{ "type": "bundle", "id": "bundle--9e59d830-2063-4bc1-8588-0b54e0d0fd94", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--8a0b93da-a9d1-41b5-8d1b-7e8a105945fc", "created": "2023-03-08T14:44:38.241293Z", "modified": "2023-03-08T14:44:38.241418Z", "name": "S2W", "identity_class": "organization" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--c07138f1-66f4-423d-97d4-be1e5934f519", "value": "151.101.1.195" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d66e323f-3546-4bde-a950-503bce0c947c", "created": "2026-06-24T19:55:43.573937Z", "modified": "2026-06-24T19:55:43.573937Z", "name": "YARA Rule", "pattern": "rule Scarcruft_RUBY_Shellcode_XOR_Routine\r\n{\r\nmeta:\r\nauthor = \"S2WLAB_TALON_JACK2\"\r\ntype = \"APT\"\r\nversion = \"0.1\"\r\ndate = \"2021-05-20\"\r\nstrings:\r\n/*\r\n8B 4C 18 08 mov ecx, [eax+ebx+8]\r\nC1 C7 0D rol edi, 0Dh\r\n40 inc eax\r\nF6 C7 01 test bh, 1\r\n74 06 jz short loc_D0\r\n81 F7 97 EA AE 78 xor edi, 78AEEA97h\r\n*/\r\n$hex1 = {C1 C7 0D 40 F6 C7 01 74 ?? 81 F7}\r\n/*\r\n41 C1 C2 0D rol r10d, 0Dh\r\n41 8B C2 mov eax, r10d\r\n44 8B CA mov r9d, edx\r\n41 8B CA mov ecx, r10d\r\n41 81 F2 97 EA AE 78 xor r10d, 78AEEA97h\r\n*/\r\n$hex2 = {41 C1 C2 0D 41 8B C2 44 8B CA 41 8B CA 41 81 F2}\r\ncondition:\r\n1 of them\r\n}rule Scarcruft_evolved_ROKRAT\r\n{\r\nmeta:\r\nauthor = \"S2WLAB_TALON_JACK2\"\r\ntype = \"APT\"\r\nversion = \"0.1\"\r\ndate = \"2021-07-09\"\r\nstrings:\r\n/*\r\n0x140130f25 C744242032311223 mov dword ptr [rsp + 0x20], 0x23123132\r\n0x140130f2d C744242434455667 mov dword ptr [rsp + 0x24], 0x67564534\r\n0x140130f35 C744242878899AAB mov dword ptr [rsp + 0x28], 0xab9a8978\r\n0x140130f3d C744242C0CBDCEDF mov dword ptr [rsp + 0x2c], 0xdfcebd0c\r\n0x140130f45 C745F02B7EA516 mov dword ptr [rbp - 0x10], 0x16a57e2b\r\n0x140130f4c C745F428AED2A6 mov dword ptr [rbp - 0xc], 0xa6d2ae28\r\n0x140130f53 C745F8ABF71588 mov dword ptr [rbp - 8], 0x8815f7ab\r\n0x140130f5a C745FC09CF4F3C mov dword ptr [rbp - 4], 0x3c4fcf09\r\n*/\r\n$AES_IV_KEY = {\r\nC7 44 24 ?? 32 31 12 23\r\nC7 44 24 ?? 34 45 56 67\r\nC7 44 24 ?? 78 89 9A AB\r\nC7 44 24 ?? 0C BD CE DF\r\nC7 45 ?? 2B 7E A5 16\r\nC7 45 ?? 28 AE D2 A6\r\nC7 45 ?? AB F7 15 88\r\nC7 45 ?? 09 CF 4F 3C\r\n}/*\r\n0x14012b637 80E90F sub cl, 0xf\r\n0x14012b63a 80F1C8 xor cl, 0xc8\r\n0x14012b63d 8848FF mov byte ptr [rax - 1], cl\r\n0x14012b640 4883EA01 sub rdx, 1\r\n*/\r\n$url_deocde = {\r\n80 E9 0F\r\n80 F1 C8\r\n88 48 ??\r\n48 83 EA 01 }", "pattern_type": "yara", "valid_from": "2021-07-14T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588e06b4-d8c9-4817-92d0-b9e949a37836", "created": "2026-06-24T19:55:43.574637Z", "modified": "2026-06-24T19:55:43.574637Z", "name": "YARA Rule", "pattern": "rule Scarcruft_Reverse_BS64_Loader\r\n{\r\nmeta:\r\nauthor = \"S2WLAB_TALON_JACK2\"\r\ntype = \"APT\"\r\nversion = \"0.1\"\r\ndate = \"2021-03-09\"\r\nstrings:\r\n$require_base64 = {72657175697265202762617365363427}\r\n$require_fiddle_import = {726571756972652027666964646c652f696d706f727427}\r\n$bs64_decode64 = {4261736536342e6465636f64653634}\r\n$reverse = {2e72657665727365}\r\ncondition:\r\nall of them\r\n}", "pattern_type": "yara", "valid_from": "2021-07-14T00:00:00Z" }, { "type": "file", "spec_version": "2.1", "id": "file--e080feec-1f5a-4e6f-ad71-941a422ea519", "hashes": { "MD5": "888ed5eb170d48cf12f8716db899ec85" } }, { "type": "file", "spec_version": "2.1", "id": "file--24426b55-ae88-4490-b4c1-520934eeb24d", "hashes": { "MD5": "4df1c60bad360e3c0c5ebf8d2de998e0" } }, { "type": "file", "spec_version": "2.1", "id": "file--1655c2a1-6f57-42d4-bde7-456f61385016", "hashes": { "MD5": "5afb61fd9c0bdf9468045291cc9c4e4f" } }, { "type": "file", "spec_version": "2.1", "id": "file--d2174930-9ead-4c10-83ee-3603c6177559", "hashes": { "MD5": "6634c216fdb0067920f911a6fd1d60de" } }, { "type": "file", "spec_version": "2.1", "id": "file--21a11fff-2786-450c-b148-1b26ce1a9823", "hashes": { "MD5": "72657175697265202762617365363427" } }, { "type": "file", "spec_version": "2.1", "id": "file--77c82af9-c4f9-4e3d-81a5-e0ee9032b66c", "hashes": { "MD5": "6117403d7668593be80a0ef1ad72ba5b" } }, { "type": "email-addr", "spec_version": "2.1", "id": "email-addr--321fb53b-c362-4334-a82f-f0b3fca93abf", "value": "w4lters.jamie@yandex.com" }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--3be555f5-1f0d-5001-b84a-c6c910760fd0", "created": "2026-06-24T19:55:43.581464Z", "modified": "2026-06-24T19:55:43.581464Z", "name": "APT37" }, { "type": "report", "spec_version": "2.1", "id": "report--9212dbc3-bcc7-4a35-8b0e-6c5aeea98766", "created_by_ref": "identity--8a0b93da-a9d1-41b5-8d1b-7e8a105945fc", "created": "2026-06-24T19:55:43.585746Z", "modified": "2026-06-24T19:55:43.585746Z", "name": "Matryoshka : Variant of ROKRAT, APT37 (Scarcruft)", "published": "2021-07-14T00:00:00Z", "object_refs": [ "identity--8a0b93da-a9d1-41b5-8d1b-7e8a105945fc", "ipv4-addr--c07138f1-66f4-423d-97d4-be1e5934f519", "indicator--d66e323f-3546-4bde-a950-503bce0c947c", "indicator--588e06b4-d8c9-4817-92d0-b9e949a37836", "file--e080feec-1f5a-4e6f-ad71-941a422ea519", "file--24426b55-ae88-4490-b4c1-520934eeb24d", "file--1655c2a1-6f57-42d4-bde7-456f61385016", "file--d2174930-9ead-4c10-83ee-3603c6177559", "file--21a11fff-2786-450c-b148-1b26ce1a9823", "file--77c82af9-c4f9-4e3d-81a5-e0ee9032b66c", "email-addr--321fb53b-c362-4334-a82f-f0b3fca93abf", "threat-actor--3be555f5-1f0d-5001-b84a-c6c910760fd0" ], "external_references": [ { "source_name": "source", "url": "https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48" } ] } ] }