win.unidentified_076

Unidentified 076 (Higaisa LNK to Shellcode)

Actor(s): Higaisa


There is no description at this point.

References
2020-11-13 | Youtube (The Standoff) | Alexey Zakharov, Positive Technologies
@online{zakharov:20201113:ff202eng:1d1222c, author = {Alexey Zakharov and Positive Technologies}, title = {{FF_202_Eng - From old Higaisa samples to new Winnti backdoors: The story of one research}}, date = {2020-11-13}, organization = {Youtube (The Standoff)}, url = {https://www.youtube.com/watch?v=8x-pGlWpIYI}, language = {English}, urldate = {2020-11-23} } FF_202_Eng - From old Higaisa samples to new Winnti backdoors: The story of one research
CROSSWALK Unidentified 076 (Higaisa LNK to Shellcode)
2020-06-14 | BushidoToken | BushidoToken
@online{bushidotoken:20200614:deepdive:3a375ca, author = {BushidoToken}, title = {{Deep-dive: The DarkHotel APT}}, date = {2020-06-14}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html}, language = {English}, urldate = {2020-06-16} } Deep-dive: The DarkHotel APT
Asruex Ghost RAT Ramsay Retro Unidentified 076 (Higaisa LNK to Shellcode)
2020-06-11 | Zscaler | Sudeep Singh, Atinderpal Singh
@online{singh:20200611:return:3a58e44, author = {Sudeep Singh and Atinderpal Singh}, title = {{The Return of the Higaisa APT}}, date = {2020-06-11}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/return-higaisa-apt}, language = {English}, urldate = {2020-06-12} } The Return of the Higaisa APT
Unidentified 076 (Higaisa LNK to Shellcode)
Yara Rules
[TLP:WHITE] win_unidentified_076_auto (20220411 | Detects win.unidentified_076.)
rule win_unidentified_076_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.unidentified_076."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_076"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the "| mnemonic" annotations printed next to each hex byte
     * run below do NOT decode those bytes. The byte sequences are x86-64 (REX
     * prefixes 0x41/0x44/0x48/0x49/0x4c appear throughout, e.g. 41 54 is
     * push r12), whereas the annotations read like 32-bit disassembly of some
     * neighbouring offset (e.g. "8b90e8060000 | dec eax", although those bytes
     * are mov edx, [rax+0x6e8]). Treat the annotations as informational only:
     * matching is done on the hex patterns, never on the comments.
     * Every "????????" wildcards the 4-byte relative operand of a call/jmp
     * (e8/e9) so the pattern tolerates different link addresses.
     * Several sequences contain an indirect call through a pointer held at a
     * fixed offset from a base register (e.g. ff9080070000 = call [rax+0x780],
     * ff9270010000 = call [rdx+0x170], 41ff9140070000 = call [r9+0x740]);
     * this looks like calls through a table of resolved imports, which would
     * fit the "LNK to Shellcode" description of this family — presumably, verify
     * against a sample before relying on that interpretation.
     */


    strings:
        // x64 decode: mov edx,[rax+0x6e8]; call rel32; jmp rel32;
        // lea rbx,[rsi+0x94c]; mov rcx,r14; mov rdx,rbx; call [rax+0x780]
        $sequence_0 = { 8b90e8060000 e8???????? e9???????? 488d9e4c090000 498bce 488bd3 ff9080070000 }
            // n = 7, score = 100
            //   8b90e8060000         | dec                 eax
            //   e8????????           |                     
            //   e9????????           |                     
            //   488d9e4c090000       | mov                 eax, dword ptr [ebx + 0xc8]
            //   498bce               | mov                 dword ptr [esp + 0x20], edi
            //   488bd3               | call                dword ptr [eax + 0x530]
            //   ff9080070000         | test                eax, eax

        // x64 decode: test eax,eax; jne rel8 (backwards, 0xa2 = -0x5e);
        // mov rax,[rsi+0xc8]; and [rbp-0x71],r14d; mov edi,0x10; mov r8d,edi; xor edx,edx
        $sequence_1 = { 85c0 75a2 488b86c8000000 4421758f bf10000000 448bc7 33d2 }
            // n = 7, score = 100
            //   85c0                 | je                  0x860
            //   75a2                 | dec                 eax
            //   488b86c8000000       | mov                 ecx, eax
            //   4421758f             | call                dword ptr [eax + 0xb0]
            //   bf10000000           | cmp                 dword ptr [eax + 0x18], 0
            //   448bc7               | je                  0x86e
            //   33d2                 | dec                 eax

        // x64 decode starts with call [rax+0x720], then zeroes two stack slots
        // ([rsp+0x30], [rsp+0x28]) around a mov rax,[rbp+0xc8] and sets
        // r9d = 0x400 and [rsp+0x20] = rcx — looks like argument setup for a
        // call that follows outside the pattern (presumably; not visible here).
        $sequence_2 = { ff9020070000 488364243000 488b85c8000000 8364242800 488d4c2460 41b900040000 48894c2420 }
            // n = 7, score = 100
            //   ff9020070000         | xor                 edx, edx
            //   488364243000         | jmp                 0x118d
            //   488b85c8000000       | cmp                 eax, 2
            //   8364242800           | jne                 0x1179
            //   488d4c2460           | dec                 ecx
            //   41b900040000         | mov                 edx, esi
            //   48894c2420           | dec                 eax

        // x64 decode: mov rcx,r14; call [rdx+0x170]; then restore
        // rbx/rbp/rsi/rdi from [rsp+0x40..0x58] and mov eax,1 — a function
        // epilogue returning 1 (the ret itself is not part of the pattern).
        $sequence_3 = { 498bce ff9270010000 488b5c2440 488b6c2448 488b742450 488b7c2458 b801000000 }
            // n = 7, score = 100
            //   498bce               | cmp                 ecx, edx
            //   ff9270010000         | dec                 esp
            //   488b5c2440           | arpl                ax, ax
            //   488b6c2448           | test                eax, eax
            //   488b742450           | jle                 0x16ab
            //   488b7c2458           | dec                 ebp
            //   b801000000           | arpl                word ptr [ecx + 0x38], dx

        // x64 decode: cmp [rdi+0x18],r11d; jbe rel8; mov r8d,[rdx]; xor ecx,ecx;
        // lea rdx,[rdx+4]; add r8,r9 — a bounds check followed by a 4-byte step.
        $sequence_4 = { 44395f18 762c 448b02 33c9 488d5204 4d03c1 }
            // n = 6, score = 100
            //   44395f18             | xor                 edx, edx
            //   762c                 | inc                 ecx
            //   448b02               | mov                 eax, 0x1370
            //   33c9                 | inc                 ecx
            //   488d5204             | mov                 ecx, ebp
            //   4d03c1               | dec                 eax

        // x64 decode: je rel8; test edx,edx; je rel8; inc r10; add rax,0x20;
        // cmp r10,0x14; jl rel8 (backwards) — a loop over 0x20-byte entries,
        // at most 20 iterations.
        $sequence_5 = { 742b 85d2 741f 49ffc2 4883c020 4983fa14 7cc2 }
            // n = 7, score = 100
            //   742b                 | mov                 eax, dword ptr [esi + 0xc8]
            //   85d2                 | dec                 ecx
            //   741f                 | mov                 ecx, ebp
            //   49ffc2               | call                dword ptr [eax + 0x3d0]
            //   4883c020             | jmp                 0x19e4
            //   4983fa14             | dec                 eax
            //   7cc2                 | mov                 ebx, dword ptr [esi + 0xc8]

        // x64 decode: call [r9+0x740]; mov rcx,[rsi+0x250]; mov edi,0x80;
        // mov eax,[rbx+rcx+0x208]; lea rdx,[rcx+0x214]; mov r8d,edi
        $sequence_6 = { 41ff9140070000 488b8e50020000 bf80000000 8b840b08020000 488d9114020000 448bc7 }
            // n = 6, score = 100
            //   41ff9140070000       | lea                 ecx, dword ptr [ebp + 0x4dc]
            //   488b8e50020000       | dec                 eax
            //   bf80000000           | lea                 edx, dword ptr [0x7172]
            //   8b840b08020000       | dec                 eax
            //   488d9114020000       | lea                 ecx, dword ptr [ebp + 0x704]
            //   448bc7               | dec                 eax

        // x64 decode: mov rax,[rdi+0xc8]; mov [rbp-0x10],ecx; cmp [rbp+0x50],esi;
        // jne rel32; lea r8,[rbp-0xc]; lea rdx,[rbp-0x10]
        $sequence_7 = { 488b87c8000000 894df0 397550 0f85ec000000 4c8d45f4 488d55f0 }
            // n = 6, score = 100
            //   488b87c8000000       | inc                 ecx
            //   894df0               | mov                 eax, dword ptr [esi + 4]
            //   397550               | jne                 0x1c01
            //   0f85ec000000         | and                 dword ptr [esp + 0x28], 0
            //   4c8d45f4             | and                 dword ptr [ebx + 0x2d4], 0
            //   488d55f0             | and                 dword ptr [esp + 0x20], 0

        // x64 decode: or edx,-1; call [rax+0x110]; mov rcx,[rdi+0x298];
        // mov [rdi+0x2cc],esi; test rcx,rcx; je rel8 — a NULL check on the
        // loaded pointer before it is used.
        $sequence_8 = { 83caff ff9010010000 488b8f98020000 89b7cc020000 4885c9 7411 }
            // n = 6, score = 100
            //   83caff               | mov                 edx, dword ptr [esp + 0x68]
            //   ff9010010000         | dec                 eax
            //   488b8f98020000       | mov                 ecx, dword ptr [esp + 0x50]
            //   89b7cc020000         | call                dword ptr [eax + 0xd0]
            //   4885c9               | call                dword ptr [eax + 0xd0]
            //   7411                 | mov                 edx, 3

        // x64 decode: push r12; push r13; push r14; push r15; lea rbp,[rax-0x4f];
        // sub rsp,0xc8; mov rax,[rcx+0x300] — a function prologue saving the
        // high callee-saved registers and reserving a 0xc8-byte frame.
        $sequence_9 = { 4154 4155 4156 4157 488d68b1 4881ecc8000000 488b8100030000 }
            // n = 7, score = 100
            //   4154                 | inc                 esi
            //   4155                 | mov                 esp, dword ptr [eax + ebp]
            //   4156                 | mov                 eax, dword ptr [esp + 0x90]
            //   4157                 | mov                 dword ptr [edi], eax
            //   488d68b1             | mov                 eax, dword ptr [esp + 0x80]
            //   4881ecc8000000       | mov                 word ptr [edi + 4], 0x52
            //   488b8100030000       | inc                 sp

    condition:
        // 7 of the 10 $sequence_* strings must be present, and the scanned
        // object must be smaller than 114688 bytes (0x1C000, 112 KiB). A larger
        // carrier file or memory dump therefore does not match even if the code
        // is present. NOTE(review): filesize is documented as undefined when
        // scanning a running process — confirm the expected behaviour in the
        // YARA version you deploy before using this rule for memory scans.
        7 of them and filesize < 114688
}