183 lines
7.7 KiB
Text
183 lines
7.7 KiB
Text
|
/*
|
|||
|
Yara Rule Set
|
|||
|
Author: Florian Roth
|
|||
|
Date: 2016-10-20
|
|||
|
Identifier: PassCV Group (Cylance)
|
|||
|
*/
|
|||
|
|
|||
|
/* Rule Set ----------------------------------------------------------------- */
|
|||
|
|
|||
|
rule PassCV_Sabre_Malware_1 {
|
|||
|
meta:
|
|||
|
description = "PassCV Malware mentioned in Cylance Report"
|
|||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|||
|
author = "Florian Roth (Nextron Systems)"
|
|||
|
reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
|
|||
|
date = "2016-10-20"
|
|||
|
hash1 = "24a9bfbff81615a42e42755711c8d04f359f3bf815fb338022edca860ff1908a"
|
|||
|
hash2 = "e61e56b8f2666b9e605127b4fcc7dc23871c1ae25aa0a4ea23b48c9de35d5f55"
|
|||
|
id = "99a26daa-c563-5b23-89b9-965d8ce7229d"
|
|||
|
strings:
|
|||
|
$x1 = "F:\\Excalibur\\Excalibur\\Excalibur\\" ascii
|
|||
|
$x2 = "bin\\oSaberSvc.pdb" ascii
|
|||
|
|
|||
|
$s1 = "cmd.exe /c MD " fullword ascii
|
|||
|
$s2 = "https://www.baidu.com/s?ie=utf-8&f=8&rsv_bp=0&rsv_idx=1&tn=baidu&wd=ip138" fullword wide
|
|||
|
$s3 = "CloudRun.exe" fullword wide
|
|||
|
$s4 = "SaberSvcB.exe" fullword wide
|
|||
|
$s5 = "SaberSvc.exe" fullword wide
|
|||
|
$s6 = "SaberSvcW.exe" fullword wide
|
|||
|
$s7 = "tianshiyed@iaomaomark1#23mark123tokenmarkqwebjiuga664115" fullword wide
|
|||
|
$s8 = "Internet Connect Failed!" fullword ascii
|
|||
|
condition:
|
|||
|
( uint16(0) == 0x5a4d and filesize < 1000KB and ( 1 of ($x*) and 5 of ($s*) ) ) or ( all of them )
|
|||
|
}
|
|||
|
|
|||
|
rule PassCV_Sabre_Malware_Signing_Cert {
|
|||
|
meta:
|
|||
|
description = "PassCV Malware mentioned in Cylance Report"
|
|||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|||
|
author = "Florian Roth (Nextron Systems)"
|
|||
|
reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
|
|||
|
date = "2016-10-20"
|
|||
|
score = 50
|
|||
|
hash1 = "7c32885c258a6d5be37ebe83643f00165da3ebf963471503909781540204752e"
|
|||
|
id = "2b2d1313-6454-5e3f-9b58-5b1a26739ba8"
|
|||
|
strings:
|
|||
|
$s1 = "WOODTALE TECHNOLOGY INC" ascii
|
|||
|
$s2 = "Flyingbird Technology Limited" ascii
|
|||
|
$s3 = "Neoact Co., Ltd." ascii
|
|||
|
$s4 = "AmazGame Age Internet Technology Co., Ltd" ascii
|
|||
|
$s5 = "EMG Technology Limited" ascii
|
|||
|
$s6 = "Zemi Interactive Co., Ltd" ascii
|
|||
|
$s7 = "337 Technology Limited" ascii
|
|||
|
$s8 = "Runewaker Entertainment0" fullword ascii
|
|||
|
condition:
|
|||
|
( uint16(0) == 0x5a4d and filesize < 3000KB and 1 of them )
|
|||
|
}
|
|||
|
|
|||
|
rule PassCV_Sabre_Malware_2 {
|
|||
|
meta:
|
|||
|
description = "PassCV Malware mentioned in Cylance Report"
|
|||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|||
|
author = "Florian Roth (Nextron Systems)"
|
|||
|
reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
|
|||
|
date = "2016-10-20"
|
|||
|
hash1 = "475d1c2d36b2cf28b28b202ada78168e7482a98b42ff980bbb2f65c6483db5b4"
|
|||
|
hash2 = "009645c628e719fad2e280ef60bbd8e49bf057196ac09b3f70065f1ad2df9b78"
|
|||
|
hash3 = "92479c7503393fc4b8dd7c5cd1d3479a182abca3cda21943279c68a8eef9c64b"
|
|||
|
hash4 = "0c7b952c64db7add5b8b50b1199fc7d82e9b6ac07193d9ec30e5b8d353b1f6d2"
|
|||
|
id = "dd9eb5f6-9faa-584d-b3b5-6dcfdc3f359c"
|
|||
|
strings:
|
|||
|
$x1 = "ncProxyXll" fullword ascii
|
|||
|
|
|||
|
$s1 = "Uniscribe.dll" fullword ascii
|
|||
|
$s2 = "WS2_32.dll" ascii
|
|||
|
$s3 = "ProxyDll" fullword ascii
|
|||
|
$s4 = "JDNSAPI.dll" fullword ascii
|
|||
|
$s5 = "x64.dat" fullword ascii
|
|||
|
$s6 = "LSpyb2" fullword ascii
|
|||
|
condition:
|
|||
|
( uint16(0) == 0x5a4d and filesize < 4000KB and $x1 ) or ( all of them )
|
|||
|
}
|
|||
|
|
|||
|
rule PassCV_Sabre_Malware_Excalibur_1 {
|
|||
|
meta:
|
|||
|
description = "PassCV Malware mentioned in Cylance Report"
|
|||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|||
|
author = "Florian Roth (Nextron Systems)"
|
|||
|
reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
|
|||
|
date = "2016-10-20"
|
|||
|
hash1 = "21566f5ff7d46cc9256dae8bc7e4c57f2b9261f95f6ad2ac921558582ea50dfb"
|
|||
|
hash2 = "02922c5d994e81629d650be2a00507ec5ca221a501fe3827b5ed03b4d9f4fb70"
|
|||
|
|
|||
|
id = "eadad36c-49c8-50e1-8334-813d2e760fe9"
|
|||
|
strings:
|
|||
|
$x1 = "F:\\Excalibur\\Excalibur\\" ascii
|
|||
|
$x2 = "Excalibur\\bin\\Shell.pdb" ascii
|
|||
|
$x3 = "SaberSvc.exe" wide
|
|||
|
|
|||
|
$s1 = "BBB.exe" fullword wide
|
|||
|
$s2 = "AAA.exe" fullword wide
|
|||
|
condition:
|
|||
|
( uint16(0) == 0x5a4d and filesize < 2000KB and 1 of ($x*) or all of ($s*) )
|
|||
|
or 3 of them
|
|||
|
}
|
|||
|
|
|||
|
rule PassCV_Sabre_Malware_3 {
|
|||
|
meta:
|
|||
|
description = "PassCV Malware mentioned in Cylance Report"
|
|||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|||
|
author = "Florian Roth (Nextron Systems)"
|
|||
|
reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
|
|||
|
date = "2016-10-20"
|
|||
|
hash1 = "28c7575b2368a9b58d0d1bf22257c4811bd3c212bd606afc7e65904041c29ce1"
|
|||
|
id = "03e5efc0-6076-501f-a600-b3d9008a8711"
|
|||
|
strings:
|
|||
|
$x1 = "NXKILL" fullword wide
|
|||
|
|
|||
|
$s1 = "2OLE32.DLL" fullword ascii
|
|||
|
$s2 = "localspn.dll" fullword wide
|
|||
|
$s3 = "!This is a Win32 program." fullword ascii
|
|||
|
condition:
|
|||
|
( uint16(0) == 0x5a4d and filesize < 8000KB and $x1 and 2 of ($s*) )
|
|||
|
}
|
|||
|
|
|||
|
rule PassCV_Sabre_Malware_4 {
|
|||
|
meta:
|
|||
|
description = "PassCV Malware mentioned in Cylance Report"
|
|||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|||
|
author = "Florian Roth (Nextron Systems)"
|
|||
|
reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
|
|||
|
date = "2016-10-20"
|
|||
|
hash1 = "27463bcb4301f0fdd95bc10bf67f9049e161a4e51425dac87949387c54c9167f"
|
|||
|
id = "f182064d-3a91-5a61-aa0f-2ce491a60126"
|
|||
|
strings:
|
|||
|
$s1 = "QWNjZXB0On" fullword ascii /* base64 encoded string 'Accept:' */
|
|||
|
$s2 = "VXNlci1BZ2VudDogT" fullword ascii /* b64: User-Agent: */
|
|||
|
$s3 = "dGFzay5kbnME3luLmN" fullword ascii /* b64: task.dns[ */
|
|||
|
condition:
|
|||
|
( uint16(0) == 0x5a4d and filesize < 200KB and 2 of them )
|
|||
|
}
|
|||
|
|
|||
|
rule PassCV_Sabre_Tool_NTScan {
|
|||
|
meta:
|
|||
|
description = "PassCV Malware mentioned in Cylance Report"
|
|||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|||
|
author = "Florian Roth (Nextron Systems)"
|
|||
|
reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
|
|||
|
date = "2016-10-20"
|
|||
|
hash1 = "0f290612b26349a551a148304a0bd3b0d0651e9563425d7c362f30bd492d8665"
|
|||
|
id = "6ec3371a-2a1c-53d1-b650-d28728db1b40"
|
|||
|
strings:
|
|||
|
$x1 = "NTscan.EXE" fullword wide
|
|||
|
$x2 = "NTscan Microsoft " fullword wide
|
|||
|
|
|||
|
$s1 = "admin$" fullword ascii
|
|||
|
condition:
|
|||
|
( uint16(0) == 0x5a4d and filesize < 300KB and 2 of them )
|
|||
|
}
|
|||
|
|
|||
|
rule PassCV_Sabre_Malware_5 {
|
|||
|
meta:
|
|||
|
description = "PassCV Malware mentioned in Cylance Report"
|
|||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|||
|
author = "Florian Roth (Nextron Systems)"
|
|||
|
reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
|
|||
|
date = "2016-10-20"
|
|||
|
hash1 = "03aafc5f468a84f7dd7d7d38f91ff17ef1ca044e5f5e8bbdfe589f5509b46ae5"
|
|||
|
id = "ce8d1b9e-7750-5796-a048-20bfd48c6aee"
|
|||
|
strings:
|
|||
|
$x1 = "ncircTMPg" fullword ascii
|
|||
|
$x2 = "~SHELL#" fullword ascii
|
|||
|
$x3 = "N.adobe.xm" fullword ascii
|
|||
|
|
|||
|
$s1 = "NEL32.DLL" fullword ascii
|
|||
|
$s2 = "BitLocker.exe" fullword wide
|
|||
|
$s3 = "|xtplhd" fullword ascii /* reversed goodware string 'dhlptx|' */
|
|||
|
$s4 = "SERVICECORE" fullword wide
|
|||
|
$s5 = "SHARECONTROL" fullword wide
|
|||
|
condition:
|
|||
|
( uint16(0) == 0x5a4d and filesize < 4000KB and 1 of ($x*) or all of ($s*) )
|
|||
|
}
|