122 lines
4.3 KiB
Text
122 lines
4.3 KiB
Text
|
rule malware_sakula_xorloop {
|
||
|
meta:
|
||
|
description = "XOR loops from Sakula malware"
|
||
|
author = "David Cannings/NCCGroup"
|
||
|
reference = "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula"
|
||
|
md5 = "fc6497fe708dbda9355139721b6181e7"
|
||
|
|
||
|
strings:
|
||
|
$mz = "MZ"
|
||
|
|
||
|
// XOR decode loop (non-null, non-key byte only)
|
||
|
$opcodes_decode_loop01 = { 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B }
|
||
|
|
||
|
// XOR decode
|
||
|
$opcodes_decode_loop02 = { 8B 45 08 8D 0C 02 8A 01 84 C0 74 08 3C ?? 74 04 34 ?? 88 01 }
|
||
|
|
||
|
condition:
|
||
|
$mz at 0 and any of ($opcodes*)
|
||
|
}
|
||
|
|
||
|
rule malware_sakula_memory {
|
||
|
meta:
|
||
|
description = "Sakula malware - strings after unpacking (memory rule)"
|
||
|
author = "David Cannings/NCCGroup"
|
||
|
reference = "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula"
|
||
|
md5 = "b3852b9e7f2b8954be447121bb6b65c3"
|
||
|
|
||
|
strings:
|
||
|
$str01 = "cmd.exe /c ping 127.0.0.1 & del \"%s\""
|
||
|
$str02 = "cmd.exe /c rundll32 \"%s\" Play \"%s\""
|
||
|
$str03 = "Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+SV1)"
|
||
|
$str04 = "cmd.exe /c cmd.exe /c cmd.exe /c cmd.exe /c cmd.exe /c cmd.exe /c \"%s\""
|
||
|
$str05 = "Self Process Id:%d"
|
||
|
$str06 = "%d_%d_%d_%s"
|
||
|
$str07 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
|
||
|
$str08 = "cmd.exe /c rundll32 \"%s\" ActiveQvaw \"%s\""
|
||
|
|
||
|
// Encode loop, operations: rol 1; xor ??;
|
||
|
$opcodes01 = { 83 F9 00 74 0E 31 C0 8A 03 D0 C0 34 ?? 88 03 49 43 EB ED }
|
||
|
|
||
|
// Encode loop, single byte XOR
|
||
|
$opcodes02 = { 31 C0 8A 04 13 32 01 83 F8 00 75 0E 83 FA 00 74 04 49 4A }
|
||
|
|
||
|
condition:
|
||
|
4 of them
|
||
|
}
|
||
|
|
||
|
rule malware_sakula_shellcode {
|
||
|
meta:
|
||
|
description = "Sakula shellcode - taken from decoded setup.msi but may not be unique enough to identify Sakula"
|
||
|
author = "David Cannings/NCCGroup"
|
||
|
reference = "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula"
|
||
|
|
||
|
strings:
|
||
|
/*
|
||
|
55 push ebp
|
||
|
89 E5 mov ebp, esp
|
||
|
E8 00 00 00 00 call $+5
|
||
|
58 pop eax
|
||
|
83 C0 06 add eax, 6
|
||
|
C9 leave
|
||
|
C3 retn
|
||
|
*/
|
||
|
// Get EIP technique (may not be unique enough to identify Sakula)
|
||
|
// Note this only appears in memory or decoded files
|
||
|
$opcodes01 = { 55 89 E5 E8 00 00 00 00 58 83 C0 06 C9 C3 }
|
||
|
|
||
|
/*
|
||
|
8B 5E 3C mov ebx, [esi+3Ch] ; Offset to PE header
|
||
|
8B 5C 1E 78 mov ebx, [esi+ebx+78h] ; Length of headers
|
||
|
8B 4C 1E 20 mov ecx, [esi+ebx+20h] ; Number of data directories
|
||
|
53 push ebx
|
||
|
8B 5C 1E 24 mov ebx, [esi+ebx+24h] ; Export table
|
||
|
01 F3 add ebx, esi
|
||
|
*/
|
||
|
// Export parser
|
||
|
$opcodes02 = { 8B 5E 3C 8B 5C 1E 78 8B 4C 1E 20 53 8B 5C 1E 24 01 F3 }
|
||
|
|
||
|
condition:
|
||
|
any of them
|
||
|
}
|
||
|
|
||
|
|
||
|
rule malware_sakula_loader {
|
||
|
meta:
|
||
|
description = "A small DLL loader (~6KiB) for Sakula malware"
|
||
|
author = "David Cannings/NCCGroup"
|
||
|
reference = "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula"
|
||
|
md5 = "58d56d6e2cafca33e5a9303a36228ef6"
|
||
|
|
||
|
strings:
|
||
|
/*
|
||
|
59 pop ecx
|
||
|
5B pop ebx
|
||
|
6A 69 push 'i'
|
||
|
68 70 2E 6D 73 push 'sm.p'
|
||
|
68 73 65 74 75 push 'utes'
|
||
|
54 push esp ; Source
|
||
|
FF 35 04 20 00 10 push ds:lpFileName ; Dest
|
||
|
E8 29 1F 00 00 call strcat
|
||
|
*/
|
||
|
// String stacking for 'setup.msi'
|
||
|
$opcodes_string_stack01 = { 6A 69 68 70 2E 6D 73 68 73 65 74 75 }
|
||
|
|
||
|
/*
|
||
|
48 dec eax
|
||
|
83 F8 00 cmp eax, 0
|
||
|
0F 84 B2 00 00 00 jz loc_10001171
|
||
|
8A 18 mov bl, [eax]
|
||
|
80 F3 5C xor bl, 5Ch
|
||
|
80 FB 00 cmp bl, 0
|
||
|
*/
|
||
|
$opcodes_decode_loop = { 48 83 F8 00 0F ?? ?? ?? ?? ?? 8A 18 80 F3 ?? 80 FB 00 }
|
||
|
|
||
|
// Generic toolmarks from the compiler
|
||
|
$str01 = "Win32 Program!"
|
||
|
$str02 = "GoLink, GoAsm www.GoDevTool.com"
|
||
|
|
||
|
condition:
|
||
|
1 of ($opcodes*) and 1 of ($str*)
|
||
|
}
|