SYMBOLCOMMON_NAMEaka. SYNONYMS
win.rising_sun (Back to overview)

Rising Sun

Actor(s): Operation Sharpshooter

There is no description at this point.

References
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2018-12-12McAfeeRyan Sherstobitoff, Asheer Malhotra
@techreport{sherstobitoff:20181212:operation:f8b490f, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{Operation Sharpshooter: Campaign Targets Global Defense, Critical Infrastructure}}, date = {2018-12-12}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf}, language = {English}, urldate = {2019-12-18} } Operation Sharpshooter: Campaign Targets Global Defense, Critical Infrastructure
Rising Sun
2018-12-12McAfeeRyan Sherstobitoff, Asheer Malhotra
@online{sherstobitoff:20181212:operation:df0b2d2, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure}}, date = {2018-12-12}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/}, language = {English}, urldate = {2020-01-13} } ‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure
Rising Sun Lazarus Group Operation Sharpshooter
Yara Rules
[TLP:WHITE] win_rising_sun_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_rising_sun_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rising_sun"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4881ecf0090000 488b05???????? 4833c4 488985e0080000 448bea 488bd9 }
            // n = 6, score = 100
            //   4881ecf0090000       | mov                 eax, edx
            //   488b05????????       |                     
            //   4833c4               | mov                 eax, ecx
            //   488985e0080000       | jmp                 0x154a
            //   448bea               | inc                 ecx
            //   488bd9               | mov                 eax, esp

        $sequence_1 = { 488d152ddb0100 e8???????? 85c0 0f85aa110000 448d4004 488d1515db0100 }
            // n = 6, score = 100
            //   488d152ddb0100       | mov                 dword ptr [ebx + 0x28], ebp
            //   e8????????           |                     
            //   85c0                 | dec                 esp
            //   0f85aa110000         | mov                 dword ptr [esi], edi
            //   448d4004             | cmp                 edi, 0x13
            //   488d1515db0100       | dec                 eax

        $sequence_2 = { 66f3a7 75bf 488d4c2430 e8???????? 488d4c2430 ba281c0000 }
            // n = 6, score = 100
            //   66f3a7               | test                eax, eax
            //   75bf                 | jne                 0x2c7
            //   488d4c2430           | dec                 esp
            //   e8????????           |                     
            //   488d4c2430           | cmp                 edi, edi
            //   ba281c0000           | inc                 ecx

        $sequence_3 = { 8bc2 48c1e803 488d44d808 410fb70c44 0fb6c2 2407 }
            // n = 6, score = 100
            //   8bc2                 | mov                 dword ptr [eax + edx*8 + 8], eax
            //   48c1e803             | mov                 edx, 0xd
            //   488d44d808           | dec                 esp
            //   410fb70c44           | mov                 dword ptr [esp + 0x20], esi
            //   0fb6c2               | dec                 eax
            //   2407                 | add                 edx, edx

        $sequence_4 = { 41b800040000 e8???????? 488d8c24200c0000 41b801000000 ba00040000 }
            // n = 5, score = 100
            //   41b800040000         | mov                 dword ptr [esp + 0x5c], 0x1b091ab6
            //   e8????????           |                     
            //   488d8c24200c0000     | mov                 dword ptr [esp + 0x60], 0x92241eb7
            //   41b801000000         | mov                 dword ptr [esp + 0x64], 0xc4902d36
            //   ba00040000           | mov                 dword ptr [esp + 0x58], 0x67b0abfd

        $sequence_5 = { 488bd8 e8???????? 488d1532600100 488d8d50020000 ff15???????? 4c8d85e0010000 8d5634 }
            // n = 7, score = 100
            //   488bd8               | mov                 dword ptr [ebx + 0x20], esp
            //   e8????????           |                     
            //   488d1532600100       | test                al, al
            //   488d8d50020000       | jne                 0xfba
            //   ff15????????         |                     
            //   4c8d85e0010000       | xor                 eax, eax
            //   8d5634               | mov                 edx, edi

        $sequence_6 = { 8bd6 4a894cf008 488bcb e8???????? 85c0 }
            // n = 5, score = 100
            //   8bd6                 | mov                 edx, dword ptr [edx + eax*8]
            //   4a894cf008           | dec                 ecx
            //   488bcb               | cmp                 ebx, dword ptr [esi + 0x10]
            //   e8????????           |                     
            //   85c0                 | jae                 0x30f

        $sequence_7 = { 720b b957000780 e8???????? cc 4863c8 488b4308 4803d2 }
            // n = 7, score = 100
            //   720b                 | mov                 eax, 0xffffffff
            //   b957000780           | dec                 eax
            //   e8????????           |                     
            //   cc                   | cmova               ebx, eax
            //   4863c8               | nop                 
            //   488b4308             | dec                 eax
            //   4803d2               | mov                 edx, eax

        $sequence_8 = { 4889442420 ff15???????? 488b4c2438 488d542444 4533c9 448bc7 ff15???????? }
            // n = 7, score = 100
            //   4889442420           | lea                 edx, [0x1e0ac]
            //   ff15????????         |                     
            //   488b4c2438           | dec                 eax
            //   488d542444           | lea                 ecx, [0x29595]
            //   4533c9               | nop                 
            //   448bc7               | inc                 ebp
            //   ff15????????         |                     

        $sequence_9 = { 03df 4863cb 42890439 8d4304 488b8d30650000 4833cc }
            // n = 6, score = 100
            //   03df                 | mov                 dword ptr [esp + 8], 0xc44754f0
            //   4863cb               | mov                 dword ptr [esp + 0xc], 0xa4a33437
            //   42890439             | dec                 esp
            //   8d4304               | arpl                dx, cx
            //   488b8d30650000       | mov                 eax, 0x55555556
            //   4833cc               | dec                 eax

    condition:
        7 of them and filesize < 409600
}
Download all Yara Rules