win.unidentified_099

Unidentified 099 (APT29 Dropbox Loader)

Actor(s): APT29


This malware uses Dropbox for C2 and was spread via a spear-phishing attack against government organizations. It is distinct from win.boombox, another APT29-attributed malware (written in .NET) that also uses Dropbox.

References
2022-09-06 | INCIBE-CERT | INCIBE
@techreport{incibe:20220906:estudio:20f14b0, author = {INCIBE}, title = {{Estudio del análisis de Nobelium}}, date = {2022-09-06}, institution = {INCIBE-CERT}, url = {https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf}, language = {Spanish}, urldate = {2022-11-22} } Estudio del análisis de Nobelium
BEATDROP BOOMBOX Cobalt Strike EnvyScout Unidentified 099 (APT29 Dropbox Loader) VaporRage
2022-05-16 | Github (Dump-GUY) | Jiří Vinopal
@online{vinopal:20220516:malware:f716c6a, author = {Jiří Vinopal}, title = {{Malware Analysis Report – APT29 C2-Client Dropbox Loader}}, date = {2022-05-16}, organization = {Github (Dump-GUY)}, url = {https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md}, language = {English}, urldate = {2022-05-25} } Malware Analysis Report – APT29 C2-Client Dropbox Loader
Unidentified 099 (APT29 Dropbox Loader)
Yara Rules
[TLP:WHITE] win_unidentified_099_auto (20230125 | Detects win.unidentified_099.)
rule win_unidentified_099_auto {
    // Autogenerated code-sequence rule for win.unidentified_099 (APT29 Dropbox
    // Loader), produced by yara-signator from ten byte sequences taken from the
    // disassembly of unpacked samples / memory dumps. It matches instruction
    // bytes only: there are no text strings, so it does not depend on any
    // decoded configuration or C2 indicator, but it is tied to the specific
    // compiled code of the sample(s) Malpedia holds (see DISCLAIMER below).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.unidentified_099."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_099"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of instruction bytes (the 0x48/0x4c/0x41
        // lead bytes suggest x86-64 code). The `??` bytes wildcard the operands
        // of e8 (call) and ff15 (call through a memory pointer) so that
        // build- and relocation-dependent targets do not break the match.
        // NOTE(review): the "| mnemonic" annotations below are emitted by the
        // generator and appear to be a 32-bit-mode decode that is not aligned
        // with the hex on the same line (e.g. 488d4f14 is annotated "shl esi, 2").
        // Treat them as informational only; do not edit the hex on their basis.
        $sequence_0 = { 412bef 488d4f14 4c63c5 4983e814 4803cb 750d e8???????? }
            // n = 7, score = 100
            //   412bef               | dec                 eax
            //   488d4f14             | shl                 esi, 2
            //   4c63c5               | movzx               eax, word ptr [ecx + edi*4 + 0x16010]
            //   4983e814             | dec                 eax
            //   4803cb               | lea                 edx, [ecx + 0x15700]
            //   750d                 | dec                 eax
            //   e8????????           |                     

        $sequence_1 = { 48894c2408 4889542410 4c89442418 4c894c2420 4883ec28 b956d2a8b4 e8???????? }
            // n = 7, score = 100
            //   48894c2408           | dec                 esp
            //   4889542410           | mov                 ecx, dword ptr [esp + 0x20]
            //   4c89442418           | dec                 esp
            //   4c894c2420           | mov                 edx, ecx
            //   4883ec28             | syscall             
            //   b956d2a8b4           | ret                 
            //   e8????????           |                     

        $sequence_2 = { 85c0 0f84b8010000 ba5c000000 488d8d00010000 e8???????? 488bf8 4885c0 }
            // n = 7, score = 100
            //   85c0                 | jge                 0x7e8
            //   0f84b8010000         | nop                 dword ptr [eax]
            //   ba5c000000           | nop                 word ptr [eax + eax]
            //   488d8d00010000       | movzx               eax, byte ptr [eax + ebp]
            //   e8????????           |                     
            //   488bf8               | inc                 ecx
            //   4885c0               | mov                 byte ptr [ecx + ebx + 0x18], al

        $sequence_3 = { 488bc2 488d0dadeb0000 48890b 488d5308 33c9 48890a }
            // n = 6, score = 100
            //   488bc2               | nop                 word ptr [eax + eax]
            //   488d0dadeb0000       | inc                 edx
            //   48890b               | movzx               ecx, byte ptr [ebx + esi + 0x1f1e0]
            //   488d5308             | dec                 eax
            //   33c9                 | add                 ebx, 3
            //   48890a               | mov                 byte ptr [edx], cl

        $sequence_4 = { b974000000 33c0 498bd2 f3aa 33db 8bcb 0f1f440000 }
            // n = 7, score = 100
            //   b974000000           | dec                 eax
            //   33c0                 | mov                 dword ptr [esp + 0x50], ecx
            //   498bd2               | inc                 ebp
            //   f3aa                 | xor                 eax, eax
            //   33db                 | dec                 eax
            //   8bcb                 | mov                 dword ptr [esp + 0x48], ecx
            //   0f1f440000           | mov                 edx, 0x1fffff

        $sequence_5 = { 4c8d442438 8bd9 488d1552be0000 33c9 ff15???????? 85c0 741f }
            // n = 7, score = 100
            //   4c8d442438           | mov                 dword ptr [esp + 8], ebx
            //   8bd9                 | push                edi
            //   488d1552be0000       | dec                 eax
            //   33c9                 | sub                 esp, 0x20
            //   ff15????????         |                     
            //   85c0                 | mov                 edi, edx
            //   741f                 | dec                 esp

        $sequence_6 = { 488d159ce50000 e8???????? 488bd8 4885c0 740f 488bc8 e8???????? }
            // n = 7, score = 100
            //   488d159ce50000       | dec                 eax
            //   e8????????           |                     
            //   488bd8               | lea                 edx, [0x19c40]
            //   4885c0               | dec                 eax
            //   740f                 | lea                 ecx, [esp + 0x270]
            //   488bc8               | inc                 ecx
            //   e8????????           |                     

        $sequence_7 = { 488d15521fffff c1e803 89442444 448be0 8944243c 85c0 0f84d8030000 }
            // n = 7, score = 100
            //   488d15521fffff       | dec                 eax
            //   c1e803               | mov                 dword ptr [esp + 0x3c0], esi
            //   89442444             | inc                 ebp
            //   448be0               | xor                 ecx, ecx
            //   8944243c             | inc                 ebp
            //   85c0                 | xor                 eax, eax
            //   0f84d8030000         | dec                 esp

        $sequence_8 = { 488b4c2460 ff15???????? b801000000 488b8c2450060000 4833cc e8???????? }
            // n = 6, score = 100
            //   488b4c2460           | dec                 eax
            //   ff15????????         |                     
            //   b801000000           | sub                 esp, 0x20
            //   488b8c2450060000     | dec                 eax
            //   4833cc               | lea                 ebx, [0x1707e]
            //   e8????????           |                     

        $sequence_9 = { 0fb60428 4188441918 41ffc1 41f6c13f 756b 4533c9 }
            // n = 6, score = 100
            //   0fb60428             | dec                 eax
            //   4188441918           | lea                 ecx, [0x170ad]
            //   41ffc1               | dec                 eax
            //   41f6c13f             | lea                 ecx, [0xebad]
            //   756b                 | dec                 eax
            //   4533c9               | mov                 dword ptr [ebx], ecx

    condition:
        // Fires when any 7 of the 10 sequences are present AND the scanned
        // object is smaller than 314368 bytes (307 KiB). The size cap is
        // derived from the reference sample: a repacked sample, or one with
        // appended data, that exceeds it will not match even if every
        // sequence is present — an expected false-negative source. Lower the
        // 7-of-10 threshold only with testing, since each sequence was chosen
        // from a single sample and partial matches raise the false-positive risk.
        // NOTE(review): `filesize` refers to the scanned file; confirm how your
        // scanner populates it before applying this rule to process memory.
        7 of them and filesize < 314368
}