Sneed-Reactivity/yara-mikesxrs/GoDaddy/wiper.yara

78 lines
3.2 KiB
Text
Raw Normal View History

rule wiper {
meta:
description = "Wiper malware deployed in late 2014 skywiper attacks"
strings:
// 760C35A80D758F032D02CF4DB12D3E55 @ 0x40124A
$decryption_main_loop = {8bcbe8????????8a143e32d088143e463bf57cec5f}
// 760C35A80D758F032D02CF4DB12D3E55 @ 0x40118d
$context_init_loop1 = { 8b790c8b411033f78971088bf033f789710c8b710833c64b89411075e3 }
// 760C35A80D758F032D02CF4DB12D3E55 @ 0x4011b4
$context_init_loop2 = { 8b510c8b41100bf28971088bf00bf289710c8b71080bc64f89411075e3 }
$MZ = "MZ"
condition:
$MZ at 0 and 2 of them
}
rule wiper_payload_dropper {
meta:
description = "Wiper implant"
filename = "iissvr.exe"
strings:
$MZ = "MZ"
// the following 3 are used to transfer html/wav/jpg data from the resource section (these include the resource name following the http data)
$html={485454502F312E3120323030204F4B0D0A436F6E74656E742D4C656E6774683A2025640D0A436F6E74656E742D547970653A20746578742F68746D6C0D0A4163636570742D52616E6765733A2062797465730D0A5365727665723A204D6963726F736F66742D4949532F362E300D0A0D0A000000525352435F48544D4C00}
$wav={485454502F312E3120323030204F4B0D0A436F6E74656E742D4C656E6774683A2025640D0A436F6E74656E742D547970653A20696D6167652F6A7065670D0A4163636570742D52616E6765733A2062797465730D0A5365727665723A204D6963726F736F66742D4949532F362E300D0A0D0A0000525352435F4A504700}
$jpg={485454502F312E3120323030204F4B0D0A436F6E74656E742D4C656E6774683A2025640D0A436F6E74656E742D547970653A20617564696F2F7761760D0A4163636570742D52616E6765733A2062797465730D0A5365727665723A204D6963726F736F66742D4949532F362E300D0A0D0A000000525352435F57415600}
condition:
$MZ at 0 and ($html or $wav or $jpg)
}
/*
// Moderate confidence that this rule matches a legitimate driver component used by the wiper malware
// as opposed to it having been signed by a stolen certificate.
// It's commented out here because it could hit on legitimate software and the userland component
// will be detected by signatures anyway.
rule wiper_driver_component {
meta:
description = "Wiper implant"
filename = "usbdrv3.sys"
strings:
$MZ = "MZ"
// 86E212B7FC20FC406C692400294073FF @ 0x15F55
$switch_table1 = {4C89B424C8000000488B4F088B414883F802742D83F807742883F81F742383F824741E83F82D741983F831741483F836740F83F830740ABB240000C0E9}
// @ 0x164D8
$switch_table2 = {488BF08B484883F903741D83F908741883F909741383F914740E83F920740983F9350F}
condition:
$MZ at 0 and $switch_table1 and $switch_table2
}
*/
rule wiper_payload_dropper2 {
meta:
description = "Wiper implant"
filename = "ams.exe"
strings:
$MZ = "MZ"
// 7E5FEE143FB44FDB0D24A1D32B2BD4BB
$process_hacker_ascii = {5c4465766963655c4b50726f636573734861636b657232}
$process_hacker_unicode = {5c004400650076006900630065005c004b00500072006f0063006500730073004800610063006b006500720032000000}
$mcshield_string = {53595354454d5c43757272656e74436f6e74726f6c5365745c73657276696365735c4d63536869656c6400}
condition:
$MZ at 0 and ($process_hacker_ascii or $process_hacker_unicode) and $mcshield_string
}