win.remexi

Remexi

aka: CACHEMONEY

Actor(s): APT39, Chafer


There is no description at this point; the only technical detail available is in the vendor references below (Symantec 2015, Kaspersky 2019, Bitdefender 2020) and in the two YARA rules at the bottom of the page.

References
2020-05-21 | Bitdefender | Liviu Arsene, Bogdan Rusu
@techreport{arsene:20200521:iranian:d9e1468, author = {Liviu Arsene and Bogdan Rusu}, title = {{Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia}}, date = {2020-05-21}, institution = {Bitdefender}, url = {https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf}, language = {English}, urldate = {2020-05-23} } Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia
MimiKatz Remexi
2020 | Secureworks | SecureWorks
@online{secureworks:2020:cobalt:c242388, author = {SecureWorks}, title = {{COBALT HICKMAN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-hickman}, language = {English}, urldate = {2020-05-23} } COBALT HICKMAN
MimiKatz Remexi APT39
2019-02-14 | Twitter (@QW5kcmV3) | Andrew Thompson
@online{thompson:20190214:unpacking:1ff2299, author = {Andrew Thompson}, title = {{Tweet on unpacking Remexi payload}}, date = {2019-02-14}, organization = {Twitter (@QW5kcmV3)}, url = {https://twitter.com/QW5kcmV3/status/1095833216605401088}, language = {English}, urldate = {2020-01-27} } Tweet on unpacking Remexi payload
Remexi
2019-01-30 | Kaspersky Labs | Denis Legezo
@online{legezo:20190130:chafer:bb3ce4d, author = {Denis Legezo}, title = {{Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities}}, date = {2019-01-30}, organization = {Kaspersky Labs}, url = {https://securelist.com/chafer-used-remexi-malware/89538/}, language = {English}, urldate = {2019-12-20} } Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities
Remexi APT39
2018-02-28 | Symantec | Critical Attack Discovery and Intelligence Team
@online{team:20180228:chafer:5b5b77b, author = {Critical Attack Discovery and Intelligence Team}, title = {{Chafer: Latest Attacks Reveal Heightened Ambitions}}, date = {2018-02-28}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions}, language = {English}, urldate = {2020-04-21} } Chafer: Latest Attacks Reveal Heightened Ambitions
MimiKatz Remexi
2018-02-28 | Symantec | Security Response Attack Investigation Team
@online{team:20180228:chafer:552bafb, author = {Security Response Attack Investigation Team}, title = {{Chafer: Latest Attacks Reveal Heightened Ambitions}}, date = {2018-02-28}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions}, language = {English}, urldate = {2020-01-09} } Chafer: Latest Attacks Reveal Heightened Ambitions
Remexi APT39
2015-12-07 | Symantec | Security Response
@online{response:20151207:iranbased:5e7136f, author = {Security Response}, title = {{Iran-based attackers use back door threats to spy on Middle Eastern targets}}, date = {2015-12-07}, organization = {Symantec}, url = {https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets}, language = {English}, urldate = {2020-04-21} } Iran-based attackers use back door threats to spy on Middle Eastern targets
CadelSpy Remexi Cadelle
2015-12-07 | Symantec | Symantec
@techreport{symantec:20151207:backdoorcadelspy:6a40e51, author = {Symantec}, title = {{Backdoor.Cadelspy and Backdoor.Remexi: indicators of compromise}}, date = {2015-12-07}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf}, language = {English}, urldate = {2020-01-06} } Backdoor.Cadelspy and Backdoor.Remexi: indicators of compromise
CadelSpy Remexi
Yara Rules
[TLP:WHITE] win_remexi_auto (20220411 | Detects win.remexi.)
// Auto-generated code-sequence rule (yara-signator). The hex sequences are the
// detection logic and are left byte-for-byte untouched; only the disassembly
// comments were corrected. The original autogenerated comments were shifted
// across sequences and described the wrong bytes (e.g. $sequence_12 carried
// $sequence_2's disassembly), which misleads anyone triaging a hit.
// Sequences with score 300/200 are decoded as 32-bit x86. $sequence_13 ..
// $sequence_20 (score 100) carry REX prefixes (0x40-0x4f) and are decoded as
// x86-64, which suggests they were taken from a 64-bit sample.
// Branch targets follow yara-signator's convention: instruction length plus
// displacement (e.g. "eb02" -> "jmp 4"). "masked" marks bytes wildcarded by ?.
rule win_remexi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.remexi."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 56 c706ffffffff e8???????? 83c404 }
            // n = 4, score = 300
            // NOTE(review): a very generic store-(-1) / call / stack-cleanup
            // idiom; expect incidental hits in unrelated code. The "7 of them"
            // condition, not this sequence alone, carries the specificity.
            //   56                   | push                esi
            //   c706ffffffff         | mov                 dword ptr [esi], 0xffffffff
            //   e8????????           | call                <rel32 masked>
            //   83c404               | add                 esp, 4

        $sequence_1 = { 52 56 50 e8???????? 8bf0 eb02 }
            // n = 6, score = 200
            //   52                   | push                edx
            //   56                   | push                esi
            //   50                   | push                eax
            //   e8????????           | call                <rel32 masked>
            //   8bf0                 | mov                 esi, eax
            //   eb02                 | jmp                 4

        $sequence_2 = { ff15???????? 8bf0 85f6 7513 8b45d8 }
            // n = 5, score = 200
            //   ff15????????         | call                dword ptr [<abs32 masked>]
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7513                 | jne                 0x15
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]

        $sequence_3 = { ff15???????? 6a10 8d4ddc 8bf0 }
            // n = 4, score = 200
            //   ff15????????         | call                dword ptr [<abs32 masked>]
            //   6a10                 | push                0x10
            //   8d4ddc               | lea                 ecx, dword ptr [ebp - 0x24]
            //   8bf0                 | mov                 esi, eax

        $sequence_4 = { 8945e0 8945e4 8945e8 b802000000 }
            // n = 4, score = 200
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   b802000000           | mov                 eax, 2

        $sequence_5 = { 41 50 a3???????? c705????????02000000 890d???????? ffd6 6a00 }
            // n = 7, score = 200
            //   41                   | inc                 ecx
            //   50                   | push                eax
            //   a3????????           | mov                 dword ptr [<abs32 masked>], eax
            //   c705????????02000000 | mov                 dword ptr [<abs32 masked>], 2
            //   890d????????         | mov                 dword ptr [<abs32 masked>], ecx
            //   ffd6                 | call                esi
            //   6a00                 | push                0

        $sequence_6 = { e8???????? 83ec1c 8bcc 89642430 6aff 53 }
            // n = 6, score = 200
            //   e8????????           | call                <rel32 masked>
            //   83ec1c               | sub                 esp, 0x1c
            //   8bcc                 | mov                 ecx, esp
            //   89642430             | mov                 dword ptr [esp + 0x30], esp
            //   6aff                 | push                -1
            //   53                   | push                ebx

        $sequence_7 = { 53 50 ff15???????? 3dffffff00 }
            // n = 4, score = 200
            //   53                   | push                ebx
            //   50                   | push                eax
            //   ff15????????         | call                dword ptr [<abs32 masked>]
            //   3dffffff00           | cmp                 eax, 0xffffff

        $sequence_8 = { 68???????? 50 ff15???????? 8b0d???????? 8b35???????? }
            // n = 5, score = 200
            //   68????????           | push                <imm32 masked>
            //   50                   | push                eax
            //   ff15????????         | call                dword ptr [<abs32 masked>]
            //   8b0d????????         | mov                 ecx, dword ptr [<abs32 masked>]
            //   8b35????????         | mov                 esi, dword ptr [<abs32 masked>]

        $sequence_9 = { c705????????01000000 c705????????00000000 ffd6 83ffff }
            // n = 4, score = 200
            //   c705????????01000000 | mov                 dword ptr [<abs32 masked>], 1
            //   c705????????00000000 | mov                 dword ptr [<abs32 masked>], 0
            //   ffd6                 | call                esi
            //   83ffff               | cmp                 edi, -1

        $sequence_10 = { 8b45d8 8b4818 8b5104 50 }
            // n = 4, score = 200
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]
            //   8b4818               | mov                 ecx, dword ptr [eax + 0x18]
            //   8b5104               | mov                 edx, dword ptr [ecx + 4]
            //   50                   | push                eax

        $sequence_11 = { 8907 894704 894708 6a01 89470c }
            // n = 5, score = 200
            //   8907                 | mov                 dword ptr [edi], eax
            //   894704               | mov                 dword ptr [edi + 4], eax
            //   894708               | mov                 dword ptr [edi + 8], eax
            //   6a01                 | push                1
            //   89470c               | mov                 dword ptr [edi + 0xc], eax

        $sequence_12 = { 8bf0 51 56 ff15???????? 85c0 }
            // n = 5, score = 200
            //   8bf0                 | mov                 esi, eax
            //   51                   | push                ecx
            //   56                   | push                esi
            //   ff15????????         | call                dword ptr [<abs32 masked>]
            //   85c0                 | test                eax, eax

        $sequence_13 = { e8???????? 488d542420 41b804000000 488bcf }
            // n = 4, score = 100  (x86-64)
            //   e8????????           | call                <rel32 masked>
            //   488d542420           | lea                 rdx, [rsp + 0x20]
            //   41b804000000         | mov                 r8d, 4
            //   488bcf               | mov                 rcx, rdi

        $sequence_14 = { 4883c310 48ffcd 75d4 488d1d23280200 }
            // n = 4, score = 100  (x86-64)
            // NOTE(review): the RIP-relative displacement 0x22823 is not
            // masked, so this sequence is pinned to one build's image layout.
            //   4883c310             | add                 rbx, 0x10
            //   48ffcd               | dec                 rbp
            //   75d4                 | jne                 -0x2a   (backward edge; looks like a countdown loop in 16-byte steps)
            //   488d1d23280200       | lea                 rbx, [rip + 0x22823]

        $sequence_15 = { 0f84e5000000 49895e10 49837e1810 7205 498b06 eb03 498bc6 }
            // n = 7, score = 100  (x86-64)
            // NOTE(review): "cmp [obj+0x18], 0x10; jb; mov rax,[obj] / mov rax,obj"
            // looks like the MSVC std::string small-buffer (heap pointer vs.
            // inline buffer) idiom; if so this is library code rather than
            // Remexi-specific logic -- confirm before weighting a hit on it.
            //   0f84e5000000         | je                  0xeb
            //   49895e10             | mov                 qword ptr [r14 + 0x10], rbx
            //   49837e1810           | cmp                 qword ptr [r14 + 0x18], 0x10
            //   7205                 | jb                  7
            //   498b06               | mov                 rax, qword ptr [r14]
            //   eb03                 | jmp                 5
            //   498bc6               | mov                 rax, r14

        $sequence_16 = { 4881ec70010000 48c7442428feffffff 48899c2480010000 488b05???????? }
            // n = 4, score = 100  (x86-64)
            // NOTE(review): reads like an MSVC x64 function prologue (frame
            // marker -2 stored on the stack, then a RIP-relative load that is
            // typically the security cookie) -- compiler boilerplate, likely
            // not family-specific.
            //   4881ec70010000       | sub                 rsp, 0x170
            //   48c7442428feffffff   | mov                 qword ptr [rsp + 0x28], -2
            //   48899c2480010000     | mov                 qword ptr [rsp + 0x180], rbx
            //   488b05????????       | mov                 rax, qword ptr [rip + <disp32 masked>]

        $sequence_17 = { e9???????? 48c747180f000000 48897710 408837 4038342500000000 }
            // n = 5, score = 100  (x86-64)
            // NOTE(review): capacity 0xf / size / first byte stores look like
            // std::string initialisation (same caveat as $sequence_15). The
            // final cmp uses absolute address 0 -- in a dump that is probably
            // an unresolved relocation or placeholder, not real code intent.
            //   e9????????           | jmp                 <rel32 masked>
            //   48c747180f000000     | mov                 qword ptr [rdi + 0x18], 0xf
            //   48897710             | mov                 qword ptr [rdi + 0x10], rsi
            //   408837               | mov                 byte ptr [rdi], sil
            //   4038342500000000     | cmp                 byte ptr [0x0], sil

        $sequence_18 = { 48634804 8d9170ffffff 89540c5c 488d05c14e0200 4889442470 f645e001 740c }
            // n = 7, score = 100  (x86-64)
            // NOTE(review): RIP-relative displacement 0x24ec1 is unmasked
            // (build-specific, see $sequence_14).
            //   48634804             | movsxd              rcx, dword ptr [rax + 4]
            //   8d9170ffffff         | lea                 edx, [rcx - 0x90]
            //   89540c5c             | mov                 dword ptr [rsp + rcx + 0x5c], edx
            //   488d05c14e0200       | lea                 rax, [rip + 0x24ec1]
            //   4889442470           | mov                 qword ptr [rsp + 0x70], rax
            //   f645e001             | test                byte ptr [rbp - 0x20], 1
            //   740c                 | je                  0xe

        $sequence_19 = { 448bc0 488b442450 4863ce 488d9520060000 4c8d4c244c 4803d1 488d0d82b40100 }
            // n = 7, score = 100  (x86-64)
            // NOTE(review): RIP-relative displacement 0x1b482 is unmasked
            // (build-specific, see $sequence_14).
            //   448bc0               | mov                 r8d, eax
            //   488b442450           | mov                 rax, qword ptr [rsp + 0x50]
            //   4863ce               | movsxd              rcx, esi
            //   488d9520060000       | lea                 rdx, [rbp + 0x620]
            //   4c8d4c244c           | lea                 r9, [rsp + 0x4c]
            //   4803d1               | add                 rdx, rcx
            //   488d0d82b40100       | lea                 rcx, [rip + 0x1b482]

        $sequence_20 = { 48837c245010 720a 488b4c2438 e8???????? 41b901000000 }
            // n = 5, score = 100  (x86-64)
            // NOTE(review): same "capacity >= 0x10" test as $sequence_15;
            // possibly std::string library code -- confirm.
            //   48837c245010         | cmp                 qword ptr [rsp + 0x50], 0x10
            //   720a                 | jb                  0xc
            //   488b4c2438           | mov                 rcx, qword ptr [rsp + 0x38]
            //   e8????????           | call                <rel32 masked>
            //   41b901000000         | mov                 r9d, 1

    condition:
        // Any 7 of the 21 sequences. 13 are 32-bit and 8 are 64-bit patterns;
        // in practice one sample will mostly satisfy the sequences of its own
        // bitness, so the effective bar is roughly 7 of 13 (x86) or 7 of 8 (x64).
        // The filesize bound applies to the object actually scanned: the
        // sequences come from unpacked images / memory dumps, so a packed
        // on-disk sample is not expected to match regardless of its size.
        7 of them and filesize < 614400
}
[TLP:WHITE] win_remexi_w0   (20170410 | No description)
// Symantec string-based rule for Backdoor.Remexi, taken from the 2015
// CadelSpy/Remexi indicators-of-compromise paper (meta.source). The detection
// logic is unchanged; comments were added to explain the string groups and
// the two firing paths of the condition.
rule win_remexi_w0 {
    meta:
        author = "Symantec"
        // NOTE(review): plain-http source URL. If re-fetching the paper, use
        // https or the archived copy rather than trusting an unauthenticated
        // download (the reference list on this page has a web.archive.org link).
        source = "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi"
        malpedia_version = "20170410"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    strings:
        // $c*: NUL-delimited ASCII tokens. The leading and trailing 00 force a
        // whole-string match (e.g. "\0<id>\0"), not a substring hit inside a
        // longer string. The angle-bracket tokens read like a small
        // command/tag vocabulary; $c5..$c8 are only 4-9 bytes and generic on
        // their own, which is why the condition demands 4 or 5 of the group.
        $c1   = { 00 3C 65 78 69 74 3E 00 }    /* <exit>  */
        $c2   = { 00 3C 69 64 3E 00 }          /* <id>    */
        $c3   = { 00 3C 72 65 6D 3E 00 }       /* <rem>   */
        $c4   = { 00 3C 63 6C 6F 73 65 3E 00}  /* <close> */
        $c5   = { 00 57 49 4E 00 }             /* WIN     */
        $c6   = { 00 63 6D 64 2E 65 78 65 00 } /* cmd.exe */
        $c7   = { 00 49 44 00 }                /* ID      */
        $c8   = { 00 72 65 6D 00 }             /* rem     */
        // $d*: PDB path suffixes left in the binary. "SEA" is also the service
        // name used in $s2 and $s3, tying the three together.
        $d1   = "\\SEA.pdb"
        $d2   = "\\mas.pdb"
        // $s*: runtime / logging strings. Text strings are ASCII-only by
        // default (no "wide" modifier), so a UTF-16 build of the same strings
        // would not match this rule.
        $s1  = "Connecting to the server..."
        $s2  = "cmd.exe /c sc stop sea & sc start sea"   // restarts the "sea" service via sc.exe
        $s3  = "SYSTEM\\CurrentControlSet\\services\\SEA\\Parameters"
        $s4  = "RecvWrit()-Read_Sock-Failed"
        $s5  = "ReadPipeSendSock()"
    condition:
        // Two firing paths:
        //   (a) 4 command tokens AND (2 runtime strings OR a PDB path), or
        //   (b) 5 command tokens AND at least one runtime string.
        // There is no filesize or PE-header guard, so any scanned object of
        // any size is eligible; the NUL-bounded tokens keep false positives
        // down but $c5..$c8 alone would not.
        (4 of ($c*) and (2 of ($s*) or any of ($d*))) or (5 of ($c*) and any of ($s*))
}