SYMBOLCOMMON_NAMEaka. SYNONYMS
win.sierras (Back to overview)

Sierra(Alfa,Bravo, ...)

aka: Destover

Actor(s): Lazarus Group

There is no description at this point.

References
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020SecureworksSecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2017-05-22SymantecSymantec Security Response
@online{response:20170522:wannacry:f66a95e, author = {Symantec Security Response}, title = {{WannaCry: Ransomware attacks show strong links to Lazarus group}}, date = {2017-05-22}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group}, language = {English}, urldate = {2020-01-06} } WannaCry: Ransomware attacks show strong links to Lazarus group
AlphaNC BravoNC Duuzer Sierra(Alfa,Bravo, ...) WannaCryptor
2017-02-12SymantecA L Johnson
@online{johnson:20170212:attackers:c338fa3, author = {A L Johnson}, title = {{Attackers target dozens of global banks with new malware}}, date = {2017-02-12}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware}, language = {English}, urldate = {2020-04-21} } Attackers target dozens of global banks with new malware
Joanap Ratankba Sierra(Alfa,Bravo, ...) Lazarus Group
2016-05-26SymantecSecurity Response
@online{response:20160526:swift:fe259bf, author = {Security Response}, title = {{SWIFT attackers’ malware linked to more financial attacks}}, date = {2016-05-26}, organization = {Symantec}, url = {https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks}, language = {English}, urldate = {2020-04-21} } SWIFT attackers’ malware linked to more financial attacks
Contopee Sierra(Alfa,Bravo, ...) Lazarus Group
2014-12-19US-CERTUS-CERT
@online{uscert:20141219:alert:b74115d, author = {US-CERT}, title = {{Alert (TA14-353A): Targeted Destructive Malware}}, date = {2014-12-19}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA14-353A}, language = {English}, urldate = {2020-03-19} } Alert (TA14-353A): Targeted Destructive Malware
Sierra(Alfa,Bravo, ...)
Yara Rules
[TLP:WHITE] win_sierras_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_sierras_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c705????????07000000 8935???????? 8935???????? 8935???????? 8935???????? ff15???????? 3bc6 }
            // n = 7, score = 400
            //   c705????????07000000     |     
            //   8935????????         |                     
            //   8935????????         |                     
            //   8935????????         |                     
            //   8935????????         |                     
            //   ff15????????         |                     
            //   3bc6                 | cmp                 eax, esi

        $sequence_1 = { e8???????? 8bd8 83c408 85db 7430 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   83c408               | add                 esp, 8
            //   85db                 | test                ebx, ebx
            //   7430                 | je                  0x32

        $sequence_2 = { e8???????? 8b8698010000 5e c3 56 8bf1 e8???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8b8698010000         | mov                 eax, dword ptr [esi + 0x198]
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   e8????????           |                     

        $sequence_3 = { 8bf1 57 68???????? 8d8608020000 50 }
            // n = 5, score = 200
            //   8bf1                 | mov                 esi, ecx
            //   57                   | push                edi
            //   68????????           |                     
            //   8d8608020000         | lea                 eax, [esi + 0x208]
            //   50                   | push                eax

        $sequence_4 = { 895db8 8945c0 8975c4 0f84d8000000 3bc3 0f84d0000000 }
            // n = 6, score = 200
            //   895db8               | mov                 dword ptr [ebp - 0x48], ebx
            //   8945c0               | mov                 dword ptr [ebp - 0x40], eax
            //   8975c4               | mov                 dword ptr [ebp - 0x3c], esi
            //   0f84d8000000         | je                  0xde
            //   3bc3                 | cmp                 eax, ebx
            //   0f84d0000000         | je                  0xd6

        $sequence_5 = { 8945f4 7624 837df800 0f842a030000 8b45fc ff4df8 8bcf }
            // n = 7, score = 200
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   7624                 | jbe                 0x26
            //   837df800             | cmp                 dword ptr [ebp - 8], 0
            //   0f842a030000         | je                  0x330
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   ff4df8               | dec                 dword ptr [ebp - 8]
            //   8bcf                 | mov                 ecx, edi

        $sequence_6 = { 85c0 7e15 8bf0 8bcf e8???????? 8b4f04 }
            // n = 6, score = 200
            //   85c0                 | test                eax, eax
            //   7e15                 | jle                 0x17
            //   8bf0                 | mov                 esi, eax
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   8b4f04               | mov                 ecx, dword ptr [edi + 4]

        $sequence_7 = { f6461108 7478 837df800 0f843e0c0000 }
            // n = 4, score = 200
            //   f6461108             | test                byte ptr [esi + 0x11], 8
            //   7478                 | je                  0x7a
            //   837df800             | cmp                 dword ptr [ebp - 8], 0
            //   0f843e0c0000         | je                  0xc44

        $sequence_8 = { 8b450c 7511 8b4dec 03c7 50 8d45e0 50 }
            // n = 7, score = 200
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   7511                 | jne                 0x13
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   03c7                 | add                 eax, edi
            //   50                   | push                eax
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   50                   | push                eax

        $sequence_9 = { 0175f0 017514 03fb 3b7d10 72b0 8b5df0 834dfcff }
            // n = 7, score = 200
            //   0175f0               | add                 dword ptr [ebp - 0x10], esi
            //   017514               | add                 dword ptr [ebp + 0x14], esi
            //   03fb                 | add                 edi, ebx
            //   3b7d10               | cmp                 edi, dword ptr [ebp + 0x10]
            //   72b0                 | jb                  0xffffffb2
            //   8b5df0               | mov                 ebx, dword ptr [ebp - 0x10]
            //   834dfcff             | or                  dword ptr [ebp - 4], 0xffffffff

        $sequence_10 = { e8???????? 83c430 683f000f00 6a00 6a00 ff15???????? }
            // n = 6, score = 200
            //   e8????????           |                     
            //   83c430               | add                 esp, 0x30
            //   683f000f00           | push                0xf003f
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff15????????         |                     

        $sequence_11 = { 3908 7509 394804 0f8523110000 }
            // n = 4, score = 200
            //   3908                 | cmp                 dword ptr [eax], ecx
            //   7509                 | jne                 0xb
            //   394804               | cmp                 dword ptr [eax + 4], ecx
            //   0f8523110000         | jne                 0x1129

        $sequence_12 = { 8bf1 33db 6a01 6a78 }
            // n = 4, score = 200
            //   8bf1                 | mov                 esi, ecx
            //   33db                 | xor                 ebx, ebx
            //   6a01                 | push                1
            //   6a78                 | push                0x78

        $sequence_13 = { 8d842428060000 50 51 52 53 e8???????? }
            // n = 6, score = 200
            //   8d842428060000       | lea                 eax, [esp + 0x628]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   52                   | push                edx
            //   53                   | push                ebx
            //   e8????????           |                     

        $sequence_14 = { 85c0 7439 3bf8 7321 837df800 0f844a020000 }
            // n = 6, score = 200
            //   85c0                 | test                eax, eax
            //   7439                 | je                  0x3b
            //   3bf8                 | cmp                 edi, eax
            //   7321                 | jae                 0x23
            //   837df800             | cmp                 dword ptr [ebp - 8], 0
            //   0f844a020000         | je                  0x250

    condition:
        7 of them and filesize < 131072
}
[TLP:WHITE] win_sierras_w0   (20170517 | No description)
import "pe"

rule win_sierras_w0 {
	meta:
		copyright = "2015 Novetta Solutions"
		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
		info = "charlie component"
        hash = "f4750e1d82b08318bdc1eb6d3399dee52750250f7959a5e4f83245449f399698.bin"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/SierraCharlie.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
	strings:
	/*
		8B 0D 50 A7 56 00  mov     ecx, DnsFree
		81 F6 8C 3F 7C 5E  xor     esi, 5E7C3F8Ch
		6A 01              push    1               ; _DWORD
		50                 push    eax             ; _DWORD
		85 C9              test    ecx, ecx
		74 3A              jz      short loc_40580B
		FF D1              call    ecx ; DnsFree
	*/

	$dnsResolve = {
			8B 0D 50 A7 56 00 
			81 F6 8C 3F 7C 5E 
			6A 01 
			50 
			85 C9 
			74 3A 
			FF D1 
		}
		
	$file1 = "wmplog21t.sqm"
	$file2 = "wmplog15r.sqm"
	$file3 = "wmplog09c.sqm"
		

	condition:
		$dnsResolve in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
		or 2 of ($file*)
}
Download all Yara Rules