SYMBOLCOMMON_NAMEaka. SYNONYMS
win.teledoor (Back to overview)

TeleDoor

Actor(s): TeleBots, Sandworm

VTCollection    

There is no description at this point.

References
2020-01-01SecureworksSecureWorks
IRON VIKING
BlackEnergy EternalPetya GreyEnergy Industroyer KillDisk TeleBot TeleDoor
2017-07-05Cisco TalosAleksandar Nikolic, David Maynor, Matt Olney, Yves Younan
The MeDoc Connection
TeleDoor
2017-07-04ESET ResearchAnton Cherepanov
Analysis of TeleBots’ cunning backdoor
TeleDoor
Yara Rules
[TLP:WHITE] win_teledoor_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_teledoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.teledoor"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 00b9c90200c5 7400 0006 00ce c9 0200 16 }
            // n = 7, score = 100
            //   00b9c90200c5         | add                 byte ptr [ecx - 0x3afffd37], bh
            //   7400                 | je                  2
            //   0006                 | add                 byte ptr [esi], al
            //   00ce                 | add                 dh, cl
            //   c9                   | leave               
            //   0200                 | add                 al, byte ptr [eax]
            //   16                   | push                ss

        $sequence_1 = { 00ce c9 0200 16 2800 001e 00fc }
            // n = 7, score = 100
            //   00ce                 | add                 dh, cl
            //   c9                   | leave               
            //   0200                 | add                 al, byte ptr [eax]
            //   16                   | push                ss
            //   2800                 | sub                 byte ptr [eax], al
            //   001e                 | add                 byte ptr [esi], bl
            //   00fc                 | add                 ah, bh

        $sequence_2 = { dec9 0200 1e 0073ca 0200 }
            // n = 5, score = 100
            //   dec9                 | fmulp               st(1)
            //   0200                 | add                 al, byte ptr [eax]
            //   1e                   | push                ds
            //   0073ca               | add                 byte ptr [ebx - 0x36], dh
            //   0200                 | add                 al, byte ptr [eax]

        $sequence_3 = { 98 0100 831001 007220 38c3 1400 }
            // n = 6, score = 100
            //   98                   | cwde                
            //   0100                 | add                 dword ptr [eax], eax
            //   831001               | adc                 dword ptr [eax], 1
            //   007220               | add                 byte ptr [edx + 0x20], dh
            //   38c3                 | cmp                 bl, al
            //   1400                 | adc                 al, 0

        $sequence_4 = { e601 e15c 0100 80fb00 }
            // n = 4, score = 100
            //   e601                 | out                 1, al
            //   e15c                 | loope               0x5e
            //   0100                 | add                 dword ptr [eax], eax
            //   80fb00               | cmp                 bl, 0

        $sequence_5 = { 015a5f 0100 e9???????? 1cd8 0913 0000 00e6 }
            // n = 7, score = 100
            //   015a5f               | add                 dword ptr [edx + 0x5f], ebx
            //   0100                 | add                 dword ptr [eax], eax
            //   e9????????           |                     
            //   1cd8                 | sbb                 al, 0xd8
            //   0913                 | or                  dword ptr [ebx], edx
            //   0000                 | add                 byte ptr [eax], al
            //   00e6                 | add                 dh, ah

        $sequence_6 = { c9 0200 16 2800 001e }
            // n = 5, score = 100
            //   c9                   | leave               
            //   0200                 | add                 al, byte ptr [eax]
            //   16                   | push                ss
            //   2800                 | sub                 byte ptr [eax], al
            //   001e                 | add                 byte ptr [esi], bl

        $sequence_7 = { 001e 00b9c90200c5 7400 0006 00ce c9 }
            // n = 6, score = 100
            //   001e                 | add                 byte ptr [esi], bl
            //   00b9c90200c5         | add                 byte ptr [ecx - 0x3afffd37], bh
            //   7400                 | je                  2
            //   0006                 | add                 byte ptr [esi], al
            //   00ce                 | add                 dh, cl
            //   c9                   | leave               

        $sequence_8 = { 3217 189e11327309 2000 0aa2112e1828 }
            // n = 4, score = 100
            //   3217                 | xor                 dl, byte ptr [edi]
            //   189e11327309         | sbb                 byte ptr [esi + 0x9733211], bl
            //   2000                 | and                 byte ptr [eax], al
            //   0aa2112e1828         | or                  ah, byte ptr [edx + 0x28182e11]

        $sequence_9 = { c5740000 1e 007cc902 00c5 }
            // n = 4, score = 100
            //   c5740000             | lds                 esi, ptr [eax + eax]
            //   1e                   | push                ds
            //   007cc902             | add                 byte ptr [ecx + ecx*8 + 2], bh
            //   00c5                 | add                 ch, al

    condition:
        7 of them and filesize < 10454016
}
[TLP:WHITE] win_teledoor_w0   (20170712 | Detects the TeleDoor Backdoor as used in Petya Attack in June 2017)
rule win_teledoor_w0 {
    meta:
        description = "Detects the TeleDoor Backdoor as used in Petya Attack in June 2017"
        author = "Florian Roth"
        reference = "https://goo.gl/CpfJQQ"
        date = "2017-07-05"
        hash = "d462966166450416d6addd3bfdf48590f8440dd80fc571a389023b7c860ca3ac"
        hash = "f9d6fe8bd8aca6528dec7eaa9f1aafbecde15fd61668182f2ba8a7fc2b9a6740"
        hash = "2fd2863d711a1f18eeee5c7c82f2349c5d4e00465de9789da837fcdca4d00277"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.teledoor"
        malpedia_version = "20170712"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        /* Payload\x00AutoPayload */
        $c1 = { 50 61 79 6C 6F 61 64 00 41 75 74 6F 50 61 79 6C 6F 61 64 }
        /* RunCmd\x00DumpData */
        $c2 = { 52 75 6E 43 6D 64 00 44 75 6D 70 44 61 74 61 }
        /* ZvitWebClientExt\x00MinInfo */
        $c3 = { 00 5A 76 69 74 57 65 62 43 6C 69 65 6E 74 45 78 74 00 4D 69 6E 49 6E 66 6F }
    
    condition:
        2 of them
}
Download all Yara Rules