win.unidentified_076 (Back to overview)

Unidentified 076 (Higaisa LNK to Shellcode)

Actor(s): Higaisa


There is no description at this point.

References
2020-11-13 — Youtube (The Standoff) — Alexey Zakharov, Positive Technologies
@online{zakharov:20201113:ff202eng:1d1222c, author = {Alexey Zakharov and Positive Technologies}, title = {{FF_202_Eng - From old Higaisa samples to new Winnti backdoors: The story of one research}}, date = {2020-11-13}, organization = {Youtube (The Standoff)}, url = {https://www.youtube.com/watch?v=8x-pGlWpIYI}, language = {English}, urldate = {2020-11-23} } FF_202_Eng - From old Higaisa samples to new Winnti backdoors: The story of one research
CROSSWALK Unidentified 076 (Higaisa LNK to Shellcode)
2020-06-14 — BushidoToken — BushidoToken
@online{bushidotoken:20200614:deepdive:3a375ca, author = {BushidoToken}, title = {{Deep-dive: The DarkHotel APT}}, date = {2020-06-14}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html}, language = {English}, urldate = {2020-06-16} } Deep-dive: The DarkHotel APT
Asruex Ghost RAT Ramsay Retro Unidentified 076 (Higaisa LNK to Shellcode)
2020-06-11 — Zscaler — Sudeep Singh, Atinderpal Singh
@online{singh:20200611:return:3a58e44, author = {Sudeep Singh and Atinderpal Singh}, title = {{The Return of the Higaisa APT}}, date = {2020-06-11}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/return-higaisa-apt}, language = {English}, urldate = {2020-06-12} } The Return of the Higaisa APT
Unidentified 076 (Higaisa LNK to Shellcode)
Yara Rules
[TLP:WHITE] win_unidentified_076_auto (20201023 | autogenerated rule brought to you by yara-signator)
/*
 * Auto-generated Malpedia signature for win.unidentified_076 (Higaisa
 * "LNK to Shellcode"). It fires when 7 of the 10 code-byte sequences below
 * are present in a file smaller than 112 KiB. The sequences were selected by
 * yara-signator from unpacked files and memory dumps (see DISCLAIMER), so the
 * rule should not be expected to match a still-packed sample on disk.
 */
rule win_unidentified_076_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // presumably the generator's feature classes used to pick sequences
        // (calls/jumps, data references, immediate values) — confirm against
        // the yara-signator documentation
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_076"
        malpedia_rule_date = "20201222"
        // NOTE(review): looks like a Malpedia corpus revision identifier, not
        // the hash of a sample — confirm before using it as an IoC
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is a run of consecutive instruction encodings lifted
     * from the sample. The "??" bytes wildcard the 4-byte relative
     * displacement of e8 (call rel32), e9 (jmp rel32) and ff15
     * (call [rip+disp32]), which changes with layout and load address.
     * "n" is the number of instructions in the sequence; "score" is
     * presumably the generator's selectivity ranking — confirm.
     *
     * NOTE(review): the 0x48/0x4c/0x41/0x45 REX prefixes that lead most of
     * these encodings (e.g. 488bcf, 488364243000, 4c8b4c2440) show the sample
     * is x86-64, but the mnemonic column was produced by a 32-bit decode
     * (0x48 is rendered as "dec eax") and its rows do not line up with the hex
     * on the same line — e.g. 458d4d01 is annotated "xor edx, edx", which is
     * the encoding of 33d2 two rows further down. Treat the mnemonics as
     * informational only; the hex bytes are the signature.
     */
    strings:
        $sequence_0 = { 458d4d01 488bcf 448d4218 4889742420 e8???????? eb05 be01000000 }
            // n = 7, score = 100
            //   458d4d01             | xor                 edx, edx
            //   488bcf               | dec                 eax
            //   448d4218             | test                eax, eax
            //   4889742420           | je                  0x1cf0
            //   e8????????           |                     
            //   eb05                 | dec                 esp
            //   be01000000           | mov                 eax, dword ptr [esi + 0x250]

        $sequence_1 = { 4c21742428 4421742420 488945b7 488b86c8000000 4c8d4daf 33d2 33c9 }
            // n = 7, score = 100
            //   4c21742428           | je                  0x3b3
            //   4421742420           | dec                 eax
            //   488945b7             | lea                 edx, [ecx + 0x214]
            //   488b86c8000000       | inc                 esp
            //   4c8d4daf             | mov                 eax, edi
            //   33d2                 | mov                 dword ptr [esi + 0xaec], eax
            //   33c9                 | mov                 eax, dword ptr [ebx + ecx + 0x20c]

        $sequence_2 = { ff9020070000 488364243000 488b85c8000000 8364242800 488d4c2460 41b900040000 48894c2420 }
            // n = 7, score = 100
            //   ff9020070000         | mov                 eax, 0x270
            //   488364243000         | dec                 eax
            //   488b85c8000000       | mov                 ecx, esi
            //   8364242800           | dec                 eax
            //   488d4c2460           | mov                 edi, dword ptr [esi + 0xc8]
            //   41b900040000         | mov                 edx, dword ptr [eax + 0x3f8]
            //   48894c2420           | inc                 ecx

        $sequence_3 = { 458d4538 488d55cf 418d4d40 ff9060030000 458d6501 3d040000c0 7568 }
            // n = 7, score = 100
            //   458d4538             | mov                 ecx, eax
            //   488d55cf             | call                dword ptr [edx + 0x30]
            //   418d4d40             | mov                 ebx, 1
            //   ff9060030000         | dec                 eax
            //   458d6501             | test                eax, eax
            //   3d040000c0           | je                  0x1c26
            //   7568                 | inc                 esp

        $sequence_4 = { 83bbdc02000002 751f 488b8bb00a0000 4885c9 7413 4c8b83c8000000 ba02000000 }
            // n = 7, score = 100
            //   83bbdc02000002       | inc                 ecx
            //   751f                 | mov                 eax, 2
            //   488b8bb00a0000       | dec                 ecx
            //   4885c9               | add                 ecx, edi
            //   7413                 | inc                 ecx
            //   4c8b83c8000000       | call                dword ptr [ecx + 0x740]
            //   ba02000000           | dec                 ebp

        // Two rip-relative indirect calls (ff15????????) interleaved with
        // rip-relative lea's; the wildcards absorb the import-table offsets.
        $sequence_5 = { 488d8d38080000 ff15???????? 488d153a710000 488d8d740c0000 ff15???????? 488d1536710000 488d8d20080000 }
            // n = 7, score = 100
            //   488d8d38080000       | dec                 eax
            //   ff15????????         |                     
            //   488d153a710000       | mov                 ebp, edx
            //   488d8d740c0000       | dec                 eax
            //   ff15????????         |                     
            //   488d1536710000       | mov                 esi, ecx
            //   488d8d20080000       | inc                 esp

        $sequence_6 = { 41ffd4 85c0 7f08 458bcd e9???????? 488b87c8000000 41bf03000000 }
            // n = 7, score = 100
            //   41ffd4               | mov                 eax, dword ptr [edi + 0xc8]
            //   85c0                 | dec                 ecx
            //   7f08                 | mov                 ecx, esp
            //   458bcd               | call                dword ptr [eax + 0x80]
            //   e9????????           |                     
            //   488b87c8000000       | inc                 ebp
            //   41bf03000000         | xor                 esp, esp

        $sequence_7 = { 33c0 4889442420 eba0 488b4c2460 488b87c8000000 4c8b4c2440 48895c2428 }
            // n = 7, score = 100
            //   33c0                 | inc                 ecx
            //   4889442420           | mov                 eax, 0x10
            //   eba0                 | call                dword ptr [eax + 0x430]
            //   488b4c2460           | test                eax, eax
            //   488b87c8000000       | je                  0x11ce
            //   4c8b4c2440           | dec                 eax
            //   48895c2428           | mov                 eax, dword ptr [esi + 0xc8]

        // Shorter sequences (n = 5 and n = 6) are weaker individually; the
        // "7 of them" threshold below compensates.
        $sequence_8 = { 488b87c8000000 ff9050010000 41b838080000 488bcf 448bc8 }
            // n = 5, score = 100
            //   488b87c8000000       | mov                 ecx, dword ptr [esp + 0xb0]
            //   ff9050010000         | mov                 edx, eax
            //   41b838080000         | call                dword ptr [edx + 0x180]
            //   488bcf               | inc                 ebx
            //   448bc8               | dec                 eax

        $sequence_9 = { 488b88c8000000 4885c9 7417 458bc5 33d2 ff9700010000 }
            // n = 6, score = 100
            //   488b88c8000000       | lea                 ecx, [ebp + 0xac]
            //   4885c9               | inc                 esp
            //   7417                 | lea                 eax, [edx + 0x10]
            //   458bc5               | jb                  0x818
            //   33d2                 | dec                 eax
            //   ff9700010000         | mov                 eax, dword ptr [ebx + 0xc8]

    condition:
        // Any 7 of the 10 sequences suffice; 114688 bytes = 112 KiB bounds the
        // size of the unpacked image the rule was tuned on. Per the YARA docs,
        // `filesize` is only defined for file scans, not process scans, so
        // this condition is not expected to be satisfiable when scanning live
        // process memory even though the sequences came from memory dumps —
        // drop or relax the size term for in-memory use.
        7 of them and filesize < 114688
}