112 lines
4.2 KiB
Text
112 lines
4.2 KiB
Text
|
/*
|
||
|
Operation WoolenGoldfish Rules (Trendmicro Report)
|
||
|
v0.1 25.03.2015
|
||
|
|
||
|
These rules detect 26 of the samples mentioned in the report
|
||
|
Reference: http://blog.trendmicro.com/trendlabs-security-intelligence/operation-woolen-goldfish-when-kittens-go-phishing/
|
||
|
|
||
|
Tested against 20GB goodware sample archiv - pls report back false positives
|
||
|
on LOKI's github page https://github.com/Neo23x0/Loki/issues
|
||
|
|
||
|
*/
|
||
|
|
||
|
rule WoolenGoldfish_Sample_1 {
|
||
|
meta:
|
||
|
description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "http://goo.gl/NpJpVZ"
|
||
|
date = "2015/03/25"
|
||
|
score = 60
|
||
|
hash = "7ad0eb113bc575363a058f4bf21dbab8c8f7073a"
|
||
|
id = "923de51a-8422-5318-95f5-79613d2d642e"
|
||
|
strings:
|
||
|
$s1 = "Cannot execute (%d)" fullword ascii
|
||
|
$s16 = "SvcName" fullword ascii
|
||
|
condition:
|
||
|
all of them
|
||
|
}
|
||
|
|
||
|
rule WoolenGoldfish_Generic_1 {
|
||
|
meta:
|
||
|
description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "http://goo.gl/NpJpVZ"
|
||
|
date = "2015/03/25"
|
||
|
score = 90
|
||
|
super_rule = 1
|
||
|
hash0 = "5d334e0cb4ff58859e91f9e7f1c451ffdc7544c3"
|
||
|
hash1 = "d5b2b30fe2d4759c199e3659d561a50f88a7fb2e"
|
||
|
hash2 = "a42f1ad2360833baedd2d5f59354c4fc3820c475"
|
||
|
id = "351f5ee5-c0ec-51b6-9953-2b64e3e74b09"
|
||
|
strings:
|
||
|
$x0 = "Users\\Wool3n.H4t\\"
|
||
|
$x1 = "C-CPP\\CWoolger"
|
||
|
$x2 = "NTSuser.exe" fullword wide
|
||
|
|
||
|
$s1 = "107.6.181.116" fullword wide
|
||
|
$s2 = "oShellLink.Hotkey = \"CTRL+SHIFT+F\"" fullword
|
||
|
$s3 = "set WshShell = WScript.CreateObject(\"WScript.Shell\")" fullword
|
||
|
$s4 = "oShellLink.IconLocation = \"notepad.exe, 0\"" fullword
|
||
|
$s5 = "set oShellLink = WshShell.CreateShortcut(strSTUP & \"\\WinDefender.lnk\")" fullword
|
||
|
$s6 = "wlg.dat" fullword
|
||
|
$s7 = "woolger" fullword wide
|
||
|
$s8 = "[Enter]" fullword
|
||
|
$s9 = "[Control]" fullword
|
||
|
condition:
|
||
|
( 1 of ($x*) and 2 of ($s*) ) or
|
||
|
( 6 of ($s*) )
|
||
|
}
|
||
|
|
||
|
rule WoolenGoldfish_Generic_2 {
|
||
|
meta:
|
||
|
description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "http://goo.gl/NpJpVZ"
|
||
|
date = "2015/03/25"
|
||
|
score = 90
|
||
|
hash1 = "47b1c9caabe3ae681934a33cd6f3a1b311fd7f9f"
|
||
|
hash2 = "62172eee1a4591bde2658175dd5b8652d5aead2a"
|
||
|
hash3 = "7fef48e1303e40110798dfec929ad88f1ad4fbd8"
|
||
|
hash4 = "c1edf6e3a271cf06030cc46cbd90074488c05564"
|
||
|
id = "930b928f-ff32-56b2-9e3c-dd80036ff7ef"
|
||
|
strings:
|
||
|
$s0 = "modules\\exploits\\littletools\\agent_wrapper\\release" ascii
|
||
|
condition:
|
||
|
all of them
|
||
|
}
|
||
|
|
||
|
rule WoolenGoldfish_Generic_3 {
|
||
|
meta:
|
||
|
description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "http://goo.gl/NpJpVZ"
|
||
|
date = "2015/03/25"
|
||
|
score = 90
|
||
|
hash1 = "86222ef166474e53f1eb6d7e6701713834e6fee7"
|
||
|
hash2 = "e8dbcde49c7f760165ebb0cb3452e4f1c24981f5"
|
||
|
id = "5c227d24-624c-5fb5-a2ea-a971fda8bfba"
|
||
|
strings:
|
||
|
$x1 = "... get header FATAL ERROR !!! %d bytes read > header_size" fullword ascii
|
||
|
$x2 = "index.php?c=%S&r=%x&u=1&t=%S" fullword wide
|
||
|
$x3 = "connect_back_tcp_channel#do_connect:: Error resolving connect back hostname" fullword ascii
|
||
|
|
||
|
$s0 = "kernel32.dll GetProcAddressLoadLibraryAws2_32.dll" fullword ascii
|
||
|
$s1 = "Content-Type: multipart/form-data; boundary=%S" fullword wide
|
||
|
$s2 = "Attempting to unlock uninitialized lock!" fullword ascii
|
||
|
$s4 = "unable to load kernel32.dll" fullword ascii
|
||
|
$s5 = "index.php?c=%S&r=%x" fullword wide
|
||
|
$s6 = "%s len:%d " fullword ascii
|
||
|
$s7 = "Encountered error sending syscall response to client" fullword ascii
|
||
|
$s9 = "/info.dat" fullword ascii
|
||
|
$s10 = "Error entering thread lock" fullword ascii
|
||
|
$s11 = "Error exiting thread lock" fullword ascii
|
||
|
$s12 = "connect_back_tcp_channel_init:: socket() failed" fullword ascii
|
||
|
condition:
|
||
|
( 1 of ($x*) ) or
|
||
|
( 8 of ($s*) )
|
||
|
}
|