win.sodamaster

SodaMaster

aka: dfls, HEAVYPOT, DelfsCake

Actor(s): Stone Panda


SodaMaster is a RAT that is usually delivered through one or more shellcode loaders and/or reflective DLL injection. It encrypts its command-and-control traffic with RC4 or with a hard-coded RSA key. Communication takes place either over a raw TCP socket or through HTTP POST requests. Depending on the version, the RAT can remotely load and execute DLLs or shellcode.

References
2021-04-27KasperskyGReAT
@online{great:20210427:trends:e1c92a3, author = {GReAT}, title = {{APT trends report Q1 2021}}, date = {2021-04-27}, organization = {Kaspersky}, url = {https://securelist.com/apt-trends-report-q1-2021/101967/}, language = {English}, urldate = {2021-04-29} } APT trends report Q1 2021
PAS Artra Downloader BadNews Bozok DILLJUICE Kazuar Quasar RAT SodaMaster
2021-02-24Yusuke Niwa, Motohiko Sato, Hajime Yanagishita, Charles Li, Suguru Ishimaru
@techreport{niwa:20210224:a41apt:d20a784, author = {Yusuke Niwa and Motohiko Sato and Hajime Yanagishita and Charles Li and Suguru Ishimaru}, title = {{A41APT case - Analysis of the Stealth APT Campaign Threatening Japan}}, date = {2021-02-24}, institution = {}, url = {https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf}, language = {English}, urldate = {2021-02-26} } A41APT case - Analysis of the Stealth APT Campaign Threatening Japan
SodaMaster
Yara Rules
[TLP:WHITE] win_sodamaster_auto (20210616 | Detects win.sodamaster.)
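/*
 * SodaMaster (win.sodamaster) code-sequence rule, generated by YARA-Signator
 * from disassembly of unpacked samples and memory dumps.
 *
 * Reviewer change: $sequence_1 and $sequence_9 originally embedded absolute
 * addresses taken from the analysed sample's image base (0x1000cad0 and
 * 0x1000cd48, i.e. a module loaded at 0x10000000). A rebased or relocated copy
 * of the same code would not match those bytes, so the four-byte displacement
 * and immediate operands are now wildcarded. The opcode bytes and the
 * surrounding instructions are unchanged, and the condition still requires
 * seven of the ten sequences, so specificity is preserved.
 */
rule win_sodamaster_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.sodamaster."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sodamaster"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     *
     * Practitioner notes:
     *  - The sequences are 32-bit x86 code; they will not match 64-bit builds.
     *  - Relative calls (e8) and indirect calls through the IAT (ff15) are
     *    already wildcarded by the generator; the ??-bytes below are intended.
     *  - Because SodaMaster is normally injected as shellcode or a reflective
     *    DLL, the intended input is an unpacked file or a memory dump, not the
     *    on-disk loader.
     */


    strings:
        // Stack-argument setup around a call, result stored in a local.
        $sequence_0 = { 8b4d08 51 8b4d0c e8???????? 83c404 8945f0 }
            // n = 6, score = 100
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   51                   | push                ecx
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax

        // Linear search of the first argument against a 22-entry (0x16) table
        // with an 8-byte stride. The table address was an absolute pointer
        // (0x1000cad0 in the reference sample) and is wildcarded so that a
        // rebased module still matches.
        $sequence_1 = { 33c0 8b4d08 3b0cc5???????? 740a 40 83f816 72ee }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   3b0cc5????????       | cmp                 ecx, dword ptr [eax*8 + <table>]
            //   740a                 | je                  0xc
            //   40                   | inc                 eax
            //   83f816               | cmp                 eax, 0x16
            //   72ee                 | jb                  0xfffffff0

        // Tail of an inlined memcpy (remaining 0-3 bytes) followed by an API
        // call on a local 0xdc-byte structure.
        $sequence_2 = { 83e103 f3a4 8d8d24ffffff 51 ff15???????? 8d8524ffffff }
            // n = 6, score = 100
            //   83e103               | and                 ecx, 3
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   8d8d24ffffff         | lea                 ecx, dword ptr [ebp - 0xdc]
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8d8524ffffff         | lea                 eax, dword ptr [ebp - 0xdc]

        // Call result stored to a local, then two back-to-back imported calls.
        $sequence_3 = { e8???????? 83c404 8945f0 ff15???????? 8b4dec 51 ff15???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   ff15????????         |                     
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   51                   | push                ecx
            //   ff15????????         |                     

        // Guarded call: skip when edi == ebx, otherwise pass arg1 to a helper.
        $sequence_4 = { 3bfb 7418 8b4508 8b4d0c 50 e8???????? 83c404 }
            // n = 7, score = 100
            //   3bfb                 | cmp                 edi, ebx
            //   7418                 | je                  0x1a
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        // Function epilogue that tests edi against -1 before restoring
        // callee-saved registers (-1 may be INVALID_HANDLE_VALUE; unconfirmed).
        $sequence_5 = { 83c424 83ffff 5f 5e 5b }
            // n = 5, score = 100
            //   83c424               | add                 esp, 0x24
            //   83ffff               | cmp                 edi, -1
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        // Imported call with (0, 0, <constant>, esi) pushed, then epilogue.
        $sequence_6 = { 56 68???????? 6a00 6a00 ff15???????? 5f 5e }
            // n = 7, score = 100
            //   56                   | push                esi
            //   68????????           |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        // Helper call taking a pointer to a 0x1010-byte stack buffer.
        $sequence_7 = { 8d8df0efffff 51 8bc8 e8???????? }
            // n = 4, score = 100
            //   8d8df0efffff         | lea                 ecx, dword ptr [ebp - 0x1010]
            //   51                   | push                ecx
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     

        // Register-indirect call with 0x2b and ebx as arguments; a local is
        // set to 0xd6 beforehand and the zero return value is branched on.
        $sequence_8 = { 6a2b 53 c78514fbffffd6000000 ffd7 85c0 0f8495000000 }
            // n = 6, score = 100
            //   6a2b                 | push                0x2b
            //   53                   | push                ebx
            //   c78514fbffffd6000000     | mov    dword ptr [ebp - 0x4ec], 0xd6
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax
            //   0f8495000000         | je                  0x9b

        // Object initialisation: field +0x5c receives an absolute pointer
        // (0x1000cd48 in the reference sample, wildcarded for relocation),
        // field +0x8 is cleared.
        $sequence_9 = { ff15???????? 8b7508 c7465c???????? 83660800 }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   c7465c????????       | mov                 dword ptr [esi + 0x5c], <ptr>
            //   83660800             | and                 dword ptr [esi + 8], 0

    condition:
        // Seven of the ten code sequences must be present. The size bound was
        // chosen by the generator for the unpacked samples/dumps it saw; when
        // scanning whole process dumps consider relaxing or removing it.
        7 of them and filesize < 134144
}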