SYMBOLCOMMON_NAMEaka. SYNONYMS
win.chainshot (Back to overview)

Chainshot


There is no description at this point.

References
2021-07-15CitizenLabBill Marczak, John Scott-Railton, Kristin Berdan, Bahr Abdul Razzak, Ron Deibert
@online{marczak:20210715:hooking:7f3adbe, author = {Bill Marczak and John Scott-Railton and Kristin Berdan and Bahr Abdul Razzak and Ron Deibert}, title = {{Hooking Candiru Another Mercenary Spyware Vendor Comes into Focus}}, date = {2021-07-15}, organization = {CitizenLab}, url = {https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/}, language = {English}, urldate = {2021-07-20} } Hooking Candiru Another Mercenary Spyware Vendor Comes into Focus
Chainshot
2021-06-08KasperskyBoris Larin, Costin Raiu, Alexey Kulaev
@online{larin:20210608:puzzlemaker:43c7dfa, author = {Boris Larin and Costin Raiu and Alexey Kulaev}, title = {{PuzzleMaker attacks with Chrome zero-day exploit chain}}, date = {2021-06-08}, organization = {Kaspersky}, url = {https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/}, language = {English}, urldate = {2021-06-16} } PuzzleMaker attacks with Chrome zero-day exploit chain
Chainshot puzzlemaker
2019-10-03Kim Zetter
@online{zetter:20191003:researchers:3e1944a, author = {Kim Zetter}, title = {{Researchers Say They Uncovered Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC}}, date = {2019-10-03}, url = {https://www.vice.com/en_us/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec}, language = {English}, urldate = {2019-11-20} } Researchers Say They Uncovered Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC
Chainshot
2018-09-06Palo Alto Networks Unit 42Dominik Reichel, Esmid Idrizovic
@online{reichel:20180906:slicing:b6b847f, author = {Dominik Reichel and Esmid Idrizovic}, title = {{Slicing and Dicing CVE-2018-5002 Payloads: New CHAINSHOT Malware}}, date = {2018-09-06}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/09/unit42-slicing-dicing-cve-2018-5002-payloads-new-chainshot-malware/}, language = {English}, urldate = {2019-12-20} } Slicing and Dicing CVE-2018-5002 Payloads: New CHAINSHOT Malware
Chainshot
2018-06-07GigamonChenming Xu, Jason Jones, Justin Warner, Dan Caselden
@online{xu:20180607:adobe:5bedebc, author = {Chenming Xu and Jason Jones and Justin Warner and Dan Caselden}, title = {{Adobe Flash Zero-Day Leveraged for Targeted Attack in Middle East - Gigamon ATR Blog}}, date = {2018-06-07}, organization = {Gigamon}, url = {https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack}, language = {English}, urldate = {2019-07-22} } Adobe Flash Zero-Day Leveraged for Targeted Attack in Middle East - Gigamon ATR Blog
Chainshot
Yara Rules
[TLP:WHITE] win_chainshot_auto (20220808 | Detects win.chainshot.)
rule win_chainshot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.chainshot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chainshot"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0f844e0e0000 ffc8 0f84d8110000 ffc8 }
            // n = 4, score = 300
            //   0f844e0e0000         | dec                 ebp
            //   ffc8                 | je                  0x2cf
            //   0f84d8110000         | test                edx, edx
            //   ffc8                 | je                  0x2cf

        $sequence_1 = { bd01000000 c70703000000 ebe9 bd01000000 c7070b000000 }
            // n = 5, score = 300
            //   bd01000000           | inc                 ecx
            //   c70703000000         | cmp                 edi, edi
            //   ebe9                 | mov                 dword ptr [esp + 0x20], esp
            //   bd01000000           | int3                
            //   c7070b000000         | dec                 eax

        $sequence_2 = { 7708 7519 66892c5f eb13 66892c5f be7a000780 eb08 }
            // n = 7, score = 300
            //   7708                 | test                eax, eax
            //   7519                 | je                  0x207
            //   66892c5f             | call                eax
            //   eb13                 | mov                 ecx, 0x80000043
            //   66892c5f             | jmp                 0x27c
            //   be7a000780           | dec                 eax
            //   eb08                 | test                eax, eax

        $sequence_3 = { 754a c705????????05000000 eb67 83fa05 7539 }
            // n = 5, score = 300
            //   754a                 | dec                 eax
            //   c705????????05000000     |     
            //   eb67                 | mov                 edx, dword ptr [esp + 0x80]
            //   83fa05               | dec                 eax
            //   7539                 | dec                 esp

        $sequence_4 = { 84db 7507 b929080080 eb19 }
            // n = 4, score = 300
            //   84db                 | dec                 eax
            //   7507                 | jne                 0x115
            //   b929080080           | mov                 ebx, 0x80000005
            //   eb19                 | jne                 0x11c

        $sequence_5 = { 85c0 7407 b908000080 eb21 }
            // n = 4, score = 300
            //   85c0                 | jne                 0x30
            //   7407                 | inc                 ecx
            //   b908000080           | cmp                 al, dl
            //   eb21                 | jne                 0xdf

        $sequence_6 = { ffc8 0f84d8110000 ffc8 0f8423110000 ffc8 }
            // n = 5, score = 300
            //   ffc8                 | mov                 ecx, esi
            //   0f84d8110000         | lea                 edx, [ebp - 0x30]
            //   ffc8                 | inc                 ebp
            //   0f8423110000         | lea                 eax, [ecx + 0x2c]
            //   ffc8                 | dec                 eax

        $sequence_7 = { e8???????? 85c0 0f8891000000 8b0f 85c9 7503 8b4f10 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   85c0                 | mov                 dword ptr [esp + 0x40], ecx
            //   0f8891000000         | mov                 byte ptr [ecx], al
            //   8b0f                 | dec                 ecx
            //   85c9                 | inc                 ecx
            //   7503                 | dec                 eax
            //   8b4f10               | dec                 ecx

        $sequence_8 = { b902070080 ebd9 ff15???????? 3db7000000 750a }
            // n = 5, score = 300
            //   b902070080           | dec                 ecx
            //   ebd9                 | mov                 edx, esp
            //   ff15????????         |                     
            //   3db7000000           | jmp                 0x11f
            //   750a                 | dec                 eax

        $sequence_9 = { 8ad8 84c0 7507 b901080080 ebde }
            // n = 5, score = 300
            //   8ad8                 | jmp                 0x75
            //   84c0                 | mov                 ecx, 0x201
            //   7507                 | jne                 0xc6
            //   b901080080           | mov                 ecx, 0x80000801
            //   ebde                 | jmp                 0x113

    condition:
        7 of them and filesize < 802816
}
Download all Yara Rules