win.shadowhammer

shadowhammer

aka: DAYJOB

Actor(s): Operation ShadowHammer


There is no description at this point.

References

2020-07-29 | Kaspersky Labs | GReAT
APT trends report Q2 2020
Tags: PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel

2020-03-27 | One Night in Norfolk | Kevin Perlow
The First Stage of ShadowHammer
Tags: shadowhammer

2020-03-03 | PWC UK | PWC UK
Cyber Threats 2019: A Year in Retrospect
Tags: KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle

2019-10-07 | ESET Research | Marc-Etienne M.Léveillé, Mathieu Tartare
CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group
Tags: LOWKEY shadowhammer ShadowPad

2019-05-20 | YouTube | Kaspersky
Video: Operation ShadowHammer: Costin Raiu and Vitaly Kamlyuk at #TheSAS2019
Tags: shadowhammer

2019-04-23 | Kaspersky Labs | AMR, GReAT
Operation ShadowHammer: a high-profile supply chain attack
Tags: shadowhammer ShadowPad

2019-04-22 | Trend Micro | Mohamad Mokbel
C/C++ Runtime Library Code Tampering in Supply Chain
Tags: shadowhammer ShadowPad Winnti

2019-04-03 | One Night in Norfolk | Kevin Perlow
Possible ShadowHammer Targeting (Low Confidence)
Tags: shadowhammer

2019-03-29 | F-Secure | Bert Steppe
A Hammer Lurking In The Shadows
Tags: shadowhammer

2019-03-28 | F-Secure | F-Secure Global
Analysis of ShadowHammer ASUS Attack First Stage Payload
Tags: shadowhammer

2019-03-28 | Skylight Cyber | Skylight Cyber
Unleash The Hash - ShadowHammer MAC Address List
Tags: shadowhammer

2019-03-28 | Vitali Kremez Blog | Vitali Kremez
Let's Learn: Dissecting Operation ShadowHammer Shellcode Internals in crt_ExitProcess
Tags: shadowhammer

2019-03-27 | ReversingLabs | Tomislav Pericin
Forging the ShadowHammer
Tags: shadowhammer

2019-03-27 | mauronz blog | mauronz
Analysis of the ShadowHammer backdoor
Tags: shadowhammer

2019-03-25 | Kaspersky Labs | AMR, GReAT
Operation ShadowHammer
Tags: shadowhammer Operation ShadowHammer

Yara Rules
[TLP:WHITE] win_shadowhammer_auto (20230808 | Detects win.shadowhammer.)
rule win_shadowhammer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.shadowhammer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowhammer"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation are published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 03d3 03f3 03fb 894dfc 8945f4 }
            // n = 5, score = 100
            //   03d3                 | add                 edx, ebx
            //   03f3                 | add                 esi, ebx
            //   03fb                 | add                 edi, ebx
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax

        $sequence_1 = { c3 e8???????? c21000 8bff 55 8bec 833d????????01 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   e8????????           |                     
            //   c21000               | ret                 0x10
            //   8bff                 | mov                 edi, edi
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   833d????????01       |                     

        $sequence_2 = { 8dbd7dfdffff ab ab ab ab }
            // n = 5, score = 100
            //   8dbd7dfdffff         | lea                 edi, [ebp - 0x283]
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax

        $sequence_3 = { 58 6a2d 66894584 58 }
            // n = 4, score = 100
            //   58                   | pop                 eax
            //   6a2d                 | push                0x2d
            //   66894584             | mov                 word ptr [ebp - 0x7c], ax
            //   58                   | pop                 eax

        $sequence_4 = { 685ac1cbc2 56 e8???????? 59 59 85c0 }
            // n = 6, score = 100
            //   685ac1cbc2           | push                0xc2cbc15a
            //   56                   | push                esi
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax

        $sequence_5 = { c78564ffffff103ee0fc c78568ffffffb0cf4161 c7856cffffffb0fafb19 8dbd70ffffff }
            // n = 4, score = 100
            //   c78564ffffff103ee0fc     | mov    dword ptr [ebp - 0x9c], 0xfce03e10
            //   c78568ffffffb0cf4161     | mov    dword ptr [ebp - 0x98], 0x6141cfb0
            //   c7856cffffffb0fafb19     | mov    dword ptr [ebp - 0x94], 0x19fbfab0
            //   8dbd70ffffff         | lea                 edi, [ebp - 0x90]

        $sequence_6 = { 8d45e8 50 ff75fc 895de8 8b07 }
            // n = 5, score = 100
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   895de8               | mov                 dword ptr [ebp - 0x18], ebx
            //   8b07                 | mov                 eax, dword ptr [edi]

        $sequence_7 = { c78544fdffff6a0ad740 c78548fdffff667aadbd 33c0 8dbd4cfdffff ab 889d50fdffff 8dbd51fdffff }
            // n = 7, score = 100
            //   c78544fdffff6a0ad740     | mov    dword ptr [ebp - 0x2bc], 0x40d70a6a
            //   c78548fdffff667aadbd     | mov    dword ptr [ebp - 0x2b8], 0xbdad7a66
            //   33c0                 | xor                 eax, eax
            //   8dbd4cfdffff         | lea                 edi, [ebp - 0x2b4]
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   889d50fdffff         | mov                 byte ptr [ebp - 0x2b0], bl
            //   8dbd51fdffff         | lea                 edi, [ebp - 0x2af]

        $sequence_8 = { 8dbdfcfdffff ab 889d00feffff 8dbd01feffff ab ab }
            // n = 6, score = 100
            //   8dbdfcfdffff         | lea                 edi, [ebp - 0x204]
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   889d00feffff         | mov                 byte ptr [ebp - 0x200], bl
            //   8dbd01feffff         | lea                 edi, [ebp - 0x1ff]
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax

        $sequence_9 = { 8945a8 8d8574ffffff 33ff 8945ac 8d45b8 }
            // n = 5, score = 100
            //   8945a8               | mov                 dword ptr [ebp - 0x58], eax
            //   8d8574ffffff         | lea                 eax, [ebp - 0x8c]
            //   33ff                 | xor                 edi, edi
            //   8945ac               | mov                 dword ptr [ebp - 0x54], eax
            //   8d45b8               | lea                 eax, [ebp - 0x48]

    condition:
        7 of them and filesize < 49152
}