Sneed-Reactivity/yara-Neo23x0/apt_microcin.yar

129 lines
5.7 KiB
Text
Raw Normal View History

/*
Yara Rule Set
Author: Florian Roth
Date: 2017-09-26
Identifier: Microcin
Reference: https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf
*/
/* Rule Set ----------------------------------------------------------------- */
import "pe"
rule Microcin_Sample_1 {
meta:
description = "Malware sample mentioned in Microcin technical report by Kaspersky"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
date = "2017-09-26"
hash1 = "49816eefcd341d7a9c1715e1f89143862d4775ba4f9730397a1e8529f5f5e200"
hash2 = "a73f8f76a30ad5ab03dd503cc63de3a150e6ab75440c1060d75addceb4270f46"
hash3 = "9dd9bb13c2698159eb78a0ecb4e8692fd96ca4ecb50eef194fa7479cb65efb7c"
id = "96e9ac3b-a837-5909-b17b-259d54e0e7fd"
strings:
$s1 = "e Class Descriptor at (" ascii
$s2 = ".?AVCAntiAntiAppleFrameRealClass@@" fullword ascii
$s3 = ".?AVCAntiAntiAppleFrameBaseClass@@" fullword ascii
$s4 = ".?AVCAppleBinRealClass@@" fullword ascii
$s5 = ".?AVCAppleBinBaseClass@@" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 300KB and (
4 of them or
pe.imphash() == "897077ca318eaf629cfe74569f10e023"
)
)
}
rule Microcin_Sample_2 {
meta:
description = "Malware sample mentioned in Microcin technical report by Kaspersky"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
date = "2017-09-26"
hash1 = "8a7d04229722539f2480270851184d75b26c375a77b468d8cbad6dbdb0c99271"
id = "8718ef84-be2b-55a6-a4bb-41161548a2b4"
strings:
$s2 = "[Pause]" fullword ascii
$s7 = "IconCache_%02d%02d%02d%02d%02d" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 200KB and all of them )
}
rule Microcin_Sample_3 {
meta:
description = "Malware sample mentioned in Microcin technical report by Kaspersky"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
date = "2017-09-26"
hash1 = "4f74a3b67c5ed6f38f08786f1601214412249fe128f12c51525135710d681e1d"
id = "daecdfe3-e78c-55ee-83a3-3cee8cb9bb5f"
strings:
$x1 = "C:\\Users\\Lenovo\\Desktop\\test\\Release\\test.pdb" fullword ascii
$s2 = "test, Version 1.0" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 200KB and all of them )
}
rule Microcin_Sample_4 {
meta:
description = "Malware sample mentioned in Microcin technical report by Kaspersky"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
date = "2017-09-26"
hash1 = "92c01d5af922bdaacb6b0b2dfbe29e5cc58c45cbee5133932a499561dab616b8"
id = "8a6a0735-422a-5e91-9274-ce55f7bee5d3"
strings:
$s1 = "cmd /c dir /a /s \"%s\" > \"%s\"" fullword wide
$s2 = "ini.dat" fullword wide
$s3 = "winupdata" fullword wide
$f1 = "%s\\(%08x%08x)%s" fullword wide
$f2 = "%s\\d%08x\\d%08x.db" fullword wide
$f3 = "%s\\u%08x\\u%08x.db" fullword wide
$f4 = "%s\\h%08x\\h%08x.db" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 200KB and all of ($s*) or 5 of them )
}
rule Microcin_Sample_5 {
meta:
description = "Malware sample mentioned in Microcin technical report by Kaspersky"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
date = "2017-09-26"
hash1 = "b9c51397e79d5a5fd37647bc4e4ee63018ac3ab9d050b02190403eb717b1366e"
id = "cd06f9f7-0ba3-52c9-a814-be1cd53e2e42"
strings:
$x1 = "Sorry, you are not fortuante ^_^, Please try other password dictionary " fullword ascii
$x2 = "DomCrack <IP> <UserName> <Password_Dic file path> <option>" fullword ascii
$x3 = "The password is \"%s\" Time: %d(s)" fullword ascii
$x4 = "The password is \" %s \" Time: %d(s)" fullword ascii
$x5 = "No password found!" fullword ascii
$x7 = "Can not found the Password Dictoonary file! " fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 100KB and 1 of them ) or 2 of them
}
rule Microcin_Sample_6 {
meta:
description = "Malware sample mentioned in Microcin technical report by Kaspersky"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
date = "2017-09-26"
hash1 = "cbd43e70dc55e94140099722d7b91b07a3997722d4a539ecc4015f37ea14a26e"
hash2 = "871ab24fd6ae15783dd9df5010d794b6121c4316b11f30a55f23ba37eef4b87a"
id = "9988723f-a7ca-598f-9a6c-9f3915732117"
strings:
$s1 = "** ERROR ** %s: %s" fullword ascii
$s2 = "TEMPDATA" fullword wide
$s3 = "Bruntime error " fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 600KB and all of them )
}