Sneed-Reactivity/yara-mikesxrs/GoDaddy/granite_coroner.yara

65 lines
1.8 KiB
Text
Raw Permalink Normal View History

rule granite_coroner_dropper {
meta:
description = "Payload dropper for password theft or keylogging"
strings:
$mz = "MZ"
// 5222D4EE744464B154505E68579EB896 - Resource names
$granitea = "GRANITE" nocase
$granitew = "GRANITE" nocase wide
$jocastaeluviuma = "JOCASTAELUVIUM" nocase
$jocastaeluviumw = "JOCASTAELUVIUM" nocase wide
// FA620D788F4E9B22B603276EB020AA8C - Resource names
$coronera = "CORONER" nocase
$coronerw = "CORONER" nocase wide
$bolshiecharitya = "BOLSHIECHARITY" nocase
$bolshiecharityw = "BOLSHIECHARITY" nocase wide
// Both
$cypher_cryptor = "Cypher Cryptor" wide
condition:
$mz at 0 and
($granitea and $jocastaeluviuma) or
($granitew and $jocastaeluviumw) or
($coronera and $bolshiecharitya) or
($coronerw and $bolshiecharityw) or
$cypher_cryptor
}
rule granite_jocasteluvium {
strings:
$mz = "MZ"
// 8B805E07CCA42BE8FC98C8BCF8D0C7C2
$string1 = "JumpID(\"\",\"%s\")"
$string2 = " - Clipboard - "
$string3 = "Content-Type: application/x-www-form-urlencoded"
$string4 = "text="
$string5 = "[Num Lock]"
$string6 = "[PrtScr]"
$string7 = "msgss.exe"
$string8 = "User Interface Manager" wide
condition:
$mz at 0 and 7 of ($string*)
}
rule coroner_bolshiecharity {
meta:
description = "Password extraction utility"
strings:
$mz = "MZ"
// list of default passwords in 907B3FD96072ADCD08BB6ACA4BD07FC1 @ 0x4146b1
$passwords = "chelsea\x0055555\x00angel1\x00hardcore\x00dexter\x00saved\x00112233\x00hallo\x00"
condition:
$mz at 0 and $passwords
}