Malpedia family identifier: win.oceansalt

Oceansalt


No description has been written for this family yet. The only reference listed on this page is McAfee's October 2018 report on "Operation Oceansalt", whose title describes attacks on South Korea, the U.S. and Canada carried out with source code attributed to a Chinese group; the reference is tagged with both Oceansalt and APT1 below. Treat any attribution beyond that as unconfirmed until the report itself is consulted.

References
2018-10-18 — McAfee — Ryan Sherstobitoff, Asheer Malhotra
@techreport{sherstobitoff:20181018:operation:f7a178c, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group}}, date = {2018-10-18}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf}, language = {English}, urldate = {2020-01-07} } ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group
Families tagged on this reference: Oceansalt, APT1
Yara Rules
[TLP:WHITE] win_oceansalt_auto (20230125 | Detects win.oceansalt.)
/*
 * Auto-generated (yara-signator) code-sequence signature for win.oceansalt.
 *
 * Review notes (not part of the generated rule text):
 *  - $sequence_0..$sequence_7 are 32-bit x86 code. $sequence_8..$sequence_15
 *    carry REX prefixes (0x41/0x44/0x45/0x48/0x4c) and are x86-64 code; the
 *    "score" value is yara-signator's own ranking metric, and the two
 *    architecture sets happen to score differently (300 vs 100).
 *  - The auto-generated disassembly comments on the 64-bit sequences were
 *    misaligned with their bytes (they were shuffled across $sequence_8..15 and
 *    decoded as 32-bit). They have been re-decoded below; the hex byte strings
 *    themselves are untouched and are what YARA actually matches on.
 *  - $sequence_3 embeds an absolute address (0x40f02c), so it is tied to the
 *    sample's preferred image base and will not match a rebased/relocated copy
 *    (e.g. an ASLR-rebased memory dump). The e8???????? / ff15???????? call
 *    targets are wildcarded and are not affected by relocation.
 *  - The condition needs 7 of the 16 sequences and filesize < 212992 (208 KiB).
 *    Each architecture set holds 8 sequences, so in practice a 32-bit or 64-bit
 *    sample has to hit 7 of its own 8. NOTE(review): filesize is meaningful for
 *    file scans only — confirm how your YARA version evaluates it before relying
 *    on this rule for process-memory scans.
 *  - Per the generator's disclaimer, the rule may derive from a single sample.
 *    Treat it as a narrow, high-precision indicator and validate against fresh
 *    samples rather than assuming family-wide coverage.
 */
rule win_oceansalt_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.oceansalt."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.oceansalt"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // --- 32-bit x86 sequences (score 300) ---

        // Sets up a call with a 0x204-byte stack buffer; the same 0x204 size
        // reappears in the 64-bit $sequence_15 (mov r8d, 0x204).
        $sequence_0 = { 6a00 8945f8 6804020000 8d85f8fdffff 50 }
            // n = 5, score = 300
            //   6a00                 | push                0
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   6804020000           | push                0x204
            //   8d85f8fdffff         | lea                 eax, [ebp - 0x208]
            //   50                   | push                eax

        // Byte-wise XOR with 0x77 over a stack buffer at [ebp - 0x204], indexed
        // by eax and bounded by ecx: a single-byte XOR decode loop. Useful pivot
        // for a string/config decoder, but confirm the key and buffer use
        // against the sample before relying on it.
        $sequence_1 = { 7e0d 80b405fcfdffff77 40 3bc1 7cf3 }
            // n = 5, score = 300
            //   7e0d                 | jle                 0xf
            //   80b405fcfdffff77     | xor                 byte ptr [ebp + eax - 0x204], 0x77
            //   40                   | inc                 eax
            //   3bc1                 | cmp                 eax, ecx
            //   7cf3                 | jl                  0xfffffff5

        $sequence_2 = { 6a00 52 c685fcfbffff00 e8???????? }
            // n = 4, score = 300
            //   6a00                 | push                0
            //   52                   | push                edx
            //   c685fcfbffff00       | mov                 byte ptr [ebp - 0x404], 0
            //   e8????????           |                     

        // Relocation-sensitive: 0x40f02c is an absolute VA (image base 0x400000
        // assumed). Will not match if the binary is rebased in memory.
        $sequence_3 = { c3 8b04cd2cf04000 5d c3 }
            // n = 4, score = 300
            //   c3                   | ret                 
            //   8b04cd2cf04000       | mov                 eax, dword ptr [ecx*8 + 0x40f02c]
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_4 = { ffd7 6a00 6a02 8d8dc8fdffff 51 56 }
            // n = 6, score = 300
            //   ffd7                 | call                edi
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   8d8dc8fdffff         | lea                 ecx, [ebp - 0x238]
            //   51                   | push                ecx
            //   56                   | push                esi

        // NOTE(review): `push 2` followed by a struct whose first dword is set to
        // 0x128 (296) is consistent with TH32CS_SNAPPROCESS and
        // sizeof(PROCESSENTRY32) — i.e. a Toolhelp process-enumeration setup.
        // Inferred from constants only; confirm against the sample.
        $sequence_5 = { 6a02 c785ccfdffff28010000 e8???????? 8d8dccfdffff 51 50 8985c4fdffff }
            // n = 7, score = 300
            //   6a02                 | push                2
            //   c785ccfdffff28010000     | mov    dword ptr [ebp - 0x234], 0x128
            //   e8????????           |                     
            //   8d8dccfdffff         | lea                 ecx, [ebp - 0x234]
            //   51                   | push                ecx
            //   50                   | push                eax
            //   8985c4fdffff         | mov                 dword ptr [ebp - 0x23c], eax

        $sequence_6 = { 85c0 7428 6a04 50 8d55fc }
            // n = 5, score = 300
            //   85c0                 | test                eax, eax
            //   7428                 | je                  0x2a
            //   6a04                 | push                4
            //   50                   | push                eax
            //   8d55fc               | lea                 edx, [ebp - 4]

        $sequence_7 = { 6a07 8d45f4 50 56 c645f400 }
            // n = 5, score = 300
            //   6a07                 | push                7
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax
            //   56                   | push                esi
            //   c645f400             | mov                 byte ptr [ebp - 0xc], 0

        // --- x86-64 sequences (score 100); disassembly re-decoded as 64-bit ---

        // Function prologue with RIP-relative loads of two data addresses.
        $sequence_8 = { 4883ec20 488d1dfd9d0000 488d2d36a00000 488bfb 488b37 }
            // n = 5, score = 100
            //   4883ec20             | sub                 rsp, 0x20
            //   488d1dfd9d0000       | lea                 rbx, [rip + 0x9dfd]
            //   488d2d36a00000       | lea                 rbp, [rip + 0xa036]
            //   488bfb               | mov                 rdi, rbx
            //   488b37               | mov                 rsi, qword ptr [rdi]

        // Argument setup in the x64 calling convention (rcx, rdx, r8, r9).
        $sequence_9 = { 488d4c2450 448d4502 4533c9 ba00000040 }
            // n = 4, score = 100
            //   488d4c2450           | lea                 rcx, [rsp + 0x50]
            //   448d4502             | lea                 r8d, [rbp + 2]
            //   4533c9               | xor                 r9d, r9d
            //   ba00000040           | mov                 edx, 0x40000000

        // Initialises fields of a structure pointed to by rcx; two byte fields
        // are set to 0x43 ('C') and one qword field to a RIP-relative address.
        $sequence_10 = { c7411c01000000 c781c800000001000000 c6817401000043 c681f701000043 488d0524c70000 488981b8000000 b90d000000 }
            // n = 7, score = 100
            //   c7411c01000000       | mov                 dword ptr [rcx + 0x1c], 1
            //   c781c800000001000000     | mov    dword ptr [rcx + 0xc8], 1
            //   c6817401000043       | mov                 byte ptr [rcx + 0x174], 0x43
            //   c681f701000043       | mov                 byte ptr [rcx + 0x1f7], 0x43
            //   488d0524c70000       | lea                 rax, [rip + 0xc724]
            //   488981b8000000       | mov                 qword ptr [rcx + 0xb8], rax
            //   b90d000000           | mov                 ecx, 0xd

        // repne scasb / not rcx is the classic inlined strlen idiom.
        $sequence_11 = { 4c8d0ddd130100 f2ae 488bf2 418bec 48f7d1 4c89642420 }
            // n = 6, score = 100
            //   4c8d0ddd130100       | lea                 r9, [rip + 0x113dd]
            //   f2ae                 | repne scasb         al, byte ptr es:[rdi]
            //   488bf2               | mov                 rsi, rdx
            //   418bec               | mov                 ebp, r12d
            //   48f7d1               | not                 rcx
            //   4c89642420           | mov                 qword ptr [rsp + 0x20], r12

        // Byte-copy loop into a stack buffer at [rsp + 0x23f], terminating on a
        // zero byte (test al, al / jne back).
        $sequence_12 = { 48ffc7 88843c3f020000 84c0 75ee 41bc02000000 }
            // n = 5, score = 100
            //   48ffc7               | inc                 rdi
            //   88843c3f020000       | mov                 byte ptr [rsp + rdi + 0x23f], al
            //   84c0                 | test                al, al
            //   75ee                 | jne                 0xffffffffffffffee
            //   41bc02000000         | mov                 r12d, 2

        $sequence_13 = { 85c0 745a 85db 759c 488bce }
            // n = 5, score = 100
            //   85c0                 | test                eax, eax
            //   745a                 | je                  0x5c
            //   85db                 | test                ebx, ebx
            //   759c                 | jne                 0xffffffffffffff9e
            //   488bce               | mov                 rcx, rsi

        $sequence_14 = { 41b804000000 e8???????? 8b4c2440 ff15???????? }
            // n = 4, score = 100
            //   41b804000000         | mov                 r8d, 4
            //   e8????????           |                     
            //   8b4c2440             | mov                 ecx, dword ptr [rsp + 0x40]
            //   ff15????????         |                     

        // 64-bit counterpart of the 0x204-byte buffer call seen in $sequence_0.
        $sequence_15 = { 41b804020000 ff15???????? 488b0d???????? 4533c9 458d4102 488d542440 }
            // n = 6, score = 100
            //   41b804020000         | mov                 r8d, 0x204
            //   ff15????????         |                     
            //   488b0d????????       |                     
            //   4533c9               | xor                 r9d, r9d
            //   458d4102             | lea                 r8d, [r9 + 2]
            //   488d542440           | lea                 rdx, [rsp + 0x40]

    condition:
        // 7 of 16 sequences; with 8 per architecture this effectively means
        // 7 of the 8 sequences for the matching architecture. 212992 = 208 KiB.
        7 of them and filesize < 212992
}