win.redsalt (Back to overview)

REDSALT

aka: Dipsind

Actor(s): PLATINUM


There is no description at this point.

References
2019-06-05Twitter (@ItsReallyNick)Nick Carr
@online{carr:20190605:malware:a6892ae, author = {Nick Carr}, title = {{Tweet on Malware Sample}}, date = {2019-06-05}, organization = {Twitter (@ItsReallyNick)}, url = {https://twitter.com/ItsReallyNick/status/1136502701301346305}, language = {English}, urldate = {2020-01-07} } Tweet on Malware Sample
REDPEPPER REDSALT
2018-10FireEyeAdrian Bataille, Matias Bevilacqua
@techreport{bataille:201810:hunting:c5ffe40, author = {Adrian Bataille and Matias Bevilacqua}, title = {{Hunting for PLATINUM}}, date = {2018-10}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s01-hunting-for-platinum.pdf}, language = {English}, urldate = {2020-01-07} } Hunting for PLATINUM
REDSALT
2015-09-08FireEyeFireEye
@techreport{fireeye:20150908:two:c836c9a, author = {FireEye}, title = {{Two for One: Microsoft Office Encapsulated PostScript and Windows Privilege Escalation Zero-Days}}, date = {2015-09-08}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/twoforonefinal.pdf}, language = {English}, urldate = {2020-01-20} } Two for One: Microsoft Office Encapsulated PostScript and Windows Privilege Escalation Zero-Days
REDSALT
Yara Rules
[TLP:WHITE] win_redsalt_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_redsalt_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redsalt"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* How to read the annotations below (review note)
     * - Each $sequence_N is a run of raw x86 opcode bytes. "??" bytes are
     *   wildcards covering call/jump displacements and absolute data
     *   addresses, so those operands are written as rel32 / [imm32] instead
     *   of a concrete value.
     * - Branch targets are given relative to offset 0 of the instruction that
     *   contains them (e.g. "7515 | jne 0x17" = 2-byte jne + 0x15).
     * - "n" equals the number of instructions in the sequence (it matches the
     *   number of annotated lines). "score" is the generator's ranking value;
     *   see the yara-signator documentation for its exact meaning.
     * - NOTE(review): the auto-generated disassembly comments on $sequence_7,
     *   $sequence_11, $sequence_21 and $sequence_22 did not match their
     *   opcode bytes and were re-decoded by hand; $sequence_23 only decodes
     *   sensibly as x86-64 and is annotated as such. Verify with a
     *   disassembler before relying on any of these annotations.
     * - The opcode bytes themselves are the signature and are unchanged.
     */

    strings:
        $sequence_0 = { 7515 c705????????01000000 ff15???????? e9???????? }
            // n = 4, score = 600
            //   7515                 | jne                 0x17
            //   c705????????01000000     | mov                 dword ptr [imm32], 1
            //   ff15????????         | call                dword ptr [imm32]
            //   e9????????           | jmp                 rel32

        $sequence_1 = { 750b 68e8030000 ff15???????? e8???????? }
            // n = 4, score = 600
            //   750b                 | jne                 0xd
            //   68e8030000           | push                0x3e8          (= 1000)
            //   ff15????????         | call                dword ptr [imm32]
            //   e8????????           | call                rel32

        $sequence_2 = { e8???????? 83c414 33c9 83f8ff }
            // n = 4, score = 600
            // stack cleanup right after a call (caller-cleans convention), then
            // the return value is compared against -1
            //   e8????????           | call                rel32
            //   83c414               | add                 esp, 0x14
            //   33c9                 | xor                 ecx, ecx
            //   83f8ff               | cmp                 eax, -1

        $sequence_3 = { 85c0 7413 e8???????? 85c0 750a 6a32 ff15???????? }
            // n = 7, score = 500
            //   85c0                 | test                eax, eax
            //   7413                 | je                  0x15
            //   e8????????           | call                rel32
            //   85c0                 | test                eax, eax
            //   750a                 | jne                 0xc
            //   6a32                 | push                0x32           (= 50)
            //   ff15????????         | call                dword ptr [imm32]

        $sequence_4 = { c745d060ea0000 6a04 8d45d0 50 6806100000 68ffff0000 }
            // n = 6, score = 500
            // NOTE(review): 0xffff and 0x1006 are the Winsock values of
            // SOL_SOCKET and SO_RCVTIMEO, and 0xea60 = 60000; this looks like
            // the argument setup for a setsockopt() receive-timeout call, but
            // the callee is outside the sequence -- confirm in a disassembler.
            //   c745d060ea0000       | mov                 dword ptr [ebp - 0x30], 0xea60
            //   6a04                 | push                4
            //   8d45d0               | lea                 eax, [ebp - 0x30]
            //   50                   | push                eax
            //   6806100000           | push                0x1006
            //   68ffff0000           | push                0xffff

        $sequence_5 = { 51 ffd6 85c0 7510 }
            // n = 4, score = 500
            //   51                   | push                ecx
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   7510                 | jne                 0x12

        $sequence_6 = { 83c9ff 85f6 7c0e 83fe7f }
            // n = 4, score = 500
            //   83c9ff               | or                  ecx, 0xffffffff
            //   85f6                 | test                esi, esi
            //   7c0e                 | jl                  0x10
            //   83fe7f               | cmp                 esi, 0x7f

        $sequence_7 = { 50 57 56 e8???????? 83c414 83f8ff }
            // n = 6, score = 400
            // three register arguments pushed, call, 0x14-byte stack cleanup,
            // return value compared against -1 (same tail as $sequence_2)
            //   50                   | push                eax
            //   57                   | push                edi
            //   56                   | push                esi
            //   e8????????           | call                rel32
            //   83c414               | add                 esp, 0x14
            //   83f8ff               | cmp                 eax, -1

        $sequence_8 = { 7509 80780120 7503 83c002 }
            // n = 4, score = 400
            // 0x20 is the ASCII space character
            //   7509                 | jne                 0xb
            //   80780120             | cmp                 byte ptr [eax + 1], 0x20
            //   7503                 | jne                 5
            //   83c002               | add                 eax, 2

        $sequence_9 = { 7303 c60100 5f 5e }
            // n = 4, score = 400
            //   7303                 | jae                 5
            //   c60100               | mov                 byte ptr [ecx], 0
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_10 = { c685befeffff55 c685bffeffff50 c685c0feffff38 c685c1feffff27 }
            // n = 4, score = 400
            // byte-wise construction of a buffer on the stack; the immediates
            // are the ASCII characters 'U', 'P', '8', '\''
            //   c685befeffff55       | mov                 byte ptr [ebp - 0x142], 0x55
            //   c685bffeffff50       | mov                 byte ptr [ebp - 0x141], 0x50
            //   c685c0feffff38       | mov                 byte ptr [ebp - 0x140], 0x38
            //   c685c1feffff27       | mov                 byte ptr [ebp - 0x13f], 0x27

        $sequence_11 = { 6a00 52 c744242401000000 8944242c c744243002000000 }
            // n = 5, score = 400
            //   6a00                 | push                0
            //   52                   | push                edx
            //   c744242401000000     | mov                 dword ptr [esp + 0x24], 1
            //   8944242c             | mov                 dword ptr [esp + 0x2c], eax
            //   c744243002000000     | mov                 dword ptr [esp + 0x30], 2

        $sequence_12 = { c6859cfeffff41 c6859dfeffff57 c6859efeffff55 c6859ffeffff50 c685a0feffff36 }
            // n = 5, score = 400
            // byte-wise construction of a buffer on the stack; the immediates
            // are the ASCII characters 'A', 'W', 'U', 'P', '6'
            //   c6859cfeffff41       | mov                 byte ptr [ebp - 0x164], 0x41
            //   c6859dfeffff57       | mov                 byte ptr [ebp - 0x163], 0x57
            //   c6859efeffff55       | mov                 byte ptr [ebp - 0x162], 0x55
            //   c6859ffeffff50       | mov                 byte ptr [ebp - 0x161], 0x50
            //   c685a0feffff36       | mov                 byte ptr [ebp - 0x160], 0x36

        $sequence_13 = { 0ad3 83c004 885500 8b542410 45 42 }
            // n = 6, score = 300
            //   0ad3                 | or                  dl, bl
            //   83c004               | add                 eax, 4
            //   885500               | mov                 byte ptr [ebp], dl
            //   8b542410             | mov                 edx, dword ptr [esp + 0x10]
            //   45                   | inc                 ebp
            //   42                   | inc                 edx

        $sequence_14 = { 833800 750f c705????????01000000 e9???????? }
            // n = 4, score = 300
            //   833800               | cmp                 dword ptr [eax], 0
            //   750f                 | jne                 0x11
            //   c705????????01000000     | mov                 dword ptr [imm32], 1
            //   e9????????           | jmp                 rel32

        $sequence_15 = { 55 56 84d2 57 750b 5f }
            // n = 6, score = 300
            //   55                   | push                ebp
            //   56                   | push                esi
            //   84d2                 | test                dl, dl
            //   57                   | push                edi
            //   750b                 | jne                 0xd
            //   5f                   | pop                 edi

        $sequence_16 = { e8???????? 83c408 6800010000 68???????? }
            // n = 4, score = 300
            //   e8????????           | call                rel32
            //   83c408               | add                 esp, 8
            //   6800010000           | push                0x100
            //   68????????           | push                imm32

        $sequence_17 = { eb0a c705????????00080000 eb0a c705????????00070000 }
            // n = 4, score = 300
            // two branches of a switch-like construct each storing a constant
            // to a global, then jumping over the next case
            //   eb0a                 | jmp                 0xc
            //   c705????????00080000     | mov                 dword ptr [imm32], 0x800
            //   eb0a                 | jmp                 0xc
            //   c705????????00070000     | mov                 dword ptr [imm32], 0x700

        $sequence_18 = { 750a b857000000 e9???????? 833d????????00 }
            // n = 4, score = 300
            // NOTE(review): 0x57 = 87 is the value of ERROR_INVALID_PARAMETER;
            // presumably an error code being loaded into eax -- confirm.
            //   750a                 | jne                 0xc
            //   b857000000           | mov                 eax, 0x57
            //   e9????????           | jmp                 rel32
            //   833d????????00       | cmp                 dword ptr [imm32], 0

        $sequence_19 = { 83fe7f 0f8f7affffff 80be????????ff 0f846dffffff c1fa04 c0e302 }
            // n = 6, score = 300
            // both branches go backwards (negative rel32), i.e. a loop tail
            //   83fe7f               | cmp                 esi, 0x7f
            //   0f8f7affffff         | jg                  0xffffff80
            //   80be????????ff       | cmp                 byte ptr [esi + imm32], 0xff
            //   0f846dffffff         | je                  0xffffff73
            //   c1fa04               | sar                 edx, 4
            //   c0e302               | shl                 bl, 2

        $sequence_20 = { c644243423 c644243572 c64424367a c644243700 }
            // n = 4, score = 200
            // byte-wise construction of a NUL-terminated buffer on the stack;
            // the immediates are '#', 'r', 'z', 0
            //   c644243423           | mov                 byte ptr [esp + 0x34], 0x23
            //   c644243572           | mov                 byte ptr [esp + 0x35], 0x72
            //   c64424367a           | mov                 byte ptr [esp + 0x36], 0x7a
            //   c644243700           | mov                 byte ptr [esp + 0x37], 0

        $sequence_21 = { 0f84014d0700 0fb73c06 6621ff 0f84f44c0700 }
            // n = 4, score = 100
            // NOTE(review): decoded as x86-64 (presumably the same sample as
            // $sequence_23); in 32-bit mode the memory operand reads
            // [esi + eax] instead. Jump targets are rel32 + 6 as elsewhere.
            //   0f84014d0700         | je                  0x74d07
            //   0fb73c06             | movzx               edi, word ptr [rsi + rax]
            //   6621ff               | and                 di, di
            //   0f84f44c0700         | je                  0x74cfa

        $sequence_22 = { 7406 f6c120 0f44c6 40f6c502 7406 f6c102 }
            // n = 6, score = 100
            // NOTE(review): "40f6c502" is "test bpl, 2" when decoded as
            // x86-64 (0x40 is an empty REX prefix); in 32-bit mode it is
            // "inc eax ; test ch, 2". The x86-64 reading is shown, to match
            // $sequence_23 -- confirm against the sample.
            //   7406                 | je                  8
            //   f6c120               | test                cl, 0x20
            //   0f44c6               | cmove               eax, esi
            //   40f6c502             | test                bpl, 2
            //   7406                 | je                  8
            //   f6c102               | test                cl, 2

        $sequence_23 = { 4438ac2498000000 4c89e9 4c8d05c7350100 0f94c1 }
            // n = 4, score = 100
            // x86-64 only: 0x44/0x4c are REX prefixes and 4c8d05 is a
            // RIP-relative lea; the original 32-bit annotation was not valid
            //   4438ac2498000000     | cmp                 byte ptr [rsp + 0x98], r13b
            //   4c89e9               | mov                 rcx, r13
            //   4c8d05c7350100       | lea                 r8, [rip + 0x135c7]
            //   0f94c1               | sete                cl

    condition:
        // at least 7 of the 24 sequences must be present, and the scanned
        // object must be smaller than 2957312 bytes (0x2D2000, ~2.8 MiB);
        // the size bound keeps the rule off large containers and memory
        // images where stray opcode runs are more likely
        7 of them and filesize < 2957312
}
[TLP:WHITE] win_redsalt_w0   (20200103 | Dipsind variant)
rule win_redsalt_w0 {
    meta:
        author = "Microsoft"
        description = "Dipsind variant"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redsalt"
        malpedia_version = "20200103"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Four fixed artefacts of the Dipsind variant. Each is a plain text
        // match (no modifiers: case-sensitive, ASCII, no wide variant).
        $str1 = "VPLRXZHTU"
        // The hex form is kept as published; the bytes spell the ASCII text
        // "dog2j~l".
        $str2 = { 64 6F 67 32 6A 7E 6C }
        // Contains a literal double quote, hence the backslash escape.
        $str3 = "Dqpqftk(Wou\"Isztk)"
        $str4 = "StartThreadAtWinLogon"

    condition:
        // Every string must be present ("all of them", spelled out).
        $str1 and $str2 and $str3 and $str4
}