win.soundbite

SOUNDBITE

aka: denis

Actor(s): APT32


There is no description at this point.

References
2020-09-02 · Viettel Cybersecurity · vuonglvm
@online{vuonglvm:20200902:apt32:34d9d9b, author = {vuonglvm}, title = {{APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 1)}}, date = {2020-09-02}, organization = {Viettel Cybersecurity}, url = {https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-1/}, language = {Vietnamese}, urldate = {2020-09-09} } APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 1)
METALJACK SOUNDBITE
2020-05-21 · PICUS Security · Süleyman Özarslan
@online{zarslan:20200521:t1055:4400f98, author = {Süleyman Özarslan}, title = {{T1055 Process Injection}}, date = {2020-05-21}, organization = {PICUS Security}, url = {https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection}, language = {English}, urldate = {2020-06-03} } T1055 Process Injection
BlackEnergy Cardinal RAT Downdelph Emotet Kazuar RokRAT SOUNDBITE
2020 · Secureworks · SecureWorks
@online{secureworks:2020:tin:ccd6795, author = {SecureWorks}, title = {{TIN WOODLAWN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/tin-woodlawn}, language = {English}, urldate = {2020-05-23} } TIN WOODLAWN
Cobalt Strike KerrDown MimiKatz PHOREAL RatSnif Remy SOUNDBITE APT32
2019-04-24 · Weixin · Tencent
@online{tencent:20190424:sea:a722d68, author = {Tencent}, title = {{"Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed}}, date = {2019-04-24}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A}, language = {English}, urldate = {2020-01-13} } "Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed
Cobalt Strike SOUNDBITE
2017-12-14 · MITRE ATT&CK · Various
@online{various:20171214:soundbite:7095700, author = {Various}, title = {{SOUNDBITE}}, date = {2017-12-14}, organization = {MITRE ATT&CK}, url = {https://attack.mitre.org/wiki/Software/S0157}, language = {English}, urldate = {2020-01-08} } SOUNDBITE
SOUNDBITE
2017-05-14 · FireEye · Nick Carr
@online{carr:20170514:cyber:0ac720f, author = {Nick Carr}, title = {{Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations}}, date = {2017-05-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html}, language = {English}, urldate = {2019-12-20} } Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations
OceanLotus Cuegoe KOMPROGO SOUNDBITE APT32
2017-04-28 · Kaspersky Labs · Alexey Shulmin, Sergey Yunakovsky
@online{shulmin:20170428:use:585320c, author = {Alexey Shulmin and Sergey Yunakovsky}, title = {{Use of DNS Tunneling for C&C Communications}}, date = {2017-04-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/}, language = {English}, urldate = {2019-12-20} } Use of DNS Tunneling for C&C Communications
SOUNDBITE
2017 · FireEye · Bart Inglot, Byrne Ghavalas
@online{inglot:2017:attacker:3af6c23, author = {Bart Inglot and Byrne Ghavalas}, title = {{ATTACKER ANTICS: Illustrations of Ingenuity}}, date = {2017}, organization = {FireEye}, url = {https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx}, language = {English}, urldate = {2020-01-08} } ATTACKER ANTICS: Illustrations of Ingenuity
KOMPROGO SOUNDBITE
Yara Rules
[TLP:WHITE] win_soundbite_auto (20200817 | autogenerated rule brought to you by yara-signator)
// Malpedia auto-generated detection rule for the win.soundbite family (aka "denis").
// Detection relies solely on short x86 code-byte sequences that the generator
// lifted from unpacked / memory-dumped samples (see DISCLAIMER below), so the rule
// is meant for unpacked code; a still-packed on-disk sample will generally not match.
rule win_soundbite_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        // generator feature set used to select the sequences, as named by the tool
        // (call/jump sites, data references, immediate values)
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.soundbite"
        malpedia_rule_date = "20200817"
        // NOTE(review): presumably a reference to the Malpedia data snapshot the rule
        // was generated from rather than a sample hash — confirm against the generator docs
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a run of consecutive instruction encodings. `??` bytes are
    // wildcards: the generator leaves the disassembly blank for those instructions,
    // which is consistent with masking the 4-byte operand of `e8` (call rel32) and
    // `a1` (mov eax, [moffs32]) so the sequence survives relinking; the remaining
    // opcodes and displacements must match exactly.
    strings:
        $sequence_0 = { 0f83c4000000 0fb717 8d7c5702 4b ebea 3bf8 }
            // n = 6, score = 100
            //   0f83c4000000         | jae                 0xca
            //   0fb717               | movzx               edx, word ptr [edi]
            //   8d7c5702             | lea                 edi, [edi + edx*2 + 2]
            //   4b                   | dec                 ebx
            //   ebea                 | jmp                 0xffffffec
            //   3bf8                 | cmp                 edi, eax

        $sequence_1 = { 8b48f8 83c40c 85c0 740e 51 50 e8???????? }
            // n = 7, score = 100
            //   8b48f8               | mov                 ecx, dword ptr [eax - 8]
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   740e                 | je                  0x10
            //   51                   | push                ecx
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_2 = { 83c428 8d7dd0 89451c e8???????? 8b4d40 8b553c 8b4538 }
            // n = 7, score = 100
            //   83c428               | add                 esp, 0x28
            //   8d7dd0               | lea                 edi, [ebp - 0x30]
            //   89451c               | mov                 dword ptr [ebp + 0x1c], eax
            //   e8????????           |                     
            //   8b4d40               | mov                 ecx, dword ptr [ebp + 0x40]
            //   8b553c               | mov                 edx, dword ptr [ebp + 0x3c]
            //   8b4538               | mov                 eax, dword ptr [ebp + 0x38]

        $sequence_3 = { 85f6 7446 8b9d50ffffff 3bf3 7430 90 837e1410 }
            // n = 7, score = 100
            //   85f6                 | test                esi, esi
            //   7446                 | je                  0x48
            //   8b9d50ffffff         | mov                 ebx, dword ptr [ebp - 0xb0]
            //   3bf3                 | cmp                 esi, ebx
            //   7430                 | je                  0x32
            //   90                   | nop                 
            //   837e1410             | cmp                 dword ptr [esi + 0x14], 0x10

        // NOTE(review): the 0x411dc0 immediate below is matched literally; it looks like
        // an absolute in-image address (plausible for a 0x400000 image base) — TODO confirm.
        // If so, this sequence is specific to this exact build and may not generalize.
        $sequence_4 = { c22000 894f18 394f20 750a c74720c01d4100 894f28 }
            // n = 6, score = 100
            //   c22000               | ret                 0x20
            //   894f18               | mov                 dword ptr [edi + 0x18], ecx
            //   394f20               | cmp                 dword ptr [edi + 0x20], ecx
            //   750a                 | jne                 0xc
            //   c74720c01d4100       | mov                 dword ptr [edi + 0x20], 0x411dc0
            //   894f28               | mov                 dword ptr [edi + 0x28], ecx

        $sequence_5 = { 7406 50 ffd6 897d84 8b4588 3bc7 7406 }
            // n = 7, score = 100
            //   7406                 | je                  8
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   897d84               | mov                 dword ptr [ebp - 0x7c], edi
            //   8b4588               | mov                 eax, dword ptr [ebp - 0x78]
            //   3bc7                 | cmp                 eax, edi
            //   7406                 | je                  8

        $sequence_6 = { e8???????? 83c404 807e1500 8bfe 74c3 5f 5e }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   807e1500             | cmp                 byte ptr [esi + 0x15], 0
            //   8bfe                 | mov                 edi, esi
            //   74c3                 | je                  0xffffffc5
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        // NOTE(review): `xor eax, ebp` followed by a write to fs:[0] resembles a
        // compiler-generated SEH/stack-cookie prologue found in many MSVC-built
        // binaries — weigh this sequence as lower-specificity than the others.
        $sequence_7 = { a1???????? 33c5 50 8d45f4 64a300000000 8b4710 }
            // n = 6, score = 100
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   50                   | push                eax
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8b4710               | mov                 eax, dword ptr [edi + 0x10]

        $sequence_8 = { c7461000000000 c60600 83c61c ebd9 8b8df8fcffff 51 e8???????? }
            // n = 7, score = 100
            //   c7461000000000       | mov                 dword ptr [esi + 0x10], 0
            //   c60600               | mov                 byte ptr [esi], 0
            //   83c61c               | add                 esi, 0x1c
            //   ebd9                 | jmp                 0xffffffdb
            //   8b8df8fcffff         | mov                 ecx, dword ptr [ebp - 0x308]
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_9 = { e8???????? 8b5610 895710 8b4614 894714 8b4e18 894f18 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b5610               | mov                 edx, dword ptr [esi + 0x10]
            //   895710               | mov                 dword ptr [edi + 0x10], edx
            //   8b4614               | mov                 eax, dword ptr [esi + 0x14]
            //   894714               | mov                 dword ptr [edi + 0x14], eax
            //   8b4e18               | mov                 ecx, dword ptr [esi + 0x18]
            //   894f18               | mov                 dword ptr [edi + 0x18], ecx

    // Match requires 7 of the 10 sequences, so up to three may be absent (e.g. after
    // recompilation). The filesize bound (409600 bytes = 400 KiB) keeps the rule from
    // firing on large inputs; note that a full process memory dump larger than that
    // will not match even if it contains the code — scan unpacked modules instead.
    condition:
        7 of them and filesize < 409600
}