Sneed-Reactivity/yara-Neo23x0/apt_hiddencobra_bankshot.yar

93 lines
4.4 KiB
Text
Raw Permalink Normal View History

/*
Yara Rule Set
Author: Florian Roth
Date: 2017-12-26
Identifier: Hidden Cobra - BANKSHOT
Reference: https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity
*/
/* Rule Set ----------------------------------------------------------------- */
rule HiddenCobra_BANKSHOT_Gen {
meta:
description = "Detects Hidden Cobra BANKSHOT trojan"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity"
date = "2017-12-26"
modified = "2022-06-10"
hash1 = "89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486"
hash2 = "8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247"
hash3 = "b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24"
hash4 = "daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75"
hash5 = "ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699"
hash6 = "d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff"
hash7 = "ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9"
hash8 = "3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6"
hash9 = "6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca"
id = "fbf9dd32-cb9a-51f2-bd03-0387fbf44baa"
strings:
$s1 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" fullword wide
$s2 = "rHTTP/1.1 200 Connection established" fullword wide
$s3 = "Proxy-Connection: keep-alive" fullword wide
$s4 = "\\msncf.dat" wide
$s5 = "msvcru32.bat" fullword ascii
$s6 = "reg delete \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"%s\" /f" fullword ascii
$s7 = "MXINFO.DLL" fullword ascii
$s8 = "usrvc32.bat" fullword ascii
$s9 = "ping -n 1 127.0.0.1" fullword ascii
$s10 = "%sd.e%sc \"%s > %s 2>&1\"" ascii fullword
$s11 = "DWS*.tmp" ascii fullword
$s12 = "CS*.tmp" fullword wide
$s13 = "WM*.tmp" fullword wide
$x1 = "CgpaipIddwspwe32Hnaehsdi" fullword ascii
$x2 = "RpiPmtiCdopIsgpao" fullword ascii
$x3 = "RpiLtnodlhOtgpcidgyA" fullword ascii
$x4 = "LatiQdgHtnrwpDbupci" fullword ascii
/* $x5 = "vchost.exe" fullword ascii */
$x6 = "\\system32\\msncf.dat" ascii
$x7 = "GprthipgHpgktcpCigwSanowpgA" fullword ascii
$a1 = "live.dropbox.com" fullword ascii
$a2 = "tatadocomo.yahoo.com" fullword ascii
$a3 = "widgets.twimg.com" fullword ascii
$a4 = "history.paypal.com" fullword ascii
$a5 = "www.bitcoin.org" fullword ascii
$a6 = "web.whatsapp.com" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 500KB and (
1 of ($x*) or
2 of ($s*) or
4 of ($a*)
)
}
/* US CERT Rule */
rule Unauthorized_Proxy_Server_RAT {
meta:
author = "US-CERT Code Analysis Team"
reference = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity"
hash1 = "C74E289AD927E81D2A1A56BC73E394AB"
hash2 = "2950E3741D7AF69E0CA0C5013ABC4209"
desscription = "Detects Proxy Server RAT"
id = "378573e3-17a7-5862-aae5-a8e84102e237"
strings:
$s0 = {8A043132C288043125FF00000003C299F73D40404900A14440490003D0413BCF72DE5E5FC3}
$s1 = {8A04318844241432C28804318B44241425FF00000003C299F73D40404900A14440490003D0413BCF72D65E5FC3}
$s2 = {8A04318844241432C28804318B44241425FF00000003C299F73D5C394100A16039410003D0413BCF72D65E5FC3}
$s3 = {8A043132C288043125FF00000003C299F73D5C394100A16039410003D0413BCF72DE5E5FC3}
$s4 = {B91A7900008A140780F29A8810404975F4}
$s5 = {399FE192769F839DCE9F2A9D2C9EAD9CEB9FD19CA59F7E9F539CEF9F029F969C6C9E5C9D949FC99F}
$s6 = {8A04318844241432C28804318B44241425FF00000003C299F73D40600910A14460091003D0413BCF72D65E5FC3}
$s7 = {3C5C75208A41014184C074183C72740C3C7474083C6274043C2275088A41014184C075DC}
$s8 = {8B063D9534120077353D59341200722E668B4604663DE8037F24}
$s9 = {8BC88B74241CC1E1052BC88B7C2418C1E1048B5C241403C88D04888B4C242083F9018944240C7523}
$s10 = {8B063D9034120077353D59341200722E668B4604663DE8037F246685C0}
$s11 = {30110FB60148FFC102C20FBEC09941F7F94103D249FFC875E7}
$s12 = {448BE8B84FECC44E41F7EDC1FA038BCAC1E91F03D16BD21A442BEA4183C541}
$s13 = {8A0A80F9627C2380F9797F1E80F9647C0A80F96D7F0580C10BEB0D80F96F7C0A80F9787F05}
condition:
any of them
}