Actor(s): Lazarus Group
There is no description at this point.
// Auto-generated code-sequence rule for win.slickshoes (Malpedia, Lazarus Group).
// Matching is purely on short x86 instruction sequences; the "e9????????" groups
// are jmp rel32 opcodes whose 4-byte displacement is wildcarded, so those groups
// contribute only one fixed byte each. Per the DISCLAIMER, the sequences were
// selected from memory dumps / unpacked files, so expect the rule to fire on
// unpacked or in-memory code rather than on a packed on-disk sample.
rule win_slickshoes_auto
{
    meta:
        author              = "Felix Bilstein - yara-signator at cocacoding dot com"
        date                = "2023-12-06"
        version             = "1"
        description         = "Detects win.slickshoes."
        info                = "autogenerated rule brought to you by yara-signator"
        tool                = "yara-signator v0.6.0"
        signator_config     = "callsandjumps;datarefs;binvalue"
        malpedia_reference  = "https://malpedia.caad.fkie.fraunhofer.de/details/win.slickshoes"
        malpedia_rule_date  = "20231130"
        malpedia_hash       = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version    = "20230808"
        malpedia_license    = "CC BY-SA 4.0"
        malpedia_sharing    = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each $sequence_N is 7 consecutive instructions (n = 7, score = 100).
        // The disassembly next to each byte group is the generator's annotation.

        $sequence_0 = { e9???????? 81c204000000 55 bd2a3bff63 81e5fb17be7f e9???????? 57 }
        //   e9????????    jmp <rel32, wildcarded>
        //   81c204000000  add edx, 4
        //   55            push ebp
        //   bd2a3bff63    mov ebp, 0x63ff3b2a
        //   81e5fb17be7f  and ebp, 0x7fbe17fb
        //   e9????????    jmp <rel32, wildcarded>
        //   57            push edi

        $sequence_1 = { e9???????? f7d2 50 e9???????? b87073f77f f7d8 0d90f1fe6f }
        //   e9????????    jmp <rel32, wildcarded>
        //   f7d2          not edx
        //   50            push eax
        //   e9????????    jmp <rel32, wildcarded>
        //   b87073f77f    mov eax, 0x7ff77370
        //   f7d8          neg eax
        //   0d90f1fe6f    or eax, 0x6ffef190

        $sequence_2 = { 81f61f000000 2d01000000 6681ebb987 81f704000000 b800020000 89fa b800000000 }
        //   81f61f000000  xor esi, 0x1f
        //   2d01000000    sub eax, 1
        //   6681ebb987    sub bx, 0x87b9
        //   81f704000000  xor edi, 4
        //   b800020000    mov eax, 0x200
        //   89fa          mov edx, edi
        //   b800000000    mov eax, 0

        $sequence_3 = { e9???????? b804000000 01c1 58 81c104000000 e9???????? 83c404 }
        //   e9????????    jmp <rel32, wildcarded>
        //   b804000000    mov eax, 4
        //   01c1          add ecx, eax
        //   58            pop eax
        //   81c104000000  add ecx, 4
        //   e9????????    jmp <rel32, wildcarded>
        //   83c404        add esp, 4

        $sequence_4 = { e9???????? b931bbb979 81e13b81af7f e9???????? 5a 01d1 81e91dadf56e }
        //   e9????????    jmp <rel32, wildcarded>
        //   b931bbb979    mov ecx, 0x79b9bb31
        //   81e13b81af7f  and ecx, 0x7faf813b
        //   e9????????    jmp <rel32, wildcarded>
        //   5a            pop edx
        //   01d1          add ecx, edx
        //   81e91dadf56e  sub ecx, 0x6ef5ad1d

        $sequence_5 = { ff3424 5f 83c404 50 54 58 0504000000 }
        //   ff3424        push dword ptr [esp]
        //   5f            pop edi
        //   83c404        add esp, 4
        //   50            push eax
        //   54            push esp
        //   58            pop eax
        //   0504000000    add eax, 4

        $sequence_6 = { e9???????? bd40d86e7e 81c74b047f7d 29ef 81ef4b047f7d 5d 81f75adb6482 }
        //   e9????????    jmp <rel32, wildcarded>
        //   bd40d86e7e    mov ebp, 0x7e6ed840
        //   81c74b047f7d  add edi, 0x7d7f044b
        //   29ef          sub edi, ebp
        //   81ef4b047f7d  sub edi, 0x7d7f044b
        //   5d            pop ebp
        //   81f75adb6482  xor edi, 0x8264db5a

        $sequence_7 = { e9???????? 81c104000000 57 52 68f987eb16 8b1424 81c404000000 }
        //   e9????????    jmp <rel32, wildcarded>
        //   81c104000000  add ecx, 4
        //   57            push edi
        //   52            push edx
        //   68f987eb16    push 0x16eb87f9
        //   8b1424        mov edx, dword ptr [esp]
        //   81c404000000  add esp, 4

        $sequence_8 = { 89ee b80a000000 81cf40000000 2d04000000 09c7 81c302000000 01d7 }
        //   89ee          mov esi, ebp
        //   b80a000000    mov eax, 0xa
        //   81cf40000000  or edi, 0x40
        //   2d04000000    sub eax, 4
        //   09c7          or edi, eax
        //   81c302000000  add ebx, 2
        //   01d7          add edi, edx

        $sequence_9 = { 8b12 81c206000000 0fb732 81f128000000 09d1 01d1 31c3 }
        //   8b12          mov edx, dword ptr [edx]
        //   81c206000000  add edx, 6
        //   0fb732        movzx esi, word ptr [edx]
        //   81f128000000  xor ecx, 0x28
        //   09d1          or ecx, edx
        //   01d1          add ecx, edx
        //   31c3          xor ebx, eax

    condition:
        // Size cap first (cheap), then require 7 of the 10 sequences so that a
        // handful of coincidental hits in unrelated code does not trigger the rule.
        filesize < 11198464 and 7 of ($sequence_*)
}