/*
Yara Rule Set
Author: Florian Roth
Date: 2017-10-05
Identifier: FreeMilk
Reference: https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/
*/
import "pe"
/* Rule Set ----------------------------------------------------------------- */
rule FreeMilk_APT_Mal_1 {
   /* FreeMilk campaign, sample family 1: a PE file carrying a PDB path, a
      build-directory path and update-style file names. Matching is
      three-way: a known import hash, any one high-confidence ($x) string,
      or four of the seven strings together. Reference: see meta. */
   meta:
      description = "Detects malware from FreeMilk campaign"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
      date = "2017-10-05"
      // 64-hex (SHA-256 length) hashes of the samples the rule was built from
      hash1 = "34478d6692f8c28332751b31fd695b799d4ab36a8c12f7b728e2cb99ae2efcd9"
      hash2 = "35273d6c25665a19ac14d469e1436223202be655ee19b5b247cb1afef626c9f2"
      hash3 = "0f82ea2f92c7e906ee9ffbbd8212be6a8545b9bb0200eda09cce0ba9d7cb1313"
      // stable rule identifier used by the rule set
      id = "eff37dba-d4a9-5e3d-9452-49f04ddcbe0b"
   strings:
      // $x*: high-confidence artefacts -- a single hit is enough (see condition)
      $x1 = "\\milk\\Release\\milk.pdb" ascii           // debug-symbol (PDB) path fragment left in the binary
      $x2 = "E:\\BIG_POOH\\Project\\" ascii              // developer build-directory path
      $x3 = "Windows-KB271854-x86.exe" fullword wide     // KB-style executable name, UTF-16LE, whole word only

      // $s*: supporting strings -- only counted through "4 of them"
      $s1 = "Windows-KB275122-x86.exe" fullword wide     // second KB-style executable name
      $s2 = "\\wsatra.tmp" wide                          // temp-file name (UTF-16LE)
      $s3 = "%s\\Rar0tmpExtra%d.rtf" fullword wide       // printf-style path template for an .rtf file
      $s4 = "\"%s\" help" fullword wide                  // printf-style command-line template
   condition:
      // 0x5a4d at offset 0 is the little-endian "MZ" magic of a DOS/PE header;
      // the size cap keeps the rule off large installers and archives.
      uint16(0) == 0x5a4d and filesize < 300KB and (
         pe.imphash() == "108aa007b3d1b4817ff4c04d9b254b39" or   // import-table hash of the known samples
         1 of ($x*) or                                          // any high-confidence string
         4 of them                                              // or four of the seven strings above
      )
}
rule FreeMilk_APT_Mal_2 {
   /* FreeMilk campaign, sample family 2: a PE file that logs screenshot
      failures and formats a machine/OS identifier string. Matches on the
      known import hash, or on all four strings together. */
   meta:
      description = "Detects malware from FreeMilk campaign"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
      date = "2017-10-05"
      // 64-hex (SHA-256 length) hash of the sample the rule was built from
      hash1 = "7f35521cdbaa4e86143656ff9c52cef8d1e5e5f8245860c205364138f82c54df"
      // stable rule identifier used by the rule set
      id = "ef5f400c-16f8-5374-af16-c8530ddb87ee"
   strings:
      $s1 = "failed to take the screenshot. err: %d" fullword ascii   // error message from a screen-capture routine
      $s2 = "runsample" fullword wide                                // UTF-16LE token, whole word only
      $s3 = "%s%02X%02X%02X%02X%02X%02X:" fullword wide              // six hex bytes after a prefix -- looks like a MAC-address format; not confirmed here
      $s4 = "win-%d.%d.%d-%d" fullword wide                          // version-number template, presumably OS version
   condition:
      // 0x5a4d at offset 0 is the little-endian "MZ" magic of a DOS/PE header
      uint16(0) == 0x5a4d and filesize < 400KB and (
         pe.imphash() == "b86f7d2c1c182ec4c074ae1e16b7a3f5" or   // import-table hash of the known sample
         all of them                                            // otherwise every string above must be present
      )
}
rule FreeMilk_APT_Mal_3 {
   /* FreeMilk campaign, sample family 3: a PE file that builds CMD.EXE
      command lines and touches HKCR. All four strings are required, so the
      individually generic ones ($s1, $s3) only count in combination. */
   meta:
      description = "Detects malware from FreeMilk campaign"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
      date = "2017-10-05"
      // 64-hex (SHA-256 length) hash of the sample the rule was built from
      hash1 = "ef40f7ddff404d1193e025081780e32f88883fa4dd496f4189084d772a435cb2"
      // stable rule identifier used by the rule set
      id = "152781f0-756b-50ab-b588-4af5fa4ce419"
   strings:
      $s1 = "CMD.EXE /C \"%s\"" fullword wide                        // command-line template: run a quoted command via cmd
      $s2 = "\\command\\start.exe" wide                              // path fragment, UTF-16LE
      $s3 = ".bat;.com;.cmd;.exe" fullword wide                      // executable-extension list (PATHEXT-like); generic on its own
      $s4 = "Unexpected failure opening HKCR key: %d" fullword ascii // error message for an HKEY_CLASSES_ROOT registry open
   condition:
      // 0x5a4d at offset 0 is the little-endian "MZ" magic of a DOS/PE header;
      // no imphash alternative here, so all strings must co-occur
      ( uint16(0) == 0x5a4d and filesize < 900KB and all of them )
}
rule FreeMilk_APT_Mal_4 {
   /* FreeMilk campaign, sample family 4: a PE file embedding VBScript that
      carries a base64-encoded executable and references browser registry and
      credential-store paths. Matches on an export signature, on the single
      high-confidence ($x) string, or on three of the seven strings. */
   meta:
      description = "Detects malware from FreeMilk campaign"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
      date = "2017-10-05"
      // 64-hex (SHA-256 length) hash of the sample the rule was built from
      hash1 = "99c1b4887d96cb94f32b280c1039b3a7e39ad996859ffa6dd011cf3cca4f1ba5"
      // stable rule identifier used by the rule set
      id = "44f919f7-8eda-5e70-88d5-9e81a761192c"
   strings:
      // $x1: "TVqQAAMAAAAE" is the base64 encoding of the start of an MZ header,
      // i.e. a script variable holding an embedded base64-encoded executable.
      $x1 = "base64Encoded=\"TVqQAAMAAAAE" ascii

      // $s*: supporting VBScript fragments and paths -- counted through "3 of them"
      $s1 = "SOFTWARE\\Clients\\StartMenuInternet\\firefox.exe\\shell\\open\\command" fullword wide  // registry key holding Firefox's launch command
      $s2 = "'Wscript.echo \"Base64 encoded: \" + base64Encoded" fullword ascii                       // commented-out VBScript debug line (leading apostrophe)
      $s3 = "\\Google\\Chrome\\User Data\\Default\\Login Data" ascii                                    // path of Chrome's saved-login database -- credential-access indicator
      $s4 = "outFile=sysDir&\"\\rundll32.exe\"" fullword ascii                                         // script builds an output path named rundll32.exe under a system directory
      $s5 = "set shell = WScript.CreateObject(\"WScript.Shell\")" fullword ascii                        // WScript.Shell instantiation (generic, only counts in combination)
      $s6 = "command =outFile &\" sysupdate\"" fullword ascii                                          // command line built from outFile plus an argument
   condition:
      // 0x5a4d at offset 0 is the little-endian "MZ" magic of a DOS/PE header;
      // the larger size cap reflects the embedded payload.
      uint16(0) == 0x5a4d and filesize < 3000KB and (
         ( pe.exports("getUpdate") and pe.number_of_exports == 1 ) or   // a module whose only export is getUpdate
         1 of ($x*) or                                                  // the embedded-executable marker
         3 of them                                                      // or three of the seven strings above
      )
}