win.soundbite

SOUNDBITE

aka: denis

Actor(s): APT32


There is no description at this point.

References
2020-11-10 — Recorded Future — Insikt Group®
@techreport{group:20201110:new:97e5657, author = {Insikt Group®}, title = {{New APT32 Malware Campaign Targets Cambodian Government}}, date = {2020-11-10}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf}, language = {English}, urldate = {2020-11-11} } New APT32 Malware Campaign Targets Cambodian Government
KerrDown METALJACK SOUNDBITE
2020-09-02 — Viettel Cybersecurity — vuonglvm
@online{vuonglvm:20200902:apt32:34d9d9b, author = {vuonglvm}, title = {{APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 1)}}, date = {2020-09-02}, organization = {Viettel Cybersecurity}, url = {https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-1/}, language = {Vietnamese}, urldate = {2020-09-09} } APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 1)
METALJACK SOUNDBITE
2020-05-21 — PICUS Security — Süleyman Özarslan
@online{zarslan:20200521:t1055:4400f98, author = {Süleyman Özarslan}, title = {{T1055 Process Injection}}, date = {2020-05-21}, organization = {PICUS Security}, url = {https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection}, language = {English}, urldate = {2020-06-03} } T1055 Process Injection
BlackEnergy Cardinal RAT Downdelph Emotet Kazuar RokRAT SOUNDBITE
2020 — Secureworks — SecureWorks
@online{secureworks:2020:tin:ccd6795, author = {SecureWorks}, title = {{TIN WOODLAWN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/tin-woodlawn}, language = {English}, urldate = {2020-05-23} } TIN WOODLAWN
Cobalt Strike KerrDown MimiKatz PHOREAL RatSnif Remy SOUNDBITE APT32
2019-04-24 — Weixin — Tencent
@online{tencent:20190424:sea:a722d68, author = {Tencent}, title = {{"Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed}}, date = {2019-04-24}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A}, language = {English}, urldate = {2020-01-13} } "Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed
Cobalt Strike SOUNDBITE
2017-12-14 — MITRE ATT&CK — Various
@online{various:20171214:soundbite:7095700, author = {Various}, title = {{SOUNDBITE}}, date = {2017-12-14}, organization = {MITRE ATT&CK}, url = {https://attack.mitre.org/wiki/Software/S0157}, language = {English}, urldate = {2020-01-08} } SOUNDBITE
SOUNDBITE
2017-05-14 — FireEye — Nick Carr
@online{carr:20170514:cyber:0ac720f, author = {Nick Carr}, title = {{Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations}}, date = {2017-05-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html}, language = {English}, urldate = {2019-12-20} } Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations
OceanLotus Cuegoe KOMPROGO SOUNDBITE APT32
2017-04-28 — Kaspersky Labs — Alexey Shulmin, Sergey Yunakovsky
@online{shulmin:20170428:use:585320c, author = {Alexey Shulmin and Sergey Yunakovsky}, title = {{Use of DNS Tunneling for C&C Communications}}, date = {2017-04-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/}, language = {English}, urldate = {2019-12-20} } Use of DNS Tunneling for C&C Communications
SOUNDBITE
2017 — FireEye — Bart Inglot, Byrne Ghavalas
@online{inglot:2017:attacker:3af6c23, author = {Bart Inglot and Byrne Ghavalas}, title = {{ATTACKER ANTICS: Illustrations of Ingenuity}}, date = {2017}, organization = {FireEye}, url = {https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx}, language = {English}, urldate = {2020-01-08} } ATTACKER ANTICS: Illustrations of Ingenuity
KOMPROGO SOUNDBITE
Yara Rules
[TLP:WHITE] win_soundbite_auto (20230125 | Detects win.soundbite.)
rule win_soundbite_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.soundbite."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.soundbite"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reading notes (reviewer)
     * - Each $sequence_N is a short run of 32-bit x86 opcode bytes taken from
     *   the documented sample. The disassembly listed under each string is
     *   informational only and has no effect on matching.
     * - "??" bytes are YARA wildcards. Consistent with the "callsandjumps"
     *   entry in signator_config, they sit where ff15 (call dword ptr [imm32]),
     *   e8 (call rel32) and e9 (jmp rel32) carry an address or displacement,
     *   so the rule does not depend on a specific load address or layout.
     * - The condition requires 7 of the 10 sequences plus a size bound; no
     *   single sequence is a detection on its own.
     */


    strings:
        $sequence_0 = { 8b9564ffffff 51 52 ff15???????? 8b4d8c }
            // n = 5, score = 100
            //   8b9564ffffff         | mov                 edx, dword ptr [ebp - 0x9c]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   ff15????????         |                     (masked indirect call target)
            //   8b4d8c               | mov                 ecx, dword ptr [ebp - 0x74]

        $sequence_1 = { 8b4610 8b550c 89480c 8b4d08 8b4610 3b480c 0f8f86000000 }
            // n = 7, score = 100
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   89480c               | mov                 dword ptr [eax + 0xc], ecx
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]
            //   3b480c               | cmp                 ecx, dword ptr [eax + 0xc]
            //   0f8f86000000         | jg                  0x8c

        $sequence_2 = { 7e30 8bc7 8d7dec e8???????? 8b5310 8b45ec }
            // n = 6, score = 100
            //   7e30                 | jle                 0x32
            //   8bc7                 | mov                 eax, edi
            //   8d7dec               | lea                 edi, [ebp - 0x14]
            //   e8????????           |                     (masked call rel32)
            //   8b5310               | mov                 edx, dword ptr [ebx + 0x10]
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]

        $sequence_3 = { 8b55e8 895628 c745fc09000000 8b45c4 8b4dc0 50 }
            // n = 6, score = 100
            //   8b55e8               | mov                 edx, dword ptr [ebp - 0x18]
            //   895628               | mov                 dword ptr [esi + 0x28], edx
            //   c745fc09000000       | mov                 dword ptr [ebp - 4], 9
            //   8b45c4               | mov                 eax, dword ptr [ebp - 0x3c]
            //   8b4dc0               | mov                 ecx, dword ptr [ebp - 0x40]
            //   50                   | push                eax

        $sequence_4 = { 8db5bcfcffff e9???????? 8db500ffffff e9???????? 8db574fcffff e9???????? }
            // n = 6, score = 100
            // Three lea/jmp pairs in a row: a compiler-generated dispatch stub,
            // each jmp rel32 target masked.
            //   8db5bcfcffff         | lea                 esi, [ebp - 0x344]
            //   e9????????           |                     (masked jmp rel32)
            //   8db500ffffff         | lea                 esi, [ebp - 0x100]
            //   e9????????           |                     (masked jmp rel32)
            //   8db574fcffff         | lea                 esi, [ebp - 0x38c]
            //   e9????????           |                     (masked jmp rel32)

        $sequence_5 = { 53 56 57 83f820 7f23 }
            // n = 5, score = 100
            // Short and generic (callee-saved pushes plus a compare); it only
            // carries weight together with the other sequences.
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   83f820               | cmp                 eax, 0x20
            //   7f23                 | jg                  0x25

        $sequence_6 = { c745d8d0ffc1ff c745dcd0ffc9ff 8d45d0 b980000000 660108 83c002 66833800 }
            // n = 7, score = 100
            // NOTE(review): adds cx (0x80) to each 16-bit word starting at
            // [ebp - 0x30] until a zero word is hit; looks like an in-place
            // wide-string decode loop. The two visible constants would decode
            // to the words 'P','A','P','I' -- confirm against the sample before
            // relying on that reading.
            //   c745d8d0ffc1ff       | mov                 dword ptr [ebp - 0x28], 0xffc1ffd0
            //   c745dcd0ffc9ff       | mov                 dword ptr [ebp - 0x24], 0xffc9ffd0
            //   8d45d0               | lea                 eax, [ebp - 0x30]
            //   b980000000           | mov                 ecx, 0x80
            //   660108               | add                 word ptr [eax], cx
            //   83c002               | add                 eax, 2
            //   66833800             | cmp                 word ptr [eax], 0

        $sequence_7 = { 33ff 8d041b 3b4520 897dfc 8b5528 8b452c }
            // n = 6, score = 100
            //   33ff                 | xor                 edi, edi
            //   8d041b               | lea                 eax, [ebx + ebx]
            //   3b4520               | cmp                 eax, dword ptr [ebp + 0x20]
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   8b5528               | mov                 edx, dword ptr [ebp + 0x28]
            //   8b452c               | mov                 eax, dword ptr [ebp + 0x2c]

        $sequence_8 = { c785f8feffffeff2f9d7 889dfcfeffff c74594c3f2e5e1 c74598f4e5c6e9 c7459cece5d700 c745dcd2e5e1e4 c745e0c6e9ece5 }
            // n = 7, score = 100
            // NOTE(review): the immediates look like stack-built strings with
            // 0x80 added to every ASCII byte: read little-endian and minus 0x80,
            // [ebp - 0x6c .. - 0x64] gives "CreateFileW" and [ebp - 0x24 .. - 0x20]
            // gives "ReadFile"; [ebp - 0x108] gives the fragment "oryW" with bl
            // stored right after it. Derived from the bytes below only; confirm
            // in the sample.
            //   c785f8feffffeff2f9d7 | mov                 dword ptr [ebp - 0x108], 0xd7f9f2ef
            //   889dfcfeffff         | mov                 byte ptr [ebp - 0x104], bl
            //   c74594c3f2e5e1       | mov                 dword ptr [ebp - 0x6c], 0xe1e5f2c3
            //   c74598f4e5c6e9       | mov                 dword ptr [ebp - 0x68], 0xe9c6e5f4
            //   c7459cece5d700       | mov                 dword ptr [ebp - 0x64], 0xd7e5ec
            //   c745dcd2e5e1e4       | mov                 dword ptr [ebp - 0x24], 0xe4e1e5d2
            //   c745e0c6e9ece5       | mov                 dword ptr [ebp - 0x20], 0xe5ece9c6

        $sequence_9 = { 6806100000 68ffff0000 51 c785b8fcffff10270000 ff15???????? 8b95f0fcffff 8b85ecfcffff }
            // n = 7, score = 100
            // NOTE(review): 0xffff and 0x1006 are the Winsock values of
            // SOL_SOCKET and SO_RCVTIMEO, and 0x2710 is 10000, so this reads
            // like a socket receive-timeout setup -- but the call target is
            // masked, so treat this as a hint, not a fact.
            //   6806100000           | push                0x1006
            //   68ffff0000           | push                0xffff
            //   51                   | push                ecx
            //   c785b8fcffff10270000 | mov                 dword ptr [ebp - 0x348], 0x2710
            //   ff15????????         |                     (masked indirect call target)
            //   8b95f0fcffff         | mov                 edx, dword ptr [ebp - 0x310]
            //   8b85ecfcffff         | mov                 eax, dword ptr [ebp - 0x314]

    condition:
        // "them" is all 10 $sequence_* strings; 409600 bytes = 400 KiB.
        // The sequences come from memory dumps / unpacked files (see the
        // disclaimer), so a packed on-disk sample may not match even when
        // it is under the size bound.
        7 of them and filesize < 409600
}