SYMBOLCOMMON_NAMEaka. SYNONYMS
win.sierras (Back to overview)

Sierra(Alfa,Bravo, ...)

aka: Destover

Actor(s): Lazarus Group

There is no description at this point.

References
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020SecureworksSecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2017-05-22SymantecSymantec Security Response
@online{response:20170522:wannacry:f66a95e, author = {Symantec Security Response}, title = {{WannaCry: Ransomware attacks show strong links to Lazarus group}}, date = {2017-05-22}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group}, language = {English}, urldate = {2020-01-06} } WannaCry: Ransomware attacks show strong links to Lazarus group
AlphaNC BravoNC Duuzer Sierra(Alfa,Bravo, ...) WannaCryptor
2017-02-12SymantecA L Johnson
@online{johnson:20170212:attackers:c338fa3, author = {A L Johnson}, title = {{Attackers target dozens of global banks with new malware}}, date = {2017-02-12}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware}, language = {English}, urldate = {2020-04-21} } Attackers target dozens of global banks with new malware
Joanap Ratankba Sierra(Alfa,Bravo, ...) Lazarus Group
2016-05-26SymantecSecurity Response
@online{response:20160526:swift:fe259bf, author = {Security Response}, title = {{SWIFT attackers’ malware linked to more financial attacks}}, date = {2016-05-26}, organization = {Symantec}, url = {https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks}, language = {English}, urldate = {2020-04-21} } SWIFT attackers’ malware linked to more financial attacks
Contopee Sierra(Alfa,Bravo, ...) Lazarus Group
2016-02Blue Coat Systems IncSnorre Fagerland
@online{fagerland:201602:from:78bc745, author = {Snorre Fagerland}, title = {{From Seoul to Sony The History of the Darkseoul Group and the Sony Intrusion Malware Destover}}, date = {2016-02}, organization = {Blue Coat Systems Inc}, url = {https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4}, language = {English}, urldate = {2020-08-18} } From Seoul to Sony The History of the Darkseoul Group and the Sony Intrusion Malware Destover
Joanap Sierra(Alfa,Bravo, ...)
2014-12-19US-CERTUS-CERT
@online{uscert:20141219:alert:b74115d, author = {US-CERT}, title = {{Alert (TA14-353A): Targeted Destructive Malware}}, date = {2014-12-19}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA14-353A}, language = {English}, urldate = {2020-03-19} } Alert (TA14-353A): Targeted Destructive Malware
Sierra(Alfa,Bravo, ...)
Yara Rules
[TLP:WHITE] win_sierras_auto (20211008 | Detects win.sierras.)
rule win_sierras_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.sierras."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c705????????07000000 8935???????? 8935???????? 8935???????? 8935???????? ff15???????? 3bc6 }
            // n = 7, score = 400
            //   c705????????07000000     |     
            //   8935????????         |                     
            //   8935????????         |                     
            //   8935????????         |                     
            //   8935????????         |                     
            //   ff15????????         |                     
            //   3bc6                 | cmp                 eax, esi

        $sequence_1 = { c7060c000000 ebdf 83ff10 7324 837df800 0f84d80f0000 }
            // n = 6, score = 200
            //   c7060c000000         | mov                 dword ptr [esi], 0xc
            //   ebdf                 | jmp                 0xffffffe1
            //   83ff10               | cmp                 edi, 0x10
            //   7324                 | jae                 0x26
            //   837df800             | cmp                 dword ptr [ebp - 8], 0
            //   0f84d80f0000         | je                  0xfde

        $sequence_2 = { d1e2 f2ae f7d1 8db220e24000 2bf9 8bc1 89742428 }
            // n = 7, score = 200
            //   d1e2                 | shl                 edx, 1
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]
            //   f7d1                 | not                 ecx
            //   8db220e24000         | lea                 esi, dword ptr [edx + 0x40e220]
            //   2bf9                 | sub                 edi, ecx
            //   8bc1                 | mov                 eax, ecx
            //   89742428             | mov                 dword ptr [esp + 0x28], esi

        $sequence_3 = { ffd7 8b4c2438 6a00 6a00 51 }
            // n = 5, score = 200
            //   ffd7                 | call                edi
            //   8b4c2438             | mov                 ecx, dword ptr [esp + 0x38]
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   51                   | push                ecx

        $sequence_4 = { f3ab 66ab aa ff15???????? 50 ff15???????? }
            // n = 6, score = 200
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   aa                   | stosb               byte ptr es:[edi], al
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_5 = { 52 e8???????? 8b3d???????? 83c404 8bd8 }
            // n = 5, score = 200
            //   52                   | push                edx
            //   e8????????           |                     
            //   8b3d????????         |                     
            //   83c404               | add                 esp, 4
            //   8bd8                 | mov                 ebx, eax

        $sequence_6 = { 8bc3 837d0800 50 8b450c 7511 8b4dec 03c7 }
            // n = 7, score = 200
            //   8bc3                 | mov                 eax, ebx
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   50                   | push                eax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   7511                 | jne                 0x13
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   03c7                 | add                 eax, edi

        $sequence_7 = { eb0f 8b4dec 03c7 50 8d45e0 50 }
            // n = 6, score = 200
            //   eb0f                 | jmp                 0x11
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   03c7                 | add                 eax, edi
            //   50                   | push                eax
            //   8d45e0               | lea                 eax, dword ptr [ebp - 0x20]
            //   50                   | push                eax

        $sequence_8 = { 0f8cc0000000 837d0801 7e58 837d0803 0f8fb0000000 397d10 897df0 }
            // n = 7, score = 200
            //   0f8cc0000000         | jl                  0xc6
            //   837d0801             | cmp                 dword ptr [ebp + 8], 1
            //   7e58                 | jle                 0x5a
            //   837d0803             | cmp                 dword ptr [ebp + 8], 3
            //   0f8fb0000000         | jg                  0xb6
            //   397d10               | cmp                 dword ptr [ebp + 0x10], edi
            //   897df0               | mov                 dword ptr [ebp - 0x10], edi

        $sequence_9 = { 0f84d80f0000 8b4dfc ff4df8 0fb611 8bcf d3e2 03da }
            // n = 7, score = 200
            //   0f84d80f0000         | je                  0xfde
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   ff4df8               | dec                 dword ptr [ebp - 8]
            //   0fb611               | movzx               edx, byte ptr [ecx]
            //   8bcf                 | mov                 ecx, edi
            //   d3e2                 | shl                 edx, cl
            //   03da                 | add                 ebx, edx

        $sequence_10 = { 3bc1 75f3 eb43 50 50 }
            // n = 5, score = 200
            //   3bc1                 | cmp                 eax, ecx
            //   75f3                 | jne                 0xfffffff5
            //   eb43                 | jmp                 0x45
            //   50                   | push                eax
            //   50                   | push                eax

        $sequence_11 = { 017514 03fb 3b7d10 72b0 8b5df0 }
            // n = 5, score = 200
            //   017514               | add                 dword ptr [ebp + 0x14], esi
            //   03fb                 | add                 edi, ebx
            //   3b7d10               | cmp                 edi, dword ptr [ebp + 0x10]
            //   72b0                 | jb                  0xffffffb2
            //   8b5df0               | mov                 ebx, dword ptr [ebp - 0x10]

        $sequence_12 = { 56 8bf1 57 68???????? 8d8608020000 }
            // n = 5, score = 200
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   57                   | push                edi
            //   68????????           |                     
            //   8d8608020000         | lea                 eax, dword ptr [esi + 0x208]

        $sequence_13 = { 8b8424a4220000 8b8c24a0220000 8d942480000000 52 8b9424a0220000 50 }
            // n = 6, score = 200
            //   8b8424a4220000       | mov                 eax, dword ptr [esp + 0x22a4]
            //   8b8c24a0220000       | mov                 ecx, dword ptr [esp + 0x22a0]
            //   8d942480000000       | lea                 edx, dword ptr [esp + 0x80]
            //   52                   | push                edx
            //   8b9424a0220000       | mov                 edx, dword ptr [esp + 0x22a0]
            //   50                   | push                eax

        $sequence_14 = { c3 56 8bf1 e8???????? 8b860c010000 5e c3 }
            // n = 7, score = 200
            //   c3                   | ret                 
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   e8????????           |                     
            //   8b860c010000         | mov                 eax, dword ptr [esi + 0x10c]
            //   5e                   | pop                 esi
            //   c3                   | ret                 

    condition:
        7 of them and filesize < 131072
}
[TLP:WHITE] win_sierras_w0   (20170517 | No description)
import "pe"

rule win_sierras_w0 {
	meta:
		copyright = "2015 Novetta Solutions"
		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
		info = "charlie component"
        hash = "f4750e1d82b08318bdc1eb6d3399dee52750250f7959a5e4f83245449f399698"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/SierraCharlie.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
	strings:
	/*
		8B 0D 50 A7 56 00  mov     ecx, DnsFree
		81 F6 8C 3F 7C 5E  xor     esi, 5E7C3F8Ch
		6A 01              push    1               ; _DWORD
		50                 push    eax             ; _DWORD
		85 C9              test    ecx, ecx
		74 3A              jz      short loc_40580B
		FF D1              call    ecx ; DnsFree
	*/

	$dnsResolve = {
			8B 0D 50 A7 56 00 
			81 F6 8C 3F 7C 5E 
			6A 01 
			50 
			85 C9 
			74 3A 
			FF D1 
		}
		
	$file1 = "wmplog21t.sqm"
	$file2 = "wmplog15r.sqm"
	$file3 = "wmplog09c.sqm"
		

	condition:
		$dnsResolve in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
		or 2 of ($file*)
}
Download all Yara Rules