35 lines
1.5 KiB
Text
35 lines
1.5 KiB
Text
|
rule MAL_WebMonitor_RAT {
|
||
|
meta:
|
||
|
description = "Detects WebMonitor RAT"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/"
|
||
|
date = "2018-04-13"
|
||
|
hash1 = "27aaad8a7b3fd53d99077a9202e8bed05696c843ed2485bea6eb9e33a1c273ac"
|
||
|
hash2 = "05111c305028b5d822ecd12de9879560223c42860cc9d448c47886c236648607"
|
||
|
id = "5378f22e-4bba-50e7-8374-5135e980e06b"
|
||
|
strings:
|
||
|
$x1 = "send_keylog_stream_start" fullword wide
|
||
|
$x2 = "KEYLOG_STREAM_STOP" fullword wide
|
||
|
|
||
|
$s1 = "SHELL_EXEC" fullword wide
|
||
|
$s2 = "send_shell_exec" fullword wide
|
||
|
$s3 = "send_connections_get" fullword wide
|
||
|
|
||
|
$a1 = "Select * from Win32_PerfRawData_PerfProc_Process where IDProcess = '" fullword wide
|
||
|
$a2 = "Select * from Win32_Process WHERE handle =" fullword wide
|
||
|
$a3 = "Select * from Win32_Process where ProcessId=" fullword wide
|
||
|
$a4 = "Select * from Win32_ComputerSystem" fullword wide
|
||
|
$a5 = "The service is in the process of being continued" fullword wide
|
||
|
$a6 = "tcpdump" fullword wide
|
||
|
$a7 = "memdump" fullword wide
|
||
|
$a8 = "<val1>Processor</val1>" fullword wide
|
||
|
$a9 = "Win32 share process" fullword wide
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 1000KB and (
|
||
|
1 of ($x*) or
|
||
|
( 2 of ($s*) and 2 of ($a*) ) or
|
||
|
7 of them
|
||
|
)
|
||
|
}
|