win.pushdo

Pushdo


Pushdo is usually classified as a "downloader" trojan, meaning its true purpose is to download and install additional malicious software. There are dozens of downloader trojan families out there, and Pushdo is more sophisticated than most; that sophistication lies in the Pushdo control server rather than in the trojan itself.

References
2021-02-23 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2020-03-15 | The Shadowserver Foundation | Shadowserver Foundation
@online{foundation:20200315:has:80a92d5, author = {Shadowserver Foundation}, title = {{Has The Sun Set On The Necurs Botnet?}}, date = {2020-03-15}, organization = {The Shadowserver Foundation}, url = {https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/}, language = {English}, urldate = {2020-03-17} } Has The Sun Set On The Necurs Botnet?
Andromeda Cutwail Kelihos Necurs Pushdo
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:65f4550, author = {SecureWorks}, title = {{GOLD ESSEX}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-essex}, language = {English}, urldate = {2020-05-27} } GOLD ESSEX
Cutwail Pony Pushdo NARWHAL SPIDER
2017-04-03 | Malware Traffic Analysis | Brad Duncan
@online{duncan:20170403:dhl:b9c41a9, author = {Brad Duncan}, title = {{DHL Invoice Malspam/Photo Malspam}}, date = {2017-04-03}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/04/03/index2.html}, language = {English}, urldate = {2020-01-13} } DHL Invoice Malspam/Photo Malspam
Pushdo
2016-02-01 | Blueliv | Raashid Bhat
@online{bhat:20160201:tracking:f5fa1f1, author = {Raashid Bhat}, title = {{Tracking the footprints of PushDo Trojan}}, date = {2016-02-01}, organization = {Blueliv}, url = {https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/}, language = {English}, urldate = {2019-11-20} } Tracking the footprints of PushDo Trojan
Pushdo
2009-05-22 | Trend Micro | Alice Decker, David Sancho, Loucif Kharouni, Max Goncharov, Robert McArdle
@techreport{decker:20090522:pushdo:518e04c, author = {Alice Decker and David Sancho and Loucif Kharouni and Max Goncharov and Robert McArdle}, title = {{Pushdo / Cutwail Botnet}}, date = {2009-05-22}, institution = {Trend Micro}, url = {https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf}, language = {English}, urldate = {2020-01-13} } Pushdo / Cutwail Botnet
Pushdo
2007-12-16 | Secureworks | Joe Stewart
@online{stewart:20071216:pushdo:6a66753, author = {Joe Stewart}, title = {{Pushdo - Analysis of a Modern Malware Distribution System}}, date = {2007-12-16}, organization = {Secureworks}, url = {https://www.secureworks.com/research/pushdo}, language = {English}, urldate = {2019-07-09} } Pushdo - Analysis of a Modern Malware Distribution System
Pushdo
Yara Rules
[TLP:WHITE] win_pushdo_auto (20230125 | Detects win.pushdo.)
rule win_pushdo_auto {

    // Autogenerated detection rule for the Pushdo downloader (Malpedia family
    // win.pushdo). The rule matches x86 instruction-byte sequences taken from
    // unpacked samples / memory dumps (see DISCLAIMER below); it is a code
    // signature, not a string/config signature, so it is only meaningful on
    // unpacked code, not on packed droppers.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.pushdo."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pushdo"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is one run of x86 opcode bytes. The "??" wildcard
        // bytes mask operands that change between builds - here the targets
        // of the "e8" (call rel32) and "ff15" (call [mem]) instructions, whose
        // disassembly is deliberately left blank in the annotations.
        // In the per-sequence annotations, "n" is the number of instructions
        // in the sequence (it equals the number of annotated lines); "score"
        // is yara-signator's ranking value for the sequence - presumably
        // higher means more distinctive / seen in more samples, but that is
        // not verifiable from the rule itself.
        $sequence_0 = { 50 ff15???????? 33d2 b9ffff0000 }
            // n = 4, score = 1200
            //   50                   | push                eax
            //   ff15????????         |                     
            //   33d2                 | xor                 edx, edx
            //   b9ffff0000           | mov                 ecx, 0xffff

        $sequence_1 = { f7f9 33c9 ba88020000 f7e2 0f90c1 f7d9 }
            // n = 6, score = 1200
            //   f7f9                 | idiv                ecx
            //   33c9                 | xor                 ecx, ecx
            //   ba88020000           | mov                 edx, 0x288
            //   f7e2                 | mul                 edx
            //   0f90c1               | seto                cl
            //   f7d9                 | neg                 ecx

        $sequence_2 = { 8b45fc b10b d3c0 61 }
            // n = 4, score = 1100
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   b10b                 | mov                 cl, 0xb
            //   d3c0                 | rol                 eax, cl
            //   61                   | popal               

        // Sequences 3-7 share the same stack frame layout ([ebp - 0x110] byte
        // table, [ebp - 0x118] accumulator, 0x100 loop bound) and look like
        // pieces of one byte-table / index-swapping routine - presumably the
        // same function, split into several anchors.
        $sequence_3 = { 8955fc 817dfc00010000 736a 8b45fc 0fbe8c05f0feffff }
            // n = 5, score = 800
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   817dfc00010000       | cmp                 dword ptr [ebp - 4], 0x100
            //   736a                 | jae                 0x6c
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   0fbe8c05f0feffff     | movsx               ecx, byte ptr [ebp + eax - 0x110]

        $sequence_4 = { 894dfc 8b55fc 3b5510 0f83a6000000 8b45f4 83c001 25ff000000 }
            // n = 7, score = 800
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   3b5510               | cmp                 edx, dword ptr [ebp + 0x10]
            //   0f83a6000000         | jae                 0xac
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   83c001               | add                 eax, 1
            //   25ff000000           | and                 eax, 0xff

        $sequence_5 = { 0fbe940df0feffff 0395e8feffff 81e2ff000000 8995e8feffff 8b45f4 8a8c05f0feffff }
            // n = 6, score = 800
            //   0fbe940df0feffff     | movsx               edx, byte ptr [ebp + ecx - 0x110]
            //   0395e8feffff         | add                 edx, dword ptr [ebp - 0x118]
            //   81e2ff000000         | and                 edx, 0xff
            //   8995e8feffff         | mov                 dword ptr [ebp - 0x118], edx
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8a8c05f0feffff       | mov                 cl, byte ptr [ebp + eax - 0x110]

        $sequence_6 = { 7d12 8b55f8 8d85f0feffff 2bd0 }
            // n = 4, score = 800
            //   7d12                 | jge                 0x14
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   8d85f0feffff         | lea                 eax, [ebp - 0x110]
            //   2bd0                 | sub                 edx, eax

        $sequence_7 = { 888deffeffff 8b55f4 8b85e8feffff 8a8c05f0feffff 888c15f0feffff 8b95e8feffff }
            // n = 6, score = 800
            //   888deffeffff         | mov                 byte ptr [ebp - 0x111], cl
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   8b85e8feffff         | mov                 eax, dword ptr [ebp - 0x118]
            //   8a8c05f0feffff       | mov                 cl, byte ptr [ebp + eax - 0x110]
            //   888c15f0feffff       | mov                 byte ptr [ebp + edx - 0x110], cl
            //   8b95e8feffff         | mov                 edx, dword ptr [ebp - 0x118]

        // Sequences 8-20 carry lower scores (500 / 200) and consist largely of
        // argument pushes, call wildcards and frame-relative loads - patterns
        // that compilers emit widely. On their own they are weak evidence;
        // the 7-of-21 threshold in the condition is what keeps the rule
        // specific. Treat a hit made up mostly of these as lower confidence.
        $sequence_8 = { 55 e8???????? 6a20 e8???????? 8b0e }
            // n = 5, score = 500
            //   55                   | push                ebp
            //   e8????????           |                     
            //   6a20                 | push                0x20
            //   e8????????           |                     
            //   8b0e                 | mov                 ecx, dword ptr [esi]

        $sequence_9 = { 50 e8???????? 83c40c f6460c08 746d 6a10 e8???????? }
            // n = 7, score = 500
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   f6460c08             | test                byte ptr [esi + 0xc], 8
            //   746d                 | je                  0x6f
            //   6a10                 | push                0x10
            //   e8????????           |                     

        $sequence_10 = { 56 33c0 57 395d08 0f8417010000 8b4d0c 3bcb }
            // n = 7, score = 500
            //   56                   | push                esi
            //   33c0                 | xor                 eax, eax
            //   57                   | push                edi
            //   395d08               | cmp                 dword ptr [ebp + 8], ebx
            //   0f8417010000         | je                  0x11d
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   3bcb                 | cmp                 ecx, ebx

        $sequence_11 = { 756a 6a10 5e 8d45f4 50 8d45d4 }
            // n = 6, score = 500
            //   756a                 | jne                 0x6c
            //   6a10                 | push                0x10
            //   5e                   | pop                 esi
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax
            //   8d45d4               | lea                 eax, [ebp - 0x2c]

        $sequence_12 = { 52 8d8588fbffff 50 e8???????? }
            // n = 4, score = 500
            //   52                   | push                edx
            //   8d8588fbffff         | lea                 eax, [ebp - 0x478]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_13 = { 395d00 7424 8b460c 53 53 }
            // n = 5, score = 500
            //   395d00               | cmp                 dword ptr [ebp], ebx
            //   7424                 | je                  0x26
            //   8b460c               | mov                 eax, dword ptr [esi + 0xc]
            //   53                   | push                ebx
            //   53                   | push                ebx

        $sequence_14 = { eb13 8b55fc 83c201 8955fc 0fb745f8 d1e0 }
            // n = 6, score = 200
            //   eb13                 | jmp                 0x15
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   83c201               | add                 edx, 1
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   0fb745f8             | movzx               eax, word ptr [ebp - 8]
            //   d1e0                 | shl                 eax, 1

        $sequence_15 = { 6a04 8d55f8 52 8b856cfdffff 83c008 50 8b4de4 }
            // n = 7, score = 200
            //   6a04                 | push                4
            //   8d55f8               | lea                 edx, [ebp - 8]
            //   52                   | push                edx
            //   8b856cfdffff         | mov                 eax, dword ptr [ebp - 0x294]
            //   83c008               | add                 eax, 8
            //   50                   | push                eax
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]

        $sequence_16 = { 83c203 81e203000080 7905 4a 83cafc 42 b804000000 }
            // n = 7, score = 200
            //   83c203               | add                 edx, 3
            //   81e203000080         | and                 edx, 0x80000003
            //   7905                 | jns                 7
            //   4a                   | dec                 edx
            //   83cafc               | or                  edx, 0xfffffffc
            //   42                   | inc                 edx
            //   b804000000           | mov                 eax, 4

        $sequence_17 = { 83c104 894dec c745f400000000 eb12 }
            // n = 4, score = 200
            //   83c104               | add                 ecx, 4
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx
            //   c745f400000000       | mov                 dword ptr [ebp - 0xc], 0
            //   eb12                 | jmp                 0x14

        $sequence_18 = { 8b55e0 035128 899578fdffff 8d85c8fcffff }
            // n = 4, score = 200
            //   8b55e0               | mov                 edx, dword ptr [ebp - 0x20]
            //   035128               | add                 edx, dword ptr [ecx + 0x28]
            //   899578fdffff         | mov                 dword ptr [ebp - 0x288], edx
            //   8d85c8fcffff         | lea                 eax, [ebp - 0x338]

        $sequence_19 = { 41 ba10000000 2bd1 83ea01 }
            // n = 4, score = 200
            //   41                   | inc                 ecx
            //   ba10000000           | mov                 edx, 0x10
            //   2bd1                 | sub                 edx, ecx
            //   83ea01               | sub                 edx, 1

        $sequence_20 = { e8???????? 894508 8b550c 81e2ffff0000 52 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   894508               | mov                 dword ptr [ebp + 8], eax
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   81e2ffff0000         | and                 edx, 0xffff
            //   52                   | push                edx

    condition:
        // Match when at least 7 of the 21 sequences are present AND the scanned
        // object is smaller than 163840 bytes (160 KiB). The size cap is a
        // false-positive / performance guard sized for the unpacked samples the
        // rule was generated from; NOTE(review): when scanning process memory
        // or larger dumps, the cap may need adjusting or removing - confirm
        // against your artifact sizes before relying on it.
        7 of them and filesize < 163840
}