// Signatures for code shared across the various malware families (code-similarity tags, not stand-alone detections)
import "pe"
rule Caracachs: sharedcode
{
    // Code-similarity tag (not a detection on its own): fires on the 16-bit mixing
    // step listed below wherever it appears in a PE's .text section.
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"

    strings:
        /*
        Mixing step. Below, 'sum' is shorthand for ((val >> 16) & 0x7FFF) + lastValue;
        sum is shifted right and left by amounts derived from its own low nibble and
        the two results are OR'd back together before being written back.

        B9 10 00 00 00     mov ecx, 10h            ; ecx = 16
        8B 06              mov eax, [esi]          ; eax = lastValue
        C1 EA 10           shr edx, 10h            ; edx = val >> 16
        81 E2 FF 7F 00 00  and edx, 7FFFh          ; edx = (val >> 16) & 0x7FFF
        03 C2              add eax, edx            ; eax = sum
        8B D0              mov edx, eax            ; edx = sum
        8B F8              mov edi, eax            ; edi = sum
        83 E2 0F           and edx, 0Fh            ; edx = sum & 0xF
        2B CA              sub ecx, edx            ; ecx = 16 - (sum & 0xF)
        D3 EF              shr edi, cl             ; edi = sum >> (16 - (sum & 0xF))
        8B CA              mov ecx, edx            ; ecx = sum & 0xF
        D3 E0              shl eax, cl             ; eax = sum << (sum & 0xF)
        0B F8              or edi, eax             ; edi = (sum >> (16 - (sum & 0xF))) | (sum << (sum & 0xF))
        89 3E              mov [esi], edi          ; *pLastValue = edi

        Wildcards: B? accepts any mov r32, imm32 encoding (B8-BF) and each ?? frees
        the ModR/M byte, so a build that allocates registers differently still
        matches. The immediates 16, 0x7FFF and 0xF are pinned and carry the signal.
        */
        $a = {
            B? 10 00 00 00
            8B ??
            C1 ?? 10
            81 ?? FF 7F 00 00
            03 ??
            8B ??
            8B ??
            83 ?? 0F
            2B ??
            D3 ??
            8B ??
            D3 ??
            0B ??
            89 ??
        }

    condition:
        // Search only the raw bytes of the section literally named ".text". A sample
        // whose code section carries another name (packed or renamed sections) will
        // not match; scan the unpacked binary.
        $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule StringDotSimplified: sharedcode
{
    // Code-similarity tag: a string "cleanup" loop that copies a NUL-terminated
    // string byte by byte while dropping every '.' (0x2E) and ' ' (0x20). The
    // obfuscated API names seen in the same sample ("Lo.adL ibr.ar yW") are padded
    // with exactly those two characters, so this is consistent with the routine that
    // restores them before GetProcAddress (not verified beyond the listing).
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"

    strings:
        /*
        F3 AB     rep stosd                 ; buffer fill (eax/ecx/edi setup precedes the listing)
        80 3A 00  cmp byte ptr [edx], 0     ; end of source string?
        74 15     jz short loc_404170       ; yes -> done
        8A 02     mov al, [edx]             ; al = next source byte
        3C 2E     cmp al, 2Eh               ; '.' ?
        74 07     jz short loc_404168       ; skip it
        3C 20     cmp al, 20h               ; ' ' ?
        74 03     jz short loc_404168       ; skip it
        88 06     mov [esi], al             ; keep the byte
        46        inc esi

        Wildcards: only the ModR/M byte of the first cmp and the three jz
        displacements are freed; the source ([edx]) and destination ([esi]) registers
        and the two compared characters are pinned.
        */
        $a = {
            F3 AB
            80 ?? 00
            74 ??
            8A 02
            3C 2E
            74 ??
            3C 20
            74 ??
            88 06
            46
        }

    condition:
        // Restricted to the raw bytes of the section named ".text"; packed or
        // renamed-section samples will not match until unpacked.
        $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule FakeTLS_ServerHelloGetSelectedCipher: sharedcode
{
    // Code-similarity tag: branch-free selection keyed on the cipher-suite ID pulled
    // from a (fake) TLS ServerHello.
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"

    strings:
        /*
        24 10           and al, 10h
        0C 10           or al, 10h
        89 07           mov [edi], eax
        66 8B 44 24 14  mov ax, [esp+0Ch+wCipherSuiteID]
        66 3D 00 C0     cmp ax, 0C000h
        73 34           jnb short loc_4067C1      ; IDs >= 0xC000 handled on another path
        66 2D 35 00     sub ax, 35h
        66 F7 D8        neg ax                    ; CF = (ID != 0x35)
        1B C0           sbb eax, eax              ; eax = 0 if ID == 0x35, else 0xFFFFFFFF
        24 80           and al, 80h               ; eax = 0 or 0xFFFFFF80
        05 00 01 00 00  add eax, 100h             ; eax = 0x100 if ID == 0x35, else 0x80 (wraps)
        8B D8           mov ebx, eax
        53              push ebx ; hostshort

        Net effect: 0x100 for cipher suite 0x0035, 0x80 for any other ID below 0xC000.
        (0x0035 is TLS_RSA_WITH_AES_256_CBC_SHA in the IANA registry, so this is
        presumably a key length in bits -- inferred, not verified here.)

        Wildcards free register choices, the stack displacement and the jump target;
        the constants 0x10, 0xC000, 0x35, 0x80 and 0x100 are pinned.
        */
        $a = {
            24 10
            0C 10
            89 ??
            66 8? [3]
            66 3? 00 C0
            73 ??
            66 2? 35 00
            66 F7 ??
            1B ??
            2? 80
            0? 00 01 00 00
            8B ??
            5?
        }

    condition:
        // Restricted to the raw bytes of the section named ".text"; packed or
        // renamed-section samples will not match until unpacked.
        $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule XORDecodeA7: sharedcode
{
    // Code-similarity tag: single-byte XOR (key 0xA7) applied in place, with the loop
    // bound re-derived from an inline strlen on every iteration.
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"

    strings:
        /*
        8A 04 17  mov al, [edi+edx]
        8B FB     mov edi, ebx
        34 A7     xor al, 0A7h          ; key byte -- the only pinned data byte in the pattern
        46        inc esi               ; esi = loop index
        88 02     mov [edx], al
        83 C9 FF  or ecx, 0FFFFFFFFh    ; \
        33 C0     xor eax, eax          ;  | inline strlen: ecx = -1, scan for 0,
        42        inc edx               ;  | not/dec turns the remaining count into
        F2 AE     repne scasb           ;  | the string length
        F7 D1     not ecx               ;  |
        49        dec ecx               ; /
        3B F1     cmp esi, ecx          ; index vs. length (the conditional jump follows, not shown)

        Caveat: 0xA7 is what keeps this from matching generic XOR loops; a variant
        built with a different key byte will not match.
        */
        $a = {
            8A [2]
            8B ??
            34 A7
            46
            88 ??
            83 ?? FF
            33 ??
            4?
            F2 AE
            F7 ??
            4?
            3B ??
        }

    condition:
        // Restricted to the raw bytes of the section named ".text"; packed or
        // renamed-section samples will not match until unpacked.
        $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule DynamicAPILoading: sharedcode
{
    // Code-similarity tag: three back-to-back "resolve API, store pointer to a global,
    // clean up the next obfuscated name" steps. The first resolution goes through the
    // import table (ds:GetProcAddress) and its result is saved; the following two go
    // through that saved pointer. The obfuscated name pushed right before each store
    // is the argument of the CleanupString call that follows, i.e. the name resolved
    // in the next step.
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"

    strings:
        /*
        83 C4 04           add esp, 4                  ; caller cleanup after CleanupString
        50                 push eax ; lpProcName       ; cleaned name
        56                 push esi ; hModule
        FF 15 20 F0 40 00  call ds:GetProcAddress
        68 A8 0C 41 00     push offset aLo_adlIbr_arYw; "Lo.adL ibr.ar yW"
        A3 DC 3E 41 00     mov GetProcAddress_0, eax   ; save the pointer just resolved
        E8 7D FF FF FF     call CleanupString          ; strips '.' and ' ' (see StringDotSimplified)
        83 C4 04           add esp, 4
        50                 push eax ; _DWORD
        56                 push esi ; _DWORD
        FF 15 DC 3E 41 00  call GetProcAddress_0
        68 94 0C 41 00     push offset aLoad_LibR_arYa; "Load. Lib r.ar yA"
        A3 D4 3E 41 00     mov LoadLibraryW, eax
        E8 63 FF FF FF     call CleanupString
        83 C4 04           add esp, 4
        50                 push eax ; _DWORD
        56                 push esi ; _DWORD
        FF 15 DC 3E 41 00  call GetProcAddress_0
        68 80 0C 41 00     push offset a_frE_eliBr_arY; ".Fr e.eLi br.ar y"
        A3 D8 3E 41 00     mov LoadLibraryA_0, eax
        E8 49 FF FF FF     call CleanupString

        Pattern notes: every address is wildcarded, so the signal is purely the
        three-fold repetition of add/push/push/call [mem]/push imm32/mov [mem],eax/
        call rel32. FF 15 [4] matches both the IAT call and the calls through the saved
        global. The trailing E8 is left without its displacement on purpose.
        */
        $a = {
            83 C4 ??
            5?
            5?
            FF 15 [4]
            68 [4]
            A3 [4]
            E8 [4]
            83 C4 ??
            5?
            5?
            FF 15 [4]
            68 [4]
            A3 [4]
            E8 [4]
            83 C4 ??
            5?
            5?
            FF 15 [4]
            68 [4]
            A3 [4]
            E8
        }

    condition:
        // Restricted to the raw bytes of the section named ".text"; packed or
        // renamed-section samples will not match until unpacked.
        $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule DNSCalcStyleEncodeAndDecode: sharedcode
{
    // Code-similarity tag: per-byte "xor imm8 then sub imm8" loop (decode) or its
    // reversed form (encode). Both immediate-operand instructions encode as 80 /r ib,
    // so the pattern below covers either order.
    //
    // Caveat: with the immediates wildcarded this is a very generic byte loop
    // (load / two 80-group ops / store / inc / dec / jnz) and will hit benign code;
    // treat it as a weak indicator to be combined with other rules, not alone.
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "975522bc3e07f7aa2c4a5457e6cc16c49a148b9f731134b8971983225835577e"

    strings:
        /*
        8A 10     mov dl, [eax]
        80 F2 73  xor dl, 73h      <--- for decoding and encoding, this and
        80 EA 3A  sub dl, 3Ah      <--- this could be reversed, but the sig holds since both are 0x80
        88 10     mov [eax], dl
        40        inc eax          ; next byte
        49        dec ecx          ; remaining count
        75 F2     jnz short loc_1000403C
        */
        $a = {
            8A ??
            80 ?? ??
            80 ?? ??
            88 ??
            4?
            4?
            75 ??
        }

    condition:
        // Restricted to the raw bytes of the section named ".text"; packed or
        // renamed-section samples will not match until unpacked.
        $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule GenerateTLSClientHelloPacket_Test: sharedcode
{
    // Code-similarity tag, experimental (note the _Test suffix). The bytes below are
    // the compiler's idiom for a signed `x % 8` and nothing else, so expect this to
    // match plenty of unrelated code; do not use it as a stand-alone detection.
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"

    strings:
        /*
        25 07 00 00 80  and eax, 80000007h   ; keep low 3 bits plus the sign bit
        79 05           jns short loc_405EC8 ; non-negative input: result is final
        48              dec eax              ; \ fix-up for negative inputs
        83 C8 F8        or eax, 0FFFFFFF8h   ;  | (signed remainder)
        40              inc eax              ; /

        The original analyst noted the jns is always taken in this function,
        presumably because the input is never negative -- not verified here.
        */
        $a = {
            25 07 00 00 80
            79 ??
            4?
            83 ?? F8
            4?
        }

    condition:
        // Restricted to the raw bytes of the section named ".text"; packed or
        // renamed-section samples will not match until unpacked.
        $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule RC4SboxKeyGen: sharedcode
{
    // Code-similarity tag: S-box byte load followed by the signed `i % 16` idiom,
    // i.e. a key-scheduling loop that indexes a 16-byte key. Apart from the byte
    // load this is a generic compiler idiom, so expect false positives when the
    // rule is used on its own.
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "RT_RCDATA_101.bin.bin"

    strings:
        /*
        8A 4C 04 08        mov cl, [esp+eax+108h+sbox]  ; cl = sbox[i]
        8B D0              mov edx, eax
        81 E2 0F 00 00 80  and edx, 8000000Fh           ; i % 16: low 4 bits plus sign bit
        79 05              jns short loc_10003AC8       ; non-negative i: edx is final (key[i % 16] load follows, not shown)
        4A                 dec edx                      ; \ fix-up for negative i
        83 CA F0           or edx, 0FFFFFFF0h           ;  | (signed remainder)
        42                 inc edx                      ; /

        Pinned bytes: the 0x8000000F mask and the 0xFFFFFFF0 fix-up (key length 16);
        registers and displacements are wildcarded.
        */
        $a = {
            8A [3]
            8B ??
            81 ?? 0F 00 00 80
            79 ??
            4?
            83 ?? F0
            4?
        }

    condition:
        // Restricted to the raw bytes of the section named ".text"; packed or
        // renamed-section samples will not match until unpacked.
        $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule RandomTimestampGenerator: sharedcode
{
    // Code-similarity tag: fills a SYSTEMTIME with random field values. From the
    // listing: wYear -= 2, wMonth = rand() % 12 + 1, wDay = rand() % 28 + 1,
    // wHour = rand() % 23 + 1, wMinute = rand() % 59 + 1, then one more rand() % 59
    // (the field it feeds is past the end of the listing). Presumably used to
    // timestomp artifacts -- inferred from the shape, not shown here.
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "RT_RCDATA_101.bin.bin joanap baseline sample"

    strings:
        /*
        66 81 44 24 0C FE FF  add [esp+1Ch+SystemTime.wYear], 0FFFEh   ; wYear -= 2 (16-bit wrap)
        FF D6                 call esi ; rand
        99                    cdq
        B9 0C 00 00 00        mov ecx, 0Ch                              ; 12
        F7 F9                 idiv ecx
        42                    inc edx                                   ; 1..12
        66 89 54 24 0E        mov [esp+1Ch+SystemTime.wMonth], dx
        FF D6                 call esi ; rand
        99                    cdq
        B9 1C 00 00 00        mov ecx, 1Ch                              ; 28
        F7 F9                 idiv ecx
        42                    inc edx                                   ; 1..28
        66 89 54 24 12        mov [esp+1Ch+SystemTime.wDay], dx
        FF D6                 call esi ; rand
        99                    cdq
        B9 17 00 00 00        mov ecx, 17h                              ; 23
        F7 F9                 idiv ecx
        42                    inc edx                                   ; 1..23
        66 89 54 24 14        mov [esp+1Ch+SystemTime.wHour], dx
        FF D6                 call esi ; rand
        99                    cdq
        B9 3B 00 00 00        mov ecx, 3Bh                              ; 59
        F7 F9                 idiv ecx
        42                    inc edx                                   ; 1..59
        66 89 54 24 16        mov [esp+1Ch+SystemTime.wMinute], dx
        FF D6                 call esi ; rand
        99                    cdq
        B9 3B 00 00 00        mov ecx, 3Bh                              ; 59
        F7 F9                 idiv ecx

        Pattern notes: the divisors 12/28/23/59/59 and the 0xFFFE year adjustment are
        pinned. The first rand() call is wildcarded (FF [1-4]) but the later ones are
        pinned to `call esi` (FF D6), so a build that calls rand through another
        register will not match.
        */
        $a = {
            66 81 [3] FE FF
            FF [1-4]
            99
            B9 0C 00 00 00
            F7 [1-4]
            42
            66 89 [3]
            FF D6
            99
            B9 1C 00 00 00
            F7 [1-4]
            42
            66 89 [3]
            FF D6
            99
            B9 17 00 00 00
            F7 [1-4]
            42
            66 89 [3]
            FF D6
            99
            B9 3B 00 00 00
            F7 [1-4]
            42
            66 89 [3]
            FF D6
            99
            B9 3B 00 00 00
            F7
        }

    condition:
        // Restricted to the raw bytes of the section named ".text"; packed or
        // renamed-section samples will not match until unpacked.
        $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

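rule CPUInfoExtraction: sharedcode
{
    // Code-similarity tag (tagged "sharedcode" like every other rule in this file so
    // it can be selected together with them): copies a 16-byte CPUID result block
    // from [edx] into locals and into the object at [esi+36Ch]/[esi+370h], then calls
    // GetCPUIDValues with 0x80000000 and compares the first returned dword against
    // 0x80000000. 0x80000000 is the base of the CPUID extended leaves, so this is
    // presumably a max-extended-leaf check -- inferred from the IDA label, not verified.
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "Cmd10010_296fcc9d611ca1b8f8288192d6d854cf4072853010cc65cb0c7f958626999fbd.bin"

    strings:
        /*
        68 00 00 00 80     push 80000000h ; a2
        8B 02              mov eax, [edx]
        8B 4A 04           mov ecx, [edx+4]
        89 4C 24 10        mov [esp+2Ch+var_1C], ecx
        8B 4A 08           mov ecx, [edx+8]
        89 4C 24 14        mov [esp+2Ch+var_18], ecx
        8B 4A 0C           mov ecx, [edx+0Ch]
        8D 54 24 1C        lea edx, [esp+2Ch+var_10]
        89 8E 70 03 00 00  mov [esi+370h], ecx
        52                 push edx ; a1
        8B CE              mov ecx, esi
        89 86 6C 03 00 00  mov [esi+36Ch], eax
        E8 29 FF FF FF     call GetCPUIDValues
        8B C8              mov ecx, eax
        8B 01              mov eax, [ecx]
        3D 00 00 00 80     cmp eax, 80000000h
        8B 51 04           mov edx, [ecx+4]

        Pinned bytes: the two 0x80000000 constants and the +4/+8/+0Ch displacements of
        the 16-byte copy; registers, stack offsets, the object offsets and the call
        target are wildcarded.
        */
        $a = {
            68 00 00 00 80
            8B ??
            8B ?? 04
            89 [3]
            8B ?? 08
            89 [3]
            8B ?? 0C
            8D [3]
            89 [5]
            5?
            8B ??
            89 [5]
            E8 [4]
            8B ??
            8B ??
            3D 00 00 00 80
            8B ?? 04
        }

    condition:
        // Restricted to the raw bytes of the section named ".text"; packed or
        // renamed-section samples will not match until unpacked.
        $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}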