// Inception: Windows DLL component.
// One plain-text marker ($a) plus four raw byte patterns ($b-$e). The
// condition is "any of them", so a single hit on the short text string $a
// is enough to fire the rule on its own.
rule InceptionDLL
{
meta:
author = "Blue Coat Systems, Inc"
info = "Used by unknown APT actors: Inception"
reference = "https://www.bluecoat.com/documents/download/638d602b-70f4-4644-aaad-b80e1426aad4/d5c87163-e068-440f-b89e-e40b2f8d2088"
strings:
// Case-sensitive, ASCII-only text match (no modifiers given).
$a = "dll.polymorphed.dll"
// $b-$e are hex byte sequences; the "??" cells are single-byte wildcards
// for bytes that vary between samples. They look like x86 code fragments
// ($e opens with 55 8B EC, the usual push ebp / mov ebp,esp prologue, and
// the wildcards follow FF 15 / E8 call opcodes) - confirm against the
// referenced report before relying on that reading.
$b = {83 7d 08 00 0f 84 cf 00 00 00 83 7d 0c 00 0f 84
c5 00 00 00 83 7d 10 00 0f 84 bb 00 00 00 83 7d 14 08
0f 82 b1 00 00 00 c7 45 fc 00 00 00 00 8b 45 10 89 45
dc 68 00 00}
$c = {FF 15 ?? ?? ?? ?? 8B 4D 08 8B 11 C7 42 14 00 00
00 00 8B 45 08 8B 08 8B 55 14 89 51 18 8B 45 08 8B 08
8B 55 0C 89 51 1C 8B 45 08 8B 08 8B 55 10 89 51 20 8B
45 08 8B 08}
$d = {68 10 27 00 00 FF 15 ?? ?? ?? ?? 83 7D CC 0A 0F
8D 47 01 00 00 83 7D D0 00 0F 85 3D 01 00 00 6A 20 6A
00 8D 4D D4 51 E8 ?? ?? ?? ?? 83 C4 0C 8B 55 08 89 55
E8 C7 45 D8}
$e = {55 8B EC 8B 45 08 8B 88 AC 23 03 00 51 8B 55 0C
52 8B 45 0C 8B 48 04 FF D1 83 C4 08 8B 55 08 8B 82 14
BB 03 00 50 8B 4D 0C 51 8B 55 0C 8B 42 04}
condition:
// Any one of $a-$e matching anywhere in the scanned data is sufficient;
// there is no file-type gate (e.g. an MZ header check), so the rule also
// applies to memory dumps and non-PE containers that carry these bytes.
any of them
}
// Inception: Android component.
// Three plain-text markers that must all be present. The strings are
// matched case-sensitively and ASCII-only (no "nocase"/"wide" modifiers).
rule InceptionAndroid {
meta:
author = "Blue Coat Systems, Inc"
info = "Used by unknown APT actors: Inception"
reference = "https://www.bluecoat.com/documents/download/638d602b-70f4-4644-aaad-b80e1426aad4/d5c87163-e068-440f-b89e-e40b2f8d2088"
strings:
$a1 = "BLOGS AVAILABLE="
$a2 = "blog-index"
// Kept verbatim, including the missing apostrophe in "Cant"; "dex"
// presumably refers to Android Dalvik executables - not confirmed here.
$a3 = "Cant create dex="
condition:
// Requires every string above, which keeps the short generic marker
// "blog-index" from firing on its own.
all of them
}
// Inception: BlackBerry component.
// Two independent string families: $a* (four strings) and $b* (two
// strings). Either family matching in full is enough to fire the rule.
rule InceptionBlackberry {
meta:
author = "Blue Coat Systems, Inc"
info = "Used by unknown APT actors: Inception"
reference = "https://www.bluecoat.com/documents/download/638d602b-70f4-4644-aaad-b80e1426aad4/d5c87163-e068-440f-b89e-e40b2f8d2088"
strings:
// Family $a*: all four must match together (see condition).
$a1 = "POSTALCODE:"
$a2 = "SecurityCategory:"
$a3 = "amount of free flash:"
$a4 = "$071|'1'|:"
// Family $b*: both must match together (see condition).
$b1 = "God_Save_The_Queen"
$b2 = "UrlBlog"
condition:
// Note the two families are not mixed: e.g. $a1 plus $b1 alone does not match.
all of ($a*) or all of ($b*)
}
// Inception: iOS component.
// Anchored on one build-path fragment ($a1) combined with at least one of
// three secondary markers ($b1-$b3). All strings are case-sensitive ASCII.
rule InceptionIOS {
meta:
author = "Blue Coat Systems, Inc"
info = "Used by unknown APT actors: Inception"
reference = "https://www.bluecoat.com/documents/download/638d602b-70f4-4644-aaad-b80e1426aad4/d5c87163-e068-440f-b89e-e40b2f8d2088"
strings:
// Mandatory anchor; looks like a developer build path left in the binary.
$a1 = "Developer/iOS/JohnClerk/"
// Secondary markers: only one of these is required.
$b1 = "SkypeUpdate"
$b2 = "/Syscat/"
$b3 = "WhatsAppUpdate"
condition:
// $a1 is required; any single $b* string completes the match.
$a1 and any of ($b*)
}
// Inception: MIPS component.
// Three text markers that must all be present. Each carries "ascii wide",
// so both the plain ASCII and the UTF-16LE (two bytes per character)
// encodings of the string are matched.
rule InceptionMips {
meta:
author = "Blue Coat Systems, Inc"
info = "Used by unknown APT actors: Inception"
reference = "https://www.bluecoat.com/documents/download/638d602b-70f4-4644-aaad-b80e1426aad4/d5c87163-e068-440f-b89e-e40b2f8d2088"
strings:
// Case-sensitive in both encodings (no "nocase").
$a = "start_sockat" ascii wide
$b = "start_sockss" ascii wide
// "13CStatusServer" looks like a length-prefixed mangled symbol name
// (13 characters: "CStatusServer") - presumed, not confirmed from this file.
$c = "13CStatusServer" ascii wide
condition:
// All three strings are required, in any encoding combination.
all of them
}
// Inception: RTF document component.
// Three text markers that must all be present. $a is only six bytes and
// would be noisy alone; requiring $b and $c as well keeps it specific.
rule InceptionRTF {
meta:
author = "Blue Coat Systems, Inc"
info = "Used by unknown APT actors: Inception"
reference = "https://www.bluecoat.com/documents/download/638d602b-70f4-4644-aaad-b80e1426aad4/d5c87163-e068-440f-b89e-e40b2f8d2088"
strings:
$a = "))PT@T"
// \" is a YARA escape: the matched bytes contain a literal double quote
// directly after "XMLVERSION ".
$b = "XMLVERSION \"3.1.11.5604.5606"
// \\ is a YARA escape for one backslash: the matched bytes are
// objclass Word.Document.12}\objw9355 (single backslash, as in RTF source).
$c = "objclass Word.Document.12}\\objw9355"
condition:
// All three markers are required.
all of them
}
// Inception: VBScript component.
// Two source-code fragments that must both be present. Matching is
// case-sensitive and whitespace-exact (no "nocase"), so a script that
// differs only in spacing or capitalisation of these lines will not match.
rule InceptionVBS {
meta:
author = "Blue Coat Systems, Inc"
info = "Used by unknown APT actors: Inception"
reference = "https://www.bluecoat.com/documents/download/638d602b-70f4-4644-aaad-b80e1426aad4/d5c87163-e068-440f-b89e-e40b2f8d2088"
strings:
// Call to a script-defined Crypt routine; the exact spacing around "=" and
// "," is part of the signature.
$a = "c = Crypt(c,k)"
// Path construction from an expanded environment variable; the space after
// "BuildPath(" is part of the signature.
$b = "fso.BuildPath( WshShell.ExpandEnvironmentStrings(a), nn)"
condition:
// Both fragments are required.
all of them
}