
//  * The byte sequences were taken from UNPACKED code (memory dumps / unpacked
//    files). Packed or encrypted on-disk droppers will generally not match;
//    scan unpacked samples or dumped memory regions.
//  * The condition uses `filesize`. Per the YARA documentation that variable is
//    only defined for file scans, so this rule will not fire when scanning live
//    process memory (yara -p / match(pid=...)). Dump the region to a file first.
//  * `????????` bytes are wildcards masking relocatable operands (call/jmp
//    targets, absolute data addresses), so matches are independent of image base.
//  * Several sequences (notably $sequence_3..$sequence_7) look like generic
//    table-manipulation code that may occur in other families; the "7 of them"
//    threshold is what keeps the rule specific. Treat single-sequence hits from
//    ad-hoc variants of this rule as low confidence.
rule win_pushdo_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.pushdo."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pushdo"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // "n" is the instruction count of the sequence; "score" is the
        // yara-signator ranking (higher = more samples of the family carried it).
        // Sequences are ordered by descending score: the two 1200-score
        // sequences are the most consistently seen across the reference set.

        // NOTE(review): looks like a compiler-emitted overflow-checked
        // allocation-size multiply (count * 0x288 with the overflow flag folded
        // into the result) rather than malware-specific logic — such idioms can
        // recur in unrelated MSVC-built binaries; verify before relying on it alone.
        $sequence_0 = { f7f9 33c9 ba88020000 f7e2 0f90c1 f7d9 0bc8 }
            // n = 7, score = 1200
            //   f7f9                 | idiv                ecx
            //   33c9                 | xor                 ecx, ecx
            //   ba88020000           | mov                 edx, 0x288
            //   f7e2                 | mul                 edx
            //   0f90c1               | seto                cl
            //   f7d9                 | neg                 ecx
            //   0bc8                 | or                  ecx, eax

        // Masked `call [imm32]` (import call) followed by edx=0, ecx=0xffff.
        $sequence_1 = { 50 ff15???????? 33d2 b9ffff0000 }
            // n = 4, score = 1200
            //   50                   | push                eax
            //   ff15????????         |                     
            //   33d2                 | xor                 edx, edx
            //   b9ffff0000           | mov                 ecx, 0xffff

        // pushal/popal around a single rotate: an unusual construct, which is
        // what makes it a useful anchor. Purpose of the rol-by-11 not evident here.
        $sequence_2 = { 60 8b45fc b10b d3c0 61 }
            // n = 5, score = 1100
            //   60                   | pushal              
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   b10b                 | mov                 cl, 0xb
            //   d3c0                 | rol                 eax, cl
            //   61                   | popal               

        // $sequence_3 .. $sequence_7 all operate on a 256-entry (0x100) byte
        // table at [ebp - 0x110], with a loop index at [ebp - 4], an accumulator
        // at [ebp - 0x118] and a one-byte swap temporary at [ebp - 0x111].
        // NOTE(review): this looks like an RC4-style key schedule / byte-swap
        // and XOR keystream loop (stack-allocated S-box) — presumably the
        // payload/config decryption routine. Not confirmed from this page, and
        // unoptimised RC4 of this shape is common in other malware, so these
        // five sequences should not be treated as independent evidence.
        $sequence_3 = { 83c201 8955fc 817dfc00010000 736a 8b45fc 0fbe8c05f0feffff 038de8feffff }
            // n = 7, score = 800
            //   83c201               | add                 edx, 1
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   817dfc00010000       | cmp                 dword ptr [ebp - 4], 0x100
            //   736a                 | jae                 0x6c
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   0fbe8c05f0feffff     | movsx               ecx, byte ptr [ebp + eax - 0x110]
            //   038de8feffff         | add                 ecx, dword ptr [ebp - 0x118]

        // Byte swap between table[i] and table[j] via the [ebp - 0x111] temporary.
        $sequence_4 = { 888deffeffff 8b95e8feffff 8b45fc 8a8c05f0feffff 888c15f0feffff 8b55fc 8a85effeffff }
            // n = 7, score = 800
            //   888deffeffff         | mov                 byte ptr [ebp - 0x111], cl
            //   8b95e8feffff         | mov                 edx, dword ptr [ebp - 0x118]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8a8c05f0feffff       | mov                 cl, byte ptr [ebp + eax - 0x110]
            //   888c15f0feffff       | mov                 byte ptr [ebp + edx - 0x110], cl
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8a85effeffff         | mov                 al, byte ptr [ebp - 0x111]

        // XOR of a table byte into edx, stored to out[ebp+0xc][i]: the
        // keystream-apply step of the loop described above.
        $sequence_5 = { 0fbe8c0df0feffff 33d1 8b450c 0345fc 8810 }
            // n = 5, score = 800
            //   0fbe8c0df0feffff     | movsx               ecx, byte ptr [ebp + ecx - 0x110]
            //   33d1                 | xor                 edx, ecx
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   0345fc               | add                 eax, dword ptr [ebp - 4]
            //   8810                 | mov                 byte ptr [eax], dl

        // Second half of the table[i]/table[j] swap.
        $sequence_6 = { 888c15f0feffff 8b95e8feffff 8a85effeffff 888415f0feffff }
            // n = 4, score = 800
            //   888c15f0feffff       | mov                 byte ptr [ebp + edx - 0x110], cl
            //   8b95e8feffff         | mov                 edx, dword ptr [ebp - 0x118]
            //   8a85effeffff         | mov                 al, byte ptr [ebp - 0x111]
            //   888415f0feffff       | mov                 byte ptr [ebp + edx - 0x110], al

        // Overlaps the tail of $sequence_3; both may fire on the same function.
        $sequence_7 = { 0fbe8c05f0feffff 038de8feffff 8b45fc 33d2 }
            // n = 4, score = 800
            //   0fbe8c05f0feffff     | movsx               ecx, byte ptr [ebp + eax - 0x110]
            //   038de8feffff         | add                 ecx, dword ptr [ebp - 0x118]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   33d2                 | xor                 edx, edx

        // Sequences scored 500 were seen in fewer reference samples.
        // This one spans a function boundary (`ret` then a new prologue that
        // reads three stack args) — the pattern depends on function ordering
        // in the binary, which a rebuilt variant may change.
        $sequence_8 = { c3 837c240400 57 7424 8b7c2408 8a44240c }
            // n = 6, score = 500
            //   c3                   | ret                 
            //   837c240400           | cmp                 dword ptr [esp + 4], 0
            //   57                   | push                edi
            //   7424                 | je                  0x26
            //   8b7c2408             | mov                 edi, dword ptr [esp + 8]
            //   8a44240c             | mov                 al, byte ptr [esp + 0xc]

        // Pushes a masked absolute address (likely a string/format constant)
        // and a pointer to a large (0xa84-byte) stack buffer.
        $sequence_9 = { 50 50 8d857cf5ffff 68???????? 50 }
            // n = 5, score = 500
            //   50                   | push                eax
            //   50                   | push                eax
            //   8d857cf5ffff         | lea                 eax, dword ptr [ebp - 0xa84]
            //   68????????           |                     
            //   50                   | push                eax

        // Loop that adds a delta (edi) to dwords at [ebx+edx], then steps to
        // the next entry via [eax+4] — consistent with a relocation-fixup loop
        // of a hand-rolled loader, but that is inferred, not shown here.
        $sequence_10 = { 2b7df8 03d3 013a ff45fc 394dfc 72c8 034004 }
            // n = 7, score = 500
            //   2b7df8               | sub                 edi, dword ptr [ebp - 8]
            //   03d3                 | add                 edx, ebx
            //   013a                 | add                 dword ptr [edx], edi
            //   ff45fc               | inc                 dword ptr [ebp - 4]
            //   394dfc               | cmp                 dword ptr [ebp - 4], ecx
            //   72c8                 | jb                  0xffffffca
            //   034004               | add                 eax, dword ptr [eax + 4]

        // Import call, then an unsigned divide by 0x3e (62).
        // NOTE(review): division by 62 is typical of alphanumeric / base-62
        // string generation (e.g. random names or DGA-style labels); hedge.
        $sequence_11 = { 50 ff15???????? 8b45f8 33d2 6a3e 59 f7f1 }
            // n = 7, score = 500
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   33d2                 | xor                 edx, edx
            //   6a3e                 | push                0x3e
            //   59                   | pop                 ecx
            //   f7f1                 | div                 ecx

        // Call with (global, ebx, 2) arguments; the global's address is masked.
        $sequence_12 = { 6a02 53 ff35???????? 895dfc }
            // n = 4, score = 500
            //   6a02                 | push                2
            //   6a02 is the constant; 53 pushes ebx
            //   53                   | push                ebx
            //   ff35????????         |                     
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx

        // Call taking a pointer to a 0x478-byte stack buffer; target masked.
        $sequence_13 = { 52 8d8588fbffff 50 e8???????? }
            // n = 4, score = 500
            //   52                   | push                edx
            //   8d8588fbffff         | lea                 eax, dword ptr [ebp - 0x478]
            //   50                   | push                eax
            //   e8????????           |                     

        // Sequences scored 200 were seen in only one or two reference samples;
        // they carry the least weight toward the "7 of them" threshold.
        // Adds 0x61 ('a') to a byte and stores it into out[ebp+0xc] — suggests
        // generation of lowercase-letter strings; hedge.
        $sequence_14 = { 83c261 8b450c 0345e0 8810 ebd6 }
            // n = 5, score = 200
            //   83c261               | add                 edx, 0x61
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   0345e0               | add                 eax, dword ptr [ebp - 0x20]
            //   8810                 | mov                 byte ptr [eax], dl
            //   ebd6                 | jmp                 0xffffffd8

        // Range check of a char arg against 'z' (0x7a) then `sub 0x47`:
        // looks like a base64-style alphabet-to-value mapping; hedge.
        $sequence_15 = { 7c12 0fbe4508 83f87a 7f09 0fbe4508 83e847 eb2a }
            // n = 7, score = 200
            //   7c12                 | jl                  0x14
            //   0fbe4508             | movsx               eax, byte ptr [ebp + 8]
            //   83f87a               | cmp                 eax, 0x7a
            //   7f09                 | jg                  0xb
            //   0fbe4508             | movsx               eax, byte ptr [ebp + 8]
            //   83e847               | sub                 eax, 0x47
            //   eb2a                 | jmp                 0x2c

        // Tests a 16-bit argument against 1; generic prologue-ish code.
        $sequence_16 = { 0fb7550c 83fa01 750f 8b4508 }
            // n = 4, score = 200
            //   0fb7550c             | movzx               edx, word ptr [ebp + 0xc]
            //   83fa01               | cmp                 edx, 1
            //   750f                 | jne                 0x11
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        // Null-check on a local, returning 0 on failure; generic.
        $sequence_17 = { e9???????? 837dec00 7404 33c0 eb08 8b550c }
            // n = 6, score = 200
            //   e9????????           |                     
            //   837dec00             | cmp                 dword ptr [ebp - 0x14], 0
            //   7404                 | je                  6
            //   33c0                 | xor                 eax, eax
            //   eb08                 | jmp                 0xa
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]

        // Two pointer locals advanced by 4 in lockstep (dword walk); generic.
        $sequence_18 = { 83c104 894dd8 8b55dc 83c204 }
            // n = 4, score = 200
            //   83c104               | add                 ecx, 4
            //   894dd8               | mov                 dword ptr [ebp - 0x28], ecx
            //   8b55dc               | mov                 edx, dword ptr [ebp - 0x24]
            //   83c204               | add                 edx, 4

        // cdecl call (one arg, esp restored by caller) on a 0x360-byte buffer.
        $sequence_19 = { 8d95a0fcffff 52 e8???????? 83c404 8945fc 8b45fc }
            // n = 6, score = 200
            //   8d95a0fcffff         | lea                 edx, dword ptr [ebp - 0x360]
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        // base + struct->field(+0xc) pointer arithmetic on an argument; generic.
        $sequence_20 = { 894dd4 8b55ec 8b4508 03420c 8945d0 }
            // n = 5, score = 200
            //   894dd4               | mov                 dword ptr [ebp - 0x2c], ecx
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   03420c               | add                 eax, dword ptr [edx + 0xc]
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax

    condition:
        // Require 7 of the 21 sequences so that no single generic fragment
        // (or the five related table-loop sequences alone) triggers a hit.
        // 163840 = 160 KiB bounds the scanned object; an unpacked dump larger
        // than that will not match even if every sequence is present, and
        // `filesize` is undefined for process-memory scans (see header note).
        7 of them and filesize < 163840
}