SYMBOLCOMMON_NAMEaka. SYNONYMS
win.oceansalt (Back to overview)

Oceansalt


There is no description at this point.

References
2018-10-18McAfeeRyan Sherstobitoff, Asheer Malhotra
@techreport{sherstobitoff:20181018:operation:f7a178c, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group}}, date = {2018-10-18}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf}, language = {English}, urldate = {2020-01-07} } ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group
Oceansalt Comment Crew
Yara Rules
[TLP:WHITE] win_oceansalt_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_oceansalt_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.oceansalt"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c785ccfdffff28010000 e8???????? 8d8dccfdffff 51 50 }
            // n = 5, score = 300
            //   c785ccfdffff28010000     | mov    dword ptr [ebp - 0x234], 0x128
            //   e8????????           |                     
            //   8d8dccfdffff         | lea                 ecx, [ebp - 0x234]
            //   51                   | push                ecx
            //   50                   | push                eax

        $sequence_1 = { 6808010000 8d95f4feffff 52 56 c745f800000000 ffd7 8b4dfc }
            // n = 7, score = 300
            //   6808010000           | push                0x108
            //   8d95f4feffff         | lea                 edx, [ebp - 0x10c]
            //   52                   | push                edx
            //   56                   | push                esi
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0
            //   ffd7                 | call                edi
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_2 = { 8d8dc8fdffff 51 56 ffd3 8d95c8fdffff }
            // n = 5, score = 300
            //   8d8dc8fdffff         | lea                 ecx, [ebp - 0x238]
            //   51                   | push                ecx
            //   56                   | push                esi
            //   ffd3                 | call                ebx
            //   8d95c8fdffff         | lea                 edx, [ebp - 0x238]

        $sequence_3 = { 56 8b7508 57 6a00 6804020000 }
            // n = 5, score = 300
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   57                   | push                edi
            //   6a00                 | push                0
            //   6804020000           | push                0x204

        $sequence_4 = { 6804020000 8d85f8fdffff 50 51 ff15???????? }
            // n = 5, score = 300
            //   6804020000           | push                0x204
            //   8d85f8fdffff         | lea                 eax, [ebp - 0x208]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   ff15????????         |                     

        $sequence_5 = { 84c9 75ed 8b95d4fdffff 8955f4 }
            // n = 4, score = 300
            //   84c9                 | test                cl, cl
            //   75ed                 | jne                 0xffffffef
            //   8b95d4fdffff         | mov                 edx, dword ptr [ebp - 0x22c]
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx

        $sequence_6 = { 68???????? 6a00 ff15???????? 33c0 8b4dfc }
            // n = 5, score = 300
            //   68????????           |                     
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_7 = { ff15???????? 57 ff15???????? 8b3d???????? 53 }
            // n = 5, score = 300
            //   ff15????????         |                     
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8b3d????????         |                     
            //   53                   | push                ebx

        $sequence_8 = { 66660f1f840000000000 8bce 8bc5 d3e8 85c0 }
            // n = 5, score = 100
            //   66660f1f840000000000     | inc    esi
            //   8bce                 | cmp                 esi, 0x1a
            //   8bc5                 | jl                  0xffffff6b
            //   d3e8                 | xor                 eax, eax
            //   85c0                 | nop                 word ptr [eax + eax]

        $sequence_9 = { 488d4158 41b806000000 488d15f3830000 483950f0 740c }
            // n = 5, score = 100
            //   488d4158             | mov                 eax, dword ptr [esp + 0x50]
            //   41b806000000         | dec                 eax
            //   488d15f3830000       | and                 dword ptr [esp + 0x20], 0
            //   483950f0             | inc                 eax
            //   740c                 | mov                 byte ptr [esp + 0x5c], ch

        $sequence_10 = { 4833cc e8???????? 4c8d9c2470060000 498b6b20 498b7328 498be3 }
            // n = 6, score = 100
            //   4833cc               | lea                 eax, [ecx + 0x58]
            //   e8????????           |                     
            //   4c8d9c2470060000     | inc                 ecx
            //   498b6b20             | mov                 eax, 6
            //   498b7328             | dec                 eax
            //   498be3               | lea                 edx, [0x83f3]

        $sequence_11 = { 88440ffe 84c0 75f1 ffc6 83fe1a 0f8c65ffffff 33c0 }
            // n = 7, score = 100
            //   88440ffe             | inc                 ebp
            //   84c0                 | lea                 eax, [ecx + 2]
            //   75f1                 | dec                 eax
            //   ffc6                 | lea                 esi, [esp + 0x30]
            //   83fe1a               | mov                 byte ptr [edi + ecx - 2], al
            //   0f8c65ffffff         | test                al, al
            //   33c0                 | jne                 0xfffffff5

        $sequence_12 = { 488bce 488bd3 e8???????? 488bd7 660f1f840000000000 0fb6041a }
            // n = 6, score = 100
            //   488bce               | dec                 eax
            //   488bd3               | lea                 ecx, [0xff94]
            //   e8????????           |                     
            //   488bd7               | dec                 esp
            //   660f1f840000000000     | lea    ecx, [esp + 0x4c]
            //   0fb6041a             | dec                 eax

        $sequence_13 = { 488b442450 488364242000 40886c245c 488d0d94ff0000 4c8d4c244c }
            // n = 5, score = 100
            //   488b442450           | mov                 ecx, esi
            //   488364242000         | mov                 eax, ebp
            //   40886c245c           | shr                 eax, cl
            //   488d0d94ff0000       | test                eax, eax
            //   4c8d4c244c           | dec                 eax

        $sequence_14 = { 488d542430 488bcb 458d4102 ff15???????? 488d742430 }
            // n = 5, score = 100
            //   488d542430           | dec                 eax
            //   488bcb               | lea                 edx, [esp + 0x30]
            //   458d4102             | dec                 eax
            //   ff15????????         |                     
            //   488d742430           | mov                 ecx, ebx

        $sequence_15 = { 420fbe940ac0e60000 c1fa04 8954245c 8bca 413bd2 }
            // n = 5, score = 100
            //   420fbe940ac0e60000     | dec    eax
            //   c1fa04               | cmp                 dword ptr [eax - 0x10], edx
            //   8954245c             | je                  0x19
            //   8bca                 | dec                 eax
            //   413bd2               | mov                 ecx, esi

    condition:
        7 of them and filesize < 212992
}
Download all Yara Rules