SYMBOLCOMMON_NAMEaka. SYNONYMS
win.chinotto (Back to overview)

Chinotto

Actor(s): APT37


There is no description at this point.

References
2023-03-28ThreatMonThreatMon Malware Research Team, seyitsec
@online{team:20230328:chinotto:95afa43, author = {ThreatMon Malware Research Team and seyitsec}, title = {{Chinotto Backdoor Technical Analysis of the APT Reaper’s Powerful Weapon}}, date = {2023-03-28}, organization = {ThreatMon}, url = {https://threatmon.io/chinotto-backdoor-technical-analysis-of-the-apt-reapers-powerful/}, language = {English}, urldate = {2023-03-29} } Chinotto Backdoor Technical Analysis of the APT Reaper’s Powerful Weapon
Chinotto
2023-03-16SekoiaThreat & Detection Research Team
@online{team:20230316:peeking:347803a, author = {Threat & Detection Research Team}, title = {{Peeking at Reaper’s surveillance operations}}, date = {2023-03-16}, organization = {Sekoia}, url = {https://blog.sekoia.io/peeking-at-reaper-surveillance-operations-against-north-korea-defectors/}, language = {English}, urldate = {2023-03-20} } Peeking at Reaper’s surveillance operations
Chinotto
2023-01-27ThorCERTTaewoo Lee, Dongwook Kim, Seulgi Lee
@online{lee:20230127:ttps:7fa02fb, author = {Taewoo Lee and Dongwook Kim and Seulgi Lee}, title = {{TTPs #9: Analyzing Attack Strategies to Monitor Individuals' Daily Lives}}, date = {2023-01-27}, organization = {ThorCERT}, url = {https://thorcert.notion.site/TTPs-9-f04ce99784874947978bd2947738ac92}, language = {Korean}, urldate = {2023-02-14} } TTPs #9: Analyzing Attack Strategies to Monitor Individuals' Daily Lives
Chinotto
2022-12-05KISAKrCERT
@online{krcert:20221205:ttps9:b319cfe, author = {KrCERT}, title = {{TTPs#9: Analyzing the attack strategy monitoring the daily life of individuals}}, date = {2022-12-05}, organization = {KISA}, url = {https://www.boho.or.kr/data/reportView.do?bulletin_writing_sequence=67064}, language = {Korean}, urldate = {2023-01-25} } TTPs#9: Analyzing the attack strategy monitoring the daily life of individuals
Chinotto
2021-11-29KasperskyGReAT
@online{great:20211129:scarcruft:986e7f4, author = {GReAT}, title = {{ScarCruft surveilling North Korean defectors and human rights activists}}, date = {2021-11-29}, organization = {Kaspersky}, url = {https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/}, language = {English}, urldate = {2021-12-07} } ScarCruft surveilling North Korean defectors and human rights activists
Chinotto Chinotto PoorWeb
Yara Rules
[TLP:WHITE] win_chinotto_auto (20230125 | Detects win.chinotto.)
rule win_chinotto_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.chinotto."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinotto"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e9???????? 8d14ff c1e206 03f2 8b5508 33db 89b5ecf5ffff }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8d14ff               | lea                 edx, [edi + edi*8]
            //   c1e206               | shl                 edx, 6
            //   03f2                 | add                 esi, edx
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   33db                 | xor                 ebx, ebx
            //   89b5ecf5ffff         | mov                 dword ptr [ebp - 0xa14], esi

        $sequence_1 = { 761a c7431c02000000 33c0 5f 5e 5b 8b4df8 }
            // n = 7, score = 100
            //   761a                 | jbe                 0x1c
            //   c7431c02000000       | mov                 dword ptr [ebx + 0x1c], 2
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]

        $sequence_2 = { 898c2448080000 8994244c080000 e8???????? b909000000 be???????? 8dbc2434060000 f3a5 }
            // n = 7, score = 100
            //   898c2448080000       | mov                 dword ptr [esp + 0x848], ecx
            //   8994244c080000       | mov                 dword ptr [esp + 0x84c], edx
            //   e8????????           |                     
            //   b909000000           | mov                 ecx, 9
            //   be????????           |                     
            //   8dbc2434060000       | lea                 edi, [esp + 0x634]
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]

        $sequence_3 = { 03ca bf08000000 894844 095848 3bcf 721d }
            // n = 6, score = 100
            //   03ca                 | add                 ecx, edx
            //   bf08000000           | mov                 edi, 8
            //   894844               | mov                 dword ptr [eax + 0x44], ecx
            //   095848               | or                  dword ptr [eax + 0x48], ebx
            //   3bcf                 | cmp                 ecx, edi
            //   721d                 | jb                  0x1f

        $sequence_4 = { 8b4e44 33c0 837d0804 0f94c0 d3e0 41 894e44 }
            // n = 7, score = 100
            //   8b4e44               | mov                 ecx, dword ptr [esi + 0x44]
            //   33c0                 | xor                 eax, eax
            //   837d0804             | cmp                 dword ptr [ebp + 8], 4
            //   0f94c0               | sete                al
            //   d3e0                 | shl                 eax, cl
            //   41                   | inc                 ecx
            //   894e44               | mov                 dword ptr [esi + 0x44], ecx

        $sequence_5 = { 83c14c 13c2 85c0 0f87e4000000 7209 83f9ff }
            // n = 6, score = 100
            //   83c14c               | add                 ecx, 0x4c
            //   13c2                 | adc                 eax, edx
            //   85c0                 | test                eax, eax
            //   0f87e4000000         | ja                  0xea
            //   7209                 | jb                  0xb
            //   83f9ff               | cmp                 ecx, -1

        $sequence_6 = { 50 8d8de4fbffff 68???????? 51 ffd6 8b95c8f5ffff 52 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8d8de4fbffff         | lea                 ecx, [ebp - 0x41c]
            //   68????????           |                     
            //   51                   | push                ecx
            //   ffd6                 | call                esi
            //   8b95c8f5ffff         | mov                 edx, dword ptr [ebp - 0xa38]
            //   52                   | push                edx

        $sequence_7 = { 6a00 50 c78424240200002f006500 c784242802000064006900 c784242c02000074006f00 c784243002000072002f00 c784243402000063006800 }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   50                   | push                eax
            //   c78424240200002f006500     | mov    dword ptr [esp + 0x224], 0x65002f
            //   c784242802000064006900     | mov    dword ptr [esp + 0x228], 0x690064
            //   c784242c02000074006f00     | mov    dword ptr [esp + 0x22c], 0x6f0074
            //   c784243002000072002f00     | mov    dword ptr [esp + 0x230], 0x2f0072
            //   c784243402000063006800     | mov    dword ptr [esp + 0x234], 0x680063

        $sequence_8 = { 52 ffd6 8b85c4f6ffff 50 ffd6 8d4301 5f }
            // n = 7, score = 100
            //   52                   | push                edx
            //   ffd6                 | call                esi
            //   8b85c4f6ffff         | mov                 eax, dword ptr [ebp - 0x93c]
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   8d4301               | lea                 eax, [ebx + 1]
            //   5f                   | pop                 edi

        $sequence_9 = { 7437 c7473c904b4000 8b463c 50 68???????? 52 8d45fc }
            // n = 7, score = 100
            //   7437                 | je                  0x39
            //   c7473c904b4000       | mov                 dword ptr [edi + 0x3c], 0x404b90
            //   8b463c               | mov                 eax, dword ptr [esi + 0x3c]
            //   50                   | push                eax
            //   68????????           |                     
            //   52                   | push                edx
            //   8d45fc               | lea                 eax, [ebp - 4]

    condition:
        7 of them and filesize < 300032
}
Download all Yara Rules