Sneed-Reactivity/yara-Neo23x0/crime_nansh0u.yar

137 lines
5.3 KiB
Text
Raw Normal View History

/*
YARA Rule Set
Author: Florian Roth
Date: 2019-05-31
Identifier: Nansh0u
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
License = CC BY-NC 4.0 https://creativecommons.org/licenses/by-nc/4.0/
*/
/* Rule Set ----------------------------------------------------------------- */
import "pe"
rule MAL_XMR_Miner_May19_1 : HIGHVOL {
meta:
description = "Detects Monero Crypto Coin Miner"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/"
date = "2019-05-31"
score = 85
hash1 = "d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc"
id = "233d1d47-de67-55a9-ae7e-46b5dd34e6ce"
strings:
$x1 = "donate.ssl.xmrig.com" fullword ascii
$x2 = "* COMMANDS 'h' hashrate, 'p' pause, 'r' resume" fullword ascii
$s1 = "[%s] login error code: %d" fullword ascii
$s2 = "\\\\?\\pipe\\uv\\%p-%lu" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 14000KB and (
pe.imphash() == "25d9618d1e16608cd5d14d8ad6e1f98e" or
1 of ($x*) or
2 of them
)
}
rule HKTL_CN_ProcHook_May19_1 {
meta:
description = "Detects hacktool used by Chinese threat groups"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/"
date = "2019-05-31"
hash1 = "02ebdc1ff6075c15a44711ccd88be9d6d1b47607fea17bef7e5e17f8da35293e"
id = "ae4e2613-8254-5ea6-af88-2f08ebe4da33"
condition:
uint16(0) == 0x5a4d and filesize < 300KB and
pe.imphash() == "343d580dd50ee724746a5c28f752b709"
}
rule SUSP_PDB_CN_Threat_Actor_May19_1 {
meta:
description = "Detects PDB path user name used by Chinese threat actors"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/"
date = "2019-05-31"
score = 65
hash1 = "01c3882e8141a25abe37bb826ab115c52fd3d109c4a1b898c0c78cee8dac94b4"
id = "fc6969ed-5fc1-5b3b-9659-c6fc1c9e2f9c"
strings:
$x1 = "C:\\Users\\zcg\\Desktop\\" ascii
condition:
uint16(0) == 0x5a4d and filesize < 400KB and 1 of them
}
rule MAL_Ramnit_May19_1 {
meta:
description = "Detects Ramnit malware"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/"
date = "2019-05-31"
hash1 = "d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3"
id = "f8fa3557-556e-5680-9f1a-2ecf118ade75"
condition:
uint16(0) == 0x5a4d and filesize < 300KB
and pe.imphash() == "500cd02578808f964519eb2c85153046"
}
rule MAL_Parite_Malware_May19_1 {
meta:
description = "Detects Parite malware"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/"
date = "2019-05-31"
score = 80
hash1 = "c9d8852745e81f3bfc09c0a3570d018ae8298af675e3c6ee81ba5b594ff6abb8"
hash2 = "8d47b08504dcf694928e12a6aa372e7fa65d0d6744429e808ff8e225aefa5af2"
hash3 = "285e3f21dd1721af2352196628bada81050e4829fb1bb3f8757a45c221737319"
hash4 = "b987dcc752d9ceb3b0e6cd4370c28567be44b789e8ed8a90c41aa439437321c5"
id = "f4c9da17-9894-5243-828a-827accb0bac5"
strings:
$s1 = "taskkill /im cmd.exe /f" fullword ascii
$s2 = "LOADERX64.dll" fullword ascii
$x1 = "\\dllhot.exe" ascii
$x2 = "dllhot.exe --auto --any --forever --keepalive" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 10000KB and ( 1 of ($x*) or 2 of them )
}
rule MAL_Parite_Malware_May19_2 {
meta:
description = "Detects Parite malware based on Imphash"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/"
date = "2019-05-31"
hash1 = "c9d8852745e81f3bfc09c0a3570d018ae8298af675e3c6ee81ba5b594ff6abb8"
hash2 = "8d47b08504dcf694928e12a6aa372e7fa65d0d6744429e808ff8e225aefa5af2"
hash3 = "285e3f21dd1721af2352196628bada81050e4829fb1bb3f8757a45c221737319"
hash4 = "b987dcc752d9ceb3b0e6cd4370c28567be44b789e8ed8a90c41aa439437321c5"
id = "33970268-610c-5abf-9e9e-83dae0c81064"
condition:
uint16(0) == 0x5a4d and filesize < 18000KB and (
pe.imphash() == "b132a2719be01a6ef87d9939d785e19e" or
pe.imphash() == "78f4f885323ffee9f8fa011455d0523d"
)
}
rule EXPL_Strings_CVE_POC_May19_1 {
meta:
description = "Detects strings used in CVE POC noticed in May 2019"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/"
date = "2019-05-31"
score = 80
hash1 = "01c3882e8141a25abe37bb826ab115c52fd3d109c4a1b898c0c78cee8dac94b4"
id = "df11e0b1-e907-5a24-a3e7-0e78acb379f7"
strings:
$x1 = "\\Debug\\poc_cve_20" ascii
$x2 = "\\Release\\poc_cve_20" ascii
$x3 = "alloc fake fail: %x!" fullword ascii
$x4 = "Allocate fake tagWnd fail!" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 400KB and 1 of them
}