ExportEngine: Find Evil by PE Export DLL Names

(a #dailyyara thread)

PE files with exported functions often contain an image directory entry that we usually call something like "PE DLL name" or "export DLL name".

This string is "analytically rich" and is surfaced in many tools.
Here in a sample of EVILTOSS (APT29) we see lots of valuable metadata in the IMAGE_EXPORT_DIRECTORY, but it also contains the plain-as-day export DLL name "install_com_x32_as_dll.exe".
The export DLL name string contains enough predictable developer conventions that you can use simple Yara rules to surface, cluster, and detect/hunt for malicious activity that might otherwise be missed (similar to my prior research on ConventionEngine and PDB paths). Let's look...
Would developers be predictable enough to use x<architecture> in their export DLL names? You bet:

loader(x64).dll
pupyx64d.dll
uacdll(x64).dll
x86Dll.dll
tindll_x86.dll
reflective_dll.x64.dll

Predictable convention for all devs perhaps, but a strong presence in malware too.
I'm tracking over 50 unique malware families with x(32|64|86) in the export DLL name, including:

hotcore
airbreak
crosswalk
kpot
lootjack
scrapmint
ransack
dridex
wavekey
cozycar
childsplay
blackcoffee
apocalipto
highnoon
frontshell
stalemate
rdfsniffer
trickbot
anchor
cozycar
redmage
soregut
whiteout
badflick
sleepykey
zxshell
babymetal
carbanak
poet
irishmate
pupyrat
milotrick
crosswalk
jumpkick
slub
slowpeek
bullstand
pillowmint
navrat
fiddlewood
beacon
bookpigeon
whinybear
wonderland
miniswipe
wetlink
torrentlocker
sadflower
eviltoss
xthief
uroburos
meterpreter
cardswipe
pocodownloader
bossnail
birdpen
darkmirror
facade
What about actors or threat groups? For JUST malware that has x(32|64|86) in the export DLL name, I see at the very least:

apt19
apt29
apt33
apt34
apt35
apt38
apt40
apt41
fin6
fin7

and 30+ UNC groups, including our own @Mandiant red team -- I see y'all :D
The Yara rules for this are easy as pie now that our friends have made some great enhancements to the PE module. Courtesy of @wxs and co, you can use a PCRE or string match at IMAGE_DIRECTORY_ENTRY_EXPORT + 12.

gist.github.com/stvemillertime…
APT41's latest rampage involved a custom loader for BEACON shellcode, and in each one they used the "loader_" as a prefix in their export DLL name. To the #dailyyara machine!

gist.github.com/stvemillertime…
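To show what the "+12" in the two rules above is reading, and how the x(32|64|86) and "loader_" conventions turn into checks, here is an added Python example (not the author's gist or Yara): it walks the PE headers to the export directory, reads the Name RVA at offset 12 of IMAGE_EXPORT_DIRECTORY, and tests the resulting string against a hypothetical ExportEngine-style convention list. The sample PE is constructed inline by build_sample_pe and is not a real binary.

```python
import re
import struct

# Hypothetical ExportEngine-style conventions, built from the thread's own examples.
CONVENTIONS = {
    "arch_in_name": re.compile(r"x(32|64|86)", re.I),   # loader(x64).dll, tindll_x86.dll
    "loader_prefix": re.compile(r"^loader_", re.I),     # the APT41 BEACON loader prefix
    "exe_extension": re.compile(r"\.exe$", re.I),       # install_com_x32_as_dll.exe
    "odd_chars": re.compile(r"[^A-Za-z0-9_.()\-]"),     # spaces, non-ASCII, metacharacters
}

def rva_to_offset(sections, rva):
    for vsize, vaddr, rawsize, rawptr in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
    return None

def export_dll_name(data):
    """Return IMAGE_EXPORT_DIRECTORY.Name (the string at export dir + 12), or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        return None
    nsect, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    dd = opt + (112 if struct.unpack_from("<H", data, opt)[0] == 0x20B else 96)  # PE32+ / PE32 data dirs
    export_rva = struct.unpack_from("<I", data, dd)[0]                           # entry 0 = EXPORT
    if struct.unpack_from("<I", data, dd - 4)[0] == 0 or export_rva == 0:        # NumberOfRvaAndSizes
        return None
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsect)]
    edir = rva_to_offset(sections, export_rva)
    name_off = None if edir is None else rva_to_offset(sections, struct.unpack_from("<I", data, edir + 12)[0])
    if name_off is None:
        return None
    return data[name_off:data.index(b"\0", name_off)].decode("latin-1")

def export_conventions(data):
    """Name plus the sorted list of convention keys it triggers (empty if no export name)."""
    name = export_dll_name(data)
    return name, sorted(k for k, rx in CONVENTIONS.items() if name and rx.search(name))

def build_sample_pe(dll_name):  # constructed input: minimal PE32+, one section holding the export dir
    sect_rva, sect_raw = 0x1000, 0x200
    edir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, sect_rva + 40, 1, 0, 0, 0, 0, 0)  # Name RVA at +12
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)           # up to NumberOfRvaAndSizes
    opt += struct.pack("<II", sect_rva, 40) + b"\0" * 120                           # 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x2022)
    sect = b".edata".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x200, sect_rva, 0x200, sect_raw, 0, 0, 0, 0, 0x40000040)
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sect
    return hdr.ljust(sect_raw, b"\0") + (edir + dll_name + b"\0").ljust(0x200, b"\0")
```

Run export_conventions over a directory of samples and pivot on the returned keys the same way you would on a Yara rule name; the convention list is the part you extend.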
What about some other export DLL things, though? You can take this template and adapt it for what you need: keywords, anomalies, weird extensions, single characters, unusual characters, etc. There are lots of options and ways to flesh this out (which I am working on now).
Many of my ConventionEngine keywords and anomalies will apply to ExportEngine.

github.com/stvemillertime…

fireeye.com/blog/threat-re…

Once you've maxed out your Yara ideas for the export DLL name string itself, you can move on to export function names and function anomalies.
In these trying times, don't forget to check out ExportEngine/SwearEngine crossovers. I kid you not, there are developers who routinely use fuck.dll as an export name.

Do you lol while you code?

Not only is this export DLL name "lol.dll" but the PDB path shows that this developer has fun while coding.

F:\WORK 源码\lol\Release\lol.pdb
Some malware developers don't feel like sugar coating it. Anyone wonder what this export DLL name means?
That wraps up today's #dailyyara thread. Hope this illustrates the potential for the artifact. I plan to publish more comprehensive research (along with dozens of Yara discovery rules) for export DLL shenanigans and developer conventions later this year. Thanks all for reading!