Sneed-Reactivity/yara-mikesxrs/Novetta/Novetta_index.yara

3068 lines
92 KiB
Text
Raw Normal View History

// From CERT report https://www.us-cert.gov/ncas/alerts/TA14-353A
rule SMB_Worm_Tool
{
strings:
$STR1 = "Global\\FwtSqmSession106829323_S-1-5-19"
$STR2 = "EVERYONE"
$STR3 = "y0uar3@s!llyid!07,ou74n60u7f001"
$STR4 = "\\KB25468.dat"
condition:
( uint16(0) == 0x5A4D or
uint16(0) == 0xCFD0 or
uint16(0) == 0xC3D4 or
uint32(0) == 0x46445025 or
uint32(1) == 0x6674725C)
and all of them
}
rule Lightweight_Backdoor1
{
strings:
$STR1 = "NetMgStart"
$STR2 = "Netmgmt.srg"
condition:
(uint16(0) == 0x5A4D) and all of them
}
rule LightweightBackdoor2
{
strings:
$STR1 = "prxTroy" ascii wide nocase
condition:
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}
rule LightweightBackdoor3
{
strings:
$strl = { C6 45 E8 64 C6 45 E9 61 C6 45 EA 79 C6 45 EB 69 C6 45 EC 70 C6 45 ED 6D C6 45 EE 72 C6 45 EF 2E C6 45 F0 74 C6 45 F1 62 C6 45 F2 6C } // 'dayipmr.tbl' being moved to ebp
condition:
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}
rule LightweightBackdoor4
{
strings:
$strl = { C6 45 F4 61 C6 45 F5 6E C6 45 F6 73 C6 45 F7 69 C6 45 F8 2E C6 45 F9 6E C6 45 FA 6C C6 45 FB 73 } // 'ansi.nls' being moved to ebp
condition:
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}
rule LightweightBackdoor5
{
strings:
$strl = { C6 45 F4 74 C6 45 F5 6C C6 45 F6 76 C6 45 F7 63 C6 45 F8 2E C6 45 F9 6E C6 45 FA 6C C6 45 FB 73 } // 'tlvc.nls' being moved to ebp
condition:
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}
rule LightweightBackdoor6
{
strings:
$STR1 = { 8A 10 80 ?? 4E 80 ?? 79 88 10}
$STR2 = { 8A 10 80?? 79 80 ?? 4E 88 10}
condition:
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}
rule ProxyTool1
{
strings:
$STR1 = "pmsconfig.msi" wide
$STR2 = "pmslog.msi" wide
condition:
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and any of them
}
rule ProxyTool2
{
strings:
$STR1 = { 82 F4 DE D4 D3 C2 CA F5 C8 C8 D3 82 FB F4 DE D4 D3 C2 CA 94 95 FB D4 D1 C4 CF C8 D4 D3 89 C2 DF C2 87 8A CC 87 00 } // '%SystemRoot%\System32\svchost.exe -k' xor A7
condition:
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}
rule ProxyTool3
{
strings:
$STR2 = {8A 04 17 8B FB 34 A7 46 88 02 83 C9 FF}
condition:
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and $STR2
}
rule DestructiveHardDriveTool1
{
strings:
$str0= "MZ"
$str1 = {c6 84 24 ?? ( 00 | 01 ) 00 00 }
$xorInLoop = { 83 EC 20 B9 08 00 00 00 33 D2 56 8B 74 24 30 57 8D 7C 24 08 F3 A5 8B 7C 24 30 85 FF 7E 3A 8B 74 24 2C 8A 44 24 08 53 8A 4C 24 21 8A 5C 24 2B 32 C1 8A 0C 32 32 C3 32 C8 88 0C 32 B9 1E 00 00 00 8A 5C 0C 0C 88 5C 0C 0D 49 83 F9 FF 7F F2 42 88 44 24 0C 3B D7 7C D0 5B 5F 5E 83 C4 20 C3 }
condition:
$str0 at 0 and $xorInLoop and #str1 > 300
}
/*
rule DestructiveTargetCleaningTool1
{
strings:
$s1 = {d3000000 [4] 2c000000 [12] 95000000 [4] 6a000000 [8] 07000000}
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
}
*/
/*
rule DestructiveTargetCleaningTool2
{
strings:
$secureWipe = { 83 EC 34 53 55 8B 6C 24 40 56 57 83 CE FF 55 C7 44 24 2C D3 00 00 00 C7 44 24 30 2C 00 00 00 89 74 24 34 89 74 24
38 C7 44 24 3C 95 00 00 00 C7 44 24 40 6A 00 00 00 89 74 24 44 C7 44 24 14 07 00 00 00 FF 15 ?? ?? ?? ?? 3B C6 89
44 24 1C 0F 84 (D8 | d9) 01 00 00 33 FF 68 00 00 01 00 57 FF 15 ?? ?? ?? ?? 8B D8 3B DF 89 5C 24 14 0F 84 (BC | BD)
01 00 00 8B 44 24 1C A8 01 74 0A 24 FE 50 55 FF 15 ?? ?? ?? ?? 8B 44 24 4C 2B C7 74 20 48 74 0F 83 E8 02 75 1C C7
44 24 10 03 00 00 00 EB 12 C7 44 24 10 01 00 00 00 89 74 24 28 EB 04 89 7C 24 10 8B 44 24 10 89 7C 24 1C 3B C7 0F
8E ( 5C | 5d ) 01 00 00 8D 44 24 28 89 44 24 4C EB 03 83 CE FF 8B 4C 24 4C 8B 01 3B C6 74 17 8A D0 B9 00 40 00 00
8A F2 8B FB 8B C2 C1 E0 10 66 8B C2 F3 AB EB ( 13 | 14) 33 F6 (E8 | ff 15) ?? ?? ?? ?? 88 04 1E 46 81 FE 00 00 01
00 7C ( EF | ee) 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 C0 55 FF 15 ?? ?? ?? ?? 8B F0 83 FE FF 0F 84 FA 00 00 00
8D 44 24 20 50 56 FF 15 ?? ?? ?? ?? 8B 2D ?? ?? ?? ?? 6A 02 6A 00 6A FF 56 FF D5 8D 4C 24 18 6A 00 51 6A 01 53 56
FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 56 FF D5 8B 44 24 24 8B 54 24 20 33 FF 33 DB 85 C0 7C 5A
7F 0A 85 D2 76 54 EB 04 8B 54 24 20 8B CA BD 00 00 01 00 2B CF 1B C3 85 C0 7F 0A 7C 04 3B CD 73 04 2B D7 8B EA 8B
44 24 14 8D 54 24 18 6A 00 52 55 50 56 FF 15 ?? ?? ?? ?? 8B 6C 24 18 8B 44 24 24 03 FD 83 D3 00 3B D8 7C BE 7F 08
8B 54 24 20 3B FA 72 B8 8B 2D ?? ?? ?? ?? 8B 5C 24 10 8B 7C 24 1C 8D 4B FF 3B F9 75 17 56 FF 15 ?? ?? ?? ?? 6A 00
6A 00 6A 00 56 FF D5 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8B 4C 24 4C 8B 6C 24 48 47 83
C1 04 3B FB 8B 5C 24 14 89 7C 24 1C 89 4C 24 4C 0F 8C ( AE | AD) FE FF FF 6A 00 55 E8 ?? ?? ?? ?? 83 C4 08 53 FF
15 ?? ?? ?? ?? 5F 5E 5D 5B 83 C4 34 C3 }
condition:
$secureWipe
}
*/
rule DestructiveTargetCleaningTool3
{
strings:
$S1_CMD_Arg = "/install" fullword
$S2_CMD_Parse= "\"%s\" /install \"%s\"" fullword
$S3_CMD_Builder= "\"%s\" \"%s\" \"%s\" %s" fullword
condition:
all of them
}
rule DestructiveTargetCleaningTool4
{
strings:
$BATCH_SCRIPT_LN1_0 = "goto x" fullword
$BATCH_SCRIPT_LN1_1 = "del" fullword
$BATCH_SCRIPT_LN2_0 = "if exist" fullword
$BATCH_SCRIPT_LN3_0 = ":x" fullword
$BATCH_SCRIPT_LN4_0 = "zz%d.bat" fullword
condition:
(#BATCH_SCRIPT_LN1_1 == 2) and all of them
}
rule DestructiveTargetCleaningTool5
{
strings:
$MCU_DLL_ZLIB_COMPRESSED2 = { 5C EC AB AE 81 3C C9 BC D5 A5 42 F4 54 91 04 28 34 34 79 80 6F 71 D5 52 1E 2A 0D }
condition:
$MCU_DLL_ZLIB_COMPRESSED2
}
rule DestructiveTargetCleaningTool6
{
strings:
$MCU_INF_StartHexDec = {010346080A30D63633000B6263750A5052322A00103D1B570A30E67F2A00130952690A503A0D2A000E00A26E15104556766572636C7669642E657865}
$MCU_INF_StartHexEnc = {6C3272386958BF075230780A0A54676166024968790C7A6779588F5E47312739310163615B3D59686721CF5F2120263E1F5413531F1E004543544C55}
condition:
$MCU_INF_StartHexEnc or $MCU_INF_StartHexDec
}
rule DestructiveTargetCleaningTool7
{
strings:
$a = "SetFilePointer"
$b = "SetEndOfFile"
$c = {75 17 56 ff 15 ?? ?? ?? ?? 6a 00 6a 00 6a 00 56 ff D5 56 ff 15 ?? ?? ?? ?? 56}
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
}
rule DestructiveTargetCleaningTool8
{
strings:
$license = {E903FFFF820050006F007200740069006F006E007300200063006F007000790072006900670068007400200052006F006200650072007400200064006500200042006100740068002C0020004A006F007200690073002000760061006E002000520061006E007400770069006A006B002C002000440065006C00690061006E000000000000000250000000000A002200CE000800EA03FFFF8200}
$PuTTY= {50007500540054005900}
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $license and not $PuTTY
}
rule Malwareusedbycyberthreatactor1
{
strings:
// vvv---- this sig hits on a legit CRT function it seems.
$heapCreateFunction_0 = {33C06A003944240868001000000F94C050FF15????????85C0A3???????07436E893FEFFFF83F803A3???????0750D68F8030000E8??00000059EB0A83F8027518E8????000085C0750FFF35???????0FF15???????033C0C36A0158C3}
$heapCreateFunction = { 55 8B EC B8 2C 12 00 00 E8 ?? ?? FF FF 8D 85 68 FF FF FF 53 50 C7 85 68 FF FF FF 94 00 00 00 FF 1? ?? ?? ?? ?0 85 C0 74 1A 83 BD 78 FF FF FF 02 75 11 83 BD 6C FF FF FF 05 72 08 6A 01 58 E9 02 01 00 00 8D 85 D4 ED FF F6 89 01 00 00 05 06 8? ?? ?? ?? 0F F1 5? ?? ?? ?? 08 5C 00 F8 4D 00 00 00 03 3D B8 D8 DD 4E DF FF F3 89 DD DF FF F7 41 38 A0 13 C6 17 C0 83 C7 A7 F0 42 C2 08 80 14 13 81 97 5E D8 D8 5D 4E DF FF F6 A1 65 06 8? ?? ?? ?? 0E 8? ?? ?0 00 08 3C 40 C8 5C 07 50 88 D8 5D 4E DF FF FE B4 98 D8 56 4F EF FF F6 80 40 10 00 05 05 3F F1 5? ?? ?? ?? 03 89 D6 4F EF FF F8 D8 D6 4F EF FF F7 41 38 A0 13 C6 17 C0 83 C7 A7 F0 42 C2 08 80 14 13 81 97 5E D8 D8 56 4F EF FF F5 08 D8 5D 4E DF FF F5 0E 8? ?? ?? ?? ?5 95 93 BC 37 43 E6 A2 C5 0E 8? ?? ?? ?? ?5 93 BC 35 97 43 04 08 BC 83 81 87 40 E8 03 93 B7 50 48 81 9E B0 14 13 81 97 5F 26 A0 A5 35 0E 8? ?? ?0 00 08 3C 40 C8 3F 80 27 41 D8 3F 80 37 41 88 3F 80 17 41 38 D4 5F C5 0E 89 8F EF FF F8 07 DF C0 65 91 BC 08 3C 00 35 BC 9C}
// vvv---- this sig hits on a legit CRT function it seems.
$getMajorMinorLinker = {568B7424086A00832600FF15???????06681384D5A75148B483C85C9740D03C18A481A880E8A401B8846015EC3}
$openServiceManager = {FF15???0?0?08B?885??74????????????????5?FF15???0?0?08B?????0?0?08BF?85F?74}
condition:
all of them
}
rule Malwareusedbycyberthreatactor2
{
strings:
$str1 = "_quit"
$str2 = "_exe"
$str3 = "_put"
$str4 = "_got"
$str5 = "_get"
$str6 ="_del"
$str7 = "_dir"
$str8 = { C7 44 24 18 1F F7}
condition:
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}
rule Malwareusedbycyberthreatactor3
{
strings:
$STR1 = { 50 68 80 00 00 00 68 FF FF 00 00 51 C7 44 24 1C 3a 8b 00 00 }
condition:
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}
import "pe"
rule DeltaCharlie
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
strings:
$rsaKey = {7B 4E 1E A7 E9 3F 36 4C DE F4 F0 99 C4 D9 B7 94
A1 FF F2 97 D3 91 13 9D C0 12 02 E4 4C BB 6C 77
48 EE 6F 4B 9B 53 60 98 45 A5 28 65 8A 0B F8 39
73 D7 1A 44 13 B3 6A BB 61 44 AF 31 47 E7 87 C2
AE 7A A7 2C 3A D9 5C 2E 42 1A A6 78 FE 2C AD ED
39 3F FA D0 AD 3D D9 C5 3D 28 EF 3D 67 B1 E0 68
3F 58 A0 19 27 CC 27 C9 E8 D8 1E 7E EE 91 DD 13
B3 47 EF 57 1A CA FF 9A 60 E0 64 08 AA E2 92 D0}
condition:
any of them
}
rule Derusbi_Server
{
meta:
Author = "Novetta"
Reference = "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf"
strings:
$uuid = "{93144EB0-8E3E-4591-B307-8EEBFE7DB28F}" wide ascii
$infectionID1 = "-%s-%03d"
$infectionID2 = "-%03d"
$other = "ZwLoadDriver"
condition:
$uuid or ($infectionID1 and $infectionID2 and $other)
}
// yara rules that can cross boundaries between the various sets/types... more general detection signatures
import "pe"
rule wiper_unique_strings
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
company = "novetta"
strings:
$a = "C!@I#%VJSIEOTQWPVz034vuA"
$b = "BAISEO%$2fas9vQsfvx%$"
$c = "1.2.7.f-hanba-win64-v1"
$d = "md %s&copy %s\\*.* %s"
$e = "%sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d \"%s\""
$f = "Ge.tVol. .umeIn..for mati.onW"
condition:
$a or $b or $c or $d or $e or $f
}
rule wiper_encoded_strings
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
company = "novetta"
strings:
$scr = {89 D4 C4 D5 00 00 00}
$explorer = {E2 DF D7 CB C8 D5 C2 D5 89 C2 DF C2 00 00 00 }
$kernel32 = {CC C2 D5 C9 C2 CB 94 95 89 C3 CB CB 00 00 }
condition:
$scr or $explorer or $kernel32
}
rule createP2P
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
strings:
$ = "CreatP2P Thread" wide
condition:
any of them
}
rule firewallOpener
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
strings:
$ = "%sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d \"%s\""
condition:
any of them
}
rule hidkit
{
meta:
Author = "Novetta"
Reference = "https://www.novetta.com/wp-content/uploads/2014/11/HiKit.pdf"
strings:
$a = "---HIDE"
$b = "hide---port = %d"
condition:
uint16(0)==0x5A4D and uint32(uint32(0x3c))==0x00004550 and $a and $b
}
rule hikit
{
meta:
Author = "Novetta"
Reference = "https://www.novetta.com/wp-content/uploads/2014/11/HiKit.pdf"
strings:
$hikit_pdb1 = /(H|h)ikit_/
$hikit_pdb2 = "hikit\\"
$hikit_str3 = "hikit>" wide
$driver = "w7fw.sys" wide
$device = "\\Device\\w7fw" wide
$global = "Global\\%s__HIDE__" wide nocase
$backdr = "backdoor closed" wide
$hidden = "*****Hidden:" wide
condition:
(1 of ($hikit_pdb1,$hikit_pdb2,$hikit_str3)) and ($driver or $device or $global or $backdr or $hidden)
}
rule hikit2
{
meta:
Author = "Novetta"
Reference = "https://www.novetta.com/wp-content/uploads/2014/11/HiKit.pdf"
strings:
$magic1 = {8C 24 24 43 2B 2B 22 13 13 13 00}
$magic2 = {8A 25 25 42 28 28 20 1C 1C 1C 15 15 15 0E 0E 0E 05 05 05 00}
condition:
$magic1 and $magic2
}
import "pe"
rule HotelAlfa
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "58dab205ecb1e0972027eb92f68cec6d208e5ab5.ex_"
strings:
$resourceHTML = "RSRC_HTML"
/*
8A 0C 18 mov cl, [eax+ebx]
80 F1 63 xor cl, 63h
88 0C 18 mov [eax+ebx], cl
8B 4D 00 mov ecx, [ebp+0]
40 inc eax
3B C1 cmp eax, ecx
72 EF jb short loc_4010B4
*/
$rscsDecoderLoop = {
8A [2]
80 F1 ??
88 [2]
8B [2]
40
3B ??
72 EF
}
condition:
$resourceHTML and $rscsDecoderLoop in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
rule IndiaAlfa_One
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
strings:
$ = "HwpFilePathCheck.dll"
$ = "AdobeArm.exe"
$ = "OpenDocument"
condition:
2 of them
}
rule IndiaAlfa_Two
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
strings:
$ = "ExePath: %s\nXlsPath: %s\nTmpPath: %s\n"
condition:
any of them
}
import "pe"
rule IndiaBravo_PapaAlfa
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
strings:
$ = "pmsconfig.msi" wide
$ = "scvrit001.bat"
condition:
all of them
}
rule IndiaBravo_RomeoCharlie
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "58ad28ac4fb911abb6a20382456c4ad6fe5c8ee5.ex_"
Status = "Signature is too loose to be useful."
strings:
/*
50 push eax ; argp
68 7E 66 04 80 push 8004667Eh ; cmd
8B 8D DC FE FF FF mov ecx, [ebp+skt]
51 push ecx ; s
FF 15 58 31 41 00 call ioctlsocket
83 F8 FF cmp eax, 0FFFFFFFFh
75 08 jnz short loc_4043F0
*/
$a = {
50
68 7E 66 04 80
8B 8D [4]
51
FF 15 [4]
83 F8 FF
75
}
$b1 = "xc123465-efff-87cc-37abcdef9"
$b2 = "[Check] - PORT ERROR..." wide
$b3 = "%sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d"
condition:
2 of ($b*) or
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
rule IndiaBravo_RomeoBravo
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "6e3db4da27f12eaba005217eba7cd9133bc258c97fe44605d12e20a556775009"
strings:
/*
E8 C3 FE FF FF call generate64ByteRandomNumber
68 C8 01 00 00 push 1C8h ; dwLength
68 D8 E8 40 00 push offset g_Config ; pvBuffer
A3 80 EA 40 00 mov dword ptr g_Config.qwIdentifier, eax
89 15 84 EA 40 00 mov dword ptr g_Config.qwIdentifier+4, edx
E8 F9 E9 FF FF call DNSCALCDecode
83 C4 08 add esp, 8
8D 4C 24 08 lea ecx, [esp+214h+var_20C]
6A 00 push 0
51 push ecx
68 C8 01 00 00 push 1C8h
68 D8 E8 40 00 push offset g_Config
56 push esi
FF 15 74 E7 40 00 call WriteFile_9
56 push esi
FF 15 6C E7 40 00 call CloseHandle_9
*/
$a = {
E8 [4]
68 [2] 00 00
68 [4]
A3 [4]
89 15 [4]
E8 [4]
83 C4 08
8D [3]
6A 00
5?
68 [2] 00 00
68 [4]
5?
FF 15 [4]
5?
FF 15
}
$b1 = "tmscompg.msi" wide
$b2 = "cvrit000.bat"
condition:
2 of ($b*) or
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
rule IndiaBravo_generic
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
strings:
$extractDll = "[2] - Extract Dll..." wide
$createSvc = "[3] - CreateSVC..." wide
condition:
all of them
}
rule IndiaCharlie_One
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
strings:
$ = "WMPNetworkSvcUpdate"
$ = "backSched.dll"
$ = "\\mspaint.exe"
$aesKey = "X,LLIe{))%%l2i<[AM|aq!Ql/lPlw]d7@C-#j.<c|#*}Kx4_H(q^F-F^p/[t#%HT"
condition:
2 of them or $aesKey
}
rule IndiaCharlie_Two
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
strings:
$s1 = "%s is an essential element in Windows System configuration and management. %s"
$s2 = "%SYSTEMROOT%\\system32\\svchost.exe -k "
$s3 = "%s\\system32\\%s"
$s4 = "\\mspaint.exe"
$s5 = ":R\nIF NOT EXIST %s GOTO E\ndel /a %s\nGOTO R\n:E\ndel /a d.bat"
$aesKey = "}[eLkQAeEae0t@h18g!)3x-RvE%+^`n.6^()?+00ME6a&F7vcV}`@.dj]&u$o*vX"
condition:
3 of ($s*) or $aesKey
}
import "pe"
rule IndiaDelta
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "d7b50b1546653bff68220996190446bdc7fc4e38373715b8848d1fb44fe3f53c"
strings:
/*
FF 15 DC 2D 41 00 call ReadFile_0
8B 44 24 20 mov eax, [esp+25Ch+offsetInFile]
8B 54 24 1C mov edx, [esp+25Ch+dwEmbedCnt]
35 78 56 34 12 xor eax, 12345678h
55 push ebp
55 push ebp
81 F2 78 56 34 12 xor edx, 12345678h
50 push eax
57 push edi
89 54 24 2C mov [esp+26Ch+dwEmbedCnt], edx
89 44 24 30 mov [esp+26Ch+offsetInFile], eax
FF 15 E0 2D 41 00 call SetFilePointer_0
*/
$a = {
FF 15 [4-12]
3? 78 56 34 12
[0-2]
8? ?? 78 56 34 12
[0-10]
FF 15
}
condition:
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
import "pe"
rule IndiaEcho
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "66a21f8c72bb4f314604526e9bf1736f75b06cf37dd3077eb292941b476c3235"
strings:
/*
69 C0 28 01 00 00 imul eax, 128h
50 push eax ; size_t
53 push ebx ; int
FF B5 AC FD FF FF push [ebp+configRecords]; void *
E8 6E 08 00 00 call _memset
8B 85 A4 FC FF FF mov eax, [ebp+var_35C.dwRecordCnt]
69 C0 28 01 00 00 imul eax, 128h
50 push eax ; size_t
8B 85 C4 FE FF FF mov eax, [ebp+hMem]
05 08 01 00 00 add eax, 108h
50 push eax ; void *
FF B5 AC FD FF FF push [ebp+configRecords]; void *
E8 0A 05 00 00 call _memcpy
83 C4 18 add esp, 18h
8B BD A4 FC FF FF mov edi, [ebp+var_35C.dwRecordCnt]
69 FF 28 01 00 00 imul edi, 128h
81 C7 08 01 00 00 add edi, 108h
*/
$a = {
69 ?? 28 01 00 00
5?
5?
FF B5 [4]
E8 [4]
8B [5]
69 ?? 28 01 00 00
50
8B [5]
(05 08 01 00 00 | 03 ??)
50
FF [5]
E8 [4]
83 C4 ??
8B [5]
69 ?? 28 01 00 00
(81 C7 08 01 00 00 | 03 ??)
}
condition:
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
import "pe"
rule IndiaGolf
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "3dda69dfb254dcaea2ba6e8323d4b61ab1e130a0694f4c43d336cfb86a760c50"
strings:
/*
FF D6 call esi ; rand
8B F8 mov edi, eax
C1 E7 10 shl edi, 10h
FF D6 call esi ; rand
03 F8 add edi, eax
89 7C 24 20 mov [esp+2A90h+var_2A70], edi
FF D6 call esi ; rand
8B F8 mov edi, eax
C1 E7 10 shl edi, 10h
FF D6 call esi ; rand
03 F8 add edi, eax
89 7C 24 24 mov [esp+2A90h+var_2A6C], edi
*/
$generateRandomID = {
FF ??
8B ??
C1 ?? 10
FF ??
03 F8
89 [3]
FF ??
8B ??
C1 ?? 10
FF ??
03 ??
89
}
condition:
$generateRandomID in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
import "pe"
rule IndiaHotel
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "8a4fc5007faf85e07710dca705108df9fd6252fe3d57dfade314120d72f6d83f"
strings:
/*
6A 0A push 0Ah ; int
8D 85 C4 E4 FF FF lea eax, [ebp+Source]
68 10 02 00 00 push 210h ; unsigned int
50 push eax ; void *
E8 FA 60 00 00 call ??_L@YGXPAXIHP6EX0@Z1@Z; `eh vector constructor iterator'(void *,uint,int,void (*)(void *),void (*)(void *))
*/
$fileExtractorArraySetup = {
6A 0A
8D [5-6]
68 10 02 00 00
50
E8
}
condition:
$fileExtractorArraySetup in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
import "pe"
rule IndiaJuliett
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source_writeFile = "a164c0ba0be7c33778c12a6457e9c55a2935564a"
strings:
$configFilename = {00 73 63 61 72 64 70 72 76 2E 64 6C 6C 00}
$suicideScript = ":R\nIF NOT EXIST %s GOTO E\ndel /a %s\nGOTO R\n:E\ndel /a d.bat"
$commKey = { 10 20 30 40 50 60 70 80 90 11 12 13 1A FF EE 48 }
/*
.text:10001850 push 7530h ; dwTimeout
.text:10001855 lea eax, [esp+420h+a2]
.text:10001859 push 4 ; len
.text:1000185B push eax ; a2
.text:1000185C push esi ; s
.text:1000185D mov dword ptr [esp+42Ch+a2], 1000h
.text:10001865 call CommSendWithTimeout
.text:1000186A add esp, 14h
.text:1000186D cmp eax, 0FFFFFFFFh
.text:10001870 jz loc_10001915
.text:10001876 lea ecx, [esp+418h+random]
.text:1000187A push ecx ; a1
.text:1000187B call Generate16ByteRandomBuffer
.text:10001880 push 0 ; fEncrypt
.text:10001882 push 7530h ; dwTimeout
*/
$handshake = { 68 30 75 00 00 [4] 6A 04 5? 5? C? [3] 00 10 00 00 E8 [7] 83 F8 FF 0F 84 ?? ?? 00 00 8? [3] 5? E8 [4] 6A 00 68 30 75 00 00 }
/*
68 00 28 00 00 push 2800h
56 push esi
E8 38 F7 FF FF call sub_401000
// optionally there is a "add esp, 8" in some variants here
8D 44 24 28 lea eax, [esp+270h+NumberOfBytesWritten]
6A 00 push 0 ; lpOverlapped
50 push eax ; lpNumberOfBytesWritten
68 00 28 00 00 push 2800h ; nNumberOfBytesToWrite
56 push esi ; lpBuffer
53 push ebx ; hFile
FF 15 6C 80 40 00 call ds:WriteFile
81 ED 00 28 00 00 sub ebp, 2800h
81 C7 00 28 00 00 add edi, 2800h
81 C6 00 28 00 00 add esi, 2800h
*/
$writeFile = {
68 00 28 00 00
5?
E8 [4-7]
8D [3]
6A 00
5?
68 00 28 00 00
5?
5?
FF 15 [4]
81 ?? 00 28 00 00
81 ?? 00 28 00 00
81 ?? 00 28 00 00
}
condition:
($configFilename in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size)) or
$suicideScript in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size)))
or
($handshake in ((pe.sections[pe.section_index(".rsrc")].raw_data_offset)..(pe.sections[pe.section_index(".rsrc")].raw_data_offset + pe.sections[pe.section_index(".rsrc")].raw_data_size)) and
$commKey in ((pe.sections[pe.section_index(".rsrc")].raw_data_offset)..(pe.sections[pe.section_index(".rsrc")].raw_data_offset + pe.sections[pe.section_index(".rsrc")].raw_data_size)))
or
$writeFile in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
import "pe"
rule IndiaWhiskey
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "0c729deec341267c5a9a2271f20266ac3b0775d70436c7770ddc20605088f3b4"
Description = "Winsec Installer"
strings:
/*
// Service installation code
FF 15 68 30 40 00 call ds:wsprintfA
83 C4 18 add esp, 18h
8D 85 FC FE FF FF lea eax, [ebp+var_104]
56 push esi
56 push esi
56 push esi
56 push esi
56 push esi
50 push eax
6A 01 push 1
// some variants have these two lines added
5E pop esi
56 push esi
6A 02 push 2
68 20 01 00 00 push 120h
68 FF 01 0F 00 push 0F01FFh
FF 75 0C push [ebp+arg_4]
FF 75 08 push [ebp+arg_0]
// some variants have the next line as a push {reg} or push {stack var}
53 push ebx
//or
FF 75 FC push [ebp+var_4]
FF 15 E4 49 40 00 call CreateServiceA
*/
$a = {
FF 15 [4]
83 C4 18
8D [5]
5?
5?
5?
5?
5?
5?
6A 01
[0-2]
6A 02
68 20 01 00 00
68 FF 01 0F 00
FF 75 ??
FF 75 ??
(5? | FF 75 ??)
FF 15
}
condition:
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
import "pe"
rule KiloAlfa
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
type = "Keylogger"
SourceForDnscalcVariant1 = "b855d05ef7ab6582864c9b35052a1073a6eb7d0c7e9d97f524ec062715d71321"
SourceForDnscalcVariant2 = "ddde628be8cd5db768b807510ae1319888e6c4550a5b9a0d54e17b9ec4aaa256"
strings:
/*
push <variable>
call GetAsyncKeyState
cmp ax, 8001h
jnz short loc_4021EE
push <variable> ; a1
call AddCharacterToKeyLogBuffer
add esp, 4
this block of code is used multiple times in sequence so i'm looking for 5 consecutive blocks
*/
$keyxlate = {
68 ?? 00 00 00 FF 15 [4] 66 ?? 01 80 75 ?? 6A ?? E8 [4] 83 C4 04
68 ?? 00 00 00 FF 15 [4] 66 ?? 01 80 75 ?? 6A ?? E8 [4] 83 C4 04
68 ?? 00 00 00 FF 15 [4] 66 ?? 01 80 75 ?? 6A ?? E8 [4] 83 C4 04
68 ?? 00 00 00 FF 15 [4] 66 ?? 01 80 75 ?? 6A ?? E8 [4] 83 C4 04
}
/*
6A 2A push 2Ah
C6 84 24 C4 00 00 00 D6 mov [esp+70Ch+var_648], 0D6h
C6 84 24 C5 00 00 00 E1 mov [esp+70Ch+var_647], 0E1h
C6 84 24 C6 00 00 00 BF mov [esp+70Ch+var_646], 0BFh
C6 84 24 C7 00 00 00 C8 mov [esp+70Ch+var_645], 0C8h
C6 84 24 C8 00 00 00 C3 mov [esp+70Ch+var_644], 0C3h
C6 84 24 C9 00 00 00 BD mov [esp+70Ch+var_643], 0BDh
88 9C 24 CA 00 00 00 mov [esp+70Ch+var_642], bl
FF 15 48 5B 40 00 call GetAsyncKeyState
66 3D 01 80 cmp ax, 8001h
75 20 jnz short loc_401696
8D 94 24 00 01 00 00 lea edx, [esp+708h+pszOutput]
8D 84 24 C0 00 00 00 lea eax, [esp+708h+var_648]
52 push edx ; pszOutput
6A 07 push 7 ; dwLength
50 push eax ; pszInput
E8 A3 F9 FF FF call DNSCALCDecode
50 push eax ; a1
E8 7D FB FF FF call AddEntryToKeylogDataBuffer
83 C4 10 add esp, 10h
*/
$keyxlateDnscalc1 = { 6A 2A C6 [6] D6 C6 [6] E1 C6 [6] BF C6 [6] C8 C6 [6] C3 C6 [6] BD 88 [6] FF 15 [4] 66 3D 01 80 75 ?? 8D [6] 8D [6] 5? 6A 07 5? E8 [4] 50 E8 [4] 83 C4 10 }
/*
6A 2A push 2Ah
C7 85 74 FF FF FF D6 E1 BF C8 mov dword ptr [ebp+var_8C], 0C8BFE1D6h
66 C7 85 78 FF FF FF C3 BD mov [ebp+var_88], 0BDC3h
88 9D 7A FF FF FF mov [ebp+var_86], bl
FF 15 04 47 41 00 call GetAsyncKeyState
BA 01 80 FF FF mov edx, 0FFFF8001h
66 3B C2 cmp ax, dx
75 1E jnz short loc_4018B0
8D 85 CC FE FF FF lea eax, [ebp+a3]
50 push eax ; a3
8D 8D 74 FF FF FF lea ecx, [ebp+var_8C]
6A 07 push 7 ; dwLength
51 push ecx ; a1
E8 89 F7 FF FF call DNSCalcDecode
50 push eax ; a1
E8 83 F9 FF FF call RecordStringToLog
83 C4 10 add esp, 10h
*/
$keyxlateDnscalc2 = { 6A 2A C7 [5] D6 E1 BF C8 66 [6] C3 BD 88 [5] FF 15 [4] BA 01 80 FF FF 66 3B C2 75 ?? 8D [5] 5? 8D [5] 6A 07 5? E8 [4] 50 E8 [4] 83 C4 10 }
condition:
$keyxlate in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
or $keyxlateDnscalc1 in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
or $keyxlateDnscalc2 in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
import "pe"
rule LimaAlfa
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "c9fbad7fc7ff7688776056be3a41714a1f91458a7b16c37c3c906d17daac2c8b"
Status = "Signature is too loose to be useful."
strings:
/*
33 C0 xor eax, eax
66 8B 02 mov ax, [edx]
8B E8 mov ebp, eax
81 E5 00 F0 FF FF and ebp, 0FFFFF000h
81 FD 00 30 00 00 cmp ebp, 3000h
75 0D jnz short loc_4019FB
8B 6C 24 18 mov ebp, [esp+10h+arg_4]
25 FF 0F 00 00 and eax, 0FFFh
03 C7 add eax, edi
01 28 add [eax], ebp
*/
$a = {
33 C0
66 [2]
8B ??
81 ?? 00 F0 FF FF
81 ?? 00 30 00 00
75 ??
8B [3]
25 FF 0F 00 00
03 C7
01
}
condition:
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
import "pe"
rule LimaBravo
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "Mwsagent.dll"
strings:
/*
83 C4 34 add esp, 34h
83 FD 0A cmp ebp, 0Ah
5D pop ebp
5B pop ebx
7E 12 jle short loc_1000106F
57 push edi ; Src
C6 07 4D mov byte ptr [edi], 4Dh
C6 47 01 5A mov byte ptr [edi+1], 5Ah
E8 97 01 00 00 call ManualImageLoad
*/
$a = {
83 ?? 34
83 ?? 0A
[0-2]
7E ??
5?
C6 ?? 4D
C6 [2] 5A
E8
}
condition:
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
import "pe"
rule LimaCharlie
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source_x86 = "6ee6ae79ee1502a11ece81e971a54f189a271be9ec700101a2bd7a21198b94c7"
Source_x64 = "90ace24eb132c776a6d5bb0451437db21e84601495a2165d75f520af637e71e8"
strings:
$misspelling = "Defualt Sleep = %d" wide
/*
FF 76 74 push dword ptr [esi+74h]
59 pop ecx
50 push eax
8F 86 48 01 00 00 pop dword ptr [esi+148h]
85 C0 test eax, eax
51 push ecx
8F 86 44 01 00 00 pop dword ptr [esi+144h]
75 3D jnz short loc_100035F3
F6 46 56 01 test byte ptr [esi+56h], 1
74 0A jz short loc_100035C6
*/
$x86 = {
FF ?? 74
5?
5?
8F ?? 48 01 00 00
85 C0
5?
8F ?? 44 01 00 00
75 ??
F6 [2] 01
74
}
/*
48 8B 4B 70 mov rcx, [rbx+70h]
48 89 8B 60 01 00 00 mov [rbx+160h], rcx
48 89 83 68 01 00 00 mov [rbx+168h], rax
48 85 C0 test rax, rax
75 35 jnz short loc_180002372
F6 43 56 01 test byte ptr [rbx+56h], 1
74 07 jz short loc_18000234A
*/
$x64 = {
48 [2] 70
48 [2] 60 01 00 00
48 [2] 68 01 00 00
48 85 C0
75 ??
F6 [2] 01
74
}
condition:
$x86 in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
or $x64 in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
or $misspelling
}
import "pe"
rule LimaDelta
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "81e6118a6d8bf8994ce93f940059217481bfd15f2757c48c589983a6af54cfcc"
strings:
/*
8B 69 FC mov ebp, [ecx-4]
83 C1 10 add ecx, 10h
81 F5 6D 3A 71 58 xor ebp, 58713A6Dh
89 2A mov [edx], ebp
33 ED xor ebp, ebp
66 8B 69 F0 mov bp, [ecx-10h]
89 6A 04 mov [edx+4], ebp
83 C2 08 add edx, 8
4F dec edi
75 E3 jnz short loc_4026CE
*/
$fileDecoder = {
8B ?? ??
83 ?? 10
81 ?? 6D 3A 71 58
89 ??
33 ??
66 ?? ?? F0
89 ?? 04
83 ?? 08
4?
75
}
/*
66 81 BC 24 A0 00 00 00 BB 01 cmp [esp+98h+arg_4], 1BBh
74 21 jz short loc_401BD7
FF 15 58 30 40 00 call ds:rand
99 cdq
B9 32 00 00 00 mov ecx, 32h
F7 F9 idiv ecx
8B DA mov ebx, edx
8D 54 24 5E lea edx, [esp+98h+var_3A]
53 push ebx ; dwSize
52 push edx ; pvBuffer
E8 3F FB FF FF call GenerateRandomBuffer
83 C4 08 add esp, 8
83 C3 46 add ebx, 46h
*/
$authenicateBufferGen = {
BB 01
74 ??
FF 15 [4]
99
B? 32 00 00 00
F7 ??
8B ??
8D [3]
5?
5?
E8 [4]
83 C4 08
83 ?? 46
}
condition:
$authenicateBufferGen in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
or $fileDecoder in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
rule PapaAlfa
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
strings:
$ = "pmsconfig.msi" wide
$ = "pmslog.msi" wide
$ = "%sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d"
$ = "CreatP2P Thread" wide
$ = "GreatP2P Thread" wide
condition:
3 of them
}
import "pe"
rule RomeoAlfa
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "fba0b8bdc1be44d100ac31b864830fcc9d056f1f5ab5486384e09bd088256dd0.file2.bin"
strings:
/*
68 C4 94 41 00 push offset a0_0_0_0 ; "0.0.0.0"
56 push esi ; wchar_t *
E8 1C B4 00 00 call _wcscpy
83 C6 28 add esi, 28h
83 C4 08 add esp, 8
81 FE E8 CD 41 00 cmp esi, offset unk_41CDE8
7C E7 jl short loc_4039DA
*/
$zeroIPLoader = {
68 [4]
56
E8 [4]
83 C6 28
83 C4 08
81 FE [4]
7C E?
}
// push esi
// mov esi, [esp+4+a1]
// test esi, esi
// jle short loc_403FEB
// push edi
// mov edi, ds:Sleep
// push 0EA60h ; dwMilliseconds
// call edi ; Sleep
// dec esi
// jnz short loc_403FE0
// pop edi
// pop esi
// retn
$sleeper = {
5?
8B [3]
85 ??
7E ??
5?
8B 3D [4]
68 [4]
FF ??
4?
75 ??
5?
5?
C3
}
$xercesc = "xercesc"
condition:
($sleeper in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
or $zeroIPLoader in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)))
and not $xercesc
}
import "pe"
rule RomeoBravo
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "95314a7af76ec36cfba1a02b67c2b81526a04e3b2f9b8fb9b383ffcbcc5a3d9b"
strings:
/*
E8 D9 FC FF FF call SendData
83 C4 10 add esp, 10h
85 C0 test eax, eax
74 0A jz short loc_10003FE8
B8 02 00 00 00 mov eax, 2
5E pop esi
83 C4 18 add esp, 18h
C3 retn
6A 78 push 78h ; dwTimeout
6A 01 push 1 ; fDecode
8D 54 24 18 lea edx, [esp+24h+recvData]
6A 0C push 0Ch ; dwLength
52 push edx ; pvBuffer
56 push esi ; skt
E8 57 FD FF FF call RecvData
83 C4 14 add esp, 14h
85 C0 test eax, eax
74 0A jz short loc_1000400A
B8 02 00 00 00 mov eax, 2
*/
$a = {
E8 [4]
83 C4 10
85 C0
74 ??
B? 02 00 00 00
5?
83 C4 18
C3
6A 78
6A 01
8D [3]
6A 0C
5?
5?
E8 [4]
83 C4 14
85 C0
74 ??
B8 02 00 00 00
}
condition:
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
import "pe"
rule RomeoCharlie
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "a82108ef7115931b3fbe1fab99448c4139e22feda27c1b1d29325710671154e8"
strings:
$auth1 = "Success - Accept Auth"
$auth2 = "Fail - Accept Auth"
/*
81 E3 FF FF 00 00 and ebx, 0FFFFh
8B EB mov ebp, ebx
57 push edi
C1 EE 10 shr esi, 10h
81 E5 FF FF 00 00 and ebp, 0FFFFh
8B FE mov edi, esi
8B C5 mov eax, ebp
81 E7 FF FF 00 00 and edi, 0FFFFh
C1 E0 10 shl eax, 10h
6A 00 push 0 ; _DWORD
0B C7 or eax, edi
6A 00 push 0 ; _DWORD
50 push eax ; _DWORD
68 10 14 11 71 push offset sub_71111410; _DWORD
6A 00 push 0 ; _DWORD
6A 00 push 0 ; _DWORD
FF 15 5C 8E 12 71 call CreateThread_0
C1 E7 10 shl edi, 10h
*/
$startupRelayThreads = {
81 ?? FF FF 00 00
8B ??
5?
C1 ?? 10
81 ?? FF FF 00 00
8B ??
8B ??
81 ?? FF FF 00 00
C1 ?? 10
6A 00
0B ??
6A 00
50
68 [4]
6A 00
6A 00
FF 15 [4]
C1 ?? 10
}
/*
source: 641808833ad34f2e5143001c8147d779dbfd2a80a80ce0cfc81474d422882adb
25 00 20 00 00 and eax, 2000h
3D 00 20 00 00 cmp eax, 2000h
0F 94 C1 setz cl
81 E2 80 00 00 00 and edx, 80h
33 C0 xor eax, eax
80 FA 80 cmp dl, 80h
0F 94 C0 setz al
03 C8 add ecx, eax
33 D2 xor edx, edx
83 F9 01 cmp ecx, 1
*/
$crypto = {
2? 00 20 00 00
3? 00 20 00 00
0F [2]
81 ?? 80 00 00 00
33 ??
80 ?? 80
0F [2]
03 ??
33 ??
83 ?? 01
}
condition:
all of ($auth*)
or $startupRelayThreads in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
or $crypto in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
import "pe"
rule RomeoDelta
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "1df2af99fb3b6e31067b06df07b96d0ed0632f85111541a416da9ceda709237c"
strings:
/*
E8 78 00 00 00 call GenerateRandomBuffer
33 C0 xor eax, eax
8A 4C 04 04 mov cl, [esp+eax+24h+buffer]
80 E9 22 sub cl, 22h
80 F1 AD xor cl, 0ADh
88 4C 04 04 mov [esp+eax+24h+buffer], cl
40 inc eax
83 F8 10 cmp eax, 10h
7C EC jl short loc_1000117A
6A 01 push 1 ; fEncode
8D 54 24 08 lea edx, [esp+28h+buffer]
6A 10 push 10h ; dwDataLength
52 push edx ; pvData
8B CB mov ecx, ebx ; this
E8 A2 00 00 00 call CSocket__Send
*/
$loginInit = { E8 [4] 33 C0 8A [3] 80 [2] 80 [2] 88 [3] 40 83 F8 10 7C ?? 6A 01 8D [3] 6A 10 5? 8B CB E8 }
condition:
$loginInit in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
import "pe"
rule RomeoEcho
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
strings:
$ = "%s %-20s %10lu %s"
$ = "_quit"
$ = "_exe"
$ = "_put"
$ = "_get"
condition:
all of them
}
import "pe"
rule RomeoFoxtrot
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "dropped.bin"
Source_relativeCalls = "635bebe95671336865f8a546f06bf67ab836ea35795581d8a473ef2cd5ff4a7f"
strings:
/*
C7 44 24 08 01 00 00 00 mov [esp+128h+argp], 1
8B 8C 24 30 01 00 00 mov ecx, dword ptr [esp+128h+wPort]
C7 44 24 04 00 00 20 03 mov dword ptr [esp+128h+optval], 3200000h
51 push ecx ; hostshort
89 44 24 1C mov dword ptr [esp+12Ch+name.sin_addr.S_un], eax
FF 15 8C 01 FF 7E call ds:htons
6A 06 push 6 ; protocol
6A 01 push 1 ; type
6A 02 push 2 ; af
66 89 44 24 22 mov [esp+134h+name.sin_port], ax
66 C7 44 24 20 02 00 mov [esp+134h+name.sin_family], 2
FF 15 84 01 FF 7E call ds:socket <--- this could be a relative call in some variants
83 F8 FF cmp eax, 0FFFFFFFFh
89 46 04 mov [esi+4], eax
0F 84 AD 00 00 00 jz loc_7EFE4C63
57 push edi
8B 3D 88 01 FF 7E mov edi, ds:setsockopt <---- this line is missing when relative calls are used
8D 54 24 08 lea edx, [esp+12Ch+optval]
6A 04 push 4 ; optlen
52 push edx ; optval
68 02 10 00 00 push 1002h ; optname
68 FF FF 00 00 push 0FFFFh ; level
50 push eax ; s
FF D7 call edi ; setsockopt <--- this could be a relative call in some variants
8B 4E 04 mov ecx, [esi+4]
8D 44 24 08 lea eax, [esp+12Ch+optval]
6A 04 push 4 ; optlen
50 push eax ; optval
68 01 10 00 00 push 1001h ; optname
68 FF FF 00 00 push 0FFFFh ; level
51 push ecx ; s
FF D7 call edi ; setsockopt <--- this could be a relative call in some variants
*/
//$connect = {C7 [3] 01 00 00 00 8B [6] C7 [3] 00 00 20 03 5? 89 [3] (FF 15 [4] | E8 [4]) 6A 06 6A 01 6A 02 66 [4] 66 [4] 02 00 (FF 15 [4] | E8 [4]) 83 F8 FF 89 [2] 0F 84 [4] [0-7] 8D [3] 6A 04 5? 68 02 10 00 00 68 FF FF 00 00 5? (FF D? | E8 [4]) 8B [2] 8D [3] 6A 04 5? 68 01 10 00 00 68 FF FF 00 00 5? (FF D? | E8 [4])}
$connect = {C7 [3] 01 00 00 00 8B [6] C7 [3] 00 00 20 03 5? 89 [3] FF 15 [4] 6A 06 6A 01 6A 02 66 [4] 66 [4] 02 00 FF 15 E8 [4] 83 F8 FF 89 [2] 0F 84 [4] [0-7] 8D [3] 6A 04 5? 68 02 10 00 00 68 FF FF 00 00 5? FF D? 8B [2] 8D [3] 6A 04 5? 68 01 10 00 00 68 FF FF 00 00 5? FF D?}
$challenge = "POST HTTP REQUEST?"
$response = "RESPONSE 200 OK!!!"
condition:
($challenge and $response) or
$connect in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
import "pe"
rule RomeoGolf
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "7322d6b9328a9c708518c99b03a4ed3aa6ba943d7b439f6b1925e6d52a1828fe"
strings:
/*
FF 15 70 80 01 10 call ds:GetTickCount
50 push eax ; unsigned int
E8 80 93 00 00 call _srand
83 C4 04 add esp, 4
E8 85 93 00 00 call _rand
C1 E0 10 shl eax, 10h
89 46 0C mov [esi+0Ch], eax
E8 7A 93 00 00 call _rand
01 46 0C add [esi+0Ch], eax
E8 72 93 00 00 call _rand
C1 E0 10 shl eax, 10h
89 46 08 mov [esi+8], eax
E8 67 93 00 00 call _rand
01 46 08 add [esi+8], eax
*/
$idGen = {FF 15 [4] 50 E8 [4] 83 C4 04 E8 [4] C1 ?? 10 89 [2] E8 [4] 01 [2] E8 [4] C1 ?? 10 89 [2] E8 [4] ?? ?? ?? }
condition:
$idGen in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
import "pe"
rule RomeoHotel
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source_64 = "440cb3f6dd07e2f9e3d3614fd23d3863ecfc08b463b0b327eedf08504f838c90"
Source_diskSpace = "1b1496f8f35d32a93c7f16ebff6e9b560a158cc6fce061491f91bc9f43ef5be4"
strings:
/*
E8 D3 C7 00 00 call rand
44 8B ED mov r13d, ebp
44 8B E0 mov r12d, eax
B8 1F 85 EB 51 mov eax, 51EB851Fh
48 8B FD mov rdi, rbp
41 F7 EC imul r12d
C1 FA 05 sar edx, 5
8B CA mov ecx, edx
C1 E9 1F shr ecx, 1Fh
03 D1 add edx, ecx
6B D2 64 imul edx, 64h
44 2B E2 sub r12d, edx
41 83 C4 3C add r12d, 3Ch
*/
$randBuff64 = {
E8 [4]
44 [2]
44 [2]
B? 1F 85 EB 51
48 [2]
41 [2]
C1 ?? 05
8B ??
C1 ?? 1F
03 ??
6B ?? 64
44 [2]
41 [2] 3C
}
/*
FF 15 40 70 01 10 call ds:GetDiskFreeSpaceExA
85 C0 test eax, eax
74 34 jz short loc_10005072
8B 84 24 20 01 00 00 mov eax, [esp+11Ch+arg_0]
6A 00 push 0
99 cdq
68 00 00 10 00 push 100000h
52 push edx
50 push eax
E8 4C 7C 00 00 call __allmul
*/
$diskSpace = {
FF 15 [4]
85 C0
74 ??
8B [6]
6A 00
99
68 00 00 10 00
5?
5?
E8
}
$winst = "winsta0\\default" wide // this limits the overlap with RomeoGolf
condition:
$randBuff64 in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
or ($diskSpace in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
and $winst)
}
// rules specific to the winsec malware families
import "pe"
rule RomeoWhiskey_Two
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "a8d88714f0bc643e76163d1b8972565e78a159292d45a8218d0ad0754c8f561d"
strings:
/*
FF 15 78 A2 00 10 call GetTickCount_9
66 8B C8 mov cx, ax
// the next op is a mov or a push/pop depending on the code version
53 push ebx
8F 45 F4 pop dword ptr [ebp-0Ch]
//or
89 5D F4 mov dword ptr [ebp+var_C], ebx
66 81 F1 40 1C xor cx, 1C40h
66 D1 E9 shr cx, 1
81 C1 E0 56 00 00 add ecx, 56E0h
0F B7 C9 movzx ecx, cx
0F B7 C0 movzx eax, ax
81 F1 30 32 00 00 xor ecx, 3230h
C1 E0 10 shl eax, 10h
0B C8 or ecx, eax
*/
$a = {
FF 15 [4]
66 8B C8
[3-4]
66 81 F1 40 1C
66 D1 E9
81 C1 E0 56 00 00
0F B7 C9
0F B7 C0
81 F1 30 32 00 00
C1 E0 10
0B C8
}
condition:
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
rule RomeoWhiskey_One
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "5d21e865d57e9798ac7c14a6ad09c4034d103f3ea993295dcdf8a208ea825ad7"
strings:
/*
FF 15 D8 5B 00 10 call GetTickCount_9
0F B7 C0 movzx eax, ax
8B C8 mov ecx, eax
// skipped: 6A 01 push 1 ; fDecode
C1 E9 34 shr ecx, 34h <--- this value could change
81 F1 C0 F3 00 00 xor ecx, 0F3C0h <--- this value could change
// skipped: 6A 04 push 4 ; dwLength
C1 E0 10 shl eax, 10h
0B C8 or ecx, eax
*/
$a = {
FF 15 [4]
0F B7 C0
8B C8
[2-4]
C1 E9 ??
81 F1 [2] 00 00
[0-2]
C1 E0 10
0B C8
}
condition:
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
// sigs for the various cross-family codes
import "pe"
rule Caracachs: sharedcode
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"
strings:
/*
B9 10 00 00 00 mov ecx, 10h ; ecx = 16
8B 06 mov eax, [esi] ; eax = lastValue
C1 EA 10 shr edx, 10h ; edx = val >> 16
81 E2 FF 7F 00 00 and edx, 7FFFh ; edx = (val >> 16) & 0x7FFF
03 C2 add eax, edx ; eax = ((val >> 16) & 0x7FFF) + lastValue
8B D0 mov edx, eax ; edx = ((val >> 16) & 0x7FFF) + lastValue
8B F8 mov edi, eax ; edi = ((val >> 16) & 0x7FFF) + lastValue
83 E2 0F and edx, 0Fh ; edx = (((val >> 16) & 0x7FFF) + lastValue) & 0xF
2B CA sub ecx, edx ; ecx = 16 - ((((val >> 16) & 0x7FFF) + lastValue)) & 0xF
D3 EF shr edi, cl ; edi = (((val >> 16) & 0x7FFF) + lastValue) >> ((16 - ((val >> 16) & 0x7FFF) + lastValue) & 0xF)
8B CA mov ecx, edx ; ecx = (((val >> 16) & 0x7FFF) + lastValue) & 0xF
D3 E0 shl eax, cl ; eax = (((val >> 16) & 0x7FFF) + lastValue) << ((((val >> 16) & 0x7FFF) + lastValue) & 0xF)
0B F8 or edi, eax ; edi = (((val >> 16) & 0x7FFF) + lastValue) >> ((16 - ((val >> 16) & 0x7FFF) + lastValue) & 0xF) | (((val >> 16) & 0x7FFF) + lastValue) << ((((val >> 16) & 0x7FFF) + lastValue) & 0xF)
89 3E mov [esi], edi ; pLastValue = (((val >> 16) & 0x7FFF) + lastValue) >> ((16 - ((val >> 16) & 0x7FFF) + lastValue) & 0xF) | (((val >> 16) & 0x7FFF) + lastValue) << ((((val >> 16) & 0x7FFF) + lastValue) & 0xF)
*/
$a = {
B? 10 00 00 00
8B ??
C1 ?? 10
81 ?? FF 7F 00 00
03 ??
8B ??
8B ??
83 ?? 0F
2B ??
D3 ??
8B ??
D3 ??
0B ??
89 ??
}
condition:
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
rule StringDotSimplified: sharedcode
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"
strings:
/*
F3 AB rep stosd
80 3A 00 cmp byte ptr [edx], 0
74 15 jz short loc_404170
8A 02 mov al, [edx]
3C 2E cmp al, 2Eh
74 07 jz short loc_404168
3C 20 cmp al, 20h
74 03 jz short loc_404168
88 06 mov [esi], al
46 inc esi
*/
$a = {
F3 AB
80 ?? 00
74 ??
8A 02
3C 2E
74 ??
3C 20
74 ??
88 06
46
}
condition:
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
rule FakeTLS_ServerHelloGetSelectedCipher: sharedcode
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"
strings:
/*
24 10 and al, 10h
0C 10 or al, 10h
89 07 mov [edi], eax
66 8B 44 24 14 mov ax, [esp+0Ch+wCipherSuiteID]
66 3D 00 C0 cmp ax, 0C000h
73 34 jnb short loc_4067C1
66 2D 35 00 sub ax, 35h
66 F7 D8 neg ax
1B C0 sbb eax, eax
24 80 and al, 80h
05 00 01 00 00 add eax, 100h
8B D8 mov ebx, eax
53 push ebx ; hostshort
*/
$a = {
24 10
0C 10
89 ??
66 8? [3]
66 3? 00 C0
73 ??
66 2? 35 00
66 F7 ??
1B ??
2? 80
0? 00 01 00 00
8B ??
5?
}
condition:
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
rule XORDecodeA7: sharedcode
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"
strings:
/*
8A 04 17 mov al, [edi+edx]
8B FB mov edi, ebx
34 A7 xor al, 0A7h
46 inc esi
88 02 mov [edx], al
83 C9 FF or ecx, 0FFFFFFFFh
33 C0 xor eax, eax
42 inc edx
F2 AE repne scasb
F7 D1 not ecx
49 dec ecx
3B F1 cmp esi, ecx
*/
$a = {
8A [2]
8B ??
34 A7
46
88 ??
83 ?? FF
33 ??
4?
F2 AE
F7 ??
4?
3B ??
}
condition:
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
rule DynamicAPILoading: sharedcode
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"
strings:
/*
83 C4 04 add esp, 4
50 push eax ; lpProcName
56 push esi ; hModule
FF 15 20 F0 40 00 call ds:GetProcAddress
68 A8 0C 41 00 push offset aLo_adlIbr_arYw; "Lo.adL ibr.ar yW"
A3 DC 3E 41 00 mov GetProcAddress_0, eax
E8 7D FF FF FF call CleanupString
83 C4 04 add esp, 4
50 push eax ; _DWORD
56 push esi ; _DWORD
FF 15 DC 3E 41 00 call GetProcAddress_0
68 94 0C 41 00 push offset aLoad_LibR_arYa; "Load. Lib r.ar yA"
A3 D4 3E 41 00 mov LoadLibraryW, eax
E8 63 FF FF FF call CleanupString
83 C4 04 add esp, 4
50 push eax ; _DWORD
56 push esi ; _DWORD
FF 15 DC 3E 41 00 call GetProcAddress_0
68 80 0C 41 00 push offset a_frE_eliBr_arY; ".Fr e.eLi br.ar y"
A3 D8 3E 41 00 mov LoadLibraryA_0, eax
E8 49 FF FF FF call CleanupString
*/
$a = {
83 C4 ??
5?
5?
FF 15 [4]
68 [4]
A3 [4]
E8 [4]
83 C4 ??
5?
5?
FF 15 [4]
68 [4]
A3 [4]
E8 [4]
83 C4 ??
5?
5?
FF 15 [4]
68 [4]
A3 [4]
E8
}
condition:
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
rule DNSCalcStyleEncodeAndDecode: sharedcode
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "975522bc3e07f7aa2c4a5457e6cc16c49a148b9f731134b8971983225835577e"
strings:
/*
8A 10 mov dl, [eax]
80 F2 73 xor dl, 73h <--- for decoding and encoding, this and
80 EA 3A sub dl, 3Ah <--- this could be reversed, but the sig holds since both are 0x80
88 10 mov [eax], dl
40 inc eax
49 dec ecx
75 F2 jnz short loc_1000403C
*/
$a = {
8A ??
80 ?? ??
80 ?? ??
88 ??
4?
4?
75 ??
}
condition:
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
rule GenerateTLSClientHelloPacket_Test: sharedcode
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"
strings:
/*
25 07 00 00 80 and eax, 80000007h
79 05 jns short loc_405EC8; um, nope.. this will always happen
48 dec eax
83 C8 F8 or eax, 0FFFFFFF8h
40 inc eax
*/
$a = {
25 07 00 00 80
79 ??
4?
83 ?? F8
4?
}
condition:
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
rule RC4SboxKeyGen: sharedcode
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "RT_RCDATA_101.bin.bin"
strings:
/*
8A 4C 04 08 mov cl, [esp+eax+108h+sbox]; cl = sbox[i]
8B D0 mov edx, eax
81 E2 0F 00 00 80 and edx, 8000000Fh ; i % 16
79 05 jns short loc_10003AC8; dl = key[i & 16]
4A dec edx
83 CA F0 or edx, 0FFFFFFF0h
42 inc edx
*/
$a = {
8A [3]
8B ??
81 ?? 0F 00 00 80
79 ??
4?
83 ?? F0
4?
}
condition:
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
rule RandomTimestampGenerator: sharedcode
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "RT_RCDATA_101.bin.bin joanap baseline sample"
strings:
/*
66 81 44 24 0C FE FF add [esp+1Ch+SystemTime.wYear], 0FFFEh
FF D6 call esi ; rand
99 cdq
B9 0C 00 00 00 mov ecx, 0Ch
F7 F9 idiv ecx
42 inc edx
66 89 54 24 0E mov [esp+1Ch+SystemTime.wMonth], dx
FF D6 call esi ; rand
99 cdq
B9 1C 00 00 00 mov ecx, 1Ch
F7 F9 idiv ecx
42 inc edx
66 89 54 24 12 mov [esp+1Ch+SystemTime.wDay], dx
FF D6 call esi ; rand
99 cdq
B9 17 00 00 00 mov ecx, 17h
F7 F9 idiv ecx
42 inc edx
66 89 54 24 14 mov [esp+1Ch+SystemTime.wHour], dx
FF D6 call esi ; rand
99 cdq
B9 3B 00 00 00 mov ecx, 3Bh
F7 F9 idiv ecx
42 inc edx
66 89 54 24 16 mov [esp+1Ch+SystemTime.wMinute], dx
FF D6 call esi ; rand
99 cdq
B9 3B 00 00 00 mov ecx, 3Bh
F7 F9 idiv ecx
*/
$a = {
66 81 [3] FE FF
FF [1-4]
99
B9 0C 00 00 00
F7 [1-4]
42
66 89 [3]
FF D6
99
B9 1C 00 00 00
F7 [1-4]
42
66 89 [3]
FF D6
99
B9 17 00 00 00
F7 [1-4]
42
66 89 [3]
FF D6
99
B9 3B 00 00 00
F7 [1-4]
42
66 89 [3]
FF D6
99
B9 3B 00 00 00
F7
}
condition:
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
rule CPUInfoExtraction
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "Cmd10010_296fcc9d611ca1b8f8288192d6d854cf4072853010cc65cb0c7f958626999fbd.bin"
strings:
/*
68 00 00 00 80 push 80000000h ; a2
8B 02 mov eax, [edx]
8B 4A 04 mov ecx, [edx+4]
89 4C 24 10 mov [esp+2Ch+var_1C], ecx
8B 4A 08 mov ecx, [edx+8]
89 4C 24 14 mov [esp+2Ch+var_18], ecx
8B 4A 0C mov ecx, [edx+0Ch]
8D 54 24 1C lea edx, [esp+2Ch+var_10]
89 8E 70 03 00 00 mov [esi+370h], ecx
52 push edx ; a1
8B CE mov ecx, esi
89 86 6C 03 00 00 mov [esi+36Ch], eax
E8 29 FF FF FF call GetCPUIDValues
8B C8 mov ecx, eax
8B 01 mov eax, [ecx]
3D 00 00 00 80 cmp eax, 80000000h
8B 51 04 mov edx, [ecx+4]
*/
$a = {
68 00 00 00 80
8B ??
8B ?? 04
89 [3]
8B ?? 08
89 [3]
8B ?? 0C
8D [3]
89 [5]
5?
8B ??
89 [5]
E8 [4]
8B ??
8B ??
3D 00 00 00 80
8B ?? 04
}
condition:
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
import "pe"
rule SierraAlfa
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "4d4b17ddbcf4ce397f76cf0a2e230c9d513b23065f746a5ee2de74f447be39b9.ex_"
strings:
/*
8D 54 24 08 lea edx, [esp+128h+argp]
52 push edx ; argp
68 7E 66 04 80 push 8004667Eh ; cmd
56 push esi ; s
E8 DB 51 00 00 call ioctlsocket
8D 44 24 14 lea eax, [esp+128h+name]
6A 10 push 10h ; namelen
50 push eax ; name
56 push esi ; s
E8 C8 51 00 00 call connect
8B 8C 24 34 01 00 00 mov ecx, [esp+128h+dwTimeout]
8D 54 24 0C lea edx, [esp+128h+timeout]
52 push edx ; timeout
8D 44 24 28 lea eax, [esp+12Ch+writefds]
6A 00 push 0 ; exceptfds
50 push eax ; writefds
6A 00 push 0 ; readfds
6A 00 push 0 ; nfds
89 74 24 3C mov [esp+13Ch+writefds.fd_array], esi
89 7C 24 38 mov [esp+13Ch+writefds.fd_count], edi
89 4C 24 20 mov [esp+13Ch+timeout.tv_sec], ecx
C7 44 24 24 00 00 00 00 mov [esp+13Ch+timeout.tv_usec], 0
E8 92 51 00 00 call select
33 C9 xor ecx, ecx
56 push esi ; s
85 C0 test eax, eax
0F 9F C1 setnle cl
8B F9 mov edi, ecx
E8 7D 51 00 00 call closesocket
*/
$connectTest = { 8D [3] 5? 68 7E 66 04 80 5? E8 [4] 8D [3] 6A 10 5? 5? E8 [4] 8B [6] 8D [3] 5? 8D [3] 6A 00 5? 6A 00 6A 00
89 [3] 89 [3] 89 [3] C7 [7] E8 [4] 33 ?? 5? 85 C0 0F 9F ?? 8B ?? E8 }
/*
E8 D8 62 00 00 call rand
8B F8 mov edi, eax
E8 D1 62 00 00 call rand
0F AF F8 imul edi, eax
E8 C9 62 00 00 call rand
0F AF C7 imul eax, edi
99 cdq
33 C2 xor eax, edx
2B C2 sub eax, edx
33 D2 xor edx, edx
F7 F6 div esi
8B FA mov edi, edx
57 push edi
E8 05 13 00 00 call sub_402BD0
*/
$maths = { E8 [4] 8B ?? E8 [4] 0F AF ?? E8 [4] 0F AF ?? 99 33 ?? 2B ?? 33 ?? F7 ?? 8B ?? 5? E8}
$s1 = "recdiscm32.exe"
$s2 = "\\\\%s\\shared$\\syswow64"
$s3 = "\\\\%s\\shared$\\system32"
condition:
$connectTest in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
or $maths in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
or 3 of ($s*)
}
// Brambul related signatures
import "pe"
rule SierraBravo_Two
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
strings:
/*
.text:00403D5A mov word ptr [esi+0Eh], 0C807h
.text:00403D60 mov dword ptr [esi+39h], 800000D4h
.text:00403D67 mov byte ptr [edi], 0Ch <---- ignored
.text:00403D6A mov word ptr [esi+25h], 0FFh
.text:00403D70 mov word ptr [esi+27h], 0A4h
.text:00403D76 mov word ptr [esi+29h], 4104h
.text:00403D7C mov word ptr [esi+2Bh], 32h
or
.text:100036F9 mov word ptr [ebx+0Eh], 0C807h
---- begin ignored -----
.text:100036FF rep movsd
.text:10003701 lea edi, [ebx+60h]
.text:10003704 mov ecx, 9
.text:10003709 mov esi, offset aWindows2000219 ; "windows 2000 2195"
---- end ignored -----
.text:1000370E mov dword ptr [ebx+39h], 800000D4h
.text:10003715 mov word ptr [ebx+25h], 0FFh
.text:1000371B mov word ptr [ebx+27h], 0A4h
.text:10003721 mov word ptr [ebx+29h], 4104h
.text:10003727 mov word ptr [ebx+2Bh], 32h
*/
$smbComNegotiationPacketGen = { 66 C7 ?? 0E 07 C8
[0-32]
C7 ?? 39 D4 00 00 80
[0-32]
66 C7 ?? 25 FF 00
[0-32]
66 C7 ?? 27 A4 00
[0-32]
66 C7 ?? 29 04 41
[0-32]
66 C7 ?? 2B 32 00
}
$lib = "!emCFgv7Xc8ItaVGN0bMf"
$api1 = "!ctRHFEX5m9JnZdDfpK"
$api2 = "!emCFgv7Xc8ItaVGN0bMf"
$api3 = "!VWBeBxYx1nzrCkBLGQO"
$pwd = "iamsorry!@1234567"
condition:
$smbComNegotiationPacketGen in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
or ($pwd in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size))
and
($lib in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size))
or $api1 in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size))
or $api2 in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size))
or $api3 in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size))
))
}
rule SierraBravo_One
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
strings:
/*
.text:00402A65 push 8004667Eh ; cmd
.text:00402A6A push esi ; s
.text:00402A6B call ioctlsocket
.text:00402A70 push 32h ; dwMilliseconds
.text:00402A72 mov [esp+24Ch+writefds.fd_array], esi
.text:00402A79 mov [esp+24Ch+writefds.fd_count], 1
.text:00402A84 mov [esp+24Ch+timeout.tv_sec], 3
.text:00402A8C mov [esp+24Ch+timeout.tv_usec], 0
*/
$spreaderSetup = {68 7E 66 04 80
5?
E8 [4]
6A 32
89 B4 [5]
C7 84 [5] 01 00 00 00
C7 44 [2] 03 00 00 00
C7 44 [2] 00 00 00 00 }
condition:
$spreaderSetup in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
rule SierraBravo_packed
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
strings:
$ = "cmd.exe /c \"net share admin$ /d\""
$ = "MAIL FROM:<"
$ = ".petite"
$ = "Subject: %s|%s|%s"
condition:
3 of them
}
import "pe"
rule SierraCharlie
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "f4750e1d82b08318bdc1eb6d3399dee52750250f7959a5e4f83245449f399698.bin"
strings:
/*
8B 0D 50 A7 56 00 mov ecx, DnsFree
81 F6 8C 3F 7C 5E xor esi, 5E7C3F8Ch
6A 01 push 1 ; _DWORD
50 push eax ; _DWORD
85 C9 test ecx, ecx
74 3A jz short loc_40580B
FF D1 call ecx ; DnsFree
*/
$dnsResolve = {
8B 0D 50 A7 56 00
81 F6 8C 3F 7C 5E
6A 01
50
85 C9
74 3A
FF D1
}
$file1 = "wmplog21t.sqm"
$file2 = "wmplog15r.sqm"
$file3 = "wmplog09c.sqm"
condition:
$dnsResolve in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
or 2 of ($file*)
}
import "pe"
rule SierraJuliettMikeOne
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
strings:
$commKey = { 10 20 30 40 50 60 70 80 90 11 12 13 1A FF EE 48 }
/*
.text:10001850 push 7530h ; dwTimeout
.text:10001855 lea eax, [esp+420h+a2]
.text:10001859 push 4 ; len
.text:1000185B push eax ; a2
.text:1000185C push esi ; s
.text:1000185D mov dword ptr [esp+42Ch+a2], 1000h
.text:10001865 call CommSendWithTimeout
.text:1000186A add esp, 14h
.text:1000186D cmp eax, 0FFFFFFFFh
.text:10001870 jz loc_10001915
.text:10001876 lea ecx, [esp+418h+random]
.text:1000187A push ecx ; a1
.text:1000187B call Generate16ByteRandomBuffer
.text:10001880 push 0 ; fEncrypt
.text:10001882 push 7530h ; dwTimeout
*/
$handshake = { 68 30 75 00 00 [4] 6A 04 5? 5? C? [3] 00 10 00 00 E8 [7] 83 F8 FF 0F 84 ?? ?? 00 00 8? [3] 5? E8 [4] 6A 00 68 30 75 00 00 }
condition:
$commKey in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size))
and $handshake in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
import "pe"
rule RomeoJuliettMikeTwo
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "819722ba1c5b9d0b360c54cbdd3811d0cac1a9230720b3ed4815f78bcacb3653_d1ba9ba2987f59d99ce4bf09393c0521c4d1f2961c5aeed4e0bf86e78303d27c"
strings:
/*
81 7C 24 24 33 27 00 00 cmp [esp+1Ch+dwBytesToRead], 2733h
75 7F jnz short loc_10002B74
8D 54 24 14 lea edx, [esp+1Ch+var_8]
52 push edx ; Time
FF 15 5C 11 02 10 call ds:time
8B 44 24 14 mov eax, [esp+20h+var_C]
83 C4 04 add esp, 4
8B C8 mov ecx, eax
40 inc eax
83 F9 64 cmp ecx, 64h
*/
$recvFunc = { 81 [3] 33 27 00 00 75 ?? 8D [3] 5? FF 15 [4] 8B [3] 83 ?? 04 8B ?? 4? 83 ?? 64 }
/*
E8 74 31 00 00 call GetStringByIndex
8B 7C 24 14 mov edi, [esp+0Ch+dwFuncIndex]
8B F0 mov esi, eax
57 push edi ; index
E8 68 31 00 00 call GetStringByIndex
83 C4 08 add esp, 8
85 F6 test esi, esi
74 21 jz short loc_10001040
85 C0 test eax, eax
74 1D jz short loc_10001040
56 push esi ; lpLibFileName
FF 15 2C 10 02 10 call ds:LoadLibraryA
57 push edi ; index
8B F0 mov esi, eax
E8 4E 31 00 00 call GetStringByIndex
83 C4 04 add esp, 4
50 push eax ; lpProcName
56 push esi ; hModule
FF 15 5C 10 02 10 call ds:GetProcAddress
*/
$apiLoader = { E8 [4] 8B [3] 8B ?? 5? E8 [4] 83 C4 08 85 ?? 74 ?? 85 C0 74 ?? 5? FF 15 [4] 5? 8B ?? E8 [4] 83 C4 04 5? 5? FF 15 }
/*
68 B8 0B 00 00 push 0BB8h ; dwMilliseconds
FF 15 18 10 02 10 call ds:Sleep
6A 01 push 1 ; dwTimeout
8D 4C 24 10 lea ecx, [esp+4C0h+peerEntries]
68 B0 04 00 00 push 4B0h ; dwBytesToRead
51 push ecx ; pvRecvBuffer
8B CE mov ecx, esi ; this
C7 44 24 14 B0 04 00 00 mov [esp+4C8h+Memory], 4B0h
E8 25 F4 FF FF call CClientConnection__RecvData
83 F8 FF cmp eax, 0FFFFFFFFh
*/
$recvPeers = { 68 B8 0B 00 00 FF 15 [4] 6A 01 [0-4] 68 B0 04 00 00 51 8B ?? [1-4] B0 04 00 00 E8 [4] 83 F8 FF }
$logFileName = "KBD_%%s_%%02d%%02d%%02d%%02d%%02d.CAT"
condition:
$recvFunc in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
or $apiLoader in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
or $recvPeers in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
or $logFileName
}
// yara sigs for detecting common suicide scripts
rule SuicideScriptL1
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
strings:
$ = ":L1\ndel \"%s\"\nif exist \"%s\" goto L1\ndel \"%s\"\n"
condition:
any of them
}
rule SuicideScriptR1_Multi
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
strings:
$ = "\" goto R1\ndel /a \""
$ = "\"\nif exist \""
$ = "@echo off\n:R1\ndel /a \""
condition:
all of them
}
rule SuicideScriptR
{
// joanap, joanapCleaner
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
strings:
$ = ":R\nIF NOT EXIST %s GOTO E\ndel /a %s\nGOTO R\n:E\ndel /a d.bat"
condition:
all of them
}
rule TangoAlfa
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
strings:
// $firewall is a shared code string
$firewall = "%sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d \"%s\""
$testStatus1 = "*****[Start Test -> %s:%d]" wide
$testStatus2 = "*****[Relay Connect " wide
$testStatus3 = "*****[Listen Port %d] - " wide
$testStatus4 = "*****[Error Socket]" wide
$testStatus5 = "*****[End Test]" wide
condition:
2 of them
}
import "pe"
rule TangoBravo
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "2aa9cd3a2db2bd9dbe5ee36d9a5fc42b50beca806f9d644f387d5a680a580896"
strings:
/*
50 push eax ; SubStr
55 push ebp ; Str
FF D3 call ebx ; strstr
83 C4 08 add esp, 8
85 C0 test eax, eax
75 1A jnz short loc_401131
8A 8E 08 01 00 00 mov cl, [esi+108h]
81 C6 08 01 00 00 add esi, 108h
47 inc edi
8B C6 mov eax, esi
84 C9 test cl, cl
75 E2 jnz short loc_40110C
*/
$targetDomainCheck = {
5?
5?
FF ??
83 C4 08
85 C0
75 ??
8? ?? 08 01 00 00
8? ?? 08 01 00 00
4?
8B ??
84 ??
75
}
condition:
$targetDomainCheck in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
import "pe"
rule UniformAlfa
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "a24377681cf56c712e544af01ac8a5dbaa81d16851a17a147bbf5132890d7437"
strings:
/*
8D 44 24 10 lea eax, [esp+2Ch+ServiceStatus]
50 push eax ; lpServiceStatus
6A 01 push 1 ; dwControl
56 push esi ; hService
FF D3 call ebx ; ControlService
83 7C 24 14 01 cmp [esp+2Ch+ServiceStatus.dwCurrentState], 1
75 EF jnz short loc_4010A5
56 push esi ; hService
FF 15 08 70 40 00 call ds:DeleteService
*/
$stopDeleteService = {
8D [3]
5?
6A 01
5?
FF D?
83 [3] 01
75 ??
5?
FF 15
}
condition:
$stopDeleteService in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
rule UniformJuliett
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "Cmd03000_1a6f62e1630d512c3b67bfdbff26270177585c82802ffa834b768ff47be0a008.bin"
strings:
/*
56 push esi ; hSCObject
FF D5 call ebp ; CloseServiceHandle
68 B8 0B 00 00 push 0BB8h ; dwMilliseconds
FF 15 38 70 40 00 call ds:Sleep
6A 00 push 0 ; fCreateHighestLevel
68 60 A9 40 00 push offset PathName ; lpPathName
E8 43 FE FF FF call RecursivelyCreateDirectories
83 C4 08 add esp, 8
68 60 A9 40 00 push offset PathName ; lpFileName
FF 15 3C 70 40 00 call ds:DeleteFileA
*/
$a = {
56
FF D5
68 B8 0B 00 00
FF 15 [4]
6A 00
68 [4]
E8 [4]
83 C4 08
68 [4]
FF 15
}
$ = "wauserv.dll"
$ = "Rpcss"
condition:
all of them
}
import "pe"
rule WhiskeyAlfa
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "1c66e67a8531e3ff1c64ae57e6edfde7bef2352d.ex_"
strings:
/*
E8 77 07 00 00 call _rand
B1 FB mov cl, 0FBh
F6 E9 imul cl
88 44 34 08 mov [esp+esi+10008h+randomData], al
46 inc esi
81 FE 00 00 01 00 cmp esi, 10000h
7C EA jl short loc_402E8D
*/
$randomBuffer = {
E8 [4]
B1 ??
F6 E9
88 [3]
4?
81 ?? 00 00 01 00
7C
}
/*
89 58 09 mov [eax+9], ebx
C7 40 65 00 00 02 00 mov dword ptr [eax+65h], 20000h
C7 40 15 04 00 00 00 mov dword ptr [eax+15h], 4
C6 40 08 08 mov byte ptr [eax+8], 8
C7 40 04 00 02 00 00 mov dword ptr [eax+4], 200h
89 18 mov [eax], ebx
89 58 0D mov [eax+0Dh], ebx
C7 40 11 01 00 00 00 mov dword ptr [eax+11h], 1
89 58 69 mov [eax+69h], ebx
89 58 19 mov [eax+19h], ebx
B8 01 00 00 00 mov eax, 1
*/
$mbrDiskInfo = {
89 ?? 09
C7 ?? 65 00 00 02 00
C7 ?? 15 04 00 00 00
C6 ?? 08 08
C7 ?? 04 00 02 00 00
89 ??
89 ?? 0D
C7 ?? 11 01 00 00 00
89 ?? 69
89 ?? 19
B8 01 00 00 00
}
// the replacement MBRs in both encoded (XOR 0x53) and decoded form
$mbrReplacement_Decoded = { B4 43 B0 00 CD 13 FE C2 80 FA 84 7C F3 B2 80 BF 65 7C 81 05 00 04 83 55 02 00 83 55 04 00 }
$mbrReplacement_Encoded = { E7 10 E3 53 9E 40 AD 91 D3 A9 D7 2F A0 E1 D3 EC 36 2F D2 56 53 57 D0 06 51 53 D0 06 57 53 }
$licKey = "99E2428CCA4309C68AAF8C616EF3306582A64513E55C786A864BC83DAFE0C78585B692047273B0E55275102C664C5217E76B8E67F35FCE385E4328EE1AD139EA6AA26345C4F93000DBBC7EF1579D4F"
condition:
$licKey or $mbrReplacement_Decoded or $mbrReplacement_Encoded
or $randomBuffer in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
or $mbrDiskInfo in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
import "pe"
rule WhiskeyBravo
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "74eac0461c40316689ac2d598f606caa3965195b22f23d5acefeedfcdf056c5b"
Source = "41badf10ef6f469dd1c3be201aba809f9c42f86ad77d7f83bc3895bfa289c635"
Source = "d079a266ed2a852c33cdac3df115d163ebbf2c8dae32d935e895cf8193163b13"
strings:
/*
6A 04 push 4 ; MaxCount <--- this arg is not found in some variants (41bad..) as wcscmp is used instead
68 08 82 00 10 push offset Str2 ; ".doc"
56 push esi ; Str1
FF D7 call edi ; _wcsnicmp <--- d07... variant uses a direct call instead
83 C4 0C add esp, 0Ch <--- when wcscmp is used, this is add esp, 8
85 C0 test eax, eax
0F 84 5B 02 00 00 jz loc_100017D5
6A 05 push 5 ; MaxCount
68 FC 81 00 10 push offset a_docx ; ".docx"
56 push esi ; Str1
FF D7 call edi ; _wcsnicmp
83 C4 0C add esp, 0Ch
85 C0 test eax, eax
0F 84 46 02 00 00 jz loc_100017D5
6A 04 push 4 ; MaxCount
68 F0 81 00 10 push offset a_docm ; ".docm"
56 push esi ; Str1
FF D7 call edi ; _wcsnicmp
83 C4 0C add esp, 0Ch
85 C0 test eax, eax
0F 84 31 02 00 00 jz loc_100017D5
6A 04 push 4 ; MaxCount
68 E4 81 00 10 push offset a_wpd ; ".wpd"
56 push esi ; Str1
FF D7 call edi ; _wcsnicmp
*/
$a = {68 [4] 5? FF D? 83 C4 0C 85 C0 0F 84 [4] [0-2] 68 [4] 5? FF D? 83 C4 0C 85 C0 0F 84 [4] [0-2] 68 [4] 5? FF D? 83 C4 0C 85 C0 0F 84 }
$ext1 = ".wpd" wide nocase
$ext2 = ".doc" wide nocase
$ext3 = ".hwp" wide nocase
condition:
2 of ($ext*) and $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
import "pe"
rule WhiskeyCharlie
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "47ff4f73738acc2f8433dccb2caf980d7444d723ccf2968d69f88f8f96405f96"
strings:
/*
66 89 55 DC mov [ebp+SystemTime.wYear], dx
E8 1E 16 00 00 call _rand
6A 0C push 0Ch
99 cdq
59 pop ecx
F7 F9 idiv ecx
42 inc edx
66 89 55 DE mov [ebp+SystemTime.wMonth], dx
E8 0E 16 00 00 call _rand
6A 1C push 1Ch
99 cdq
59 pop ecx
F7 F9 idiv ecx
42 inc edx
66 89 55 E2 mov [ebp+SystemTime.wDay], dx
E8 FE 15 00 00 call _rand
6A 18 push 18h
99 cdq
59 pop ecx
F7 F9 idiv ecx
66 89 55 E4 mov [ebp+SystemTime.wHour], dx
E8 EF 15 00 00 call _rand
6A 3C push 3Ch
99 cdq
59 pop ecx
F7 F9 idiv ecx
66 89 55 E6 mov [ebp+SystemTime.wMinute], dx
E8 E0 15 00 00 call _rand
6A 3C push 3Ch
99 cdq
59 pop ecx
F7 F9 idiv ecx
*/
$a = {
66 89 55 DC
E8 [4]
6A 0C
99
59
F7 F9
42
66 89 55 DE
E8 [4]
6A 1C
99
59
F7 F9
42
66 89 55 E2
E8 [4]
6A 18
99
59
F7 F9
66 89 55 E4
E8 [4]
6A 3C
99
59
F7 F9
66 89 55 E6
E8 [4]
6A 3C
99
59
F7 F9
}
condition:
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
import "pe"
rule WhiskeyDelta
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group trig@novetta.com"
Source = "41badf10ef6f469dd1c3be201aba809f9c42f86ad77d7f83bc3895bfa289c635"
strings:
/*
F3 A5 rep movsd
8B 7C 24 30 mov edi, [esp+28h+arg_4]
85 FF test edi, edi
7E 3A jle short loc_402018
8B 74 24 2C mov esi, [esp+28h+arg_0]
8A 44 24 08 mov al, [esp+28h+var_20]
53 push ebx
8A 4C 24 21 mov cl, [esp+2Ch+var_B]
8A 5C 24 2B mov bl, [esp+2Ch+var_1]
32 C1 xor al, cl
8A 0C 32 mov cl, [edx+esi]
32 C3 xor al, bl
32 C8 xor cl, al
88 0C 32 mov [edx+esi], cl
B9 1E 00 00 00 mov ecx, 1Eh
8A 5C 0C 0C mov bl, [esp+ecx+2Ch+var_20]
88 5C 0C 0D mov [esp+ecx+2Ch+var_1F], bl
49 dec ecx
83 F9 FF cmp ecx, 0FFFFFFFFh
7F F2 jg short loc_402000
42 inc edx
*/
$decryption = {
F3 A5
8B 7C 24 30
85 FF
7E ??
8B 74 24 2C
8A 44 24 08
53
8A 4C 24 21
8A 5C 24 2B
32 C1
8A 0C 32
32 C3
32 C8
88 0C 32
B9 1E 00 00 00
8A 5C 0C 0C
88 5C 0C 0D
49
83 F9 FF
7F ??
42
}
$s1 = "=====IsFile=====" wide
$s2 = "=====4M=====" wide
$s3 = "=====IsBackup=====" wide
condition:
2 of ($s*)
or $decryption in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
rule zox
{
meta:
Author = "Novetta"
Reference = "https://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf"
strings:
$url ="png&w=800&h=600&ei=CnJcUcSBL4rFkQX444HYCw&zoom=1&ved=1t:3588,r:1,s:0,i:92&iact=rc&dur=368&page=1&tbnh=184&tbnw=259&start=0&ndsp=20&tx=114&ty=58"
condition:
$url
}