win.rokrat

RokRAT

aka: DOGCALL

Actor(s): APT37


RokRAT (tracked by FireEye as DOGCALL) is a backdoor commonly delivered as an
encoded binary that is downloaded and decrypted by shellcode after a
weaponized document has exploited the target. DOGCALL is capable of capturing
screenshots, logging keystrokes, evading analysis with anti-virtual-machine
checks, and leveraging cloud storage APIs such as Cloud, Box, Dropbox, and
Yandex as command-and-control channels (see the Kindred Security reference on
public-platform C2 below). Because that traffic rides on legitimate cloud
services, blocking the service domains is rarely practical; detection should
lean on the host-level behaviours above and the code-sequence YARA rule below
rather than on network destinations alone.

References
2020-06-16 · IBM · IBM Security X-Force® Incident Response and Intelligence Services (IRIS)
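@online{iris:20200616:cloud:e15a0d5,
  author        = {{IBM Security X-Force® Incident Response and Intelligence Services (IRIS)}},
  title         = {Cloud Threat Landscape Report 2020},
  date          = {2020-06-16},
  organization  = {IBM},
  url           = {https://www.ibm.com/downloads/cas/Z81AVOY7},
  language      = {English},
  urldate       = {2020-06-17},
}
Cloud Threat Landscape Report 2020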
QNAPCrypt RokRAT
2020-05-21PICUS SecuritySüleyman Özarslan
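@online{zarslan:20200521:t1055:4400f98,
  author        = {Özarslan, Süleyman},
  title         = {{T1055} Process Injection},
  date          = {2020-05-21},
  organization  = {PICUS Security},
  url           = {https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection},
  language      = {English},
  urldate       = {2020-06-03},
}
T1055 Process Injection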
BlackEnergy Cardinal RAT Downdelph Emotet Kazuar RokRAT SOUNDBITE
2020-03-30Kaspersky SASSeongsu Park
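@techreport{park:20200330:behind:7c5548e,
  author        = {Park, Seongsu},
  title         = {Behind the Mask of {ScarCruft}},
  date          = {2020-03-30},
  institution   = {Kaspersky SAS},
  url           = {https://github.com/ssp4rk/slides/blob/master/2019SAS_Behind_of_the_Mask_of_ScarCruft.pdf},
  language      = {English},
  urldate       = {2020-03-31},
  internal-note = {URL path names the deck 2019SAS; confirm whether 2020-03-30 is the upload date rather than the talk date},
}
Behind the Mask of ScarCruft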
RokRAT
2020-03-03PWC UKPWC UK
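@techreport{uk:20200303:cyber:1f1eef0,
  author        = {{PWC UK}},
  title         = {Cyber Threats 2019: A Year in Retrospect},
  date          = {2020-03-03},
  institution   = {PWC UK},
  url           = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf},
  language      = {English},
  urldate       = {2020-03-03},
}
Cyber Threats 2019: A Year in Retrospect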
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare
2020-02-19LexfoLexfo
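@techreport{lexfo:20200219:lazarus:f293c37,
  author        = {{Lexfo}},
  title         = {The {Lazarus} Constellation: A Study on {North Korean} Malware},
  date          = {2020-02-19},
  institution   = {Lexfo},
  url           = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf},
  language      = {English},
  urldate       = {2020-03-11},
}
The Lazarus Constellation: A Study on North Korean Malware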
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2019-08-12Kindred SecurityKindred Security
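@online{security:20190812:overview:0726c0a,
  author        = {{Kindred Security}},
  title         = {An Overview of Public Platform {C2}’s},
  date          = {2019-08-12},
  organization  = {Kindred Security},
  url           = {https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/},
  language      = {English},
  urldate       = {2020-01-08},
}
An Overview of Public Platform C2’s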
HTML5 Encoding LOWBALL Makadocs MiniDuke RogueRobinNET RokRAT
2019-05-13Kaspersky LabsGReAT
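@online{great:20190513:scarcruft:eb8bb1c,
  author        = {{GReAT}},
  title         = {{ScarCruft} Continues to Evolve, Introduces {Bluetooth} Harvester},
  date          = {2019-05-13},
  organization  = {Kaspersky Labs},
  url           = {https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/},
  language      = {English},
  urldate       = {2019-12-20},
}
ScarCruft continues to evolve, introduces Bluetooth harvester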
Konni RokRAT UACMe ScarCruft
2018-11-16Kim Yejun
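@online{yejun:20181116:return:31caa6a,
  author        = {Kim, Yejun},
  title         = {Return to {ROKRAT}!! (feat. FAAAA...Sad...)},
  date          = {2018-11-16},
  url           = {http://v3lo.tistory.com/24},
  language      = {Japanese},
  urldate       = {2019-11-26},
  internal-note = {Kim is taken as the family name (Korean name order) -- verify; tistory.com is a Korean blog host, so language = Japanese may also be wrong},
}
Return to ROKRAT!! (feat. FAAAA...Sad...)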
RokRAT
2018-10-03IntezerJay Rosenberg
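@online{rosenberg:20181003:apt37:93a9100,
  author        = {Rosenberg, Jay},
  title         = {{APT37}: {Final1stspy} Reaping the {FreeMilk}},
  date          = {2018-10-03},
  organization  = {Intezer},
  url           = {https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/},
  language      = {English},
  urldate       = {2020-01-09},
}
APT37: Final1stspy Reaping the FreeMilk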
Final1stSpy RokRAT
2018-02-27VMWare Carbon BlackJared Myers
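@online{myers:20180227:threat:11a58a0,
  author        = {Myers, Jared},
  title         = {Threat Analysis: {ROKRAT} Malware},
  date          = {2018-02-27},
  organization  = {VMWare Carbon Black},
  url           = {https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/},
  language      = {English},
  urldate       = {2019-10-23},
}
Threat Analysis: ROKRAT Malware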
RokRAT
2018-02-20FireEyeFireEye
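@techreport{fireeye:20180220:apt37:bc54ada,
  author        = {{FireEye}},
  title         = {{APT37} ({REAPER}): The Overlooked {North Korean} Actor},
  date          = {2018-02-20},
  institution   = {FireEye},
  url           = {https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf},
  language      = {English},
  urldate       = {2019-12-20},
}
APT37 (REAPER): The Overlooked North Korean Actor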
RokRAT APT37
2018-01-16Cisco TalosWarren Mercer, Paul Rascagnères, Jungsoo An
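@online{mercer:20180116:korea:f462331,
  author        = {Mercer, Warren and Rascagnères, Paul and An, Jungsoo},
  title         = {{Korea} in the Crosshairs},
  date          = {2018-01-16},
  organization  = {Cisco Talos},
  url           = {http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html},
  language      = {English},
  urldate       = {2020-01-06},
  internal-note = {Same post as mercer:20180116:korea:02f4c3c (https URL, two authors listed); likely duplicate -- consider merging},
}
Korea In The Crosshairs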
Freenki Loader PoohMilk Loader RokRAT APT37
2018-01-16Cisco TalosWarren Mercer, Paul Rascagnères
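@online{mercer:20180116:korea:02f4c3c,
  author        = {Mercer, Warren and Rascagnères, Paul},
  title         = {{Korea} in the Crosshairs},
  date          = {2018-01-16},
  organization  = {Cisco Talos},
  url           = {https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html},
  language      = {English},
  urldate       = {2020-04-06},
  internal-note = {Same post as mercer:20180116:korea:f462331 (http URL, three authors listed); likely duplicate -- consider merging},
}
Korea In The Crosshairs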
Freenki Loader RokRAT APT37
2017-11-28CiscoWarren Mercer, Paul Rascagnères, Jungsoo An
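@online{mercer:20171128:rokrat:dec34fb,
  author        = {Mercer, Warren and Rascagnères, Paul and An, Jungsoo},
  title         = {{ROKRAT} Reloaded},
  date          = {2017-11-28},
  organization  = {Cisco Talos},
  url           = {http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html},
  language      = {English},
  urldate       = {2019-11-22},
}
ROKRAT Reloaded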
RokRAT
2017-04-03Cisco TalosWarren Mercer, Paul Rascagnères, Matthew Molyett
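@online{mercer:20170403:introducing:d17f359,
  author        = {Mercer, Warren and Rascagnères, Paul and Molyett, Matthew},
  title         = {Introducing {ROKRAT}},
  date          = {2017-04-03},
  organization  = {Cisco Talos},
  url           = {http://blog.talosintelligence.com/2017/04/introducing-rokrat.html},
  language      = {English},
  urldate       = {2020-01-09},
}
Introducing ROKRAT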
RokRAT
2017Cisco TalosWarren Mercer, Paul Rascagnères
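@techreport{mercer:2017:introducing:04e2ff1,
  author        = {Mercer, Warren and Rascagnères, Paul},
  title         = {Introducing {ROKRAT}},
  date          = {2017},
  institution   = {Cisco Talos},
  url           = {http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf},
  language      = {English},
  urldate       = {2019-12-20},
}
Introducing ROKRAT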
RokRAT
Yara Rules
[TLP:WHITE] win_rokrat_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_rokrat_auto {
    /*
     * Auto-generated Malpedia code-sequence rule for RokRAT (aka DOGCALL, APT37).
     * It matches short runs of x86 opcode bytes lifted from unpacked/dumped
     * samples rather than strings or configuration data, so string obfuscation
     * does not defeat it; conversely it is tied to this particular compiled code.
     * The disassembly below uses 32-bit registers (eax/esp/ebp), so a 64-bit
     * build, if one exists, would not be covered.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // Rule built 2020-05-30; malpedia_rule_date/malpedia_version below name
        // the 20200529 Malpedia snapshot it was generated from (presumably -- the
        // one-day offset looks intentional rather than a typo).
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a literal byte pattern. The "??" wildcards mask the
        // rel32 / absolute operands of call (e8, ff15), jmp (e9) and push imm32
        // (68), which change between builds and load addresses.
        // The "n = ..., score = ..." notes are emitted by yara-signator: n is the
        // instruction count; score is presumably its ranking of the sequence
        // (higher = observed in more reference samples) -- TODO confirm against
        // the yara-signator documentation.
        $sequence_0 = { 89442424 56 57 8bfa }
            // n = 4, score = 200
            //   89442424             | mov                 dword ptr [esp + 0x24], eax
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bfa                 | mov                 edi, edx

        $sequence_1 = { 47 803f00 0f852bfeffff 6a01 }
            // n = 4, score = 200
            //   47                   | inc                 edi
            //   803f00               | cmp                 byte ptr [edi], 0
            //   0f852bfeffff         | jne                 0xfffffe31
            //   6a01                 | push                1

        $sequence_2 = { 8bce 50 e8???????? 8d4db4 e8???????? }
            // n = 5, score = 200
            //   8bce                 | mov                 ecx, esi
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d4db4               | lea                 ecx, [ebp - 0x4c]
            //   e8????????           |                     

        $sequence_3 = { 8b4df0 8a45fb 5f 5e 0801 }
            // n = 5, score = 200
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   8a45fb               | mov                 al, byte ptr [ebp - 5]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   0801                 | or                  byte ptr [ecx], al

        $sequence_4 = { 894dd8 3b75dc 0f8217ffffff 8b45d4 c6404800 84db }
            // n = 6, score = 200
            //   894dd8               | mov                 dword ptr [ebp - 0x28], ecx
            //   3b75dc               | cmp                 esi, dword ptr [ebp - 0x24]
            //   0f8217ffffff         | jb                  0xffffff1d
            //   8b45d4               | mov                 eax, dword ptr [ebp - 0x2c]
            //   c6404800             | mov                 byte ptr [eax + 0x48], 0
            //   84db                 | test                bl, bl

        // NOTE(review): push eax / call [imm] / call rel / inc eax is a very
        // generic shape; it contributes little on its own and relies on the
        // 7-of-16 threshold in the condition to stay specific.
        $sequence_5 = { 50 ff15???????? e8???????? 40 }
            // n = 4, score = 200
            //   50                   | push                eax
            //   ff15????????         |                     
            //   e8????????           |                     
            //   40                   | inc                 eax

        $sequence_6 = { 0f28c8 8d4dd8 e8???????? c745fc03000000 e9???????? 8d45b8 }
            // n = 6, score = 200
            //   0f28c8               | movaps              xmm1, xmm0
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   e8????????           |                     
            //   c745fc03000000       | mov                 dword ptr [ebp - 4], 3
            //   e9????????           |                     
            //   8d45b8               | lea                 eax, [ebp - 0x48]

        $sequence_7 = { eb14 68???????? e8???????? c745fc05000000 }
            // n = 4, score = 200
            //   eb14                 | jmp                 0x16
            //   68????????           |                     
            //   e8????????           |                     
            //   c745fc05000000       | mov                 dword ptr [ebp - 4], 5

        $sequence_8 = { 8be5 5d c3 33c0 c7461407000000 6aff 50 }
            // n = 7, score = 200
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   33c0                 | xor                 eax, eax
            //   c7461407000000       | mov                 dword ptr [esi + 0x14], 7
            //   6aff                 | push                -1
            //   50                   | push                eax

        $sequence_9 = { 83c410 8d7b07 e9???????? 8bdf 8d4c2424 }
            // n = 5, score = 100
            //   83c410               | add                 esp, 0x10
            //   8d7b07               | lea                 edi, [ebx + 7]
            //   e9????????           |                     
            //   8bdf                 | mov                 ebx, edi
            //   8d4c2424             | lea                 ecx, [esp + 0x24]

        $sequence_10 = { 83f801 761d 8a5101 3a5701 0f8590000000 83f802 760c }
            // n = 7, score = 100
            //   83f801               | cmp                 eax, 1
            //   761d                 | jbe                 0x1f
            //   8a5101               | mov                 dl, byte ptr [ecx + 1]
            //   3a5701               | cmp                 dl, byte ptr [edi + 1]
            //   0f8590000000         | jne                 0x96
            //   83f802               | cmp                 eax, 2
            //   760c                 | jbe                 0xe

        $sequence_11 = { 8b4dfc d1c3 895f08 c1c105 8b5df0 8bfa 33fe }
            // n = 7, score = 100
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   d1c3                 | rol                 ebx, 1
            //   895f08               | mov                 dword ptr [edi + 8], ebx
            //   c1c105               | rol                 ecx, 5
            //   8b5df0               | mov                 ebx, dword ptr [ebp - 0x10]
            //   8bfa                 | mov                 edi, edx
            //   33fe                 | xor                 edi, esi

        $sequence_12 = { c744240c01000000 b810000000 8bce e8???????? }
            // n = 4, score = 100
            //   c744240c01000000     | mov                 dword ptr [esp + 0xc], 1
            //   b810000000           | mov                 eax, 0x10
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     

        $sequence_13 = { 50 51 53 e8???????? 83c414 83f851 0f84d5040000 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   83f851               | cmp                 eax, 0x51
            //   0f84d5040000         | je                  0x4db

        // NOTE(review): the jump-table base 0x46eee4 below is an absolute address
        // and is NOT wildcarded, so this sequence only matches samples loaded at
        // the original image base (or dumps that were not rebased).
        $sequence_14 = { 83f805 0f87dafeffff ff2485e4ee4600 896e50 56 e8???????? 83c404 }
            // n = 7, score = 100
            //   83f805               | cmp                 eax, 5
            //   0f87dafeffff         | ja                  0xfffffee0
            //   ff2485e4ee4600       | jmp                 dword ptr [eax*4 + 0x46eee4]
            //   896e50               | mov                 dword ptr [esi + 0x50], ebp
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_15 = { 56 e8???????? 8be8 8b442428 50 55 e8???????? }
            // n = 7, score = 100
            //   56                   | push                esi
            //   e8????????           |                     
            //   8be8                 | mov                 ebp, eax
            //   8b442428             | mov                 eax, dword ptr [esp + 0x28]
            //   50                   | push                eax
            //   55                   | push                ebp
            //   e8????????           |                     

    condition:
        // Any 7 of the 16 sequences must hit; the size bound (~2.8 MiB) limits
        // scanning cost and false positives on large benign binaries.
        // NOTE(review): YARA documents filesize as undefined when scanning
        // process memory -- confirm this clause does not suppress matches in
        // live-memory scans. There is deliberately no MZ/PE header check
        // (presumably because the sequences come from memory dumps and unpacked
        // files, see disclaimer), so do not add one without re-testing.
        7 of them and filesize < 2932736
}