win.spaceship

SPACESHIP

Actor(s): APT 30


SPACESHIP searches for files with a specified set of file extensions and copies them to
a removable drive. FireEye assesses that SHIPSHAPE is used to copy SPACESHIP onto a removable drive,
which could then be used to infect another victim computer, including an air-gapped one. SPACESHIP is
then used to steal documents from the air-gapped system, copying them to a removable drive inserted
into the SPACESHIP-infected system so that they can be carried off that network. The air-gap-bridging
chain is FireEye's assessment of the tooling's purpose rather than an observed end-to-end operation.

References
2015-04-15 | FireEye | FireEye
@techreport{fireeye:20150415:apt30:d09a09c, author = {FireEye}, title = {{APT30 and the Mechanics of a Long-Running Cyber Espionage Campaign}}, date = {2015-04-15}, institution = {FireEye}, url = {https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf}, language = {English}, urldate = {2022-08-25} } APT30 and the Mechanics of a Long-Running Cyber Espionage Campaign
backspace FLASHFLOOD NETEAGLE SHIPSHAPE SPACESHIP APT30
2015-04 | FireEye | FireEye
@techreport{fireeye:201504:apt30:0129bf7, author = {FireEye}, title = {{APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION}}, date = {2015-04}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf}, language = {English}, urldate = {2020-01-07} } APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION
BACKBEND backspace CREAMSICLE FLASHFLOOD GEMCUTTER MILKMAID Naikon NETEAGLE ORANGEADE SHIPSHAPE SPACESHIP SslMM Sys10 WinMM xsPlus APT30
Yara Rules
[TLP:WHITE] win_spaceship_auto (20230125 | Detects win.spaceship.)
rule win_spaceship_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.spaceship."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spaceship"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): operational caveats for deploying this rule.
     * - Every sequence is 32-bit x86 (esp/eax-relative operands, rep movsd),
     *   so only the 32-bit build is covered.
     * - Call targets (e8), indirect-call pointers (ff15) and push imm32
     *   operands (68) are wildcarded, but $sequence_1, $sequence_4 and
     *   $sequence_7 keep literal 0x41xxxx immediates that look like absolute
     *   virtual addresses for a 0x400000 image base. A rebased image (e.g. a
     *   dump taken under ASLR) may fail those three sequences - confirm
     *   against a live sample before relying on them in memory scans.
     * - The condition needs 7 of 10 sequences plus filesize < 256 KiB, so a
     *   packed on-disk sample is expected NOT to match (the rule was built
     *   from unpacked code, see disclaimer). Verify how filesize behaves in
     *   your process-memory scanning pipeline before reusing the cap there.
     */

    strings:
        // Each $sequence_N is a run of n consecutive instructions; the
        // "n = ..., score = ..." line is yara-signator output (n is the
        // instruction count, score is the tool's per-sequence weight).
        $sequence_0 = { 895c2434 89442438 895c2448 e8???????? 85c0 7531 }
            // n = 6, score = 100
            //   895c2434             | mov                 dword ptr [esp + 0x34], ebx
            //   89442438             | mov                 dword ptr [esp + 0x38], eax
            //   895c2448             | mov                 dword ptr [esp + 0x48], ebx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7531                 | jne                 0x33

        // Populates a large stack structure; the 0x416a00 / 0x4169ec dword
        // immediates are NOT wildcarded (see NOTE(review) above).
        $sequence_1 = { 66c78424bc0200001200 66898c24be020000 c78424c0020000006a4100 66899c24c4020000 66898424c6020000 c78424c8020000ec694100 66c78424cc0200006000 }
            // n = 7, score = 100
            //   66c78424bc0200001200     | mov    word ptr [esp + 0x2bc], 0x12
            //   66898c24be020000     | mov                 word ptr [esp + 0x2be], cx
            //   c78424c0020000006a4100     | mov    dword ptr [esp + 0x2c0], 0x416a00
            //   66899c24c4020000     | mov                 word ptr [esp + 0x2c4], bx
            //   66898424c6020000     | mov                 word ptr [esp + 0x2c6], ax
            //   c78424c8020000ec694100     | mov    dword ptr [esp + 0x2c8], 0x4169ec
            //   66c78424cc0200006000     | mov    word ptr [esp + 0x2cc], 0x60

        // Four-argument call through an import thunk (ff15 target wildcarded).
        $sequence_2 = { 8b8c24e8000000 52 50 51 6a00 ff15???????? }
            // n = 6, score = 100
            //   8b8c24e8000000       | mov                 ecx, dword ptr [esp + 0xe8]
            //   52                   | push                edx
            //   50                   | push                eax
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   ff15????????         |                     

        // cdecl call with two stack arguments (add esp, 8) followed by a
        // zero-test on the return value.
        $sequence_3 = { 52 e8???????? 83c408 85c0 0f849f000000 }
            // n = 5, score = 100
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   0f849f000000         | je                  0xa5

        // The final cmp reads absolute address 0x417b1c (eax is zeroed just
        // before), so this sequence is image-base dependent.
        $sequence_4 = { 5d 8b842414020000 33c9 3bc1 7520 33c0 39881c7b4100 }
            // n = 7, score = 100
            //   5d                   | pop                 ebp
            //   8b842414020000       | mov                 eax, dword ptr [esp + 0x214]
            //   33c9                 | xor                 ecx, ecx
            //   3bc1                 | cmp                 eax, ecx
            //   7520                 | jne                 0x22
            //   33c0                 | xor                 eax, eax
            //   39881c7b4100         | cmp                 dword ptr [eax + 0x417b1c], ecx

        // push imm32 (wildcarded) + push esi, then call via edi.
        $sequence_5 = { 741f eb0c 68???????? 56 ffd7 85c0 }
            // n = 6, score = 100
            //   741f                 | je                  0x21
            //   eb0c                 | jmp                 0xe
            //   68????????           |                     
            //   56                   | push                esi
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax

        // shr ecx, 2 + rep movsd is the compiler's inlined dword-copy idiom
        // (memcpy-like) into a stack buffer at esp + 0x154.
        $sequence_6 = { 8d942454010000 8bc1 8bf7 8bfa c1e902 f3a5 8bc8 }
            // n = 7, score = 100
            //   8d942454010000       | lea                 edx, [esp + 0x154]
            //   8bc1                 | mov                 eax, ecx
            //   8bf7                 | mov                 esi, edi
            //   8bfa                 | mov                 edi, edx
            //   c1e902               | shr                 ecx, 2
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8bc8                 | mov                 ecx, eax

        // Same stack-structure fill pattern as $sequence_1; the 0x416d14 /
        // 0x416d08 / 0x416cfc immediates are literal, not wildcarded.
        $sequence_7 = { c7442448146d4100 66897c244c 668944244e c7442450086d4100 6689742454 6689442456 c7442458fc6c4100 }
            // n = 7, score = 100
            //   c7442448146d4100     | mov                 dword ptr [esp + 0x48], 0x416d14
            //   66897c244c           | mov                 word ptr [esp + 0x4c], di
            //   668944244e           | mov                 word ptr [esp + 0x4e], ax
            //   c7442450086d4100     | mov                 dword ptr [esp + 0x50], 0x416d08
            //   6689742454           | mov                 word ptr [esp + 0x54], si
            //   6689442456           | mov                 word ptr [esp + 0x56], ax
            //   c7442458fc6c4100     | mov                 dword ptr [esp + 0x58], 0x416cfc

        // Import call with arguments (0, 0x410); its result (esi) is passed
        // straight to a second call through ebp.
        $sequence_8 = { 6a00 6810040000 ff15???????? 8bf0 56 ffd5 }
            // n = 6, score = 100
            //   6a00                 | push                0
            //   6810040000           | push                0x410
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   56                   | push                esi
            //   ffd5                 | call                ebp

        // Shortest sequence (4 instructions); on its own it is weak evidence.
        $sequence_9 = { 52 e8???????? 8b442414 56 }
            // n = 4, score = 100
            //   52                   | push                edx
            //   e8????????           |                     
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   56                   | push                esi

    condition:
        // 7 of the 10 sequences must hit; 262144 = 256 KiB size cap.
        7 of them and filesize < 262144
}