SYMBOLCOMMON_NAMEaka. SYNONYMS
win.rising_sun (Back to overview)

Rising Sun

Actor(s): Operation Sharpshooter

There is no description at this point.

References
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2018-12-12McAfeeRyan Sherstobitoff, Asheer Malhotra
@techreport{sherstobitoff:20181212:operation:f8b490f, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{Operation Sharpshooter: Campaign Targets Global Defense, Critical Infrastructure}}, date = {2018-12-12}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf}, language = {English}, urldate = {2019-12-18} } Operation Sharpshooter: Campaign Targets Global Defense, Critical Infrastructure
Rising Sun
2018-12-12McAfeeRyan Sherstobitoff, Asheer Malhotra
@online{sherstobitoff:20181212:operation:df0b2d2, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure}}, date = {2018-12-12}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/}, language = {English}, urldate = {2020-01-13} } ‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure
Rising Sun Lazarus Group Operation Sharpshooter
Yara Rules
[TLP:WHITE] win_rising_sun_auto (20210616 | Detects win.rising_sun.)
rule win_rising_sun_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.rising_sun."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rising_sun"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 488d8d620e0000 33d2 41b8fe070000 664489ad600e0000 e8???????? }
            // n = 6, score = 100
            //   e8????????           |                     
            //   488d8d620e0000       | dec                 esp
            //   33d2                 | mov                 dword ptr [esp + 0x78], esp
            //   41b8fe070000         | inc                 esp
            //   664489ad600e0000     | mov                 dword ptr [ebp - 0x80], esp
            //   e8????????           |                     

        $sequence_1 = { 498bcc ff15???????? 85c0 0f853cfeffff eb31 41b801000000 8bd3 }
            // n = 7, score = 100
            //   498bcc               | movzx               edx, bx
            //   ff15????????         |                     
            //   85c0                 | dec                 edx
            //   0f853cfeffff         | mov                 dword ptr [ecx + eax*8 + 8], edx
            //   eb31                 | dec                 eax
            //   41b801000000         | arpl                ax, dx
            //   8bd3                 | dec                 eax

        $sequence_2 = { 4c3bc1 746e 48895c2430 488bd1 48896c2438 4889742440 e8???????? }
            // n = 7, score = 100
            //   4c3bc1               | test                eax, eax
            //   746e                 | cmp                 al, 0x58
            //   48895c2430           | ja                  0x657
            //   488bd1               | dec                 ecx
            //   48896c2438           | movsx               eax, ah
            //   4889742440           | inc                 edx
            //   e8????????           |                     

        $sequence_3 = { 488b8d10030000 4833cc e8???????? 4c8d9c2420040000 498b5b28 498b7330 }
            // n = 6, score = 100
            //   488b8d10030000       | lea                 ecx, dword ptr [esp + 0x28]
            //   4833cc               | dec                 esp
            //   e8????????           |                     
            //   4c8d9c2420040000     | lea                 ebx, dword ptr [0x82fb]
            //   498b5b28             | dec                 esp
            //   498b7330             | mov                 dword ptr [ebx], ebx

        $sequence_4 = { 41b701 44897c244c 488b0d???????? 4885c9 754a 488d0da6900200 48833d????????08 }
            // n = 7, score = 100
            //   41b701               | dec                 eax
            //   44897c244c           | lea                 ecx, dword ptr [esp + 0x40]
            //   488b0d????????       |                     
            //   4885c9               | jbe                 0xf31
            //   754a                 | dec                 eax
            //   488d0da6900200       | mov                 ecx, edx
            //   48833d????????08     |                     

        $sequence_5 = { 884417fe 84c0 75f1 ff15???????? 488bcb ff15???????? 488b3d???????? }
            // n = 7, score = 100
            //   884417fe             | cmp                 eax, -1
            //   84c0                 | jne                 0x162
            //   75f1                 | inc                 esp
            //   ff15????????         |                     
            //   488bcb               | lea                 eax, dword ptr [esi - 0x3c]
            //   ff15????????         |                     
            //   488b3d????????       |                     

        $sequence_6 = { ff15???????? 488bf0 4885c0 0f8493010000 488d15de8c0000 488bc8 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   488bf0               | mov                 ebx, dword ptr [ebx + 0x38]
            //   4885c0               | dec                 ecx
            //   0f8493010000         | mov                 esi, dword ptr [ebx + 0x40]
            //   488d15de8c0000       | dec                 ecx
            //   488bc8               | mov                 edi, dword ptr [ebx + 0x48]

        $sequence_7 = { ebd8 488d3dc03d0100 488bf0 b909000000 66f3a7 75bf 488d4c2430 }
            // n = 7, score = 100
            //   ebd8                 | nop                 word ptr [eax + eax]
            //   488d3dc03d0100       | dec                 esp
            //   488bf0               | lea                 ecx, dword ptr [esp + 0x8c]
            //   b909000000           | dec                 eax
            //   66f3a7               | lea                 ecx, dword ptr [esp + 0xab0]
            //   75bf                 | dec                 esp
            //   488d4c2430           | mov                 eax, ebp

        $sequence_8 = { 498bcc e8???????? 8bd8 8bd0 488b0d???????? e8???????? 488b0d???????? }
            // n = 7, score = 100
            //   498bcc               | dec                 esp
            //   e8????????           |                     
            //   8bd8                 | lea                 eax, dword ptr [0x1632c]
            //   8bd0                 | dec                 eax
            //   488b0d????????       |                     
            //   e8????????           |                     
            //   488b0d????????       |                     

        $sequence_9 = { 7503 2b756f 81fe50140000 0f8f8b030000 81feb0ebffff 0f8c6f030000 4c8d2d36a40000 }
            // n = 7, score = 100
            //   7503                 | mov                 ecx, 0x80070057
            //   2b756f               | int3                
            //   81fe50140000         | dec                 esp
            //   0f8f8b030000         | mov                 eax, dword ptr [edi + 8]
            //   81feb0ebffff         | dec                 eax
            //   0f8c6f030000         | mov                 ecx, esi
            //   4c8d2d36a40000       | dec                 eax

    condition:
        7 of them and filesize < 409600
}
Download all Yara Rules