Sneed-Reactivity/yara-Neo23x0/crime_cn_campaign_njrat.yar


/*
Yara Rule Set
Author: Florian Roth
Date: 2018-02-08
Identifier: Disclosed Chinese Malware Set - mostly NjRAT
Reference: https://twitter.com/cyberintproject/status/961714165550342146
*/
import "pe"
/* Rule Set ----------------------------------------------------------------- */
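rule CN_disclosed_20180208_lsls {
    meta:
        description = "Detects malware from disclosed CN malware set"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://twitter.com/cyberintproject/status/961714165550342146"
        date = "2018-02-08"
        hash1 = "94c6a92984df9ed255f4c644261b01c4e255acbe32ddfd0debe38b558f29a6c9"
        id = "c6c4aa72-1a84-552f-bea0-38b332a74233"
    strings:
        // A stock IE10 / Windows 7 browser User-Agent embedded in an ELF
        // binary; the anomaly keyed on here is a Windows browser UA inside
        // a Linux executable.
        // NOTE(review): any ELF tool that spoofs this exact UA (scrapers,
        // scanners) would match as well - the size cap below is the only
        // other filter, so treat a single hit as a lead rather than a verdict.
        $x1 = "User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)" fullword ascii
    condition:
        // Full 4-byte ELF magic "\x7fELF" read little-endian. The earlier
        // uint16(0) == 0x457f check only verified the first two bytes ("\x7fE").
        uint32(0) == 0x464c457f
        and filesize < 3000KB
        and $x1
}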
rule CN_disclosed_20180208_c {
    meta:
        description = "Detects malware from disclosed CN malware set"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://twitter.com/cyberintproject/status/961714165550342146"
        date = "2018-02-08"
        hash1 = "17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7"
        id = "cb0bcdc4-7eca-59b7-a947-85c232d4e599"
    strings:
        // $x*: high-confidence indicators - any single hit is sufficient.
        // Delayed self-delete: ping as a sleep, then delete the quoted path
        // (consistent with the NjRAT family this set is described as containing).
        $x1 = "cmd.exe /c ping 0 -n 2 & del \"" fullword wide
        // Per-minute scheduled-task persistence under the task name "Server"
        $x2 = "schtasks /create /sc minute /mo 1 /tn Server /tr " fullword wide
        // Hard-coded public image host; presumably used for payload staging - verify against the sample
        $x3 = "www.upload.ee/image/" wide
        // $s*: supporting indicators - only meaningful in combination (4 of them).
        // WMI namespace used together with $s8 to enumerate installed AV products
        $s1 = "winmgmts:\\\\.\\root\\SecurityCenter2" fullword wide
        $s2 = "/Server.exe" fullword wide
        $s3 = "Executed As " fullword wide
        // Masquerades as the WMI provider host process name
        $s4 = "WmiPrvSE.exe" fullword wide
        $s5 = "Stub.exe" fullword ascii
        $s6 = "Download ERROR" fullword wide
        // Immediate reboot command
        $s7 = "shutdown -r -t 00" fullword wide
        $s8 = "Select * From AntiVirusProduct" fullword wide
    condition:
        uint16(0) == 0x5a4d
        and filesize < 100KB
        and (
            any of ($x*)
            or 4 of them
        )
}
rule CN_disclosed_20180208_System3 {
    meta:
        description = "Detects malware from disclosed CN malware set"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://twitter.com/cyberintproject/status/961714165550342146"
        date = "2018-02-08"
        hash1 = "73fa84cff51d384c2d22d9e53fc5d42cb642172447b07e796c81dd403fb010c2"
        id = "097f4506-295d-5066-8895-2148436731c1"
    strings:
        // Required anchor: the sample carries the WMI provider host name
        $a1 = "WmiPrvSE.exe" fullword wide
        // Build artifacts left in the binary: a user-profile path (user "sgl")
        // and a Visual Studio "Temporary Projects" folder - presumably from a
        // debug/PDB path, confirm against the sample
        $s1 = "C:\\Users\\sgl\\AppData\\Local\\" ascii
        $s2 = "Temporary Projects\\WmiPrvSE\\" ascii
        // GUID literal with a leading "$"; looks like a .NET assembly GUID attribute - verify
        $s3 = "$15a32a5d-4906-458a-8f57-402311afc1c1" fullword ascii
    condition:
        uint16(0) == 0x5a4d
        and filesize < 200KB
        and $a1
        and any of ($s*)
}
rule CN_disclosed_20180208_Mal1 {
    meta:
        description = "Detects malware from disclosed CN malware set"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details"
        date = "2018-02-08"
        hash1 = "173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e"
        id = "8516bbfb-a2ad-565d-bf6c-71629b1831a1"
    strings:
        // $x*: single-hit indicators.
        // DLL name commonly associated with RDP multi-session ("termsrv") patches
        $x1 = "%SystemRoot%\\system32\\termsrvhack.dll" fullword ascii
        // Hard-coded IE6 UA with no space after the colon - the malformed header is the distinctive part
        $x2 = "User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" fullword ascii
        // $a*: force-kills consoles and admin tooling (anti-analysis / anti-remediation)
        $a1 = "taskkill /f /im cmd.exe" fullword ascii
        $a2 = "taskkill /f /im mstsc.exe" fullword ascii
        $a3 = "taskkill /f /im taskmgr.exe" fullword ascii
        $a4 = "taskkill /f /im regedit.exe" fullword ascii
        $a5 = "taskkill /f /im mmc.exe" fullword ascii
        // $s*: process names - presumably an AV product (K7) and an FTP server (Serv-U); confirm
        $s1 = "K7TSecurity.exe" fullword ascii
        $s2 = "ServUDaemon.exe" fullword ascii
    condition:
        uint16(0) == 0x5a4d
        and filesize < 2000KB
        and (
            // NOTE(review): an imphash-only match carries FP risk if this
            // hash is shared by a common compiler or packer stub - check the
            // import table before acting on a hash-only hit
            pe.imphash() == "28e3a58132364197d7cb29ee104004bf"
            or any of ($x*)
            or 3 of them
        )
}
rule CN_disclosed_20180208_KeyLogger_1 {
    meta:
        description = "Detects malware from disclosed CN malware set"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details"
        date = "2018-02-08"
        hash1 = "c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf"
        id = "12eff9b6-1a65-5efc-b39c-88297bdae9c3"
    strings:
        // .NET member and message strings. Identifiers are kept as in the
        // upstream rule, which has no $x1.
        // Elevation check message - generic wording on its own, hence "2 of them"
        $x2 = "Process already elevated." fullword wide
        // Unusual capitalisation (KeyloggEr / KeyloggeR) makes these two distinctive
        $x3 = "GetKeyloggErLogsResponse" fullword ascii
        // .NET property getter name
        $x4 = "get_encryptedPassword" fullword ascii
        // Download-and-execute capability
        $x5 = "DoDownloadAndExecute" fullword ascii
        $x6 = "GetKeyloggeRLogs" fullword ascii
    condition:
        uint16(0) == 0x5a4d
        and filesize < 1000KB
        and 2 of them
}
rule CN_disclosed_20180208_Mal4 {
    meta:
        description = "Detects malware from disclosed CN malware set"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details"
        date = "2018-02-08"
        hash1 = "f7549c74f09be7e4dbfb64006e535b9f6d17352e236edc2cdb102ec3035cf66e"
        id = "6165caf5-157f-5381-a77e-6ed775187ab1"
    strings:
        // Generic Microsoft product descriptions (presumably spoofed version
        // info). Weak on their own, which is why the condition also requires
        // the export name below.
        $s1 = "Microsoft .Net Framework COM+ Support" fullword ascii
        $s2 = "Microsoft .NET and Windows XP COM+ Integration with SOAP" fullword ascii
    condition:
        uint16(0) == 0x5a4d
        and filesize < 3000KB
        and any of them
        // The unusual exported function name is the real discriminator
        and pe.exports("SPACE")
}
rule CN_disclosed_20180208_Mal5 {
    meta:
        description = "Detects malware from disclosed CN malware set"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details"
        date = "2018-02-08"
        hash1 = "24c05cd8a1175fbd9aca315ec67fb621448d96bd186e8d5e98cb4f3a19482af4"
        hash2 = "05696db46144dab3355dcefe0408f906a6d43fced04cb68334df31c6dfd12720"
        id = "b1933610-9e6d-5eed-ba30-ccdd0d3a6124"
    strings:
        // Mostly generic .NET / VB.NET artifacts; only the full combination is
        // meaningful. The leading "4" in $s1 is kept verbatim - it appears to
        // be a length prefix preceding the type name (confirm against the sample).
        $s1 = "4System.Web.Services.Protocols.SoapHttpClientProtocol" fullword ascii
        // "Server.exe" / "Stub" naming is consistent with RAT builder output
        $s2 = "Server.exe" fullword ascii
        $s3 = "System.Windows.Forms.Form" fullword ascii
        $s4 = "Stub.Resources.resources" fullword ascii
        $s5 = "My.Computer" fullword ascii
        $s6 = "MyTemplate" fullword ascii
        $s7 = "Stub.My.Resources" fullword ascii
    condition:
        uint16(0) == 0x5a4d
        and filesize < 300KB
        // All seven strings are required so the generic artifacts cannot fire alone
        and all of them
}