win.unidentified_099 (Back to overview)

Unidentified 099 (APT29 Dropbox Loader)

Actor(s): APT29


This malware uses Dropbox for C2 and was spread via spear-phishing attacks against government organizations. It is distinct from win.boombox, another APT29-attributed malware family that also uses Dropbox for C2 (BOOMBOX is written in .NET, whereas this loader is native x86-64 code, as the YARA rule below shows).

References
2022-09-06 | INCIBE-CERT | INCIBE
@techreport{incibe:20220906:estudio:20f14b0, author = {INCIBE}, title = {{Estudio del análisis de Nobelium}}, date = {2022-09-06}, institution = {INCIBE-CERT}, url = {https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf}, language = {Spanish}, urldate = {2022-11-22} } Estudio del análisis de Nobelium
BEATDROP BOOMBOX Cobalt Strike EnvyScout Unidentified 099 (APT29 Dropbox Loader) VaporRage
2022-05-16 | Github (Dump-GUY) | Jiří Vinopal
@online{vinopal:20220516:malware:f716c6a, author = {Jiří Vinopal}, title = {{Malware Analysis Report – APT29 C2-Client Dropbox Loader}}, date = {2022-05-16}, organization = {Github (Dump-GUY)}, url = {https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md}, language = {English}, urldate = {2022-05-25} } Malware Analysis Report – APT29 C2-Client Dropbox Loader
Unidentified 099 (APT29 Dropbox Loader)
Yara Rules
[TLP:WHITE] win_unidentified_099_auto (20230407 | Detects win.unidentified_099.)
rule win_unidentified_099_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.unidentified_099."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_099"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Architecture: every sequence carries REX prefixes (0x43, 0x45, 0x48,
     *   0x49, 0x4b, 0x4c, 0x4d) and several use RIP-relative addressing
     *   (e.g. 48 8d 15 <disp32>), so these are x86-64 code fragments. The rule
     *   targets the 64-bit build; a 32-bit build of the same code would not
     *   match on these bytes.
     * - The per-line mnemonics that shipped with the auto-generated rule were
     *   32-bit decodes that did not line up with the bytes on the same line
     *   (REX bytes rendered as inc/dec, operands from neighbouring lines).
     *   They have been replaced below with hand-decoded 64-bit mnemonics.
     *   Treat them as an aid for triage, not as ground truth - re-check with a
     *   disassembler before building further logic on them.
     * - "??" bytes are wildcards over rel32/disp32 operands: e8/e9 call/jmp
     *   targets and ff 15 RIP-relative indirect call slots. These vary per
     *   build and are correctly left unpinned. Fixed disp32 constants that ARE
     *   pinned (0x15180, 0x1fa40, 0x1951a, 0x18c6b, 0x1eda0, ...) tie the rule
     *   to this particular binary layout; expect them to shift in a rebuild.
     */


    strings:
        $sequence_0 = { 0f84ac000000 e9???????? 4d8bb4f680510100 33d2 }
            // n = 4, score = 100
            //   0f84ac000000         | je                  +0xac (rel32)
            //   e9????????           | jmp                 rel32 (target wildcarded)
            //   4d8bb4f680510100     | mov                 r14, qword ptr [r14 + rsi*8 + 0x15180]
            //   33d2                 | xor                 edx, edx

        $sequence_1 = { 488d8d10040000 e8???????? 33c0 488dbd00030000 b904010000 }
            // n = 5, score = 100
            //   488d8d10040000       | lea                 rcx, [rbp + 0x410]
            //   e8????????           | call                rel32 (target wildcarded)
            //   33c0                 | xor                 eax, eax
            //   488dbd00030000       | lea                 rdi, [rbp + 0x300]
            //   b904010000           | mov                 ecx, 0x104

        $sequence_2 = { 4885c0 75b7 4885d2 0f848d010000 48895c2430 8b5a18 48896c2438 }
            // n = 7, score = 100
            //   4885c0               | test                rax, rax
            //   75b7                 | jne                 -0x49 (rel8)
            //   4885d2               | test                rdx, rdx
            //   0f848d010000         | je                  +0x18d (rel32)
            //   48895c2430           | mov                 qword ptr [rsp + 0x30], rbx
            //   8b5a18               | mov                 ebx, dword ptr [rdx + 0x18]
            //   48896c2438           | mov                 qword ptr [rsp + 0x38], rbp

        $sequence_3 = { 488bd0 48d3ca 4933d0 4b8794fe40fa0100 eb2d }
            // n = 5, score = 100
            //   488bd0               | mov                 rdx, rax
            //   48d3ca               | ror                 rdx, cl
            //   4933d0               | xor                 rdx, r8
            //   4b8794fe40fa0100     | xchg                qword ptr [r14 + r15*8 + 0x1fa40], rdx
            //   eb2d                 | jmp                 +0x2d (rel8)

        $sequence_4 = { 0f824affffff 0137 438d0414 894704 8d042b 488b5c2448 }
            // n = 6, score = 100
            //   0f824affffff         | jb                  -0xb6 (rel32)
            //   0137                 | add                 dword ptr [rdi], esi
            //   438d0414             | lea                 eax, [r12 + r10]
            //   894704               | mov                 dword ptr [rdi + 4], eax
            //   8d042b               | lea                 eax, [rbx + rbp]
            //   488b5c2448           | mov                 rbx, qword ptr [rsp + 0x48]

        $sequence_5 = { 488d151a950100 c744243000008000 4533c9 48895c2428 }
            // n = 4, score = 100
            //   488d151a950100       | lea                 rdx, [rip + 0x1951a]
            //   c744243000008000     | mov                 dword ptr [rsp + 0x30], 0x800000
            //   4533c9               | xor                 r9d, r9d
            //   48895c2428           | mov                 qword ptr [rsp + 0x28], rbx

        $sequence_6 = { 488bc8 488d156b8c0100 ff15???????? 4885c0 0f8483000000 4c89642450 }
            // n = 6, score = 100
            //   488bc8               | mov                 rcx, rax
            //   488d156b8c0100       | lea                 rdx, [rip + 0x18c6b]
            //   ff15????????         | call                qword ptr [rip + disp32] (import slot wildcarded)
            //   4885c0               | test                rax, rax
            //   0f8483000000         | je                  +0x83 (rel32)
            //   4c89642450           | mov                 qword ptr [rsp + 0x50], r12

        $sequence_7 = { f3aa 8d4802 488d95e0000000 ff15???????? 488d85e0000000 4c897c2460 4983c8ff }
            // n = 7, score = 100
            //   f3aa                 | rep stosb           byte ptr [rdi], al
            //   8d4802               | lea                 ecx, [rax + 2]
            //   488d95e0000000       | lea                 rdx, [rbp + 0xe0]
            //   ff15????????         | call                qword ptr [rip + disp32] (import slot wildcarded)
            //   488d85e0000000       | lea                 rax, [rbp + 0xe0]
            //   4c897c2460           | mov                 qword ptr [rsp + 0x60], r15
            //   4983c8ff             | or                  r8, -1

        $sequence_8 = { 498bd0 4c8bcb 488bc2 4923c2 493bc3 7735 498bc1 }
            // n = 7, score = 100
            //   498bd0               | mov                 rdx, r8
            //   4c8bcb               | mov                 r9, rbx
            //   488bc2               | mov                 rax, rdx
            //   4923c2               | and                 rax, r10
            //   493bc3               | cmp                 rax, r11
            //   7735                 | ja                  +0x35 (rel8)
            //   498bc1               | mov                 rax, r9

        $sequence_9 = { 488bd3 0fb68c02a0ed0100 4883c203 880f 488d7f01 }
            // n = 5, score = 100
            //   488bd3               | mov                 rdx, rbx
            //   0fb68c02a0ed0100     | movzx               ecx, byte ptr [rdx + rax + 0x1eda0]
            //   4883c203             | add                 rdx, 3
            //   880f                 | mov                 byte ptr [rdi], cl
            //   488d7f01             | lea                 rdi, [rdi + 1]

    condition:
        // 7 of the 10 sequences must be present, and the scanned object must be
        // under 314368 bytes. Per the disclaimer the sequences come from memory
        // dumps / unpacked files, so the size cap presumably reflects the
        // unpacked image; a packed or wrapped on-disk sample above the cap would
        // not fire - confirm against your own sample set before tuning.
        7 of them and filesize < 314368
}