Sneed-Reactivity/yara-Neo23x0/apt_ke3chang.yar

43 lines
1.8 KiB
Text
Raw Normal View History

rule APT_KE3CHANG_TMPFILE: APT KE3CHANG TMPFILE {
meta:
description = "Detects Strings left in TMP Files created by K3CHANG Backdoor Ketrican"
author = "Markus Neis, Swisscom"
reference = "https://app.any.run/tasks/a96f4f9d-c27d-490b-b5d3-e3be0a1c93e9/"
date = "2020-06-18"
hash1 = "4ef11e84d5203c0c425d1a76d4bf579883d40577c2e781cdccc2cc4c8a8d346f"
id = "84d411af-ea3d-5862-8c2f-7caca60c1b66"
strings:
$pps1 = "PSParentPath : Microsoft.PowerShell.Core\\Registry::HKEY_CURRENT_USE" fullword ascii
$pps2 = "PSPath : Microsoft.PowerShell.Core\\Registry::HKEY_CURRENT_USE" fullword ascii
$psp1 = ": Microsoft.PowerShell.Core\\Registry" ascii
$s4 = "PSChildName : PhishingFilter" fullword ascii
$s1 = "DisableFirstRunCustomize : 2" fullword ascii
$s7 = "PSChildName : 3" fullword ascii
$s8 = "2500 : 3" fullword ascii
condition:
uint16(0) == 0x5350 and filesize < 1KB and $psp1 and 1 of ($pps*) and 1 of ($s*)
}
rule APT_MAL_Ke3chang_Ketrican_Jun20_1 {
meta:
description = "Detects Ketrican malware"
author = "Florian Roth (Nextron Systems)"
reference = "BfV Cyber-Brief Nr. 01/2020"
date = "2020-06-18"
hash1 = "02ea0bc17875ab403c05b50205389065283c59e01de55e68cee4cf340ecea046"
hash2 = "f3efa600b2fa1c3c85f904a300fec56104d2caaabbb39a50a28f60e0fdb1df39"
id = "ccd8322e-c822-512a-9ac5-eabc9d09640b"
strings:
$xc1 = { 00 59 89 85 D4 FB FF FF 8B 85 D4 FB FF FF 89 45
FC 68 E0 58 40 00 8F 45 FC E9 }
$op1 = { 6a 53 58 66 89 85 24 ff ff ff 6a 79 58 66 89 85 }
$op2 = { 8d 45 bc 50 53 53 6a 1c 8d 85 10 ff ff ff 50 ff }
condition:
uint16(0) == 0x5a4d and
filesize < 300KB and
1 of ($x*) or 2 of them
}