Sneed-Reactivity/yara-Neo23x0/apt_derusbi.yar

144 lines
5.1 KiB
Text
Raw Normal View History

/*
Yara Rule Set
Author: Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud
Date: 2015-12-09
Reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family
Identifier: Derusbi Dez 2015
*/
rule derusbi_kernel
{
meta:
description = "Derusbi Driver version"
date = "2015-12-09"
author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud"
id = "a60ab93a-e2be-53ee-a7da-56c763bc5533"
strings:
$token1 = "$$$--Hello"
$token2 = "Wrod--$$$"
$class = ".?AVPCC_BASEMOD@@"
condition:
uint16(0) == 0x5A4D and $token1 and $token2 and $class
}
rule derusbi_linux
{
meta:
description = "Derusbi Server Linux version"
date = "2015-12-09"
author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud"
id = "2b33afb5-be87-5d41-b05e-b99d0c1d8ed9"
strings:
$PS1 = "PS1=RK# \\u@\\h:\\w \\$"
$cmd = "unset LS_OPTIONS;uname -a"
$pname = "[diskio]"
$rkfile = "/tmp/.secure"
$ELF = "\x7fELF"
condition:
$ELF at 0 and $PS1 and $cmd and $pname and $rkfile
}
/*
Yara Rule Set
Author: Florian Roth
Date: 2015-12-15
Identifier: Derusbi Dez 2015
*/
rule Derusbi_Kernel_Driver_WD_UDFS {
meta:
description = "Detects Derusbi Kernel Driver"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
date = "2015-12-15"
score = 80
hash1 = "1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016"
hash2 = "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a"
hash3 = "6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58"
hash4 = "e27fb16dce7fff714f4b05f2cef53e1919a34d7ec0e595f2eaa155861a213e59"
id = "51d80d19-f87f-5b09-ac49-08ebcb464013"
strings:
$x1 = "\\\\.\\pipe\\usbpcex%d" fullword wide
$x2 = "\\\\.\\pipe\\usbpcg%d" fullword wide
$x3 = "\\??\\pipe\\usbpcex%d" fullword wide
$x4 = "\\??\\pipe\\usbpcg%d" fullword wide
$x5 = "$$$--Hello" fullword ascii
$x6 = "Wrod--$$$" fullword ascii
$s1 = "\\Registry\\User\\%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" wide
$s2 = "Update.dll" fullword ascii
$s3 = "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\WMI" wide
$s4 = "\\Driver\\nsiproxy" wide
$s5 = "HOST: %s" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 800KB and
(
2 of ($x*) or all of ($s*)
)
}
rule Derusbi_Code_Signing_Cert {
meta:
description = "Detects an executable signed with a certificate also used for Derusbi Trojan - suspicious"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
date = "2015-12-15"
score = 60
id = "d123fde9-0182-5232-a716-b76e8d9830c4"
strings:
$s1 = "Fuqing Dawu Technology Co.,Ltd.0" fullword ascii
$s2 = "XL Games Co.,Ltd.0" fullword ascii
$s3 = "Wemade Entertainment co.,Ltd0" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 800KB and 1 of them
}
rule XOR_4byte_Key {
meta:
description = "Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
date = "2015-12-15"
score = 60
id = "77850332-87ce-5ed3-bb09-88e91e5bb5f6"
strings:
/* Op Code */
$s1 = { 85 C9 74 0A 31 06 01 1E 83 C6 04 49 EB F2 }
/*
test ecx, ecx
jz short loc_590170
xor [esi], eax
add [esi], ebx
add esi, 4
dec ecx
jmp short loc_590162
*/
condition:
uint16(0) == 0x5a4d and filesize < 900KB and all of them
}
rule Derusbi_Backdoor_Mar17_1 {
meta:
description = "Detects a variant of the Derusbi backdoor"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-03-03"
hash1 = "f87915f21dcc527981ebb6db3d332b5b341129b4af83524f59d7178e9d2a3a32"
id = "5c8838d6-b9c2-589e-b6a2-a8c7ad6f10cc"
strings:
$x1 = "%SystemRoot%\\System32\\wiaservc.dll" fullword wide
$x2 = "c%WINDIR%\\PCHealth\\HelpCtr\\Binaries\\pchsvc.dll" fullword wide
$x3 = "%Systemroot%\\Help\\perfc009.dat" fullword wide
$x4 = "rundll32.exe \"%s\", R32 %s" fullword wide
$x5 = "OfficeUt32.dll" fullword ascii
$x6 = "\\\\.\\pipe\\usb%so" fullword wide
$x7 = "\\\\.\\pipe\\usb%si" fullword wide
$x8 = "\\tmp1.dat" wide
condition:
( uint16(0) == 0x5a4d and filesize < 400KB and 1 of them )
}