Sneed-Reactivity/yara-Neo23x0/apt_scanbox_deeppanda.yar

35 lines
1.2 KiB
Text
Raw Permalink Normal View History

rule ScanBox_Malware_Generic {
meta:
description = "Scanbox Chinese Deep Panda APT Malware http://goo.gl/MUUfjv and http://goo.gl/WXUQcP"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference1 = "http://goo.gl/MUUfjv"
reference2 = "http://goo.gl/WXUQcP"
date = "2015/02/28"
hash1 = "8d168092d5601ebbaed24ec3caeef7454c48cf21366cd76560755eb33aff89e9"
hash2 = "d4be6c9117db9de21138ae26d1d0c3cfb38fd7a19fa07c828731fa2ac756ef8d"
hash3 = "3fe208273288fc4d8db1bf20078d550e321d9bc5b9ab80c93d79d2cb05cbf8c2"
id = "f7867e65-567f-530f-83d4-b5126021e523"
strings:
/* Sample 1 */
$s0 = "http://142.91.76.134/p.dat" fullword ascii
$s1 = "HttpDump 1.1" fullword ascii
/* Sample 2 */
$s3 = "SecureInput .exe" fullword wide
$s4 = "http://extcitrix.we11point.com/vpn/index.php?ref=1" fullword ascii
/* Sample 3 */
$s5 = "%SystemRoot%\\System32\\svchost.exe -k msupdate" fullword ascii
$s6 = "ServiceMaix" fullword ascii
/* Certificate and Keywords */
$x1 = "Management Support Team1" fullword ascii
$x2 = "DTOPTOOLZ Co.,Ltd.0" fullword ascii
$x3 = "SEOUL1" fullword ascii
condition:
( 1 of ($s*) and 2 of ($x*) ) or
( 3 of ($x*) )
}