win.shadowhammer

shadowhammer

aka: DAYJOB

Actor(s): Operation ShadowHammer


There is no description at this point.

References
2020-07-29 — Kaspersky Labs — GReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-03-27 — One Night in Norfolk — Kevin Perlow
@online{perlow:20200327:first:6b7c827, author = {Kevin Perlow}, title = {{The First Stage of ShadowHammer}}, date = {2020-03-27}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/the-first-stage-of-shadowhammer/}, language = {English}, urldate = {2020-05-19} } The First Stage of ShadowHammer
shadowhammer
2020-03-03 — PWC UK — PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019: A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2019-10-07 — ESET Research — Marc-Etienne M.Léveillé, Mathieu Tartare
@techreport{mlveill:20191007:connecting:e59d4c8, author = {Marc-Etienne M.Léveillé and Mathieu Tartare}, title = {{CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group}}, date = {2019-10-07}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf}, language = {English}, urldate = {2020-01-10} } CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group
LOWKEY shadowhammer ShadowPad
2019-05-20 — YouTube — Kaspersky
@online{kaspersky:20190520:video:148e81f, author = {Kaspersky}, title = {{Video: Operation ShadowHammer: Costin Raiu and Vitaly Kamlyuk at #TheSAS2019}}, date = {2019-05-20}, organization = {YouTube}, url = {https://www.youtube.com/watch?v=T5wPwvLrBYU}, language = {English}, urldate = {2020-01-08} } Video: Operation ShadowHammer: Costin Raiu and Vitaly Kamlyuk at #TheSAS2019
shadowhammer
2019-04-23 — Kaspersky Labs — GReAT, AMR
@online{great:20190423:operation:20b8f83, author = {GReAT and AMR}, title = {{Operation ShadowHammer: a high-profile supply chain attack}}, date = {2019-04-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/}, language = {English}, urldate = {2019-12-20} } Operation ShadowHammer: a high-profile supply chain attack
shadowhammer ShadowPad
2019-04-22 — Trend Micro — Mohamad Mokbel
@online{mokbel:20190422:cc:23b1202, author = {Mohamad Mokbel}, title = {{C/C++ Runtime Library Code Tampering in Supply Chain}}, date = {2019-04-22}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html}, language = {English}, urldate = {2021-09-19} } C/C++ Runtime Library Code Tampering in Supply Chain
shadowhammer ShadowPad Winnti
2019-04-03 — One Night in Norfolk — Kevin Perlow
@online{perlow:20190403:possible:0a08c3a, author = {Kevin Perlow}, title = {{Possible ShadowHammer Targeting (Low Confidence)}}, date = {2019-04-03}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/possible-shadowhammer-targeting-low-confidence/}, language = {English}, urldate = {2020-05-19} } Possible ShadowHammer Targeting (Low Confidence)
shadowhammer
2019-03-29 — F-Secure — Bert Steppe
@online{steppe:20190329:hammer:44fb72d, author = {Bert Steppe}, title = {{A Hammer Lurking In The Shadows}}, date = {2019-03-29}, organization = {F-Secure}, url = {https://blog.f-secure.com/a-hammer-lurking-in-the-shadows/}, language = {English}, urldate = {2020-11-04} } A Hammer Lurking In The Shadows
shadowhammer
2019-03-28 — Skylight Cyber — Skylight Cyber
@online{cyber:20190328:unleash:f5f7048, author = {Skylight Cyber}, title = {{Unleash The Hash - ShadowHammer MAC Address List}}, date = {2019-03-28}, organization = {Skylight Cyber}, url = {https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/}, language = {English}, urldate = {2019-10-23} } Unleash The Hash - ShadowHammer MAC Address List
shadowhammer
2019-03-28 — Vitali Kremez Blog — Vitali Kremez
@online{kremez:20190328:lets:9a07122, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Operation ShadowHammer Shellcode Internals in crt_ExitProcess}}, date = {2019-03-28}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2019/03/lets-learn-dissecting-operation.html}, language = {English}, urldate = {2020-01-10} } Let's Learn: Dissecting Operation ShadowHammer Shellcode Internals in crt_ExitProcess
shadowhammer
2019-03-28 — F-Secure — F-Secure Global
@online{global:20190328:analysis:8b788ab, author = {F-Secure Global}, title = {{Analysis of ShadowHammer ASUS Attack First Stage Payload}}, date = {2019-03-28}, organization = {F-Secure}, url = {https://countercept.com/blog/analysis-shadowhammer-asus-attack-first-stage-payload/}, language = {English}, urldate = {2020-01-08} } Analysis of ShadowHammer ASUS Attack First Stage Payload
shadowhammer
2019-03-27 — mauronz blog — mauronz
@online{mauronz:20190327:analysis:99db548, author = {mauronz}, title = {{Analysis of the ShadowHammer backdoor}}, date = {2019-03-27}, organization = {mauronz blog}, url = {https://mauronz.github.io/shadowhammer-backdoor}, language = {English}, urldate = {2020-01-06} } Analysis of the ShadowHammer backdoor
shadowhammer
2019-03-27 — ReversingLabs — Tomislav Pericin
@online{pericin:20190327:forging:a9c71d8, author = {Tomislav Pericin}, title = {{Forging the ShadowHammer}}, date = {2019-03-27}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/forging-the-shadowhammer}, language = {English}, urldate = {2020-01-06} } Forging the ShadowHammer
shadowhammer
2019-03-25 — Kaspersky Labs — GReAT, AMR
@online{great:20190325:operation:c4bf341, author = {GReAT and AMR}, title = {{Operation ShadowHammer}}, date = {2019-03-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-shadowhammer/89992/}, language = {English}, urldate = {2019-12-20} } Operation ShadowHammer
shadowhammer Operation ShadowHammer
Yara Rules
[TLP:WHITE] win_shadowhammer_auto (20230715 | Detects win.shadowhammer.)
/*
 * Autogenerated detection rule for the Windows ShadowHammer payload
 * (Malpedia family win.shadowhammer, aka DAYJOB).
 *
 * Match logic: at least 7 of the 10 opcode sequences below must be present,
 * and the scanned object must be smaller than 49152 bytes (48 KiB).
 * The sequences are raw 32-bit x86 code fragments picked by yara-signator;
 * the `//` lines under each one are the generator's disassembly of the bytes
 * and carry no matching semantics.
 */
rule win_shadowhammer_auto {

    // Provenance metadata emitted by the generator; `malpedia_hash` is the
    // Malpedia dataset revision the rule was derived from (generator fields,
    // not sample hashes).
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.shadowhammer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowhammer"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // NOTE(review): $sequence_2, $sequence_4 and $sequence_8 embed absolute
    // image addresses (0x40a8b4, 0x409538, 0x409318), and $sequence_5 embeds
    // literal data constants. Those bytes pin the rule to one build and link
    // layout — presumably a 0x400000 image base — so a recompiled, rebased or
    // relocated sample would not hit them and only the 7-of-10 threshold
    // provides slack. The `e8????????` wildcards mask rel32 call targets, which
    // is what makes $sequence_2 and $sequence_8 survive relinking at all.
    strings:
        $sequence_0 = { ff5604 8bf8 8d45fc 50 57 53 53 }
            // n = 7, score = 100
            //   ff5604               | call                dword ptr [esi + 4]
            //   8bf8                 | mov                 edi, eax
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   57                   | push                edi
            //   53                   | push                ebx
            //   53                   | push                ebx

        $sequence_1 = { 8b5020 56 8b701c 57 8b7824 8b4018 }
            // n = 6, score = 100
            //   8b5020               | mov                 edx, dword ptr [eax + 0x20]
            //   56                   | push                esi
            //   8b701c               | mov                 esi, dword ptr [eax + 0x1c]
            //   57                   | push                edi
            //   8b7824               | mov                 edi, dword ptr [eax + 0x24]
            //   8b4018               | mov                 eax, dword ptr [eax + 0x18]

        // Contains an absolute address (push 0x40a8b4) — build-specific.
        $sequence_2 = { 5f 5e 741b 68b4a84000 e8???????? }
            // n = 5, score = 100
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   741b                 | je                  0x1d
            //   68b4a84000           | push                0x40a8b4
            //   e8????????           |                     

        $sequence_3 = { 8d458c 8945a8 8d8574ffffff 33ff }
            // n = 4, score = 100
            //   8d458c               | lea                 eax, [ebp - 0x74]
            //   8945a8               | mov                 dword ptr [ebp - 0x58], eax
            //   8d8574ffffff         | lea                 eax, [ebp - 0x8c]
            //   33ff                 | xor                 edi, edi

        // A 0x101-iteration byte-copy loop into a fixed address (0x409538) —
        // the compare/jump/inc/jmp shape is visible; what the loop is for is not.
        $sequence_4 = { 3d01010000 7d0d 8a4c181c 888838954000 40 ebe9 }
            // n = 6, score = 100
            //   3d01010000           | cmp                 eax, 0x101
            //   7d0d                 | jge                 0xf
            //   8a4c181c             | mov                 cl, byte ptr [eax + ebx + 0x1c]
            //   888838954000         | mov                 byte ptr [eax + 0x409538], cl
            //   40                   | inc                 eax
            //   ebe9                 | jmp                 0xffffffeb

        // Stack-local constant stores; the immediates are literal data, so
        // this sequence is sensitive to any change in those values.
        $sequence_5 = { c785acfdffff4aa5fff2 8895b0fdffff c785b1fdffff0d244779 66c785b5fdffff0d7d c685b7fdffff32 8dbdb8fdffff }
            // n = 6, score = 100
            //   c785acfdffff4aa5fff2     | mov    dword ptr [ebp - 0x254], 0xf2ffa54a
            //   8895b0fdffff         | mov                 byte ptr [ebp - 0x250], dl
            //   c785b1fdffff0d244779     | mov    dword ptr [ebp - 0x24f], 0x7947240d
            //   66c785b5fdffff0d7d     | mov    word ptr [ebp - 0x24b], 0x7d0d
            //   c685b7fdffff32       | mov                 byte ptr [ebp - 0x249], 0x32
            //   8dbdb8fdffff         | lea                 edi, [ebp - 0x248]

        $sequence_6 = { ff45fc 8b45fc 3b45f4 7cb7 ebae 8b45f0 ebab }
            // n = 7, score = 100
            //   ff45fc               | inc                 dword ptr [ebp - 4]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   3b45f4               | cmp                 eax, dword ptr [ebp - 0xc]
            //   7cb7                 | jl                  0xffffffb9
            //   ebae                 | jmp                 0xffffffb0
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   ebab                 | jmp                 0xffffffad

        // Indirect call through [esi + 0x18] with 0x500000 / 0x4000 pushed
        // as arguments; the callee is not identifiable from the bytes alone.
        $sequence_7 = { 740e 6800400000 6800005000 57 ff5618 5f 5b }
            // n = 7, score = 100
            //   740e                 | je                  0x10
            //   6800400000           | push                0x4000
            //   6800005000           | push                0x500000
            //   57                   | push                edi
            //   ff5618               | call                dword ptr [esi + 0x18]
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx

        // Contains an absolute address (cmp ebx, 0x409318) — build-specific.
        $sequence_8 = { 7520 81fb18934000 7407 53 e8???????? 59 }
            // n = 6, score = 100
            //   7520                 | jne                 0x22
            //   81fb18934000         | cmp                 ebx, 0x409318
            //   7407                 | je                  9
            //   53                   | push                ebx
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_9 = { 8b401c 8b08 3bc8 7439 }
            // n = 4, score = 100
            //   8b401c               | mov                 eax, dword ptr [eax + 0x1c]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   3bc8                 | cmp                 ecx, eax
            //   7439                 | je                  0x3b

    // 7 of the 10 sequences must match, and the object must be under 48 KiB.
    // NOTE(review): although the disclaimer says the strings came from memory
    // dumps and unpacked files, `filesize` is only defined for file scans (it
    // is undefined when scanning a running process, which makes the
    // conjunction fail), so this rule is effectively file-only as written —
    // confirm before relying on it for memory scanning.
    condition:
        7 of them and filesize < 49152
}