win.rising_sun

Rising Sun

Actor(s): Operation Sharpshooter


There is no description at this point.

References
2020-02-13 — Qianxin — Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2018-12-12 — McAfee — Ryan Sherstobitoff, Asheer Malhotra
@techreport{sherstobitoff:20181212:operation:f8b490f, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{Operation Sharpshooter: Campaign Targets Global Defense, Critical Infrastructure}}, date = {2018-12-12}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf}, language = {English}, urldate = {2019-12-18} } Operation Sharpshooter: Campaign Targets Global Defense, Critical Infrastructure
Rising Sun
2018-12-12 — McAfee — Ryan Sherstobitoff, Asheer Malhotra
@online{sherstobitoff:20181212:operation:df0b2d2, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure}}, date = {2018-12-12}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/}, language = {English}, urldate = {2020-01-13} } ‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure
Rising Sun Lazarus Group Operation Sharpshooter
Yara Rules
[TLP:WHITE] win_rising_sun_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_rising_sun_auto {

    /* Auto-generated code-byte signature for the Rising Sun family
     * (Malpedia id win.rising_sun). The ten $sequence_N strings below are
     * runs of consecutive instruction bytes extracted by yara-signator; the
     * rule fires when at least 7 of them are present (see condition:).
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rising_sun"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reading the strings section:
     *  - Each hex group is one instruction; "??" wildcards mask operands that
     *    change between builds (e.g. the rel32 after an e8 call, the
     *    rip-relative disp32 after ff15 / 488b0d / 48833d).
     *  - "n" is the number of instructions in the sequence; "score" is
     *    presumably the generator's ranking for that sequence (not a
     *    detection weight -- the condition treats all strings equally).
     *  - NOTE(review): the disassembly text to the right of each byte group
     *    does NOT decode those bytes. For example 8bd7 is "mov edx, edi", not
     *    "xor edx, edx", and the 48/4c/41/42/45 REX prefixes show this is
     *    64-bit code while the annotations use 32-bit register forms. Treat
     *    the annotations as generator noise and decode the hex yourself
     *    before assigning confidence to a hit.
     */

    strings:
        $sequence_0 = { 8bd7 4c8d05b4fffeff 89542420 83fa05 7d15 4863ca 0fb7444b10 }
            // n = 7, score = 100
            //   8bd7                 | xor                 edx, edx
            //   4c8d05b4fffeff       | dec                 eax
            //   89542420             | lea                 ecx, [esp + 0x78]
            //   83fa05               | inc                 esp
            //   7d15                 | lea                 eax, [edx + 0x60]
            //   4863ca               | dec                 eax
            //   0fb7444b10           | lea                 ecx, [ebp + 0x2230]

        $sequence_1 = { 664489ad600e0000 e8???????? 418d4d40 ba00fc0000 418bdd ff15???????? 33d2 }
            // n = 7, score = 100
            //   664489ad600e0000     | mov                 eax, dword ptr [ebx + 0x10]
            //   e8????????           |                     
            //   418d4d40             | dec                 eax
            //   ba00fc0000           | js                  0xa06
            //   418bdd               | dec                 eax
            //   ff15????????         |                     
            //   33d2                 | mov                 eax, dword ptr [esp + 0x60]

        $sequence_2 = { 48837c244008 720a 488b4c2428 e8???????? 488b0d???????? 4885c9 7406 }
            // n = 7, score = 100
            //   48837c244008         | cmp                 ecx, dword ptr [ebx + 0x10]
            //   720a                 | test                al, al
            //   488b4c2428           | je                  0xb7c
            //   e8????????           |                     
            //   488b0d????????       |                     
            //   4885c9               | dec                 eax
            //   7406                 | mov                 ecx, dword ptr [ebx + 0x10]

        $sequence_3 = { 488d153a690100 488bd9 ff15???????? 488bcb ff15???????? a810 7512 }
            // n = 7, score = 100
            //   488d153a690100       | jns                 0x147f
            //   488bd9               | or                  eax, 0xffffffff
            //   ff15????????         |                     
            //   488bcb               | dec                 eax
            //   ff15????????         |                     
            //   a810                 | lea                 ecx, [ebx + 8]
            //   7512                 | dec                 eax

        $sequence_4 = { 4889442428 458d4101 33d2 4c89642420 ff15???????? 488b4daf }
            // n = 6, score = 100
            //   4889442428           | and                 bl, 0xf
            //   458d4101             | movzx               eax, byte ptr [ebp + 0x540]
            //   33d2                 | dec                 esp
            //   4c89642420           | lea                 ebx, [0x747]
            //   ff15????????         |                     
            //   488b4daf             | dec                 esp

        $sequence_5 = { 03df 4863cb 42890439 8d4304 488b8d30650000 4833cc }
            // n = 6, score = 100
            //   03df                 | mov                 dword ptr [esp + 0x44], 0xec26f12c
            //   4863cb               | mov                 dword ptr [esp + 0x48], 0x852dff9b
            //   42890439             | mov                 dword ptr [esp + 0x4c], 0x58cb4c07
            //   8d4304               | mov                 dword ptr [esp + 0x50], 0xaa05b2c4
            //   488b8d30650000       | mov                 dword ptr [esp + 0x54], 0x67503914
            //   4833cc               | mov                 dword ptr [esp + 0x44], 0x76

        // sequence_6 is a run of c785 (mov dword ptr [rbp+disp32], imm32) stores of
        // fixed 32-bit constants -- the most build-specific of the ten strings.
        $sequence_6 = { c785d01b0000e3905de8 c785d41b00001def57f7 c785d81b00003bf5679d c785dc1b00000989ec8d c785e01b0000fd9e1cf3 66c785e41b00002657 }
            // n = 6, score = 100
            //   c785d01b0000e3905de8     | mov    ecx, edx
            //   c785d41b00001def57f7     | dec    eax
            //   c785d81b00003bf5679d     | sub    ecx, eax
            //   c785dc1b00000989ec8d     | ja    0x326
            //   c785e01b0000fd9e1cf3     | dec    ecx
            //   66c785e41b00002657     | movsx    eax, ah

        $sequence_7 = { 4c8d0d95f3feff 0f85a5000000 488bcb e8???????? 488d15c03e0100 413bc7 }
            // n = 6, score = 100
            //   4c8d0d95f3feff       | dec                 esp
            //   0f85a5000000         | sub                 eax, dword ptr [edx + eax*8]
            //   488bcb               | dec                 eax
            //   e8????????           |                     
            //   488d15c03e0100       | mov                 eax, edx
            //   413bc7               | dec                 eax

        $sequence_8 = { b03d eb08 0fb6c3 420fb60430 4188442802 4183f902 }
            // n = 6, score = 100
            //   b03d                 | mov                 dword ptr [ebp + 0x8e0], eax
            //   eb08                 | inc                 esp
            //   0fb6c3               | mov                 ebp, edx
            //   420fb60430           | dec                 eax
            //   4188442802           | lea                 ebp, [esp - 0xe0]
            //   4183f902             | dec                 eax

        $sequence_9 = { 48833d????????00 741e 488d0db9d70000 e8???????? 85c0 }
            // n = 5, score = 100
            //   48833d????????00     |                     
            //   741e                 | dec                 eax
            //   488d0db9d70000       | lea                 ecx, [ebp - 0x70]
            //   e8????????           |                     
            //   85c0                 | xor                 edx, edx

    /* Match requires any 7 of the 10 sequences, so up to 3 may be absent or
     * altered (recompilation, patched operands) without losing the hit.
     * The filesize bound (409600 bytes = 400 KiB) keeps the rule off large
     * files; NOTE(review): per YARA's documentation filesize is undefined when
     * scanning process memory, so confirm the expected outcome for memory
     * scans with the scanner you deploy this in.
     */
    condition:
        7 of them and filesize < 409600
}