SYMBOLCOMMON_NAMEaka. SYNONYMS
win.spaceship (Back to overview)

SPACESHIP

Actor(s): APT 30


SPACESHIP searches for files with a specified set of file extensions and copies them to
a removable drive. FireEye believes that SHIPSHAPE is used to copy SPACESHIP to a removable drive,
which could be used to infect another victim computer, including an air-gapped computer. SPACESHIP is
then used to steal documents from the air-gapped system, copying them to a removable drive inserted
into the SPACESHIP-infected system

References
2015-04-15FireEyeFireEye
@techreport{fireeye:20150415:apt30:d09a09c, author = {FireEye}, title = {{APT30 and the Mechanics of a Long-Running Cyber Espionage Campaign}}, date = {2015-04-15}, institution = {FireEye}, url = {https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf}, language = {English}, urldate = {2022-08-25} } APT30 and the Mechanics of a Long-Running Cyber Espionage Campaign
backspace FLASHFLOOD NETEAGLE SHIPSHAPE SPACESHIP APT30
2015-04FireEyeFireEye
@techreport{fireeye:201504:apt30:0129bf7, author = {FireEye}, title = {{APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION}}, date = {2015-04}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf}, language = {English}, urldate = {2020-01-07} } APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION
BACKBEND backspace CREAMSICLE FLASHFLOOD GEMCUTTER MILKMAID Naikon NETEAGLE ORANGEADE SHIPSHAPE SPACESHIP SslMM Sys10 WinMM xsPlus APT30
Yara Rules
[TLP:WHITE] win_spaceship_auto (20230715 | Detects win.spaceship.)
rule win_spaceship_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.spaceship."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spaceship"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83c414 be???????? 8d442410 8a10 8a1e 8aca 3ad3 }
            // n = 7, score = 100
            //   83c414               | add                 esp, 0x14
            //   be????????           |                     
            //   8d442410             | lea                 eax, [esp + 0x10]
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   8a1e                 | mov                 bl, byte ptr [esi]
            //   8aca                 | mov                 cl, dl
            //   3ad3                 | cmp                 dl, bl

        $sequence_1 = { e8???????? 83c404 68d0070000 ff15???????? 8d442450 6a00 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   68d0070000           | push                0x7d0
            //   ff15????????         |                     
            //   8d442450             | lea                 eax, [esp + 0x50]
            //   6a00                 | push                0

        $sequence_2 = { 8d842448020000 52 50 ff15???????? 8bf0 83feff 7464 }
            // n = 7, score = 100
            //   8d842448020000       | lea                 eax, [esp + 0x248]
            //   52                   | push                edx
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   83feff               | cmp                 esi, -1
            //   7464                 | je                  0x66

        $sequence_3 = { 52 6a40 ff15???????? 8be8 }
            // n = 4, score = 100
            //   52                   | push                edx
            //   6a40                 | push                0x40
            //   ff15????????         |                     
            //   8be8                 | mov                 ebp, eax

        $sequence_4 = { 85c0 7531 8b442438 8b4c2434 56 53 }
            // n = 6, score = 100
            //   85c0                 | test                eax, eax
            //   7531                 | jne                 0x33
            //   8b442438             | mov                 eax, dword ptr [esp + 0x38]
            //   8b4c2434             | mov                 ecx, dword ptr [esp + 0x34]
            //   56                   | push                esi
            //   53                   | push                ebx

        $sequence_5 = { 89442410 56 ff15???????? 8b442414 8d542420 52 50 }
            // n = 7, score = 100
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   8d542420             | lea                 edx, [esp + 0x20]
            //   52                   | push                edx
            //   50                   | push                eax

        $sequence_6 = { 668984247e040000 c7842480040000b0674100 66c78424840400000e00 6689842486040000 c7842488040000a4674100 66c784248c0400000f00 668984248e040000 }
            // n = 7, score = 100
            //   668984247e040000     | mov                 word ptr [esp + 0x47e], ax
            //   c7842480040000b0674100     | mov    dword ptr [esp + 0x480], 0x4167b0
            //   66c78424840400000e00     | mov    word ptr [esp + 0x484], 0xe
            //   6689842486040000     | mov                 word ptr [esp + 0x486], ax
            //   c7842488040000a4674100     | mov    dword ptr [esp + 0x488], 0x4167a4
            //   66c784248c0400000f00     | mov    word ptr [esp + 0x48c], 0xf
            //   668984248e040000     | mov                 word ptr [esp + 0x48e], ax

        $sequence_7 = { 53 8bf1 e8???????? 83c40c 85c0 }
            // n = 5, score = 100
            //   53                   | push                ebx
            //   8bf1                 | mov                 esi, ecx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax

        $sequence_8 = { 50 e8???????? 83c408 8b4c2414 51 ff15???????? 8b442410 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]

        $sequence_9 = { f3a4 8d8c2458020000 51 52 68???????? }
            // n = 5, score = 100
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   8d8c2458020000       | lea                 ecx, [esp + 0x258]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   68????????           |                     

    condition:
        7 of them and filesize < 262144
}
Download all Yara Rules