SYMBOLCOMMON_NAMEaka. SYNONYMS
win.spaceship (Back to overview)

SPACESHIP

Actor(s): APT 30


SPACESHIP searches for files with a specified set of file extensions and copies them to
a removable drive. FireEye believes that SHIPSHAPE is used to copy SPACESHIP to a removable drive,
which could be used to infect another victim computer, including an air-gapped computer. SPACESHIP is
then used to steal documents from the air-gapped system, copying them to a removable drive inserted
into the SPACESHIP-infected system

References
2015-04-15FireEyeFireEye
@techreport{fireeye:20150415:apt30:d09a09c, author = {FireEye}, title = {{APT30 and the Mechanics of a Long-Running Cyber Espionage Campaign}}, date = {2015-04-15}, institution = {FireEye}, url = {https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf}, language = {English}, urldate = {2022-08-25} } APT30 and the Mechanics of a Long-Running Cyber Espionage Campaign
backspace FLASHFLOOD NETEAGLE SHIPSHAPE SPACESHIP APT30
2015-04FireEyeFireEye
@techreport{fireeye:201504:apt30:0129bf7, author = {FireEye}, title = {{APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION}}, date = {2015-04}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf}, language = {English}, urldate = {2020-01-07} } APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION
BACKBEND backspace CREAMSICLE FLASHFLOOD GEMCUTTER MILKMAID Naikon NETEAGLE ORANGEADE SHIPSHAPE SPACESHIP SslMM Sys10 WinMM xsPlus APT30
Yara Rules
[TLP:WHITE] win_spaceship_auto (20221125 | Detects win.spaceship.)
rule win_spaceship_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.spaceship."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spaceship"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 51 e8???????? 83c40c 8d942408010000 8d842448020000 52 50 }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d942408010000       | lea                 edx, [esp + 0x108]
            //   8d842448020000       | lea                 eax, [esp + 0x248]
            //   52                   | push                edx
            //   50                   | push                eax

        $sequence_1 = { 6a11 68???????? e8???????? 56 6a01 6a02 68???????? }
            // n = 7, score = 100
            //   6a11                 | push                0x11
            //   68????????           |                     
            //   e8????????           |                     
            //   56                   | push                esi
            //   6a01                 | push                1
            //   6a02                 | push                2
            //   68????????           |                     

        $sequence_2 = { 56 ffd5 85c0 7446 80bc24380100002e 74e7 f684240c01000010 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   ffd5                 | call                ebp
            //   85c0                 | test                eax, eax
            //   7446                 | je                  0x48
            //   80bc24380100002e     | cmp                 byte ptr [esp + 0x138], 0x2e
            //   74e7                 | je                  0xffffffe9
            //   f684240c01000010     | test                byte ptr [esp + 0x10c], 0x10

        $sequence_3 = { 8bcb eb31 83f85a 7531 8d54240c bf???????? eb09 }
            // n = 7, score = 100
            //   8bcb                 | mov                 ecx, ebx
            //   eb31                 | jmp                 0x33
            //   83f85a               | cmp                 eax, 0x5a
            //   7531                 | jne                 0x33
            //   8d54240c             | lea                 edx, [esp + 0xc]
            //   bf????????           |                     
            //   eb09                 | jmp                 0xb

        $sequence_4 = { 83c404 8d8c2410010000 51 53 ffd5 85c0 0f8550ffffff }
            // n = 7, score = 100
            //   83c404               | add                 esp, 4
            //   8d8c2410010000       | lea                 ecx, [esp + 0x110]
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   ffd5                 | call                ebp
            //   85c0                 | test                eax, eax
            //   0f8550ffffff         | jne                 0xffffff56

        $sequence_5 = { 741f eb0c 68???????? 56 ffd7 85c0 }
            // n = 6, score = 100
            //   741f                 | je                  0x21
            //   eb0c                 | jmp                 0xe
            //   68????????           |                     
            //   56                   | push                esi
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax

        $sequence_6 = { 66899c240e030000 c784241003000094694100 66c78424140300003e00 6689ac2416030000 c78424180300008c694100 66899c241c030000 }
            // n = 6, score = 100
            //   66899c240e030000     | mov                 word ptr [esp + 0x30e], bx
            //   c784241003000094694100     | mov    dword ptr [esp + 0x310], 0x416994
            //   66c78424140300003e00     | mov    word ptr [esp + 0x314], 0x3e
            //   6689ac2416030000     | mov                 word ptr [esp + 0x316], bp
            //   c78424180300008c694100     | mov    dword ptr [esp + 0x318], 0x41698c
            //   66899c241c030000     | mov                 word ptr [esp + 0x31c], bx

        $sequence_7 = { 7522 8a44240c 84c0 7411 fec8 8886947e4100 }
            // n = 6, score = 100
            //   7522                 | jne                 0x24
            //   8a44240c             | mov                 al, byte ptr [esp + 0xc]
            //   84c0                 | test                al, al
            //   7411                 | je                  0x13
            //   fec8                 | dec                 al
            //   8886947e4100         | mov                 byte ptr [esi + 0x417e94], al

        $sequence_8 = { 8d942410020000 33db 52 6800020000 ff15???????? 85c0 7464 }
            // n = 7, score = 100
            //   8d942410020000       | lea                 edx, [esp + 0x210]
            //   33db                 | xor                 ebx, ebx
            //   52                   | push                edx
            //   6800020000           | push                0x200
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7464                 | je                  0x66

        $sequence_9 = { f3a4 8d8c2458020000 51 52 68???????? }
            // n = 5, score = 100
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   8d8c2458020000       | lea                 ecx, [esp + 0x258]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   68????????           |                     

    condition:
        7 of them and filesize < 262144
}
Download all Yara Rules