78 lines
3.2 KiB
Text
78 lines
3.2 KiB
Text
|
|
||
|
rule wiper {
|
||
|
meta:
|
||
|
description = "Wiper malware deployed in late 2014 skywiper attacks"
|
||
|
|
||
|
strings:
|
||
|
// 760C35A80D758F032D02CF4DB12D3E55 @ 0x40124A
|
||
|
$decryption_main_loop = {8bcbe8????????8a143e32d088143e463bf57cec5f}
|
||
|
// 760C35A80D758F032D02CF4DB12D3E55 @ 0x40118d
|
||
|
$context_init_loop1 = { 8b790c8b411033f78971088bf033f789710c8b710833c64b89411075e3 }
|
||
|
// 760C35A80D758F032D02CF4DB12D3E55 @ 0x4011b4
|
||
|
$context_init_loop2 = { 8b510c8b41100bf28971088bf00bf289710c8b71080bc64f89411075e3 }
|
||
|
$MZ = "MZ"
|
||
|
|
||
|
condition:
|
||
|
$MZ at 0 and 2 of them
|
||
|
}
|
||
|
|
||
|
rule wiper_payload_dropper {
|
||
|
meta:
|
||
|
description = "Wiper implant"
|
||
|
filename = "iissvr.exe"
|
||
|
|
||
|
strings:
|
||
|
$MZ = "MZ"
|
||
|
|
||
|
// the following 3 are used to transfer html/wav/jpg data from the resource section (these include the resource name following the http data)
|
||
|
$html={485454502F312E3120323030204F4B0D0A436F6E74656E742D4C656E6774683A2025640D0A436F6E74656E742D547970653A20746578742F68746D6C0D0A4163636570742D52616E6765733A2062797465730D0A5365727665723A204D6963726F736F66742D4949532F362E300D0A0D0A000000525352435F48544D4C00}
|
||
|
|
||
|
$wav={485454502F312E3120323030204F4B0D0A436F6E74656E742D4C656E6774683A2025640D0A436F6E74656E742D547970653A20696D6167652F6A7065670D0A4163636570742D52616E6765733A2062797465730D0A5365727665723A204D6963726F736F66742D4949532F362E300D0A0D0A0000525352435F4A504700}
|
||
|
|
||
|
$jpg={485454502F312E3120323030204F4B0D0A436F6E74656E742D4C656E6774683A2025640D0A436F6E74656E742D547970653A20617564696F2F7761760D0A4163636570742D52616E6765733A2062797465730D0A5365727665723A204D6963726F736F66742D4949532F362E300D0A0D0A000000525352435F57415600}
|
||
|
|
||
|
condition:
|
||
|
$MZ at 0 and ($html or $wav or $jpg)
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
// Moderate confidence that this rule matches a legitimate driver component used by the wiper malware
|
||
|
// as opposed to it having been signed by a stolen certificate.
|
||
|
// It's commented out here because it could hit on legitimate software and the userland component
|
||
|
// will be detected by signatures anyway.
|
||
|
rule wiper_driver_component {
|
||
|
meta:
|
||
|
description = "Wiper implant"
|
||
|
filename = "usbdrv3.sys"
|
||
|
|
||
|
strings:
|
||
|
$MZ = "MZ"
|
||
|
|
||
|
// 86E212B7FC20FC406C692400294073FF @ 0x15F55
|
||
|
$switch_table1 = {4C89B424C8000000488B4F088B414883F802742D83F807742883F81F742383F824741E83F82D741983F831741483F836740F83F830740ABB240000C0E9}
|
||
|
// @ 0x164D8
|
||
|
$switch_table2 = {488BF08B484883F903741D83F908741883F909741383F914740E83F920740983F9350F}
|
||
|
|
||
|
condition:
|
||
|
$MZ at 0 and $switch_table1 and $switch_table2
|
||
|
}
|
||
|
*/
|
||
|
|
||
|
rule wiper_payload_dropper2 {
|
||
|
meta:
|
||
|
description = "Wiper implant"
|
||
|
filename = "ams.exe"
|
||
|
|
||
|
strings:
|
||
|
$MZ = "MZ"
|
||
|
|
||
|
// 7E5FEE143FB44FDB0D24A1D32B2BD4BB
|
||
|
$process_hacker_ascii = {5c4465766963655c4b50726f636573734861636b657232}
|
||
|
$process_hacker_unicode = {5c004400650076006900630065005c004b00500072006f0063006500730073004800610063006b006500720032000000}
|
||
|
$mcshield_string = {53595354454d5c43757272656e74436f6e74726f6c5365745c73657276696365735c4d63536869656c6400}
|
||
|
|
||
|
condition:
|
||
|
$MZ at 0 and ($process_hacker_ascii or $process_hacker_unicode) and $mcshield_string
|
||
|
}
|
||
|
|