Sneed-Reactivity/yara-Neo23x0/apt_rancor.yar

76 lines
3.6 KiB
Text
Raw Permalink Normal View History

/*
Yara Rule Set
Author: Florian Roth
Date: 2018-06-26
Identifier: RANCOR
Reference: https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/
*/
/* Rule Set ----------------------------------------------------------------- */
import "pe"
rule APT_RANCOR_JS_Malware {
meta:
description = "Rancor Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
date = "2018-06-26"
hash1 = "1dc5966572e94afc2fbcf8e93e3382eef4e4d7b5bc02f24069c403a28fa6a458"
id = "83dd9567-199e-511c-8c9a-96422bd793e7"
strings:
$x1 = ",0,0 >%SystemRoot%\\system32\\spool\\drivers\\color\\fb.vbs\",0,0" fullword ascii
$x2 = "CreateObject(\"Wscript.Shell\").Run \"explorer.exe \"\"http" ascii
$x3 = "CreateObject(\"Wscript.Shell\").Run \"schtasks /create" ascii
condition:
uint16(0) == 0x533c and filesize < 1KB and 1 of them
}
rule APT_RANCOR_PLAINTEE_Variant {
meta:
description = "Detects PLAINTEE malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
date = "2018-06-26"
hash1 = "6aad1408a72e7adc88c2e60631a6eee3d77f18a70e4eee868623588612efdd31"
hash2 = "bcd37f1d625772c162350e5383903fe8dbed341ebf0dc38035be5078624c039e"
id = "f5b68079-0517-504d-a45f-f6ced532db82"
strings:
$s1 = "payload.dat" fullword ascii
$s3 = "temp_microsoft_test.txt" fullword ascii
$s4 = "reg add %s /v %s /t REG_SZ /d \"%s\"" fullword ascii
$s6 = "%s %s,helloworld2" fullword ascii
$s9 = "%s \\\"%s\\\",helloworld" fullword ascii
$s16 = "recv plugin type %s size:%d" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB and 3 of them
}
rule APT_RANCOR_PLAINTEE_Malware_Exports {
meta:
description = "Detects PLAINTEE malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
date = "2018-06-26"
hash1 = "c35609822e6239934606a99cb3dbc925f4768f0b0654d6a2adc35eca473c505d"
id = "fa1e678d-8357-522b-9167-31321ab7753f"
condition:
uint16(0) == 0x5a4d and pe.exports("Add") and pe.exports("Sub") and pe.exports("DllEntryPoint") and pe.number_of_exports == 3
}
rule APT_RANCOR_DDKONG_Malware_Exports {
meta:
description = "Detects DDKONG malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
date = "2018-06-26"
hash1 = "c35609822e6239934606a99cb3dbc925f4768f0b0654d6a2adc35eca473c505d"
id = "c94d4ea2-7c16-5003-98ea-253f8a2d01d1"
condition:
uint16(0) == 0x5a4d and pe.exports("ServiceMain") and pe.exports("Rundll32Call") and pe.exports("DllEntryPoint") and pe.number_of_exports == 3
}