Raspberry Robin and its new anti-emulation trick
Tags
attack-pattern | Malware - T1587.001, Malware - T1588.001, Software - T1592.002 |
Common Information
Type | Value |
---|---|
UUID | 46b63aaf-463b-4c3b-904d-0465fb4f11e5 |
Fingerprint | 8260a0af61f8e4f3 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | April 3, 2024, 2:34 p.m. |
Added to db | Aug. 31, 2024, 10:52 a.m. |
Last updated | Nov. 17, 2024, 5:58 p.m. |
Headline | Raspberry Robin and its new anti-emulation trick |
Title | Raspberry Robin and its new anti-emulation trick |
Detected Hints/Tags/Attributes | 32/1/45 |
Source URLs
URL Provider
RSS Feed
Details | Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|---|
Details | 422 | ✔ | Inside The Lab - HarfangLab | https://harfanglab.io/insidethelab/feed | 2024-08-30 22:08 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 2 | | keygenguru.com |
Details | Domain | 5 | | harfanglab.io |
Details | Domain | 67 | | microsoft.windows |
Details | File | 748 | | kernel32.dll |
Details | File | 1 | | c:\myapp.exe |
Details | File | 1 | | c:\mirc c:\mirc\mirc.ini |
Details | File | 1 | | c:\mirc\script.ini |
Details | File | 1 | | hrtbddd69.dll |
Details | File | 10 | | myapp.exe |
Details | File | 1 | | c:\\mirc\\mirc.ini |
Details | File | 1 | | c:\\mirc\\script.ini |
Details | File | 5 | | mrt.exe |
Details | File | 12 | | mpengine.dll |
Details | sha256 | 1 | | 242851abe09cc5075d2ffdb8e5eba2f7dcf22712625ec02744eecb52acd6b1bf |
Details | sha256 | 1 | | 483adf61d7d932003659d5d6242eace29ea8416ec810749333793e0efa91610d |
Details | sha256 | 1 | | 50158e22481acabc56d8e3d318d6d709fcb7a9e442e76157b518d19e13f8e520 |
Details | sha256 | 1 | | 93672d67e8100bb984f866888cb042727567d302b30b91356a2b2bc8cd3f7912 |
Details | sha256 | 1 | | b5637231e25aa7da8fe925f5b97a2ccbfd082a5463b2a05d2b3221adb35e43d9 |
Details | sha256 | 1 | | b81e857427411577552d1ecdd444efaeab23ec903192812d40ab3dd69df98ec5 |
Details | sha256 | 1 | | c8d37df88009122c890cb95dc79d895d39339fe1efdcfa5e033d0aea171ffc3d |
Details | sha256 | 1 | | 10b4b7e9469366bfe459c3cd674aeab0692cfd9272fe369ef56d2811623e4866 |
Details | Pdb | 1 | | mpengine.pdb |
Details | Pdb | 1 | | msmpengcp.pdb |
Details | Pdb | 1 | | msmpengsvc.pdb |
Details | Pdb | 1 | | mpgear.pdb |
Details | Pdb | 1 | | mrtstub.pdb |
Details | Pdb | 1 | | mrt.pdb |
Details | Pdb | 2 | | ntoskrnl.pdb |
Details | Pdb | 1 | | mscorlib.pdb |
Details | Pdb | 1 | | dbghelp.pdb |
Details | Pdb | 1 | | msvcrt.pdb |
Details | Pdb | 1 | | appvisvsubsystems32.pdb |
Details | Pdb | 1 | | eventing.pdb |
Details | Pdb | 1 | | appvisvsubsystems64.pdb |
Details | Pdb | 1 | | appventsubsystems.pdb |
Details | Pdb | 1 | | shell32.pdb |
Details | Pdb | 1 | | version.pdb |
Details | Pdb | 1 | | mscoree.pdb |
Details | Pdb | 1 | | ws2_32.pdb |
Details | Pdb | 1 | | advapi32.pdb |
Details | Pdb | 1 | | appventsubsystems64.pdb |
Details | Pdb | 1 | | appventsubsystems32.pdb |
Details | Pdb | 1 | | appvisvsubsystems.pdb |
Details | Url | 1 | | https://harfanglab.io/en/insidethelab/raspberry-robin-and-its-new-anti-emulation-trick |
Details | Yara rule | 1 | | anti_emulation_defender (full rule below) |

```yara
rule anti_emulation_defender {
    meta:
        description = "Research Windows Defender Emulator artefacts that can be used as anti-emulator by malware"
        references = "https://harfanglab.io/en/insidethelab/raspberry-robin-and-its-new-anti-emulation-trick/"
        hash = "242851abe09cc5075d2ffdb8e5eba2f7dcf22712625ec02744eecb52acd6b1bf"
        date = "2024-04-03"
        author = "Harfanglab"
        context = "file"
    strings:
        $s_00 = "aaa_TouchMeNot_" ascii wide nocase
        $s_01 = "_TouchMeNot_" ascii wide nocase
        $s_03 = "C:\\myapp.exe" ascii wide nocase
        $s_04 = "C:\\Mirc\\" ascii wide nocase
        $s_05 = "C:\\Mirc\\mirc.ini" ascii wide nocase
        $s_06 = "C:\\Mirc\\script.ini" ascii wide nocase
        $s_07 = "HAL9TH" ascii wide nocase fullword
        $s_09 = "MpSockVendor" ascii wide nocase fullword
        $s_10 = "MPGoodStatus" ascii wide nocase fullword
        $s_11 = "MpDisableSehLimit" ascii wide nocase fullword
        $s_12 = "NtControlChannel" ascii wide nocase fullword
        $s_13 = "ObjMgr_ValidateVFSHandle" ascii wide nocase fullword
        $s_14 = "ThrdMgr_GetCurrentThreadHandle" ascii wide nocase fullword
        $s_15 = "ThrdMgr_SaveTEB" ascii wide nocase fullword
        $s_16 = "ThrdMgr_SwitchThreads" ascii wide nocase fullword
        $s_17 = "VFS_DeleteFileByHandle" ascii wide nocase fullword
        $s_18 = "VFS_DeleteFile" ascii wide nocase fullword
        $s_19 = "VFS_DeleteFileByHandle" ascii wide nocase fullword
        $s_20 = "VFS_FileExists" ascii wide nocase fullword
        $s_21 = "VFS_FindClose" ascii wide nocase fullword
        $s_22 = "VFS_FindFirstFile" ascii wide nocase fullword
        $s_23 = "VFS_FindNextFile" ascii wide nocase fullword
        $s_24 = "VFS_FlushViewOfFile" ascii wide nocase fullword
        $s_25 = "VFS_GetAttrib" ascii wide nocase fullword
        $s_26 = "VFS_GetHandle" ascii wide nocase fullword
        $s_27 = "VFS_GetLength" ascii wide nocase fullword
        $s_28 = "VFS_MapViewOfFile" ascii wide nocase fullword
        $s_29 = "VFS_MoveFile" ascii wide nocase fullword
        $s_30 = "VFS_Open" ascii wide nocase fullword
        $s_31 = "VFS_Read" ascii wide nocase fullword
        $s_32 = "VFS_SetAttrib" ascii wide nocase fullword
        $s_33 = "VFS_SetCurrentDir" ascii wide nocase fullword
        $s_34 = "VFS_SetLength" ascii wide nocase fullword
        $s_35 = "VFS_UnmapViewOfFile" ascii wide nocase fullword
        $s_37 = "MpAddToScanQueue" ascii wide nocase fullword
        $s_38 = "MpCreateMemoryAliasing" ascii wide nocase fullword
        $s_39 = "MpCallPostEntryPointCode" ascii wide nocase fullword
        $s_40 = "MpCallPreEntryPointCode" ascii wide nocase fullword
        $s_41 = "MpDispatchException" ascii wide nocase fullword
        $s_42 = "MpExitThread" ascii wide nocase fullword
        $s_43 = "MpFinalize" ascii wide nocase fullword
        $s_44 = "MpGetCurrentThreadHandle" ascii wide nocase fullword
        $s_45 = "MpGetCurrentThreadId" ascii wide nocase fullword
        $s_46 = "MpGetLastSwitchResult" ascii wide nocase fullword
        $s_47 = "MpGetPseudoThreadHandle" ascii wide nocase fullword
        $s_48 = "MpGetSelectorBase" ascii wide nocase fullword
        $s_49 = "MpGetVStoreFileHandle" ascii wide nocase fullword
        $s_50 = "MpHandlerCodePost" ascii wide nocase fullword
        $s_51 = "MpIntHandler" ascii wide nocase fullword
        $s_52 = "MpIntHandlerParam" ascii wide nocase fullword
        $s_53 = "MpIntHandlerReturnAddress" ascii wide nocase fullword
        $s_54 = "MpNtdllDatatSection" ascii wide nocase fullword
        $s_55 = "MpReportEvent" ascii wide nocase fullword
        $s_56 = "MpReportEventEx" ascii wide nocase fullword
        $s_57 = "MpReportEventW" ascii wide nocase fullword
        $s_58 = "MpSehHandler" ascii wide nocase fullword
        $s_59 = "MpSetSelectorBase" ascii wide nocase fullword
        $s_60 = "MpStartProcess" ascii wide nocase fullword
        $s_61 = "MpSwitchToNextThread" ascii wide nocase fullword
        $s_62 = "MpSwitchToNextThread_WithCheck" ascii wide nocase fullword
        $s_63 = "MpSwitchToNextThread_NewObjManager" ascii wide nocase fullword
        $s_64 = "MpTimerEvent" ascii wide nocase fullword
        $s_65 = "MpTimerEventData" ascii wide nocase fullword
        $s_66 = "MpUfsMetadataOp" ascii wide nocase fullword
        $s_67 = "MpValidateVFSHandle" ascii wide nocase fullword
        $s_68 = "MpVmp32Entry" ascii wide nocase fullword
        $s_69 = "MpVmp32FastEnter" ascii wide nocase fullword
        $filter_00 = "mpengine.pdb" ascii nocase
        $filter_01 = "MsMpEngCP.pdb" ascii nocase
        $filter_02 = "MsMpEngSvc.pdb" ascii nocase
        $filter_03 = "MpGear.pdb" ascii nocase
        $filter_04 = "mrtstub.pdb" ascii nocase
        $filter_05 = "mrt.pdb" ascii nocase
        $filter_06 = "ntoskrnl.pdb" ascii nocase
        $filter_07 = "mscorlib.pdb" ascii nocase
        $filter_08 = "dbghelp.pdb" ascii nocase
        $filter_09 = "msvcrt.pdb" ascii nocase
        $filter_10 = "mrt.exe" ascii wide nocase
        $filter_11 = "PEBMPAT:Obfuscator_EW2" ascii wide
        $filter_12 = "Unimplemented type change to VT_" ascii wide
        $filter_13 = "Initialize engine first!" ascii wide
        $filter_14 = "VirTool:Win32/Obfuscator" ascii wide
        $filter_15 = "VDMConsoleOperation" ascii wide
        $filter_16 = "VDMOperationStarted" ascii wide
        $filter_17 = "sigutils\\vdlls\\"
        $filter_18 = "Microsoft.Windows.MalwareRemovalTool" ascii wide
        $filter_19 = "AppVISVSubsystems32.pdb" ascii nocase
        $filter_20 = "Microsoft.AppV.ClientProgrammability.Eventing.pdb" ascii nocase
        $filter_21 = "AppVISVSubsystems64.pdb" ascii nocase
        $filter_22 = "AppVEntSubsystems.pdb" ascii nocase
        $filter_24 = "shell32.pdb" ascii nocase
        $filter_25 = "version.pdb" ascii nocase
        $filter_26 = "mscoree.pdb" ascii nocase
        $filter_27 = "ws2_32.pdb" ascii nocase
        $filter_28 = "advapi32.pdb" ascii nocase
        $filter_29 = "AppVEntSubsystems64.pdb" ascii nocase
        $filter_30 = "AppVEntSubsystems32.pdb" ascii nocase
        $filter_31 = "AppVISVSubsystems.pdb" ascii nocase
        $filter_32 = "mpengine.dll" ascii wide nocase
        $filter_33 = "VFSAPI_VFS_" ascii wide
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 5MB and 1 of ($s_*) and not 1 of ($filter*)
}
```
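The rule above hinges on three things: the file is a PE (MZ stub plus a PE signature at e_lfanew), it carries at least one string that only exists inside the Defender emulator (so a non-Defender binary referencing it is most likely probing for the emulator), and it is not one of Defender's own components, which carry those strings legitimately and are excluded through the `$filter_*` set. (The rule's `$s_17` and `$s_19` carry the same string; YARA accepts that and it does not change the result.) The following is an added example, not HarfangLab's code, that re-implements that matching logic in plain Python over a subset of the rule's strings and runs it on constructed samples, so the behaviour of the `ascii wide nocase fullword` modifiers and of the filter exclusion can be checked offline without yara-python. The `fake_pe` helper, the sample names and the fullword approximation (non-alphanumeric delimiter on each side) are this example's own assumptions.

```python
"""Pure-Python re-implementation of the matching logic of the
anti_emulation_defender YARA rule, run over constructed samples.
Illustrative code added here, not HarfangLab's; uses a subset of the
rule's strings and approximates YARA's fullword semantics."""
import re
import struct

# Subset of the rule's $s_* strings (Defender emulator artefacts). All are
# "ascii wide nocase"; the bool marks the ones the rule also tags "fullword".
ARTEFACTS = [
    ("aaa_TouchMeNot_", False),
    ("_TouchMeNot_", False),
    ("C:\\myapp.exe", False),
    ("C:\\Mirc\\mirc.ini", False),
    ("HAL9TH", True),
    ("MpSockVendor", True),
    ("NtControlChannel", True),
    ("VFS_FindFirstFile", True),
    ("MpReportEvent", True),
    ("MpVmp32Entry", True),
]

# Subset of the $filter_* strings marking Defender's own binaries, which
# legitimately carry the artefact strings. Tuple: (text, nocase, wide).
FILTERS = [
    ("mpengine.pdb", True, False),
    ("MsMpEngCP.pdb", True, False),
    ("mrt.exe", True, True),
    ("mpengine.dll", True, True),
    ("VirTool:Win32/Obfuscator", False, True),
    ("VFSAPI_VFS_", False, True),
]

FILESIZE_LIMIT = 5 * 1024 * 1024   # YARA's "filesize < 5MB"


def _patterns(text, nocase, wide, fullword):
    """Compile the byte regexes implied by YARA's ascii/wide/nocase/fullword."""
    flags = re.IGNORECASE if nocase else 0      # re.I on bytes folds ASCII letters only
    ascii_pat = re.escape(text.encode("ascii"))
    if fullword:                                # delimited by non-alphanumerics
        ascii_pat = rb"(?<![A-Za-z0-9])" + ascii_pat + rb"(?![A-Za-z0-9])"
    pats = [re.compile(ascii_pat, flags)]
    if wide:                                    # "wide" = UTF-16LE encoding
        wide_pat = re.escape(text.encode("utf-16-le"))
        if fullword:
            wide_pat = rb"(?<![A-Za-z0-9]\x00)" + wide_pat + rb"(?![A-Za-z0-9]\x00)"
        pats.append(re.compile(wide_pat, flags))
    return pats


def is_pe(data):
    """uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550, i.e. 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def evaluate(data):
    """Return which artefacts/filters hit and whether the whole condition holds."""
    hits = [t for t, fw in ARTEFACTS
            if any(p.search(data) for p in _patterns(t, True, True, fw))]
    excluded = [t for t, nocase, wide in FILTERS
                if any(p.search(data) for p in _patterns(t, nocase, wide, False))]
    match = is_pe(data) and len(data) < FILESIZE_LIMIT and bool(hits) and not excluded
    return {"match": match, "artefacts": hits, "filters": excluded}


def fake_pe(*payload):
    """Constructed MZ/PE stub (not a runnable executable) carrying the given strings."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew -> PE signature at 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 60 + b"\x00".join(payload)


# Constructed samples, not real malware.
SAMPLES = {
    "checks_emulator": fake_pe(b"kernel32.dll", b"HAL9TH", b"C:\\myapp.exe"),
    "checks_emulator_wide": fake_pe("MpSockVendor".encode("utf-16-le")),
    "defender_engine": fake_pe(b"hal9th", b"mpengine.pdb"),   # excluded by $filter_00
    "not_a_pe": b"\x7fELF" + b"HAL9TH" * 3,                     # MZ/PE check fails
    "substring_only": fake_pe(b"xHAL9THx"),                     # fullword fails
}


def scan_samples():
    return {name: evaluate(data)["match"] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:22s} {evaluate(data)}")
```

The `defender_engine` sample is the case the `$filter_*` set exists for: it contains an artefact string, yet the `mpengine.pdb` path marks it as Defender's own engine and the rule stays silent. When tuning the real rule, the same trick applies in reverse: a sample that goes quiet after adding a filter string should be checked for whether it actually is a Microsoft component, or a piece of malware that embedded one of the filter strings to slip past the exclusion.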