630 lines
20 KiB
Text
630 lines
20 KiB
Text
|
rule BlackShades {
|
||
|
meta:
|
||
|
rule_group = "implant"
|
||
|
implant = "BlackShades"
|
||
|
|
||
|
description = "BlackShades implant"
|
||
|
id = "CSE_900000"
|
||
|
organisation = "CSE"
|
||
|
poc = "malware_dev@cse"
|
||
|
rule_version = "1"
|
||
|
yara_version = "3.4"
|
||
|
|
||
|
author = "Brian Wallace (@botnet_hunter)"
|
||
|
creation_date = "2016-03-23T15:26:52.062158Z"
|
||
|
date = "2014/04"
|
||
|
family = "blackshades"
|
||
|
last_saved_by = "malware_dev"
|
||
|
ref = "http://blog.cylance.com/a-study-in-bots-blackshades-net"
|
||
|
al_configdumper = "al_services.alsvc_configdecoder.ext.RATDecoders.BlackShades.run"
|
||
|
al_configparser = "GenericParser"
|
||
|
al_imported_by = "malware_dev"
|
||
|
al_status = "DEPLOYED"
|
||
|
|
||
|
strings:
|
||
|
$string1 = "bal_server"
|
||
|
$string2 = "txtChat"
|
||
|
$string3 = "UDPFlood"
|
||
|
|
||
|
condition:
|
||
|
all of them
|
||
|
|
||
|
}
|
||
|
|
||
|
rule Punisher {
|
||
|
meta:
|
||
|
rule_group = "implant"
|
||
|
implant = "Punisher"
|
||
|
|
||
|
description = "Punisher implant"
|
||
|
id = "CSE_900002"
|
||
|
organisation = "CSE"
|
||
|
poc = "malware_dev@cse"
|
||
|
rule_version = "1"
|
||
|
yara_version = "3.4"
|
||
|
|
||
|
author = " Kevin Breen <kevin@techanarchy.net>"
|
||
|
creation_date = "2016-03-23T15:26:52.079754Z"
|
||
|
date = "2014/04"
|
||
|
filetype = "exe"
|
||
|
last_saved_by = "malware_dev"
|
||
|
maltype = "Remote Access Trojan"
|
||
|
ref = "http://malwareconfig.com/stats/Punisher"
|
||
|
al_configdumper = "al_services.alsvc_configdecoder.ext.RATDecoders.Punisher.run"
|
||
|
al_configparser = "GenericParser"
|
||
|
al_imported_by = "malware_dev"
|
||
|
al_status = "DEPLOYED"
|
||
|
|
||
|
strings:
|
||
|
$a = "abccba"
|
||
|
$b = {5C 00 68 00 66 00 68 00 2E 00 76 00 62 00 73}
|
||
|
$c = {5C 00 73 00 63 00 2E 00 76 00 62 00 73}
|
||
|
$d = "SpyTheSpy" wide ascii
|
||
|
$e = "wireshark" wide
|
||
|
$f = "apateDNS" wide
|
||
|
$g = "abccbaDanabccb"
|
||
|
|
||
|
condition:
|
||
|
all of them
|
||
|
|
||
|
}
|
||
|
|
||
|
rule gh0st {
|
||
|
meta:
|
||
|
rule_group = "implant"
|
||
|
implant = "gh0st"
|
||
|
|
||
|
description = "gh0st implant"
|
||
|
id = "CSE_900003"
|
||
|
organisation = "CSE"
|
||
|
poc = "malware_dev@cse"
|
||
|
rule_version = "1"
|
||
|
yara_version = "3.4"
|
||
|
|
||
|
creation_date = "2016-03-23T15:26:52.087951Z"
|
||
|
last_saved_by = "malware_dev"
|
||
|
al_configdumper = "al_services.alsvc_configdecoder.ext.RATDecoders.Gh0st.run"
|
||
|
al_configparser = "GenericParser"
|
||
|
al_imported_by = "malware_dev"
|
||
|
al_status = "DEPLOYED"
|
||
|
|
||
|
strings:
|
||
|
// File 11401249a0e499a3cd2dc147d9600ff8.exe @ 0x00460E80 (2015-11-18)
|
||
|
$Match_00460e80 = { 8b 44 24 04 56 8b 70 1c 8b 48 10 8b 56 14 3b d1 76 02 8b d1 85 d2 74 58 8b 76 10 8b ca 53 8b d9 57 8b 78 0c c1 e9 02 f3 a5 8b cb 83 e1 03 f3 a4 8b 78 0c 8b 48 1c 03 fa 89 78 0c 8b 71 10 03 f2 89 71 10 8b 58 14 8b 78 10 8b 48 1c 03 da 2b fa 89 58 14 89 78 10 8b 71 14 5f 2b f2 5b 89 71 14 8b 40 1c 8b 48 14 85 c9 75 06 8b 48 08 89 48 10 5e c3 }
|
||
|
|
||
|
condition:
|
||
|
all of them
|
||
|
|
||
|
}
|
||
|
|
||
|
rule Xtreme {
|
||
|
meta:
|
||
|
rule_group = "implant"
|
||
|
implant = "Xtreme"
|
||
|
|
||
|
description = "Xtreme implant"
|
||
|
id = "CSE_900004"
|
||
|
organisation = "CSE"
|
||
|
poc = "malware_dev@cse"
|
||
|
rule_version = "1"
|
||
|
yara_version = "3.4"
|
||
|
|
||
|
author = " Kevin Breen <kevin@techanarchy.net>"
|
||
|
creation_date = "2016-03-23T15:26:52.095338Z"
|
||
|
date = "2014/04"
|
||
|
filetype = "exe"
|
||
|
last_saved_by = "malware_dev"
|
||
|
maltype = "Remote Access Trojan"
|
||
|
ref = "http://malwareconfig.com/stats/Xtreme"
|
||
|
al_configdumper = "al_services.alsvc_configdecoder.ext.RATDecoders.Xtreme.run"
|
||
|
al_configparser = "GenericParser"
|
||
|
al_imported_by = "malware_dev"
|
||
|
al_status = "DEPLOYED"
|
||
|
ver = "2.9, 3.1, 3.2, 3.5"
|
||
|
|
||
|
strings:
|
||
|
$a = "XTREME" wide
|
||
|
$b = "ServerStarted" wide
|
||
|
$c = "XtremeKeylogger" wide
|
||
|
$d = "x.html" wide
|
||
|
$e = "Xtreme RAT" wide
|
||
|
|
||
|
condition:
|
||
|
all of them
|
||
|
|
||
|
}
|
||
|
|
||
|
rule Bozok {
|
||
|
meta:
|
||
|
rule_group = "implant"
|
||
|
implant = "Bozok"
|
||
|
|
||
|
description = "Bozok implant"
|
||
|
id = "CSE_900005"
|
||
|
organisation = "CSE"
|
||
|
poc = "malware_dev@cse"
|
||
|
rule_version = "1"
|
||
|
yara_version = "3.4"
|
||
|
|
||
|
author = " Kevin Breen <kevin@techanarchy.net>"
|
||
|
creation_date = "2016-03-23T15:26:52.101921Z"
|
||
|
date = "2014/04"
|
||
|
filetype = "exe"
|
||
|
last_saved_by = "malware_dev"
|
||
|
maltype = "Remote Access Trojan"
|
||
|
ref = "http://malwareconfig.com/stats/Bozok"
|
||
|
al_configdumper = "al_services.alsvc_configdecoder.ext.RATDecoders.Bozok.run"
|
||
|
al_configparser = "GenericParser"
|
||
|
al_imported_by = "malware_dev"
|
||
|
al_status = "DEPLOYED"
|
||
|
|
||
|
strings:
|
||
|
$a = "getVer" nocase
|
||
|
$b = "StartVNC" nocase
|
||
|
$c = "SendCamList" nocase
|
||
|
$d = "untPlugin" nocase
|
||
|
$e = "gethostbyname" nocase
|
||
|
|
||
|
condition:
|
||
|
all of them
|
||
|
|
||
|
}
|
||
|
|
||
|
rule CyberGate {
|
||
|
meta:
|
||
|
rule_group = "implant"
|
||
|
implant = "CyberGate"
|
||
|
|
||
|
description = "CyberGate implant"
|
||
|
id = "CSE_900006"
|
||
|
organisation = "CSE"
|
||
|
poc = "malware_dev@cse"
|
||
|
rule_version = "1"
|
||
|
yara_version = "3.4"
|
||
|
|
||
|
author = " Kevin Breen <kevin@techanarchy.net>"
|
||
|
creation_date = "2016-03-23T15:26:52.107496Z"
|
||
|
date = "2014/04"
|
||
|
filetype = "exe"
|
||
|
last_saved_by = "malware_dev"
|
||
|
maltype = "Remote Access Trojan"
|
||
|
ref = "http://malwareconfig.com/stats/CyberGate"
|
||
|
al_configdumper = "al_services.alsvc_configdecoder.ext.RATDecoders.CyberGate.run"
|
||
|
al_configparser = "GenericParser"
|
||
|
al_imported_by = "malware_dev"
|
||
|
al_status = "DEPLOYED"
|
||
|
|
||
|
strings:
|
||
|
$string1 = {23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23}
|
||
|
$string2 = {23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23}
|
||
|
$string3 = "EditSvr"
|
||
|
$string4 = "TLoader"
|
||
|
$string5 = "Stroks"
|
||
|
$string6 = "####@####"
|
||
|
$res1 = "XX-XX-XX-XX"
|
||
|
$res2 = "CG-CG-CG-CG"
|
||
|
|
||
|
condition:
|
||
|
all of ($string*) and any of ($res*)
|
||
|
|
||
|
}
|
||
|
|
||
|
rule NanoCore {
|
||
|
meta:
|
||
|
rule_group = "implant"
|
||
|
implant = "NanoCore"
|
||
|
|
||
|
description = "NanoCore implant"
|
||
|
id = "CSE_900007"
|
||
|
organisation = "CSE"
|
||
|
poc = "malware_dev@cse"
|
||
|
rule_version = "1"
|
||
|
yara_version = "3.4"
|
||
|
|
||
|
author = " Kevin Breen <kevin@techanarchy.net>"
|
||
|
creation_date = "2016-03-23T15:26:52.114711Z"
|
||
|
date = "2014/04"
|
||
|
filetype = "exe"
|
||
|
last_saved_by = "malware_dev"
|
||
|
maltype = "Remote Access Trojan"
|
||
|
ref = "http://malwareconfig.com/stats/NanoCore"
|
||
|
al_configdumper = "al_services.alsvc_configdecoder.ext.RATDecoders.NanoCore.run"
|
||
|
al_configparser = "GenericParser"
|
||
|
al_imported_by = "malware_dev"
|
||
|
al_status = "DEPLOYED"
|
||
|
|
||
|
strings:
|
||
|
$a = "NanoCore"
|
||
|
$b = "ClientPlugin"
|
||
|
$c = "ProjectData"
|
||
|
$d = "DESCrypto"
|
||
|
$e = "KeepAlive"
|
||
|
$f = "IPNETROW"
|
||
|
$g = "LogClientMessage"
|
||
|
$h = "|ClientHost"
|
||
|
$i = "get_Connected"
|
||
|
$j = "#=q"
|
||
|
$key = {43 6f 24 cb 95 30 38 39}
|
||
|
|
||
|
condition:
|
||
|
6 of them
|
||
|
|
||
|
}
|
||
|
|
||
|
rule xRAT {
|
||
|
meta:
|
||
|
rule_group = "implant"
|
||
|
implant = "xRAT"
|
||
|
|
||
|
description = "xRAT implant"
|
||
|
id = "CSE_900008"
|
||
|
organisation = "CSE"
|
||
|
poc = "malware_dev@cse"
|
||
|
rule_version = "1"
|
||
|
yara_version = "3.4"
|
||
|
|
||
|
author = " Kevin Breen <kevin@techanarchy.net>"
|
||
|
creation_date = "2016-03-23T15:26:52.120133Z"
|
||
|
date = "2014/04"
|
||
|
filetype = "exe"
|
||
|
last_saved_by = "malware_dev"
|
||
|
maltype = "Remote Access Trojan"
|
||
|
ref = "http://malwareconfig.com/stats/xRat"
|
||
|
al_configdumper = "al_services.alsvc_configdecoder.ext.RATDecoders.xRat.run"
|
||
|
al_configparser = "GenericParser"
|
||
|
al_imported_by = "malware_dev"
|
||
|
al_status = "DEPLOYED"
|
||
|
|
||
|
strings:
|
||
|
$v1a = "DecodeProductKey"
|
||
|
$v1b = "StartHTTPFlood"
|
||
|
$v1c = "CodeKey"
|
||
|
$v1d = "MESSAGEBOX"
|
||
|
$v1e = "GetFilezillaPasswords"
|
||
|
$v1f = "DataIn"
|
||
|
$v1g = "UDPzSockets"
|
||
|
$v1h = {52 00 54 00 5F 00 52 00 43 00 44 00 41 00 54 00 41}
|
||
|
$v2a = "<URL>k__BackingField"
|
||
|
$v2b = "<RunHidden>k__BackingField"
|
||
|
$v2c = "DownloadAndExecute"
|
||
|
$v2d = "-CHECK & PING -n 2 127.0.0.1 & EXIT" wide
|
||
|
$v2e = "england.png" wide
|
||
|
$v2f = "Showed Messagebox" wide
|
||
|
|
||
|
condition:
|
||
|
all of ($v1*) or all of ($v2*)
|
||
|
|
||
|
}
|
||
|
|
||
|
rule VirusRat {
|
||
|
meta:
|
||
|
rule_group = "implant"
|
||
|
implant = "VirusRat"
|
||
|
|
||
|
description = "VirusRat implant"
|
||
|
id = "CSE_900009"
|
||
|
organisation = "CSE"
|
||
|
poc = "malware_dev@cse"
|
||
|
rule_version = "1"
|
||
|
yara_version = "3.4"
|
||
|
|
||
|
author = " Kevin Breen <kevin@techanarchy.net>"
|
||
|
creation_date = "2016-03-23T15:26:52.125583Z"
|
||
|
date = "2014/04"
|
||
|
filetype = "exe"
|
||
|
last_saved_by = "malware_dev"
|
||
|
maltype = "Remote Access Trojan"
|
||
|
ref = "http://malwareconfig.com/stats/VirusRat"
|
||
|
al_configdumper = "al_services.alsvc_configdecoder.ext.RATDecoders.VirusRat.run"
|
||
|
al_configparser = "GenericParser"
|
||
|
al_imported_by = "malware_dev"
|
||
|
al_status = "DEPLOYED"
|
||
|
|
||
|
strings:
|
||
|
$string0 = "virustotal"
|
||
|
$string1 = "virusscan"
|
||
|
$string2 = "abccba"
|
||
|
$string3 = "pronoip"
|
||
|
$string4 = "streamWebcam"
|
||
|
$string5 = "DOMAIN_PASSWORD"
|
||
|
$string6 = "Stub.Form1.resources"
|
||
|
$string7 = "ftp://{0}@{1}" wide
|
||
|
$string8 = "SELECT * FROM moz_logins" wide
|
||
|
$string9 = "SELECT * FROM moz_disabledHosts" wide
|
||
|
$string10 = "DynDNS\\Updater\\config.dyndns" wide
|
||
|
$string11 = "|BawaneH|" wide
|
||
|
|
||
|
condition:
|
||
|
all of them
|
||
|
|
||
|
}
|
||
|
|
||
|
rule LuxNet {
|
||
|
meta:
|
||
|
rule_group = "implant"
|
||
|
implant = "LuxNet"
|
||
|
|
||
|
description = "LuxNet implant"
|
||
|
id = "CSE_900010"
|
||
|
organisation = "CSE"
|
||
|
poc = "malware_dev@cse"
|
||
|
rule_version = "1"
|
||
|
yara_version = "3.4"
|
||
|
|
||
|
author = " Kevin Breen <kevin@techanarchy.net>"
|
||
|
creation_date = "2016-03-23T15:26:52.131170Z"
|
||
|
date = "2014/04"
|
||
|
filetype = "exe"
|
||
|
last_saved_by = "malware_dev"
|
||
|
maltype = "Remote Access Trojan"
|
||
|
ref = "http://malwareconfig.com/stats/LuxNet"
|
||
|
al_configdumper = "al_services.alsvc_configdecoder.ext.RATDecoders.LuxNet.run"
|
||
|
al_configparser = "GenericParser"
|
||
|
al_imported_by = "malware_dev"
|
||
|
al_status = "DEPLOYED"
|
||
|
|
||
|
strings:
|
||
|
$a = "GetHashCode"
|
||
|
$b = "Activator"
|
||
|
$c = "WebClient"
|
||
|
$d = "op_Equality"
|
||
|
$e = "dickcursor.cur" wide
|
||
|
$f = "{0}|{1}|{2}" wide
|
||
|
|
||
|
condition:
|
||
|
all of them
|
||
|
|
||
|
}
|
||
|
|
||
|
rule njRat {
|
||
|
meta:
|
||
|
rule_group = "implant"
|
||
|
implant = "njRat"
|
||
|
|
||
|
description = "njRat implant"
|
||
|
id = "CSE_900011"
|
||
|
organisation = "CSE"
|
||
|
poc = "malware_dev@cse"
|
||
|
rule_version = "1"
|
||
|
yara_version = "3.4"
|
||
|
|
||
|
author = " Kevin Breen <kevin@techanarchy.net>"
|
||
|
creation_date = "2016-03-23T15:26:52.138482Z"
|
||
|
date = "2014/04"
|
||
|
filetype = "exe"
|
||
|
last_saved_by = "malware_dev"
|
||
|
maltype = "Remote Access Trojan"
|
||
|
ref = "http://malwareconfig.com/stats/njRat"
|
||
|
al_configdumper = "al_services.alsvc_configdecoder.ext.RATDecoders.njRat.run"
|
||
|
al_configparser = "GenericParser"
|
||
|
al_imported_by = "malware_dev"
|
||
|
al_status = "DEPLOYED"
|
||
|
|
||
|
strings:
|
||
|
$s1 = {7C 00 27 00 7C 00 27 00 7C} // |'|'|
|
||
|
$s2 = "netsh firewall add allowedprogram" wide
|
||
|
$s3 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide
|
||
|
$s4 = "yyyy-MM-dd" wide
|
||
|
$v1 = "cmd.exe /k ping 0 & del" wide
|
||
|
$v2 = "cmd.exe /c ping 127.0.0.1 & del" wide
|
||
|
$v3 = "cmd.exe /c ping 0 -n 2 & del" wide
|
||
|
|
||
|
condition:
|
||
|
all of ($s*) and any of ($v*)
|
||
|
|
||
|
}
|
||
|
|
||
|
rule Pandora {
|
||
|
meta:
|
||
|
rule_group = "implant"
|
||
|
implant = "Pandora"
|
||
|
|
||
|
description = "Pandora implant"
|
||
|
id = "CSE_900012"
|
||
|
organisation = "CSE"
|
||
|
poc = "malware_dev@cse"
|
||
|
rule_version = "1"
|
||
|
yara_version = "3.4"
|
||
|
|
||
|
author = " Kevin Breen <kevin@techanarchy.net>"
|
||
|
creation_date = "2016-03-23T15:26:52.144083Z"
|
||
|
date = "2014/04"
|
||
|
filetype = "exe"
|
||
|
last_saved_by = "malware_dev"
|
||
|
maltype = "Remote Access Trojan"
|
||
|
ref = "http://malwareconfig.com/stats/Pandora"
|
||
|
al_configdumper = "al_services.alsvc_configdecoder.ext.RATDecoders.Pandora.run"
|
||
|
al_configparser = "GenericParser"
|
||
|
al_imported_by = "malware_dev"
|
||
|
al_status = "DEPLOYED"
|
||
|
|
||
|
strings:
|
||
|
$a = "Can't get the Windows version"
|
||
|
$b = "=M=Q=U=Y=]=a=e=i=m=q=u=y=}="
|
||
|
$c = "JPEG error #%d" wide
|
||
|
$d = "Cannot assign a %s to a %s" wide
|
||
|
$g = "%s, ProgID:"
|
||
|
$h = "clave"
|
||
|
$i = "Shell_TrayWnd"
|
||
|
$j = "melt.bat"
|
||
|
$k = "\\StubPath"
|
||
|
$l = "\\logs.dat"
|
||
|
$m = "1027|Operation has been canceled!"
|
||
|
$n = "466|You need to plug-in! Double click to install... |"
|
||
|
$0 = "33|[Keylogger Not Activated!]"
|
||
|
|
||
|
condition:
|
||
|
all of them
|
||
|
|
||
|
}
|
||
|
|
||
|
rule njrat: rat {
|
||
|
meta:
|
||
|
rule_group = "implant"
|
||
|
implant = "njrat"
|
||
|
|
||
|
description = "tested against NjRat versions 0.3.6 - 0.7d"
|
||
|
id = "CSE_900013"
|
||
|
organisation = "CSE"
|
||
|
poc = "malware_dev@cse"
|
||
|
rule_version = "1"
|
||
|
yara_version = "3.4"
|
||
|
|
||
|
author = "Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>"
|
||
|
creation_date = "2016-03-23T15:26:52.150257Z"
|
||
|
date = "2015-11-18"
|
||
|
last_saved_by = "malware_dev"
|
||
|
sample = "unpacked: 2b96518a66d251fedb39264e668f588c (0.7d)"
|
||
|
al_configdumper = "external.geekweek.batchNjRat.getConfig"
|
||
|
al_configparser = "GenericParser"
|
||
|
al_imported_by = "malware_dev"
|
||
|
al_status = "DEPLOYED"
|
||
|
type = "info"
|
||
|
updated = "2015-11-18"
|
||
|
version = "1"
|
||
|
|
||
|
strings:
|
||
|
$cnc_traffic_0 = {7C 00 27 00 7C 00 27 00 7C} // looks like: |'|'|
|
||
|
$rights_0 = "netsh firewall add allowedprogram \"" wide
|
||
|
$rights_1 = "netsh firewall delete allowedprogram \"" wide
|
||
|
|
||
|
condition:
|
||
|
(all of ($cnc_traffic_*)) and (all of ($rights_*))
|
||
|
|
||
|
}
|
||
|
|
||
|
rule darkcomet51: rat {
|
||
|
meta:
|
||
|
rule_group = "implant"
|
||
|
implant = "darkcomet51"
|
||
|
|
||
|
description = "DarkComet RAT version 5.1"
|
||
|
id = "CSE_900015"
|
||
|
organisation = "CSE"
|
||
|
poc = "malware_dev@cse"
|
||
|
rule_version = "1"
|
||
|
yara_version = "3.4"
|
||
|
|
||
|
author = "CCIRC"
|
||
|
creation_date = "2016-03-23T15:26:52.162005Z"
|
||
|
date = "2015-11-16"
|
||
|
last_saved_by = "malware_dev"
|
||
|
al_configparser = "DarkComet51"
|
||
|
al_imported_by = "malware_dev"
|
||
|
al_status = "DEPLOYED"
|
||
|
|
||
|
strings:
|
||
|
$config = "D57ABA5857F0AFF67584605E90BE4665C9814BEEC7E"
|
||
|
|
||
|
condition:
|
||
|
any of them
|
||
|
|
||
|
}
|
||
|
|
||
|
rule PoisonIvy {
|
||
|
meta:
|
||
|
rule_group = "implant"
|
||
|
implant = "PoisonIvy"
|
||
|
|
||
|
description = "PoisonIvy implant"
|
||
|
id = "CSE_900016"
|
||
|
organisation = "CSE"
|
||
|
poc = "malware_dev@cse"
|
||
|
rule_version = "1"
|
||
|
yara_version = "3.4"
|
||
|
|
||
|
author = " Kevin Breen <kevin@techanarchy.net>"
|
||
|
creation_date = "2016-03-23T15:26:52.166521Z"
|
||
|
date = "2014/04"
|
||
|
filetype = "exe"
|
||
|
last_saved_by = "malware_dev"
|
||
|
maltype = "Remote Access Trojan"
|
||
|
ref = "http://malwareconfig.com/stats/PoisonIvy"
|
||
|
al_configdumper = "al_services.alsvc_configdecoder.ext.RATDecoders.PoisonIvy.run"
|
||
|
al_configparser = "GenericParser"
|
||
|
al_imported_by = "malware_dev"
|
||
|
al_status = "DEPLOYED"
|
||
|
|
||
|
strings:
|
||
|
$stub = {04 08 00 53 74 75 62 50 61 74 68 18 04}
|
||
|
$string1 = "CONNECT %s:%i HTTP/1.0"
|
||
|
$string2 = "ws2_32"
|
||
|
$string3 = "cks=u"
|
||
|
$string4 = "thj@h"
|
||
|
$string5 = "advpack"
|
||
|
|
||
|
condition:
|
||
|
$stub at 0x1620 and all of ($string*) or (all of them)
|
||
|
|
||
|
}
|
||
|
|
||
|
rule DarkComet {
|
||
|
meta:
|
||
|
rule_group = "implant"
|
||
|
implant = "DarkComet"
|
||
|
|
||
|
description = "DarkComet implant"
|
||
|
id = "CSE_900001"
|
||
|
organisation = "CSE"
|
||
|
poc = "malware_dev@cse"
|
||
|
rule_version = "1"
|
||
|
yara_version = "3.4"
|
||
|
|
||
|
author = " Kevin Breen <kevin@techanarchy.net>"
|
||
|
creation_date = "2016-03-23T15:26:52.071996Z"
|
||
|
date = "2014/04"
|
||
|
filetype = "exe"
|
||
|
last_saved_by = "malware_dev"
|
||
|
maltype = "Remote Access Trojan"
|
||
|
ref = "http://malwareconfig.com/stats/DarkComet"
|
||
|
al_configdumper = "al_services.alsvc_configdecoder.ext.RATDecoders.DarkComet.run"
|
||
|
al_configparser = "GenericParser"
|
||
|
al_imported_by = "malware_dev"
|
||
|
al_status = "DEPLOYED"
|
||
|
|
||
|
strings:
|
||
|
// Versions 2x
|
||
|
$a1 = "#BOT#URLUpdate"
|
||
|
$a2 = "Command successfully executed!"
|
||
|
$a3 = "MUTEXNAME" wide
|
||
|
$a4 = "NETDATA" wide
|
||
|
// Versions 3x & 4x & 5x
|
||
|
$b1 = "FastMM Borland Edition"
|
||
|
$b2 = "%s, ClassID: %s"
|
||
|
$b3 = "I wasn't able to open the hosts file"
|
||
|
$b4 = "#BOT#VisitUrl"
|
||
|
$b5 = "#KCMDDC"
|
||
|
|
||
|
condition:
|
||
|
(all of ($a*) or all of ($b*)) and not darkcomet51
|
||
|
|
||
|
}
|
||
|
|
||
|
rule darkcomet_rc4 {
|
||
|
meta:
|
||
|
rule_group = "implant"
|
||
|
implant = "darkcomet_rc4"
|
||
|
|
||
|
description = "darkcomet_rc4 implant"
|
||
|
id = "CSE_900014"
|
||
|
organisation = "CSE"
|
||
|
poc = "malware_dev@cse"
|
||
|
rule_version = "1"
|
||
|
yara_version = "3.4"
|
||
|
|
||
|
creation_date = "2016-03-23T15:26:52.155838Z"
|
||
|
last_saved_by = "malware_dev"
|
||
|
al_configdumper = "al_services.alsvc_configdecoder.ext.RATDecoders.DarkComet.run"
|
||
|
al_configparser = "GenericParser"
|
||
|
al_imported_by = "malware_dev"
|
||
|
al_status = "DEPLOYED"
|
||
|
|
||
|
strings:
|
||
|
// File 175e27f2e47674e51cb20d9daa8a30c4 @ 0x468438 (2015-11-16)
|
||
|
$darkcomet_rc4 = { 55 8B EC 81 C4 E0 FB FF FF 53 56 57 33 DB 89 9D E0 FB FF FF 89 5D F4 89 5D F0 89 4D EC 89 55 F8 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 45 F8 85 C0 74 05 83 E8 04 8B 00 85 C0 0F 84 3E 02 00 00 8B 45 FC 85 C0 74 05 83 E8 04 8B 00 85 C0 0F 84 2A 02 00 00 8D 95 E0 FB FF FF 8B 45 FC E8 ?? ?? ?? ?? 8B 95 E0 FB FF FF 8D 45 FC E8 ?? ?? ?? ?? 8B 55 F8 8B C2 85 C0 74 05 83 E8 04 8B 00 3D 00 01 00 00 7E 34 68 00 01 00 00 8D 45 F4 B9 01 00 00 00 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04 8D 45 F8 E8 ?? ?? ?? ?? 8B D0 8B 45 F4 B9 00 01 00 00 E8 ?? ?? ?? ?? EB 42 8B DA 85 DB 74 05 83 EB 04 8B 1B 53 8D 45 F4 B9 01 00 00 00 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04 8B 5D F8 85 DB 74 05 83 EB 04 8B 1B 8D 45 F8 E8 ?? ?? ?? ?? 8B D0 8B 45 F4 8B CB E8 ?? ?? ?? ?? 33 F6 8D 85 E4 FB FF FF 89 30 46 83 C0 04 81 FE 00 01 00 00 75 F2 33 DB 33 F6 8D 8D E4 FB FF FF 8B 7D F8 85 FF 74 05 83 EF 04 8B 3F 8B C6 99 F7 FF 8B 45 F4 0F B6 04 10 03 19 03 C3 25 FF 00 00 80 79 07 48 0D 00 FF FF FF 40 8B D8 0F B6 01 88 45 EB 8B 84 9D E4 FB FF FF 89 01 0F B6 45 EB 89 84 9D E4 FB FF FF 46 83 C1 04 81 FE 00 01 00 00 75 AE 33 DB 33 FF 8B 75 FC 85 F6 74 05 83 EE 04 8B 36 56 8D 45 F0 B9 01 00 00 00 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04 8B 75 FC 85 F6 74 05 83 EE 04 8B 36 8D 45 FC E8 ?? ?? ?? ?? 8B D0 8B 45 F0 8B CE E8 ?? ?? ?? ?? 8B 45 FC 85 C0 74 05 83 E8 04 8B 00 48 85 C0 0F 8C 82 00 00 00 40 89 45 E4 33 F6 43 81 E3 FF 00 00 80 79 08 4B 81 CB 00 FF FF FF 43 03 BC 9D E4 FB FF FF 81 E7 FF 00 00 80 79 08 4F 81 CF 00 FF FF FF 47 0F B6 84 9D E4 FB FF FF 88 45 EB 8B 84 BD E4 FB FF FF 89 84 9D E4 FB FF FF 0F B6 45 EB 89 84 BD E4 FB FF FF 8B 84 9D E4 FB FF FF 03 84 BD E4 FB FF FF 25 FF 00 00 80 79 07 48 0D 00 FF FF FF 40 0F B6 84 85 E4 FB FF FF 8B 55 F0 30 04 32 46 FF 4D E4 75 84 8B 45 FC 85 C0 74 05 83 E8 04 8B 00 8B 55 EC 92 E8 ?? ?? ?? ?? 8B 5D FC 85 DB 74 05 83 EB 04 8B 1B 8B 45 EC E8 ?? ?? ?? ?? 8B 55 F0 8B CB E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 85 E0 FB FF FF E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? B9 02 00 00 00 E8 ?? ?? ?? ?? 8D 45 F8 BA 02 00 00 00 E8 ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB CD 5F 5E 5B 8B E5 5D C3 }
|
||
|
|
||
|
condition:
|
||
|
$darkcomet_rc4 and not darkcomet51
|
||
|
|
||
|
}
|