win.chinoxy

Chinoxy


There is no description at this point.

References
2022-08-22 — Fortinet — Fred Gutierrez, Shunichi Imano
A Tale of PivNoxy and Chinoxy Puppeteer
Chinoxy Poison Ivy
2022-07-14 — Proofpoint — Crista Giering, Joshua Miller, Michael Raggi, Proofpoint Threat Research Team
Above the Fold and in Your Inbox: Tracing State-Aligned Activity Targeting Journalists, Media
Chinoxy APT31 Lazarus Group TA482
2021-12-08 — Recorded Future — Insikt Group®
Chinese State-Sponsored Cyber Espionage Activity Supports Expansion of Regional Power and Influence in Southeast Asia
Chinoxy FunnyDream
2021-02-28 — PWC UK — PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-01-04 — nao_sec blog — nao_sec
Royal Road! Re:Dive
8.t Dropper Chinoxy FlowCloud FunnyDream Lookback
2020-12-15 — Trend Micro — Buddy Tancio, Gilbert Sison, Lenart Bermejo
Finding APTX: Attacks via MITRE TTPs
Chinoxy
2020-11-16 — Bitdefender — Liviu Arsene, Victor Vrabie
Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions
Chinoxy FunnyDream
2020-09-16 — RiskIQ — Jon Gross
RiskIQ: Adventures in Cookie Land - Part 2
8.t Dropper Chinoxy Poison Ivy
2020-08-19 — RiskIQ — Cory Kennedy, Jon Gross
RiskIQ Adventures in Cookie Land - Part 1
8.t Dropper Chinoxy
2020-07-08 — Medium (@sevdraven) — Sébastien Larinier
How to unpack Chinoxy backdoor and decipher the configuration of the backdoor
Chinoxy
2020-03-20 — Medium Sebdraven — Sébastien Larinier
New version of chinoxy backdoor using COVID19 alerts document lure
8.t Dropper Chinoxy
Yara Rules
[TLP:WHITE] win_chinoxy_auto (20230808 | Detects win.chinoxy.)
/*
 * Autogenerated YARA-Signator rule for the Chinoxy backdoor (Malpedia family
 * win.chinoxy). It carries ten short 32-bit x86 instruction sequences lifted
 * from the disassembly of memory dumps and unpacked samples; a scanned object
 * is flagged when at least 7 of the 10 sequences are present and it is
 * smaller than 1,138,688 bytes (see the condition at the bottom).
 * Because the sequences come from unpacked code, expect the rule to miss
 * samples that are still packed on disk; run it against memory or unpacked
 * payloads for best coverage. See the generator DISCLAIMER below for the
 * single-sample caveat before assigning this rule a confidence level.
 */
rule win_chinoxy_auto {

    meta:
        // Provenance fields. date/version describe this rule file; the
        // malpedia_* fields presumably identify the Malpedia data snapshot the
        // rule was generated from (hash, version, rule-set date) — confirm
        // against the yara-signator documentation before relying on them.
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.chinoxy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinoxy"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is one contiguous run of x86 instructions. The
        // "??" bytes are wildcards for operands the generator masks out
        // (signator_config lists call/jump targets and data references), which
        // is why those rows carry no disassembly text. The "n" comment is the
        // instruction count of the sequence; "score" is the generator's own
        // ranking value.
        $sequence_0 = { 8d4704 50 ff15???????? 8d8e90200000 c744241800000000 e8???????? 85c0 }
            // n = 7, score = 100
            //   8d4704               | lea                 eax, [edi + 4]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d8e90200000         | lea                 ecx, [esi + 0x2090]
            //   c744241800000000     | mov                 dword ptr [esp + 0x18], 0
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_1 = { 8d842424010000 50 e8???????? 8b9318040000 8d8c2428010000 51 52 }
            // n = 7, score = 100
            //   8d842424010000       | lea                 eax, [esp + 0x124]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b9318040000         | mov                 edx, dword ptr [ebx + 0x418]
            //   8d8c2428010000       | lea                 ecx, [esp + 0x128]
            //   51                   | push                ecx
            //   52                   | push                edx

        // Shift/or/xor arithmetic over registers; looks like part of a hashing
        // or encoding loop, but the surrounding function is not visible here.
        $sequence_2 = { 2bcd c1e013 c1ef0d 0bc7 03ee 33c1 8bf8 }
            // n = 7, score = 100
            //   2bcd                 | sub                 ecx, ebp
            //   c1e013               | shl                 eax, 0x13
            //   c1ef0d               | shr                 edi, 0xd
            //   0bc7                 | or                  eax, edi
            //   03ee                 | add                 ebp, esi
            //   33c1                 | xor                 eax, ecx
            //   8bf8                 | mov                 edi, eax

        $sequence_3 = { 897e18 8b4c2410 895e10 895e14 8bc6 5f 5e }
            // n = 7, score = 100
            //   897e18               | mov                 dword ptr [esi + 0x18], edi
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   895e10               | mov                 dword ptr [esi + 0x10], ebx
            //   895e14               | mov                 dword ptr [esi + 0x14], ebx
            //   8bc6                 | mov                 eax, esi
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_4 = { e8???????? 85c0 741f 668b4c242c 6a08 66894802 50 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   741f                 | je                  0x21
            //   668b4c242c           | mov                 cx, word ptr [esp + 0x2c]
            //   6a08                 | push                8
            //   66894802             | mov                 word ptr [eax + 2], cx
            //   50                   | push                eax

        $sequence_5 = { 8b8ef0000000 8d86e8000000 3bc8 c744241c00000000 7405 394004 7538 }
            // n = 7, score = 100
            //   8b8ef0000000         | mov                 ecx, dword ptr [esi + 0xf0]
            //   8d86e8000000         | lea                 eax, [esi + 0xe8]
            //   3bc8                 | cmp                 ecx, eax
            //   c744241c00000000     | mov                 dword ptr [esp + 0x1c], 0
            //   7405                 | je                  7
            //   394004               | cmp                 dword ptr [eax + 4], eax
            //   7538                 | jne                 0x3a

        // Only 6 instructions: a run of 16-bit stack stores. Short, fully
        // concrete sequences like this are the most likely to collide with
        // unrelated code; weigh it accordingly when tuning.
        $sequence_6 = { 8d4c2410 6689542414 66895c2424 6689542430 66895c2438 66895c245c }
            // n = 6, score = 100
            //   8d4c2410             | lea                 ecx, [esp + 0x10]
            //   6689542414           | mov                 word ptr [esp + 0x14], dx
            //   66895c2424           | mov                 word ptr [esp + 0x24], bx
            //   6689542430           | mov                 word ptr [esp + 0x30], dx
            //   66895c2438           | mov                 word ptr [esp + 0x38], bx
            //   66895c245c           | mov                 word ptr [esp + 0x5c], bx

        $sequence_7 = { 8d8ec8020000 e8???????? 8d86d4020000 8b4c240c 894004 894008 c700???????? }
            // n = 7, score = 100
            //   8d8ec8020000         | lea                 ecx, [esi + 0x2c8]
            //   e8????????           |                     
            //   8d86d4020000         | lea                 eax, [esi + 0x2d4]
            //   8b4c240c             | mov                 ecx, dword ptr [esp + 0xc]
            //   894004               | mov                 dword ptr [eax + 4], eax
            //   894008               | mov                 dword ptr [eax + 8], eax
            //   c700????????         |                     

        // Dword copy loop (rep movsd with the count pre-divided by 4).
        $sequence_8 = { 894b10 03f2 8bd1 8bf8 c1e902 f3a5 8bca }
            // n = 7, score = 100
            //   894b10               | mov                 dword ptr [ebx + 0x10], ecx
            //   03f2                 | add                 esi, edx
            //   8bd1                 | mov                 edx, ecx
            //   8bf8                 | mov                 edi, eax
            //   c1e902               | shr                 ecx, 2
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8bca                 | mov                 ecx, edx

        // NOTE(review): this decodes to instructions no compiler emits in
        // sequence (pop ss, adc/pop with odd memory operands, sahf, dec si),
        // so it is probably data or an encrypted region that the generator
        // interpreted as code. The rule still fires without it ("7 of them"),
        // but treat it as the weakest sequence when assessing false positives.
        $sequence_9 = { 17 08cb 8291975b9c2acc 8f81509c02d5 96 9e 664e }
            // n = 7, score = 100
            //   17                   | pop                 ss
            //   08cb                 | or                  bl, cl
            //   8291975b9c2acc       | adc                 byte ptr [ecx + 0x2a9c5b97], 0xcc
            //   8f81509c02d5         | pop                 dword ptr [ecx - 0x2afd63b0]
            //   96                   | xchg                eax, esi
            //   9e                   | sahf                
            //   664e                 | dec                 si

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned
        // object must be smaller than 1,138,688 bytes (a little over 1 MiB);
        // the size cap limits the rule to small binaries and keeps scanning
        // cheap, but it also means larger memory regions or padded samples
        // will not match.
        7 of them and filesize < 1138688
}