win.rokrat

RokRAT

aka: DOGCALL

Actor(s): APT37


It is a backdoor commonly distributed as an encoded
binary file downloaded and decrypted by shellcode following the
exploitation of weaponized documents. DOGCALL is capable of
capturing screenshots, logging keystrokes, evading analysis with
anti-virtual machine detections, and leveraging cloud storage APIs
such as Cloud, Box, Dropbox, and Yandex.

References
2020-06-16 | IBM | IBM Security X-Force® Incident Response and Intelligence Services (IRIS)
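@online{iris:20200616:cloud:e15a0d5,
  author       = {{IBM Security X-Force® Incident Response and Intelligence Services (IRIS)}},
  title        = {Cloud Threat Landscape Report 2020},
  date         = {2020-06-16},
  organization = {IBM},
  url          = {https://www.ibm.com/downloads/cas/Z81AVOY7},
  urldate      = {2020-06-17},
  language     = {English},
}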
QNAPCrypt RokRAT
2020-05-21 | PICUS Security | Süleyman Özarslan
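@online{zarslan:20200521:t1055:4400f98,
  author       = {Özarslan, Süleyman},
  title        = {{T1055} Process Injection},
  date         = {2020-05-21},
  organization = {PICUS Security},
  url          = {https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection},
  urldate      = {2020-06-03},
  language     = {English},
}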
BlackEnergy Cardinal RAT Downdelph Emotet Kazuar RokRAT SOUNDBITE
2020-03-30 | Kaspersky SAS | Seongsu Park
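@techreport{park:20200330:behind:7c5548e,
  author      = {Park, Seongsu},
  title       = {Behind the Mask of {ScarCruft}},
  date        = {2020-03-30},
  institution = {Kaspersky SAS},
  url         = {https://github.com/ssp4rk/slides/blob/master/2019SAS_Behind_of_the_Mask_of_ScarCruft.pdf},
  urldate     = {2020-03-31},
  language    = {English},
}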
RokRAT
2020-03-03 | PWC UK | PWC UK
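@techreport{uk:20200303:cyber:1f1eef0,
  author      = {{PWC UK}},
  title       = {Cyber Threats 2019: A Year in Retrospect},
  date        = {2020-03-03},
  institution = {PWC UK},
  url         = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf},
  urldate     = {2020-03-03},
  language    = {English},
}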
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-02-19 | Lexfo | Lexfo
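@techreport{lexfo:20200219:lazarus:f293c37,
  author      = {{Lexfo}},
  title       = {The {Lazarus} Constellation},
  subtitle    = {A study on {North Korean} malware},
  date        = {2020-02-19},
  institution = {Lexfo},
  url         = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf},
  urldate     = {2020-03-11},
  language    = {English},
}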
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2019-08-12 | Kindred Security | Kindred Security
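@online{security:20190812:overview:0726c0a,
  author       = {{Kindred Security}},
  title        = {An Overview of Public Platform {C2}’s},
  date         = {2019-08-12},
  organization = {Kindred Security},
  url          = {https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/},
  urldate      = {2020-01-08},
  language     = {English},
}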
HTML5 Encoding LOWBALL Makadocs MiniDuke RogueRobinNET RokRAT
2019-08-01 | Kaspersky Labs | GReAT
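@online{great:20190801:trends:5e25d5b,
  author       = {{GReAT}},
  title        = {{APT} trends report {Q2} 2019},
  date         = {2019-08-01},
  organization = {Kaspersky Labs},
  url          = {https://securelist.com/apt-trends-report-q2-2019/91897/},
  urldate      = {2020-08-13},
  language     = {English},
}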
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy Microcin
2019-05-13 | Kaspersky Labs | GReAT
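@online{great:20190513:scarcruft:eb8bb1c,
  author       = {{GReAT}},
  title        = {{ScarCruft} continues to evolve, introduces {Bluetooth} harvester},
  date         = {2019-05-13},
  organization = {Kaspersky Labs},
  url          = {https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/},
  urldate      = {2019-12-20},
  language     = {English},
}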
Konni RokRAT UACMe ScarCruft
2018-11-16 | Kim Yejun
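@online{yejun:20181116:return:31caa6a,
  author   = {Kim Yejun},
  title    = {Return to {ROKRAT}!! (feat. FAAAA...Sad...)},
  date     = {2018-11-16},
  url      = {http://v3lo.tistory.com/24},
  urldate  = {2019-11-26},
  language = {Japanese},
}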
RokRAT
2018-10-03 | Intezer | Jay Rosenberg
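@online{rosenberg:20181003:apt37:93a9100,
  author       = {Rosenberg, Jay},
  title        = {{APT37}: {Final1stspy} Reaping the {FreeMilk}},
  date         = {2018-10-03},
  organization = {Intezer},
  url          = {https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/},
  urldate      = {2020-01-09},
  language     = {English},
}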
Final1stSpy RokRAT
2018-02-27 | VMWare Carbon Black | Jared Myers
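@online{myers:20180227:threat:11a58a0,
  author       = {Myers, Jared},
  title        = {Threat Analysis: {ROKRAT} Malware},
  date         = {2018-02-27},
  organization = {VMWare Carbon Black},
  url          = {https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/},
  urldate      = {2019-10-23},
  language     = {English},
}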
RokRAT
2018-02-20 | FireEye | FireEye
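@techreport{fireeye:20180220:apt37:bc54ada,
  author      = {{FireEye}},
  title       = {{APT37} ({REAPER})},
  subtitle    = {The Overlooked {North Korean} Actor},
  date        = {2018-02-20},
  institution = {FireEye},
  url         = {https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf},
  urldate     = {2019-12-20},
  language    = {English},
}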
RokRAT APT37
2018-01-16 | Cisco Talos | Warren Mercer, Paul Rascagnères, Jungsoo An
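@online{mercer:20180116:korea:f462331,
  author       = {Mercer, Warren and Rascagnères, Paul and An, Jungsoo},
  title        = {{Korea} In The Crosshairs},
  date         = {2018-01-16},
  organization = {Cisco Talos},
  url          = {http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html},
  urldate      = {2020-01-06},
  language     = {English},
}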
Freenki Loader PoohMilk Loader RokRAT APT37
2018-01-16 | Cisco Talos | Warren Mercer, Paul Rascagnères
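@online{mercer:20180116:korea:02f4c3c,
  author        = {Mercer, Warren and Rascagnères, Paul},
  title         = {{Korea} In The Crosshairs},
  date          = {2018-01-16},
  organization  = {Cisco Talos},
  url           = {https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html},
  urldate       = {2020-04-06},
  language      = {English},
  internal-note = {Likely a duplicate of mercer:20180116:korea:f462331 (same post and date; https vs http URL, shorter author list). Keep one key and alias the other.},
}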
Freenki Loader RokRAT APT37
2017-11-28 | Cisco | Warren Mercer, Paul Rascagnères, Jungsoo An
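@online{mercer:20171128:rokrat:dec34fb,
  author       = {Mercer, Warren and Rascagnères, Paul and An, Jungsoo},
  title        = {{ROKRAT} Reloaded},
  date         = {2017-11-28},
  organization = {Cisco},
  url          = {http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html},
  urldate      = {2019-11-22},
  language     = {English},
}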
RokRAT
2017-04-03 | Cisco Talos | Warren Mercer, Paul Rascagnères, Matthew Molyett
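@online{mercer:20170403:introducing:d17f359,
  author       = {Mercer, Warren and Rascagnères, Paul and Molyett, Matthew},
  title        = {Introducing {ROKRAT}},
  date         = {2017-04-03},
  organization = {Cisco Talos},
  url          = {http://blog.talosintelligence.com/2017/04/introducing-rokrat.html},
  urldate      = {2020-01-09},
  language     = {English},
}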
RokRAT
2017 | Cisco Talos | Warren Mercer, Paul Rascagnères
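@techreport{mercer:2017:introducing:04e2ff1,
  author      = {Mercer, Warren and Rascagnères, Paul},
  title       = {Introducing {ROKRAT}},
  date        = {2017},
  institution = {Cisco Talos},
  url         = {http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf},
  urldate     = {2019-12-20},
  language    = {English},
}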
RokRAT
Yara Rules
[TLP:WHITE] win_rokrat_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_rokrat_auto {
    // Opcode-sequence signature for RokRAT (aka DOGCALL), the APT37 backdoor
    // documented on the Malpedia page this rule belongs to. Each $sequence_N
    // below is a short run of x86 instruction bytes that yara-signator picked
    // out of disassembly (see the DISCLAIMER), not a textual artefact, so the
    // rule is meant for unpacked code and memory dumps rather than packed
    // on-disk droppers.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Hex strings with "??" wildcards. The wildcarded bytes are the 4-byte
        // operands of e8 (call rel32), e9 (jmp rel32), ff15 (call [imm32]) and
        // bd (mov ebp, imm32) -- address-dependent values that differ between
        // builds and load addresses, masked so the sequence still matches
        // (this is what the "callsandjumps;datarefs" tool_config refers to).
        // The disassembly column is left blank for those same instructions.
        // In the per-sequence comments, "n" is the number of instructions in
        // the sequence; "score" is yara-signator's ranking of it, presumably
        // reflecting coverage across the reference samples -- confirm against
        // the tool's documentation before treating it as a confidence value.
        $sequence_0 = { 6a00 68e9fd0000 ff15???????? 6a00 50 8d4c241c 89442414 }
            // n = 7, score = 200
            //   6a00                 | push                0
            //   68e9fd0000           | push                0xfde9
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   50                   | push                eax
            //   8d4c241c             | lea                 ecx, [esp + 0x1c]
            //   89442414             | mov                 dword ptr [esp + 0x14], eax

        $sequence_1 = { 8d4dd8 668945d8 e8???????? c745fc01000000 }
            // n = 4, score = 200
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   668945d8             | mov                 word ptr [ebp - 0x28], ax
            //   e8????????           |                     
            //   c745fc01000000       | mov                 dword ptr [ebp - 4], 1

        $sequence_2 = { 50 ff15???????? e8???????? 40 50 }
            // n = 5, score = 200
            //   50                   | push                eax
            //   ff15????????         |                     
            //   e8????????           |                     
            //   40                   | inc                 eax
            //   50                   | push                eax

        $sequence_3 = { 8918 5b 5d c21400 51 e8???????? 83c404 }
            // n = 7, score = 200
            //   8918                 | mov                 dword ptr [eax], ebx
            //   5b                   | pop                 ebx
            //   5d                   | pop                 ebp
            //   c21400               | ret                 0x14
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_4 = { e8???????? 8b0e 8b00 3b01 7504 33f6 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   3b01                 | cmp                 eax, dword ptr [ecx]
            //   7504                 | jne                 6
            //   33f6                 | xor                 esi, esi

        $sequence_5 = { 80f906 7405 80f907 750f 8bc8 e8???????? 85c0 }
            // n = 7, score = 200
            //   80f906               | cmp                 cl, 6
            //   7405                 | je                  7
            //   80f907               | cmp                 cl, 7
            //   750f                 | jne                 0x11
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_6 = { 50 8d442454 6a24 50 e8???????? }
            // n = 5, score = 200
            //   50                   | push                eax
            //   8d442454             | lea                 eax, [esp + 0x54]
            //   6a24                 | push                0x24
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_7 = { 33f6 85c9 7441 0f1f440000 837f1408 7204 8b1f }
            // n = 7, score = 200
            //   33f6                 | xor                 esi, esi
            //   85c9                 | test                ecx, ecx
            //   7441                 | je                  0x43
            //   0f1f440000           | nop                 dword ptr [eax + eax]
            //   837f1408             | cmp                 dword ptr [edi + 0x14], 8
            //   7204                 | jb                  6
            //   8b1f                 | mov                 ebx, dword ptr [edi]

        $sequence_8 = { 8d4dd8 84c0 741a 8b45b8 8b55d4 }
            // n = 5, score = 200
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   84c0                 | test                al, al
            //   741a                 | je                  0x1c
            //   8b45b8               | mov                 eax, dword ptr [ebp - 0x48]
            //   8b55d4               | mov                 edx, dword ptr [ebp - 0x2c]

        // Sequences 9-15 carry a lower score (100) than 0-8 (200); see the
        // note on "score" above before weighting them differently.
        $sequence_9 = { 50 e8???????? 83c440 8d85f8fbffff 8db78c000000 50 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c440               | add                 esp, 0x40
            //   8d85f8fbffff         | lea                 eax, [ebp - 0x408]
            //   8db78c000000         | lea                 esi, [edi + 0x8c]
            //   50                   | push                eax

        $sequence_10 = { 7455 83e801 7449 83e801 743d }
            // n = 5, score = 100
            //   7455                 | je                  0x57
            //   83e801               | sub                 eax, 1
            //   7449                 | je                  0x4b
            //   83e801               | sub                 eax, 1
            //   743d                 | je                  0x3f

        $sequence_11 = { e9???????? 83c504 83f801 750d 8b4dfc }
            // n = 5, score = 100
            //   e9????????           |                     
            //   83c504               | add                 ebp, 4
            //   83f801               | cmp                 eax, 1
            //   750d                 | jne                 0xf
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_12 = { 83c418 8be8 39742418 0f84c0040000 8b97c0000000 8bb29c000000 53 }
            // n = 7, score = 100
            //   83c418               | add                 esp, 0x18
            //   8be8                 | mov                 ebp, eax
            //   39742418             | cmp                 dword ptr [esp + 0x18], esi
            //   0f84c0040000         | je                  0x4c6
            //   8b97c0000000         | mov                 edx, dword ptr [edi + 0xc0]
            //   8bb29c000000         | mov                 esi, dword ptr [edx + 0x9c]
            //   53                   | push                ebx

        $sequence_13 = { 3bf3 e9???????? 8b4c2428 8b7c2420 8d442444 }
            // n = 5, score = 100
            //   3bf3                 | cmp                 esi, ebx
            //   e9????????           |                     
            //   8b4c2428             | mov                 ecx, dword ptr [esp + 0x28]
            //   8b7c2420             | mov                 edi, dword ptr [esp + 0x20]
            //   8d442444             | lea                 eax, [esp + 0x44]

        $sequence_14 = { 894c2410 7513 8b54241c 5e }
            // n = 4, score = 100
            //   894c2410             | mov                 dword ptr [esp + 0x10], ecx
            //   7513                 | jne                 0x15
            //   8b54241c             | mov                 edx, dword ptr [esp + 0x1c]
            //   5e                   | pop                 esi

        $sequence_15 = { e9???????? f6c101 7445 bd???????? }
            // n = 4, score = 100
            //   e9????????           |                     
            //   f6c101               | test                cl, 1
            //   7445                 | je                  0x47
            //   bd????????           |                     

    condition:
        // Require any 7 of the 16 sequences: an individual sequence is only a
        // handful of generic instructions, so one hit alone is not evidence.
        // The filesize cap (2932736 bytes, roughly 2.8 MiB) is presumably
        // derived from the reference samples; a larger sample (e.g. padded or
        // bundled) will not match even if all sequences are present, and the
        // cap does not apply when the code is only found inside a memory dump
        // that is bigger than the original file.
        7 of them and filesize < 2932736
}