SYMBOLCOMMON_NAMEaka. SYNONYMS
win.rising_sun (Back to overview)

Rising Sun

Actor(s): Operation Sharpshooter

There is no description at this point.

References
2022-03-31APNICDebashis Pal
@online{pal:20220331:how:c5195a9, author = {Debashis Pal}, title = {{How to: Detect and prevent common data exfiltration attacks}}, date = {2022-03-31}, organization = {APNIC}, url = {https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/}, language = {English}, urldate = {2022-05-05} } How to: Detect and prevent common data exfiltration attacks
Agent Tesla DNSMessenger PingBack Rising Sun
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2018-12-12McAfeeRyan Sherstobitoff, Asheer Malhotra
@online{sherstobitoff:20181212:operation:df0b2d2, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure}}, date = {2018-12-12}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/}, language = {English}, urldate = {2020-01-13} } ‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure
Rising Sun Lazarus Group Operation Sharpshooter
2018-12-12McAfeeRyan Sherstobitoff, Asheer Malhotra
@techreport{sherstobitoff:20181212:operation:f8b490f, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{Operation Sharpshooter: Campaign Targets Global Defense, Critical Infrastructure}}, date = {2018-12-12}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf}, language = {English}, urldate = {2019-12-18} } Operation Sharpshooter: Campaign Targets Global Defense, Critical Infrastructure
Rising Sun
Yara Rules
[TLP:WHITE] win_rising_sun_auto (20230125 | Detects win.rising_sun.)
rule win_rising_sun_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.rising_sun."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rising_sun"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83c704 4863ce 8b9c0510010000 4863c7 48c1e109 488d940510010000 448bc3 }
            // n = 7, score = 100
            //   83c704               | mov                 ecx, esi
            //   4863ce               | test                eax, eax
            //   8b9c0510010000       | je                  0x1807
            //   4863c7               | dec                 eax
            //   48c1e109             | mov                 ecx, dword ptr [ebx + 0x10]
            //   488d940510010000     | dec                 eax
            //   448bc3               | dec                 ecx

        $sequence_1 = { 488b4c2430 e8???????? 488b0d???????? 4885c9 7406 ff15???????? }
            // n = 6, score = 100
            //   488b4c2430           | mov                 dword ptr [ebp - 0x80], 0xc8c8c8c8
            //   e8????????           |                     
            //   488b0d????????       |                     
            //   4885c9               | mov                 dword ptr [ebp - 0x7c], 0xa9beaca9
            //   7406                 | mov                 dword ptr [esp + 0x74], 0x9d7828c0
            //   ff15????????         |                     

        $sequence_2 = { 4881ecd00b0000 488b05???????? 4833c4 488985c00a0000 33f6 488bd9 488d8d72010000 }
            // n = 7, score = 100
            //   4881ecd00b0000       | lea                 ebp, [esp - 0x1c10]
            //   488b05????????       |                     
            //   4833c4               | mov                 eax, 0x1d10
            //   488985c00a0000       | dec                 eax
            //   33f6                 | sub                 esp, eax
            //   488bd9               | movaps              xmmword ptr [esp + 0x1d00], xmm6
            //   488d8d72010000       | push                ebp

        $sequence_3 = { 85c0 0f84fc010000 0f1f440000 498bcd 0fb7440d8c 4883c102 6689840d5e060000 }
            // n = 7, score = 100
            //   85c0                 | xor                 eax, eax
            //   0f84fc010000         | cmp                 cl, 0xa
            //   0f1f440000           | sete                al
            //   498bcd               | mov                 dword ptr [esp + 0x4c], eax
            //   0fb7440d8c           | dec                 eax
            //   4883c102             | lea                 eax, [0x1766a]
            //   6689840d5e060000     | jne                 0x467

        $sequence_4 = { c7454c04349aa4 c745500d148684 c7455418f4cb64 c7455802d4f444 c7455c88b43a24 c7456097940f04 c74564ea7469e4 }
            // n = 7, score = 100
            //   c7454c04349aa4       | lea                 eax, [ecx + 1]
            //   c745500d148684       | xor                 edx, edx
            //   c7455418f4cb64       | dec                 eax
            //   c7455802d4f444       | mov                 dword ptr [esp + 0x20], eax
            //   c7455c88b43a24       | inc                 ebp
            //   c7456097940f04       | xor                 ecx, ecx
            //   c74564ea7469e4       | dec                 esp

        $sequence_5 = { 4533c0 33d2 498bce ff15???????? 85c0 7552 }
            // n = 6, score = 100
            //   4533c0               | mov                 ecx, ebx
            //   33d2                 | dec                 esp
            //   498bce               | arpl                ax, bx
            //   ff15????????         |                     
            //   85c0                 | jns                 0x45b
            //   7552                 | or                  eax, 0xffffffff

        $sequence_6 = { ff15???????? 8d530f 85c0 755c 488dbdc01b0000 4c8bc2 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   8d530f               | dec                 eax
            //   85c0                 | lea                 edx, [0x14a8c]
            //   755c                 | dec                 eax
            //   488dbdc01b0000       | lea                 ecx, [ebp + 0x2230]
            //   4c8bc2               | inc                 ebp

        $sequence_7 = { 66f3a7 75bf 488d4c2430 e8???????? 488d4c2430 }
            // n = 5, score = 100
            //   66f3a7               | add                 dword ptr [esi], 4
            //   75bf                 | cmp                 edi, 0x13
            //   488d4c2430           | je                  0x416
            //   e8????????           |                     
            //   488d4c2430           | cmp                 edi, 0xa

        $sequence_8 = { 4883ec20 33c0 48c7411807000000 488d15a97d0200 48894110 4983c9ff 4533c0 }
            // n = 7, score = 100
            //   4883ec20             | je                  0x3f0
            //   33c0                 | dec                 eax
            //   48c7411807000000     | inc                 ebx
            //   488d15a97d0200       | dec                 eax
            //   48894110             | cmp                 ebx, ebp
            //   4983c9ff             | jae                 0x3f8
            //   4533c0               | inc                 cx

        $sequence_9 = { 4803c0 83ff0a 48896cc108 0f446c2470 8bc5 eb02 }
            // n = 6, score = 100
            //   4803c0               | dec                 eax
            //   83ff0a               | mov                 ecx, esi
            //   48896cc108           | dec                 ecx
            //   0f446c2470           | mov                 ecx, esp
            //   8bc5                 | cmp                 eax, 0x3d
            //   eb02                 | jne                 0x4cc

    condition:
        7 of them and filesize < 409600
}
Download all Yara Rules