Sneed-Reactivity/yara-Neo23x0/apt_muddywater.yar


/*
Yara Rule Set
Author: Florian Roth
Date: 2018-02-26
Identifier: MuddyWater samples
*/
/* Rule Set ----------------------------------------------------------------- */
rule MuddyWater_Mal_Doc_Feb18_1 {
   meta:
      description = "Detects malicious document used by MuddyWater"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research - TI2T"
      date = "2018-02-26"
      hash1 = "3d96811de7419a8c090a671d001a85f2b1875243e5b38e6f927d9877d0ff9b0c"
      id = "5f275ee8-c6a9-532b-bc82-b109195171da"
   strings:
      /* Base64 of the PowerShell stager prefix
         iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( */
      $x1 = "aWV4KFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVuaWNvZGUuR2V0U3RyaW5nKFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmco" ascii
      /* Double Base64 encoded "Invoke-Expression" (inner layer is the UTF-16LE text) */
      $x2 = "U1FCdUFIWUFid0JyQUdVQUxRQkZBSGdBY0FCeUFHVUFjd0J6QUdrQWJ3QnVBQ0FBS"
   condition:
      /* OLE2 compound file header (bytes D0 CF), read big-endian here,
         a size cap, and either of the two encoded stager fragments */
      uint16be(0) == 0xd0cf
      and filesize < 3000KB
      and any of them
}
rule MuddyWater_Mal_Doc_Feb18_2 {
   meta:
      description = "Detects malicious document used by MuddyWater"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research - TI2T"
      date = "2018-02-26"
      hash1 = "3d96811de7419a8c090a671d001a85f2b1875243e5b38e6f927d9877d0ff9b0c"
      hash2 = "366d8b84a43a528e6aaf9ecfc38980b148f983967803914471ccf011b9bb0832"
      id = "117e1d33-63a3-52c8-acf6-bc61959193db"
   strings:
      /* Type-library reference strings (stdole2.tlb, MSO.DLL, MSWORD.OLB for Office16),
         as embedded in the samples' VBA project */
      $s1 = "*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\System32\\stdole2.tlb#OLE Automation" fullword wide
      $s2 = "*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft " wide
      $s3 = "*\\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\\Program Files\\Microsoft Office\\Office16\\MSWORD.OLB#Microsoft Word 16.0 O" wide
      /* FileSystemObject usage and an all-zero project ID; all five strings
         must be present, so no single one is treated as decisive */
      $s4 = "scripting.filesystemobject$" fullword ascii
      $s5 = "ID=\"{00000000-0000-0000-0000-000000000000}\"" fullword ascii
   condition:
      /* OLE2 compound file header (D0 CF), size cap, then every $s string */
      filesize < 6000KB
      and uint16(0) == 0xcfd0
      and all of ($s*)
}
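rule MAL_MuddyWater_DroppedTask_Jun18_1 {
   meta:
      /* typo fixed: "MudyWater" -> "MuddyWater" so the description matches the rule
         name and the other rules in this set */
      description = "Detects a dropped Windows task as used by MuddyWater in June 2018"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://app.any.run/tasks/719c94eb-0a00-47cc-b583-ad4f9e25ebdb"
      date = "2018-06-12"
      hash1 = "7ecc2e1817f655ece2bde39b7d6633f4f586093047ec5697a1fab6adc7e1da54"
      id = "d9ef379d-161f-59f1-873e-3af12b24b76b"
   strings:
      /* High-confidence indicator: scrobj.dll referenced through the INF-style
         %11% directory placeholder; one hit on an $x string is enough */
      $x1 = "%11%\\scrobj.dll,NI,c:" wide
      /* Supporting section/key names from the dropped file; three of these
         are needed when $x1 is absent */
      $s1 = "AppAct = \"SOFTWARE\\Microsoft\\Connection Manager\"" fullword wide
      $s2 = "[DefenderService]" fullword wide
      $s3 = "UnRegisterOCXs=EventManager" fullword wide
      $s4 = "ShortSvcName=\" \"" fullword wide
   condition:
      /* 0xfeff is the little-endian read of the FF FE byte-order mark, i.e. a
         UTF-16LE text file (all strings are therefore matched as wide);
         the dropped file is tiny, hence the 1KB cap */
      uint16(0) == 0xfeff and filesize < 1KB and ( 1 of ($x*) or 3 of them )
}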