SYMBOLCOMMON_NAMEaka. SYNONYMS
win.chinotto (Back to overview)

Chinotto

Actor(s): APT37

VTCollection    

There is no description at this point.

References
2023-03-28ThreatMonSeyit Sigirci (@h3xecute), ThreatMon Malware Research Team
Chinotto Backdoor Technical Analysis of the APT Reaper’s Powerful Weapon
Chinotto
2023-03-21ZscalerNaveen Selvan, Sudeep Singh
The Unintentional Leak: A glimpse into the attack vectors of APT37
Chinotto
2023-03-16SekoiaThreat & Detection Research Team
Peeking at Reaper’s surveillance operations
Chinotto
2023-01-27ThorCERTDongwook Kim, Seulgi Lee, Taewoo Lee
TTPs #9: Analyzing Attack Strategies to Monitor Individuals' Daily Lives
Chinotto
2022-12-05KISAKrCERT
TTPs#9: Analyzing the attack strategy monitoring the daily life of individuals
Chinotto
2021-11-29KasperskyGReAT
ScarCruft surveilling North Korean defectors and human rights activists
Chinotto Chinotto PoorWeb
Yara Rules
[TLP:WHITE] win_chinotto_auto (20230808 | Detects win.chinotto.)
rule win_chinotto_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.chinotto."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinotto"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 034d0c 53 56 57 8b7848 8b774c }
            // n = 6, score = 100
            //   034d0c               | add                 ecx, dword ptr [ebp + 0xc]
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7848               | mov                 edi, dword ptr [eax + 0x48]
            //   8b774c               | mov                 esi, dword ptr [edi + 0x4c]

        $sequence_1 = { 6a1a e8???????? 8bd8 b906000000 be???????? 8bfb f3a5 }
            // n = 7, score = 100
            //   6a1a                 | push                0x1a
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   b906000000           | mov                 ecx, 6
            //   be????????           |                     
            //   8bfb                 | mov                 edi, ebx
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]

        $sequence_2 = { c745f800000000 8955c8 85d2 7505 ba02000000 8b461c 8bf8 }
            // n = 7, score = 100
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0
            //   8955c8               | mov                 dword ptr [ebp - 0x38], edx
            //   85d2                 | test                edx, edx
            //   7505                 | jne                 7
            //   ba02000000           | mov                 edx, 2
            //   8b461c               | mov                 eax, dword ptr [esi + 0x1c]
            //   8bf8                 | mov                 edi, eax

        $sequence_3 = { 57 8945f0 8d5801 740e 8b4e1c 2b4e40 }
            // n = 6, score = 100
            //   57                   | push                edi
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   8d5801               | lea                 ebx, [eax + 1]
            //   740e                 | je                  0x10
            //   8b4e1c               | mov                 ecx, dword ptr [esi + 0x1c]
            //   2b4e40               | sub                 ecx, dword ptr [esi + 0x40]

        $sequence_4 = { 837dfc00 7514 837dd000 0f8421080000 837e2000 0f8417080000 }
            // n = 6, score = 100
            //   837dfc00             | cmp                 dword ptr [ebp - 4], 0
            //   7514                 | jne                 0x16
            //   837dd000             | cmp                 dword ptr [ebp - 0x30], 0
            //   0f8421080000         | je                  0x827
            //   837e2000             | cmp                 dword ptr [esi + 0x20], 0
            //   0f8417080000         | je                  0x81d

        $sequence_5 = { 8d8dd0fbffff 68???????? 51 ffd6 83c418 8d95a4f1ffff 52 }
            // n = 7, score = 100
            //   8d8dd0fbffff         | lea                 ecx, [ebp - 0x430]
            //   68????????           |                     
            //   51                   | push                ecx
            //   ffd6                 | call                esi
            //   83c418               | add                 esp, 0x18
            //   8d95a4f1ffff         | lea                 edx, [ebp - 0xe5c]
            //   52                   | push                edx

        $sequence_6 = { 8b5620 57 8b7e24 8bc2 0bc7 7412 8bc2 }
            // n = 7, score = 100
            //   8b5620               | mov                 edx, dword ptr [esi + 0x20]
            //   57                   | push                edi
            //   8b7e24               | mov                 edi, dword ptr [esi + 0x24]
            //   8bc2                 | mov                 eax, edx
            //   0bc7                 | or                  eax, edi
            //   7412                 | je                  0x14
            //   8bc2                 | mov                 eax, edx

        $sequence_7 = { 8a08 40 84c9 75f9 2bc7 8b7d18 }
            // n = 6, score = 100
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   40                   | inc                 eax
            //   84c9                 | test                cl, cl
            //   75f9                 | jne                 0xfffffffb
            //   2bc7                 | sub                 eax, edi
            //   8b7d18               | mov                 edi, dword ptr [ebp + 0x18]

        $sequence_8 = { 83c434 5f 5e 33cd 8d85e0fdfcff 5b }
            // n = 6, score = 100
            //   83c434               | add                 esp, 0x34
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   33cd                 | xor                 ecx, ebp
            //   8d85e0fdfcff         | lea                 eax, [ebp - 0x30220]
            //   5b                   | pop                 ebx

        $sequence_9 = { 8b471c 50 0fafc1 034710 8d55f8 }
            // n = 5, score = 100
            //   8b471c               | mov                 eax, dword ptr [edi + 0x1c]
            //   50                   | push                eax
            //   0fafc1               | imul                eax, ecx
            //   034710               | add                 eax, dword ptr [edi + 0x10]
            //   8d55f8               | lea                 edx, [ebp - 8]

    condition:
        7 of them and filesize < 300032
}
Download all Yara Rules