Sneed-Reactivity/yara-Neo23x0/apt_suckfly.yar

88 lines
3.6 KiB
Text
Raw Permalink Normal View History

/*
Yara Rule Set
Author: Florian Roth
Date: 2018-01-28
Identifier: Suckfly
Reference: https://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates
*/
import "pe"
/* Rule Set ----------------------------------------------------------------- */
rule Suckfly_Nidiran_Gen_1 {
meta:
description = "Detects Suckfly Nidiran Trojan"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates"
date = "2018-01-28"
hash1 = "ac7d7c676f58ebfa5def9b84553f00f283c61e4a310459178ea9e7164004e734"
id = "1abc596a-5fb1-55f9-b72d-022bfc6d10c7"
strings:
$s1 = "WriteProcessMemory fail at %d " fullword ascii
$s2 = "CreateRemoteThread fail at %d " fullword ascii
$s3 = "CreateRemoteThread Succ" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 200KB and 2 of them
}
rule Suckfly_Nidiran_Gen_2 {
meta:
description = "Detects Suckfly Nidiran Trojan"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates"
date = "2018-01-28"
hash1 = "b53a316a03b46758cb128e5045dab2717cb36e7b5eb1863ce2524d4f69bc2cab"
hash2 = "eaee2bf83cf90d35dab8a4711f7a5f2ebf9741007668f3746995f4564046fbdf"
id = "b090079d-1c22-5931-a25b-e960343a610f"
strings:
$x1 = "WorkDll.dll" fullword ascii
$x2 = "%userprofile%\\Security Center\\secriter.dll" fullword ascii
$s1 = "DLL_PROCESS_ATTACH is called" fullword ascii
$s2 = "Support Security Accounts Manager For Microsoft Windows.If this service is stopped, any services that depended on it will fail t" ascii
$s3 = "before CreateRemoteThread" fullword ascii
$s4 = "CreateRemoteThread Succ" fullword ascii
$s5 = "Microsoft Security Accounts Manager" fullword ascii
$s6 = "DoRunRemote" fullword ascii
$s7 = "AutoRunFun" fullword ascii
$s8 = "ServiceMain is called" fullword ascii
$s9 = "DllRegisterServer is called" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 200KB and (
1 of ($x*) or
4 of them
)
}
rule Suckfly_Nidiran_Gen_3 {
meta:
description = "Detects Suckfly Nidiran Trojan"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates"
date = "2018-01-28"
hash1 = "c2022e1114b162e79e44d974fd310d53e1bbdd8cb4f217553c1227cafed78855"
hash2 = "47731c9d985ebc2bd7227fced3cc44c6d72e29b52f76fccbdaddd76cc3450706"
id = "d9daf7e4-2cfa-50c9-84d2-c971734abe5e"
strings:
$x1 = "RUN SHELLCODE FAIL" fullword ascii
$x2 = "RUN PROCESS FAILD!" fullword ascii
$x3 = "DOWNLOAD FILE FAILD" fullword ascii
$x4 = "MODIFYCONFIG FAIL!" fullword ascii
$x5 = "GetFileAttributes FILE FAILD" fullword ascii
$x6 = "MODIFYCONFIG SUCC!" fullword ascii
$s1 = "cmd.exe /c %s" fullword ascii
$s2 = "error to create pipe!" fullword ascii
$s3 = "%s\\%08x.exe" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 300KB and (
pe.imphash() == "ae0f4ebf7e8ce91d6548318a3cf82b7a" or
1 of ($x*) or
2 of them
)
}