SYMBOLCOMMON_NAMEaka. SYNONYMS
win.chainshot (Back to overview)

Chainshot


There is no description at this point.

References
2021-07-15CitizenLabBill Marczak, John Scott-Railton, Kristin Berdan, Bahr Abdul Razzak, Ron Deibert
@online{marczak:20210715:hooking:7f3adbe, author = {Bill Marczak and John Scott-Railton and Kristin Berdan and Bahr Abdul Razzak and Ron Deibert}, title = {{Hooking Candiru Another Mercenary Spyware Vendor Comes into Focus}}, date = {2021-07-15}, organization = {CitizenLab}, url = {https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/}, language = {English}, urldate = {2021-07-20} } Hooking Candiru Another Mercenary Spyware Vendor Comes into Focus
Chainshot
2021-06-08KasperskyBoris Larin, Costin Raiu, Alexey Kulaev
@online{larin:20210608:puzzlemaker:43c7dfa, author = {Boris Larin and Costin Raiu and Alexey Kulaev}, title = {{PuzzleMaker attacks with Chrome zero-day exploit chain}}, date = {2021-06-08}, organization = {Kaspersky}, url = {https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/}, language = {English}, urldate = {2021-06-16} } PuzzleMaker attacks with Chrome zero-day exploit chain
Chainshot puzzlemaker
2019-10-03Kim Zetter
@online{zetter:20191003:researchers:3e1944a, author = {Kim Zetter}, title = {{Researchers Say They Uncovered Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC}}, date = {2019-10-03}, url = {https://www.vice.com/en_us/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec}, language = {English}, urldate = {2019-11-20} } Researchers Say They Uncovered Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC
Chainshot
2018-09-06Palo Alto Networks Unit 42Dominik Reichel, Esmid Idrizovic
@online{reichel:20180906:slicing:b6b847f, author = {Dominik Reichel and Esmid Idrizovic}, title = {{Slicing and Dicing CVE-2018-5002 Payloads: New CHAINSHOT Malware}}, date = {2018-09-06}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/09/unit42-slicing-dicing-cve-2018-5002-payloads-new-chainshot-malware/}, language = {English}, urldate = {2019-12-20} } Slicing and Dicing CVE-2018-5002 Payloads: New CHAINSHOT Malware
Chainshot
2018-06-07GigamonChenming Xu, Jason Jones, Justin Warner, Dan Caselden
@online{xu:20180607:adobe:5bedebc, author = {Chenming Xu and Jason Jones and Justin Warner and Dan Caselden}, title = {{Adobe Flash Zero-Day Leveraged for Targeted Attack in Middle East - Gigamon ATR Blog}}, date = {2018-06-07}, organization = {Gigamon}, url = {https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack}, language = {English}, urldate = {2019-07-22} } Adobe Flash Zero-Day Leveraged for Targeted Attack in Middle East - Gigamon ATR Blog
Chainshot
Yara Rules
[TLP:WHITE] win_chainshot_auto (20230125 | Detects win.chainshot.)
rule win_chainshot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.chainshot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chainshot"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { bd01000000 c70703000000 ebe9 bd01000000 }
            // n = 4, score = 300
            //   bd01000000           | lea                 edx, [0xc6f3]
            //   c70703000000         | dec                 eax
            //   ebe9                 | dec                 eax
            //   bd01000000           | lea                 edx, [0x1df5]

        $sequence_1 = { 83e010 83c010 c3 85c9 7906 b804000000 }
            // n = 6, score = 300
            //   83e010               | dec                 esp
            //   83c010               | mov                 ecx, dword ptr [esp + 0x28]
            //   c3                   | dec                 esp
            //   85c9                 | mov                 edx, dword ptr [esp + 0x48]
            //   7906                 | inc                 ecx
            //   b804000000           | mov                 ebx, 0x100

        $sequence_2 = { e9???????? bd01000000 c70706000000 e9???????? bd01000000 c70707000000 e9???????? }
            // n = 7, score = 300
            //   e9????????           |                     
            //   bd01000000           | push                eax
            //   c70706000000         | mov                 ecx, dword ptr [ebp + 0xc]
            //   e9????????           |                     
            //   bd01000000           | mov                 ebx, dword ptr [ebp - 4]
            //   c70707000000         | mov                 edx, edi
            //   e9????????           |                     

        $sequence_3 = { ff15???????? 85c0 7527 b90a0b0080 eb05 b901000080 }
            // n = 6, score = 300
            //   ff15????????         |                     
            //   85c0                 | push                edi
            //   7527                 | mov                 ecx, eax
            //   b90a0b0080           | lea                 ecx, [ebp - 0xc]
            //   eb05                 | push                ebx
            //   b901000080           | push                ecx

        $sequence_4 = { 8bd8 85c0 780b 837d3000 752c }
            // n = 5, score = 300
            //   8bd8                 | jne                 0x67f
            //   85c0                 | mov                 ecx, dword ptr [edi + ebp*8 + 0x148]
            //   780b                 | cmp                 eax, 0xa
            //   837d3000             | jae                 0x891
            //   752c                 | push                edi

        $sequence_5 = { 0f8454020000 8d68fc c70726000000 e9???????? c70709000000 }
            // n = 5, score = 300
            //   0f8454020000         | dec                 esp
            //   8d68fc               | lea                 eax, [edi + 4]
            //   c70726000000         | dec                 eax
            //   e9????????           |                     
            //   c70709000000         | lea                 edx, [ebp + 0x20]

        $sequence_6 = { 8ad8 84c0 7507 b900080080 eb64 }
            // n = 5, score = 300
            //   8ad8                 | lea                 eax, [0x1e7fd]
            //   84c0                 | dec                 eax
            //   7507                 | cmp                 ebx, eax
            //   b900080080           | jne                 0x76
            //   eb64                 | dec                 eax

        $sequence_7 = { 6683f819 7705 8d4220 eb03 }
            // n = 4, score = 300
            //   6683f819             | sub                 ecx, ecx
            //   7705                 | inc                 ebp
            //   8d4220               | mov                 edx, ebx
            //   eb03                 | dec                 ecx

        $sequence_8 = { 83e819 0f8481000000 ffc8 7468 ffc8 744f }
            // n = 6, score = 300
            //   83e819               | mov                 dword ptr [esp + 0x20], eax
            //   0f8481000000         | dec                 esp
            //   ffc8                 | mov                 esi, eax
            //   7468                 | dec                 eax
            //   ffc8                 | mov                 dword ptr [ebp - 0x10], eax
            //   744f                 | dec                 esp

        $sequence_9 = { 83f818 0f8703020000 0f849b0c0000 83f80a 0f8757010000 }
            // n = 5, score = 300
            //   83f818               | mov                 ebx, 0x2000
            //   0f8703020000         | push                edi
            //   0f849b0c0000         | dec                 eax
            //   83f80a               | sub                 esp, 0x20
            //   0f8757010000         | and                 dword ptr [esp + 0x50], 0

    condition:
        7 of them and filesize < 802816
}
Download all Yara Rules