win.shadowhammer

shadowhammer

aka: DAYJOB

Actor(s): Operation ShadowHammer


There is no description at this point.

References
2020-03-27 | One Night in Norfolk | Kevin Perlow
@online{perlow:20200327:first:6b7c827, author = {Kevin Perlow}, title = {{The First Stage of ShadowHammer}}, date = {2020-03-27}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/the-first-stage-of-shadowhammer/}, language = {English}, urldate = {2020-05-19} } The First Stage of ShadowHammer
shadowhammer
2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare
2019-10-07 | ESET Research | Marc-Etienne M.Léveillé, Mathieu Tartare
@techreport{mlveill:20191007:connecting:e59d4c8, author = {Marc-Etienne M.Léveillé and Mathieu Tartare}, title = {{CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group}}, date = {2019-10-07}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf}, language = {English}, urldate = {2020-01-10} } CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group
LOWKEY shadowhammer ShadowPad
2019-05-20 | YouTube | Kaspersky
@online{kaspersky:20190520:video:148e81f, author = {Kaspersky}, title = {{Video: Operation ShadowHammer: Costin Raiu and Vitaly Kamlyuk at #TheSAS2019}}, date = {2019-05-20}, organization = {YouTube}, url = {https://www.youtube.com/watch?v=T5wPwvLrBYU}, language = {English}, urldate = {2020-01-08} } Video: Operation ShadowHammer: Costin Raiu and Vitaly Kamlyuk at #TheSAS2019
shadowhammer
2019-04-23 | Kaspersky Labs | GReAT, AMR
@online{great:20190423:operation:20b8f83, author = {GReAT and AMR}, title = {{Operation ShadowHammer: a high-profile supply chain attack}}, date = {2019-04-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/}, language = {English}, urldate = {2019-12-20} } Operation ShadowHammer: a high-profile supply chain attack
shadowhammer ShadowPad
2019-04-03 | One Night in Norfolk | Kevin Perlow
@online{perlow:20190403:possible:0a08c3a, author = {Kevin Perlow}, title = {{Possible ShadowHammer Targeting (Low Confidence)}}, date = {2019-04-03}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/possible-shadowhammer-targeting-low-confidence/}, language = {English}, urldate = {2020-05-19} } Possible ShadowHammer Targeting (Low Confidence)
shadowhammer
2019-03-29 | F-Secure | Bert Steppe
@online{steppe:20190329:hammer:44fb72d, author = {Bert Steppe}, title = {{A Hammer Lurking In The Shadows}}, date = {2019-03-29}, organization = {F-Secure}, url = {https://labsblog.f-secure.com/2019/03/29/a-hammer-lurking-in-the-shadows}, language = {English}, urldate = {2019-09-22} } A Hammer Lurking In The Shadows
shadowhammer
2019-03-28 | Skylight Cyber | Skylight Cyber
@online{cyber:20190328:unleash:f5f7048, author = {Skylight Cyber}, title = {{Unleash The Hash - ShadowHammer MAC Address List}}, date = {2019-03-28}, organization = {Skylight Cyber}, url = {https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/}, language = {English}, urldate = {2019-10-23} } Unleash The Hash - ShadowHammer MAC Address List
shadowhammer
2019-03-28 | Vitali Kremez Blog | Vitali Kremez
@online{kremez:20190328:lets:9a07122, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Operation ShadowHammer Shellcode Internals in crt_ExitProcess}}, date = {2019-03-28}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2019/03/lets-learn-dissecting-operation.html}, language = {English}, urldate = {2020-01-10} } Let's Learn: Dissecting Operation ShadowHammer Shellcode Internals in crt_ExitProcess
shadowhammer
2019-03-28 | F-Secure | F-Secure Global
@online{global:20190328:analysis:8b788ab, author = {F-Secure Global}, title = {{Analysis of ShadowHammer ASUS Attack First Stage Payload}}, date = {2019-03-28}, organization = {F-Secure}, url = {https://countercept.com/blog/analysis-shadowhammer-asus-attack-first-stage-payload/}, language = {English}, urldate = {2020-01-08} } Analysis of ShadowHammer ASUS Attack First Stage Payload
shadowhammer
2019-03-27 | ReversingLabs | Tomislav Pericin
@online{pericin:20190327:forging:a9c71d8, author = {Tomislav Pericin}, title = {{Forging the ShadowHammer}}, date = {2019-03-27}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/forging-the-shadowhammer}, language = {English}, urldate = {2020-01-06} } Forging the ShadowHammer
shadowhammer
2019-03-27 | mauronz blog | mauronz
@online{mauronz:20190327:analysis:99db548, author = {mauronz}, title = {{Analysis of the ShadowHammer backdoor}}, date = {2019-03-27}, organization = {mauronz blog}, url = {https://mauronz.github.io/shadowhammer-backdoor}, language = {English}, urldate = {2020-01-06} } Analysis of the ShadowHammer backdoor
shadowhammer
2019-03-25 | Kaspersky Labs | GReAT, AMR
@online{great:20190325:operation:c4bf341, author = {GReAT and AMR}, title = {{Operation ShadowHammer}}, date = {2019-03-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-shadowhammer/89992/}, language = {English}, urldate = {2019-12-20} } Operation ShadowHammer
shadowhammer Operation ShadowHammer
Yara Rules
[TLP:WHITE] win_shadowhammer_auto (20200529 | autogenerated rule brought to you by yara-signator)
/*
 * Detection rule for the win.shadowhammer family (Operation ShadowHammer).
 * It carries ten short 32-bit x86 opcode sequences that yara-signator lifted
 * from the disassembly of the documented samples (memory dumps and unpacked
 * files, see the DISCLAIMER below). The rule fires when at least seven of the
 * ten sequences are present in a scanned object smaller than 48 KiB (see the
 * condition at the bottom). The per-sequence notes point out which bytes tie
 * a sequence to one particular build (absolute addresses, literal constants)
 * and which bytes are wildcarded.
 */
rule win_shadowhammer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): "date" (2020-05-30) and malpedia_rule_date (20200529)
        // differ by one day -- presumably generation date vs. data snapshot.
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowhammer"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Argument setup: pushes edi, the constant 0x40 and the address of a
        // stack buffer at [ebp - 0xd4]. Only stack offsets and a small
        // immediate are encoded, so this one is not tied to the image base.
        $sequence_0 = { 57 6a40 8d852cffffff 53 50 }
            // n = 5, score = 100
            //   57                   | push                edi
            //   6a40                 | push                0x40
            //   8d852cffffff         | lea                 eax, [ebp - 0xd4]
            //   53                   | push                ebx
            //   50                   | push                eax

        // Indirect call through the slot at [eax + 0x1c] (presumably a
        // function table -- unconfirmed), followed by cleanup of 12 bytes of
        // arguments and a return value moved from esi.
        $sequence_1 = { ff501c 83c40c 5f 8bc6 }
            // n = 4, score = 100
            //   ff501c               | call                dword ptr [eax + 0x1c]
            //   83c40c               | add                 esp, 0xc
            //   5f                   | pop                 edi
            //   8bc6                 | mov                 eax, esi

        // The four `??` bytes wildcard the rel32 target of the `e8` call, so the
        // callee's location does not matter. `68e47a4000` pushes the absolute
        // address 0x407ae4, which ties this sequence to the original link
        // layout; a relinked/rebased build would not match here.
        $sequence_2 = { 751f 68e47a4000 53 56 e8???????? 83c40c 85c0 }
            // n = 7, score = 100
            //   751f                 | jne                 0x21
            //   68e47a4000           | push                0x407ae4
            //   53                   | push                ebx
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax

        // Stores the 16-bit value 0x2d (ASCII '-') into the stack word at
        // [ebp - 0x7c]; uses pop/push as a cheap register load.
        $sequence_3 = { 58 6a2d 66894584 58 }
            // n = 4, score = 100
            //   58                   | pop                 eax
            //   6a2d                 | push                0x2d
            //   66894584             | mov                 word ptr [ebp - 0x7c], ax
            //   58                   | pop                 eax

        // A run of stosd/stosw/stosb fills 15 bytes at es:[edi], then two
        // stack stores follow. The 32-bit immediate 0xf39dda09 is matched
        // literally and is the most sample-specific part of this sequence.
        $sequence_4 = { ab ab ab 66ab aa 8955a0 c745a409da9df3 }
            // n = 7, score = 100
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   aa                   | stosb               byte ptr es:[edi], al
            //   8955a0               | mov                 dword ptr [ebp - 0x60], edx
            //   c745a409da9df3       | mov                 dword ptr [ebp - 0x5c], 0xf39dda09

        // Function boundary: an epilogue (`pop ebp; ret`), a wildcarded call,
        // a `ret 0x10` and the next function's `mov edi, edi; push ebp;
        // mov ebp, esp` prologue. That prologue form is common in
        // Microsoft-compiled code, so the discriminating bytes here are the
        // `ret 0x10` and the surrounding epilogue rather than the prologue.
        $sequence_5 = { 5d c3 e8???????? c21000 8bff 55 8bec }
            // n = 7, score = 100
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   e8????????           |                     
            //   c21000               | ret                 0x10
            //   8bff                 | mov                 edi, edi
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp

        // Pushes -2, two absolute addresses (0x4089e0, 0x403440) and the
        // current fs:[0] pointer; this looks like compiler-generated SEH frame
        // setup (unconfirmed). The two embedded addresses make it both
        // sample-specific and relocation-sensitive.
        $sequence_6 = { 8bec 6afe 68e0894000 6840344000 64a100000000 50 83ec08 }
            // n = 7, score = 100
            //   8bec                 | mov                 ebp, esp
            //   6afe                 | push                -2
            //   68e0894000           | push                0x4089e0
            //   6840344000           | push                0x403440
            //   64a100000000         | mov                 eax, dword ptr fs:[0]
            //   50                   | push                eax
            //   83ec08               | sub                 esp, 8

        // Loop body: passes the address [ebp + edi - 0x2c8] (edi-indexed
        // stack buffer) to an indirect call through [esi + 0x1c], cleans up
        // 12 bytes of arguments and decrements a counter at [ebp - 8].
        $sequence_7 = { 50 8d843d38fdffff 50 ff561c 8b45ec 83c40c ff4df8 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8d843d38fdffff       | lea                 eax, [ebp + edi - 0x2c8]
            //   50                   | push                eax
            //   ff561c               | call                dword ptr [esi + 0x1c]
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   83c40c               | add                 esp, 0xc
            //   ff4df8               | dec                 dword ptr [ebp - 8]

        // Zero-initialisation of a stack region: eax is cleared, then stosd
        // writes zeros at [ebp - 0xfc] and, after a single byte store of bl at
        // [ebp - 0xf8], continues at [ebp - 0xf7]. Stack offsets only.
        $sequence_8 = { 33c0 8dbd04ffffff ab 889d08ffffff 8dbd09ffffff ab ab }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   8dbd04ffffff         | lea                 edi, [ebp - 0xfc]
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   889d08ffffff         | mov                 byte ptr [ebp - 0xf8], bl
            //   8dbd09ffffff         | lea                 edi, [ebp - 0xf7]
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax

        // Loop tail: edi advances by 2 and the loop repeats while the counter
        // at [ebp - 0x14] is below 0x10 (the `jb` target is a negative
        // displacement, i.e. a backward branch); then arguments for the next
        // call are set up from stack buffers at [ebp - 8] and [ebp - 0x94].
        $sequence_9 = { 83c702 837dec10 72b5 6a02 8d45f8 50 8d856cffffff }
            // n = 7, score = 100
            //   83c702               | add                 edi, 2
            //   837dec10             | cmp                 dword ptr [ebp - 0x14], 0x10
            //   72b5                 | jb                  0xffffffb7
            //   6a02                 | push                2
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   8d856cffffff         | lea                 eax, [ebp - 0x94]

    condition:
        // Seven of the ten sequences must be present, so up to three may be
        // absent (for example the address-embedding ones, $sequence_2 and
        // $sequence_6, on a differently linked build). 49152 bytes = 48 KiB:
        // `filesize` is the size of the object handed to YARA, so a larger
        // carrier that merely embeds this code (an installer, a whole memory
        // image) will not match -- scan the unpacked file or the dumped
        // region, as the DISCLAIMER describes. NOTE(review): `filesize` is
        // not meaningful when scanning a live process; confirm the behaviour
        // of your YARA version before relying on this rule for process scans.
        7 of them and filesize < 49152
}