win.rifdoor (Back to overview)

Rifdoor

Actor(s): Lazarus Group


There is no description at this point.

References
2020-04-16 | VMWare Carbon Black | Scott Knight
@online{knight:20200416:evolution:39b90c0, author = {Scott Knight}, title = {{The Evolution of Lazarus}}, date = {2020-04-16}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/}, language = {English}, urldate = {2020-04-17} } The Evolution of Lazarus
HOTCROISSANT Rifdoor
2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA
2018-06-23 | AhnLab | AhnLab
@techreport{ahnlab:20180623:full:dced6a4, author = {AhnLab}, title = {{Full Discloser of Andariel, A Subgroup of Lazarus Threat Group}}, date = {2018-06-23}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf}, language = {English}, urldate = {2019-12-24} } Full Discloser of Andariel, A Subgroup of Lazarus Threat Group
PhanDoor Rifdoor
Yara Rules
[TLP:WHITE] win_rifdoor_auto (20220808 | Detects win.rifdoor.)
rule win_rifdoor_auto {
    // Auto-generated (yara-signator) code-sequence signature for the win.rifdoor
    // family. Every $sequence_N is a run of 32-bit x86 instruction bytes taken
    // from disassembly; the instruction listing under each string is a comment
    // for the reader only and is not evaluated by YARA.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.rifdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Reading the sequences:
        //  - "n" is the number of instructions in the sequence; "score" is the
        //    generator's ranking of the sequence (presumably selectivity — see the
        //    yara-signator repository for the exact meaning). The 200-scored
        //    sequences are listed first, then the 100-scored ones.
        //  - Bytes written as ?? are YARA hex wildcards. They mask operands that
        //    carry addresses (the rel32 of an e8 call, the imm32 of a 68 push, the
        //    disp32 of an ff15 call [mem], the moffs32 of an a3 mov, the imm32 of
        //    a b9 mov ecx), which differ between builds and after relocation;
        //    those instructions show an empty disassembly column below.
        //  - NOTE(review): $sequence_0, $sequence_1 and $sequence_6 contain
        //    unmasked absolute addresses (0x415d60, 0x4016d8, 0x4159f4), so they
        //    likely match only a build with that exact layout/image base; expect
        //    them to be the most brittle sequences across variants.
        $sequence_0 = { c1f805 83e71f c1e706 8b0485605d4100 8d44380c 50 }
            // n = 6, score = 200
            //   c1f805               | sar                 eax, 5
            //   83e71f               | and                 edi, 0x1f
            //   c1e706               | shl                 edi, 6
            //   8b0485605d4100       | mov                 eax, dword ptr [eax*4 + 0x415d60]
            //   8d44380c             | lea                 eax, [eax + edi + 0xc]
            //   50                   | push                eax

        $sequence_1 = { 41 83f903 771e ff248dd8164000 50 e8???????? 83c404 }
            // n = 7, score = 200
            //   41                   | inc                 ecx   (listing missing in generated output)
            //   83f903               | cmp                 ecx, 3
            //   771e                 | ja                  0x20
            //   ff248dd8164000       | jmp                 dword ptr [ecx*4 + 0x4016d8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_2 = { 55 57 ffd6 a3???????? 895c2410 8d4c2410 }
            // n = 6, score = 200
            //   55                   | push                ebp
            //   57                   | push                edi
            //   ffd6                 | call                esi
            //   a3????????           |                     
            //   895c2410             | mov                 dword ptr [esp + 0x10], ebx
            //   8d4c2410             | lea                 ecx, [esp + 0x10]

        $sequence_3 = { 89842484000000 53 57 33ff 57 897c2410 897c240c }
            // n = 7, score = 200
            //   89842484000000       | mov                 dword ptr [esp + 0x84], eax
            //   53                   | push                ebx
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   57                   | push                edi
            //   897c2410             | mov                 dword ptr [esp + 0x10], edi
            //   897c240c             | mov                 dword ptr [esp + 0xc], edi

        $sequence_4 = { 68???????? 668907 e8???????? 83c408 8bc6 8d5001 5f }
            // n = 7, score = 200
            //   68????????           |                     
            //   668907               | mov                 word ptr [edi], ax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8bc6                 | mov                 eax, esi
            //   8d5001               | lea                 edx, [eax + 1]
            //   5f                   | pop                 edi

        $sequence_5 = { 8b465c 885c061c 017e5c 394e5c 7cf1 eb19 }
            // n = 6, score = 200
            //   8b465c               | mov                 eax, dword ptr [esi + 0x5c]
            //   885c061c             | mov                 byte ptr [esi + eax + 0x1c], bl
            //   017e5c               | add                 dword ptr [esi + 0x5c], edi
            //   394e5c               | cmp                 dword ptr [esi + 0x5c], ecx
            //   7cf1                 | jl                  0xfffffff3
            //   eb19                 | jmp                 0x1b

        $sequence_6 = { 66890c45f4594100 40 ebe8 33c0 8945e4 3d01010000 7d0d }
            // n = 7, score = 200
            //   66890c45f4594100     | mov                 word ptr [eax*2 + 0x4159f4], cx
            //   40                   | inc                 eax
            //   ebe8                 | jmp                 0xffffffea
            //   33c0                 | xor                 eax, eax
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   3d01010000           | cmp                 eax, 0x101
            //   7d0d                 | jge                 0xf

        $sequence_7 = { 8d4318 b9???????? 895c2414 e8???????? 8be8 }
            // n = 5, score = 200
            //   8d4318               | lea                 eax, [ebx + 0x18]
            //   b9????????           |                     
            //   895c2414             | mov                 dword ptr [esp + 0x14], ebx
            //   e8????????           |                     
            //   8be8                 | mov                 ebp, eax

        $sequence_8 = { 53 6800000040 57 899df4f7ffff ff15???????? 8bf8 }
            // n = 6, score = 100
            //   53                   | push                ebx
            //   6800000040           | push                0x40000000
            //   57                   | push                edi
            //   899df4f7ffff         | mov                 dword ptr [ebp - 0x80c], ebx
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_9 = { 8b4e04 e8???????? 85c0 7521 68???????? }
            // n = 5, score = 100
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7521                 | jne                 0x23
            //   68????????           |                     

        $sequence_10 = { ff15???????? 68???????? 8d4d98 51 ff15???????? 807d9800 8d4598 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   68????????           |                     
            //   8d4d98               | lea                 ecx, [ebp - 0x68]
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   807d9800             | cmp                 byte ptr [ebp - 0x68], 0
            //   8d4598               | lea                 eax, [ebp - 0x68]

        $sequence_11 = { 8bf0 83e680 33d6 8bf0 c1ee08 c1e211 0bd6 }
            // n = 7, score = 100
            //   8bf0                 | mov                 esi, eax
            //   83e680               | and                 esi, 0xffffff80
            //   33d6                 | xor                 edx, esi
            //   8bf0                 | mov                 esi, eax
            //   c1ee08               | shr                 esi, 8
            //   c1e211               | shl                 edx, 0x11
            //   0bd6                 | or                  edx, esi

        $sequence_12 = { 50 ff15???????? c744240c60ea0000 eba0 53 e8???????? }
            // n = 6, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   c744240c60ea0000     | mov                 dword ptr [esp + 0xc], 0xea60
            //   eba0                 | jmp                 0xffffffa2
            //   53                   | push                ebx
            //   e8????????           |                     

        $sequence_13 = { 85c0 7e06 03f8 2bf0 eb2d 83f8ff 0f85ee000000 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   7e06                 | jle                 8
            //   03f8                 | add                 edi, eax
            //   2bf0                 | sub                 esi, eax
            //   eb2d                 | jmp                 0x2f
            //   83f8ff               | cmp                 eax, -1
            //   0f85ee000000         | jne                 0xf4

        $sequence_14 = { 50 8d4de8 51 8d95e8fbffff 68???????? 52 ff15???????? }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8d4de8               | lea                 ecx, [ebp - 0x18]
            //   51                   | push                ecx
            //   8d95e8fbffff         | lea                 edx, [ebp - 0x418]
            //   68????????           |                     
            //   52                   | push                edx
            //   ff15????????         |                     

        $sequence_15 = { 68???????? 8d95e8fbffff 52 ffd3 8d85e8fbffff }
            // n = 5, score = 100
            //   68????????           |                     
            //   8d95e8fbffff         | lea                 edx, [ebp - 0x418]
            //   52                   | push                edx
            //   ffd3                 | call                ebx
            //   8d85e8fbffff         | lea                 eax, [ebp - 0x418]

    condition:
        // Any 7 of the 16 sequences must be present (no weighting by score), and
        // the scanned object must be smaller than 212992 bytes (208 KiB). Per the
        // disclaimer above the sequences were taken from unpacked files and memory
        // dumps, so matches are expected on unpacked code; a packed on-disk sample
        // may need to be unpacked, or scanned in memory, before this rule fires.
        7 of them and filesize < 212992
}