win.rifdoor

Rifdoor

Actor(s): Lazarus Group


There is no description at this point.

References
2020-04-16 — VMWare Carbon Black — Scott Knight
@online{knight:20200416:evolution:39b90c0, author = {Scott Knight}, title = {{The Evolution of Lazarus}}, date = {2020-04-16}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/}, language = {English}, urldate = {2020-04-17} } The Evolution of Lazarus
HOTCROISSANT Rifdoor
2020-03-03 — PWC UK — PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2018-06-23 — AhnLab — AhnLab
@techreport{ahnlab:20180623:full:dced6a4, author = {AhnLab}, title = {{Full Discloser of Andariel, A Subgroup of Lazarus Threat Group}}, date = {2018-06-23}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf}, language = {English}, urldate = {2019-12-24} } Full Discloser of Andariel, A Subgroup of Lazarus Threat Group
PhanDoor Rifdoor
Yara Rules
[TLP:WHITE] win_rifdoor_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_rifdoor_auto {

    /* Autogenerated Malpedia rule for win.rifdoor (Rifdoor). It matches
     * code byte sequences extracted from disassembly rather than strings
     * or configuration, so a hit indicates compiled code shared with the
     * reference sample(s), not a particular payload or infrastructure.
     * The condition requires 7 of the 10 sequences plus a size cap, which
     * limits the impact of any single generic sequence (see notes below).
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Reviewer notes on the byte patterns:
     * - Each `??` masks one byte. The masked bytes sit where a 32-bit
     *   operand follows the opcode (the disassembly column is left blank
     *   for those lines); given tool_config "callsandjumps;datarefs" they
     *   are presumably call/jump targets and data references, masked so a
     *   rebuilt or relocated binary can still match. TODO: confirm against
     *   the yara-signator documentation.
     * - Some sequences keep absolute addresses in the clear (0x414178 in
     *   $sequence_2, the trailing 4c944000 bytes in $sequence_1, 0x415d60
     *   in $sequence_6 and $sequence_8). These look like fixed image-base
     *   references, so those sequences are likely specific to the analysed
     *   build and may not survive a relink or a different image base.
     * - $sequence_4 is a register-restore/ret epilogue running into the
     *   start of another epilogue; such byte runs are likely common across
     *   compiler output, so it adds little specificity on its own.
     */
    strings:
        $sequence_0 = { 8d4314 b9???????? 895c2414 e8???????? 8b542414 8be8 52 }
            // n = 7, score = 100
            //   8d4314               | lea                 eax, [ebx + 0x14]
            //   b9????????           |                     
            //   895c2414             | mov                 dword ptr [esp + 0x14], ebx
            //   e8????????           |                     
            //   8b542414             | mov                 edx, dword ptr [esp + 0x14]
            //   8be8                 | mov                 ebp, eax
            //   52                   | push                edx

        // Almost entirely masked operands; only the opcodes and the final
        // unmasked immediate (4c944000) carry signal here.
        $sequence_1 = { a1???????? a3???????? a1???????? c705????????4c944000 8935???????? a3???????? ff15???????? }
            // n = 7, score = 100
            //   a1????????           |                     
            //   a3????????           |                     
            //   a1????????           |                     
            //   c705????????4c944000     |     
            //   8935????????         |                     
            //   a3????????           |                     
            //   ff15????????         |                     

        // Unmasked absolute address 0x414178 in the last instruction.
        $sequence_2 = { 33f6 33ff 897dfc 3b1cfd78414100 }
            // n = 4, score = 100
            //   33f6                 | xor                 esi, esi
            //   33ff                 | xor                 edi, edi
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   3b1cfd78414100       | cmp                 ebx, dword ptr [edi*8 + 0x414178]

        $sequence_3 = { 32db 3bc1 7d0e 885c301c 017e5c 8b465c }
            // n = 6, score = 100
            //   32db                 | xor                 bl, bl
            //   3bc1                 | cmp                 eax, ecx
            //   7d0e                 | jge                 0x10
            //   885c301c             | mov                 byte ptr [eax + esi + 0x1c], bl
            //   017e5c               | add                 dword ptr [esi + 0x5c], edi
            //   8b465c               | mov                 eax, dword ptr [esi + 0x5c]

        // Generic function epilogue (see reviewer notes above).
        $sequence_4 = { 8bc6 5e 5d 59 c3 5b 5e }
            // n = 7, score = 100
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   59                   | pop                 ecx
            //   c3                   | ret                 
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi

        $sequence_5 = { 83e804 83c104 83f804 73e9 c744241801000000 8b442410 8b08 }
            // n = 7, score = 100
            //   83e804               | sub                 eax, 4
            //   83c104               | add                 ecx, 4
            //   83f804               | cmp                 eax, 4
            //   73e9                 | jae                 0xffffffeb
            //   c744241801000000     | mov                 dword ptr [esp + 0x18], 1
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   8b08                 | mov                 ecx, dword ptr [eax]

        // Unmasked absolute address 0x415d60 (shared with $sequence_8).
        $sequence_6 = { 8bc8 c1f905 83e01f c1e006 03048d605d4100 eb05 }
            // n = 6, score = 100
            //   8bc8                 | mov                 ecx, eax
            //   c1f905               | sar                 ecx, 5
            //   83e01f               | and                 eax, 0x1f
            //   c1e006               | shl                 eax, 6
            //   03048d605d4100       | add                 eax, dword ptr [ecx*4 + 0x415d60]
            //   eb05                 | jmp                 7

        $sequence_7 = { 50 ff15???????? 8d4c2408 51 b80c000000 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d4c2408             | lea                 ecx, [esp + 8]
            //   51                   | push                ecx
            //   b80c000000           | mov                 eax, 0xc

        // Unmasked absolute address 0x415d60 (shared with $sequence_6).
        $sequence_8 = { 57 8d3c85605d4100 8b07 83e61f }
            // n = 4, score = 100
            //   57                   | push                edi
            //   8d3c85605d4100       | lea                 edi, [eax*4 + 0x415d60]
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   83e61f               | and                 esi, 0x1f

        $sequence_9 = { 7313 6a64 ff15???????? 3bf7 7cc8 5b 8bc6 }
            // n = 7, score = 100
            //   7313                 | jae                 0x15
            //   6a64                 | push                0x64
            //   ff15????????         |                     
            //   3bf7                 | cmp                 esi, edi
            //   7cc8                 | jl                  0xffffffca
            //   5b                   | pop                 ebx
            //   8bc6                 | mov                 eax, esi

    /* Fire only when most of the sequences co-occur and the file is small
     * (212992 bytes = 208 KiB). The size cap presumably also keeps large
     * files, which could contain several of the more generic patterns by
     * chance, out of scope. */
    condition:
        7 of them and filesize < 212992
}