win.rising_sun

Rising Sun

Actor(s): Operation Sharpshooter


No curated description yet. Based on the references below, Rising Sun is the implant McAfee described in December 2018 under the name "Operation Sharpshooter", a campaign reported to target global defense and critical-infrastructure organizations; the McAfee write-up is tagged here with Lazarus Group. The auto-generated YARA rule at the bottom of this page is derived from x86-64 code taken from unpacked samples and memory dumps, so it should be expected to match only 64-bit, unpacked code of this family.

References
2022-03-31 · APNIC · Debashis Pal
@online{pal:20220331:how:c5195a9, author = {Debashis Pal}, title = {{How to: Detect and prevent common data exfiltration attacks}}, date = {2022-03-31}, organization = {APNIC}, url = {https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/}, language = {English}, urldate = {2022-05-05} } How to: Detect and prevent common data exfiltration attacks
Agent Tesla DNSMessenger PingBack Rising Sun
2020-02-13 · Qianxin · Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2018-12-12 · McAfee · Ryan Sherstobitoff, Asheer Malhotra
@online{sherstobitoff:20181212:operation:df0b2d2, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure}}, date = {2018-12-12}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/}, language = {English}, urldate = {2020-01-13} } ‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure
Rising Sun Lazarus Group Operation Sharpshooter
2018-12-12 · McAfee · Ryan Sherstobitoff, Asheer Malhotra
@techreport{sherstobitoff:20181212:operation:f8b490f, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{Operation Sharpshooter: Campaign Targets Global Defense, Critical Infrastructure}}, date = {2018-12-12}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf}, language = {English}, urldate = {2019-12-18} } Operation Sharpshooter: Campaign Targets Global Defense, Critical Infrastructure
Rising Sun
Yara Rules
[TLP:WHITE] win_rising_sun_auto (20221125 | Detects win.rising_sun.)
rule win_rising_sun_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.rising_sun."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rising_sun"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (comments only; the strings and the condition are unchanged)
     * - The per-instruction annotations below were re-derived by decoding the
     *   literal pattern bytes as x86-64. The annotations that shipped with the
     *   auto-generated rule did not correspond to the bytes on the same row.
     *   They were decoded by hand: re-check with a disassembler before quoting.
     * - Eight of the ten sequences carry REX prefixes (0x48/0x49/0x4c/0x4d), so
     *   the rule is built from 64-bit code. $sequence_0 and $sequence_1 decode
     *   the same way in 32-bit mode, but two strings cannot satisfy "7 of them",
     *   so a 32-bit build of the family is not expected to match.
     * - Per the disclaimer the patterns come from unpacked files and memory
     *   dumps: a packed or encrypted on-disk sample will not match until it is
     *   unpacked.
     * - Several sequences embed literal RIP-relative displacements and frame
     *   offsets (e.g. 0x1031d, 0x1e0f6, 0x29597, 0xe91b). These pin the match to
     *   one build's layout and are the first thing to break on a recompile.
     * - $sequence_3, $sequence_4, $sequence_6 and $sequence_9 look like
     *   compiler/runtime idioms (an HRESULT constant, the divide-by-10
     *   multiplier, what appears to be an MSVC std::wstring teardown, a Win64
     *   prologue) and are therefore less family-specific than the constant
     *   tables in $sequence_0/$sequence_1; a hit driven mainly by them deserves
     *   manual confirmation.
     * - The condition bounds filesize at 409600 bytes (400 KiB): a whole-process
     *   memory dump larger than that will not match even if the code is present.
     *   YARA's documentation also describes `filesize` as unavailable when
     *   scanning a running process, so verify behaviour before relying on this
     *   rule for live memory scans.
     */


    strings:
        $sequence_0 = { c744246c54aea076 c7442470df169074 c7442474c028789d c7442478dd42115a c744247c5223f272 }
            // n = 5, score = 100
            // Five consecutive 32-bit immediates stored to [rsp+0x6c..0x7c]:
            // an inlined constant table (the values are opaque from the rule alone).
            //   c744246c54aea076     | mov                 dword ptr [rsp + 0x6c], 0x76a0ae54
            //   c7442470df169074     | mov                 dword ptr [rsp + 0x70], 0x749016df
            //   c7442474c028789d     | mov                 dword ptr [rsp + 0x74], 0x9d7828c0
            //   c7442478dd42115a     | mov                 dword ptr [rsp + 0x78], 0x5a1142dd
            //   c744247c5223f272     | mov                 dword ptr [rsp + 0x7c], 0x72f22352

        $sequence_1 = { c785c0010000b4e69536 c785c401000050ab26b7 c785c801000068ad6ac8 c785cc0100003d61579e c785d0010000c81a556b c785d4010000ba0c4b8e c785d8010000b7ea75a1 }
            // n = 7, score = 100
            // Seven consecutive 32-bit immediates stored to [rbp+0x1c0..0x1d8]:
            // another inlined constant table; same caveat as $sequence_0.
            //   c785c0010000b4e69536     | mov    dword ptr [rbp + 0x1c0], 0x3695e6b4
            //   c785c401000050ab26b7     | mov    dword ptr [rbp + 0x1c4], 0xb726ab50
            //   c785c801000068ad6ac8     | mov    dword ptr [rbp + 0x1c8], 0xc86aad68
            //   c785cc0100003d61579e     | mov    dword ptr [rbp + 0x1cc], 0x9e57613d
            //   c785d0010000c81a556b     | mov    dword ptr [rbp + 0x1d0], 0x6b551ac8
            //   c785d4010000ba0c4b8e     | mov    dword ptr [rbp + 0x1d4], 0x8e4b0cba
            //   c785d8010000b7ea75a1     | mov    dword ptr [rbp + 0x1d8], 0xa175eab7

        $sequence_2 = { e8???????? 4863e8 85c0 0f88c4feffff 4d8bc4 488bd6 488bcb }
            // n = 7, score = 100
            // Call, sign-extend and test the 32-bit result, branch backwards if
            // negative, then reload rcx/rdx/r8 (the first three Win64 integer
            // argument registers) from callee-saved registers for the next call.
            //   e8????????           | call                <rel32 wildcarded>
            //   4863e8               | movsxd              rbp, eax
            //   85c0                 | test                eax, eax
            //   0f88c4feffff         | js                  <back 0x13c>
            //   4d8bc4               | mov                 r8, r12
            //   488bd6               | mov                 rdx, rsi
            //   488bcb               | mov                 rcx, rbx

        $sequence_3 = { 49894c0008 ff432c 488b4310 483be8 720b b957000780 e8???????? }
            // n = 7, score = 100
            // Store into a table at r8+rax+8, bump a counter at [rbx+0x2c], compare
            // rbp against [rbx+0x10] and, if not below, load 0x80070057
            // (E_INVALIDARG) into ecx and call. Looks like a runtime/container
            // bounds-check path rather than family-specific logic.
            //   49894c0008           | mov                 qword ptr [r8 + rax + 8], rcx
            //   ff432c               | inc                 dword ptr [rbx + 0x2c]
            //   488b4310             | mov                 rax, qword ptr [rbx + 0x10]
            //   483be8               | cmp                 rbp, rax
            //   720b                 | jb                  +0xb
            //   b957000780           | mov                 ecx, 0x80070057
            //   e8????????           | call                <rel32 wildcarded>

        $sequence_4 = { 488b5c2458 488b742450 84c0 0f8493000000 488bcb 482bce 48bf6766666666666666 }
            // n = 7, score = 100
            // Reload two saved qwords, branch on a byte result, compute rbx-rsi into
            // rcx and load 0x6666666666666667, the multiplier compilers emit for
            // signed 64-bit division by 10: compiler-generated arithmetic.
            //   488b5c2458           | mov                 rbx, qword ptr [rsp + 0x58]
            //   488b742450           | mov                 rsi, qword ptr [rsp + 0x50]
            //   84c0                 | test                al, al
            //   0f8493000000         | je                  +0x93
            //   488bcb               | mov                 rcx, rbx
            //   482bce               | sub                 rcx, rsi
            //   48bf6766666666666666     | mov    rdi, 0x6666666666666667

        $sequence_5 = { 488bfb 4803ff 4c8d2d1d030100 49837cfd0000 7404 8bc6 eb79 }
            // n = 7, score = 100
            // Index a RIP-relative table of 16-byte entries (rdi = rbx*2, scaled by
            // 8) and test whether the entry is zero. The 0x1031d displacement is a
            // literal, so this string is tied to one build's image layout.
            //   488bfb               | mov                 rdi, rbx
            //   4803ff               | add                 rdi, rdi
            //   4c8d2d1d030100       | lea                 r13, [rip + 0x1031d]
            //   49837cfd0000         | cmp                 qword ptr [r13 + rdi*8], 0
            //   7404                 | je                  +4
            //   8bc6                 | mov                 eax, esi
            //   eb79                 | jmp                 +0x79

        $sequence_6 = { 90 4883bd2001000008 720c 488b8d08010000 e8???????? 48c7852001000007000000 4c89a518010000 }
            // n = 7, score = 100
            // If [rbp+0x120] >= 8, pass [rbp+0x108] to a call (the jb skips exactly
            // the load and the call); then set [rbp+0x120] = 7 and [rbp+0x118] = r12.
            // NOTE(review): this matches the shape of MSVC STL's inlined
            // std::wstring deallocation (heap buffer freed when capacity >= 8,
            // capacity reset to the 7-wchar SSO value) - unconfirmed, but if so it
            // is library code, not family logic.
            //   90                   | nop
            //   4883bd2001000008     | cmp                 qword ptr [rbp + 0x120], 8
            //   720c                 | jb                  +0xc
            //   488b8d08010000       | mov                 rcx, qword ptr [rbp + 0x108]
            //   e8????????           | call                <rel32 wildcarded>
            //   48c7852001000007000000     | mov    qword ptr [rbp + 0x120], 7
            //   4c89a518010000       | mov                 qword ptr [rbp + 0x118], r12

        $sequence_7 = { e8???????? 488d8c2420080000 e9???????? 483b05???????? 750a e8???????? e9???????? }
            // n = 7, score = 100
            // Call, take the address of a large stack buffer, jump; then compare rax
            // with a RIP-relative global and, if equal, call and jump (jne +0xa skips
            // exactly those two). Five of the seven entries are wildcarded, so this
            // is the loosest pattern in the rule.
            //   e8????????           | call                <rel32 wildcarded>
            //   488d8c2420080000     | lea                 rcx, [rsp + 0x820]
            //   e9????????           | jmp                 <rel32 wildcarded>
            //   483b05????????       | cmp                 rax, qword ptr [rip + <wildcarded>]
            //   750a                 | jne                 +0xa
            //   e8????????           | call                <rel32 wildcarded>
            //   e9????????           | jmp                 <rel32 wildcarded>

        $sequence_8 = { 488d15f6e00100 488d0d97950200 e8???????? 90 48891d???????? }
            // n = 5, score = 100
            // Pass two RIP-relative addresses as the first two arguments to a call,
            // then store rbx to a global. Both displacements (0x1e0f6, 0x29597) are
            // literals, so this string is tied to one build's image layout.
            //   488d15f6e00100       | lea                 rdx, [rip + 0x1e0f6]
            //   488d0d97950200       | lea                 rcx, [rip + 0x29597]
            //   e8????????           | call                <rel32 wildcarded>
            //   90                   | nop
            //   48891d????????       | mov                 qword ptr [rip + <wildcarded>], rbx

        $sequence_9 = { 4883ec20 488d051be90000 8bda 488bf9 488901 }
            // n = 5, score = 100
            // Function entry: 0x20-byte shadow space, rax = a RIP-relative address,
            // the first two arguments (rcx, edx) saved to rdi/ebx, and the address
            // stored at [rcx]. Consistent with a constructor writing a vtable pointer
            // into `this` (unconfirmed). The 0xe91b displacement is a literal.
            //   4883ec20             | sub                 rsp, 0x20
            //   488d051be90000       | lea                 rax, [rip + 0xe91b]
            //   8bda                 | mov                 ebx, edx
            //   488bf9               | mov                 rdi, rcx
            //   488901               | mov                 qword ptr [rcx], rax

    condition:
        // At least 7 of the 10 code sequences, in a file under 400 KiB.
        7 of them and filesize < 409600
}