win.rising_sun

Rising Sun

Actor(s): Operation Sharpshooter


There is no description at this point.

References
2022-03-31 — APNIC — Debashis Pal
How to: Detect and prevent common data exfiltration attacks
Agent Tesla DNSMessenger PingBack Rising Sun
2020-02-13 — Qianxin — Qi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2018-12-12 — McAfee — Asheer Malhotra, Ryan Sherstobitoff
Operation Sharpshooter: Campaign Targets Global Defense, Critical Infrastructure
Rising Sun
2018-12-12 — McAfee — Asheer Malhotra, Ryan Sherstobitoff
‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure
Rising Sun Lazarus Group Operation Sharpshooter
Yara Rules
[TLP:WHITE] win_rising_sun_auto (20230808 | Detects win.rising_sun.)
rule win_rising_sun_auto {
    // Auto-generated YARA-Signator rule for the win.rising_sun family
    // (attributed on this page to Operation Sharpshooter). The rule fires when
    // at least 7 of the 10 opcode sequences declared under `strings:` are found
    // in a file smaller than 409600 bytes (400 KiB); see `condition:` below.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): `date`, `malpedia_rule_date` and `malpedia_version`
        // carry three different dates; presumably generation time vs. the
        // Malpedia snapshot the samples came from — confirm before relying on
        // any of them for rule versioning.
        date = "2023-12-06"
        version = "1"
        description = "Detects win.rising_sun."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Generator settings: sequences were chosen from call/jump sites,
        // data references and immediate values.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rising_sun"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the per-line disassembly annotations under each sequence
     * come from the generator and do not appear to line up with the listed
     * bytes (for example `c7 45 xx imm32` encodes
     * `mov dword ptr [ebp+disp8], imm32`, not the `jne`/`dec` shown, and the
     * `48` bytes are REX.W prefixes of 64-bit code rather than `dec eax`).
     * Treat the hex as the authoritative pattern and the mnemonics as
     * informational only. `??` bytes are wildcards; here they mask the rel32
     * target of `e8` (call) so a match does not depend on callee placement.
     */

    strings:
        // Run of `mov dword ptr [ebp-0x50..-0x38], imm32` stores — looks like
        // inline construction of a constant table or buffer on the stack;
        // purpose of the constants is not established here.
        $sequence_0 = { c745b03414d384 c745b418f4ff64 c745b851d4c644 c745bcabb43c24 c745c099945804 c745c4c4746ce4 c745c8dd544ec4 }
            // n = 7, score = 100
            //   c745b03414d384       | jne                 0xdfe
            //   c745b418f4ff64       | dec                 eax
            //   c745b851d4c644       | mov                 ecx, dword ptr [ebx + 0x158]
            //   c745bcabb43c24       | dec                 eax
            //   c745c099945804       | lea                 eax, [0xf683]
            //   c745c4c4746ce4       | mov                 ebx, edx
            //   c745c8dd544ec4       | dec                 eax

        // x64 prologue: spill rsi/rdi to the shadow area, push rbp, reserve a
        // large frame (`lea rbp, [rsp-0x1b60]`, `mov eax, 0x1c60`) — the eax
        // load presumably feeds a stack probe; unverified.
        $sequence_1 = { 4889742418 48897c2420 55 488dac24a0e4ffff b8601c0000 }
            // n = 5, score = 100
            //   4889742418           | mov                 eax, dword ptr [ebx + 8]
            //   48897c2420           | dec                 eax
            //   55                   | test                edx, edx
            //   488dac24a0e4ffff     | inc                 ecx
            //   b8601c0000           | cmp                 edi, esi

        // Same store pattern as $sequence_0 at [ebp-0x24..-0x0c].
        $sequence_2 = { c745dcd3515290 c745e00358c000 c745e4c80ae51e c745e804d34ed7 c745ec3e3054ad c745f046c2e664 c745f418a189fe }
            // n = 7, score = 100
            //   c745dcd3515290       | mov                 esi, edi
            //   c745e00358c000       | inc                 ebp
            //   c745e4c80ae51e       | test                ebp, ebp
            //   c745e804d34ed7       | jle                 0x312
            //   c745ec3e3054ad       | dec                 eax
            //   c745f046c2e664       | lea                 ecx, [0x1f9cc]
            //   c745f418a189fe       | nop                 dword ptr [eax + eax]

        // `c7 85 disp32 imm32` stores at [ebp+0x210..0x220]; the immediates
        // (0x00c05803, 0x1ee50ac8, ...) are the same values as in $sequence_2,
        // so $sequence_3/$sequence_5 are the same table at another frame offset.
        $sequence_3 = { c785100200000358c000 c78514020000c80ae51e c7851802000004d34ed7 c7851c0200003e3054ad c7852002000046c2e664 }
            // n = 5, score = 100
            //   c785100200000358c000     | mov    ecx, 0x800000
            //   c78514020000c80ae51e     | mov    edx, 0x6801
            //   c7851802000004d34ed7     | dec    esp
            //   c7851c0200003e3054ad     | mov    dword ptr [esp + 0x20], ebx
            //   c7852002000046c2e664     | dec    esp

        // call (target wildcarded), store rax into the frame, RIP-relative lea,
        // then `add rsp, 0x20` — a call site followed by shadow-space cleanup.
        $sequence_4 = { e8???????? 48898588000000 488d05c298feff 4883c420 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   48898588000000       | pop                 edi
            //   488d05c298feff       | mov                 eax, edx
            //   4883c420             | dec                 eax

        // Continuation of the $sequence_3 store run ([ebp+0x214..0x22c]);
        // overlaps $sequence_3 by four stores, so both tend to fire together.
        $sequence_5 = { c78514020000c80ae51e c7851802000004d34ed7 c7851c0200003e3054ad c7852002000046c2e664 c7852402000018a189fe c7852802000003f29cea c7852c0200000bbce179 }
            // n = 7, score = 100
            //   c78514020000c80ae51e     | sar    eax, 5
            //   c7851802000004d34ed7     | dec    eax
            //   c7851c0200003e3054ad     | imul    ecx, ecx, 0x58
            //   c7852002000046c2e664     | dec    eax
            //   c7852402000018a189fe     | add    ecx, dword ptr [edx + eax*8]
            //   c7852802000003f29cea     | jmp    0x92d
            //   c7852c0200000bbce179     | dec    eax

        // Stores at [ebp+0x644..0x654] followed by a 16-bit store (`66 c7 85`)
        // and a `mov word [ebp+0x660], r13w`, then a wildcarded call.
        $sequence_6 = { c785440600001def57f7 c785480600003bf5679d c7854c0600000989ec8d c78550060000fd9e1cf3 66c785540600002657 664489ad60060000 e8???????? }
            // n = 7, score = 100
            //   c785440600001def57f7     | lea    ecx, [edi + 8]
            //   c785480600003bf5679d     | dec    esp
            //   c7854c0600000989ec8d     | mov    dword ptr [esp + 0x68], ebp
            //   c78550060000fd9e1cf3     | dec    eax
            //   66c785540600002657     | inc    edx
            //   664489ad60060000     | test                al, al
            //   e8????????           |                     

        // `lea r8, [rcx-1]`, `mov rcx, rsi`, call, reload rdx from the frame,
        // `mov eax, 0xffffff9f` (-97) — a call with a fixed negative constant
        // loaded afterwards; meaning of the constant not established here.
        $sequence_7 = { 4c8d41ff 488bce e8???????? 488b542450 b89fffffff }
            // n = 5, score = 100
            //   4c8d41ff             | mov                 edx, dword ptr [esp + 0x40]
            //   488bce               | dec                 eax
            //   e8????????           |                     
            //   488b542450           | or                  ecx, 0xffffffff
            //   b89fffffff           | dec                 eax

        // Decodes as: nop; movzx eax, byte [rdx]; inc rdx; mov [rdx+rcx-1], al;
        // test al, al; jne -0xe — i.e. a NUL-terminated byte-copy loop
        // (strcpy-like). Such loops are common library code, so this sequence
        // alone is weak evidence; the 7-of-10 condition compensates.
        $sequence_8 = { 660f1f440000 0fb602 48ffc2 88440aff 84c0 75f2 }
            // n = 6, score = 100
            //   660f1f440000         | lea                 edi, [esp + eax*8 + 8]
            //   0fb602               | dec                 ebp
            //   48ffc2               | lea                 eax, [esp + eax*8 + 0x18]
            //   88440aff             | dec                 eax
            //   84c0                 | cmp                 ebx, edx
            //   75f2                 | jae                 0x101c

        // Wildcarded call, `int3` padding, then a standard x64 prologue
        // (spill rbx/rbp, push rsi/rdi/r12): the boundary between a
        // non-returning call and the start of the next function.
        $sequence_9 = { e8???????? cc 48895c2408 48896c2418 56 57 4154 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   cc                   | mov                 ecx, esp
            //   48895c2408           | mov                 eax, 0xffffff9f
            //   48896c2418           | dec                 ecx
            //   56                   | lea                 edi, [esp + eax*8 + 8]
            //   57                   | dec                 ebp
            //   4154                 | lea                 eax, [esp + eax*8 + 0x18]

    condition:
        // 7 of the 10 sequences must be present; the majority threshold is
        // presumably the generator's guard against single-sequence false
        // positives. The size cap (400 KiB) bounds scan cost and will skip
        // larger carriers, so unpacked or dumped images above that size will
        // not match even if the code is present.
        7 of them and filesize < 409600
}