40 lines
1.7 KiB
Text
40 lines
1.7 KiB
Text
|
/*
|
||
|
Yara Rule Set
|
||
|
Author: Florian Roth
|
||
|
Date: 2018-01-09
|
||
|
Identifier: NK Miner Malware
|
||
|
Reference: https://goo.gl/PChE1z
|
||
|
*/
|
||
|
|
||
|
/* Rule Set ----------------------------------------------------------------- */
|
||
|
|
||
|
rule NK_Miner_Malware_Jan18_1 {
|
||
|
meta:
|
||
|
description = "Detects Noth Korean Monero Miner mentioned in AlienVault report"
|
||
|
author = "Florian Roth (Nextron Systems) (original rule by Chris Doman)"
|
||
|
reference = "https://goo.gl/PChE1z"
|
||
|
date = "2018-01-09"
|
||
|
hash1 = "0024e32c0199ded445c0b968601f21cc92fc0c534d2642f2dd64c1c978ff01f3"
|
||
|
hash2 = "42300b6a09f183ae167d7a11d9c6df21d022a5f02df346350d3d875d557d3b76"
|
||
|
id = "40f53c36-9e14-5307-9740-e6f514afc7ec"
|
||
|
strings:
|
||
|
$x0 = "c:\\users\\jawhar\\documents\\" ascii
|
||
|
$x1 = "C:\\Users\\Jawhar\\documents\\" ascii
|
||
|
$x2 = "The number of processors on this computer is {0}." fullword wide
|
||
|
$x3 = { 00 00 1F 43 00 3A 00 5C 00 4E 00 65 00 77 00 44
|
||
|
00 69 00 72 00 65 00 63 00 74 00 6F 00 72 00 79
|
||
|
00 00 }
|
||
|
$x4 = "Le fichier Hello txt n'existe pas" fullword wide
|
||
|
$x5 = "C:\\NewDirectory2\\info2" fullword wide
|
||
|
|
||
|
/* Incorported from Chris Doman's rule - https://goo.gl/PChE1z*/
|
||
|
$a = "82e999fb-a6e0-4094-aa1f-1a306069d1a5" ascii
|
||
|
$b = "4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS" ascii
|
||
|
$c = "barjuok.ryongnamsan.edu.kp" wide ascii
|
||
|
$d = "C:\\SoftwaresInstall\\soft" wide ascii
|
||
|
$e = "C:\\Windows\\Sys64\\intelservice.exe" wide ascii
|
||
|
$f = "C:\\Windows\\Sys64\\updater.exe" wide ascii
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 30KB and 1 of them
|
||
|
}
|