win.rising_sun

Rising Sun

Actor(s): Operation Sharpshooter


No curated description yet. Per the McAfee reporting listed below (December 2018), Rising Sun is the Windows implant used in Operation Sharpshooter, a campaign against global defense and critical-infrastructure organizations; that reporting is cross-tagged with Lazarus Group, so treat the attribution as reported by the vendor rather than independently confirmed here.

References
2022-03-31 | APNIC | Debashis Pal
@online{pal:20220331:how:c5195a9, author = {Debashis Pal}, title = {{How to: Detect and prevent common data exfiltration attacks}}, date = {2022-03-31}, organization = {APNIC}, url = {https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/}, language = {English}, urldate = {2022-05-05} } How to: Detect and prevent common data exfiltration attacks
Agent Tesla DNSMessenger PingBack Rising Sun
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2018-12-12 | McAfee | Ryan Sherstobitoff, Asheer Malhotra
@online{sherstobitoff:20181212:operation:df0b2d2, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure}}, date = {2018-12-12}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/}, language = {English}, urldate = {2020-01-13} } ‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure
Rising Sun Lazarus Group Operation Sharpshooter
2018-12-12 | McAfee | Ryan Sherstobitoff, Asheer Malhotra
@techreport{sherstobitoff:20181212:operation:f8b490f, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{Operation Sharpshooter: Campaign Targets Global Defense, Critical Infrastructure}}, date = {2018-12-12}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf}, language = {English}, urldate = {2019-12-18} } Operation Sharpshooter: Campaign Targets Global Defense, Critical Infrastructure
Rising Sun
Yara Rules
[TLP:WHITE] win_rising_sun_auto (20230715 | Detects win.rising_sun.)
rule win_rising_sun_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.rising_sun."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rising_sun"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (comments only; the hex patterns and condition are unchanged)
     *
     * - The generated disassembly annotations next to each byte sequence were
     *   out of step with the bytes they sit beside (a known artifact of the
     *   generator's comment column). They have been re-decoded below directly
     *   from the hex; the annotations are informational only and do not affect
     *   matching.
     * - Every sequence carries REX prefixes (0x41/0x44/0x45/0x48/0x49) or
     *   RIP-relative addressing, so the source sample is x86-64 code; the
     *   annotations therefore use 64-bit register names.
     * - "??" in a hex string is a YARA wildcard byte. The generator uses it to
     *   mask call targets and RIP-relative displacements, which change between
     *   builds and load addresses.
     * - $sequence_0, $sequence_3 and $sequence_6 are runs of immediate dword
     *   stores into stack-frame slots. That shape looks like data being built
     *   on the stack (stack strings or a key/table) rather than control flow;
     *   the meaning of the constants is NOT established by the rule — verify in
     *   the sample before treating them as keys or IOCs.
     * - There is deliberately no MZ/PE header check. Per the disclaimer the
     *   source material includes memory dumps, so adding uint16(0) == 0x5A4D
     *   would presumably break matching on dumps — confirm before tightening.
     * - The condition requires 7 of 10 sequences and filesize < 409600 bytes
     *   (400 KiB); larger unpacked images or dumps will not match by design.
     */


    strings:
        $sequence_0 = { c7451ceb6cdf53 c745207d99ebb9 c74524f0924af9 c7452858285d83 c7452cb17b929c c745307d0f2b0f }
            // n = 6, score = 100
            //   c7451ceb6cdf53       | mov                 dword ptr [rbp + 0x1c], 0x53df6ceb
            //   c745207d99ebb9       | mov                 dword ptr [rbp + 0x20], 0xb9eb997d
            //   c74524f0924af9       | mov                 dword ptr [rbp + 0x24], 0xf94a92f0
            //   c7452858285d83       | mov                 dword ptr [rbp + 0x28], 0x835d2858
            //   c7452cb17b929c       | mov                 dword ptr [rbp + 0x2c], 0x9c927bb1
            //   c745307d0f2b0f       | mov                 dword ptr [rbp + 0x30], 0x0f2b0f7d
            // Six consecutive immediate stores into adjacent frame slots:
            // a 24-byte blob assembled on the stack (purpose not established here).

        $sequence_1 = { e8???????? ebc9 488bcb 488bc3 488d15e7780100 48c1f805 83e11f }
            // n = 7, score = 100
            //   e8????????           | call                <masked rel32 target>
            //   ebc9                 | jmp                 short -0x37 (backward; loop tail)
            //   488bcb               | mov                 rcx, rbx
            //   488bc3               | mov                 rax, rbx
            //   488d15e7780100       | lea                 rdx, [rip + 0x178e7]
            //   48c1f805             | sar                 rax, 5
            //   83e11f               | and                 ecx, 0x1f
            // rbx >> 5 and rbx & 0x1f is a 32-way index/bit split of the same
            // value; presumably a table lookup against the lea'd address — confirm.

        $sequence_2 = { 7512 c705????????0d000000 4532ed 44886c2440 4885f6 743f 488bfe }
            // n = 7, score = 100
            //   7512                 | jne                 +0x12
            //   c705????????0d000000     | mov             dword ptr [rip + <masked>], 0xd
            //   4532ed               | xor                 r13b, r13b
            //   44886c2440           | mov                 byte ptr [rsp + 0x40], r13b
            //   4885f6               | test                rsi, rsi
            //   743f                 | je                  +0x3f
            //   488bfe               | mov                 rdi, rsi
            // Writes the constant 0xd to a global, zeroes a stack byte, then
            // null-checks rsi (probably a pointer argument) before copying it.

        $sequence_3 = { c785b4000000e9f05082 c785b8000000e7fa6acb c785bc00000088e87280 c785c000000044604695 c785c4000000920fad47 c785c8000000093f9752 c785cc000000c6aca765 }
            // n = 7, score = 100
            //   c785b4000000e9f05082     | mov    dword ptr [rbp + 0xb4], 0x8250f0e9
            //   c785b8000000e7fa6acb     | mov    dword ptr [rbp + 0xb8], 0xcb6afae7
            //   c785bc00000088e87280     | mov    dword ptr [rbp + 0xbc], 0x8072e888
            //   c785c000000044604695     | mov    dword ptr [rbp + 0xc0], 0x95466044
            //   c785c4000000920fad47     | mov    dword ptr [rbp + 0xc4], 0x47ad0f92
            //   c785c8000000093f9752     | mov    dword ptr [rbp + 0xc8], 0x52973f09
            //   c785cc000000c6aca765     | mov    dword ptr [rbp + 0xcc], 0x65a7acc6
            // Same pattern as $sequence_0 at a larger frame offset (disp32 form):
            // a 28-byte blob built on the stack.

        $sequence_4 = { 41b701 44897c244c 488b0d???????? 4885c9 754a 488d0da6900200 48833d????????08 }
            // n = 7, score = 100
            //   41b701               | mov                 r15b, 1
            //   44897c244c           | mov                 dword ptr [rsp + 0x4c], r15d
            //   488b0d????????       | mov                 rcx, qword ptr [rip + <masked>]
            //   4885c9               | test                rcx, rcx
            //   754a                 | jne                 +0x4a
            //   488d0da6900200       | lea                 rcx, [rip + 0x290a6]
            //   48833d????????08     | cmp                 qword ptr [rip + <masked>], 8
            // Lazy-init shape: load a global, skip ahead if already non-null,
            // otherwise take the address of a static object (+0x290a6) and
            // compare another global against 8 — what that global is, the rule
            // does not say.

        $sequence_5 = { 7412 48837c244808 720a 488b4c2430 }
            // n = 4, score = 100
            //   7412                 | je                  +0x12
            //   48837c244808         | cmp                 qword ptr [rsp + 0x48], 8
            //   720a                 | jb                  +0xa
            //   488b4c2430           | mov                 rcx, qword ptr [rsp + 0x30]
            // "capacity >= 8 ?" check on a local before loading a pointer —
            // consistent with an inline/SSO buffer test, but that is an inference.

        $sequence_6 = { c785cc0100003fac63f5 c785d00100000f815702 c785d40100006b20a6d3 c785d8010000ff9108d0 c785dc010000e0acc4b5 c785e0010000272e7346 c785e4010000df0d063e }
            // n = 7, score = 100
            //   c785cc0100003fac63f5     | mov    dword ptr [rbp + 0x1cc], 0xf563ac3f
            //   c785d00100000f815702     | mov    dword ptr [rbp + 0x1d0], 0x0257810f
            //   c785d40100006b20a6d3     | mov    dword ptr [rbp + 0x1d4], 0xd3a6206b
            //   c785d8010000ff9108d0     | mov    dword ptr [rbp + 0x1d8], 0xd00891ff
            //   c785dc010000e0acc4b5     | mov    dword ptr [rbp + 0x1dc], 0xb5c4ace0
            //   c785e0010000272e7346     | mov    dword ptr [rbp + 0x1e0], 0x46732e27
            //   c785e4010000df0d063e     | mov    dword ptr [rbp + 0x1e4], 0x3e060ddf
            // Third stack-built blob (28 bytes at rbp+0x1cc).

        $sequence_7 = { 488b7d18 488bcd e8???????? 498b4cf408 48ffc3 488904cf 488b7c2470 }
            // n = 7, score = 100
            //   488b7d18             | mov                 rdi, qword ptr [rbp + 0x18]
            //   488bcd               | mov                 rcx, rbp
            //   e8????????           | call                <masked rel32 target>
            //   498b4cf408           | mov                 rcx, qword ptr [r12 + rsi*8 + 8]
            //   48ffc3               | inc                 rbx
            //   488904cf             | mov                 qword ptr [rdi + rcx*8], rax
            //   488b7c2470           | mov                 rdi, qword ptr [rsp + 0x70]
            // Loop body filling a qword array: call, then store the result at an
            // index read from a second 8-byte-stride table, with rbx as counter.

        $sequence_8 = { 4533c9 4533c0 33d2 ff15???????? 488bc8 488905???????? 4885c0 }
            // n = 7, score = 100
            //   4533c9               | xor                 r9d, r9d
            //   4533c0               | xor                 r8d, r8d
            //   33d2                 | xor                 edx, edx
            //   ff15????????         | call                qword ptr [rip + <masked>]   (import call)
            //   488bc8               | mov                 rcx, rax
            //   488905????????       | mov                 qword ptr [rip + <masked>], rax
            //   4885c0               | test                rax, rax
            // Win64 ABI call through the IAT with rdx/r8/r9 = 0, result saved to a
            // global and null-checked — the shape of a handle-creating API; the
            // actual import is masked, so do not assume which one.

        $sequence_9 = { ff15???????? ba55000000 85db 7f05 baaa000000 488d8dc0060000 41b800040000 }
            // n = 7, score = 100
            //   ff15????????         | call                qword ptr [rip + <masked>]   (import call)
            //   ba55000000           | mov                 edx, 0x55
            //   85db                 | test                ebx, ebx
            //   7f05                 | jg                  +5
            //   baaa000000           | mov                 edx, 0xaa
            //   488d8dc0060000       | lea                 rcx, [rbp + 0x6c0]
            //   41b800040000         | mov                 r8d, 0x400
            // Picks 0x55 or 0xAA as edx based on ebx > 0, then rcx = local buffer,
            // r8d = 0x400: argument setup consistent with a 1 KiB fill, but the
            // callee is outside the sequence — verify in the sample.

    condition:
        7 of them and filesize < 409600
}