109 lines
4.4 KiB
Text
109 lines
4.4 KiB
Text
|
// Operation Potao yara rules
|
||
|
// For feedback or questions contact us at: github@eset.com
|
||
|
// https://github.com/eset/malware-ioc/
|
||
|
//
|
||
|
// These yara rules are provided to the community under the two-clause BSD
|
||
|
// license as follows:
|
||
|
//
|
||
|
// Copyright (c) 2015, ESET
|
||
|
// All rights reserved.
|
||
|
//
|
||
|
// Redistribution and use in source and binary forms, with or without
|
||
|
// modification, are permitted provided that the following conditions are met:
|
||
|
//
|
||
|
// 1. Redistributions of source code must retain the above copyright notice, this
|
||
|
// list of conditions and the following disclaimer.
|
||
|
//
|
||
|
// 2. Redistributions in binary form must reproduce the above copyright notice,
|
||
|
// this list of conditions and the following disclaimer in the documentation
|
||
|
// and/or other materials provided with the distribution.
|
||
|
//
|
||
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||
|
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||
|
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||
|
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
|
||
|
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||
|
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||
|
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
||
|
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
||
|
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||
|
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||
|
//
|
||
|
private rule PotaoDecoy
|
||
|
{
|
||
|
strings:
|
||
|
$mz = { 4d 5a }
|
||
|
$str1 = "eroqw11"
|
||
|
$str2 = "2sfsdf"
|
||
|
$str3 = "RtlDecompressBuffer"
|
||
|
$wiki_str = "spanned more than 100 years and ruined three consecutive" wide
|
||
|
|
||
|
$old_ver1 = {53 68 65 6C 6C 33 32 2E 64 6C 6C 00 64 61 66 73 72 00 00 00 64 61 66 73 72 00 00 00 64 6F 63 (00 | 78)}
|
||
|
$old_ver2 = {6F 70 65 6E 00 00 00 00 64 6F 63 00 64 61 66 73 72 00 00 00 53 68 65 6C 6C 33 32 2E 64 6C 6C 00}
|
||
|
condition:
|
||
|
($mz at 0) and ( (all of ($str*)) or any of ($old_ver*) or $wiki_str )
|
||
|
}
|
||
|
private rule PotaoDll
|
||
|
{
|
||
|
strings:
|
||
|
$mz = { 4d 5a }
|
||
|
|
||
|
$dllstr1 = "?AVCncBuffer@@"
|
||
|
$dllstr2 = "?AVCncRequest@@"
|
||
|
$dllstr3 = "Petrozavodskaya, 11, 9"
|
||
|
$dllstr4 = "_Scan@0"
|
||
|
$dllstr5 = "\x00/sync/document/"
|
||
|
$dllstr6 = "\\temp.temp"
|
||
|
|
||
|
$dllname1 = "node69MainModule.dll"
|
||
|
$dllname2 = "node69-main.dll"
|
||
|
$dllname3 = "node69MainModuleD.dll"
|
||
|
$dllname4 = "task-diskscanner.dll"
|
||
|
$dllname5 = "\x00Screen.dll"
|
||
|
$dllname6 = "Poker2.dll"
|
||
|
$dllname7 = "PasswordStealer.dll"
|
||
|
$dllname8 = "KeyLog2Runner.dll"
|
||
|
$dllname9 = "GetAllSystemInfo.dll"
|
||
|
$dllname10 = "FilePathStealer.dll"
|
||
|
condition:
|
||
|
($mz at 0) and (any of ($dllstr*) and any of ($dllname*))
|
||
|
}
|
||
|
private rule PotaoUSB
|
||
|
{
|
||
|
strings:
|
||
|
$mz = { 4d 5a }
|
||
|
|
||
|
$binary1 = { 33 C0 8B C8 83 E1 03 BA ?? ?? ?? 00 2B D1 8A 0A 32 88 ?? ?? ?? 00 2A C8 FE C9 88 88 ?? ?? ?? 00 40 3D ?? ?? 00 00 7C DA C3 }
|
||
|
$binary2 = { 55 8B EC 51 56 C7 45 FC 00 00 00 00 EB 09 8B 45 FC 83 C0 01 89 45 FC 81 7D FC ?? ?? 00 00 7D 3D 8B 4D FC 0F BE 89 ?? ?? ?? 00 8B 45 FC 33 D2 BE 04 00 00 00 F7 F6 B8 03 00 00 00 2B C2 0F BE 90 ?? ?? ?? 00 33 CA 2B 4D FC 83 E9 01 81 E1 FF 00 00 00 8B 45 FC 88 88 ?? ?? ?? 00 EB B1 5E 8B E5 5D C3}
|
||
|
condition:
|
||
|
($mz at 0) and any of ($binary*)
|
||
|
}
|
||
|
private rule PotaoSecondStage
|
||
|
{
|
||
|
strings:
|
||
|
$mz = { 4d 5a }
|
||
|
// hash of CryptBinaryToStringA and CryptStringToBinaryA
|
||
|
$binary1 = {51 7A BB 85 [10-180] E8 47 D2 A8}
|
||
|
// old hash of CryptBinaryToStringA and CryptStringToBinaryA
|
||
|
$binary2 = {5F 21 63 DD [10-30] EC FD 33 02}
|
||
|
$binary3 = {CA 77 67 57 [10-30] BA 08 20 7A}
|
||
|
|
||
|
$str1 = "?AVCrypt32Import@@"
|
||
|
$str2 = "%.5llx"
|
||
|
condition:
|
||
|
($mz at 0) and any of ($binary*) and any of ($str*)
|
||
|
}
|
||
|
rule Potao
|
||
|
{
|
||
|
meta:
|
||
|
Author = "Anton Cherepanov"
|
||
|
Date = "2015/07/29"
|
||
|
Description = "Operation Potao"
|
||
|
Reference = "http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf"
|
||
|
Source = "https://github.com/eset/malware-ioc/"
|
||
|
Contact = "threatintel@eset.com"
|
||
|
License = "BSD 2-Clause"
|
||
|
condition:
|
||
|
PotaoDecoy or PotaoDll or PotaoUSB or PotaoSecondStage
|
||
|
}
|