SYMBOLCOMMON_NAMEaka. SYNONYMS
win.unidentified_100 (Back to overview)

Unidentified 100 (APT-Q-12)

Actor(s): APT-Q-12


There is no description at this point.

References
2021-11-29Qianxin Threat Intelligence CenterRed Raindrop Team
@online{team:20211129:aptq12:34c3ea9, author = {Red Raindrop Team}, title = {{APT-Q-12: An intelligence espionage campaign targeting the trade industry}}, date = {2021-11-29}, organization = {Qianxin Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/Hzq4_tWmunDpKfHTlZNM-A}, language = {Chinese}, urldate = {2022-12-06} } APT-Q-12: An intelligence espionage campaign targeting the trade industry
Unidentified 100 (APT-Q-12) APT-Q-12
Yara Rules
[TLP:WHITE] win_unidentified_100_auto (20230125 | Detects win.unidentified_100.)
rule win_unidentified_100_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.unidentified_100."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_100"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0fb64c2421 3bc1 0f8d11020000 0fb6442420 8d0485fcffffff 4898 b901000000 }
            // n = 7, score = 100
            //   0fb64c2421           | mov                 byte ptr [edx + ecx], al
            //   3bc1                 | jmp                 0x379
            //   0f8d11020000         | mov                 eax, 1
            //   0fb6442420           | dec                 eax
            //   8d0485fcffffff       | mov                 edx, dword ptr [esp + 0x20]
            //   4898                 | mov                 byte ptr [edx + ecx], al
            //   b901000000           | movzx               eax, byte ptr [esp]

        $sequence_1 = { 4881ec78030000 488b05???????? 4833c4 4889842460030000 488d442440 488d0dcded0100 488bf8 }
            // n = 7, score = 100
            //   4881ec78030000       | mov                 byte ptr [esp + 0x20], 0
            //   488b05????????       |                     
            //   4833c4               | jmp                 0x1dee
            //   4889842460030000     | movzx               eax, byte ptr [esp + 0x20]
            //   488d442440           | dec                 eax
            //   488d0dcded0100       | lea                 edx, [esp + 0x30]
            //   488bf8               | dec                 eax

        $sequence_2 = { 0fb6542403 881401 0fb6442402 fec0 }
            // n = 4, score = 100
            //   0fb6542403           | mov                 byte ptr [esp + 1], al
            //   881401               | movzx               eax, byte ptr [esp + 1]
            //   0fb6442402           | movzx               eax, byte ptr [esp + 1]
            //   fec0                 | dec                 al

        $sequence_3 = { 48c744242800000000 c744242000000000 4533c9 4533c0 488b9424a0030000 488b4c2440 ff15???????? }
            // n = 7, score = 100
            //   48c744242800000000     | movzx    eax, word ptr [esp + 0x20]
            //   c744242000000000     | sub                 eax, 0x30
            //   4533c9               | mov                 ecx, dword ptr [esp]
            //   4533c0               | imul                ecx, eax
            //   488b9424a0030000     | mov                 eax, ecx
            //   488b4c2440           | jg                  0x106d
            //   ff15????????         |                     

        $sequence_4 = { 4c8d05eed70100 ba14000000 488d8c2430030000 e8???????? 488d842448030000 4889442428 }
            // n = 6, score = 100
            //   4c8d05eed70100       | cmp                 eax, dword ptr [esp + 0x30]
            //   ba14000000           | jae                 0xdf4
            //   488d8c2430030000     | inc                 eax
            //   e8????????           |                     
            //   488d842448030000     | mov                 dword ptr [esp + 0x30], eax
            //   4889442428           | cmp                 dword ptr [esp + 0x30], 3

        $sequence_5 = { e9???????? 498b8cf480850200 2bc3 8064f93dfd f7d8 1ac0 2402 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   498b8cf480850200     | lea                 eax, [eax*4 - 3]
            //   2bc3                 | dec                 eax
            //   8064f93dfd           | cwde                
            //   f7d8                 | mov                 ecx, 1
            //   1ac0                 | dec                 eax
            //   2402                 | imul                ecx, ecx, 1

        $sequence_6 = { 488d1563290100 483950f0 740b 488b10 4885d2 }
            // n = 5, score = 100
            //   488d1563290100       | mov                 word ptr [esp + 0x64], ax
            //   483950f0             | movzx               eax, word ptr [esp + eax*2 + 0x530]
            //   740b                 | mov                 ecx, dword ptr [esp + 0x64]
            //   488b10               | mov                 edx, dword ptr [esp + 0x94]
            //   4885d2               | add                 ecx, edx

        $sequence_7 = { 488bd9 488d154f940000 b916000000 4c8d053b940000 e8???????? 488bcb 4885c0 }
            // n = 7, score = 100
            //   488bd9               | lea                 eax, [esp + 0xac0]
            //   488d154f940000       | dec                 eax
            //   b916000000           | lea                 edx, [esp + 0x380]
            //   4c8d053b940000       | dec                 eax
            //   e8????????           |                     
            //   488bcb               | mov                 ecx, dword ptr [esp + 0x48]
            //   4885c0               | dec                 eax

        $sequence_8 = { 488bc1 48c1f806 488d1566130100 83e13f }
            // n = 4, score = 100
            //   488bc1               | dec                 eax
            //   48c1f806             | arpl                cx, bx
            //   488d1566130100       | dec                 eax
            //   83e13f               | lea                 ecx, [0x10e87]

        $sequence_9 = { c705????????090400c0 c705????????01000000 c705????????01000000 b808000000 486bc000 488d0d61110200 8b542430 }
            // n = 7, score = 100
            //   c705????????090400c0     |     
            //   c705????????01000000     |     
            //   c705????????01000000     |     
            //   b808000000           | mov                 dword ptr [esp + 0x5c], eax
            //   486bc000             | cmp                 dword ptr [esp + 0x5c], 0x32
            //   488d0d61110200       | jge                 0xe6d
            //   8b542430             | dec                 eax

    condition:
        7 of them and filesize < 372736
}
Download all Yara Rules