win.turnedup

TURNEDUP

aka: Notestuk

Actor(s): APT33


There is no description at this point.

References
2019-03-27 | Symantec | Critical Attack Discovery and Intelligence Team
@online{team:20190327:elfin:d90a330, author = {Critical Attack Discovery and Intelligence Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-04-21} } Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33
2019-03-27 | Symantec | Security Response Attack Investigation Team
@online{team:20190327:elfin:836cc39, author = {Security Response Attack Investigation Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-01-06} } Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet Nanocore RAT pupy Quasar RAT Remcos TURNEDUP APT33
2018-04-11 | Cyberbit | Hod Gavriel, Boris Erbesfeld
@online{gavriel:20180411:new:9ed9a94, author = {Hod Gavriel and Boris Erbesfeld}, title = {{New ‘Early Bird’ Code Injection Technique Discovered}}, date = {2018-04-11}, organization = {Cyberbit}, url = {https://www.cyberbit.com/new-early-bird-code-injection-technique-discovered/}, language = {English}, urldate = {2020-08-21} } New ‘Early Bird’ Code Injection Technique Discovered
TURNEDUP
2017-09-20 | FireEye | Jacqueline O’Leary, Josiah Kimble, Kelli Vanderlee, Nalani Fraser
@online{oleary:20170920:insights:27e8253, author = {Jacqueline O’Leary and Josiah Kimble and Kelli Vanderlee and Nalani Fraser}, title = {{Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware}}, date = {2017-09-20}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html}, language = {English}, urldate = {2019-12-20} } Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware
DROPSHOT Nanocore RAT NetWire RC SHAPESHIFT TURNEDUP APT33
Yara Rules
[TLP:WHITE] win_turnedup_auto (20221125 | Detects win.turnedup.)
rule win_turnedup_auto {
    // Auto-generated code-pattern rule for the TURNEDUP backdoor (Malpedia id
    // win.turnedup, aka Notestuk, listed above under actor APT33). Each
    // $sequence_N below is a short run of 32-bit x86 instruction bytes
    // (ebp/esp-relative addressing throughout) taken from disassembly; the
    // rule fires when enough of these fragments co-occur in a small-enough file.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): date, malpedia_rule_date and malpedia_version differ
        // (2022-11-21 / 20221118 / 20221125); presumably generation date vs.
        // dataset snapshot vs. release date - confirm against yara-signator docs.
        date = "2022-11-21"
        version = "1"
        description = "Detects win.turnedup."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turnedup"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Because the patterns were lifted from memory dumps and unpacked files
    // (see disclaimer), they are expected to match unpacked code; a packed or
    // encrypted on-disk dropper carrying the same payload will generally not
    // trigger this rule until the payload is unpacked or dumped from memory.

    strings:
        // In the hex strings below, "e8 ????????" is a near CALL whose 4-byte
        // relative displacement is wildcarded (the disassembly column is left
        // blank for it); presumably the target varies between builds, so only
        // the opcode is matched. "n" in each comment is the number of
        // instructions in the sequence; "score" is the signator ranking value.
        $sequence_0 = { 53 8d4dc0 51 52 e8???????? 83c410 8d7d14 }
            // n = 7, score = 400
            //   53                   | push                ebx
            //   8d4dc0               | lea                 ecx, [ebp - 0x40]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   8d7d14               | lea                 edi, [ebp + 0x14]

        $sequence_1 = { 8b7db4 8bf3 e8???????? 84c0 0f8460ffffff }
            // n = 5, score = 400
            //   8b7db4               | mov                 edi, dword ptr [ebp - 0x4c]
            //   8bf3                 | mov                 esi, ebx
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   0f8460ffffff         | je                  0xffffff66

        $sequence_2 = { 750a d945b8 8b45a8 d918 eb03 }
            // n = 5, score = 400
            //   750a                 | jne                 0xc
            //   d945b8               | fld                 dword ptr [ebp - 0x48]
            //   8b45a8               | mov                 eax, dword ptr [ebp - 0x58]
            //   d918                 | fstp                dword ptr [eax]
            //   eb03                 | jmp                 5

        $sequence_3 = { 897e14 895e10 881e 837d1c10 7324 8b4518 40 }
            // n = 7, score = 400
            //   897e14               | mov                 dword ptr [esi + 0x14], edi
            //   895e10               | mov                 dword ptr [esi + 0x10], ebx
            //   881e                 | mov                 byte ptr [esi], bl
            //   837d1c10             | cmp                 dword ptr [ebp + 0x1c], 0x10
            //   7324                 | jae                 0x26
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
            //   40                   | inc                 eax

        $sequence_4 = { 897e10 8bc6 5f 8be5 5d c20400 8d4dfc }
            // n = 7, score = 400
            //   897e10               | mov                 dword ptr [esi + 0x10], edi
            //   8bc6                 | mov                 eax, esi
            //   5f                   | pop                 edi
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   8d4dfc               | lea                 ecx, [ebp - 4]

        $sequence_5 = { c6032b 8b0e 43 895dbc 85c9 }
            // n = 5, score = 400
            //   c6032b               | mov                 byte ptr [ebx], 0x2b
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   43                   | inc                 ebx
            //   895dbc               | mov                 dword ptr [ebp - 0x44], ebx
            //   85c9                 | test                ecx, ecx

        $sequence_6 = { 7518 81fbffff0000 7710 807ddc2d 7502 f7db 8b55c8 }
            // n = 7, score = 400
            //   7518                 | jne                 0x1a
            //   81fbffff0000         | cmp                 ebx, 0xffff
            //   7710                 | ja                  0x12
            //   807ddc2d             | cmp                 byte ptr [ebp - 0x24], 0x2d
            //   7502                 | jne                 4
            //   f7db                 | neg                 ebx
            //   8b55c8               | mov                 edx, dword ptr [ebp - 0x38]

        $sequence_7 = { 8b00 51 50 8b4508 50 33c0 }
            // n = 6, score = 400
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   51                   | push                ecx
            //   50                   | push                eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   50                   | push                eax
            //   33c0                 | xor                 eax, eax

        $sequence_8 = { 8b4da4 8b11 8b4208 ffd0 8845bb 8b7db4 }
            // n = 6, score = 400
            //   8b4da4               | mov                 ecx, dword ptr [ebp - 0x5c]
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   8b4208               | mov                 eax, dword ptr [edx + 8]
            //   ffd0                 | call                eax
            //   8845bb               | mov                 byte ptr [ebp - 0x45], al
            //   8b7db4               | mov                 edi, dword ptr [ebp - 0x4c]

        $sequence_9 = { f6d2 881408 40 3b06 }
            // n = 4, score = 400
            //   f6d2                 | not                 dl
            //   881408               | mov                 byte ptr [eax + ecx], dl
            //   40                   | inc                 eax
            //   3b06                 | cmp                 eax, dword ptr [esi]

    condition:
        // Match requires at least 7 of the 10 sequences above; requiring a
        // majority rather than all of them tolerates partial code changes
        // between variants while keeping single-fragment coincidences from
        // firing. The size bound (892928 bytes = 872 KiB) restricts the rule
        // to small files and is presumably derived from the reference
        // sample(s); larger carriers (e.g. padded or bundled files) would be
        // excluded, so relax it deliberately if memory scans or larger
        // variants are in scope.
        7 of them and filesize < 892928
}