win.chinoxy

Chinoxy


No description of this family has been written yet; the references below are the only documentation this page provides.

References
2022-08-22 | Fortinet | Shunichi Imano, Fred Gutierrez
@online{imano:20220822:tale:9a74924,
  author       = {Imano, Shunichi and Gutierrez, Fred},
  title        = {{A Tale of PivNoxy and Chinoxy Puppeteer}},
  date         = {2022-08-22},
  organization = {Fortinet},
  url          = {https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis},
  language     = {English},
  urldate      = {2022-08-28},
}
Chinoxy Poison Ivy
2022-07-14 | Proofpoint | Crista Giering, Joshua Miller, Michael Raggi, Proofpoint Threat Research Team
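@online{giering:20220714:above:06891ca,
  author       = {Giering, Crista and Miller, Joshua and Raggi, Michael and {Proofpoint Threat Research Team}},
  title        = {{Above the Fold and in Your Inbox: Tracing State-Aligned Activity Targeting Journalists, Media}},
  date         = {2022-07-14},
  organization = {Proofpoint},
  url          = {https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists},
  language     = {English},
  urldate      = {2022-07-15},
  internal-note = {The fourth author is a corporate name; it is braced so BibTeX treats it as one surname instead of splitting it into first="Proofpoint Threat Research" last="Team".},
}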
Chinoxy
2021-12-08 | Recorded Future | Insikt Group®
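@techreport{group:20211208:chinese:98ded4d,
  author       = {{Insikt Group®}},
  title        = {{Chinese State-Sponsored Cyber Espionage Activity Supports Expansion of Regional Power and Influence in Southeast Asia}},
  date         = {2021-12-08},
  institution  = {Recorded Future},
  url          = {https://go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf},
  language     = {English},
  urldate      = {2021-12-23},
  internal-note = {Corporate author braced as a single name. The citation key prefix "group:" was derived from the mis-parsed surname "Group"; the key is kept unchanged so existing citations still resolve. The registered-sign character is UTF-8 and needs Biber/biblatex (classic BibTeX is 8-bit only).},
}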
Chinoxy FunnyDream
2021-02-28 | PWC UK | PWC UK
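@techreport{uk:20210228:cyber:bd780cd,
  author       = {{PWC UK}},
  title        = {{Cyber Threats 2020: A Year in Retrospect}},
  date         = {2021-02-28},
  institution  = {PWC UK},
  url          = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf},
  language     = {English},
  urldate      = {2021-03-04},
  internal-note = {Corporate author braced as a single name; unbraced it parses as first="PWC" last="UK", which is where the key prefix "uk:" came from. Key kept unchanged for existing citations.},
}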
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-01-04 | nao_sec blog | nao_sec
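@online{naosec:20210104:royal:041b9d3,
  author       = {{nao\_sec}},
  title        = {{Royal Road! Re:Dive}},
  date         = {2021-01-04},
  organization = {nao\_sec blog},
  url          = {https://nao-sec.org/2021/01/royal-road-redive.html},
  language     = {English},
  urldate      = {2021-01-05},
  internal-note = {Handle-style author braced as one name. The underscore in "nao_sec" is a LaTeX special character in text fields and is escaped as \_ so the bibliography typesets; the url field is left verbatim (it contains no underscore).},
}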
8.t Dropper Chinoxy FlowCloud FunnyDream Lookback
2020-12-15 | Trend Micro | Lenart Bermejo, Gilbert Sison, Buddy Tancio
@techreport{bermejo:20201215:finding:f68f005,
  author       = {Bermejo, Lenart and Sison, Gilbert and Tancio, Buddy},
  title        = {{Finding APTX: Attacks via MITRE TTPs}},
  date         = {2020-12-15},
  institution  = {Trend Micro},
  url          = {https://documents.trendmicro.com/assets/white_papers/wp-finding-APTX-attributing-attacks-via-MITRE-TTPs.pdf},
  language     = {English},
  urldate      = {2020-12-17},
}
Chinoxy
2020-11-16 | Bitdefender | Victor Vrabie, Liviu Arsene
@techreport{vrabie:20201116:dissecting:1b39d4d,
  author       = {Vrabie, Victor and Arsene, Liviu},
  title        = {{Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions}},
  date         = {2020-11-16},
  institution  = {Bitdefender},
  url          = {https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf},
  language     = {English},
  urldate      = {2020-11-18},
}
Chinoxy FunnyDream
2020-09-16 | RiskIQ | Jon Gross
@online{gross:20200916:riskiq:da4b864,
  author       = {Gross, Jon},
  title        = {{RiskIQ: Adventures in Cookie Land - Part 2}},
  date         = {2020-09-16},
  organization = {RiskIQ},
  url          = {https://community.riskiq.com/article/56fa1b2f},
  language     = {English},
  urldate      = {2020-09-23},
}
8.t Dropper Chinoxy Poison Ivy
2020-08-19 | RiskIQ | Jon Gross, Cory Kennedy
@online{gross:20200819:riskiq:94e5ccf,
  author       = {Gross, Jon and Kennedy, Cory},
  title        = {{RiskIQ Adventures in Cookie Land - Part 1}},
  date         = {2020-08-19},
  organization = {RiskIQ},
  url          = {https://community.riskiq.com/article/5fe2da7f},
  language     = {English},
  urldate      = {2020-09-23},
}
8.t Dropper Chinoxy
2020-07-08 | Medium (@sevdraven) | Sébastien Larinier
@online{larinier:20200708:how:7d692bb,
  author       = {Larinier, Sébastien},
  title        = {{How to unpack Chinoxy backdoor and decipher the configuration of the backdoor}},
  date         = {2020-07-08},
  organization = {Medium (@sevdraven)},
  url          = {https://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02},
  language     = {English},
  urldate      = {2020-07-11},
  internal-note = {Review: the organization handle "@sevdraven" does not match the "@Sebdraven" handle in the url (and the "Medium Sebdraven" organization used by the sibling larinier:20200320 entry); left as-is, verify against the source page. Author name is UTF-8 and needs Biber/biblatex.},
}
Chinoxy
2020-03-20 | Medium Sebdraven | Sébastien Larinier
@online{larinier:20200320:new:3da1211,
  author       = {Larinier, Sébastien},
  title        = {{New version of chinoxy backdoor using COVID19 alerts document lure}},
  date         = {2020-03-20},
  organization = {Medium Sebdraven},
  url          = {https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746},
  language     = {English},
  urldate      = {2020-03-26},
}
8.t Dropper Chinoxy
Yara Rules
[TLP:WHITE] win_chinoxy_auto (20230715 | Detects win.chinoxy.)
rule win_chinoxy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.chinoxy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinoxy"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes on how to read and apply this rule:
     *  - Each $sequence_N below is a short run of x86-32 instruction bytes lifted
     *    from unpacked Chinoxy code; the "n" / "score" comments are emitted by the
     *    generator and are not used by the condition.
     *  - "????????" wildcards blank out the rel32 / abs32 operands of call (e8),
     *    call [mem] (ff15) and mov ecx, imm32 (b9), so those sequences do not
     *    depend on the load address of the sample.
     *  - Because the strings come from unpacked / dumped code (see disclaimer),
     *    expect this rule to match unpacked payloads and memory, not necessarily
     *    the packed on-disk stage described in the references.
     *  - The three dates in meta (date, malpedia_rule_date, malpedia_version)
     *    differ; presumably generation vs. data-snapshot vs. publication dates.
     */

    strings:
        $sequence_0 = { 8b4804 894a04 8b10 6a01 8bc8 ff12 8b4610 }
            // n = 7, score = 100
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   894a04               | mov                 dword ptr [edx + 4], ecx
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   6a01                 | push                1
            //   8bc8                 | mov                 ecx, eax
            //   ff12                 | call                dword ptr [edx]
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]

        // NOTE(review): this sequence embeds the literal immediate 0x10015908 being
        // stored into [esi + 0x1e0]; that looks like an absolute pointer into a
        // 0x10000000-based image, so it is NOT relocation-independent. A rebased
        // copy of the same code would miss this one sequence (the "7 of them"
        // condition tolerates a few misses, but weigh it when assigning confidence).
        $sequence_1 = { 6a08 8d4620 6a38 50 e8???????? 8d8ee4010000 c786e001000008590110 }
            // n = 7, score = 100
            //   6a08                 | push                8
            //   8d4620               | lea                 eax, [esi + 0x20]
            //   6a38                 | push                0x38
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d8ee4010000         | lea                 ecx, [esi + 0x1e4]
            //   c786e001000008590110     | mov    dword ptr [esi + 0x1e0], 0x10015908

        $sequence_2 = { 7528 8b442420 8d5004 83c008 8917 5f }
            // n = 6, score = 100
            //   7528                 | jne                 0x2a
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   8d5004               | lea                 edx, [eax + 4]
            //   83c008               | add                 eax, 8
            //   8917                 | mov                 dword ptr [edi], edx
            //   5f                   | pop                 edi

        // Carries a large fixed object offset (0x17ed4); a recompiled variant with
        // a different structure layout may change it.
        $sequence_3 = { 8bf1 89742404 e8???????? 8d4e04 c744241000000000 e8???????? 8d8ed47e0100 }
            // n = 7, score = 100
            //   8bf1                 | mov                 esi, ecx
            //   89742404             | mov                 dword ptr [esp + 4], esi
            //   e8????????           |                     
            //   8d4e04               | lea                 ecx, [esi + 4]
            //   c744241000000000     | mov                 dword ptr [esp + 0x10], 0
            //   e8????????           |                     
            //   8d8ed47e0100         | lea                 ecx, [esi + 0x17ed4]

        $sequence_4 = { 8be8 8b471c 55 2bc8 6a00 51 8b4f10 }
            // n = 7, score = 100
            //   8be8                 | mov                 ebp, eax
            //   8b471c               | mov                 eax, dword ptr [edi + 0x1c]
            //   55                   | push                ebp
            //   2bc8                 | sub                 ecx, eax
            //   6a00                 | push                0
            //   51                   | push                ecx
            //   8b4f10               | mov                 ecx, dword ptr [edi + 0x10]

        // Mostly register moves and pushes around two wildcarded calls; generic
        // thiscall-style glue, so on its own this is the weakest of the ten.
        $sequence_5 = { 8bce e8???????? 53 6a00 8bce 8be8 e8???????? }
            // n = 7, score = 100
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   53                   | push                ebx
            //   6a00                 | push                0
            //   8bce                 | mov                 ecx, esi
            //   8be8                 | mov                 ebp, eax
            //   e8????????           |                     

        // Fixed offset 0x202c off edi plus a wildcarded mov ecx, imm32.
        $sequence_6 = { 85c0 0f8467040000 8b8f2c200000 8b5c2410 51 53 b9???????? }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   0f8467040000         | je                  0x46d
            //   8b8f2c200000         | mov                 ecx, dword ptr [edi + 0x202c]
            //   8b5c2410             | mov                 ebx, dword ptr [esp + 0x10]
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   b9????????           |                     

        // push 0x2733 before an indirect call, then the epilogue returns -2
        // (0xfffffffe); the constant is a good pivot when triaging a hit.
        $sequence_7 = { 7f83 6833270000 ff15???????? 5f 5e 5d b8feffffff }
            // n = 7, score = 100
            //   7f83                 | jg                  0xffffff85
            //   6833270000           | push                0x2733
            //   ff15????????         |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   b8feffffff           | mov                 eax, 0xfffffffe

        $sequence_8 = { 33ed 57 3bf5 8bd9 7507 33c0 e9???????? }
            // n = 7, score = 100
            //   33ed                 | xor                 ebp, ebp
            //   57                   | push                edi
            //   3bf5                 | cmp                 esi, ebp
            //   8bd9                 | mov                 ebx, ecx
            //   7507                 | jne                 9
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     

        $sequence_9 = { 50 ff15???????? 83c40c 8d8c2474020000 53 51 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc
            //   8d8c2474020000       | lea                 ecx, [esp + 0x274]
            //   53                   | push                ebx
            //   51                   | push                ecx

    condition:
        // At least 7 of the 10 sequences must be present, and the input must be
        // smaller than 1,138,688 bytes (~1.1 MiB). The size bound is a false-positive
        // guard against large files, not a property of the family.
        // NOTE(review): `filesize` is only meaningful for file scans; confirm how
        // the rule behaves when applied to process memory or large dumps before
        // relying on it there.
        7 of them and filesize < 1138688
}