SYMBOLCOMMON_NAMEaka. SYNONYMS
win.slickshoes (Back to overview)

SLICKSHOES

Actor(s): Lazarus Group


There is no description at this point.

References
2020-02-25SentinelOneJim Walter
@online{walter:20200225:dprk:735f095, author = {Jim Walter}, title = {{DPRK Hidden Cobra Update: North Korean Malicious Cyber Activity}}, date = {2020-02-25}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/}, language = {English}, urldate = {2020-02-27} } DPRK Hidden Cobra Update: North Korean Malicious Cyber Activity
ARTFULPIE BISTROMATH BUFFETLINE CHEESETRAY HOPLIGHT HOTCROISSANT SLICKSHOES
2020-02-14US-CERTUS-CERT
@online{uscert:20200214:malware:e48897a, author = {US-CERT}, title = {{Malware Analysis Report (AR20–045B): MAR-10265965-2.v1 - North Korean Trojan: SLICKSHOES}}, date = {2020-02-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-045b}, language = {English}, urldate = {2020-02-27} } Malware Analysis Report (AR20–045B): MAR-10265965-2.v1 - North Korean Trojan: SLICKSHOES
SLICKSHOES
Yara Rules
[TLP:WHITE] win_slickshoes_auto (20221125 | Detects win.slickshoes.)
rule win_slickshoes_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.slickshoes."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.slickshoes"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e9???????? 8b2c24 81c404000000 c12c2401 813424b3ba0a68 890424 ffb5f5110b12 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b2c24               | mov                 ebp, dword ptr [esp]
            //   81c404000000         | add                 esp, 4
            //   c12c2401             | shr                 dword ptr [esp], 1
            //   813424b3ba0a68       | xor                 dword ptr [esp], 0x680abab3
            //   890424               | mov                 dword ptr [esp], eax
            //   ffb5f5110b12         | push                dword ptr [ebp + 0x120b11f5]

        $sequence_1 = { e9???????? 81f2761a7b1f 29d3 5a 53 ff742404 e9???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   81f2761a7b1f         | xor                 edx, 0x1f7b1a76
            //   29d3                 | sub                 ebx, edx
            //   5a                   | pop                 edx
            //   53                   | push                ebx
            //   ff742404             | push                dword ptr [esp + 4]
            //   e9????????           |                     

        $sequence_2 = { e9???????? 5b 814424042057ff3f 55 890424 b86f16ce53 01442408 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   5b                   | pop                 ebx
            //   814424042057ff3f     | add                 dword ptr [esp + 4], 0x3fff5720
            //   55                   | push                ebp
            //   890424               | mov                 dword ptr [esp], eax
            //   b86f16ce53           | mov                 eax, 0x53ce166f
            //   01442408             | add                 dword ptr [esp + 8], eax

        $sequence_3 = { e9???????? 81c704000000 83ec04 890424 b804000000 81c7cd1e7677 81c71b46c737 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   81c704000000         | add                 edi, 4
            //   83ec04               | sub                 esp, 4
            //   890424               | mov                 dword ptr [esp], eax
            //   b804000000           | mov                 eax, 4
            //   81c7cd1e7677         | add                 edi, 0x77761ecd
            //   81c71b46c737         | add                 edi, 0x37c7461b

        $sequence_4 = { ff3424 8b0424 50 89e0 52 ba352cdf46 e9???????? }
            // n = 7, score = 100
            //   ff3424               | push                dword ptr [esp]
            //   8b0424               | mov                 eax, dword ptr [esp]
            //   50                   | push                eax
            //   89e0                 | mov                 eax, esp
            //   52                   | push                edx
            //   ba352cdf46           | mov                 edx, 0x46df2c35
            //   e9????????           |                     

        $sequence_5 = { e9???????? 81c104000000 e9???????? 8b1c24 81c404000000 51 89e1 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   81c104000000         | add                 ecx, 4
            //   e9????????           |                     
            //   8b1c24               | mov                 ebx, dword ptr [esp]
            //   81c404000000         | add                 esp, 4
            //   51                   | push                ecx
            //   89e1                 | mov                 ecx, esp

        $sequence_6 = { e9???????? 891c24 51 89e1 57 e9???????? 891c24 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   891c24               | mov                 dword ptr [esp], ebx
            //   51                   | push                ecx
            //   89e1                 | mov                 ecx, esp
            //   57                   | push                edi
            //   e9????????           |                     
            //   891c24               | mov                 dword ptr [esp], ebx

        $sequence_7 = { f8 0f8507000000 0f8001000000 f9 5a 0f8101000000 f5 }
            // n = 7, score = 100
            //   f8                   | clc                 
            //   0f8507000000         | jne                 0xd
            //   0f8001000000         | jo                  7
            //   f9                   | stc                 
            //   5a                   | pop                 edx
            //   0f8101000000         | jno                 7
            //   f5                   | cmc                 

        $sequence_8 = { ff3424 8b1c24 81c404000000 52 e9???????? 81ea2115465f 81ea47d5ee7d }
            // n = 7, score = 100
            //   ff3424               | push                dword ptr [esp]
            //   8b1c24               | mov                 ebx, dword ptr [esp]
            //   81c404000000         | add                 esp, 4
            //   52                   | push                edx
            //   e9????????           |                     
            //   81ea2115465f         | sub                 edx, 0x5f461521
            //   81ea47d5ee7d         | sub                 edx, 0x7deed547

        $sequence_9 = { ff3424 58 68???????? 891c24 89e3 81c304000000 81eb04000000 }
            // n = 7, score = 100
            //   ff3424               | push                dword ptr [esp]
            //   58                   | pop                 eax
            //   68????????           |                     
            //   891c24               | mov                 dword ptr [esp], ebx
            //   89e3                 | mov                 ebx, esp
            //   81c304000000         | add                 ebx, 4
            //   81eb04000000         | sub                 ebx, 4

    condition:
        7 of them and filesize < 11198464
}
Download all Yara Rules