win.unidentified_100

Unidentified 100 (APT-Q-12)

Actor(s): APT-Q-12


There is no description at this point.

References
2021-11-29Qianxin Threat Intelligence CenterRed Raindrop Team
@online{team:20211129:aptq12:34c3ea9, author = {Red Raindrop Team}, title = {{APT-Q-12: An intelligence espionage campaign targeting the trade industry}}, date = {2021-11-29}, organization = {Qianxin Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/Hzq4_tWmunDpKfHTlZNM-A}, language = {Chinese}, urldate = {2022-12-06} } APT-Q-12: An intelligence espionage campaign targeting the trade industry
Unidentified 100 (APT-Q-12) APT-C-60
Yara Rules
[TLP:WHITE] win_unidentified_100_auto (20230715 | Detects win.unidentified_100.)
rule win_unidentified_100_auto {
    // Auto-generated (yara-signator) code-sequence signature for the Malpedia
    // family win.unidentified_100 (APT-Q-12). It matches on raw opcode byte
    // sequences selected from unpacked / in-memory samples; see the disclaimer
    // below for the single-sample caveat on how well these patterns generalize.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.unidentified_100."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_100"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a short run of x86-64 instruction bytes (note the
        // 0x48 / 0x41 / 0x4c / 0x4d REX prefixes). The "??" wildcards mask the
        // rel32 / disp32 operands that follow the e8 (call), e9 (jmp) and ff15
        // (call [rip+disp32]) opcodes, so the pattern survives relocation and
        // relinking of the target address.
        // NOTE(review): the per-byte mnemonic annotations below do not appear to
        // correspond to the hex they sit next to (e.g. "488bf8" is a REX.W
        // register-to-register move, not a 32-bit "mov dword ptr [esp + 0x34], eax").
        // Treat the hex bytes as authoritative; the annotations look like a
        // rendering artifact and should not be used to reason about the code.
        $sequence_0 = { 488bf8 33c0 b9e2010000 f3aa 488d842460190000 488d0d8ff40100 }
            // n = 6, score = 100
            //   488bf8               | mov                 dword ptr [esp + 0x34], eax
            //   33c0                 | mov                 dword ptr [esp + 0x3c], 0
            //   b9e2010000           | jmp                 0x1be
            //   f3aa                 | mov                 eax, dword ptr [esp + 0x3c]
            //   488d842460190000     | inc                 eax
            //   488d0d8ff40100       | mov                 dword ptr [esp + 0x34], eax

        $sequence_1 = { ba2c010000 488b8c24a0030000 e8???????? 488d842410010000 488bf8 33c0 }
            // n = 6, score = 100
            //   ba2c010000           | lea                 esp, [0x6940]
            //   488b8c24a0030000     | inc                 bp
            //   e8????????           |                     
            //   488d842410010000     | cmp                 dword ptr [esi], edi
            //   488bf8               | jae                 0x7ff
            //   33c0                 | inc                 ecx

        $sequence_2 = { 837c243803 7420 eb26 c744243001000000 eb1c }
            // n = 5, score = 100
            //   837c243803           | mov                 byte ptr [edx + ecx], al
            //   7420                 | mov                 eax, 1
            //   eb26                 | dec                 eax
            //   c744243001000000     | imul                eax, eax, 0
            //   eb1c                 | dec                 eax

        $sequence_3 = { b901000000 486bc903 488b9424c8000000 0fb61402 }
            // n = 4, score = 100
            //   b901000000           | sar                 eax, 6
            //   486bc903             | dec                 eax
            //   488b9424c8000000     | lea                 ecx, [0x16f70]
            //   0fb61402             | inc                 ecx

        $sequence_4 = { 4c8d4c2460 41b802000000 488d942410020000 488b4c2448 }
            // n = 4, score = 100
            //   4c8d4c2460           | mov                 ecx, 0x17e
            //   41b802000000         | rep stosb           byte ptr es:[edi], al
            //   488d942410020000     | dec                 eax
            //   488b4c2448           | mov                 edi, eax

        $sequence_5 = { 4533c0 8b9424c0200000 488d8c2400060000 ff15???????? }
            // n = 4, score = 100
            //   4533c0               | cmp                 eax, ecx
            //   8b9424c0200000       | jge                 0x291
            //   488d8c2400060000     | movzx               eax, byte ptr [esp + 0x20]
            //   ff15????????         |                     

        $sequence_6 = { c6040101 eb6f 0fb6442430 83f801 7e65 b801000000 486bc000 }
            // n = 7, score = 100
            //   c6040101             | mov                 esi, esi
            //   eb6f                 | dec                 eax
            //   0fb6442430           | sar                 esi, 6
            //   83f801               | dec                 eax
            //   7e65                 | lea                 edi, [eax + eax*8]
            //   b801000000           | je                  0x250
            //   486bc000             | dec                 esp

        $sequence_7 = { 33db 488d3d3d8a0100 488b0c3b 4885c9 740a e8???????? 4883243b00 }
            // n = 7, score = 100
            //   33db                 | mov                 eax, dword ptr [esp + 0x398]
            //   488d3d3d8a0100       | dec                 eax
            //   488b0c3b             | mov                 eax, dword ptr [esp + 0x398]
            //   4885c9               | dec                 eax
            //   740a                 | cmp                 dword ptr [eax], 0
            //   e8????????           |                     
            //   4883243b00           | je                  0x480

        $sequence_8 = { e9???????? 418bd2 4d85c0 7e2d 482bf7 488d1d4febfeff 8a043e }
            // n = 7, score = 100
            //   e9????????           |                     
            //   418bd2               | movzx               eax, byte ptr [esp + 0x20]
            //   4d85c0               | cmp                 eax, 4
            //   7e2d                 | jge                 0x313
            //   482bf7               | movzx               eax, byte ptr [esp + 0x20]
            //   488d1d4febfeff       | movzx               eax, byte ptr [esp + 0x20]
            //   8a043e               | inc                 al

        $sequence_9 = { 488b8c2478050000 ff15???????? 33c0 488b8c2440050000 4833cc e8???????? }
            // n = 6, score = 100
            //   488b8c2478050000     | mov                 ecx, dword ptr [esp + 0x20]
            //   ff15????????         |                     
            //   33c0                 | movzx               eax, byte ptr [ecx + eax]
            //   488b8c2440050000     | cmp                 eax, 4
            //   4833cc               | jge                 0x13fd
            //   e8????????           |                     

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned object
        // must be smaller than 372736 bytes (364 KiB). The size bound limits false
        // positives on large files but also means padded, bundled or memory-dump
        // inputs at or above that size will never match, even if every sequence
        // is present.
        7 of them and filesize < 372736
}