win.rokrat

RokRAT

aka: DOGCALL

Actor(s): APT37


RokRAT (tracked by FireEye as DOGCALL) is a backdoor commonly distributed as an
encoded binary file that is downloaded and decrypted by shellcode following the
exploitation of weaponized documents. It is capable of capturing screenshots,
logging keystrokes, evading analysis with anti-virtual-machine checks, and
leveraging cloud storage APIs such as Cloud, Box, Dropbox, and Yandex for
command-and-control (see the public-platform C2 reference below). Because its
traffic rides on legitimate cloud-storage services, destination reputation alone
is a weak network signal; detection should lean on host-side context (the
process issuing those API calls, the document-to-shellcode delivery chain) and
on code-level signatures such as the YARA rule below.

References
2021-02-18 | PTSecurity | PTSecurity
@online{ptsecurity:20210218:httpswwwptsecuritycomwwenanalyticsantisandboxtechniques:d616c1f, author = {PTSecurity}, title = {{https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/}}, date = {2021-02-18}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/}, language = {English}, urldate = {2021-02-25} } https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/
Poet RAT Gravity RAT Ketrican Okrum OopsIE Remcos RogueRobinNET RokRAT SmokeLoader
2021-01-06 | Malwarebytes | Hossein Jazi
@online{jazi:20210106:retrohunting:65f1492, author = {Hossein Jazi}, title = {{Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat}}, date = {2021-01-06}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/}, language = {English}, urldate = {2021-01-11} } Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat
RokRAT
2020-06-16 | IBM | IBM Security X-Force® Incident Response and Intelligence Services (IRIS)
@online{iris:20200616:cloud:e15a0d5, author = {{IBM Security X-Force® Incident Response and Intelligence Services (IRIS)}}, title = {{Cloud Threat Landscape Report 2020}}, date = {2020-06-16}, organization = {IBM}, url = {https://www.ibm.com/downloads/cas/Z81AVOY7}, language = {English}, urldate = {2020-06-17} } Cloud Threat Landscape Report 2020
QNAPCrypt RokRAT
2020-05-21 | PICUS Security | Süleyman Özarslan
@online{zarslan:20200521:t1055:4400f98, author = {Süleyman Özarslan}, title = {{T1055 Process Injection}}, date = {2020-05-21}, organization = {PICUS Security}, url = {https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection}, language = {English}, urldate = {2020-06-03} } T1055 Process Injection
BlackEnergy Cardinal RAT Downdelph Emotet Kazuar RokRAT SOUNDBITE
2020-03-30 | Kaspersky SAS | Seongsu Park
@techreport{park:20200330:behind:7c5548e, author = {Seongsu Park}, title = {{Behind the Mask of ScarCruft}}, date = {2020-03-30}, institution = {Kaspersky SAS}, url = {https://github.com/ssp4rk/slides/blob/master/2019SAS_Behind_of_the_Mask_of_ScarCruft.pdf}, language = {English}, urldate = {2020-03-31} } Behind the Mask of ScarCruft
RokRAT
2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {{PWC UK}}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019: A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-02-19 | Lexfo | Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2019-08-12 | Kindred Security | Kindred Security
@online{security:20190812:overview:0726c0a, author = {{Kindred Security}}, title = {{An Overview of Public Platform C2’s}}, date = {2019-08-12}, organization = {Kindred Security}, url = {https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/}, language = {English}, urldate = {2020-01-08} } An Overview of Public Platform C2’s
HTML5 Encoding LOWBALL Makadocs MiniDuke RogueRobinNET RokRAT
2019-08-01 | Kaspersky Labs | GReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy Microcin
2019-05-13 | Kaspersky Labs | GReAT
@online{great:20190513:scarcruft:eb8bb1c, author = {GReAT}, title = {{ScarCruft continues to evolve, introduces Bluetooth harvester}}, date = {2019-05-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/}, language = {English}, urldate = {2019-12-20} } ScarCruft continues to evolve, introduces Bluetooth harvester
Konni RokRAT UACMe APT37
2018-11-16 | Kim Yejun
@online{yejun:20181116:return:31caa6a, author = {Kim Yejun}, title = {{Return to ROKRAT!! (feat. FAAAA...Sad...)}}, date = {2018-11-16}, url = {http://v3lo.tistory.com/24}, language = {Japanese}, urldate = {2019-11-26} } Return to ROKRAT!! (feat. FAAAA...Sad...)
RokRAT
2018-10-03 | Intezer | Jay Rosenberg
@online{rosenberg:20181003:apt37:93a9100, author = {Jay Rosenberg}, title = {{APT37: Final1stspy Reaping the FreeMilk}}, date = {2018-10-03}, organization = {Intezer}, url = {https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/}, language = {English}, urldate = {2020-01-09} } APT37: Final1stspy Reaping the FreeMilk
Final1stSpy RokRAT
2018-02-27 | VMWare Carbon Black | Jared Myers
@online{myers:20180227:threat:11a58a0, author = {Jared Myers}, title = {{Threat Analysis: ROKRAT Malware}}, date = {2018-02-27}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/}, language = {English}, urldate = {2019-10-23} } Threat Analysis: ROKRAT Malware
RokRAT
2018-02-20 | FireEye | FireEye
@techreport{fireeye:20180220:apt37:bc54ada, author = {FireEye}, title = {{APT37 (REAPER) The Overlooked North Korean Actor}}, date = {2018-02-20}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf}, language = {English}, urldate = {2019-12-20} } APT37 (REAPER) The Overlooked North Korean Actor
RokRAT APT37
2018-01-16 | Cisco Talos | Warren Mercer, Paul Rascagnères, Jungsoo An
@online{mercer:20180116:korea:f462331, author = {Warren Mercer and Paul Rascagnères and Jungsoo An}, title = {{Korea In The Crosshairs}}, date = {2018-01-16}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html}, language = {English}, urldate = {2020-01-06} } Korea In The Crosshairs
Freenki Loader PoohMilk Loader RokRAT APT37
2018-01-16 | Cisco Talos | Warren Mercer, Paul Rascagnères
@online{mercer:20180116:korea:02f4c3c, author = {Warren Mercer and Paul Rascagnères}, title = {{Korea In The Crosshairs}}, date = {2018-01-16}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html}, language = {English}, urldate = {2020-04-06} } Korea In The Crosshairs
Freenki Loader RokRAT APT37
2017-11-28 | Cisco | Warren Mercer, Paul Rascagnères, Jungsoo An
@online{mercer:20171128:rokrat:dec34fb, author = {Warren Mercer and Paul Rascagnères and Jungsoo An}, title = {{ROKRAT Reloaded}}, date = {2017-11-28}, organization = {Cisco}, url = {http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html}, language = {English}, urldate = {2019-11-22} } ROKRAT Reloaded
RokRAT
2017-04-03 | Cisco Talos | Warren Mercer, Paul Rascagnères, Matthew Molyett
@online{mercer:20170403:introducing:d17f359, author = {Warren Mercer and Paul Rascagnères and Matthew Molyett}, title = {{Introducing ROKRAT}}, date = {2017-04-03}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/04/introducing-rokrat.html}, language = {English}, urldate = {2020-01-09} } Introducing ROKRAT
RokRAT
2017 | Cisco Talos | Warren Mercer, Paul Rascagnères
@techreport{mercer:2017:introducing:04e2ff1, author = {Warren Mercer and Paul Rascagnères}, title = {{Introducing ROKRAT}}, date = {2017}, institution = {Cisco Talos}, url = {http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf}, language = {English}, urldate = {2019-12-20} } Introducing ROKRAT
RokRAT
Yara Rules
[TLP:WHITE] win_rokrat_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_rokrat_auto {
    // Autogenerated code-sequence signature for RokRAT (Malpedia family win.rokrat).
    // Each $sequence_N below is a short run of x86 instruction bytes lifted from
    // the disassembly of unpacked samples and memory dumps (see DISCLAIMER), so the
    // rule is aimed at unpacked code / process memory and is likely to miss a
    // still-packed or encoded on-disk dropper.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // Generation date of this rule revision; matches malpedia_rule_date below.
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator was configured with (calls/jumps, data
        // references, binary values) -- presumably; see the yara-signator docs.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        // Malpedia dataset snapshot the sequences were mined from (20201023), as
        // distinct from the rule date above.
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Per-sequence annotations: "n" is the number of instructions in the
        // sequence; "score" is yara-signator's ranking of the sequence
        // (sequences 0-8 carry 200, 9-15 carry 100 -- presumably the higher-scored
        // ones were observed in more of the reference samples; confirm against the
        // tool's documentation before weighting hits by score).
        // "??" bytes are wildcards standing in for relative call/jump targets and
        // absolute addresses (e.g. e8????????, ff15????????, 68????????), which are
        // expected to vary between builds and load addresses.
        $sequence_0 = { 83f801 773d 8b37 85f6 7437 }
            // n = 5, score = 200
            //   83f801               | cmp                 eax, 1
            //   773d                 | ja                  0x3f
            //   8b37                 | mov                 esi, dword ptr [edi]
            //   85f6                 | test                esi, esi
            //   7437                 | je                  0x39

        $sequence_1 = { 50 ff15???????? e8???????? 40 50 }
            // n = 5, score = 200
            //   50                   | push                eax
            //   ff15????????         |                     
            //   e8????????           |                     
            //   40                   | inc                 eax
            //   50                   | push                eax

        $sequence_2 = { 660fd645e8 c745e800000000 8975ec 8d45e8 }
            // n = 4, score = 200
            //   660fd645e8           | movq                qword ptr [ebp - 0x18], xmm0
            //   c745e800000000       | mov                 dword ptr [ebp - 0x18], 0
            //   8975ec               | mov                 dword ptr [ebp - 0x14], esi
            //   8d45e8               | lea                 eax, [ebp - 0x18]

        $sequence_3 = { 668907 8d7e68 8b4714 83f808 720b }
            // n = 5, score = 200
            //   668907               | mov                 word ptr [edi], ax
            //   8d7e68               | lea                 edi, [esi + 0x68]
            //   8b4714               | mov                 eax, dword ptr [edi + 0x14]
            //   83f808               | cmp                 eax, 8
            //   720b                 | jb                  0xd

        $sequence_4 = { 8d45c0 c645fc01 3bc7 733f 3bd8 773b }
            // n = 6, score = 200
            //   8d45c0               | lea                 eax, [ebp - 0x40]
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   3bc7                 | cmp                 eax, edi
            //   733f                 | jae                 0x41
            //   3bd8                 | cmp                 ebx, eax
            //   773b                 | ja                  0x3d

        $sequence_5 = { 57 ff7508 8d442478 f20f114c243c 8bf9 c744244800000000 }
            // n = 6, score = 200
            //   57                   | push                edi
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8d442478             | lea                 eax, [esp + 0x78]
            //   f20f114c243c         | movsd               qword ptr [esp + 0x3c], xmm1
            //   8bf9                 | mov                 edi, ecx
            //   c744244800000000     | mov                 dword ptr [esp + 0x48], 0

        $sequence_6 = { e8???????? 814b0800010000 8903 eb3d 816308fffeffff 8913 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   814b0800010000       | or                  dword ptr [ebx + 8], 0x100
            //   8903                 | mov                 dword ptr [ebx], eax
            //   eb3d                 | jmp                 0x3f
            //   816308fffeffff       | and                 dword ptr [ebx + 8], 0xfffffeff
            //   8913                 | mov                 dword ptr [ebx], edx

        $sequence_7 = { 8b0e eb02 8bce 8d041a 50 51 }
            // n = 6, score = 200
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   eb02                 | jmp                 4
            //   8bce                 | mov                 ecx, esi
            //   8d041a               | lea                 eax, [edx + ebx]
            //   50                   | push                eax
            //   51                   | push                ecx

        $sequence_8 = { 0f84f3000000 8975d8 0f1f4000 807f0800 7507 e8???????? eb41 }
            // n = 7, score = 200
            //   0f84f3000000         | je                  0xf9
            //   8975d8               | mov                 dword ptr [ebp - 0x28], esi
            //   0f1f4000             | nop                 dword ptr [eax]
            //   807f0800             | cmp                 byte ptr [edi + 8], 0
            //   7507                 | jne                 9
            //   e8????????           |                     
            //   eb41                 | jmp                 0x43

        $sequence_9 = { 89770c 7507 8bd7 e8???????? 8b7c2410 }
            // n = 5, score = 100
            //   89770c               | mov                 dword ptr [edi + 0xc], esi
            //   7507                 | jne                 9
            //   8bd7                 | mov                 edx, edi
            //   e8????????           |                     
            //   8b7c2410             | mov                 edi, dword ptr [esp + 0x10]

        $sequence_10 = { 8d4c241c 51 56 e8???????? 8b542424 8b4c2428 83c408 }
            // n = 7, score = 100
            //   8d4c241c             | lea                 ecx, [esp + 0x1c]
            //   51                   | push                ecx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8b542424             | mov                 edx, dword ptr [esp + 0x24]
            //   8b4c2428             | mov                 ecx, dword ptr [esp + 0x28]
            //   83c408               | add                 esp, 8

        $sequence_11 = { 68???????? 56 89aea8040000 c786ac04000001000000 e8???????? }
            // n = 5, score = 100
            //   68????????           |                     
            //   56                   | push                esi
            //   89aea8040000         | mov                 dword ptr [esi + 0x4a8], ebp
            //   c786ac04000001000000     | mov    dword ptr [esi + 0x4ac], 1
            //   e8????????           |                     

        $sequence_12 = { 894c2414 89442418 0f85defeffff 8b4504 85c0 7e18 8b5500 }
            // n = 7, score = 100
            //   894c2414             | mov                 dword ptr [esp + 0x14], ecx
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   0f85defeffff         | jne                 0xfffffee4
            //   8b4504               | mov                 eax, dword ptr [ebp + 4]
            //   85c0                 | test                eax, eax
            //   7e18                 | jle                 0x1a
            //   8b5500               | mov                 edx, dword ptr [ebp]

        $sequence_13 = { 85c0 0f84b5010000 45 3bfd }
            // n = 4, score = 100
            //   85c0                 | test                eax, eax
            //   0f84b5010000         | je                  0x1bb
            //   45                   | inc                 ebp
            //   3bfd                 | cmp                 edi, ebp

        $sequence_14 = { 8b4c2418 8b54241c 90 0fb63410 }
            // n = 4, score = 100
            //   8b4c2418             | mov                 ecx, dword ptr [esp + 0x18]
            //   8b54241c             | mov                 edx, dword ptr [esp + 0x1c]
            //   90                   | nop                 
            //   0fb63410             | movzx               esi, byte ptr [eax + edx]

        $sequence_15 = { 89542410 13463c 83f80f 0f8717020000 }
            // n = 4, score = 100
            //   89542410             | mov                 dword ptr [esp + 0x10], edx
            //   13463c               | adc                 eax, dword ptr [esi + 0x3c]
            //   83f80f               | cmp                 eax, 0xf
            //   0f8717020000         | ja                  0x21d

    condition:
        // Fire when at least 7 of the 16 $sequence_* strings are present and the
        // scanned object is smaller than 2932736 bytes (~2.8 MiB). The size bound
        // is a file-scan guard: YARA's documentation describes `filesize` as
        // undefined when the scanned object is a process rather than a file, so
        // confirm how your scanner evaluates it before relying on this rule for
        // live-memory hunting, where the code sequences themselves are most useful.
        7 of them and filesize < 2932736
}