Sneed-Reactivity/yara-Neo23x0/crime_ransom_darkside.yar

78 lines
4.6 KiB
Text
Raw Normal View History

rule MAL_RANSOM_Darkside_May21_1 {
meta:
description = "Detects Darkside Ransomware"
author = "Florian Roth (Nextron Systems)"
reference = "https://app.any.run/tasks/020c1740-717a-4191-8917-5819aa25f385/"
date = "2021-05-10"
hash1 = "ec368752c2cf3b23efbfa5705f9e582fc9d6766435a7b8eea8ef045082c6fbce"
id = "e5592065-591e-597b-bebb-f20bc306fe52"
strings:
$op1 = { 85 c9 75 ed ff 75 10 ff b5 d8 fe ff ff ff b5 dc fe ff ff e8 7d fc ff ff ff 8d cc fe ff ff 8b 8d cc fe ff ff }
$op2 = { 66 0f 6f 06 66 0f 7f 07 83 c6 10 83 c7 10 49 85 c9 75 ed 5f }
$op3 = { 6a 00 ff 15 72 0d 41 00 ab 46 81 fe 80 00 00 00 75 2e 6a ff 6a 01 }
$op4 = { 0f b7 0c 5d 88 0f 41 00 03 4c 24 04 89 4c 24 04 83 e1 3f 0f b7 14 4d 88 0f 41 00 03 54 24 08 89 54 24 08 83 e2 3f }
$s1 = "http://darksid" ascii
$s2 = "[ Welcome to DarkSide ]" ascii
$s3 = ".onion/" ascii
condition:
uint16(0) == 0x5a4d and
filesize < 200KB and
3 of them or all of ($op*) or all of ($s*)
}
rule MAL_Ransomware_Win_DARKSIDE_v1_1 {
meta:
author = "FireEye"
date = "2021-03-22"
description = "Detection for early versions of DARKSIDE ransomware samples based on the encryption mode configuration values."
hash = "1a700f845849e573ab3148daef1a3b0b"
reference = "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html"
id = "322a3de5-a7e5-52b9-8648-6019954e92d7"
strings:
$consts = { 80 3D [4] 01 [1-10] 03 00 00 00 [1-10] 03 00 00 00 [1-10] 00 00 04 00 [1-10] 00 00 00 00 [1-30] 80 3D [4] 02 [1-10] 03 00 00 00 [1-10] 03 00 00 00 [1-10] FF FF FF FF [1-10] FF FF FF FF [1-30] 03 00 00 00 [1-10] 03 00 00 00 }
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and $consts
}
rule MAL_Dropper_Win_Darkside_1 {
meta:
author = "FireEye"
date_created = "2021-05-11"
description = "Detection for on the binary that was used as the dropper leading to DARKSIDE."
reference = "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html"
id = "910a581c-25a4-5d5e-acdc-6d87cbedd3cf"
strings:
$CommonDLLs1 = "KERNEL32.dll" fullword
$CommonDLLs2 = "USER32.dll" fullword
$CommonDLLs3 = "ADVAPI32.dll" fullword
$CommonDLLs4 = "ole32.dll" fullword
$KeyString1 = { 74 79 70 65 3D 22 77 69 6E 33 32 22 20 6E 61 6D 65 3D 22 4D 69 63 72 6F 73 6F 66 74 2E 57 69 6E 64 6F 77 73 2E 43 6F 6D 6D 6F 6E 2D 43 6F 6E 74 72 6F 6C 73 22 20 76 65 72 73 69 6F 6E 3D 22 36 2E 30 2E 30 2E 30 22 20 70 72 6F 63 65 73 73 6F 72 41 72 63 68 69 74 65 63 74 75 72 65 3D 22 78 38 36 22 20 70 75 62 6C 69 63 4B 65 79 54 6F 6B 65 6E 3D 22 36 35 39 35 62 36 34 31 34 34 63 63 66 31 64 66 22 }
$KeyString2 = { 74 79 70 65 3D 22 77 69 6E 33 32 22 20 6E 61 6D 65 3D 22 4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 4D 46 43 22 20 76 65 72 73 69 6F 6E 3D 22 39 2E 30 2E 32 31 30 32 32 2E 38 22 20 70 72 6F 63 65 73 73 6F 72 41 72 63 68 69 74 65 63 74 75 72 65 3D 22 78 38 36 22 20 70 75 62 6C 69 63 4B 65 79 54 6F 6B 65 6E 3D 22 31 66 63 38 62 33 62 39 61 31 65 31 38 65 33 62 22 }
$Slashes = { 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C }
condition:
filesize < 2MB and filesize > 500KB and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (all of ($CommonDLLs*)) and (all of ($KeyString*)) and $Slashes
}
rule MAL_Backdoor_Win_C3_1 {
meta:
author = "FireEye"
date_created = "2021-05-11"
description = "Detection to identify the Custom Command and Control (C3) binaries."
md5 = "7cdac4b82a7573ae825e5edb48f80be5"
reference = "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html"
id = "60eb022e-6f4e-5c7d-9ddf-b458a593071e"
strings:
$dropboxAPI = "Dropbox-API-Arg"
$knownDLLs1 = "WINHTTP.dll" fullword
$knownDLLs2 = "SHLWAPI.dll" fullword
$knownDLLs3 = "NETAPI32.dll" fullword
$knownDLLs4 = "ODBC32.dll" fullword
$tokenString1 = { 5B 78 5D 20 65 72 72 6F 72 20 73 65 74 74 69 6E 67 20 74 6F 6B 65 6E }
$tokenString2 = { 5B 78 5D 20 65 72 72 6F 72 20 63 72 65 61 74 69 6E 67 20 54 6F 6B 65 6E }
$tokenString3 = { 5B 78 5D 20 65 72 72 6F 72 20 64 75 70 6C 69 63 61 74 69 6E 67 20 74 6F 6B 65 6E }
condition:
filesize < 5MB and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (((all of ($knownDLLs*)) and ($dropboxAPI or (1 of ($tokenString*)))) or (all of ($tokenString*)))
}