SYMBOLCOMMON_NAMEaka. SYNONYMS
win.rising_sun (Back to overview)

Rising Sun

Actor(s): Operation Sharpshooter

There is no description at this point.

References
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2018-12-12McAfeeRyan Sherstobitoff, Asheer Malhotra
@techreport{sherstobitoff:20181212:operation:f8b490f, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{Operation Sharpshooter: Campaign Targets Global Defense, Critical Infrastructure}}, date = {2018-12-12}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf}, language = {English}, urldate = {2019-12-18} } Operation Sharpshooter: Campaign Targets Global Defense, Critical Infrastructure
Rising Sun
2018-12-12McAfeeRyan Sherstobitoff, Asheer Malhotra
@online{sherstobitoff:20181212:operation:df0b2d2, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure}}, date = {2018-12-12}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/}, language = {English}, urldate = {2020-01-13} } ‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure
Rising Sun Lazarus Group Operation Sharpshooter
Yara Rules
[TLP:WHITE] win_rising_sun_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_rising_sun_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rising_sun"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 48895c2408 55 488dac2480f1ffff 4881ec800f0000 488b05???????? 4833c4 488985700e0000 }
            // n = 7, score = 100
            //   48895c2408           | mov                 dword ptr [ebp - 0x78], 0xd68d27e7
            //   55                   | mov                 dword ptr [ebp - 0x74], 0x4bea39bb
            //   488dac2480f1ffff     | mov                 dword ptr [ebp - 0x70], 0xb88c201
            //   4881ec800f0000       | mov                 dword ptr [ebp - 0x6c], 0x37cd2430
            //   488b05????????       |                     
            //   4833c4               | mov                 dword ptr [ebp - 0x80], 0x40c9497
            //   488985700e0000       | mov                 dword ptr [ebp - 0x7c], 0xe46b74ed

        $sequence_1 = { 4c8d15bb480100 4885c0 7404 4c8d5010 8bcb e8???????? 418902 }
            // n = 7, score = 100
            //   4c8d15bb480100       | add                 eax, 4
            //   4885c0               | mov                 byte ptr [esp + 0x58], 0
            //   7404                 | dec                 eax
            //   4c8d5010             | inc                 esi
            //   8bcb                 | inc                 ecx
            //   e8????????           |                     
            //   418902               | inc                 edx

        $sequence_2 = { e8???????? 4863e8 85c0 0f88c4feffff 4d8bc4 488bd6 488bcb }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4863e8               | dec                 eax
            //   85c0                 | mov                 dword ptr [ebx + 0x10], ebp
            //   0f88c4feffff         | jb                  0x52a
            //   4d8bc4               | dec                 eax
            //   488bd6               | lea                 edi, [ebx + 0x58]
            //   488bcb               | mov                 esi, 6

        $sequence_3 = { c74424502829ea8b c7442454693e5f4d c7442458fd32badc c744245cb61a091b c7442460b71e2492 c7442464362d90c4 }
            // n = 6, score = 100
            //   c74424502829ea8b     | dec                 eax
            //   c7442454693e5f4d     | lea                 ecx, [0x29583]
            //   c7442458fd32badc     | nop                 
            //   c744245cb61a091b     | dec                 eax
            //   c7442460b71e2492     | lea                 ecx, [0x29589]
            //   c7442464362d90c4     | nop                 

        $sequence_4 = { 8bce e8???????? eb2b 83f8ff 7526 4c8d25c7400100 493bdc }
            // n = 7, score = 100
            //   8bce                 | lea                 edx, [ebp + 0x10]
            //   e8????????           |                     
            //   eb2b                 | repne scasd         eax, dword ptr es:[edi]
            //   83f8ff               | dec                 eax
            //   7526                 | or                  ecx, 0xffffffff
            //   4c8d25c7400100       | dec                 eax
            //   493bdc               | or                  ecx, 0xffffffff

        $sequence_5 = { c744247c3ecc0cc2 c74580af6c9d01 c74584614a63ca c74588ed31515d e8???????? 488d157ae50100 }
            // n = 6, score = 100
            //   c744247c3ecc0cc2     | lea                 ecx, [esp + 0x28]
            //   c74580af6c9d01       | nop                 
            //   c74584614a63ca       | dec                 eax
            //   c74588ed31515d       | lea                 ecx, [esp + 0x28]
            //   e8????????           |                     
            //   488d157ae50100       | dec                 eax

        $sequence_6 = { 6644897d04 c745e631000000 ff15???????? 488d9530220000 b900040000 ff15???????? 4c8d8d100c0000 }
            // n = 7, score = 100
            //   6644897d04           | dec                 eax
            //   c745e631000000       | arpl                bx, ax
            //   ff15????????         |                     
            //   488d9530220000       | inc                 ebx
            //   b900040000           | lea                 edx, [esi + ebp*4 + 8]
            //   ff15????????         |                     
            //   4c8d8d100c0000       | dec                 eax

        $sequence_7 = { 7528 448d4ffd 4c8d05cf290100 488d4c2430 33d2 c744242008000000 ff15???????? }
            // n = 7, score = 100
            //   7528                 | dec                 eax
            //   448d4ffd             | add                 eax, eax
            //   4c8d05cf290100       | dec                 eax
            //   488d4c2430           | add                 ecx, ecx
            //   33d2                 | dec                 ebp
            //   c744242008000000     | mov                 eax, esp
            //   ff15????????         |                     

        $sequence_8 = { 48215c2420 488d8520060000 448bc6 442bc0 488b442450 488d0da3730100 488b0cc1 }
            // n = 7, score = 100
            //   48215c2420           | lea                 ecx, [esp + 0x30]
            //   488d8520060000       | inc                 esp
            //   448bc6               | lea                 ecx, [edi - 3]
            //   442bc0               | xor                 edx, edx
            //   488b442450           | mov                 eax, dword ptr [ebp + 0xf84]
            //   488d0da3730100       | inc                 ebp
            //   488b0cc1             | xor                 ecx, ecx

        $sequence_9 = { 88440ffe 84c0 75f1 ff15???????? 8b7d87 4c8d05e1c80100 488d4da7 }
            // n = 7, score = 100
            //   88440ffe             | setne               bl
            //   84c0                 | dec                 eax
            //   75f1                 | cmp                 dword ptr [eax + 0x18], 8
            //   ff15????????         |                     
            //   8b7d87               | jb                  0x174c
            //   4c8d05e1c80100       | dec                 eax
            //   488d4da7             | mov                 eax, dword ptr [eax]

    condition:
        7 of them and filesize < 409600
}
Download all Yara Rules