Sneed-Reactivity/yara-Neo23x0/crime_socgholish.yar

rule MAL_ZIP_SocGholish_Mar21_1 : zip js socgholish {
    meta:
        description = "Triggers on small zip files with typical SocGholish JS files in it"
        author = "Nils Kuhnert"
        date = "2021-03-29"
        hash = "4f6566c145be5046b6be6a43c64d0acae38cada5eb49b2f73135b3ac3d6ba770"
        hash = "54f756fbf8c20c76af7c9f538ff861690800c622d1c9db26eb3afedc50835b09"
        hash = "dfdbec1846b74238ba3cfb8c7580c64a0fa8b14b6ed2b0e0e951cc6a9202dd8d"
        id = "da35eefd-b34d-59cd-8afc-da9c78ace96e"
    strings:
        $a1 = /\.[a-z0-9]{6}\.js/ ascii
        $a2 = "Chrome" ascii
        $a3 = "Opera" ascii

        $b1 = "Firefox.js" ascii
        $b2 = "Edge.js" ascii
    condition:
        uint16(0) == 0x4b50 and filesize < 1600 and (
            2 of ($a*) or
            any of ($b*)
        )
}

/* modified rule: too many matches with 'try' */
rule EXT_MAL_JS_SocGholish_Mar21_1 : js socgholish {
    meta:
        description = "Triggers on SocGholish JS files"
        author = "Nils Kuhnert"
        date = "2021-03-29"
        modified = "2023-01-02"
        hash = "7ccbdcde5a9b30f8b2b866a5ca173063dec7bc92034e7cf10e3eebff017f3c23"
        hash = "f6d738baea6802cbbb3ae63b39bf65fbd641a1f0d2f0c819a8c56f677b97bed1"
        hash = "c7372ffaf831ad963c0a9348beeaadb5e814ceeb878a0cc7709473343d63a51c"
        id = "3ed7d2da-569b-5851-a821-4a3cda3e13ce"
    strings:
        /* $try = "try" ascii */

        $s1 = "new ActiveXObject('Scripting.FileSystemObject');" ascii
        $s2 = "['DeleteFile']" ascii
        $s3 = "['WScript']['ScriptFullName']" ascii
        $s4 = "['WScript']['Sleep'](1000)" ascii
        $s5 = "new ActiveXObject('MSXML2.XMLHTTP')" ascii
        $s6 = "this['eval']" ascii
        $s7 = "String['fromCharCode']"
        $s8 = "2), 16)," ascii
        $s9 = "= 103," ascii
        $s10 = "'00000000'" ascii
    condition:
        //$try in (0 .. 10) and 
        filesize > 3KB and filesize < 5KB and 8 of ($s*)
}

rule SocGholish_JS_22_02_2022 {
    meta:
        description = "Detects SocGholish fake update Javascript files 22.02.2022"
        author = "Wojciech Cieślak"
        date = "2022-02-22"
        hash = "3e14d04da9cc38f371961f6115f37c30"
        hash = "dffa20158dcc110366f939bd137515c3"
        hash = "afee3af324951b1840c789540d5c8bff"
        hash = "c04a1625efec27fb6bbef9c66ca8372b"
        hash = "d08a2350df5abbd8fd530cff8339373e"
    
        id = "68d2dbb7-0079-527a-92c7-450c3dd953b3"
    strings:
        $s1 = "encodeURIComponent(''+" ascii
        $s2 = "['open']('POST'," ascii 
        $s3 = "new ActiveXObject('MSXML2.XMLHTTP');" ascii
    
    condition:
        filesize < 5KB and all of them
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00			`rule MAL_ZIP_SocGholish_Mar21_1 : zip js socgholish {`
			`meta:`
			`description = "Triggers on small zip files with typical SocGholish JS files in it"`
			`author = "Nils Kuhnert"`
			`date = "2021-03-29"`
			`hash = "4f6566c145be5046b6be6a43c64d0acae38cada5eb49b2f73135b3ac3d6ba770"`
			`hash = "54f756fbf8c20c76af7c9f538ff861690800c622d1c9db26eb3afedc50835b09"`
			`hash = "dfdbec1846b74238ba3cfb8c7580c64a0fa8b14b6ed2b0e0e951cc6a9202dd8d"`
			`id = "da35eefd-b34d-59cd-8afc-da9c78ace96e"`
			`strings:`
			`$a1 = /\.[a-z0-9]{6}\.js/ ascii`
			`$a2 = "Chrome" ascii`
			`$a3 = "Opera" ascii`

			`$b1 = "Firefox.js" ascii`
			`$b2 = "Edge.js" ascii`
			`condition:`
			`uint16(0) == 0x4b50 and filesize < 1600 and (`
			`2 of ($a*) or`
			`any of ($b*)`
			`)`
			`}`

			`/* modified rule: too many matches with 'try' */`
			`rule EXT_MAL_JS_SocGholish_Mar21_1 : js socgholish {`
			`meta:`
			`description = "Triggers on SocGholish JS files"`
			`author = "Nils Kuhnert"`
			`date = "2021-03-29"`
			`modified = "2023-01-02"`
			`hash = "7ccbdcde5a9b30f8b2b866a5ca173063dec7bc92034e7cf10e3eebff017f3c23"`
			`hash = "f6d738baea6802cbbb3ae63b39bf65fbd641a1f0d2f0c819a8c56f677b97bed1"`
			`hash = "c7372ffaf831ad963c0a9348beeaadb5e814ceeb878a0cc7709473343d63a51c"`
			`id = "3ed7d2da-569b-5851-a821-4a3cda3e13ce"`
			`strings:`
			`/* $try = "try" ascii */`

			`$s1 = "new ActiveXObject('Scripting.FileSystemObject');" ascii`
			`$s2 = "['DeleteFile']" ascii`
			`$s3 = "['WScript']['ScriptFullName']" ascii`
			`$s4 = "['WScript']['Sleep'](1000)" ascii`
			`$s5 = "new ActiveXObject('MSXML2.XMLHTTP')" ascii`
			`$s6 = "this['eval']" ascii`
			`$s7 = "String['fromCharCode']"`
			`$s8 = "2), 16)," ascii`
			`$s9 = "= 103," ascii`
			`$s10 = "'00000000'" ascii`
			`condition:`
			`//$try in (0 .. 10) and`
			`filesize > 3KB and filesize < 5KB and 8 of ($s*)`
			`}`

			`rule SocGholish_JS_22_02_2022 {`
			`meta:`
			`description = "Detects SocGholish fake update Javascript files 22.02.2022"`
			`author = "Wojciech Cieślak"`
			`date = "2022-02-22"`
			`hash = "3e14d04da9cc38f371961f6115f37c30"`
			`hash = "dffa20158dcc110366f939bd137515c3"`
			`hash = "afee3af324951b1840c789540d5c8bff"`
			`hash = "c04a1625efec27fb6bbef9c66ca8372b"`
			`hash = "d08a2350df5abbd8fd530cff8339373e"`

			`id = "68d2dbb7-0079-527a-92c7-450c3dd953b3"`
			`strings:`
			`$s1 = "encodeURIComponent(''+" ascii`
			`$s2 = "['open']('POST'," ascii`
			`$s3 = "new ActiveXObject('MSXML2.XMLHTTP');" ascii`

			`condition:`
			`filesize < 5KB and all of them`
			`}`