win.chinoxy

Chinoxy


There is no description at this point.

References
2021-02-28 — PWC UK — PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Ransomware Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Ransomware Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-01-04 — nao_sec blog — nao_sec
@online{naosec:20210104:royal:041b9d3, author = {nao_sec}, title = {{Royal Road! Re:Dive}}, date = {2021-01-04}, organization = {nao_sec blog}, url = {https://nao-sec.org/2021/01/royal-road-redive.html}, language = {English}, urldate = {2021-01-05} } Royal Road! Re:Dive
8.t Dropper Chinoxy FlowCloud FunnyDream Lookback
2020-12-15 — Trend Micro — Lenart Bermejo, Gilbert Sison, Buddy Tancio
@techreport{bermejo:20201215:finding:f68f005, author = {Lenart Bermejo and Gilbert Sison and Buddy Tancio}, title = {{Finding APTX: Attacks via MITRE TTPs}}, date = {2020-12-15}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-finding-APTX-attributing-attacks-via-MITRE-TTPs.pdf}, language = {English}, urldate = {2020-12-17} } Finding APTX: Attacks via MITRE TTPs
Chinoxy
2020-11-16 — Bitdefender — Victor Vrabie, Liviu Arsene
@techreport{vrabie:20201116:dissecting:1b39d4d, author = {Victor Vrabie and Liviu Arsene}, title = {{Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions}}, date = {2020-11-16}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf}, language = {English}, urldate = {2020-11-18} } Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions
Chinoxy FunnyDream
2020-09-16 — RiskIQ — Jon Gross
@online{gross:20200916:riskiq:da4b864, author = {Jon Gross}, title = {{RiskIQ: Adventures in Cookie Land - Part 2}}, date = {2020-09-16}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/56fa1b2f}, language = {English}, urldate = {2020-09-23} } RiskIQ: Adventures in Cookie Land - Part 2
8.t Dropper Chinoxy Poison Ivy
2020-08-19 — RiskIQ — Jon Gross, Cory Kennedy
@online{gross:20200819:riskiq:94e5ccf, author = {Jon Gross and Cory Kennedy}, title = {{RiskIQ Adventures in Cookie Land - Part 1}}, date = {2020-08-19}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/5fe2da7f}, language = {English}, urldate = {2020-09-23} } RiskIQ Adventures in Cookie Land - Part 1
8.t Dropper Chinoxy
2020-07-08 — Medium (@sevdraven) — Sébastien Larinier
@online{larinier:20200708:how:7d692bb, author = {Sébastien Larinier}, title = {{How to unpack Chinoxy backdoor and decipher the configuration of the backdoor}}, date = {2020-07-08}, organization = {Medium (@sevdraven)}, url = {https://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02}, language = {English}, urldate = {2020-07-11} } How to unpack Chinoxy backdoor and decipher the configuration of the backdoor
Chinoxy
2020-03-20 — Medium Sebdraven — Sébastien Larinier
@online{larinier:20200320:new:3da1211, author = {Sébastien Larinier}, title = {{New version of chinoxy backdoor using COVID19 alerts document lure}}, date = {2020-03-20}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746}, language = {English}, urldate = {2020-03-26} } New version of chinoxy backdoor using COVID19 alerts document lure
8.t Dropper Chinoxy
Yara Rules
[TLP:WHITE] win_chinoxy_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_chinoxy_auto {

    /* Autogenerated code-signature rule for the Chinoxy Windows backdoor.
     * Each $sequence_N below is a short run of x86 instruction bytes taken from
     * disassembly; the "??" bytes are wildcards for operands that vary between
     * builds (call/jump targets and data references), matching the
     * signator_config "callsandjumps;datarefs;binvalue" in the meta section.
     * Because the rule was generated from Malpedia's sample set (possibly a
     * single sample, see DISCLAIMER), treat a hit as a strong lead rather than
     * proof of the family and corroborate it with the analyses referenced above.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // date is the rule emission date; malpedia_version presumably names the
        // dataset snapshot the rule was generated from (20201023) — confirm.
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinoxy"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Ten byte sequences follow; the "n" in each annotation is the number of
        // instructions in the sequence and "score" is the generator's ranking.
        $sequence_0 = { 8b06 33d0 33c0 89542414 8bfa 8a442416 c1ef18 }
            // n = 7, score = 100
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   33d0                 | xor                 edx, eax
            //   33c0                 | xor                 eax, eax
            //   89542414             | mov                 dword ptr [esp + 0x14], edx
            //   8bfa                 | mov                 edi, edx
            //   8a442416             | mov                 al, byte ptr [esp + 0x16]
            //   c1ef18               | shr                 edi, 0x18

        $sequence_1 = { 6833270000 ff15???????? 5f 5e 5d b8feffffff }
            // n = 6, score = 100
            //   6833270000           | push                0x2733
            //   ff15????????         |                     (indirect call; target wildcarded)
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   b8feffffff           | mov                 eax, 0xfffffffe

        $sequence_2 = { 50 8bcf e8???????? 3bc6 5e c7442428ffffffff 8d4c2404 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     (relative call; target wildcarded)
            //   3bc6                 | cmp                 eax, esi
            //   5e                   | pop                 esi
            //   c7442428ffffffff     | mov                 dword ptr [esp + 0x28], 0xffffffff
            //   8d4c2404             | lea                 ecx, [esp + 4]

        $sequence_3 = { c644243002 e8???????? 68???????? 6800100000 8d5740 6a14 52 }
            // n = 7, score = 100
            //   c644243002           | mov                 byte ptr [esp + 0x30], 2
            //   e8????????           |                     (relative call; target wildcarded)
            //   68????????           |                     (push imm32; data reference wildcarded)
            //   6800100000           | push                0x1000
            //   8d5740               | lea                 edx, [edi + 0x40]
            //   6a14                 | push                0x14
            //   52                   | push                edx

        $sequence_4 = { 6a00 85c0 0f849e000000 8d4f34 6a08 51 e8???????? }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   85c0                 | test                eax, eax
            //   0f849e000000         | je                  0xa4
            //   8d4f34               | lea                 ecx, [edi + 0x34]
            //   6a08                 | push                8
            //   51                   | push                ecx
            //   e8????????           |                     (relative call; target wildcarded)

        $sequence_5 = { 8b591c 33eb 33db 33c5 89442414 8be8 8a5c2416 }
            // n = 7, score = 100
            //   8b591c               | mov                 ebx, dword ptr [ecx + 0x1c]
            //   33eb                 | xor                 ebp, ebx
            //   33db                 | xor                 ebx, ebx
            //   33c5                 | xor                 eax, ebp
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   8be8                 | mov                 ebp, eax
            //   8a5c2416             | mov                 bl, byte ptr [esp + 0x16]

        $sequence_6 = { 7406 8b01 6a01 ff10 8b442410 83c304 48 }
            // n = 7, score = 100
            //   7406                 | je                  8
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   6a01                 | push                1
            //   ff10                 | call                dword ptr [eax]
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   83c304               | add                 ebx, 4
            //   48                   | dec                 eax

        $sequence_7 = { 5b c20400 8b06 8bce ff503c 5f }
            // n = 6, score = 100
            //   5b                   | pop                 ebx
            //   c20400               | ret                 4
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8bce                 | mov                 ecx, esi
            //   ff503c               | call                dword ptr [eax + 0x3c]
            //   5f                   | pop                 edi

        $sequence_8 = { 8bc8 894310 8d343a 8bd1 c1e902 f3a5 8bca }
            // n = 7, score = 100
            //   8bc8                 | mov                 ecx, eax
            //   894310               | mov                 dword ptr [ebx + 0x10], eax
            //   8d343a               | lea                 esi, [edx + edi]
            //   8bd1                 | mov                 edx, ecx
            //   c1e902               | shr                 ecx, 2
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8bca                 | mov                 ecx, edx

        $sequence_9 = { 83c404 85c0 8984f2905f0100 7453 }
            // n = 4, score = 100
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   8984f2905f0100       | mov                 dword ptr [edx + esi*8 + 0x15f90], eax
            //   7453                 | je                  0x55

    condition:
        // Fire when at least 7 of the 10 sequences are present and the scanned
        // object is smaller than 1138688 bytes (~1.09 MiB). `filesize` is only
        // defined when scanning a file; for process-memory scans this clause may
        // keep the rule from matching — confirm behaviour in your deployment.
        7 of them and filesize < 1138688
}