/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2017-10-20
   Identifier: BadPatch
   Reference: https://goo.gl/RvDwwA

   Reviewer note: the reference is an opaque goo.gl shortlink. Google has
   retired the goo.gl service, so this link may no longer resolve; when
   maintaining this file, replace it with the full URL of the BadPatch
   report so analysts can verify the sample hashes below against the
   original source.
*/

/* Rule Set ----------------------------------------------------------------- */

rule WinAgent_BadPatch_1 {
   meta:
      description = "Detects samples mentioned in BadPatch report"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://goo.gl/RvDwwA"
      date = "2017-10-20"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      hash1 = "285998bce9692e46652529685775aa05e3a5cb93ee4e65d021d2231256e92813"
      id = "732792ed-cb70-5b69-8457-f54177e4609e"
   strings:
      /* $x* = high-confidence indicators; a single hit fires the rule.
         $x1-$x3 look like developer build/source paths left in the binary,
         $x4-$x6 are hard-coded file paths under a "Microsoft" directory
         (presumably log/drop locations), and $x7-$x11 are status messages
         that appear to belong to the sample's "patch"/update routine. */
      $x1 = "J:\\newPatch\\downloader\\" wide
      $x2 = "L:\\rashed\\New code\\" wide
      $x3 = ":\\newPatch\\last version\\" wide
      $x4 = "\\Microsoft\\Microsoft\\Microsoft1.log" wide
      $x5 = "\\Microsoft\\Microsoft\\Microsoft.log" wide
      $x6 = "\\Microsoft\\newPP.exe" wide
      $x7 = " (this is probably a proxy server error)." fullword wide
      $x8 = " :Old - update patch and check anti-virus.. " fullword wide
      $x9 = "PatchNotExit-- download now.. " fullword wide
      $x10 = "PatchNotExit-- Check Version" fullword wide
      $x11 = "PatchNotExit-- Version Patch" fullword wide

      /* $s* = weaker, generic-looking download/update identifiers. On
         their own these only count towards the "4 of them" threshold. */
      $s1 = "downloader " fullword wide
      $s2 = "DelDownloadFile" fullword ascii
      $s3 = "downloadFile" fullword ascii
      $s4 = "downloadUpdate" fullword wide
   condition:
      uint16(0) == 0x5a4d          // "MZ": restrict to PE images
      and filesize < 600KB         // the referenced sample is small; keeps scans cheap
      and (
         4 of them                 // several weak/strong strings together, or
         or 1 of ($x*)             // any single high-confidence artefact
      )
}
rule WinAgent_BadPatch_2 {
   meta:
      description = "Detects samples mentioned in BadPatch report"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://goo.gl/RvDwwA"
      date = "2017-10-20"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      /* SHA-256 of the samples this rule was written against. */
      hash1 = "106deff16a93c4a4624fe96e3274e1432921c56d5a430834775e5b98861c00ea"
      hash2 = "ece76fdf7e33d05a757ef5ed020140d9367c7319022a889923bbfacccb58f4d7"
      hash3 = "cf53fc8c9ce4e5797cc5ac6f71d4cbc0f2b15f2ed43f38048a5273f40bc09876"
      hash4 = "802a39b22dfacdc2325f8a839377c903b4a7957503106ce6f7aed67e824b82c2"
      hash5 = "278dba3857367824fc2d693b7d96cef4f06cb7fdc52260b1c804b9c90d43646d"
      hash6 = "2941f75da0574c21e4772f015ef38bb623dd4d0c81c263523d431b0114dd847e"
      hash7 = "46f3afae22e83344e4311482a9987ed851b2de282e8127f64d5901ac945713c0"
      hash8 = "27752bbb01abc6abf50e1da3a59fefcce59618016619d68690e71ad9d4a3c247"
      hash9 = "050610cfb3d3100841685826273546c829335a5f4e2e4260461b88367ad9502c"
      id = "648528f0-351c-527e-b516-2c8cae9fb4a3"
   strings:
      /* Strings that look like HTTP form parameters and tags of the
         command channel (shell result upload, screenshot/"GIF" upload,
         remote shell marker, and a "spytube" tag). These are the most
         specific indicators in the set. */
      $s1 = "myAction=shell_result&serialNumber=" fullword wide
      $s7 = "myAction=newGIF&serialNumber=" fullword wide
      $s5 = "newSHELL[" fullword wide
      $s10 = "spytube____:" fullword ascii

      /* Browser data locations: Chrome's "Login Data" and "Cookies"
         databases and the Firefox profile directory -- consistent with
         credential/cookie collection. Note the lowercase "Appdata" in the
         Chrome paths; keep it, the match is case-sensitive. */
      $s2 = "\\Appdata\\Local\\Google\\Chrome\\User Data\\Default\\Login Data.*" wide
      $s4 = "\\Appdata\\Local\\Google\\Chrome\\User Data\\Default\\Cookies.*" wide
      $s3 = "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" wide

      /* Hard-coded local file/directory names used by the sample
         ("Storege" is the sample's own misspelling -- do not "fix" it). */
      $s6 = "\\file1.txt" wide
      $s8 = "\\Storege1" wide
      $s9 = "\\Microsoft\\mac.txt" wide
      $s13 = "-- SysFile...." fullword wide

      /* Hex-digit blobs embedded as wide strings; presumably encoded
         configuration or strings -- meaning not established here. */
      $s11 = "0D0700045F5C5B0312045A04041F40014B1D11004A1F19074A141100011200154B031C04" fullword wide
      $s12 = "16161A1000012B162503151851065A1A0007" fullword wide
   condition:
      /* NOTE(review): $s2/$s3/$s4, $s6 and $s13 are comparatively generic;
         a benign browser-backup or password-recovery tool naming all three
         browser paths could satisfy the 3-string threshold on its own. If
         false positives surface, consider requiring one of $s1/$s5/$s7/$s10
         in addition to two of the remaining strings. */
      uint16(0) == 0x5a4d          // "MZ": restrict to PE images
      and filesize < 700KB
      and 3 of ($s*)               // all strings are $s*, so this equals "3 of them"
}