
rule blackenergy3_api_encode
{
    // Detects the API-name encoding routine of the BlackEnergy 3 persistence
    // DLL by its raw opcode sequence. There is no PE-header or filesize gate,
    // so the rule fires on any file or memory region that contains the bytes.
    meta:
        author = "Mike Schladt"
        date = "2015-06-08"
        description = "matches api name encoding function for be3 persistence dll"
        md5 = "46649163C659CBA8A7D0D4075329EFA3"
        reference = "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf"

    strings:
        // Opcode bytes of the encoding routine. The trailing EB CA is a short
        // backward jmp, so the preceding bytes appear to be one loop iteration
        // of the encoder; the sequence is fixed, no wildcards are used.
        $api_encode = { 8B C2 C1 E8 09 32 E0 32 C4 32 E0 0F C8 66 8B CA 66 D1 E9 8A E1 33 C9 8A EA 66 D1 E9 8A C1 8B CA D1 E9 0F C9 0A C1 33 C9 8A 0B 33 C1 8B D0 43 EB CA }

    condition:
        // Only one string is declared, so this is equivalent to `$api_encode`.
        any of them
}
rule blackenergy3_push_bytes
{
    // Detects BlackEnergy 3 core components by the set of 32-bit immediates
    // they push before API calls. All sixteen immediates must be present,
    // which keeps the rule specific; a sample with even one constant changed
    // or removed will not match.
    meta:
        author = "Mike Schladt"
        date = "2015-06-08"
        description = "matches push bytes used for api calls in be3 core files"
        md5 = "46649163C659CBA8A7D0D4075329EFA3"
        md5_2 = "78387651dd9608fcdf6bfb9df8b84db4"
        reference = "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf"

    strings:
        // Each pattern is a 5-byte x86 `push imm32` (opcode 68 followed by a
        // little-endian immediate). The immediates are presumably the encoded
        // API-name values consumed by the BE3 import-resolution code -- confirm
        // against the referenced samples.
        $push_4byte_1  = { 68 EE EA C0 1F }
        $push_4byte_2  = { 68 49 F3 A5 2C }
        $push_4byte_3  = { 68 6B 43 59 4E }
        $push_4byte_4  = { 68 E6 4B 59 4E }
        $push_4byte_5  = { 68 6C 91 BA 4F }
        $push_4byte_6  = { 68 8A 86 39 56 }
        $push_4byte_7  = { 68 9E 6D BD 5C }
        $push_4byte_8  = { 68 FE 6A 7A 69 }
        $push_4byte_9  = { 68 A1 B0 5C 72 }
        $push_4byte_10 = { 68 60 A2 8A 76 }
        $push_4byte_11 = { 68 67 95 CD 77 }
        $push_4byte_12 = { 68 EB 3D 03 84 }
        $push_4byte_13 = { 68 19 2B 90 95 }
        $push_4byte_14 = { 68 62 67 8D A4 }
        $push_4byte_15 = { 68 AF 02 91 AB }
        $push_4byte_16 = { 68 26 80 AC C8 }

    condition:
        // Every declared string shares the $push_4byte_ prefix, so this is
        // the same as `all of them`.
        all of ($push_4byte_*)
}