win.chinoxy

Chinoxy


There is no description at this point.

References
2021-02-28 | PWC UK | PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-01-04 | nao_sec blog | nao_sec
@online{naosec:20210104:royal:041b9d3, author = {nao_sec}, title = {{Royal Road! Re:Dive}}, date = {2021-01-04}, organization = {nao_sec blog}, url = {https://nao-sec.org/2021/01/royal-road-redive.html}, language = {English}, urldate = {2021-01-05} } Royal Road! Re:Dive
8.t Dropper Chinoxy FlowCloud FunnyDream Lookback
2020-12-15 | Trend Micro | Lenart Bermejo, Gilbert Sison, Buddy Tancio
@techreport{bermejo:20201215:finding:f68f005, author = {Lenart Bermejo and Gilbert Sison and Buddy Tancio}, title = {{Finding APTX: Attacks via MITRE TTPs}}, date = {2020-12-15}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-finding-APTX-attributing-attacks-via-MITRE-TTPs.pdf}, language = {English}, urldate = {2020-12-17} } Finding APTX: Attacks via MITRE TTPs
Chinoxy
2020-11-16 | Bitdefender | Victor Vrabie, Liviu Arsene
@techreport{vrabie:20201116:dissecting:1b39d4d, author = {Victor Vrabie and Liviu Arsene}, title = {{Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions}}, date = {2020-11-16}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf}, language = {English}, urldate = {2020-11-18} } Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions
Chinoxy FunnyDream
2020-09-16 | RiskIQ | Jon Gross
@online{gross:20200916:riskiq:da4b864, author = {Jon Gross}, title = {{RiskIQ: Adventures in Cookie Land - Part 2}}, date = {2020-09-16}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/56fa1b2f}, language = {English}, urldate = {2020-09-23} } RiskIQ: Adventures in Cookie Land - Part 2
8.t Dropper Chinoxy Poison Ivy
2020-08-19 | RiskIQ | Jon Gross, Cory Kennedy
@online{gross:20200819:riskiq:94e5ccf, author = {Jon Gross and Cory Kennedy}, title = {{RiskIQ Adventures in Cookie Land - Part 1}}, date = {2020-08-19}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/5fe2da7f}, language = {English}, urldate = {2020-09-23} } RiskIQ Adventures in Cookie Land - Part 1
8.t Dropper Chinoxy
2020-07-08 | Medium (@sevdraven) | Sébastien Larinier
@online{larinier:20200708:how:7d692bb, author = {Sébastien Larinier}, title = {{How to unpack Chinoxy backdoor and decipher the configuration of the backdoor}}, date = {2020-07-08}, organization = {Medium (@sevdraven)}, url = {https://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02}, language = {English}, urldate = {2020-07-11} } How to unpack Chinoxy backdoor and decipher the configuration of the backdoor
Chinoxy
2020-03-20 | Medium Sebdraven | Sébastien Larinier
@online{larinier:20200320:new:3da1211, author = {Sébastien Larinier}, title = {{New version of chinoxy backdoor using COVID19 alerts document lure}}, date = {2020-03-20}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746}, language = {English}, urldate = {2020-03-26} } New version of chinoxy backdoor using COVID19 alerts document lure
8.t Dropper Chinoxy
Yara Rules
[TLP:WHITE] win_chinoxy_auto (20210616 | Detects win.chinoxy.)
rule win_chinoxy_auto {
    /* Auto-generated code-sequence signature for the Chinoxy backdoor (win.chinoxy).
     * Each $sequence_N is a short run of x86 machine code lifted from the disassembly
     * of unpacked / memory-dumped samples; "??" bytes are wildcards standing in for
     * call and jump targets that differ between builds. The rule is meant for
     * unpacked code (see DISCLAIMER below), so apply it to memory dumps or unpacked
     * files rather than to packed droppers.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.chinoxy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinoxy"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Error-return epilogue (eax = -1, pop, ret) followed by the start of an
        // adjacent routine that adds 0xf to a value, calls an import and stores
        // the result. NOTE(review): +0xf before an import call looks like a size
        // rounded up to 16 - the masking AND is outside the sequence, unconfirmed.
        $sequence_0 = { 83c8ff 5b c3 83c00f 50 ff15???????? 8944241c }
            // n = 7, score = 100
            //   83c8ff               | or                  eax, 0xffffffff
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   83c00f               | add                 eax, 0xf
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax

        // Null-checks a saved value, calls an import and compares its result with
        // 0x2733 (decimal 10035). NOTE(review): 10035 is WSAEWOULDBLOCK, so this is
        // plausibly a WSAGetLastError() check in non-blocking socket code - the
        // import target is wildcarded, so confirm against a sample.
        $sequence_1 = { eb2b 8b44241c 85c0 745b ff15???????? 3d33270000 754e }
            // n = 7, score = 100
            //   eb2b                 | jmp                 0x2d
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   85c0                 | test                eax, eax
            //   745b                 | je                  0x5d
            //   ff15????????         |                     
            //   3d33270000           | cmp                 eax, 0x2733
            //   754e                 | jne                 0x50

        // Builds a 32-bit rotate of edx from two shifts: (edx << 25) | (edx >> 7),
        // i.e. rotate-left by 25 (equivalently rotate-right by 7), then xors edx into
        // edi. Shift/or/xor chains like this are typical of hash or cipher rounds
        // in custom config/traffic encoding - which primitive it is cannot be told
        // from these six instructions alone.
        $sequence_2 = { 8bca 8bc2 c1e119 c1e807 0bc8 33fa }
            // n = 6, score = 100
            //   8bca                 | mov                 ecx, edx
            //   8bc2                 | mov                 eax, edx
            //   c1e119               | shl                 ecx, 0x19
            //   c1e807               | shr                 eax, 7
            //   0bc8                 | or                  ecx, eax
            //   33fa                 | xor                 edi, edx

        // Stores eax into the object at ebx+0xc and the field eax+8 into ebx+0x10;
        // the following je consumes flags produced before this sequence starts.
        $sequence_3 = { 89430c 8b4808 894b10 7459 8b4b0c 6a00 }
            // n = 6, score = 100
            //   89430c               | mov                 dword ptr [ebx + 0xc], eax
            //   8b4808               | mov                 ecx, dword ptr [eax + 8]
            //   894b10               | mov                 dword ptr [ebx + 0x10], ecx
            //   7459                 | je                  0x5b
            //   8b4b0c               | mov                 ecx, dword ptr [ebx + 0xc]
            //   6a00                 | push                0

        // "ret 4" epilogue of one routine, then an indirect call through the first
        // dword of esi with ecx = esi. NOTE(review): this looks like a C++ virtual
        // call (thiscall, vtable slot at +0x6c) - unconfirmed without the class layout.
        $sequence_4 = { 5b c20400 8b4708 8b16 50 8bce ff526c }
            // n = 7, score = 100
            //   5b                   | pop                 ebx
            //   c20400               | ret                 4
            //   8b4708               | mov                 eax, dword ptr [edi + 8]
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi
            //   ff526c               | call                dword ptr [edx + 0x6c]

        // Sets a dword flag at esi+0x18104 to 1, calls a (wildcarded) routine and
        // reads the neighbouring field at esi+0x18108. The offsets imply a large
        // (>= 0x1810c byte) context object; the large, fixed offsets are a useful
        // fingerprint for analysts matching this structure in other samples.
        $sequence_5 = { 85c0 0f8fae000000 53 8d4e04 c7860481010001000000 e8???????? 8b8608810100 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   0f8fae000000         | jg                  0xb4
            //   53                   | push                ebx
            //   8d4e04               | lea                 ecx, dword ptr [esi + 4]
            //   c7860481010001000000     | mov    dword ptr [esi + 0x18104], 1
            //   e8????????           |                     
            //   8b8608810100         | mov                 eax, dword ptr [esi + 0x18108]

        // Function tail: writes esi - edi through the pointer in eax and returns
        // edx - ebp in eax. NOTE(review): pointer-difference arithmetic such as this
        // usually belongs to a length/offset computation - unconfirmed.
        $sequence_6 = { 8b4c2434 2bf7 8930 8bc2 5f 2bc5 5e }
            // n = 7, score = 100
            //   8b4c2434             | mov                 ecx, dword ptr [esp + 0x34]
            //   2bf7                 | sub                 esi, edi
            //   8930                 | mov                 dword ptr [eax], esi
            //   8bc2                 | mov                 eax, edx
            //   5f                   | pop                 edi
            //   2bc5                 | sub                 eax, ebp
            //   5e                   | pop                 esi

        // Saves eax to a stack slot, calls a routine, reloads the slot, pops one
        // cdecl argument (add esp, 4) and null-checks the reloaded value.
        $sequence_7 = { 89442420 e8???????? 8b442420 83c404 85c0 0f8432010000 8b442418 }
            // n = 7, score = 100
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   e8????????           |                     
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   0f8432010000         | je                  0x138
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]

        // Advances esi by 0xd4 and exits if it equals eax or if the dword at esi+4
        // points back to esi. NOTE(review): the self-reference test reads like an
        // empty-list / sentinel check over 0xd4-byte records - unconfirmed.
        $sequence_8 = { 81c6d4000000 3bc6 0f84bd000000 397604 0f84b4000000 8b6c2414 83fdff }
            // n = 7, score = 100
            //   81c6d4000000         | add                 esi, 0xd4
            //   3bc6                 | cmp                 eax, esi
            //   0f84bd000000         | je                  0xc3
            //   397604               | cmp                 dword ptr [esi + 4], esi
            //   0f84b4000000         | je                  0xba
            //   8b6c2414             | mov                 ebp, dword ptr [esp + 0x14]
            //   83fdff               | cmp                 ebp, -1

        // Zeroes a stack slot, calls a routine, then compares the pointer field at
        // esi+0x20b8 with the address of the sub-object at esi+0x20b0.
        // NOTE(review): comparing a stored pointer with the address of a nearby
        // field is the shape of an intrusive linked-list emptiness test - unconfirmed.
        $sequence_9 = { c744241800000000 e8???????? 85c0 7419 8b8eb8200000 8d86b0200000 3bc8 }
            // n = 7, score = 100
            //   c744241800000000     | mov                 dword ptr [esp + 0x18], 0
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7419                 | je                  0x1b
            //   8b8eb8200000         | mov                 ecx, dword ptr [esi + 0x20b8]
            //   8d86b0200000         | lea                 eax, dword ptr [esi + 0x20b0]
            //   3bc8                 | cmp                 ecx, eax

    condition:
        // At least 7 of the 10 sequences must be present. The size bound
        // (1138688 bytes = 0x116000, about 1.09 MiB) comes from the reference
        // samples; an otherwise matching binary above it (e.g. with a large
        // appended overlay) is deliberately not flagged. NOTE(review): confirm how
        // filesize is evaluated for your scan target (file vs. process memory)
        // before relying on this clause, and tune the bound if you see misses.
        7 of them and filesize < 1138688
}