win.remexi (Back to overview)

Remexi

aka: CACHEMONEY

Actor(s): APT39, Chafer


There is no description at this point.

References
2020-05-21 | Bitdefender | Liviu Arsene, Bogdan Rusu
@techreport{arsene:20200521:iranian:d9e1468, author = {Liviu Arsene and Bogdan Rusu}, title = {{Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia}}, date = {2020-05-21}, institution = {Bitdefender}, url = {https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf}, language = {English}, urldate = {2020-05-23} } Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia
MimiKatz Remexi
2020 | Secureworks | SecureWorks
@online{secureworks:2020:cobalt:c242388, author = {SecureWorks}, title = {{COBALT HICKMAN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-hickman}, language = {English}, urldate = {2020-05-23} } COBALT HICKMAN
MimiKatz Remexi APT39
2019-02-14 | Twitter (@QW5kcmV3) | Andrew Thompson
@online{thompson:20190214:unpacking:1ff2299, author = {Andrew Thompson}, title = {{Tweet on unpacking Remexi payload}}, date = {2019-02-14}, organization = {Twitter (@QW5kcmV3)}, url = {https://twitter.com/QW5kcmV3/status/1095833216605401088}, language = {English}, urldate = {2020-01-27} } Tweet on unpacking Remexi payload
Remexi
2019-01-30 | Kaspersky Labs | Denis Legezo
@online{legezo:20190130:chafer:bb3ce4d, author = {Denis Legezo}, title = {{Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities}}, date = {2019-01-30}, organization = {Kaspersky Labs}, url = {https://securelist.com/chafer-used-remexi-malware/89538/}, language = {English}, urldate = {2019-12-20} } Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities
Remexi APT39
2018-02-28 | Symantec | Critical Attack Discovery and Intelligence Team
@online{team:20180228:chafer:5b5b77b, author = {Critical Attack Discovery and Intelligence Team}, title = {{Chafer: Latest Attacks Reveal Heightened Ambitions}}, date = {2018-02-28}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions}, language = {English}, urldate = {2020-04-21} } Chafer: Latest Attacks Reveal Heightened Ambitions
MimiKatz Remexi
2018-02-28 | Symantec | Security Response Attack Investigation Team
@online{team:20180228:chafer:552bafb, author = {Security Response Attack Investigation Team}, title = {{Chafer: Latest Attacks Reveal Heightened Ambitions}}, date = {2018-02-28}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions}, language = {English}, urldate = {2020-01-09} } Chafer: Latest Attacks Reveal Heightened Ambitions
Remexi APT39
2015-12-07 | Symantec | Security Response
@online{response:20151207:iranbased:5e7136f, author = {Security Response}, title = {{Iran-based attackers use back door threats to spy on Middle Eastern targets}}, date = {2015-12-07}, organization = {Symantec}, url = {https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets}, language = {English}, urldate = {2020-04-21} } Iran-based attackers use back door threats to spy on Middle Eastern targets
CadelSpy Remexi Cadelle
2015-12-07 | Symantec | Symantec
@techreport{symantec:20151207:backdoorcadelspy:6a40e51, author = {Symantec}, title = {{Backdoor.Cadelspy and Backdoor.Remexi: indicators of compromise}}, date = {2015-12-07}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf}, language = {English}, urldate = {2020-01-06} } Backdoor.Cadelspy and Backdoor.Remexi: indicators of compromise
CadelSpy Remexi
Yara Rules
[TLP:WHITE] win_remexi_auto (20211008 | Detects win.remexi.)
rule win_remexi_auto {

    // Autogenerated yara-signator rule for win.remexi (Remexi, aka CACHEMONEY;
    // attributed on this page to APT39 / Chafer). It matches opcode byte
    // sequences taken from disassembly rather than strings, so a hit indicates
    // code similar to the documented samples, not by itself a confirmed
    // Remexi infection -- corroborate with the string-based rule or other
    // evidence before acting on it.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.remexi."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a run of raw opcode bytes. The "??" wildcards stand
    // for bytes that change between builds (call/jmp displacements, absolute
    // addresses in "e8 ????????", "ff15 ????????", "c705 ????????", ...), so
    // the relocatable part of an instruction is ignored while its opcode is
    // still required. The "n = .., score = .." lines are yara-signator
    // bookkeeping; n appears to be the instruction count, the meaning of
    // score is not documented on this page.
    strings:
        $sequence_0 = { 56 c706ffffffff e8???????? 83c404 }
            // n = 4, score = 300
            //   56                   | push                esi
            //   c706ffffffff         | mov                 dword ptr [esi], 0xffffffff
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_1 = { 8b95d4feffff 52 6a00 68ffff1f00 ffd7 }
            // n = 5, score = 200
            //   8b95d4feffff         | mov                 edx, dword ptr [ebp - 0x12c]
            //   52                   | push                edx
            //   6a00                 | push                0
            //   68ffff1f00           | push                0x1fffff
            //   ffd7                 | call                edi

        $sequence_2 = { ff15???????? 8bf0 85f6 7513 8b45d8 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7513                 | jne                 0x15
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]

        $sequence_3 = { ff15???????? 6a10 8d4ddc 8bf0 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   6a10                 | push                0x10
            //   8d4ddc               | lea                 ecx, dword ptr [ebp - 0x24]
            //   8bf0                 | mov                 esi, eax

        $sequence_4 = { e8???????? 83ec1c 8bcc 89642430 6aff 53 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   83ec1c               | sub                 esp, 0x1c
            //   8bcc                 | mov                 ecx, esp
            //   89642430             | mov                 dword ptr [esp + 0x30], esp
            //   6aff                 | push                -1
            //   53                   | push                ebx

        $sequence_5 = { 8945e4 8945e8 b802000000 51 668945dc ff15???????? }
            // n = 6, score = 200
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   b802000000           | mov                 eax, 2
            //   51                   | push                ecx
            //   668945dc             | mov                 word ptr [ebp - 0x24], ax
            //   ff15????????         |                     

        $sequence_6 = { 53 50 ff15???????? 3dffffff00 }
            // n = 4, score = 200
            //   53                   | push                ebx
            //   50                   | push                eax
            //   ff15????????         |                     
            //   3dffffff00           | cmp                 eax, 0xffffff

        $sequence_7 = { c705????????01000000 c705????????00000000 ff15???????? 8b0d???????? 51 ff15???????? }
            // n = 6, score = 200
            //   c705????????01000000     |     
            //   c705????????00000000     |     
            //   ff15????????         |                     
            //   8b0d????????         |                     
            //   51                   | push                ecx
            //   ff15????????         |                     

        $sequence_8 = { 6a01 89470c 57 894710 ff15???????? }
            // n = 5, score = 200
            //   6a01                 | push                1
            //   89470c               | mov                 dword ptr [edi + 0xc], eax
            //   57                   | push                edi
            //   894710               | mov                 dword ptr [edi + 0x10], eax
            //   ff15????????         |                     

        $sequence_9 = { 68???????? 41 50 a3???????? }
            // n = 4, score = 200
            //   68????????           |                     
            //   41                   | inc                 ecx
            //   50                   | push                eax
            //   a3????????           |                     

        $sequence_10 = { 890d???????? ffd6 6a00 6a00 6a00 }
            // n = 5, score = 200
            //   890d????????         |                     
            //   ffd6                 | call                esi
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_11 = { 8bf0 51 56 ff15???????? 85c0 }
            // n = 5, score = 200
            //   8bf0                 | mov                 esi, eax
            //   51                   | push                ecx
            //   56                   | push                esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        // NOTE(review): $sequence_12 .. $sequence_19 carry REX prefixes
        // (48/49/4c), i.e. they appear to come from a 64-bit build, but the
        // per-line disassembly annotations below do not correspond to the
        // bytes they sit next to (e.g. "eb23" is a short jmp, not a mov).
        // They look shifted across sequences and decoded as 32-bit code --
        // presumably a generation artifact. Matching uses only the hex
        // bytes; treat these annotations as informational, not authoritative.
        $sequence_12 = { eb23 488d0deba00100 48890c03 4883c130 488d5b08 }
            // n = 5, score = 100
            //   eb23                 | mov                 dword ptr [esp + 0x20], 0xfffffffe
            //   488d0deba00100       | mov                 ebx, ecx
            //   48890c03             | mov                 ecx, 0x8050000
            //   4883c130             | dec                 eax
            //   488d5b08             | cmp                 dword ptr [edi + 0x10], eax

        $sequence_13 = { 4053 4883ec30 48c7442420feffffff 8bd9 b900000508 e8???????? }
            // n = 6, score = 100
            //   4053                 | cmp                 dword ptr [esp + 0xd8], 0x10
            //   4883ec30             | dec                 eax
            //   48c7442420feffffff     | lea    ecx, dword ptr [esi + 0x20]
            //   8bd9                 | dec                 eax
            //   b900000508           | lea                 ecx, dword ptr [esi + 0x28]
            //   e8????????           |                     

        $sequence_14 = { 4c897c2470 c644246000 488bd6 488d4c2460 e8???????? 4883bc24d800000010 }
            // n = 6, score = 100
            //   4c897c2470           | dec                 esp
            //   c644246000           | mov                 dword ptr [esp + 0x70], edi
            //   488bd6               | mov                 byte ptr [esp + 0x60], 0
            //   488d4c2460           | dec                 eax
            //   e8????????           |                     
            //   4883bc24d800000010     | mov    edx, esi

        $sequence_15 = { 48394710 0f95c0 85c0 0f94c0 84c0 7422 }
            // n = 6, score = 100
            //   48394710             | mov                 ecx, dword ptr [esi + 0x10]
            //   0f95c0               | inc                 eax
            //   85c0                 | push                ebx
            //   0f94c0               | dec                 eax
            //   84c0                 | sub                 esp, 0x30
            //   7422                 | dec                 eax

        $sequence_16 = { 4889842498000000 48898424a0000000 c744247038000000 488d0530590200 }
            // n = 4, score = 100
            //   4889842498000000     | lea                 ecx, dword ptr [0x1a0eb]
            //   48898424a0000000     | dec                 eax
            //   c744247038000000     | mov                 dword ptr [ebx + eax], ecx
            //   488d0530590200       | dec                 eax

        $sequence_17 = { 48898424600e0300 498bd8 b9000003a0 e8???????? 48c74424680f000000 }
            // n = 5, score = 100
            //   48898424600e0300     | setne               al
            //   498bd8               | test                eax, eax
            //   b9000003a0           | sete                al
            //   e8????????           |                     
            //   48c74424680f000000     | test    al, al

        $sequence_18 = { e8???????? 498bc7 488b8d30880100 4833cc }
            // n = 4, score = 100
            //   e8????????           |                     
            //   498bc7               | je                  0x2e
            //   488b8d30880100       | jmp                 0x25
            //   4833cc               | dec                 eax

        $sequence_19 = { e8???????? 488d4e20 e8???????? 488d4e28 e8???????? 8b4e10 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   488d4e20             | dec                 eax
            //   e8????????           |                     
            //   488d4e28             | lea                 ecx, dword ptr [esp + 0x60]
            //   e8????????           |                     
            //   8b4e10               | dec                 eax

    // Fires when any 7 of the 20 sequences are present in a file smaller than
    // 614400 bytes (600 KiB). The size cap keeps the rule off large binaries,
    // where short opcode runs are more likely to occur by coincidence.
    condition:
        7 of them and filesize < 614400
}
[TLP:WHITE] win_remexi_w0   (20170410 | No description)
rule win_remexi_w0 {
    // Symantec's Backdoor.Remexi signature (source PDF in meta, the 2015-12-07
    // IOC report). Unlike the autogenerated opcode rule, this one matches on
    // strings: short keyword tokens, PDB path fragments and status messages
    // observed in the samples.
    meta:
        author = "Symantec"
        source = "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi"
        malpedia_version = "20170410"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    strings:
        // $c*: short keyword tokens, written as hex including the 0x00 byte on
        // either side so that only the exact NUL-delimited token matches
        // (e.g. "<rem>" as a standalone string, not as part of a longer one).
        // On their own these are short enough to occur in unrelated binaries,
        // which is why the condition requires corroboration.
        $c1   = { 00 3C 65 78 69 74 3E 00 }    /* <exit>  */
        $c2   = { 00 3C 69 64 3E 00 }          /* <id>    */
        $c3   = { 00 3C 72 65 6D 3E 00 }       /* <rem>   */
        $c4   = { 00 3C 63 6C 6F 73 65 3E 00}  /* <close> */
        $c5   = { 00 57 49 4E 00 }             /* WIN     */
        $c6   = { 00 63 6D 64 2E 65 78 65 00 } /* cmd.exe */
        $c7   = { 00 49 44 00 }                /* ID      */ 
        $c8   = { 00 72 65 6D 00 }             /* rem     */
        // $d*: debug-symbol (PDB) path fragments left in the binaries by the build.
        $d1   = "\\SEA.pdb"
        $d2   = "\\mas.pdb"
        // $s*: status/error strings. "sea"/"SEA" recurs as a Windows service
        // name: $s2 restarts it via sc.exe and $s3 is its Parameters registry key.
        $s1  = "Connecting to the server..."
        $s2  = "cmd.exe /c sc stop sea & sc start sea"
        $s3  = "SYSTEM\\CurrentControlSet\\services\\SEA\\Parameters"
        $s4  = "RecvWrit()-Read_Sock-Failed"
        $s5  = "ReadPipeSendSock()"
    condition:
        // Two independent ways to fire:
        //   - at least 4 keyword tokens, corroborated by either 2 status
        //     strings or any PDB path fragment; or
        //   - at least 5 keyword tokens, corroborated by any 1 status string.
        (4 of ($c*) and (2 of ($s*) or any of ($d*))) or (5 of ($c*) and any of ($s*))
}