win.unidentified_080

Unidentified 080

Actor(s): EMISSARY PANDA


This Trojan is a full-featured RAT capable of common tasks such as command execution and downloading/uploading files. This is implemented through a couple dozen C++ classes such as CMFile, CMProcess, TFileDownload, TDrive, TProcessInfo, TSock, etc.; the first-stage custom installer reuses the same classes. The Trojan uses the Windows HTTP Server API to receive and filter HTTPS traffic on port 443 and parse commands from it. Because the listener is registered through the HTTP Server API rather than opened as a raw socket by the Trojan's own process, the port 443 binding is owned by the kernel HTTP service (HTTP.sys) rather than the implant process — keep this in mind when attributing a listening port during triage.
It is also used by attackers to gather a target's data, move laterally and create SOCKS tunnels to their C2 using the Earthworm tunneler. Because the Trojan is itself an HTTPS server (it listens for commands rather than beaconing out), the SOCKS tunnel is used for targets without an externally reachable IP address, so that the C2 can still reach the implant to send commands.

References
2018-09-10 — Kaspersky Labs, GReAT
LuckyMouse signs malicious NDISProxy driver with certificate of Chinese IT company
Unidentified 080 APT27
Yara Rules
[TLP:WHITE] win_unidentified_080_auto (20230808 | Detects win.unidentified_080.)
/*
 * Auto-generated opcode-sequence rule for win.unidentified_080 (32-bit x86 code).
 * Read the DISCLAIMER inside the rule before assigning confidence. Two deployment
 * caveats a detection engineer should know before shipping this rule:
 *
 *  1. The condition includes `filesize < 392192`. `filesize` is undefined when YARA
 *     scans a running process (as opposed to a file or a dump), and an undefined
 *     operand makes the whole `and` evaluate to false. So although the sequences
 *     were derived from memory dumps and unpacked files, this rule will NOT fire in
 *     live process-memory scans unless the filesize term is removed or guarded.
 *  2. $sequence_5 carries two absolute data addresses (0x100284b8, 0x100286b8),
 *     consistent with an image based at 0x10000000. A relocated image (e.g. one
 *     loaded under ASLR) will not match that sequence. The other nine sequences use
 *     only relative branches, ebp/ebx/esi-relative memory or a wildcarded call
 *     target, so the 7-of-them threshold remains reachable without $sequence_5.
 */
rule win_unidentified_080_auto {

    meta:
        // NOTE(review): three different dates are recorded below — `date`
        // (presumably the generation run), `malpedia_rule_date` and
        // `malpedia_version`; confirm which one a rule-management pipeline
        // should key on for versioning before ingesting.
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.unidentified_080."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_080"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each sequence is a run of consecutive x86 instruction bytes; the
        // "n" in the trailing comment is the instruction count, "score" the
        // generator's distinctiveness score for the sequence.
        $sequence_0 = { 51 53 8bd8 837b2c00 56 7571 8b4324 }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   8bd8                 | mov                 ebx, eax
            //   837b2c00             | cmp                 dword ptr [ebx + 0x2c], 0
            //   56                   | push                esi
            //   7571                 | jne                 0x73
            //   8b4324               | mov                 eax, dword ptr [ebx + 0x24]

        $sequence_1 = { 0bf2 89701c 83c020 83c120 ff8d74ffffff 0f8560feffff 8b8570ffffff }
            // n = 7, score = 100
            //   0bf2                 | or                  esi, edx
            //   89701c               | mov                 dword ptr [eax + 0x1c], esi
            //   83c020               | add                 eax, 0x20
            //   83c120               | add                 ecx, 0x20
            //   ff8d74ffffff         | dec                 dword ptr [ebp - 0x8c]
            //   0f8560feffff         | jne                 0xfffffe66
            //   8b8570ffffff         | mov                 eax, dword ptr [ebp - 0x90]

        $sequence_2 = { 8b4508 8b4808 8b500c 2bd1 894dfc 3bd3 7277 }
            // n = 7, score = 100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b4808               | mov                 ecx, dword ptr [eax + 8]
            //   8b500c               | mov                 edx, dword ptr [eax + 0xc]
            //   2bd1                 | sub                 edx, ecx
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   3bd3                 | cmp                 edx, ebx
            //   7277                 | jb                  0x79

        $sequence_3 = { 3bd6 7312 8b03 833c9000 8d0490 7402 }
            // n = 6, score = 100
            //   3bd6                 | cmp                 edx, esi
            //   7312                 | jae                 0x14
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   833c9000             | cmp                 dword ptr [eax + edx*4], 0
            //   8d0490               | lea                 eax, [eax + edx*4]
            //   7402                 | je                  4

        // The call target (e8 ????????) is wildcarded, so this sequence is not
        // tied to a particular layout of the callee.
        $sequence_4 = { 8dbd40ffffff e8???????? 8bb53cffffff 83c620 c645fc0f 8b06 33ff }
            // n = 7, score = 100
            //   8dbd40ffffff         | lea                 edi, [ebp - 0xc0]
            //   e8????????           |                     
            //   8bb53cffffff         | mov                 esi, dword ptr [ebp - 0xc4]
            //   83c620               | add                 esi, 0x20
            //   c645fc0f             | mov                 byte ptr [ebp - 4], 0xf
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   33ff                 | xor                 edi, edi

        // Relocation-sensitive: the two table lookups use absolute addresses
        // 0x100284b8 / 0x100286b8 (see header note 2). The 0x3f masks select a
        // 6-bit index into each table; this resembles a block-cipher S-box
        // lookup, but that is an unconfirmed reading of six instructions.
        $sequence_5 = { 83e73f 0b0cbdb8840210 83e03f 0b0c85b8860210 8b42f4 33c6 8bf8 }
            // n = 7, score = 100
            //   83e73f               | and                 edi, 0x3f
            //   0b0cbdb8840210       | or                  ecx, dword ptr [edi*4 + 0x100284b8]
            //   83e03f               | and                 eax, 0x3f
            //   0b0c85b8860210       | or                  ecx, dword ptr [eax*4 + 0x100286b8]
            //   8b42f4               | mov                 eax, dword ptr [edx - 0xc]
            //   33c6                 | xor                 eax, esi
            //   8bf8                 | mov                 edi, eax

        $sequence_6 = { 8bec 83ec10 53 8bd8 ff4320 56 33f6 }
            // n = 7, score = 100
            //   8bec                 | mov                 ebp, esp
            //   83ec10               | sub                 esp, 0x10
            //   53                   | push                ebx
            //   8bd8                 | mov                 ebx, eax
            //   ff4320               | inc                 dword ptr [ebx + 0x20]
            //   56                   | push                esi
            //   33f6                 | xor                 esi, esi

        $sequence_7 = { 8bf0 83feff 7509 c68568ffffff0b eb66 8b4dbc }
            // n = 6, score = 100
            //   8bf0                 | mov                 esi, eax
            //   83feff               | cmp                 esi, -1
            //   7509                 | jne                 0xb
            //   c68568ffffff0b       | mov                 byte ptr [ebp - 0x98], 0xb
            //   eb66                 | jmp                 0x68
            //   8b4dbc               | mov                 ecx, dword ptr [ebp - 0x44]

        // Writes a stack address into fs:[0], the head of the x86 SEH chain — a
        // common compiler-emitted exception-frame prolog. Likely low specificity
        // on its own; it only contributes to the 7-of-them count.
        $sequence_8 = { 57 50 8d45f4 64a300000000 33ff 33f6 }
            // n = 6, score = 100
            //   57                   | push                edi
            //   50                   | push                eax
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   33ff                 | xor                 edi, edi
            //   33f6                 | xor                 esi, esi

        $sequence_9 = { 8b4e30 8d5508 52 8b562c 50 51 52 }
            // n = 7, score = 100
            //   8b4e30               | mov                 ecx, dword ptr [esi + 0x30]
            //   8d5508               | lea                 edx, [ebp + 8]
            //   52                   | push                edx
            //   8b562c               | mov                 edx, dword ptr [esi + 0x2c]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   52                   | push                edx

    condition:
        // At least 7 of the 10 sequences must be present. The filesize bound is
        // a file-scan false-positive guard; it makes the rule evaluate false on
        // live process scans, where filesize is undefined (see header note 1).
        7 of them and filesize < 392192
}