Sneed-Reactivity/yara-Neo23x0/apt_magichound.yar

51 lines
2.2 KiB
Text
Raw Permalink Normal View History

/*
Yara Rule Set
Author: Florian Roth
Date: 2017-02-17
Identifier: Magic Hound
*/
/* Rule Set ----------------------------------------------------------------- */
rule APT_PupyRAT_PY {
meta:
description = "Detects Pupy RAT"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations"
date = "2017-02-17"
hash1 = "8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71"
id = "cdd689e3-437e-514d-a058-fad80ce0639e"
strings:
$x1 = "reflective_inject_dll" fullword ascii
$x2 = "ImportError: pupy builtin module not found !" fullword ascii
$x3 = "please start pupy from either it's exe stub or it's reflective DLLR;" fullword ascii
$x4 = "[INJECT] inject_dll." fullword ascii
$x5 = "import base64,zlib;exec zlib.decompress(base64.b64decode('eJzzcQz1c/ZwDbJVT87Py0tNLlHnAgA56wXS'))" fullword ascii
$op1 = { 8b 42 0c 8b 78 14 89 5c 24 18 89 7c 24 14 3b fd } /* Opcode */
condition:
( uint16(0) == 0x5a4d and filesize < 20000KB and 1 of them ) or ( 2 of them )
}
/* Super Rules ------------------------------------------------------------- */
rule APT_MagicHound_MalMacro {
meta:
description = "Detects malicious macro / powershell in Office document"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations"
date = "2017-02-17"
super_rule = 1
hash1 = "66d24a529308d8ab7b27ddd43a6c2db84107b831257efb664044ec4437f9487b"
hash2 = "e5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6"
id = "ad573f52-dbda-5852-ad73-9ef47dd6e7df"
strings:
$s1 = "powershell.exe " fullword ascii
$s2 = "CommandButton1_Click" fullword ascii
$s3 = "URLDownloadToFile" fullword ascii
condition:
( uint16(0) == 0xcfd0 and filesize < 8000KB and all of them )
}