SparrowDoor
Common Information
Type | Value |
---|---|
UUID | 084eb03d-3087-4991-857c-188aae26ddda |
Fingerprint | a6a9a26061f4ccc3e41b642e6a76adddb4b04e3f68beee08dc5b567d307e222a |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Feb. 9, 2023, 3:51 p.m. |
Added to db | Nov. 6, 2024, 11:04 a.m. |
Last updated | Nov. 6, 2024, 11:09 a.m. |
Headline | SparrowDoor |
Title | SparrowDoor |
Detected Hints/Tags/Attributes | 112/2/63 |
Source URLs
URL Provider
Attributes (extracted automatically from the source report; the File entries mix sample-specific names such as libhost.dll with generic Windows binaries and the security-product process names that the SparrowDoor_strings rule below checks for, so they are context rather than indicators on their own)
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 262 | www.welivesecurity.com |
|
Details | Domain | 67 | 360.cn |
|
Details | Domain | 3 | cdn181.awsdns-531.com |
|
Details | Domain | 281 | docs.microsoft.com |
|
Details | Domain | 2 | systemtime.day |
|
Details | Domain | 53 | ncsc.gov.uk |
|
Details | 22 | ncscinfoleg@ncsc.gov.uk |
||
Details | File | 35 | libcurl.dll |
|
Details | File | 2 | libhost.dll |
|
Details | File | 27 | searchindexer.exe |
|
Details | File | 1260 | explorer.exe |
|
Details | File | 1122 | svchost.exe |
|
Details | File | 1018 | rundll32.exe |
|
Details | File | 36 | zhudongfangyu.exe |
|
Details | File | 119 | avp.exe |
|
Details | File | 36 | egui.exe |
|
Details | File | 7 | ccsetmgr.exe |
|
Details | File | 35 | ccsvchst.exe |
|
Details | File | 11 | ccapp.exe |
|
Details | File | 11 | tmbmsrv.exe |
|
Details | File | 5 | cpf.exe |
|
Details | File | 45 | mcshield.exe |
|
Details | File | 20 | sspicli.dll |
|
Details | File | 130 | ws2_32.dll |
|
Details | File | 291 | user32.dll |
|
Details | File | 748 | kernel32.dll |
|
Details | File | 26 | gup.exe |
|
Details | md5 | 2 | 46077a32e433a56eb8ba64dcbf86bc60 |
|
Details | md5 | 2 | 8ad3f513f48f711d573d33b7419e3ed5 |
|
Details | md5 | 2 | 5f983177f3f9ce6cb72088f3da96435d |
|
Details | sha1 | 2 | 989b3798841d06e286eb083132242749c80fdd4d |
|
Details | sha1 | 3 | c1890a6447c991880467b86a013dbeaa66cc615f |
|
Details | sha1 | 2 | 1bb8f3f8c67199c36b26115442930d0108dc8e6a |
|
Details | sha256 | 2 | f19bb3b49d548bce4d35e9cf83fba112ef8e087a422b86d1376a395466fdff2d |
|
Details | sha256 | 2 | e0b107be8034976f6e91cfcc2bbc792b49ea61a071166968fec775af28b1f19c |
|
Details | sha256 | 2 | 9863ac60b92fad160ce88353760c7c4f21f8e9c3190b18b374bdbca3a7d1a3fb |
|
Details | IPv4 | 6 | 127.1.1.1 (in the 127.0.0.0/8 loopback range, so not a routable network indicator; treat as a report artifact rather than a blocklist entry) |
|
Details | MITRE ATT&CK Techniques | 180 | T1543.003 |
|
Details | MITRE ATT&CK Techniques | 380 | T1547.001 |
|
Details | MITRE ATT&CK Techniques | 44 | T1134.001 |
|
Details | MITRE ATT&CK Techniques | 504 | T1140 |
|
Details | MITRE ATT&CK Techniques | 227 | T1574.002 |
|
Details | MITRE ATT&CK Techniques | 86 | T1055.012 |
|
Details | MITRE ATT&CK Techniques | 297 | T1070.004 |
|
Details | MITRE ATT&CK Techniques | 91 | T1620 |
|
Details | MITRE ATT&CK Techniques | 183 | T1036.005 |
|
Details | MITRE ATT&CK Techniques | 121 | T1218 |
|
Details | MITRE ATT&CK Techniques | 141 | T1518.001 |
|
Details | MITRE ATT&CK Techniques | 442 | T1071.001 |
|
Details | MITRE ATT&CK Techniques | 130 | T1573.001 |
|
Details | MITRE ATT&CK Techniques | 82 | T1115 |
|
Details | MITRE ATT&CK Techniques | 422 | T1041 |
|
Details | Url | 3 | https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest |
|
Details | Url | 2 | https://docs.microsoft.com/en-us/windows/win32/api/winsock/ns-winsock-linger |
|
Details | Url | 2 | https://docs.microsoft.com/en-us/windows/win32/api/winsock/nf-winsock-closesocket |
|
Details | Windows Registry Key | 2 | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\… (key path truncated in extraction) |
|
Details | Windows Registry Key | 5 | HKEY_CURRENT_USER\Software\Microsoft\Win… (key path truncated in extraction; the SparrowDoor_strings rule below references Software\Microsoft\Windows\CurrentVersion\Run) |
|
Details | Yara rule | 2 | import "pe" rule SparrowDoor_clipshot { meta: author = "NCSC" description = "The SparrowDoor loader contains a feature it calls clipshot, which logs clipboard data to a file." date = "2022-02-28" hash1 = "989b3798841d06e286eb083132242749c80fdd4d" strings: $exsting_cmp = { 8B 1E 3B 19 75 ?? 83 E8 04 83 C1 04 83 C6 04 83 F8 04 } $time_format_string = "%d/%d/%d %d:%d" $cre_fil_args = { 6A 00 68 80 00 00 00 6A 04 6A 00 6A 02 68 00 00 00 40 52 } condition: (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and all of them and (pe.imports("User32.dll", "OpenClipboard") and pe.imports("User32.dll", "GetClipboardData") and pe.imports("Kernel32.dll", "GetLocalTime") and pe.imports("Kernel32.dll", "GlobalSize")) } |
|
Details | Yara rule | 2 | rule SparrowDoor_config { meta: author = "NCSC" description = "Targets the XOR encoded loader config and shellcode in the file libhost.dll using the known position of the XOR key." date = "2022-02-28" hash1 = "c1890a6447c991880467b86a013dbeaa66cc615f" condition: (uint16(0) != 0x5A4D) and (uint16(0) != 0x8b55) and (uint32(0) ^ uint32(0x4c) == 0x00) and (uint32(0) ^ uint32(0x34) == 0x00) and (uint16(0) ^ uint16(0x50) == 0x8b55) } |
|
Details | Yara rule | 2 | rule SparrowDoor_shellcode { meta: author = "NCSC" description = "Targets code features of the reflective loader for SparrowDoor. Targeting in memory." date = "2022-02-28" hash1 = "c1890a6447c991880467b86a013dbeaa66cc615f" strings: $peb = { 8B 48 08 89 4D FC 8B 51 3C 8B 54 0A 78 8B 74 0A 20 03 D1 03 F1 B3 64 } $getp_match = { 8B 06 03 C1 80 38 47 75 34 80 78 01 65 75 2E 80 78 02 74 75 28 80 78 03 50 75 22 80 78 04 72 75 1C 80 78 06 63 75 16 80 78 05 6F 75 10 80 78 07 41 75 0A } $k_check = { 8B 48 20 8A 09 80 F9 6B 74 05 80 F9 4B 75 05 } $resolve_load_lib = { C7 45 C4 4C 6F 61 64 C7 45 C8 4C 69 62 72 C7 45 CC 61 72 79 41 C7 45 D0 00 00 00 00 FF 75 FC FF 55 E4 } condition: 3 of them } |
|
Details | Yara rule | 1 | rule SparrowDoor_sleep_routine { meta: author = "NCSC" description = "SparrowDoor implements a Sleep routine with value seeded on GetTickCount. This signature detects the previous and this variant of SparrowDoor. No MZ/PE match as the backdoor has no header. Targeting in memory." date = "2022-02-28" hash1 = "c1890a6447c991880467b86a013dbeaa66cc615f" strings: $sleep = { FF D7 33 D2 B9 [4] F7 F1 81 C2 [4] 8B C2 C1 E0 04 2B C2 03 C0 03 C0 03 C0 50 } condition: all of them } |
|
Details | Yara rule | 2 | rule SparrowDoor_xor { meta: author = "NCSC" description = "Highlights XOR routines in SparrowDoor. No MZ/PE match as the backdoor has no header. Targeting in memory." date = "2022-02-28" hash1 = "c1890a6447c991880467b86a013dbeaa66cc615f" strings: $xor_routine_outbound = { B8 39 8E E3 38 F7 E1 D1 EA 8D 14 D2 8B C1 2B C2 8A [4] 00 30 14 39 41 3B CE } $xor_routine_inbound = { B8 25 49 92 24 F7 E1 8B C1 2B C2 D1 E8 03 C2 C1 E8 02 8D 14 C5 [4] 2B D0 8B C1 2B C2 } $xor_routine_config = { 8B D9 83 E3 07 0F [6] 30 18 8D 1C 07 83 E3 07 0F [6] 30 58 01 8D 1C 28 83 E3 07 0F [6] 30 58 02 8D 1C 02 83 E3 07 0F [6] 30 58 03 8B DE 83 E3 07 0F [6] 30 58 04 83 C6 05 83 C1 05 } condition: 2 of them } |
|
Details | Yara rule | 1 | rule SparrowDoor_strings { meta: author = "NCSC" description = "Strings that appear in SparrowDoor's backdoor. Targeting in memory." date = "2022-02-28" hash1 = "c1890a6447c991880467b86a013dbeaa66cc615f" strings: $reg = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" $http_headers = { 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 35 2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 30 29 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 55 53 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A } $http_proxy = "HTTPS=HTTPS://%s:%d" $debug = "SeDebugPrivilege" $av1 = "avp.exe" $av2 = "ZhuDongFangYu.exe" $av3 = "egui.exe" $av4 = "TMBMSRV.exe" $av5 = "ccSetMgr.exe" $clipshot = "clipshot" $ComSpec = "ComSpec" $export = "curl_easy_init" condition: 10 of them } |