230 lines
10 KiB
Text
230 lines
10 KiB
Text
|
/*
|
||
|
Yara Rule Set
|
||
|
Author: US-CERT
|
||
|
Date: 2017-10-21
|
||
|
Identifier: TA17-293A
|
||
|
Reference: https://www.us-cert.gov/ncas/alerts/TA17-293A
|
||
|
|
||
|
Beware: Rules have been modified to reduce complexity and false positives as well as to
|
||
|
improve the overall performance
|
||
|
*/
|
||
|
|
||
|
import "pe"
|
||
|
|
||
|
rule TA17_293A_malware_1 {
|
||
|
meta:
|
||
|
description = "inveigh pen testing tools & related artifacts"
|
||
|
author = "US-CERT Code Analysis Team (modified by Florian Roth)"
|
||
|
reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A"
|
||
|
date = "2017/07/17"
|
||
|
hash0 = "61C909D2F625223DB2FB858BBDF42A76"
|
||
|
hash1 = "A07AA521E7CAFB360294E56969EDA5D6"
|
||
|
hash2 = "BA756DD64C1147515BA2298B6A760260"
|
||
|
hash3 = "8943E71A8C73B5E343AA9D2E19002373"
|
||
|
hash4 = "04738CA02F59A5CD394998A99FCD9613"
|
||
|
hash5 = "038A97B4E2F37F34B255F0643E49FC9D"
|
||
|
hash6 = "65A1A73253F04354886F375B59550B46"
|
||
|
hash7 = "AA905A3508D9309A93AD5C0EC26EBC9B"
|
||
|
hash8 = "5DBEF7BDDAF50624E840CCBCE2816594"
|
||
|
hash9 = "722154A36F32BA10E98020A8AD758A7A"
|
||
|
hash10 = "4595DBE00A538DF127E0079294C87DA0"
|
||
|
id = "297611c9-f4b1-5618-bd43-5a7444365727"
|
||
|
strings:
|
||
|
$n1 = "file://"
|
||
|
|
||
|
$ax1 = "184.154.150.66"
|
||
|
$ax2 = "5.153.58.45"
|
||
|
$ax3 = "62.8.193.206"
|
||
|
$ax4 = "/pshare1/icon"
|
||
|
$ax5 = "/ame_icon.png"
|
||
|
$ax6 = "/1/ree_stat/p"
|
||
|
|
||
|
/* Too many false positives with these strings
|
||
|
$au1 = "/icon.png"
|
||
|
$au2 = "/notepad.png"
|
||
|
$au3 = "/pic.png"
|
||
|
*/
|
||
|
|
||
|
$s1 = "(g.charCodeAt(c)^l[(l[b]+l[e])%256])"
|
||
|
$s2 = "for(b=0;256>b;b++)k[b]=b;for(b=0;256>b;b++)"
|
||
|
$s3 = "VXNESWJfSjY3grKEkEkRuZeSvkE="
|
||
|
$s4 = "NlZzSZk="
|
||
|
$s5 = "WlJTb1q5kaxqZaRnser3sw=="
|
||
|
|
||
|
$x1 = { 87D081F60C67F5086A003315D49A4000F7D6E8EB12000081F7F01BDD21F7DE }
|
||
|
$x2 = { 33C42BCB333DC0AD400043C1C61A33C3F7DE33F042C705B5AC400026AF2102 }
|
||
|
$x3 = "fromCharCode(d.charCodeAt(e)^k[(k[b]+k[h])%256])"
|
||
|
$x4 = "ps.exe -accepteula \\%ws% -u %user% -p %pass% -s cmd /c netstat"
|
||
|
$x5 = { 22546F6B656E733D312064656C696D733D5C5C222025254920494E20286C6973742E74787429 }
|
||
|
$x6 = { 68656C6C2E657865202D6E6F65786974202D657865637574696F6E706F6C69637920627970617373202D636F6D6D616E6420222E202E5C496E76656967682E70 }
|
||
|
$x7 = { 476F206275696C642049443A202266626433373937623163313465306531 }
|
||
|
$x8 = { 24696E76656967682E7374617475735F71756575652E4164642822507265737320616E79206B657920746F2073746F70207265616C2074696D65 }
|
||
|
//specific malicious word document PK archive
|
||
|
$x9 = { 2F73657474696E67732E786D6CB456616FDB3613FEFE02EF7F10F4798E64C54D06A14ED125F19A225E87C9FD0194485B }
|
||
|
$x10 = { 6C732F73657474696E67732E786D6C2E72656C7355540500010076A41275780B0001040000000004000000008D90B94E03311086EBF014D6F4D87B48214471D2 }
|
||
|
$x11 = { 8D90B94E03311086EBF014D6F4D87B48214471D210A41450A0E50146EBD943F8923D41C9DBE3A54A240ACA394A240ACA39 }
|
||
|
$x12 = { 8C90CD4EEB301085D7BD4F61CDFEDA092150A1BADD005217B040E10146F124B1F09FEC01B56F8FC3AA9558B0B4 }
|
||
|
$x13 = { 8C90CD4EEB301085D7BD4F61CDFEDA092150A1BADD005217B040E10146F124B1F09FEC01B56F8FC3AA9558B0B4 }
|
||
|
|
||
|
$x14 = "http://bit.ly/2m0x8IH"
|
||
|
|
||
|
condition:
|
||
|
( $n1 and 1 of ($ax*) ) or
|
||
|
2 of ($s*) or
|
||
|
1 of ($x*)
|
||
|
}
|
||
|
|
||
|
rule TA17_293A_energetic_bear_api_hashing_tool {
|
||
|
meta:
|
||
|
description = "Energetic Bear API Hashing Tool"
|
||
|
assoc_report = "DHS Report TA17-293A"
|
||
|
author = "CERT RE Team"
|
||
|
version = "2"
|
||
|
id = "4e58800a-9618-5d8b-954c-e843be6002c2"
|
||
|
strings:
|
||
|
$api_hash_func_v1 = { 8A 08 84 C9 74 ?? 80 C9 60 01 CB C1 E3 01 03 45 10 EB ED }
|
||
|
$api_hash_func_v2 = { 8A 08 84 C9 74 ?? 80 C9 60 01 CB C1 E3 01 03 44 24 14 EB EC }
|
||
|
$api_hash_func_x64 = { 8A 08 84 C9 74 ?? 80 C9 60 48 01 CB 48 C1 E3 01 48 03 45 20 EB EA }
|
||
|
|
||
|
$http_push = "X-mode: push" nocase
|
||
|
$http_pop = "X-mode: pop" nocase
|
||
|
condition:
|
||
|
$api_hash_func_v1 or $api_hash_func_v2 or $api_hash_func_x64 and (uint16(0) == 0x5a4d or $http_push or $http_pop)
|
||
|
}
|
||
|
|
||
|
rule TA17_293A_Query_XML_Code_MAL_DOC_PT_2 {
|
||
|
meta:
|
||
|
name= "Query_XML_Code_MAL_DOC_PT_2"
|
||
|
author = "other (modified by Florian Roth)"
|
||
|
reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A"
|
||
|
id = "82b0f28a-94b6-52ab-8fd6-cdc05823ac34"
|
||
|
strings:
|
||
|
$dir1 = "word/_rels/settings.xml.rels"
|
||
|
$bytes = {8c 90 cd 4e eb 30 10 85 d7}
|
||
|
condition:
|
||
|
uint32(0) == 0x04034b50 and $dir1 and $bytes
|
||
|
}
|
||
|
|
||
|
rule TA17_293A_Query_XML_Code_MAL_DOC {
|
||
|
meta:
|
||
|
name= "Query_XML_Code_MAL_DOC"
|
||
|
author = "other (modified by Florian Roth)"
|
||
|
reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A"
|
||
|
id = "82b0f28a-94b6-52ab-8fd6-cdc05823ac34"
|
||
|
strings:
|
||
|
$dir = "word/_rels/" ascii
|
||
|
$dir2 = "word/theme/theme1.xml" ascii
|
||
|
$style = "word/styles.xml" ascii
|
||
|
condition:
|
||
|
uint32(0) == 0x04034b50 and $dir at 0x0145 and $dir2 at 0x02b7 and $style at 0x08fd
|
||
|
}
|
||
|
|
||
|
rule TA17_293A_Query_Javascript_Decode_Function {
|
||
|
meta:
|
||
|
name= "Query_Javascript_Decode_Function"
|
||
|
author = "other (modified by Florian Roth)"
|
||
|
reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A"
|
||
|
id = "bc206ab3-a86b-5abe-ae84-15abab838d4e"
|
||
|
strings:
|
||
|
$decode1 = {72 65 70 6C 61 63 65 28 2F 5B 5E 41 2D 5A 61 2D 7A 30 2D 39 5C 2B 5C 2F 5C 3D 5D 2F 67 2C 22 22 29 3B}
|
||
|
$decode2 = {22 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 77 78 79 7A 30 31 32 33 34 35 36 37 38 39 2B 2F 3D 22 2E 69 6E 64 65 78 4F 66 28 ?? 2E 63 68 61 72 41 74 28 ?? 2B 2B 29 29}
|
||
|
$decode3 = {3D ?? 3C 3C 32 7C ?? 3E 3E 34 2C ?? 3D 28 ?? 26 31 35 29 3C 3C 34 7C ?? 3E 3E 32 2C ?? 3D 28 ?? 26 33 29 3C 3C 36 7C ?? 2C ?? 2B 3D [1-2] 53 74 72 69 6E 67 2E 66 72 6F 6D 43 68 61 72 43 6F 64 65 28 ?? 29 2C 36 34 21 3D ?? 26 26 28 ?? 2B 3D 53 74 72 69 6E 67 2E 66 72 6F 6D 43 68 61 72 43 6F 64 65 28 ?? 29}
|
||
|
$decode4 = {73 75 62 73 74 72 69 6E 67 28 34 2C ?? 2E 6C 65 6E 67 74 68 29}
|
||
|
/* Only 3 characters atom - this is bad for performance - we're trying to leave this out
|
||
|
$func_call="a(\""
|
||
|
*/
|
||
|
condition:
|
||
|
filesize < 20KB and
|
||
|
/* #func_call > 20 and */
|
||
|
all of ($decode*)
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
Yara Rule Set
|
||
|
Author: Florian Roth
|
||
|
Date: 2017-10-21
|
||
|
Identifier: TA17-293A Extensions
|
||
|
Reference: https://www.us-cert.gov/ncas/alerts/TA17-293A
|
||
|
*/
|
||
|
|
||
|
/* Rule Set ----------------------------------------------------------------- */
|
||
|
|
||
|
rule TA17_293A_Hacktool_PS_1 {
|
||
|
meta:
|
||
|
description = "Auto-generated rule"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A"
|
||
|
date = "2017-10-21"
|
||
|
hash1 = "72a28efb6e32e653b656ca32ccd44b3111145a695f6f6161965deebbdc437076"
|
||
|
id = "e4b92536-fa9a-5a65-8bd6-84c037dfbdce"
|
||
|
strings:
|
||
|
$x1 = "$HashFormat = '$krb5tgs$23$*ID#124_DISTINGUISHED NAME: CN=fakesvc,OU=Service,OU=Accounts,OU=EnterpriseObjects,DC=asdf,DC=pd,DC=f" ascii
|
||
|
$x2 = "} | Where-Object {$_.SamAccountName -notmatch 'krbtgt'} | Get-SPNTicket @GetSPNTicketArguments" fullword ascii
|
||
|
condition:
|
||
|
( filesize < 80KB and 1 of them )
|
||
|
}
|
||
|
|
||
|
rule TA17_293A_Hacktool_Touch_MAC_modification {
|
||
|
meta:
|
||
|
description = "Auto-generated rule"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A"
|
||
|
date = "2017-10-21"
|
||
|
hash1 = "070d7082a5abe1112615877214ec82241fd17e5bd465e24d794a470f699af88e"
|
||
|
id = "69240cc0-a04e-544a-b7e3-c5a08c062055"
|
||
|
strings:
|
||
|
$s1 = "-t time - use the time specified to update the access and modification times" fullword ascii
|
||
|
$s2 = "Failed to set file times for %s. Error: %x" fullword ascii
|
||
|
$s3 = "touch [-acm][ -r ref_file | -t time] file..." fullword ascii
|
||
|
$s4 = "-m - change the modification time only" fullword ascii
|
||
|
condition:
|
||
|
( uint16(0) == 0x5a4d and filesize < 100KB and 1 of them )
|
||
|
}
|
||
|
|
||
|
rule TA17_293A_Hacktool_Exploit_MS16_032 {
|
||
|
meta:
|
||
|
description = "Auto-generated rule"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A"
|
||
|
date = "2017-10-21"
|
||
|
hash1 = "9b97290300abb68fb48480718e6318ee2cdd4f099aa6438010fb2f44803e0b58"
|
||
|
id = "4c5838d7-9956-564e-a25c-f2ba5641ac03"
|
||
|
strings:
|
||
|
$x1 = "[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($Thread)))" ascii
|
||
|
$x2 = "0x00000002, \"C:\\Windows\\System32\\cmd.exe\", \"\"," fullword ascii
|
||
|
$x3 = "PowerShell implementation of MS16-032. The exploit targets all vulnerable" fullword ascii
|
||
|
$x4 = "If we can't open the process token it's a SYSTEM shell!" fullword ascii
|
||
|
condition:
|
||
|
( filesize < 40KB and 1 of them )
|
||
|
}
|
||
|
|
||
|
/* Extra Rules based on Imphash of involved malware - Generic approach */
|
||
|
|
||
|
rule Imphash_UPX_Packed_Malware_1_TA17_293A {
|
||
|
meta:
|
||
|
description = "Detects malware based on Imphash of malware used in TA17-293A"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A"
|
||
|
date = "2017-10-21"
|
||
|
hash1 = "a278256fbf2f061cfded7fdd58feded6765fade730374c508adad89282f67d77"
|
||
|
id = "3ff28f06-8b69-5e8f-ab45-dfa4f6e69812"
|
||
|
condition:
|
||
|
( uint16(0) == 0x5a4d and filesize < 5000KB and pe.imphash() == "d7d745ea39c8c5b82d5e153d3313096c" )
|
||
|
}
|
||
|
|
||
|
rule Imphash_Malware_2_TA17_293A : HIGHVOL {
|
||
|
meta:
|
||
|
description = "Detects malware based on Imphash of malware used in TA17-293A"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A"
|
||
|
date = "2017-10-21"
|
||
|
id = "5c9f32a3-8c50-5d46-929b-bbe14697540e"
|
||
|
condition:
|
||
|
( uint16(0) == 0x5a4d and filesize < 5000KB and pe.imphash() == "a8f69eb2cf9f30ea96961c86b4347282" )
|
||
|
}
|