Sneed-Reactivity/yara-mikesxrs/Mandiant/MTI_Hunting_INDUSTROYERv2_Strings.yar


/*
  MTI_Hunting_INDUSTROYERv2_Strings

  Hunting rule for PE executables that carry string artefacts attributed to
  the INDUSTROYER.V2 family. Two independent string groups must both hit:
    $a*  log/format strings observed in the family
    $b*  diagnostic strings using IEC-104 terminology (APDU / master-slave)
  Requiring one hit from each group keeps the generic-looking format strings
  in $a* (e.g. $a4, "%s: %d: %d") from producing a match on their own.
  Every string is nocase + ascii + wide, so narrow and UTF-16LE copies match
  regardless of letter case; this broadens coverage at some cost in scan
  time and false-positive surface.
*/
rule MTI_Hunting_INDUSTROYERv2_Strings
{
    meta:
        author      = "Mandiant"
        date        = "04-09-2022"
        description = "Searching for executables containing strings associated with the INDUSTROYER.V2 malware family."
        reference   = "https://www.mandiant.com/resources/industroyer-v2-old-malware-new-tricks"

    strings:
        // --- group A: format / status strings --------------------------
        $a1  = "M%X - %02d:%02d:%02d"                     nocase ascii wide
        $a2  = "%02hu:%02hu:%02hu:%04hu"                  nocase ascii wide
        $a3  = "%s M%X "                                  nocase ascii wide
        $a4  = "%s: %d: %d"                               nocase ascii wide
        $a5  = "%s M%X %d (%s)"                           nocase ascii wide
        $a6  = "%s M%X SGCNT %d"                          nocase ascii wide
        $a7  = "%s ST%X %d"                               nocase ascii wide
        $a8  = "Current operation : %s"                   nocase ascii wide
        $a9  = "Sent=x%X | Received=x%X"                  nocase ascii wide
        $a10 = "ASDU:%u | OA:%u | IOA:%u | "              nocase ascii wide
        $a11 = "Cause: %s (x%X) | Telegram type: %s (x%X" nocase ascii wide

        // --- group B: protocol diagnostic strings ----------------------
        $b1  = "Length:%u bytes | "                       nocase ascii wide
        $b2  = "Unknown APDU format !!!"                  nocase ascii wide
        $b3  = "MSTR ->> SLV"                             nocase ascii wide
        $b4  = "MSTR <<- SLV"                             nocase ascii wide

    condition:
        // Cheap header gates first: size bound, "MZ" at offset 0, and
        // "PE\0\0" at the offset stored in the DOS header's e_lfanew (0x3C).
        filesize < 3MB
        and uint16(0) == 0x5A4D
        and uint32(uint32(0x3C)) == 0x4550
        // At least one string from each group ("any of" is YARA's "1 of").
        and any of ($a*)
        and any of ($b*)
}