SYMBOLCOMMON_NAMEaka. SYNONYMS
win.chainshot (Back to overview)

Chainshot

There is no description at this point.

References
2021-07-15CitizenLabBill Marczak, John Scott-Railton, Kristin Berdan, Bahr Abdul Razzak, Ron Deibert
@online{marczak:20210715:hooking:7f3adbe, author = {Bill Marczak and John Scott-Railton and Kristin Berdan and Bahr Abdul Razzak and Ron Deibert}, title = {{Hooking Candiru Another Mercenary Spyware Vendor Comes into Focus}}, date = {2021-07-15}, organization = {CitizenLab}, url = {https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/}, language = {English}, urldate = {2021-07-20} } Hooking Candiru Another Mercenary Spyware Vendor Comes into Focus
Chainshot
2021-06-08KasperskyBoris Larin, Costin Raiu, Alexey Kulaev
@online{larin:20210608:puzzlemaker:43c7dfa, author = {Boris Larin and Costin Raiu and Alexey Kulaev}, title = {{PuzzleMaker attacks with Chrome zero-day exploit chain}}, date = {2021-06-08}, organization = {Kaspersky}, url = {https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/}, language = {English}, urldate = {2021-06-16} } PuzzleMaker attacks with Chrome zero-day exploit chain
Chainshot puzzlemaker
2019-10-03Kim Zetter
@online{zetter:20191003:researchers:3e1944a, author = {Kim Zetter}, title = {{Researchers Say They Uncovered Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC}}, date = {2019-10-03}, url = {https://www.vice.com/en_us/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec}, language = {English}, urldate = {2019-11-20} } Researchers Say They Uncovered Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC
Chainshot
2018-09-06Palo Alto Networks Unit 42Dominik Reichel, Esmid Idrizovic
@online{reichel:20180906:slicing:b6b847f, author = {Dominik Reichel and Esmid Idrizovic}, title = {{Slicing and Dicing CVE-2018-5002 Payloads: New CHAINSHOT Malware}}, date = {2018-09-06}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/09/unit42-slicing-dicing-cve-2018-5002-payloads-new-chainshot-malware/}, language = {English}, urldate = {2019-12-20} } Slicing and Dicing CVE-2018-5002 Payloads: New CHAINSHOT Malware
Chainshot
2018-06-07GigamonChenming Xu, Jason Jones, Justin Warner, Dan Caselden
@online{xu:20180607:adobe:5bedebc, author = {Chenming Xu and Jason Jones and Justin Warner and Dan Caselden}, title = {{Adobe Flash Zero-Day Leveraged for Targeted Attack in Middle East - Gigamon ATR Blog}}, date = {2018-06-07}, organization = {Gigamon}, url = {https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack}, language = {English}, urldate = {2019-07-22} } Adobe Flash Zero-Day Leveraged for Targeted Attack in Middle East - Gigamon ATR Blog
Chainshot
Yara Rules
[TLP:WHITE] win_chainshot_auto (20211008 | Detects win.chainshot.)
rule win_chainshot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.chainshot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chainshot"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ffc8 0f8461100000 ffc8 740d ffc8 0f84ea100000 }
            // n = 6, score = 300
            //   ffc8                 | movdqu              xmmword ptr [ebp + 0x238], xmm0
            //   0f8461100000         | mov                 eax, 0x161
            //   ffc8                 | mov                 word ptr [ebp + 0x248], ax
            //   740d                 | dec                 eax
            //   ffc8                 | mov                 eax, 0x3ad70000
            //   0f84ea100000         | add                 byte ptr [eax], al

        $sequence_1 = { 0f8490010000 83e819 0f8481000000 ffc8 7468 }
            // n = 5, score = 300
            //   0f8490010000         | call                eax
            //   83e819               | mov                 esi, 0x8000003a
            //   0f8481000000         | jmp                 0x35a
            //   ffc8                 | call                eax
            //   7468                 | mov                 esi, 0x8000003f

        $sequence_2 = { 85c0 0f8886000000 8b06 85c0 7503 8b4610 8bd8 }
            // n = 7, score = 300
            //   85c0                 | and                 edx, 1
            //   0f8886000000         | dec                 eax
            //   8b06                 | add                 edx, eax
            //   85c0                 | inc                 esp
            //   7503                 | movsx               ebp, word ptr [edi + edx*2 + 0x968]
            //   8b4610               | inc                 ebp
            //   8bd8                 | test                ebp, ebp

        $sequence_3 = { 0f84d1000000 813850450000 0f85c5000000 83b89400000000 0f84b1000000 8bb890000000 }
            // n = 6, score = 300
            //   0f84d1000000         | lea                 eax, dword ptr [ebp - 1]
            //   813850450000         | jmp                 0x1a01
            //   0f85c5000000         | jne                 0x19c5
            //   83b89400000000       | test                eax, eax
            //   0f84b1000000         | jmp                 0x1a07
            //   8bb890000000         | mov                 esi, dword ptr [edi]

        $sequence_4 = { 7408 ffd0 8905???????? bfa3000080 e9???????? }
            // n = 5, score = 300
            //   7408                 | dec                 ebp
            //   ffd0                 | add                 eax, eax
            //   8905????????         |                     
            //   bfa3000080           | dec                 edx
            //   e9????????           |                     

        $sequence_5 = { 7410 0f1003 0f1101 f20f104b10 f20f114910 }
            // n = 5, score = 300
            //   7410                 | mov                 ecx, dword ptr [ebp - 0x10]
            //   0f1003               | dec                 eax
            //   0f1101               | mov                 edx, esi
            //   f20f104b10           | dec                 ebp
            //   f20f114910           | mov                 eax, edi

        $sequence_6 = { 33d2 b901000080 e8???????? eb36 }
            // n = 4, score = 300
            //   33d2                 | pop                 edi
            //   b901000080           | xor                 eax, ecx
            //   e8????????           |                     
            //   eb36                 | dec                 eax

        $sequence_7 = { e9???????? bd01000000 c70703000000 ebe9 bd01000000 }
            // n = 5, score = 300
            //   e9????????           |                     
            //   bd01000000           | mov                 eax, edi
            //   c70703000000         | xor                 edx, edx
            //   ebe9                 | mov                 ebx, 0x800000ac
            //   bd01000000           | jmp                 0x1b54

        $sequence_8 = { b805000000 a801 0f846f100000 8bc6 83e007 3bf0 0f83930f0000 }
            // n = 7, score = 300
            //   b805000000           | dec                 eax
            //   a801                 | lea                 edx, dword ptr [ebp + 0x10]
            //   0f846f100000         | dec                 eax
            //   8bc6                 | lea                 ecx, dword ptr [ebp - 0x20]
            //   83e007               | mov                 dword ptr [ebp - 0x20], 0x6d0065
            //   3bf0                 | mov                 dword ptr [ebp - 0x1c], 0x740065
            //   0f83930f0000         | mov                 dword ptr [ebp - 0x18], 0x64002e

        $sequence_9 = { 8bd3 ff15???????? 85c0 7527 b90a0b0080 eb05 }
            // n = 6, score = 300
            //   8bd3                 | add                 eax, esi
            //   ff15????????         |                     
            //   85c0                 | push                eax
            //   7527                 | push                esi
            //   b90a0b0080           | mov                 eax, dword ptr [ebx + 0x220]
            //   eb05                 | dec                 eax

    condition:
        7 of them and filesize < 802816
}
Download all Yara Rules