Sneed-Group/Sneed-Reactivity
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Sneed-Reactivity/yara-Neo23x0/apt_waterbear.yar

262 lines
10 KiB
Text
Raw Permalink Normal View History

OMG ISTG PLS WORK RED PILL :red_circle: :pill:
2024-07-25 12:43:35 -05:00
/*
Yara Rule Set
Author: Florian Roth
Date: 2017-06-23
Identifier: Waterbear
Reference: https://goo.gl/L9g9eR
*/
/* Rule Set ----------------------------------------------------------------- */
rule Waterbear_1_Jun17 {
meta:
description = "Detects malware from Operation Waterbear"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/L9g9eR"
date = "2017-06-23"
hash1 = "dd3676f478ee6f814077a12302d38426760b0701bb629f413f7bf2ec71319db5"
id = "2202506a-6009-5321-a8b2-df3bff51d06f"
strings:
$s1 = "\\Release\\svc.pdb" ascii
$s2 = "svc.dll" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 100KB and all of them )
}
rule Waterbear_2_Jun17 {
meta:
description = "Detects malware from Operation Waterbear"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/L9g9eR"
date = "2017-06-23"
hash1 = "dcb5c350af76c590002a8ea00b01d862b4d89cccbec3908bfe92fdf25eaa6ea4"
id = "d3178f01-90a8-5a82-9c95-40bf8e9b567f"
strings:
$s1 = "downloading movie" fullword ascii
$s2 = "name=\"test.exe\"/>" fullword ascii
$s3 = "<description>Test Application</description>" fullword ascii
$s4 = "UI look 2003" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 1000KB and all of them )
}
rule Waterbear_4_Jun17 {
meta:
description = "Detects malware from Operation Waterbear"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/L9g9eR"
date = "2017-06-23"
hash1 = "2e9cb7cadb3478edc9ef714ca4ddebb45e99d35386480e12792950f8a7a766e1"
id = "c7941f92-12ee-5d57-b58e-c8caf74ca6ba"
strings:
$x1 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" fullword ascii
$s1 = "Wininet.dll InternetOpenA InternetConnectA HttpOpenRequestA HttpSendRequestA HttpQueryInfoA InternetReadFile InternetCloseHandle" fullword ascii
$s2 = "read from pipe:%s" fullword ascii
$s3 = "delete pipe" fullword ascii
$s4 = "cmdcommand:%s" fullword ascii
$s5 = "%s /c del %s" fullword ascii
$s6 = "10.0.0.250" fullword ascii
$s7 = "Vista/2008" fullword ascii
$s8 = "%02X%02X%02X%02X%02X%02X%04X" fullword ascii
$s9 = "UNKOWN" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 300KB and 3 of them )
}
rule Waterbear_5_Jun17 {
meta:
description = "Detects malware from Operation Waterbear"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/L9g9eR"
date = "2017-06-23"
modified = "2023-01-07"
hash1 = "d3678cd9744b3aedeba23a03a178be5b82d5f8059a86f816007789a9dd06dc7d"
id = "f92fe6d5-0afa-50a1-bdcf-c6dd78aa6809"
strings:
$a1 = "ICESWORD" fullword ascii
$a2 = "klog.dat" fullword ascii
$s1 = "\\cswbse.dll" ascii
$s2 = "WIRESHARK" fullword ascii
$s3 = "default_zz|" fullword ascii
$s4 = "%c4%u-%.2u-%.2u %.2u:%.2u" fullword ascii
$s5 = "1111%c%s" fullword ascii
condition:
( uint16(0) == 0x3d53 and filesize < 100KB and ( all of ($a*) or 3 of them ) )
}
rule Waterbear_6_Jun17 {
meta:
description = "Detects malware from Operation Waterbear"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/L9g9eR"
date = "2017-06-23"
hash1 = "409cd490feb40d08eb33808b78d52c00e1722eee163b60635df6c6fe2c43c230"
id = "86d203be-2d3a-54f2-b851-9080d5be36f5"
strings:
$s1 = "svcdll.dll" fullword ascii
$s2 = "log.log" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 60KB and all of them )
}
rule Waterbear_7_Jun17 {
meta:
description = "Detects malware from Operation Waterbear"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/L9g9eR"
date = "2017-06-23"
hash1 = "6891aa78524e442f4dda66dff51db9798e1f92e6fefcdf21eb870b05b0293134"
id = "4613df5b-495e-5738-9b7f-ac8ff586cd17"
strings:
$s1 = "Bluthmon.exe" fullword wide
$s2 = "Motomon.exe" fullword wide
$s3 = "%d.%s%d%d%d" fullword ascii
$s4 = "mywishes.hlp" fullword ascii
$s5 = "filemon.rtf" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 80KB and all of them )
}
rule Waterbear_8_Jun17 {
meta:
description = "Detects malware from Operation Waterbear"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/L9g9eR"
date = "2017-06-23"
modified = "2023-01-07"
hash1 = "bd06f6117a0abf1442826179f6f5e1932047b4a6c14add9149e8288ab4a902c3"
hash1 = "5dba8ddf05cb204ef320a72a0c031e55285202570d7883f2ff65135ec35b3dd0"
id = "5ebeda22-ad67-5715-b42f-9b4bb5dcde94"
strings:
$s1 = "Update.dll" fullword ascii
$s2 = "ADVPACK32.DLL" fullword wide
$s3 = "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Services\\" ascii
$s4 = "\\drivers\\sftst.sys" ascii
$s5 = "\\\\.\\SFilter" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 40KB and all of them )
}
rule Waterbear_9_Jun17 {
meta:
description = "Detects malware from Operation Waterbear"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/L9g9eR"
date = "2017-06-23"
hash1 = "fc74d2434d48b316c9368d3f90fea19d76a20c09847421d1469268a32f59664c"
id = "727cdb55-ede5-5520-9aa9-5a265b5aeba1"
strings:
$s1 = "ADVPACK32.DLL" fullword wide
$s2 = "ADVPACK32" fullword wide
$a1 = "U2_Dll.dll" fullword ascii
$b1 = "ProUpdate" fullword ascii
$b2 = "Update.dll" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 30KB and all of ($s*) and ( $a1 or all of ($b*) )
}
rule Waterbear_10_Jun17 {
meta:
description = "Detects malware from Operation Waterbear"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/L9g9eR"
date = "2017-06-23"
hash1 = "3b1e67e0e86d912d7bc6dee5b0f801260350e8ce831c93c3e9cfe5a39e766f41"
id = "1219c3e6-1001-5075-b7fc-e0d8a7de6a65"
strings:
$s1 = "ADVPACK32.DLL" fullword wide
$s5 = "ADVPACK32" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 30KB and all of them )
}
rule Waterbear_11_Jun17 {
meta:
description = "Detects malware from Operation Waterbear"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/L9g9eR"
date = "2017-06-23"
hash1 = "b046b2e2569636c2fc3683a0da8cfad25ff47bc304145be0f282a969c7397ae8"
id = "d7eb7561-c84e-5149-920c-35ad225ca8a9"
strings:
$s1 = "/Pages/%u.asp" fullword wide
$s2 = "NVIDIA Corporation." fullword wide
$s3 = "tqxbLc|fP_{eOY{eOX{eO" fullword ascii
$s4 = "Copyright (C) 2005" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 1000KB and all of them )
}
rule Waterbear_12_Jun17 {
meta:
description = "Detects malware from Operation Waterbear"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/L9g9eR"
date = "2017-06-23"
hash1 = "15d9db2c90f56cd02be38e7088db8ec00fc603508ec888b4b85d60d970966585"
id = "cc0a071c-c409-57a2-80c5-dd93ca7db339"
strings:
$s1 = "O_PROXY" fullword ascii
$s2 = "XMODIFY" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )
}
rule Waterbear_13_Jun17 {
meta:
description = "Detects malware from Operation Waterbear"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/L9g9eR"
date = "2017-06-23"
super_rule = 1
hash1 = "734e5972ab5ac1e9bc5470c666a55e0d2bd57c4e2ea2da11dc9bf56fb2ea6f23"
hash2 = "8bde3f71575aa0d5f5a095d9d0ea10eceadba38be888e10d3ca3776f7b361fe7"
hash3 = "c4b3b0a7378bfc3824d4178fd7fb29475c42ab874d69abdfb4898d0bcd4f8ce1"
id = "425aaed4-879e-5caf-808b-14de98f628e8"
strings:
$s1 = "%WINDIR%\\PCHealth\\HelpCtr\\Binaries\\pchsvc.dll" fullword ascii
$s2 = "brnew.exe" fullword ascii
$s3 = "ChangeServiceConfig failed (%d)" fullword ascii
$s4 = "Proxy %d:%s %d" fullword ascii
$s5 = "win9807.tmp" fullword ascii
$s7 = "Service stopped successfully" fullword ascii
$s8 = "current dns:%s" fullword ascii
$s9 = "%c%u|%u|%u|%u|%u|" fullword ascii
$s10 = "[-]send %d: " fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 300KB and 4 of them )
}
rule Waterbear_14_Jun17 {
meta:
description = "Detects malware from Operation Waterbear"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/L9g9eR"
date = "2017-06-23"
hash1 = "00a1068645dbe982a9aa95e7b8202a588989cd37de2fa1b344abbc0102c27d05"
hash2 = "53330a80b3c4f74f3f10a8621dbef4cd2427723e8b98c5b7aed58229d0c292ba"
hash3 = "bdcb23a82ac4eb1bc9254d77d92b6f294d45501aaea678a3d21c8b188e31e68b"
id = "515d9400-3e2e-5ee5-a7dd-b313125c6482"
strings:
$s1 = "my.com/msg/util/sgthash" fullword ascii
$s2 = "C:\\recycled" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 8000KB and all of them )
}
Reference in a new issue Copy permalink