win.chinoxy (Back to overview)

Chinoxy


There is no description at this point.

References
2021-12-08 | Recorded Future | Insikt Group®
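@comment{Corporate author: the extra pair of braces keeps the whole name as one
  indivisible surname, so it is not split into first/last parts and mangled to
  "Group, I." by the style. The entry uses biblatex fields (date, urldate,
  language), so the UTF-8 registered-trademark sign is fine under Biber.}
@techreport{group:20211208:chinese:98ded4d,
  author      = {{Insikt Group®}},
  title       = {{Chinese State-Sponsored Cyber Espionage Activity Supports Expansion of Regional Power and Influence in Southeast Asia}},
  date        = {2021-12-08},
  institution = {Recorded Future},
  url         = {https://go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf},
  language    = {English},
  urldate     = {2021-12-23},
}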
Chinoxy FunnyDream
2021-02-28 | PWC UK | PWC UK
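@comment{Corporate author: double braces keep "PWC UK" as a single indivisible
  name instead of first="PWC", last="UK". Biblatex entry (date/urldate fields).}
@techreport{uk:20210228:cyber:bd780cd,
  author      = {{PWC UK}},
  title       = {{Cyber Threats 2020: A Year in Retrospect}},
  date        = {2021-02-28},
  institution = {PWC UK},
  url         = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf},
  language    = {English},
  urldate     = {2021-03-04},
}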
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-01-04 | nao_sec blog | nao_sec
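@comment{Corporate author kept indivisible with double braces. The underscore in
  the handle is a LaTeX special character in ordinary text fields and must be
  escaped as a backslash-underscore (author and organization); the url field is
  passed through verbatim by Biber and is left untouched.}
@online{naosec:20210104:royal:041b9d3,
  author       = {{nao\_sec}},
  title        = {{Royal Road! Re:Dive}},
  date         = {2021-01-04},
  organization = {nao\_sec blog},
  url          = {https://nao-sec.org/2021/01/royal-road-redive.html},
  language     = {English},
  urldate      = {2021-01-05},
}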
8.t Dropper Chinoxy FlowCloud FunnyDream Lookback
2020-12-15 | Trend Micro | Lenart Bermejo, Gilbert Sison, Buddy Tancio
@comment{Names written in the unambiguous "Last, First" form; the First/Last split
  is identical to the original "First Last" form. Biblatex entry (date/urldate).}
@techreport{bermejo:20201215:finding:f68f005,
  author      = {Bermejo, Lenart and Sison, Gilbert and Tancio, Buddy},
  title       = {{Finding APTX: Attacks via MITRE TTPs}},
  date        = {2020-12-15},
  institution = {Trend Micro},
  url         = {https://documents.trendmicro.com/assets/white_papers/wp-finding-APTX-attributing-attacks-via-MITRE-TTPs.pdf},
  language    = {English},
  urldate     = {2020-12-17},
}
Chinoxy
2020-11-16 | Bitdefender | Victor Vrabie, Liviu Arsene
@comment{Names in "Last, First" form (same parse as the original "First Last").
  Biblatex entry (date/urldate fields).}
@techreport{vrabie:20201116:dissecting:1b39d4d,
  author      = {Vrabie, Victor and Arsene, Liviu},
  title       = {{Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions}},
  date        = {2020-11-16},
  institution = {Bitdefender},
  url         = {https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf},
  language    = {English},
  urldate     = {2020-11-18},
}
Chinoxy FunnyDream
2020-09-16 | RiskIQ | Jon Gross
@comment{Author in "Last, First" form (same parse as the original). Biblatex
  online entry; the url is the canonical locator, urldate records the access date.}
@online{gross:20200916:riskiq:da4b864,
  author       = {Gross, Jon},
  title        = {{RiskIQ: Adventures in Cookie Land - Part 2}},
  date         = {2020-09-16},
  organization = {RiskIQ},
  url          = {https://community.riskiq.com/article/56fa1b2f},
  language     = {English},
  urldate      = {2020-09-23},
}
8.t Dropper Chinoxy Poison Ivy
2020-08-19 | RiskIQ | Jon Gross, Cory Kennedy
@comment{Authors in "Last, First" form (same parse as the original). Biblatex
  online entry; companion to the Part 2 article by the same first author.}
@online{gross:20200819:riskiq:94e5ccf,
  author       = {Gross, Jon and Kennedy, Cory},
  title        = {{RiskIQ Adventures in Cookie Land - Part 1}},
  date         = {2020-08-19},
  organization = {RiskIQ},
  url          = {https://community.riskiq.com/article/5fe2da7f},
  language     = {English},
  urldate      = {2020-09-23},
}
8.t Dropper Chinoxy
2020-07-08 | Medium (@sevdraven) | Sébastien Larinier
@comment{Author in "Last, First" form (same parse as the original). UTF-8 accent
  is fine because the entry uses biblatex fields and is meant for Biber. The
  at-sign inside the braced organization value is literal text, not an entry start.}
@online{larinier:20200708:how:7d692bb,
  author       = {Larinier, Sébastien},
  title        = {{How to unpack Chinoxy backdoor and decipher the configuration of the backdoor}},
  date         = {2020-07-08},
  organization = {Medium (@sevdraven)},
  url          = {https://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02},
  language     = {English},
  urldate      = {2020-07-11},
}
Chinoxy
2020-03-20 | Medium Sebdraven | Sébastien Larinier
@comment{Author in "Last, First" form (same parse as the original). Biblatex
  online entry with UTF-8 accent, intended for Biber.}
@online{larinier:20200320:new:3da1211,
  author       = {Larinier, Sébastien},
  title        = {{New version of chinoxy backdoor using COVID19 alerts document lure}},
  date         = {2020-03-20},
  organization = {Medium Sebdraven},
  url          = {https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746},
  language     = {English},
  urldate      = {2020-03-26},
}
8.t Dropper Chinoxy
Yara Rules
[TLP:WHITE] win_chinoxy_auto (20220516 | Detects win.chinoxy.)
// Autogenerated code-sequence signature for win.chinoxy (yara-signator, see meta).
// Ten x86 byte sequences lifted from unpacked samples / memory dumps; the condition
// requires 7 of the 10 plus a file-size cap. Assign your own confidence level to
// hits, as the DISCLAIMER below asks.
rule win_chinoxy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.chinoxy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinoxy"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each hex string is followed by the generator's disassembly of the same bytes
        // ("n" = byte-group count, "score" = generator ranking); they are comments only.
        $sequence_0 = { 5b c3 8b442414 57 56 53 50 }
            // n = 7, score = 100
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   57                   | push                edi
            //   56                   | push                esi
            //   53                   | push                ebx
            //   50                   | push                eax

        $sequence_1 = { 50 8bce ff9290000000 5f 8bc3 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi
            //   ff9290000000         | call                dword ptr [edx + 0x90]
            //   5f                   | pop                 edi
            //   8bc3                 | mov                 eax, ebx

        $sequence_2 = { 8bce ff5240 5f 8bc3 5e 5b c20400 }
            // n = 7, score = 100
            //   8bce                 | mov                 ecx, esi
            //   ff5240               | call                dword ptr [edx + 0x40]
            //   5f                   | pop                 edi
            //   8bc3                 | mov                 eax, ebx
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c20400               | ret                 4

        $sequence_3 = { 894610 8b460c 3bc6 75a9 8b830c010000 8db304010000 3bc6 }
            // n = 7, score = 100
            //   894610               | mov                 dword ptr [esi + 0x10], eax
            //   8b460c               | mov                 eax, dword ptr [esi + 0xc]
            //   3bc6                 | cmp                 eax, esi
            //   75a9                 | jne                 0xffffffab
            //   8b830c010000         | mov                 eax, dword ptr [ebx + 0x10c]
            //   8db304010000         | lea                 esi, [ebx + 0x104]
            //   3bc6                 | cmp                 eax, esi

        $sequence_4 = { 83ff04 723e 8b06 85c0 7508 5f b804000000 }
            // n = 7, score = 100
            //   83ff04               | cmp                 edi, 4
            //   723e                 | jb                  0x40
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   85c0                 | test                eax, eax
            //   7508                 | jne                 0xa
            //   5f                   | pop                 edi
            //   b804000000           | mov                 eax, 4

        $sequence_5 = { 56 8b742410 57 8b06 33d0 33c0 89542414 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   8b742410             | mov                 esi, dword ptr [esp + 0x10]
            //   57                   | push                edi
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   33d0                 | xor                 edx, eax
            //   33c0                 | xor                 eax, eax
            //   89542414             | mov                 dword ptr [esp + 0x14], edx

        // e8 ???????? is an x86 call rel32 with its 4 displacement bytes wildcarded,
        // presumably because the relative target differs between builds; the
        // generator leaves the disassembly column empty for these (also in
        // $sequence_8, and e9 ???????? = jmp rel32 in $sequence_9).
        $sequence_6 = { e8???????? 83c40c 6a00 6800100000 6a00 50 e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   6a00                 | push                0
            //   6800100000           | push                0x1000
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_7 = { 51 ffd7 8b9694800200 52 ffd7 8b8698800200 50 }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   ffd7                 | call                edi
            //   8b9694800200         | mov                 edx, dword ptr [esi + 0x28094]
            //   52                   | push                edx
            //   ffd7                 | call                edi
            //   8b8698800200         | mov                 eax, dword ptr [esi + 0x28098]
            //   50                   | push                eax

        $sequence_8 = { 50 e8???????? 85c0 0f8cd6020000 8b4e1c 03c8 894e1c }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f8cd6020000         | jl                  0x2dc
            //   8b4e1c               | mov                 ecx, dword ptr [esi + 0x1c]
            //   03c8                 | add                 ecx, eax
            //   894e1c               | mov                 dword ptr [esi + 0x1c], ecx

        $sequence_9 = { 3bc6 8b5008 895610 75a7 e9???????? 8b85a0020000 8db598020000 }
            // n = 7, score = 100
            //   3bc6                 | cmp                 eax, esi
            //   8b5008               | mov                 edx, dword ptr [eax + 8]
            //   895610               | mov                 dword ptr [esi + 0x10], edx
            //   75a7                 | jne                 0xffffffa9
            //   e9????????           |                     
            //   8b85a0020000         | mov                 eax, dword ptr [ebp + 0x2a0]
            //   8db598020000         | lea                 esi, [ebp + 0x298]

    condition:
        // 7 of the 10 sequences must be present. 1138688 bytes = 1112 KiB caps the
        // size of the scanned object; larger (e.g. padded or wrapped) files will not
        // match. YARA's filesize is undefined when scanning a running process, so
        // this condition can only hold for on-disk files and dumps scanned as files.
        7 of them and filesize < 1138688
}