SYMBOLCOMMON_NAMEaka. SYNONYMS
win.chainshot (Back to overview)

Chainshot


There is no description at this point.

References
2021-07-15CitizenLabBill Marczak, John Scott-Railton, Kristin Berdan, Bahr Abdul Razzak, Ron Deibert
@online{marczak:20210715:hooking:7f3adbe, author = {Bill Marczak and John Scott-Railton and Kristin Berdan and Bahr Abdul Razzak and Ron Deibert}, title = {{Hooking Candiru Another Mercenary Spyware Vendor Comes into Focus}}, date = {2021-07-15}, organization = {CitizenLab}, url = {https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/}, language = {English}, urldate = {2021-07-20} } Hooking Candiru Another Mercenary Spyware Vendor Comes into Focus
Chainshot
2021-06-08KasperskyBoris Larin, Costin Raiu, Alexey Kulaev
@online{larin:20210608:puzzlemaker:43c7dfa, author = {Boris Larin and Costin Raiu and Alexey Kulaev}, title = {{PuzzleMaker attacks with Chrome zero-day exploit chain}}, date = {2021-06-08}, organization = {Kaspersky}, url = {https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/}, language = {English}, urldate = {2021-06-16} } PuzzleMaker attacks with Chrome zero-day exploit chain
Chainshot puzzlemaker
2019-10-03Kim Zetter
@online{zetter:20191003:researchers:3e1944a, author = {Kim Zetter}, title = {{Researchers Say They Uncovered Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC}}, date = {2019-10-03}, url = {https://www.vice.com/en_us/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec}, language = {English}, urldate = {2019-11-20} } Researchers Say They Uncovered Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC
Chainshot
2018-09-06Palo Alto Networks Unit 42Dominik Reichel, Esmid Idrizovic
@online{reichel:20180906:slicing:b6b847f, author = {Dominik Reichel and Esmid Idrizovic}, title = {{Slicing and Dicing CVE-2018-5002 Payloads: New CHAINSHOT Malware}}, date = {2018-09-06}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/09/unit42-slicing-dicing-cve-2018-5002-payloads-new-chainshot-malware/}, language = {English}, urldate = {2019-12-20} } Slicing and Dicing CVE-2018-5002 Payloads: New CHAINSHOT Malware
Chainshot
2018-06-07GigamonChenming Xu, Jason Jones, Justin Warner, Dan Caselden
@online{xu:20180607:adobe:5bedebc, author = {Chenming Xu and Jason Jones and Justin Warner and Dan Caselden}, title = {{Adobe Flash Zero-Day Leveraged for Targeted Attack in Middle East - Gigamon ATR Blog}}, date = {2018-06-07}, organization = {Gigamon}, url = {https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack}, language = {English}, urldate = {2019-07-22} } Adobe Flash Zero-Day Leveraged for Targeted Attack in Middle East - Gigamon ATR Blog
Chainshot
Yara Rules
[TLP:WHITE] win_chainshot_auto (20220411 | Detects win.chainshot.)
rule win_chainshot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.chainshot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chainshot"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33d2 b9030a0080 e8???????? 33c9 eb3b 8b6c2420 8bcd }
            // n = 7, score = 300
            //   33d2                 | mov                 ebx, eax
            //   b9030a0080           | test                eax, eax
            //   e8????????           |                     
            //   33c9                 | js                  0x1325
            //   eb3b                 | cmp                 eax, 1
            //   8b6c2420             | mov                 ebx, eax
            //   8bcd                 | test                eax, eax

        $sequence_1 = { ffd0 8905???????? b83e000080 eb14 e8???????? }
            // n = 5, score = 300
            //   ffd0                 | inc                 ebp
            //   8905????????         |                     
            //   b83e000080           | xor                 ecx, ecx
            //   eb14                 | inc                 ebp
            //   e8????????           |                     

        $sequence_2 = { ffd0 8905???????? bb06000080 895c2420 eb33 }
            // n = 5, score = 300
            //   ffd0                 | pop                 ebx
            //   8905????????         |                     
            //   bb06000080           | mov                 byte ptr [eax + 2], 6
            //   895c2420             | mov                 byte ptr [eax + 1], 9
            //   eb33                 | mov                 bl, 1

        $sequence_3 = { 754a c705????????05000000 eb67 83fa05 7539 }
            // n = 5, score = 300
            //   754a                 | mov                 ebx, edx
            //   c705????????05000000     |     
            //   eb67                 | dec                 eax
            //   83fa05               | mov                 edi, ecx
            //   7539                 | push                edi

        $sequence_4 = { e9???????? bd01000000 c70720000000 e9???????? 8bce }
            // n = 5, score = 300
            //   e9????????           |                     
            //   bd01000000           | mov                 dword ptr [esp + 0x1c], 2
            //   c70720000000         | mov                 eax, 0x151
            //   e9????????           |                     
            //   8bce                 | mov                 word ptr [ebp + 0x2c0], ax

        $sequence_5 = { 0f8251ffffff b8abaaaaaa f7e3 d1ea }
            // n = 4, score = 300
            //   0f8251ffffff         | cmovb               esi, ebp
            //   b8abaaaaaa           | dec                 ecx
            //   f7e3                 | mov                 edx, esi
            //   d1ea                 | cmove               eax, edx

        $sequence_6 = { 7461 83e802 7447 ffc8 }
            // n = 4, score = 300
            //   7461                 | mov                 dword ptr [esp + 0x14], 0x3fab0000
            //   83e802               | mov                 dword ptr [esp + 0x18], 0xa0000
            //   7447                 | mov                 word ptr [esp + 0x3fc], ax
            //   ffc8                 | mov                 eax, 0x35

        $sequence_7 = { c3 81e100000040 f7d9 1bc0 83e010 83c010 c3 }
            // n = 7, score = 300
            //   c3                   | mov                 edx, ebx
            //   81e100000040         | dec                 eax
            //   f7d9                 | mov                 ecx, esi
            //   1bc0                 | mov                 edi, eax
            //   83e010               | mov                 eax, ebp
            //   83c010               | dec                 eax
            //   c3                   | lea                 ecx, dword ptr [edi + 0x292c]

        $sequence_8 = { ffc8 0f840d110000 83e809 744a ffc8 0f8495000000 }
            // n = 6, score = 300
            //   ffc8                 | mov                 dword ptr [esp + 0x14], 0x1db00000
            //   0f840d110000         | mov                 eax, 0xc8
            //   83e809               | mov                 dword ptr [esp + 0x14], 0x1db10100
            //   744a                 | movdqu              xmmword ptr [esp + 0x7dc], xmm0
            //   ffc8                 | mov                 dword ptr [esp + 0x18], 0x60001
            //   0f8495000000         | mov                 dword ptr [esp + 0x1c], 3

        $sequence_9 = { 8b05???????? 89870c040000 8325????????00 85db }
            // n = 4, score = 300
            //   8b05????????         |                     
            //   89870c040000         | je                  0x355
            //   8325????????00       |                     
            //   85db                 | dec                 esp

    condition:
        7 of them and filesize < 802816
}
Download all Yara Rules