44 lines
2 KiB
Text
44 lines
2 KiB
Text
|
rule Mal_Infostealer_MSI_EXE_Jupyter_Certificate
|
||
|
{
|
||
|
meta:
|
||
|
description = "Detects Jupter by certificate"
|
||
|
reference = "https://blogs.blackberry.com/en/2022/01/threat-thursday-jupyter-infostealer-is-a-master-of-disguise"
|
||
|
author = "BlackBerry Threat Research Team"
|
||
|
date = "2021-11-04"
|
||
|
license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
|
||
|
|
||
|
strings:
|
||
|
// MSI Installer
|
||
|
$msi = { D0 CF 11 E0 A1 B1 1A E1 }
|
||
|
|
||
|
// MSI Strings
|
||
|
$a1 = "EMCO MSI Package Builder"
|
||
|
|
||
|
// PowerShell execution strings
|
||
|
$b1 = "powershell-ExecutionPolicy bypass -command \"iex([\\[]IO.File[\\]]::ReadAllText('[CurrentUserProfileFolder]" nocase
|
||
|
$b2 = "powershell-ep bypass -file \"[AppDataFolder]" nocase
|
||
|
$b3 = /powershell-ep bypass -windowstyle hidden -command \"\$xp=\'\[AppDataFolder\].{0,256}\.{0,256}\'/ nocase
|
||
|
$b4 = /powershell-ep bypass -windowstyle hidden -command \"\$p=\'\[AppDataFolder\].{0,256}\.{0,256}\'/ nocase
|
||
|
$b5 = /powershell-ExecutionPolicy bypass -command \"iex\(\[\\\[\]IO.File\[\\\]\]::ReadAllText\(\'\[CurrentUserProfileFolder\].{1,256}\..{1,256}\'\)\)/ nocase
|
||
|
|
||
|
// Certificate Name
|
||
|
$c1 = "OOO ENDI"
|
||
|
$c2 = "OOO MVS"
|
||
|
$c3 = "OOO LEVELAP"
|
||
|
$c4 = "Soto Manufacturing SRL"
|
||
|
$c5 = "Decapolis Consulting Inc."
|
||
|
|
||
|
// Co-signers
|
||
|
$f1 = "SSL.com EV Root Certification Authority RSA R2"
|
||
|
$f2 = "SSL.com EV Code Signing Intermediate CA RSA R3"
|
||
|
$f3 = "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1"
|
||
|
$f4 = "DigiCert Trusted Root G40"
|
||
|
|
||
|
condition:
|
||
|
($msi at 0 or uint16(0) == 0x5a4d) and
|
||
|
all of ($a*) and
|
||
|
1 of ($b*) and
|
||
|
1 of ($c*) and
|
||
|
2 of ($f*)
|
||
|
}
|