win.pushdo

Pushdo


Pushdo is usually classified as a "downloader" trojan - meaning its true purpose is to download and install additional malicious software. There are dozens of downloader trojan families out there; Pushdo is actually more sophisticated than most, but that sophistication lies in the Pushdo control server rather than in the trojan itself.

References
2020-03-15The Shadowserver FoundationShadowserver Foundation
@online{foundation:20200315:has:80a92d5, author = {Shadowserver Foundation}, title = {{Has The Sun Set On The Necurs Botnet?}}, date = {2020-03-15}, organization = {The Shadowserver Foundation}, url = {https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/}, language = {English}, urldate = {2020-03-17} } Has The Sun Set On The Necurs Botnet?
Andromeda Cutwail Kelihos Necurs Pushdo
2020SecureworksSecureWorks
@online{secureworks:2020:gold:65f4550, author = {SecureWorks}, title = {{GOLD ESSEX}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-essex}, language = {English}, urldate = {2020-05-27} } GOLD ESSEX
Cutwail Pony Pushdo NARWHAL SPIDER
2017-04-03Malware Traffic AnalysisBrad Duncan
@online{duncan:20170403:dhl:b9c41a9, author = {Brad Duncan}, title = {{DHL Invoice Malspam/Photo Malspam}}, date = {2017-04-03}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/04/03/index2.html}, language = {English}, urldate = {2020-01-13} } DHL Invoice Malspam/Photo Malspam
Pushdo
2016-02-01BluelivRaashid Bhat
@online{bhat:20160201:tracking:f5fa1f1, author = {Raashid Bhat}, title = {{Tracking the footprints of PushDo Trojan}}, date = {2016-02-01}, organization = {Blueliv}, url = {https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/}, language = {English}, urldate = {2019-11-20} } Tracking the footprints of PushDo Trojan
Pushdo
2009-05-22Trend MicroAlice Decker, David Sancho, Loucif Kharouni, Max Goncharov, Robert McArdle
@techreport{decker:20090522:pushdo:518e04c, author = {Alice Decker and David Sancho and Loucif Kharouni and Max Goncharov and Robert McArdle}, title = {{Pushdo / Cutwail Botnet}}, date = {2009-05-22}, institution = {Trend Micro}, url = {https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf}, language = {English}, urldate = {2020-01-13} } Pushdo / Cutwail Botnet
Pushdo
2007-12-16SecureworksJoe Stewart
@online{stewart:20071216:pushdo:6a66753, author = {Joe Stewart}, title = {{Pushdo - Analysis of a Modern Malware Distribution System}}, date = {2007-12-16}, organization = {Secureworks}, url = {https://www.secureworks.com/research/pushdo}, language = {English}, urldate = {2019-07-09} } Pushdo - Analysis of a Modern Malware Distribution System
Pushdo
Yara Rules
[TLP:WHITE] win_pushdo_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_pushdo_auto {
    // Auto-generated code-pattern rule for the Pushdo downloader family
    // (Malpedia id win.pushdo, see malpedia_reference below). Every string is
    // a run of x86 opcodes taken from memory dumps / unpacked samples, so the
    // rule is aimed at unpacked code, not at the packed on-disk dropper.
    // The DISCLAIMER below applies: the generating set may be a single sample
    // per family, so treat a hit as an indicator to corroborate with other
    // evidence before assigning it a confidence level.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pushdo"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is one contiguous run of x86 instructions; the
        // "n" in the generated comments is the instruction count. "score" is
        // yara-signator's per-sequence ranking as emitted by the tool — its
        // exact semantics are tool-specific (confirm against the yara-signator
        // docs); here the highest-scored sequences (0-3) all revolve around
        // arithmetic with fixed constants, the lowest (12-18) around generic
        // stack-frame and call setup.
        // "??" bytes wildcard operands that differ per build or load address,
        // e.g. the 4-byte target of call dword ptr [imm32] (ff15) or
        // call rel32 (e8).
        $sequence_0 = { f7f9 33c9 ba88020000 f7e2 0f90c1 f7d9 }
            // n = 6, score = 1000
            //   f7f9                 | idiv                ecx
            //   33c9                 | xor                 ecx, ecx
            //   ba88020000           | mov                 edx, 0x288
            //   f7e2                 | mul                 edx
            //   0f90c1               | seto                cl
            //   f7d9                 | neg                 ecx

        // NOTE(review): 0x19660d / 0x3c6ef35f are the well-known
        // "Numerical Recipes" LCG multiplier/increment and occur in plenty of
        // unrelated software, so $sequence_1 and $sequence_3 are weak on their
        // own; the 7-of-them threshold in the condition limits that exposure.
        $sequence_1 = { 8b45f8 69c00d661900 055ff36e3c 33d2 f77508 }
            // n = 5, score = 1000
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   69c00d661900         | imul                eax, eax, 0x19660d
            //   055ff36e3c           | add                 eax, 0x3c6ef35f
            //   33d2                 | xor                 edx, edx
            //   f77508               | div                 dword ptr [ebp + 8]

        $sequence_2 = { 50 ff15???????? 33d2 b9ffff0000 f7f1 }
            // n = 5, score = 1000
            //   50                   | push                eax
            //   ff15????????         |                     
            //   33d2                 | xor                 edx, edx
            //   b9ffff0000           | mov                 ecx, 0xffff
            //   f7f1                 | div                 ecx

        $sequence_3 = { 8d45f8 50 ff15???????? 8b45f8 69c00d661900 }
            // n = 5, score = 1000
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   69c00d661900         | imul                eax, eax, 0x19660d

        $sequence_4 = { 8b45fc b10b d3c0 61 }
            // n = 4, score = 900
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   b10b                 | mov                 cl, 0xb
            //   d3c0                 | rol                 eax, cl
            //   61                   | popal               

        $sequence_5 = { 0f83a6000000 8b45f4 83c001 25ff000000 }
            // n = 4, score = 700
            //   0f83a6000000         | jae                 0xac
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   83c001               | add                 eax, 1
            //   25ff000000           | and                 eax, 0xff

        $sequence_6 = { 8b95e8feffff 8b45fc 8a8c05f0feffff 888c15f0feffff 8b55fc 8a85effeffff }
            // n = 6, score = 700
            //   8b95e8feffff         | mov                 edx, dword ptr [ebp - 0x118]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8a8c05f0feffff       | mov                 cl, byte ptr [ebp + eax - 0x110]
            //   888c15f0feffff       | mov                 byte ptr [ebp + edx - 0x110], cl
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8a85effeffff         | mov                 al, byte ptr [ebp - 0x111]

        $sequence_7 = { 8bec 81ec18010000 6800010000 6a00 8d85f0feffff 50 }
            // n = 6, score = 700
            //   8bec                 | mov                 ebp, esp
            //   81ec18010000         | sub                 esp, 0x118
            //   6800010000           | push                0x100
            //   6a00                 | push                0
            //   8d85f0feffff         | lea                 eax, [ebp - 0x110]
            //   50                   | push                eax

        $sequence_8 = { 52 8d8588fbffff 50 e8???????? }
            // n = 4, score = 500
            //   52                   | push                edx
            //   8d8588fbffff         | lea                 eax, [ebp - 0x478]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_9 = { 0345fc 83ff03 7d10 6a03 59 2bcf 99 }
            // n = 7, score = 400
            //   0345fc               | add                 eax, dword ptr [ebp - 4]
            //   83ff03               | cmp                 edi, 3
            //   7d10                 | jge                 0x12
            //   6a03                 | push                3
            //   59                   | pop                 ecx
            //   2bcf                 | sub                 ecx, edi
            //   99                   | cdq                 

        $sequence_10 = { 397510 7447 397514 7442 397518 743d }
            // n = 6, score = 400
            //   397510               | cmp                 dword ptr [ebp + 0x10], esi
            //   7447                 | je                  0x49
            //   397514               | cmp                 dword ptr [ebp + 0x14], esi
            //   7442                 | je                  0x44
            //   397518               | cmp                 dword ptr [ebp + 0x18], esi
            //   743d                 | je                  0x3f

        $sequence_11 = { 59 8be8 7410 8b442410 894500 }
            // n = 5, score = 400
            //   59                   | pop                 ecx
            //   8be8                 | mov                 ebp, eax
            //   7410                 | je                  0x12
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   894500               | mov                 dword ptr [ebp], eax

        $sequence_12 = { 8945fc 8b4d08 51 8d95d8feffff 52 e8???????? 85c0 }
            // n = 7, score = 200
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   51                   | push                ecx
            //   8d95d8feffff         | lea                 edx, [ebp - 0x128]
            //   52                   | push                edx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_13 = { 8b45f0 83e810 8945f0 837dfc00 741e }
            // n = 5, score = 200
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   83e810               | sub                 eax, 0x10
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   837dfc00             | cmp                 dword ptr [ebp - 4], 0
            //   741e                 | je                  0x20

        $sequence_14 = { 6a00 8d55dc 52 6811020000 8b859cfdffff 50 6a21 }
            // n = 7, score = 200
            //   6a00                 | push                0
            //   8d55dc               | lea                 edx, [ebp - 0x24]
            //   52                   | push                edx
            //   6811020000           | push                0x211
            //   8b859cfdffff         | mov                 eax, dword ptr [ebp - 0x264]
            //   50                   | push                eax
            //   6a21                 | push                0x21

        $sequence_15 = { 8bec 81ec68030000 8d85d3feffff 898598fcffff 8b8d98fcffff }
            // n = 5, score = 200
            //   8bec                 | mov                 ebp, esp
            //   81ec68030000         | sub                 esp, 0x368
            //   8d85d3feffff         | lea                 eax, [ebp - 0x12d]
            //   898598fcffff         | mov                 dword ptr [ebp - 0x368], eax
            //   8b8d98fcffff         | mov                 ecx, dword ptr [ebp - 0x368]

        $sequence_16 = { 6a20 8d55b8 52 6a00 }
            // n = 4, score = 200
            //   6a20                 | push                0x20
            //   8d55b8               | lea                 edx, [ebp - 0x48]
            //   52                   | push                edx
            //   6a00                 | push                0

        $sequence_17 = { eb11 8b4dd4 83c102 51 }
            // n = 4, score = 200
            //   eb11                 | jmp                 0x13
            //   8b4dd4               | mov                 ecx, dword ptr [ebp - 0x2c]
            //   83c102               | add                 ecx, 2
            //   51                   | push                ecx

        $sequence_18 = { 83bd60feffff00 0f842cffffff 83bd60feffff00 7405 }
            // n = 4, score = 200
            //   83bd60feffff00       | cmp                 dword ptr [ebp - 0x1a0], 0
            //   0f842cffffff         | je                  0xffffff32
            //   83bd60feffff00       | cmp                 dword ptr [ebp - 0x1a0], 0
            //   7405                 | je                  7

    condition:
        // Match when at least 7 of the 19 $sequence_* strings are present and
        // the scanned object is smaller than 163840 bytes (160 KiB). The size
        // bound keeps the rule off large inputs, so a full process image or a
        // big memory dump will not match — run it against the unpacked module
        // or a carved dump instead. Note that YARA's filesize is undefined
        // when scanning a live process, so the rule is meant for files and
        // dumps rather than process scans.
        7 of them and filesize < 163840
}