win.rokrat

RokRAT

aka: DOGCALL

Actor(s): APT37


RokRAT (DOGCALL) is a backdoor commonly distributed as an encoded
binary file that is downloaded and decrypted by shellcode following the
exploitation of weaponized documents. DOGCALL is capable of
capturing screenshots, logging keystrokes, evading analysis with
anti-virtual-machine checks, and leveraging cloud storage APIs
such as Cloud, Box, Dropbox, and Yandex.

References
2020-06-16 | IBM | IBM Security X-Force® Incident Response and Intelligence Services (IRIS)
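@online{iris:20200616:cloud:e15a0d5,
  author       = {{IBM Security X-Force® Incident Response and Intelligence Services (IRIS)}},
  title        = {Cloud Threat Landscape Report 2020},
  date         = {2020-06-16},
  organization = {IBM},
  url          = {https://www.ibm.com/downloads/cas/Z81AVOY7},
  language     = {English},
  urldate      = {2020-06-17},
}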
QNAPCrypt RokRAT
2020-05-21 | PICUS Security | Süleyman Özarslan
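@online{zarslan:20200521:t1055:4400f98,
  author       = {Özarslan, Süleyman},
  title        = {{T1055} Process Injection},
  date         = {2020-05-21},
  organization = {PICUS Security},
  url          = {https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection},
  language     = {English},
  urldate      = {2020-06-03},
}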
BlackEnergy Cardinal RAT Downdelph Emotet Kazuar RokRAT SOUNDBITE
2020-03-30 | Kaspersky SAS | Seongsu Park
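@techreport{park:20200330:behind:7c5548e,
  author        = {Park, Seongsu},
  title         = {Behind the Mask of {ScarCruft}},
  date          = {2020-03-30},
  institution   = {Kaspersky SAS},
  url           = {https://github.com/ssp4rk/slides/blob/master/2019SAS_Behind_of_the_Mask_of_ScarCruft.pdf},
  language      = {English},
  urldate       = {2020-03-31},
  internal-note = {the URL path names the deck 2019SAS while date is 2020-03-30 -- confirm the presentation date},
}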
RokRAT
2020-03-03 | PWC UK | PWC UK
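@techreport{uk:20200303:cyber:1f1eef0,
  author      = {{PWC UK}},
  title       = {Cyber Threats 2019},
  subtitle    = {A Year in Retrospect},
  date        = {2020-03-03},
  institution = {PWC UK},
  url         = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf},
  language    = {English},
  urldate     = {2020-03-03},
}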
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-02-19 | Lexfo | Lexfo
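@techreport{lexfo:20200219:lazarus:f293c37,
  author      = {{Lexfo}},
  title       = {The {Lazarus} Constellation},
  subtitle    = {A Study on {North Korean} Malware},
  date        = {2020-02-19},
  institution = {Lexfo},
  url         = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf},
  language    = {English},
  urldate     = {2020-03-11},
}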
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2019-08-12 | Kindred Security | Kindred Security
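@online{security:20190812:overview:0726c0a,
  author       = {{Kindred Security}},
  title        = {An Overview of Public Platform {C2’s}},
  date         = {2019-08-12},
  organization = {Kindred Security},
  url          = {https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/},
  language     = {English},
  urldate      = {2020-01-08},
}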
HTML5 Encoding LOWBALL Makadocs MiniDuke RogueRobinNET RokRAT
2019-08-01 | Kaspersky Labs | GReAT
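@online{great:20190801:trends:5e25d5b,
  author       = {{GReAT}},
  title        = {{APT} Trends Report {Q2} 2019},
  date         = {2019-08-01},
  organization = {Kaspersky Labs},
  url          = {https://securelist.com/apt-trends-report-q2-2019/91897/},
  language     = {English},
  urldate      = {2020-08-13},
}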
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy Microcin
2019-05-13 | Kaspersky Labs | GReAT
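@online{great:20190513:scarcruft:eb8bb1c,
  author       = {{GReAT}},
  title        = {{ScarCruft} Continues to Evolve, Introduces {Bluetooth} Harvester},
  date         = {2019-05-13},
  organization = {Kaspersky Labs},
  url          = {https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/},
  language     = {English},
  urldate      = {2019-12-20},
}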
Konni RokRAT UACMe ScarCruft
2018-11-16 | Kim Yejun
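@online{yejun:20181116:return:31caa6a,
  author        = {Kim Yejun},
  title         = {Return to {ROKRAT}!! (feat. {FAAAA}...Sad...)},
  date          = {2018-11-16},
  url           = {http://v3lo.tistory.com/24},
  language      = {Japanese},
  urldate       = {2019-11-26},
  internal-note = {author name order and language not verified from this record: the citation key treats Yejun as the surname, and tistory.com is a Korean blog host -- confirm both},
}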
RokRAT
2018-10-03 | Intezer | Jay Rosenberg
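@online{rosenberg:20181003:apt37:93a9100,
  author       = {Rosenberg, Jay},
  title        = {{APT37}: {Final1stspy} Reaping the {FreeMilk}},
  date         = {2018-10-03},
  organization = {Intezer},
  url          = {https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/},
  language     = {English},
  urldate      = {2020-01-09},
}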
Final1stSpy RokRAT
2018-02-27 | VMWare Carbon Black | Jared Myers
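@online{myers:20180227:threat:11a58a0,
  author       = {Myers, Jared},
  title        = {Threat Analysis: {ROKRAT} Malware},
  date         = {2018-02-27},
  organization = {VMWare Carbon Black},
  url          = {https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/},
  language     = {English},
  urldate      = {2019-10-23},
}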
RokRAT
2018-02-20 | FireEye | FireEye
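@techreport{fireeye:20180220:apt37:bc54ada,
  author      = {{FireEye}},
  title       = {{APT37} ({REAPER})},
  subtitle    = {The Overlooked {North Korean} Actor},
  date        = {2018-02-20},
  institution = {FireEye},
  url         = {https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf},
  language    = {English},
  urldate     = {2019-12-20},
}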
RokRAT APT37
2018-01-16 | Cisco Talos | Warren Mercer, Paul Rascagnères, Jungsoo An
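@online{mercer:20180116:korea:f462331,
  author        = {Mercer, Warren and Rascagnères, Paul and An, Jungsoo},
  title         = {{Korea} In The Crosshairs},
  date          = {2018-01-16},
  organization  = {Cisco Talos},
  url           = {http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html},
  language      = {English},
  urldate       = {2020-01-06},
  internal-note = {same post as mercer:20180116:korea:02f4c3c (identical title and date, http vs https URL, differing author list) -- likely a duplicate; consolidate into one entry},
}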
Freenki Loader PoohMilk Loader RokRAT APT37
2018-01-16 | Cisco Talos | Warren Mercer, Paul Rascagnères
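@online{mercer:20180116:korea:02f4c3c,
  author        = {Mercer, Warren and Rascagnères, Paul},
  title         = {{Korea} In The Crosshairs},
  date          = {2018-01-16},
  organization  = {Cisco Talos},
  url           = {https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html},
  language      = {English},
  urldate       = {2020-04-06},
  internal-note = {same post as mercer:20180116:korea:f462331 (identical title and date, https vs http URL, that entry also lists Jungsoo An) -- likely a duplicate; consolidate into one entry},
}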
Freenki Loader RokRAT APT37
2017-11-28 | Cisco | Warren Mercer, Paul Rascagnères, Jungsoo An
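@online{mercer:20171128:rokrat:dec34fb,
  author       = {Mercer, Warren and Rascagnères, Paul and An, Jungsoo},
  title        = {{ROKRAT} Reloaded},
  date         = {2017-11-28},
  organization = {Cisco},
  url          = {http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html},
  language     = {English},
  urldate      = {2019-11-22},
}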
RokRAT
2017-04-03 | Cisco Talos | Warren Mercer, Paul Rascagnères, Matthew Molyett
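@online{mercer:20170403:introducing:d17f359,
  author       = {Mercer, Warren and Rascagnères, Paul and Molyett, Matthew},
  title        = {Introducing {ROKRAT}},
  date         = {2017-04-03},
  organization = {Cisco Talos},
  url          = {http://blog.talosintelligence.com/2017/04/introducing-rokrat.html},
  language     = {English},
  urldate      = {2020-01-09},
}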
RokRAT
2017 | Cisco Talos | Warren Mercer, Paul Rascagnères
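@techreport{mercer:2017:introducing:04e2ff1,
  author      = {Mercer, Warren and Rascagnères, Paul},
  title       = {Introducing {ROKRAT}},
  date        = {2017},
  institution = {Cisco Talos},
  url         = {http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf},
  language    = {English},
  urldate     = {2019-12-20},
}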
RokRAT
Yara Rules
[TLP:WHITE] win_rokrat_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_rokrat_auto {

    // Autogenerated (yara-signator) code-sequence signature for win.rokrat.
    // Read the DISCLAIMER below before assigning this rule a confidence level:
    // the sequences were selected from memory dumps and unpacked files.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a run of x86 instruction bytes. The "??" wildcards mask
    // the 4-byte relative operands of call/jmp (e8, e9, ff15) so the pattern does
    // not depend on load address. The "n = .., score = .." annotations come from
    // yara-signator: n is the instruction count; the score presumably reflects the
    // tool's weighting of that sequence -- confirm against the yara-signator docs
    // before treating 200 vs 100 as a confidence level.
    strings:
        $sequence_0 = { 8965f0 c7411407000000 c7411000000000 83791408 7204 8b01 }
            // n = 6, score = 200
            //   8965f0               | mov                 dword ptr [ebp - 0x10], esp
            //   c7411407000000       | mov                 dword ptr [ecx + 0x14], 7
            //   c7411000000000       | mov                 dword ptr [ecx + 0x10], 0
            //   83791408             | cmp                 dword ptr [ecx + 0x14], 8
            //   7204                 | jb                  6
            //   8b01                 | mov                 eax, dword ptr [ecx]

        $sequence_1 = { 83f801 773d 8b37 85f6 7437 }
            // n = 5, score = 200
            //   83f801               | cmp                 eax, 1
            //   773d                 | ja                  0x3f
            //   8b37                 | mov                 esi, dword ptr [edi]
            //   85f6                 | test                esi, esi
            //   7437                 | je                  0x39

        $sequence_2 = { 8bc6 33c9 668908 894dfc 8b4310 8b7e10 40 }
            // n = 7, score = 200
            //   8bc6                 | mov                 eax, esi
            //   33c9                 | xor                 ecx, ecx
            //   668908               | mov                 word ptr [eax], cx
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   8b4310               | mov                 eax, dword ptr [ebx + 0x10]
            //   8b7e10               | mov                 edi, dword ptr [esi + 0x10]
            //   40                   | inc                 eax

        $sequence_3 = { c745fc02000000 eb94 e8???????? 0f28c8 8d4dd8 e8???????? }
            // n = 6, score = 200
            //   c745fc02000000       | mov                 dword ptr [ebp - 4], 2
            //   eb94                 | jmp                 0xffffff96
            //   e8????????           |                     
            //   0f28c8               | movaps              xmm1, xmm0
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   e8????????           |                     

        $sequence_4 = { ff15???????? e8???????? 40 50 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   e8????????           |                     
            //   40                   | inc                 eax
            //   50                   | push                eax

        $sequence_5 = { eb32 6a08 e8???????? 8bf0 8975ec 8b4508 0f57c0 }
            // n = 7, score = 200
            //   eb32                 | jmp                 0x34
            //   6a08                 | push                8
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   8975ec               | mov                 dword ptr [ebp - 0x14], esi
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   0f57c0               | xorps               xmm0, xmm0

        $sequence_6 = { 5d c3 33c0 c7461407000000 }
            // n = 4, score = 200
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   33c0                 | xor                 eax, eax
            //   c7461407000000       | mov                 dword ptr [esi + 0x14], 7

        $sequence_7 = { 8816 8bd3 8bc2 8954240c }
            // n = 4, score = 200
            //   8816                 | mov                 byte ptr [esi], dl
            //   8bd3                 | mov                 edx, ebx
            //   8bc2                 | mov                 eax, edx
            //   8954240c             | mov                 dword ptr [esp + 0xc], edx

        $sequence_8 = { 6a00 53 e8???????? 8bc3 e9???????? 8b5d10 8d4610 }
            // n = 7, score = 200
            //   6a00                 | push                0
            //   53                   | push                ebx
            //   e8????????           |                     
            //   8bc3                 | mov                 eax, ebx
            //   e9????????           |                     
            //   8b5d10               | mov                 ebx, dword ptr [ebp + 0x10]
            //   8d4610               | lea                 eax, [esi + 0x10]

        $sequence_9 = { c70604000000 eb35 8b8164040000 3bc5 740c 8b9158870000 52 }
            // n = 7, score = 100
            //   c70604000000         | mov                 dword ptr [esi], 4
            //   eb35                 | jmp                 0x37
            //   8b8164040000         | mov                 eax, dword ptr [ecx + 0x464]
            //   3bc5                 | cmp                 eax, ebp
            //   740c                 | je                  0xe
            //   8b9158870000         | mov                 edx, dword ptr [ecx + 0x8758]
            //   52                   | push                edx

        $sequence_10 = { 2bc2 89442424 eb0a 8b742428 895c2424 8bc3 c644243c01 }
            // n = 7, score = 100
            //   2bc2                 | sub                 eax, edx
            //   89442424             | mov                 dword ptr [esp + 0x24], eax
            //   eb0a                 | jmp                 0xc
            //   8b742428             | mov                 esi, dword ptr [esp + 0x28]
            //   895c2424             | mov                 dword ptr [esp + 0x24], ebx
            //   8bc3                 | mov                 eax, ebx
            //   c644243c01           | mov                 byte ptr [esp + 0x3c], 1

        $sequence_11 = { ff00 8b08 83e902 898fb41e0000 8d8fb01c0000 8908 }
            // n = 6, score = 100
            //   ff00                 | inc                 dword ptr [eax]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   83e902               | sub                 ecx, 2
            //   898fb41e0000         | mov                 dword ptr [edi + 0x1eb4], ecx
            //   8d8fb01c0000         | lea                 ecx, [edi + 0x1cb0]
            //   8908                 | mov                 dword ptr [eax], ecx

        $sequence_12 = { 5b 33cc e8???????? 81c418080000 }
            // n = 4, score = 100
            //   5b                   | pop                 ebx
            //   33cc                 | xor                 ecx, esp
            //   e8????????           |                     
            //   81c418080000         | add                 esp, 0x818

        $sequence_13 = { 8b4c2404 8d0440 56 8db4c17c010000 8b4610 85c0 7422 }
            // n = 7, score = 100
            //   8b4c2404             | mov                 ecx, dword ptr [esp + 4]
            //   8d0440               | lea                 eax, [eax + eax*2]
            //   56                   | push                esi
            //   8db4c17c010000       | lea                 esi, [ecx + eax*8 + 0x17c]
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]
            //   85c0                 | test                eax, eax
            //   7422                 | je                  0x24

        $sequence_14 = { 50 53 e8???????? 8b542448 2b5c2424 8b8798000000 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   53                   | push                ebx
            //   e8????????           |                     
            //   8b542448             | mov                 edx, dword ptr [esp + 0x48]
            //   2b5c2424             | sub                 ebx, dword ptr [esp + 0x24]
            //   8b8798000000         | mov                 eax, dword ptr [edi + 0x98]

        $sequence_15 = { 83ba2087000000 7407 83c901 894c241c 85c9 7513 51 }
            // n = 7, score = 100
            //   83ba2087000000       | cmp                 dword ptr [edx + 0x8720], 0
            //   7407                 | je                  9
            //   83c901               | or                  ecx, 1
            //   894c241c             | mov                 dword ptr [esp + 0x1c], ecx
            //   85c9                 | test                ecx, ecx
            //   7513                 | jne                 0x15
            //   51                   | push                ecx

    // Any 7 of the 16 sequences must be present in the scanned object. Because the
    // sequences were taken from memory dumps and unpacked files (see DISCLAIMER),
    // packed or still-encoded on-disk payloads are unlikely to match; run this
    // against unpacked samples or process memory. The filesize clause caps the
    // scanned object at just under 2.8 MiB.
    condition:
        7 of them and filesize < 2932736
}