Sneed-Reactivity/yara-Neo23x0/apt_eqgrp_sparc_sbz_apr23.yar


rule SUSP_ELF_SPARC_Hunting_SBZ_Obfuscation {
   meta:
   description = "This rule is UNTESTED against a large dataset and is for hunting purposes only."
   author = "netadr, modified by Florian Roth to avoid elf module import"
   reference = "https://netadr.github.io/blog/a-quick-glimpse-sbz/"
   date = "2023-04-02"
   modified = "2023-05-08"
   score = 60

   id = "15ee9a66-d823-508c-a14c-2c6ff45f47e5"
   strings:
      // xor g3, 0x47, o5
      // xor o5, g1, o5
      // xor g2, o5, o5
      $xor_block = { 9A 18 E0 47 9A 1B 40 01 9A 18 80 0D }

      $a1 = "SUNW_"

   condition:
      uint32be(0) == 0x7f454c46
      and $a1
      and $xor_block
}

rule SUSP_ELF_SPARC_Hunting_SBZ_UniqueStrings {
   meta:
      description = "This rule is UNTESTED against a large dataset and is for hunting purposes only."
      author = "netadr, modified by Florian Roth for performance reasons"
      reference = "https://netadr.github.io/blog/a-quick-glimpse-sbz/"
      date = "2023-04-02"
      modified = "2023-05-08"
      score = 60

      id = "d2f70d10-412e-5e83-ba4f-eac251012dc1"
   strings:
      $s1 = "<%u>[%s] Event #%u: "
      /* $s2 = "ofn" */
      $s2 = "lprc:%08X" ascii fullword

      // suggested by https://twitter.com/adulau/status/1553401532514766848
      $s3 = "diuXxobB" 
      $s4 = "CHM_FW"

   condition:
      2 of ($*)
}

rule SUSP_ELF_SPARC_Hunting_SBZ_ModuleStruct {
   meta:
      description = "This rule is UNTESTED against a large dataset and is for hunting purposes only."
      author = "netadr, modified by Florian Roth for FP reduction reasons"
      reference = "https://netadr.github.io/blog/a-quick-glimpse-sbz/"
      date = "2023-04-02"
      modified = "2023-05-08"
      score = 60

      id = "909746f1-44f5-597b-bdb2-2a1396d4b8c7"
   strings:
      $be = { 02 02 00 00 01 C1 00 07 }
      $le = { 02 02 00 00 07 00 C1 01 }

   condition:
      uint32be(0) == 0x7f454c46 and ( $be or $le )
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00
			`rule SUSP_ELF_SPARC_Hunting_SBZ_Obfuscation {`
			`meta:`
			`description = "This rule is UNTESTED against a large dataset and is for hunting purposes only."`
			`author = "netadr, modified by Florian Roth to avoid elf module import"`
			`reference = "https://netadr.github.io/blog/a-quick-glimpse-sbz/"`
			`date = "2023-04-02"`
			`modified = "2023-05-08"`
			`score = 60`

			`id = "15ee9a66-d823-508c-a14c-2c6ff45f47e5"`
			`strings:`
			`// xor g3, 0x47, o5`
			`// xor o5, g1, o5`
			`// xor g2, o5, o5`
			`$xor_block = { 9A 18 E0 47 9A 1B 40 01 9A 18 80 0D }`

			`$a1 = "SUNW_"`

			`condition:`
			`uint32be(0) == 0x7f454c46`
			`and $a1`
			`and $xor_block`
			`}`

			`rule SUSP_ELF_SPARC_Hunting_SBZ_UniqueStrings {`
			`meta:`
			`description = "This rule is UNTESTED against a large dataset and is for hunting purposes only."`
			`author = "netadr, modified by Florian Roth for performance reasons"`
			`reference = "https://netadr.github.io/blog/a-quick-glimpse-sbz/"`
			`date = "2023-04-02"`
			`modified = "2023-05-08"`
			`score = 60`

			`id = "d2f70d10-412e-5e83-ba4f-eac251012dc1"`
			`strings:`
			`$s1 = "<%u>[%s] Event #%u: "`
			`/* $s2 = "ofn" */`
			`$s2 = "lprc:%08X" ascii fullword`

			`// suggested by https://twitter.com/adulau/status/1553401532514766848`
			`$s3 = "diuXxobB"`
			`$s4 = "CHM_FW"`

			`condition:`
			`2 of ($*)`
			`}`

			`rule SUSP_ELF_SPARC_Hunting_SBZ_ModuleStruct {`
			`meta:`
			`description = "This rule is UNTESTED against a large dataset and is for hunting purposes only."`
			`author = "netadr, modified by Florian Roth for FP reduction reasons"`
			`reference = "https://netadr.github.io/blog/a-quick-glimpse-sbz/"`
			`date = "2023-04-02"`
			`modified = "2023-05-08"`
			`score = 60`

			`id = "909746f1-44f5-597b-bdb2-2a1396d4b8c7"`
			`strings:`
			`$be = { 02 02 00 00 01 C1 00 07 }`
			`$le = { 02 02 00 00 07 00 C1 01 }`

			`condition:`
			`uint32be(0) == 0x7f454c46 and ( $be or $le )`
			`}`