Sneed-Reactivity/yara-mikesxrs/secureworks/Secureworks_index.yara

70 lines
2.5 KiB
Text
Raw Normal View History

rule Mirage_APT_Backdoor : APT Mirage Backdoor Rat MirageRat
{
meta:
author = "Silas Cutler (SCutler@SecureWorks.com)"
version = "1.0"
description = "Malware related to APT campaign"
type = "APT Trojan / RAT / Backdoor"
reference = "https://www.secureworks.com/research/the-mirage-campaign"
strings:
$a1 = "welcome to the desert of the real"
$a2 = "Mirage"
$b = "Encoding: gzip"
$c = /\/[A-Za-z]*\?hl=en/
condition:
(($a1 or $a2) or $b) and $c
}
rule skeleton_key_injected_code
{
meta:
author = "secureworks"
reference = "https://www.secureworks.com/research/skeleton-key-malware-analysis"
strings:
$injected = { 33 C0 85 C9 0F 95 C0 48 8B 8C 24 40 01 00 00 48 33 CC E8 4D 02 00
00 48 81 C4 58 01 00 00 C3 }
$patch_CDLocateCSystem = { 48 89 5C 24 08 48 89 74 24 10 57 48 83 EC 20 48 8B FA
8B F1 E8 ?? ?? ?? ?? 48 8B D7 8B CE 48 8B D8 FF 50 10 44 8B D8 85 C0 0F 88 A5 00
00 00 48 85 FF 0F 84 9C 00 00 00 83 FE 17 0F 85 93 00 00 00 48 8B 07 48 85 C0 0F
84 84 00 00 00 48 83 BB 48 01 00 00 00 75 73 48 89 83 48 01 00 00 33 D2 }
$patch_SamIRetrievePrimaryCredential = { 48 89 5C 24 08 48 89 6C 24 10 48 89 74
24 18 57 48 83 EC 20 49 8B F9 49 8B F0 48 8B DA 48 8B E9 48 85 D2 74 2A 48 8B 42
08 48 85 C0 74 21 66 83 3A 26 75 1B 66 83 38 4B 75 15 66 83 78 0E 73 75 0E 66 83
78 1E 4B 75 07 B8 A1 02 00 C0 EB 14 E8 ?? ?? ?? ?? 4C 8B CF 4C 8B C6 48 8B D3 48
8B CD FF 50 18 48 8B 5C 24 30 48 8B 6C 24 38 48 8B 74 24 40 48 83 C4 20 5F C3 }
$patch_SamIRetrieveMultiplePrimaryCredential = { 48 89 5C 24 08 48 89 6C 24 10
48 89 74 24 18 57 48 83 EC 20 41 8B F9 49 8B D8 8B F2 8B E9 4D 85 C0 74 2B 49 8B
40 08 48 85 C0 74 22 66 41 83 38 26 75 1B 66 83 38 4B 75 15 66 83 78 0E 73 75 0E
66 83 78 1E 4B 75 07 B8 A1 02 00 C0 EB 12 E8 ?? ?? ?? ?? 44 8B CF 4C 8B C3 8B D6
8B CD FF 50 20 48 8B 5C 24 30 48 8B 6C 24 38 48 8B 74 24 40 48 83 C4 20 5F C3 }
condition:
any of them
}
rule skeleton_key_patcher
{
meta:
author = "secureworks"
reference = "https://www.secureworks.com/research/skeleton-key-malware-analysis"
strings:
$target_process = "lsass.exe" wide
$dll1 = "cryptdll.dll"
$dll2 = "samsrv.dll"
$name = "HookDC.dll"
$patched1 = "CDLocateCSystem"
$patched2 = "SamIRetrievePrimaryCredentials"
$patched3 = "SamIRetrieveMultiplePrimaryCredentials"
condition:
all of them
}