
/*
Yara Rule Set
Author: Florian Roth
Date: 2017-10-05
Identifier: FreeMilk
Reference: https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/
*/
import "pe"
/* Rule Set ----------------------------------------------------------------- */
rule FreeMilk_APT_Mal_1 {
   meta:
      description = "Detects malware from FreeMilk campaign"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
      date = "2017-10-05"
      hash1 = "34478d6692f8c28332751b31fd695b799d4ab36a8c12f7b728e2cb99ae2efcd9"
      hash2 = "35273d6c25665a19ac14d469e1436223202be655ee19b5b247cb1afef626c9f2"
      hash3 = "0f82ea2f92c7e906ee9ffbbd8212be6a8545b9bb0200eda09cce0ba9d7cb1313"
      id = "eff37dba-d4a9-5e3d-9452-49f04ddcbe0b"
   strings:
      // $x*: high-confidence artifacts, each sufficient on its own (see condition)
      $x1 = "\\milk\\Release\\milk.pdb" ascii              // PDB path left in the binary
      $x2 = "E:\\BIG_POOH\\Project\\" ascii                  // drive path, presumably from the build environment
      $x3 = "Windows-KB271854-x86.exe" fullword wide        // file name styled like a Windows update package
      // $s*: supporting artifacts, only meaningful in combination
      $s1 = "Windows-KB275122-x86.exe" fullword wide
      $s2 = "\\wsatra.tmp" wide
      $s3 = "%s\\Rar0tmpExtra%d.rtf" fullword wide           // format string for a dropped .rtf file name
      $s4 = "\"%s\" help" fullword wide
   condition:
      // MZ header plus a size cap: cheap pre-filters that also limit false positives
      uint16(0) == 0x5a4d
      and filesize < 300KB
      and (
         // pe.imphash() needs a YARA build with hash support; where it is
         // unavailable this clause is undefined and the string branches still apply
         pe.imphash() == "108aa007b3d1b4817ff4c04d9b254b39"
         or any of ($x*)
         or 4 of ($x*, $s*)
      )
}
rule FreeMilk_APT_Mal_2 {
   meta:
      description = "Detects malware from FreeMilk campaign"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
      date = "2017-10-05"
      hash1 = "7f35521cdbaa4e86143656ff9c52cef8d1e5e5f8245860c205364138f82c54df"
      id = "ef5f400c-16f8-5374-af16-c8530ddb87ee"
   strings:
      // All four strings are required together (see condition); none is distinctive alone
      $s1 = "failed to take the screenshot. err: %d" fullword ascii   // error message of a screenshot routine
      $s2 = "runsample" fullword wide
      $s3 = "%s%02X%02X%02X%02X%02X%02X:" fullword wide                // six hex-formatted bytes (possibly a MAC address)
      $s4 = "win-%d.%d.%d-%d" fullword wide                            // version-like format string
   condition:
      // MZ header plus a size cap: cheap pre-filters that also limit false positives
      uint16(0) == 0x5a4d
      and filesize < 400KB
      and (
         // pe.imphash() needs a YARA build with hash support; where it is
         // unavailable this clause is undefined and the string branch still applies
         pe.imphash() == "b86f7d2c1c182ec4c074ae1e16b7a3f5"
         or all of ($s*)
      )
}
rule FreeMilk_APT_Mal_3 {
   meta:
      description = "Detects malware from FreeMilk campaign"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
      date = "2017-10-05"
      hash1 = "ef40f7ddff404d1193e025081780e32f88883fa4dd496f4189084d772a435cb2"
      id = "152781f0-756b-50ab-b588-4af5fa4ce419"
   strings:
      // Individually generic strings (shell launch, executable extensions, HKCR
      // error text); the condition therefore demands all of them
      $s1 = "CMD.EXE /C \"%s\"" fullword wide
      $s2 = "\\command\\start.exe" wide
      $s3 = ".bat;.com;.cmd;.exe" fullword wide
      $s4 = "Unexpected failure opening HKCR key: %d" fullword ascii
   condition:
      // MZ header, size cap and every string present
      uint16(0) == 0x5a4d
      and filesize < 900KB
      and all of ($s*)
}
rule FreeMilk_APT_Mal_4 {
   meta:
      description = "Detects malware from FreeMilk campaign"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
      date = "2017-10-05"
      hash1 = "99c1b4887d96cb94f32b280c1039b3a7e39ad996859ffa6dd011cf3cca4f1ba5"
      id = "44f919f7-8eda-5e70-88d5-9e81a761192c"
   strings:
      // $x1: high-confidence artifact, sufficient on its own (see condition).
      // "TVqQAAMAAAAE" is the base64 prefix of an MZ header, i.e. an embedded PE.
      $x1 = "base64Encoded=\"TVqQAAMAAAAE" ascii
      // $s*: supporting artifacts, only meaningful in combination
      $s1 = "SOFTWARE\\Clients\\StartMenuInternet\\firefox.exe\\shell\\open\\command" fullword wide   // registry key of Firefox's open command
      $s2 = "'Wscript.echo \"Base64 encoded: \" + base64Encoded" fullword ascii                        // commented-out VBScript line (leading apostrophe)
      $s3 = "\\Google\\Chrome\\User Data\\Default\\Login Data" ascii                                   // path of Chrome's stored-credential database
      $s4 = "outFile=sysDir&\"\\rundll32.exe\"" fullword ascii                                         // VBScript building a path under the system directory
      $s5 = "set shell = WScript.CreateObject(\"WScript.Shell\")" fullword ascii
      $s6 = "command =outFile &\" sysupdate\"" fullword ascii
   condition:
      // MZ header plus a size cap: cheap pre-filters that also limit false positives
      uint16(0) == 0x5a4d
      and filesize < 3000KB
      and (
         // a single export named getUpdate, or the strong string, or three strings in combination
         ( pe.number_of_exports == 1 and pe.exports("getUpdate") )
         or any of ($x*)
         or 3 of ($x*, $s*)
      )
}