SYMBOLCOMMON_NAMEaka. SYNONYMS
win.shadowhammer (Back to overview)

shadowhammer

aka: DAYJOB

Actor(s): Operation ShadowHammer


There is no description at this point.

References
2020-07-29Kaspersky LabsGReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-03-27One Night in NorfolkKevin Perlow
@online{perlow:20200327:first:6b7c827, author = {Kevin Perlow}, title = {{The First Stage of ShadowHammer}}, date = {2020-03-27}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/the-first-stage-of-shadowhammer/}, language = {English}, urldate = {2020-05-19} } The First Stage of ShadowHammer
shadowhammer
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2019-10-07ESET ResearchMarc-Etienne M.Léveillé, Mathieu Tartare
@techreport{mlveill:20191007:connecting:e59d4c8, author = {Marc-Etienne M.Léveillé and Mathieu Tartare}, title = {{CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group}}, date = {2019-10-07}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf}, language = {English}, urldate = {2020-01-10} } CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group
LOWKEY shadowhammer ShadowPad
2019-05-20YouTubeKaspersky
@online{kaspersky:20190520:video:148e81f, author = {Kaspersky}, title = {{Video: Operation ShadowHammer: Costin Raiu and Vitaly Kamlyuk at #TheSAS2019}}, date = {2019-05-20}, organization = {YouTube}, url = {https://www.youtube.com/watch?v=T5wPwvLrBYU}, language = {English}, urldate = {2020-01-08} } Video: Operation ShadowHammer: Costin Raiu and Vitaly Kamlyuk at #TheSAS2019
shadowhammer
2019-04-23Kaspersky LabsGReAT, AMR
@online{great:20190423:operation:20b8f83, author = {GReAT and AMR}, title = {{Operation ShadowHammer: a high-profile supply chain attack}}, date = {2019-04-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/}, language = {English}, urldate = {2019-12-20} } Operation ShadowHammer: a high-profile supply chain attack
shadowhammer ShadowPad
2019-04-03One Night in NorfolkKevin Perlow
@online{perlow:20190403:possible:0a08c3a, author = {Kevin Perlow}, title = {{Possible ShadowHammer Targeting (Low Confidence)}}, date = {2019-04-03}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/possible-shadowhammer-targeting-low-confidence/}, language = {English}, urldate = {2020-05-19} } Possible ShadowHammer Targeting (Low Confidence)
shadowhammer
2019-03-29F-SecureBert Steppe
@online{steppe:20190329:hammer:44fb72d, author = {Bert Steppe}, title = {{A Hammer Lurking In The Shadows}}, date = {2019-03-29}, organization = {F-Secure}, url = {https://labsblog.f-secure.com/2019/03/29/a-hammer-lurking-in-the-shadows}, language = {English}, urldate = {2019-09-22} } A Hammer Lurking In The Shadows
shadowhammer
2019-03-28Skylight CyberSkylight Cyber
@online{cyber:20190328:unleash:f5f7048, author = {Skylight Cyber}, title = {{Unleash The Hash - ShadowHammer MAC Address List}}, date = {2019-03-28}, organization = {Skylight Cyber}, url = {https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/}, language = {English}, urldate = {2019-10-23} } Unleash The Hash - ShadowHammer MAC Address List
shadowhammer
2019-03-28Vitali Kremez BlogVitali Kremez
@online{kremez:20190328:lets:9a07122, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Operation ShadowHammer Shellcode Internals in crt_ExitProcess}}, date = {2019-03-28}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2019/03/lets-learn-dissecting-operation.html}, language = {English}, urldate = {2020-01-10} } Let's Learn: Dissecting Operation ShadowHammer Shellcode Internals in crt_ExitProcess
shadowhammer
2019-03-28F-SecureF-Secure Global
@online{global:20190328:analysis:8b788ab, author = {F-Secure Global}, title = {{Analysis of ShadowHammer ASUS Attack First Stage Payload}}, date = {2019-03-28}, organization = {F-Secure}, url = {https://countercept.com/blog/analysis-shadowhammer-asus-attack-first-stage-payload/}, language = {English}, urldate = {2020-01-08} } Analysis of ShadowHammer ASUS Attack First Stage Payload
shadowhammer
2019-03-27ReversingLabsTomislav Pericin
@online{pericin:20190327:forging:a9c71d8, author = {Tomislav Pericin}, title = {{Forging the ShadowHammer}}, date = {2019-03-27}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/forging-the-shadowhammer}, language = {English}, urldate = {2020-01-06} } Forging the ShadowHammer
shadowhammer
2019-03-27mauronz blogmauronz
@online{mauronz:20190327:analysis:99db548, author = {mauronz}, title = {{Analysis of the ShadowHammer backdoor}}, date = {2019-03-27}, organization = {mauronz blog}, url = {https://mauronz.github.io/shadowhammer-backdoor}, language = {English}, urldate = {2020-01-06} } Analysis of the ShadowHammer backdoor
shadowhammer
2019-03-25Kaspersky LabsGReAT, AMR
@online{great:20190325:operation:c4bf341, author = {GReAT and AMR}, title = {{Operation ShadowHammer}}, date = {2019-03-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-shadowhammer/89992/}, language = {English}, urldate = {2019-12-20} } Operation ShadowHammer
shadowhammer Operation ShadowHammer
Yara Rules
[TLP:WHITE] win_shadowhammer_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_shadowhammer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowhammer"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 754f 895df4 3bfb 7448 8b4508 }
            // n = 5, score = 100
            //   754f                 | jne                 0x51
            //   895df4               | mov                 dword ptr [ebp - 0xc], ebx
            //   3bfb                 | cmp                 edi, ebx
            //   7448                 | je                  0x4a
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_1 = { 5d c3 8b04c5dc794000 5d c3 8bff 55 }
            // n = 7, score = 100
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b04c5dc794000       | mov                 eax, dword ptr [eax*8 + 0x4079dc]
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi
            //   55                   | push                ebp

        $sequence_2 = { be04a44000 a1???????? c745e401000000 50 ff15???????? }
            // n = 5, score = 100
            //   be04a44000           | mov                 esi, 0x40a404
            //   a1????????           |                     
            //   c745e401000000       | mov                 dword ptr [ebp - 0x1c], 1
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_3 = { 68287c4000 57 ffd6 681c7c4000 57 }
            // n = 5, score = 100
            //   68287c4000           | push                0x407c28
            //   57                   | push                edi
            //   ffd6                 | call                esi
            //   681c7c4000           | push                0x407c1c
            //   57                   | push                edi

        $sequence_4 = { 5b 66895dc0 33db 66895dc2 8bd8 }
            // n = 5, score = 100
            //   5b                   | pop                 ebx
            //   66895dc0             | mov                 word ptr [ebp - 0x40], bx
            //   33db                 | xor                 ebx, ebx
            //   66895dc2             | mov                 word ptr [ebp - 0x3e], bx
            //   8bd8                 | mov                 ebx, eax

        $sequence_5 = { 3d40984000 741b 3998b4000000 7513 50 e8???????? }
            // n = 6, score = 100
            //   3d40984000           | cmp                 eax, 0x409840
            //   741b                 | je                  0x1d
            //   3998b4000000         | cmp                 dword ptr [eax + 0xb4], ebx
            //   7513                 | jne                 0x15
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_6 = { ff5624 83c40c 57 8d8530fbffff 50 53 }
            // n = 6, score = 100
            //   ff5624               | call                dword ptr [esi + 0x24]
            //   83c40c               | add                 esp, 0xc
            //   57                   | push                edi
            //   8d8530fbffff         | lea                 eax, [ebp - 0x4d0]
            //   50                   | push                eax
            //   53                   | push                ebx

        $sequence_7 = { 66c785b0fefffff758 8895b2feffff c785b3feffff4e734077 c785b7feffffc70532e9 8895bbfeffff }
            // n = 5, score = 100
            //   66c785b0fefffff758     | mov    word ptr [ebp - 0x150], 0x58f7
            //   8895b2feffff         | mov                 byte ptr [ebp - 0x14e], dl
            //   c785b3feffff4e734077     | mov    dword ptr [ebp - 0x14d], 0x7740734e
            //   c785b7feffffc70532e9     | mov    dword ptr [ebp - 0x149], 0xe93205c7
            //   8895bbfeffff         | mov                 byte ptr [ebp - 0x145], dl

        $sequence_8 = { c3 33c0 648b0d00000000 817904f0604000 7510 8b510c 8b520c }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   33c0                 | xor                 eax, eax
            //   648b0d00000000       | mov                 ecx, dword ptr fs:[0]
            //   817904f0604000       | cmp                 dword ptr [ecx + 4], 0x4060f0
            //   7510                 | jne                 0x12
            //   8b510c               | mov                 edx, dword ptr [ecx + 0xc]
            //   8b520c               | mov                 edx, dword ptr [edx + 0xc]

        $sequence_9 = { b801000000 c3 53 51 bb109b4000 }
            // n = 5, score = 100
            //   b801000000           | mov                 eax, 1
            //   c3                   | ret                 
            //   53                   | push                ebx
            //   51                   | push                ecx
            //   bb109b4000           | mov                 ebx, 0x409b10

    condition:
        7 of them and filesize < 49152
}
Download all Yara Rules