/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2018-02-26
   Identifier: MuddyWater samples
*/

/* Rule Set ----------------------------------------------------------------- */

rule MuddyWater_Mal_Doc_Feb18_1 {
   /* Looks for a base64-encoded PowerShell loader fragment inside an OLE2
      (legacy Office) container. Both strings are the base64 form of a
      PowerShell snippet, so they match only when the plaintext was encoded
      at the same 3-byte alignment as in the samples: an encoder that offsets
      or pads the command differently yields a different base64 text and
      slips past this rule. Treat a hit as high-confidence, a miss as no
      evidence either way. */
   meta:
      description = "Detects malicious document used by MuddyWater"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research - TI2T"
      date = "2018-02-26"
      hash1 = "3d96811de7419a8c090a671d001a85f2b1875243e5b38e6f927d9877d0ff9b0c"
      id = "5f275ee8-c6a9-532b-bc82-b109195171da"
   strings:
      /* base64 of:
         iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( */
      $x1 = "aWV4KFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVuaWNvZGUuR2V0U3RyaW5nKFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmco" ascii
      /* Double Base64 encoded : Invoke-Expression
         (base64 of the base64 of the UTF-16LE string "Invoke-Expression ";
         no modifier, so YARA searches the ASCII form only) */
      $x2 = "U1FCdUFIWUFid0JyQUdVQUxRQkZBSGdBY0FCeUFHVUFjd0J6QUdrQWJ3QnVBQ0FBS"
   condition:
      /* uint16(0) is read little-endian: 0xcfd0 means the bytes D0 CF at
         offset 0, the start of the OLE2 compound-file signature used by
         legacy .doc/.xls/.ppt containers. Either loader string suffices. */
      uint16(0) == 0xcfd0 and filesize < 3000KB and 1 of them
}
rule MuddyWater_Mal_Doc_Feb18_2 {
   /* Fingerprints the sample set through the VBA project metadata left by the
      authoring machine rather than through the payload. $s1-$s3 look like VBA
      project reference entries (the "*\G{guid}#major.minor#lcid#path#name"
      form) naming OLE Automation, MSO.DLL and MSWORD.OLB under Office16
      paths; $s4 and $s5 are two constant artefacts. Because the condition
      demands all five strings, a document built with another Office version
      or install path will not match: narrow by design, so expect a low
      false-positive rate and no coverage of re-authored variants. */
   meta:
      description = "Detects malicious document used by MuddyWater"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research - TI2T"
      date = "2018-02-26"
      hash1 = "3d96811de7419a8c090a671d001a85f2b1875243e5b38e6f927d9877d0ff9b0c"
      hash2 = "366d8b84a43a528e6aaf9ecfc38980b148f983967803914471ccf011b9bb0832"
      id = "117e1d33-63a3-52c8-acf6-bc61959193db"
   strings:
      /* type-library references of the authoring environment (UTF-16LE in the file) */
      $s1 = "*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\System32\\stdole2.tlb#OLE Automation" fullword wide
      $s2 = "*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft " wide
      $s3 = "*\\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\\Program Files\\Microsoft Office\\Office16\\MSWORD.OLB#Microsoft Word 16.0 O" wide
      /* ProgID of the Scripting FileSystemObject, as referenced by the macro */
      $s4 = "scripting.filesystemobject$" fullword ascii
      /* NOTE(review): looks like the ID= line of the VBA PROJECT stream with a
         null GUID - confirm against the samples before relying on it alone */
      $s5 = "ID=\"{00000000-0000-0000-0000-000000000000}\"" fullword ascii
   condition:
      /* 0xcfd0 == bytes D0 CF at offset 0 (OLE2 compound-file signature,
         uint16 read little-endian); every string above must be present */
      uint16(0) == 0xcfd0 and filesize < 6000KB and all of them
}
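rule MAL_MuddyWater_DroppedTask_Jun18_1 {
   /* Detects the small UTF-16LE text file dropped by the June 2018 MuddyWater
      samples. Its keys ([DefenderService], AppAct pointing at the Connection
      Manager registry key, UnRegisterOCXs=, ShortSvcName=) are those of a
      Connection Manager profile (INF); the UnRegisterOCXs entry naming
      scrobj.dll ($x1) is the hallmark of INF files consumed by cmstp.exe to
      load a scriptlet (MITRE ATT&CK T1218.003), which is why a single $x hit
      is enough on its own. Description typo fixed ("MudyWater" -> "MuddyWater");
      no detection logic was changed. */
   meta:
      description = "Detects a dropped Windows task as used by MuddyWater in June 2018"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://app.any.run/tasks/719c94eb-0a00-47cc-b583-ad4f9e25ebdb"
      date = "2018-06-12"
      hash1 = "7ecc2e1817f655ece2bde39b7d6633f4f586093047ec5697a1fab6adc7e1da54"
      id = "d9ef379d-161f-59f1-873e-3af12b24b76b"
   strings:
      /* %11% is the INF token for the system directory; scrobj.dll is the
         Windows Script Component runtime - the strong indicator */
      $x1 = "%11%\\scrobj.dll,NI,c:" wide

      /* generic Connection Manager profile keys; weak on their own */
      $s1 = "AppAct = \"SOFTWARE\\Microsoft\\Connection Manager\"" fullword wide
      $s2 = "[DefenderService]" fullword wide
      $s3 = "UnRegisterOCXs=EventManager" fullword wide
      $s4 = "ShortSvcName=\" \"" fullword wide
   condition:
      /* 0xfeff == bytes FF FE at offset 0, the UTF-16LE byte-order mark
         (uint16 is read little-endian), matching the wide strings above.
         The profile is tiny, hence the 1KB cap. One $x string, or three of
         any strings, triggers the rule. */
      uint16(0) == 0xfeff and filesize < 1KB and ( 1 of ($x*) or 3 of them )
}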