win.unidentified_100

Unidentified 100 (APT-Q-12)

Actor(s): APT-Q-12


There is no description at this point.

References
2022-11-25 — ThreatBook — ThreatBook
Analysis of APT-C-60 Attack on South Korea
Unidentified 100 (APT-Q-12)
2021-11-29 — Qianxin Threat Intelligence Center — Red Raindrop Team
APT-Q-12: An intelligence espionage campaign targeting the trade industry
Unidentified 100 (APT-Q-12), APT-C-60
Yara Rules
[TLP:WHITE] win_unidentified_100_auto (20230808 | Detects win.unidentified_100.)
rule win_unidentified_100_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.unidentified_100."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_100"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the per-instruction annotations under each $sequence_N
     * string do not decode the adjacent 64-bit byte sequences. For example,
     * 488d9424f0030000 is `lea rdx, [rsp+0x3f0]` and 4533c0 is
     * `xor r8d, r8d`; the recurring "dec eax" annotations look like a 32-bit
     * reading of the 0x48 REX.W prefix, and the annotation rows appear
     * shifted against the byte rows. Treat the hex bytes as the signature and
     * the annotations as unverified. The `??` bytes mask operands that vary
     * between builds (per signator_config: call/jump targets and data
     * references), so those instructions contribute only their opcode bytes
     * to the match.
     */


    strings:
        $sequence_0 = { 488d9424f0030000 488b4c2448 e8???????? e9???????? 4c8d8c2490070000 4533c0 488d942470130000 }
            // n = 7, score = 100
            //   488d9424f0030000     | lea                 edx, [0x9759]
            //   488b4c2448           | dec                 eax
            //   e8????????           |                     
            //   e9????????           |                     
            //   4c8d8c2490070000     | test                eax, eax
            //   4533c0               | je                  0x1b6f
            //   488d942470130000     | mov                 ecx, 0x22

        $sequence_1 = { 4889442420 4c8d8c24e0020000 448b442458 8b54245c 8b4c2454 }
            // n = 5, score = 100
            //   4889442420           | add                 ecx, ecx
            //   4c8d8c24e0020000     | dec                 eax
            //   448b442458           | arpl                cx, cx
            //   8b54245c             | mov                 byte ptr [esp + ecx + 0x78], al
            //   8b4c2454             | mov                 eax, dword ptr [esp + 0x34]

        $sequence_2 = { 0f8dac000000 c644242000 eb0b 0fb6442420 fec0 88442420 0fb6442420 }
            // n = 7, score = 100
            //   0f8dac000000         | lea                 ebx, [0x1d5e7]
            //   c644242000           | dec                 eax
            //   eb0b                 | lea                 edi, [0x1d5e0]
            //   0fb6442420           | jmp                 0x1c5a
            //   fec0                 | dec                 eax
            //   88442420             | mov                 eax, dword ptr [ebx]
            //   0fb6442420           | dec                 eax

        $sequence_3 = { 448bc3 488d1580860000 e8???????? 85c0 7429 }
            // n = 5, score = 100
            //   448bc3               | dec                 eax
            //   488d1580860000       | lea                 ecx, [0xf1b7]
            //   e8????????           |                     
            //   85c0                 | dec                 eax
            //   7429                 | lea                 ebx, [0x19517]

        $sequence_4 = { 488bf8 33c0 b9fe010000 f3aa 4c8b8c24b8060000 4c8b8424b0060000 488d156dfd0100 }
            // n = 7, score = 100
            //   488bf8               | dec                 eax
            //   33c0                 | mov                 dword ptr [esp + 0x80], edx
            //   b9fe010000           | mov                 dword ptr [esp + 0x38], eax
            //   f3aa                 | dec                 eax
            //   4c8b8c24b8060000     | mov                 edi, eax
            //   4c8b8424b0060000     | movzx               ecx, byte ptr [edx + eax*4 + 0x1e522]
            //   488d156dfd0100       | movzx               esi, byte ptr [edx + eax*4 + 0x1e523]

        $sequence_5 = { eb1d 488d05a7690100 ffcb 488d0c9b 488d0cc8 ff15???????? ff0d???????? }
            // n = 7, score = 100
            //   eb1d                 | lea                 ecx, [0x1fbdd]
            //   488d05a7690100       | dec                 eax
            //   ffcb                 | xor                 eax, esp
            //   488d0c9b             | dec                 eax
            //   488d0cc8             | mov                 dword ptr [esp + 0x420], eax
            //   ff15????????         |                     
            //   ff0d????????         |                     

        $sequence_6 = { 488d05a7690100 ffcb 488d0c9b 488d0cc8 ff15???????? }
            // n = 5, score = 100
            //   488d05a7690100       | dec                 eax
            //   ffcb                 | arpl                word ptr [esp], ax
            //   488d0c9b             | dec                 eax
            //   488d0cc8             | mov                 ecx, dword ptr [esp + 0x30]
            //   ff15????????         |                     

        $sequence_7 = { ffc0 8944243c 486344243c 483b442458 7320 486344243c }
            // n = 6, score = 100
            //   ffc0                 | dec                 eax
            //   8944243c             | mov                 dword ptr [ebp - 9], ebx
            //   486344243c           | dec                 esp
            //   483b442458           | mov                 esp, ebx
            //   7320                 | dec                 esp
            //   486344243c           | mov                 dword ptr [ebp - 0x49], ebp

        $sequence_8 = { 33c0 b97a010000 f3aa 488d8424b0190000 488d0deee80100 }
            // n = 5, score = 100
            //   33c0                 | mov                 ecx, 0xa6
            //   b97a010000           | rep stosb           byte ptr es:[edi], al
            //   f3aa                 | dec                 eax
            //   488d8424b0190000     | lea                 eax, [esp + 0x6e0]
            //   488d0deee80100       | dec                 eax

        $sequence_9 = { 488b842490030000 4889842490000000 48c7442458ffffffff 48ff442458 488b842490000000 488b4c2458 66833c4800 }
            // n = 7, score = 100
            //   488b842490030000     | cmp                 eax, 1
            //   4889842490000000     | je                  0x1d22
            //   48c7442458ffffffff     | dec    eax
            //   48ff442458           | lea                 ecx, [esp + 0x140]
            //   488b842490000000     | mov                 dword ptr [esp + 0x50], eax
            //   488b4c2458           | cmp                 dword ptr [esp + 0x50], -1
            //   66833c4800           | cmp                 eax, 1

    condition:
        // A match needs at least 7 of the 10 $sequence_* strings and a scanned
        // object smaller than 372736 bytes (364 KiB). Inputs at or above that
        // size are excluded even if every sequence is present, which is worth
        // keeping in mind for the memory dumps the disclaimer names as a data
        // source.
        7 of them and filesize < 372736
}