

/*
root9B YARA rules accompanying the SHELLTEA + POSLURP MALWARE blog entry
https://www.root9b.com/newsroom/shelltea-poslurp-malware
*/
rule PoSlurpFile : PoSlurp
{
    meta:
        copyright = "root9b, LLC"
        authors = "Matt Weeks, Dax Morrow"
        description = "ShellTea + PoSlurp PoS Malware on Disk PoSlurp executable"
        reference = "https://www.root9b.com/newsroom/shelltea-poslurp-malware"
        version = "1.0"
        last_modified = "2017-06-27"

    strings:
        // Code fragment from the outer-layer custom function resolver:
        // add edx, 0x22F35CFF ; push edx ; push esi ; call <rel32>
        // (the call's displacement is deliberately left out of the pattern).
        $hex1 = { 81 C2 FF 5C F3 22 52 56 E8 }

    condition:
        // Restrict to PE files before looking for the code fragment:
        // "MZ" DOS magic at offset 0, and the "PE\0\0" signature at the
        // offset stored in e_lfanew (0x3C). An out-of-range e_lfanew makes
        // the uint32() read undefined, which evaluates as false.
        uint16(0) == 0x5A4D
        and uint32(uint32(0x3C)) == 0x00004550
        and $hex1
}
rule inRegPowerSniff : PowerSniff
{
    meta:
        copyright = "root9b, LLC"
        authors = "Matt Weeks, Dax Morrow"
        description = "ShellTea + PoSlurp PoS Malware in Registry PowerSniff"
        reference = "https://www.root9b.com/newsroom/shelltea-poslurp-malware"
        version = "1.0"
        last_modified = "2017-06-27"

    strings:
        // x64 shellcode blob stored in the registry. The pattern anchors on
        // the blob's marker-constant check:
        //   sub ecx, r15d
        //   cmp dword ptr [rax], 0xABADBABE
        //   mov rdx, rax
        //   jne +9
        //   cmp dword ptr [rax+4], 0x8BADF00D
        $hex1 = { 41 2B CF 81 38 BE BA AD AB 48 8B D0 75 09 81 78 04 0D F0 AD 8B }

    condition:
        // A single occurrence anywhere in the scanned data is sufficient.
        any of them
}
rule inRegShellTea : ShellTea
{
    meta:
        copyright = "root9b, LLC"
        authors = "Matt Weeks, Dax Morrow"
        description = "ShellTea + PoSlurp PoS Malware in Registry ShellTea"
        reference = "https://www.root9b.com/newsroom/shelltea-poslurp-malware"
        version = "1.0"
        last_modified = "2017-06-27"

    strings:
        // Binary registry value holding ShellTea. The value starts with an
        // x64 stub (sub rsp, 0x28 ; call +0x3F7) whose call skips over the
        // embedded ShellTea config. The [1015] jump is a fixed-length skip:
        // 0x3F7 == 1015, so the jump length is pinned by the call's rel32
        // displacement even though the config bytes in between vary. The
        // tail is the prologue of the called function (mov [rsp+0x18], rbx ;
        // mov [rsp+8], rcx ; push rbp ; push rsi ; push rdi ; push r12 ; ...).
        // NOTE(review): a variant with a different config size would carry
        // a different displacement and would not match this rule.
        $hex1 = { 48 83 EC 28 E8 F7 03 00 00 [1015] 48 89 5C 24 18 48 89 4C 24 08 55 56 57 41 54 41 }

    condition:
        any of them
}
rule inMemPowerSniff : PowerSniff
{
    meta:
        copyright = "root9b, LLC"
        authors = "Matt Weeks, Dax Morrow"
        description = "ShellTea + PoSlurp in Memory PowerSniff"
        reference = "https://www.root9b.com/newsroom/shelltea-poslurp-malware"
        version = "1.0"
        last_modified = "2017-06-27"

    strings:
        // PowerSniff beacon URL format string (printf-style, UTF-16LE).
        $wide_string = "/%s?user=%08x%08x%08x%08x&id=%u&ver=%u&os=%lu&os2=%lu&host=%u&k=%lu&type=%u" wide
        // PowerSniff User-Agent format string (UTF-16LE) used with the beacon;
        // this is a User-Agent template, not a URL pattern.
        $wide_string2 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)" wide
        // NOTE(review): only the UTF-16 forms are matched; a build that keeps
        // these as narrow strings would need the ascii modifier — confirm.

    condition:
        // Both format strings must be present in the scanned memory.
        $wide_string and $wide_string2
}
rule inMemShellTea : ShellTea
{
    meta:
        copyright = "root9b, LLC"
        authors = "Matt Weeks, Dax Morrow"
        description = "ShellTea + PoSlurp PoS Malware in Memory ShellTea"
        reference = "https://www.root9b.com/newsroom/shelltea-poslurp-malware"
        version = "1.0"
        last_modified = "2017-06-27"

    strings:
        // Each pattern is "mov ecx, <imm32> ; call" — the immediate is an
        // API-name hash passed to ShellTea's hash-based import resolver.
        $hex1 = { B9 1D C7 12 45 E8 } // hash 0x4512C71D
        $hex2 = { B9 52 7E 10 E1 E8 } // hash 0xE1107E52
        $hex3 = { B9 CC 11 67 D6 E8 } // hash 0xD66711CC

    condition:
        // Requiring all three resolver call sites keeps the short 6-byte
        // patterns from matching on their own.
        $hex1 and $hex2 and $hex3
}
rule inMemPoSlurp : PoSlurp
{
    meta:
        copyright = "root9b, LLC"
        authors = "Matt Weeks, Dax Morrow"
        description = "ShellTea + PoSlurp PoS Malware in Memory PoSlurp"
        reference = "https://www.root9b.com/newsroom/shelltea-poslurp-malware"
        version = "1.0"
        last_modified = "2017-06-27"

    strings:
        // "kernel32" built one byte at a time on the stack to evade string
        // scanning: mov byte ptr [ebp-0x13], 'e' ; [ebp-0x12], 'r' ;
        // [ebp-0x11], 'n' ; [ebp-0x10], 'e'  (the "erne" fragment).
        $hex1 = { C6 45 ED 65 C6 45 EE 72 C6 45 EF 6E C6 45 F0 65 }
        // Opcodes from the top-level scan-memory basic block. Looks like a
        // timing loop: push 5000 ; call esi ; ... ; 64-bit subtraction of a
        // stored timestamp ([0x405080]/[0x405084]) ; divide by 10,000,000
        // then by 60 ; cmp eax, [0x40402C] ; jb back to the loop head.
        // NOTE(review): the embedded absolute addresses (0x405080, 0x405084,
        // 0x40402C) tie this pattern to one build's image layout; a rebuilt
        // or relocated variant may not match — confirm against samples.
        $hex2 = { E8 EE FD FF FF 68 88 13 00 00 FF D6 8D 44 24 18 50 FF D7 8D 44 24 10 50 8D 44 24 1C 50 FF D3 8B 44 24 10 2B 05 80 50 40 00 8B 4C 24 14 1B 0D 84 50 40 00 6A 00 68 80 96 98 00 51 50 E8 B7 05 00 00 6A 3C 33 D2 59 F7 F1 3B 05 2C 40 40 00 72 B0 }

    condition:
        $hex1 and $hex2
}