Sneed-Reactivity/yara-Neo23x0/apt_sysscan.yar

40 lines
1.4 KiB
Text
Raw Normal View History

rule xDedic_SysScan_unpacked {
meta:
author = " Kaspersky Lab"
maltype = "crimeware"
type ="crimeware"
description = "Detects SysScan APT tool"
reference = "https://securelist.com/blog/research/75027/xdedic-the-shady-world-of-hacked-servers-for-sale/"
filetype = "Win32 EXE"
date = "2016-03-14"
version = "1.0"
hash1 = "fac495be1c71012682ebb27092060b43"
hash2 = "e8cc69231e209db7968397e8a244d104"
hash3 = "a53847a51561a7e76fd034043b9aa36d"
hash4 = "e8691fa5872c528cd8e72b82e7880e98"
hash5 = "F661b50d45400e7052a2427919e2f777"
id = "4f5d37b3-e3aa-51ec-b36e-b494c8abe227"
strings:
$a1 = "/c ping -n 2 127.0.0.1 & del \"SysScan.exe\"" ascii wide
$a2 = "SysScan DEBUG Mode!!!" ascii wide
$a3 = "This rechecking? (set 0/1 or press enter key)" ascii wide
$a4 = "http://37.49.224.144:8189/manual_result" ascii wide
$b1 = "Checker end work!" ascii wide
$b2 = "Trying send result..." ascii wide
condition:
uint16(0) == 0x5A4D and filesize < 5000000 and ( any of ($a*) or all of ($b*) )
}
rule xdedic_packed_syscan {
meta:
author = "Kaspersky Lab - modified by Florian Roth"
company = "Kaspersky Lab"
id = "da8e59f3-53f9-504b-afff-9caab798db6c"
strings:
$a1 = "SysScan.exe" nocase ascii wide
$a2 = "1.3.4." wide
condition:
uint16(0) == 0x5A4D and filesize > 500KB and filesize < 1500KB and all of them
}