win.sodamaster

SodaMaster

aka: dfls, HEAVYPOT, DelfsCake

Actor(s): Stone Panda


This is a RAT that is usually loaded through one or more stages of shellcode and/or reflective DLL injection. The RAT uses RC4 or a hardcoded RSA key for traffic encryption/decryption. Its communication can happen either via a raw TCP socket or via an HTTP POST request. Depending on the version, the RAT may remotely execute DLLs or shellcode.

References
2021-04-27 Kaspersky GReAT
@online{great:20210427:trends:e1c92a3, author = {GReAT}, title = {{APT trends report Q1 2021}}, date = {2021-04-27}, organization = {Kaspersky}, url = {https://securelist.com/apt-trends-report-q1-2021/101967/}, language = {English}, urldate = {2021-04-29} } APT trends report Q1 2021
PAS Artra Downloader BadNews Bozok DILLJUICE Kazuar Quasar RAT SodaMaster
2021-02-24Yusuke Niwa, Motohiko Sato, Hajime Yanagishita, Charles Li, Suguru Ishimaru
@techreport{niwa:20210224:a41apt:d20a784, author = {Yusuke Niwa and Motohiko Sato and Hajime Yanagishita and Charles Li and Suguru Ishimaru}, title = {{A41APT case - Analysis of the Stealth APT Campaign Threatening Japan}}, date = {2021-02-24}, institution = {}, url = {https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf}, language = {English}, urldate = {2021-02-26} } A41APT case - Analysis of the Stealth APT Campaign Threatening Japan
SodaMaster
Yara Rules
[TLP:WHITE] win_sodamaster_auto (20211008 | Detects win.sodamaster.)
rule win_sodamaster_auto {
    // Auto-generated code-pattern signature for SodaMaster (win.sodamaster).
    // The ten $sequence_N strings are short runs of 32-bit x86 opcode bytes
    // lifted from disassembly; the rule fires when 7 of them are present in a
    // file smaller than 134144 bytes. Wildcarded bytes (??) are operands the
    // generator masked out -- the blank disassembly columns below, i.e. call
    // targets and absolute data references that differ between builds.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.sodamaster."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sodamaster"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 8b45fc 50 e8???????? 8b7d14 4f 57 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b7d14               | mov                 edi, dword ptr [ebp + 0x14]
            //   4f                   | dec                 edi
            //   57                   | push                edi

        $sequence_1 = { 8d85dcefffff 50 8d8df4efffff 51 6a09 52 }
            // n = 6, score = 100
            //   8d85dcefffff         | lea                 eax, dword ptr [ebp - 0x1024]
            //   50                   | push                eax
            //   8d8df4efffff         | lea                 ecx, dword ptr [ebp - 0x100c]
            //   51                   | push                ecx
            //   6a09                 | push                9
            //   52                   | push                edx

        $sequence_2 = { 893e 895e04 ff15???????? 5f 5e }
            // n = 5, score = 100
            //   893e                 | mov                 dword ptr [esi], edi
            //   895e04               | mov                 dword ptr [esi + 4], ebx
            //   ff15????????         |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        // NOTE(review): the bytes 341d0110 below are the literal immediate
        // 0x10011d34, so this sequence is tied to the image base the sample was
        // built or dumped with and may not match a rebased/relocated copy.
        $sequence_3 = { ebb9 be341d0110 a1???????? eb16 }
            // n = 4, score = 100
            //   ebb9                 | jmp                 0xffffffbb
            //   be341d0110           | mov                 esi, 0x10011d34
            //   a1????????           |                     
            //   eb16                 | jmp                 0x18

        $sequence_4 = { 8bd8 8b4510 8bc8 83c404 8d7902 8d642400 }
            // n = 6, score = 100
            //   8bd8                 | mov                 ebx, eax
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8bc8                 | mov                 ecx, eax
            //   83c404               | add                 esp, 4
            //   8d7902               | lea                 edi, dword ptr [ecx + 2]
            //   8d642400             | lea                 esp, dword ptr [esp]

        $sequence_5 = { 83c408 8d95ecefffff 52 8bf8 }
            // n = 4, score = 100
            //   83c408               | add                 esp, 8
            //   8d95ecefffff         | lea                 edx, dword ptr [ebp - 0x1014]
            //   52                   | push                edx
            //   8bf8                 | mov                 edi, eax

        // NOTE(review): as with $sequence_3, the bytes a0330110 below encode the
        // absolute address 0x100133a0 unmasked; expect this sequence to be
        // sensitive to the load address of the scanned image.
        $sequence_6 = { 8bc8 c1f905 8b0c8da0330110 83e01f c1e006 f644080401 }
            // n = 6, score = 100
            //   8bc8                 | mov                 ecx, eax
            //   c1f905               | sar                 ecx, 5
            //   8b0c8da0330110       | mov                 ecx, dword ptr [ecx*4 + 0x100133a0]
            //   83e01f               | and                 eax, 0x1f
            //   c1e006               | shl                 eax, 6
            //   f644080401           | test                byte ptr [eax + ecx + 4], 1

        $sequence_7 = { 3bca 7622 8b8520fbffff 8b08 03f6 }
            // n = 5, score = 100
            //   3bca                 | cmp                 ecx, edx
            //   7622                 | jbe                 0x24
            //   8b8520fbffff         | mov                 eax, dword ptr [ebp - 0x4e0]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   03f6                 | add                 esi, esi

        $sequence_8 = { e8???????? 56 e8???????? 83c418 ff15???????? }
            // n = 5, score = 100
            //   e8????????           |                     
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   ff15????????         |                     

        $sequence_9 = { 8975f8 8975f4 8975f0 8975fc e8???????? }
            // n = 5, score = 100
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   8975f4               | mov                 dword ptr [ebp - 0xc], esi
            //   8975f0               | mov                 dword ptr [ebp - 0x10], esi
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   e8????????           |                     

    // 7-of-10 threshold tolerates some per-sample variation (e.g. the two
    // image-base-dependent sequences missing); the size cap restricts matches
    // to files under 131 KiB.
    // NOTE(review): per the YARA documentation, filesize is undefined when
    // scanning a running process, so this condition is intended for files and
    // memory dumps on disk -- confirm before using it in live process scans.
    condition:
        7 of them and filesize < 134144
}