Sneed-Reactivity/yara-mikesxrs/Checkpoint/ZZ_breakwin_wiper.yar

121 lines
8.1 KiB
Text
Raw Normal View History

rule ZZ_breakwin_wiper {
meta:
description = "Detects the BreakWin wiper that was used in attacks in Syria"
reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
author = "Check Point Research"
date = "22-07-2021"
hash = "2aa6e42cb33ec3c132ffce425a92dfdb5e29d8ac112631aec068c8a78314d49b"
hash = "6709d332fbd5cde1d8e5b0373b6ff70c85fee73bd911ab3f1232bb5db9242dd4"
hash = "d71cc6337efb5cbbb400d57c8fdeb48d7af12a292fa87a55e8705d18b09f516e"
strings:
$debug_str_meteor_1 = "the program received an invalid number of arguments" wide
$debug_str_meteor_2 = "End interval logger. Resuming writing every log" wide
$debug_str_meteor_0 = "failed to initialize configuration from file" wide
$debug_str_meteor_3 = "Meteor is still alive." wide
$debug_str_meteor_4 = "Exiting main function because of some error" wide
$debug_str_meteor_5 = "Meteor has finished. This shouldn't be possible because of the is-alive loop." wide
$debug_str_meteor_6 = "Meteor has started." wide
$debug_str_meteor_7 = "Could not hide current console." wide
$debug_str_meteor_8 = "Could not get the window handle used by the console." wide
$debug_str_meteor_9 = "Failed to find base-64 data size" wide
$debug_str_meteor_10 = "Running locker thread" wide
$debug_str_meteor_11 = "Failed to encode wide-character string as Base64" wide
$debug_str_meteor_12 = "Wiper operation failed." wide
$debug_str_meteor_13 = "Screen saver disable failed." wide
$debug_str_meteor_14 = "Failed to generate password of length %s. Generating a default one." wide
$debug_str_meteor_15 = "Failed to delete boot configuration" wide
$debug_str_meteor_16 = "Could not delete all BCD entries." wide
$debug_str_meteor_17 = "Finished deleting BCD entries." wide
$debug_str_meteor_18 = "Failed to change lock screen" wide
$debug_str_meteor_19 = "Boot configuration deleted successfully" wide
$debug_str_meteor_20 = "Failed to kill all winlogon processes" wide
$debug_str_meteor_21 = "Changing passwords of all users to" wide
$debug_str_meteor_22 = "Failed to change the passwords of all users" wide
$debug_str_meteor_23 = "Failed to run the locker thread" wide
$debug_str_meteor_24 = "Screen saver disabled successfully." wide
$debug_str_meteor_25 = "Generating random password failed" wide
$debug_str_meteor_26 = "Locker installation failed" wide
$debug_str_meteor_27 = "Failed to set auto logon." wide
$debug_str_meteor_28 = "Failed to initialize interval logger. Using a dummy logger instead." wide
$debug_str_meteor_29 = "Succeeded setting auto logon for" wide
$debug_str_meteor_30 = "Failed disabling the first logon privacy settings user approval." wide
$debug_str_meteor_31 = "Failed disabling the first logon animation." wide
$debug_str_meteor_32 = "Waiting for new winlogon process" wide
$debug_str_meteor_33 = "Failed to isolate from domain" wide
$debug_str_meteor_34 = "Failed creating scheduled task for system with name %s." wide
$debug_str_meteor_35 = "Failed to get the new token of winlogon." wide
$debug_str_meteor_36 = "Failed adding new admin user." wide
$debug_str_meteor_37 = "Failed changing settings for the created new user." wide
$debug_str_meteor_38 = "Failed disabling recovery mode." wide
$debug_str_meteor_39 = "Logging off users on Windows version 8 or above" wide
$debug_str_meteor_40 = "Succeeded setting boot policy to ignore all errors." wide
$debug_str_meteor_41 = "Succeeded creating scheduled task for system with name" wide
$debug_str_meteor_42 = "Succeeded disabling recovery mode" wide
$debug_str_meteor_43 = "Failed to log off all sessions" wide
$debug_str_meteor_44 = "Failed to delete shadowcopies." wide
$debug_str_meteor_45 = "Failed logging off session: " wide
$debug_str_meteor_46 = "Failed setting boot policy to ignore all errors." wide
$debug_str_meteor_47 = "Successfully logged off all local sessions, except winlogon." wide
$debug_str_meteor_48 = "Succeeded creating scheduled task with name %s for user %s." wide
$debug_str_meteor_49 = "Killing all winlogon processes" wide
$debug_str_meteor_50 = "Logging off users in Windows 7" wide
$debug_str_meteor_51 = "Failed logging off all local sessions, except winlogon." wide
$debug_str_meteor_52 = "Failed creating scheduled task with name %s for user %s." wide
$debug_str_meteor_53 = "Succeeded deleting shadowcopies." wide
$debug_str_meteor_54 = "Logging off users in Windows XP" wide
$debug_str_meteor_55 = "Failed changing settings for the created new user." wide
$debug_str_meteor_56 = "Could not open file %s. error message: %s" wide
$debug_str_meteor_57 = "Could not write to file %s. error message: %s" wide
$debug_str_meteor_58 = "tCould not tell file pointer location on file %s." wide
$debug_str_meteor_59 = "Could not set file pointer location on file %s to offset %s." wide
$debug_str_meteor_60 = "Could not read from file %s. error message: %s" wide
$debug_str_meteor_61 = "Failed to wipe file %s" wide
$debug_str_meteor_62 = "attempted to access encrypted file in offset %s, but it only supports offset 0" wide
$debug_str_meteor_63 = "Failed to create thread. Error message: %s" wide
$debug_str_meteor_64 = "Failed to wipe file %s" wide
$debug_str_meteor_65 = "failed to get configuration value with key %s" wide
$debug_str_meteor_66 = "failed to parse the configuration from file %s" wide
$debug_str_meteor_67 = "Failed posting to server, received unknown exception" wide
$debug_str_meteor_68 = "Failed posting to server, received std::exception" wide
$debug_str_meteor_69 = "Skipping %s logs. Writing log number %s:" wide
$debug_str_meteor_70 = "Start interval logger. Writing logs with an interval of %s logs." wide
$debug_str_meteor_71 = "failed to write message to log file %s" wide
$debug_str_meteor_72 = "The log message is too big: %s/%s characters." wide
$debug_str_stardust_0 = "Stardust has started." wide
$debug_str_stardust_1 = "0Vy0qMGO" ascii wide
$debug_str_comet_0 = "Comet has started." wide
$debug_str_comet_1 = "Comet has finished." wide
$str_lock_my_pc = "Lock My PC 4" ascii wide
$config_entry_0 = "state_path" ascii
$config_entry_1 = "state_encryption_key" ascii
$config_entry_2 = "log_server_port" ascii
$config_entry_3 = "log_file_path" ascii
$config_entry_4 = "log_encryption_key" ascii
$config_entry_5 = "log_server_ip" ascii
$config_entry_6 = "processes_to_kill" ascii
$config_entry_7 = "process_termination_timeout" ascii
$config_entry_8 = "paths_to_wipe" ascii
$config_entry_9 = "wiping_stage_logger_interval" ascii
$config_entry_10 = "locker_exe_path" ascii
$config_entry_11 = "locker_background_image_jpg_path" ascii
$config_entry_12 = "auto_logon_path" ascii
$config_entry_13 = "locker_installer_path" ascii
$config_entry_14 = "locker_password_hash" ascii
$config_entry_15 = "users_password" ascii
$config_entry_16 = "locker_background_image_bmp_path" ascii
$config_entry_17 = "locker_registry_settings_files" ascii
$config_entry_18 = "cleanup_script_path" ascii
$config_entry_19 = "is_alive_loop_interval" ascii
$config_entry_20 = "cleanup_scheduled_task_name" ascii
$config_entry_21 = "self_scheduled_task_name" ascii
$encryption_asm = {33 D2 8B C3 F7 75 E8 8B 41 04 8B 4E 04 8A 04 02 02 C3 32 04 1F 88 45 F3 39 4E 08}
$random_string_generation = {33 D2 59 F7 F1 83 ?? ?? 08 66 0F BE 82 ?? ?? ?? 00 0F B7 C8 8B C7}
condition:
uint16(0) == 0x5A4D and
(
6 of them or
$encryption_asm or
$random_string_generation
)
}