SYMBOLCOMMON_NAMEaka. SYNONYMS
win.sodamaster (Back to overview)

SodaMaster

aka: dfls, HEAVYPOT, DelfsCake

Actor(s): Stone Panda

VTCollection    

This is a RAT that is usually loaded with one or more shellcode and/or reflective DLL injection techniques. The RAT uses RC4 or a hardcoded RSA key for traffic encryption/decryption. Its communication can either happen via a raw TCP socket or a HTTP POST request. Depending on the version, the RAT may remotely execute DLLs or shellcode.

References
2022-06-23SecureworksCounter Threat Unit ResearchTeam
BRONZE STARLIGHT Ransomware Operations Use HUI Loader
ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster BRONZE STARLIGHT
2022-04-05SymantecThreat Hunter Team
Cicada: Chinese APT Group Widens Targeting in Recent Espionage Activity
MimiKatz SodaMaster
2022-04-05Bleeping ComputerIonut Ilascu
Chinese hackers abuse VLC Media Player to launch malware loader
SodaMaster
2022-01-27JSAC 2021Hajime Yanagishita, Kiyotaka Tamada, Suguru Ishimaru, You Nakatsuru
What We Can Do against the Chaotic A41APT Campaign
CHINACHOPPER Cobalt Strike HUI Loader SodaMaster
2021-04-27KasperskyGReAT
APT trends report Q1 2021
PAS Artra Downloader BadNews Bozok DILLJUICE Kazuar Quasar RAT SodaMaster
2021-02-24Charles Li, Hajime Yanagishita, Motohiko Sato, Suguru Ishimaru, Yusuke Niwa
A41APT case - Analysis of the Stealth APT Campaign Threatening Japan
SodaMaster
Yara Rules
[TLP:WHITE] win_sodamaster_auto (20230808 | Detects win.sodamaster.)
rule win_sodamaster_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.sodamaster."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sodamaster"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? c70009000000 e8???????? ebd2 8bc3 c1f805 8d3c85a0330110 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   c70009000000         | mov                 dword ptr [eax], 9
            //   e8????????           |                     
            //   ebd2                 | jmp                 0xffffffd4
            //   8bc3                 | mov                 eax, ebx
            //   c1f805               | sar                 eax, 5
            //   8d3c85a0330110       | lea                 edi, [eax*4 + 0x100133a0]

        $sequence_1 = { 8908 894804 8bf0 eb02 33f6 6a40 6800100000 }
            // n = 7, score = 100
            //   8908                 | mov                 dword ptr [eax], ecx
            //   894804               | mov                 dword ptr [eax + 4], ecx
            //   8bf0                 | mov                 esi, eax
            //   eb02                 | jmp                 4
            //   33f6                 | xor                 esi, esi
            //   6a40                 | push                0x40
            //   6800100000           | push                0x1000

        $sequence_2 = { 8d4900 8d97feefff7f 85d2 7419 8a140e 84d2 7412 }
            // n = 7, score = 100
            //   8d4900               | lea                 ecx, [ecx]
            //   8d97feefff7f         | lea                 edx, [edi + 0x7fffeffe]
            //   85d2                 | test                edx, edx
            //   7419                 | je                  0x1b
            //   8a140e               | mov                 dl, byte ptr [esi + ecx]
            //   84d2                 | test                dl, dl
            //   7412                 | je                  0x14

        $sequence_3 = { 8945e4 3d01010000 7d0d 8a4c181c 888810080110 40 }
            // n = 6, score = 100
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   3d01010000           | cmp                 eax, 0x101
            //   7d0d                 | jge                 0xf
            //   8a4c181c             | mov                 cl, byte ptr [eax + ebx + 0x1c]
            //   888810080110         | mov                 byte ptr [eax + 0x10010810], cl
            //   40                   | inc                 eax

        $sequence_4 = { 33f6 6a40 6800100000 8d4301 50 6a00 ff15???????? }
            // n = 7, score = 100
            //   33f6                 | xor                 esi, esi
            //   6a40                 | push                0x40
            //   6800100000           | push                0x1000
            //   8d4301               | lea                 eax, [ebx + 1]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   ff15????????         |                     

        $sequence_5 = { 83c424 83ffff 5f 5e 5b }
            // n = 5, score = 100
            //   83c424               | add                 esp, 0x24
            //   83ffff               | cmp                 edi, -1
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_6 = { 83c8ff e9???????? 8bc6 c1f805 8bfe 53 8d1c85a0330110 }
            // n = 7, score = 100
            //   83c8ff               | or                  eax, 0xffffffff
            //   e9????????           |                     
            //   8bc6                 | mov                 eax, esi
            //   c1f805               | sar                 eax, 5
            //   8bfe                 | mov                 edi, esi
            //   53                   | push                ebx
            //   8d1c85a0330110       | lea                 ebx, [eax*4 + 0x100133a0]

        $sequence_7 = { 33f6 8d45f8 50 8b4508 c745e8636d643d c645ec00 }
            // n = 6, score = 100
            //   33f6                 | xor                 esi, esi
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   c745e8636d643d       | mov                 dword ptr [ebp - 0x18], 0x3d646d63
            //   c645ec00             | mov                 byte ptr [ebp - 0x14], 0

        $sequence_8 = { e8???????? 56 e8???????? 83c418 ff15???????? }
            // n = 5, score = 100
            //   e8????????           |                     
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   ff15????????         |                     

        $sequence_9 = { 6a02 53 68ff010f00 52 }
            // n = 4, score = 100
            //   6a02                 | push                2
            //   53                   | push                ebx
            //   68ff010f00           | push                0xf01ff
            //   52                   | push                edx

    condition:
        7 of them and filesize < 134144
}
Download all Yara Rules