Sneed-Reactivity/yara-Neo23x0/apt_golddragon.yar

155 lines
6.7 KiB
Text
Raw Normal View History

/*
Yara Rule Set
Author: Florian Roth
Date: 2018-02-03
Identifier: Gold Dragon
Reference: https://goo.gl/rW1yvZ
*/
import "pe"
/* Rule Set ----------------------------------------------------------------- */
rule GoldDragon_malware_Feb18_1 {
meta:
description = "Detects malware from Gold Dragon report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
date = "2018-02-03"
score = 90
id = "1da29f0f-4e83-56a0-b843-3b19d9b9a1b7"
condition:
uint16(0) == 0x5a4d and filesize < 300KB and (
pe.imphash() == "168c2f7752511dfd263a83d5d08a90db" or
pe.imphash() == "0606858bdeb129de33a2b095d7806e74" or
pe.imphash() == "51d992f5b9e01533eb1356323ed1cb0f" or
pe.imphash() == "bb801224abd8562f9ee8fb261b75e32a"
)
}
rule GoldDragon_Aux_File {
meta:
description = "Detects export from Gold Dragon - February 2018"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
date = "2018-02-03"
score = 90
id = "8f23dec4-e369-500f-a036-32df13e5543e"
strings:
$x1 = "/////////////////////regkeyenum////////////" ascii
condition:
filesize < 500KB and 1 of them
}
rule GoldDragon_Ghost419_RAT {
meta:
description = "Detects Ghost419 RAT from Gold Dragon report"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/rW1yvZ"
date = "2018-02-03"
modified = "2023-01-06"
hash1 = "45bfa1327c2c0118c152c7192ada429c6d4ae03b8164ebe36ab5ba9a84f5d7aa"
hash2 = "ee7a9a7589cbbcac8b6bf1a3d9c5d1c1ada98e68ac2f43ff93f768661b7e4a85"
hash3 = "dee482e5f461a8e531a6a7ea4728535aafdc4941a8939bc3c55f6cb28c46ad3d"
hash4 = "2df9e274ce0e71964aca4183cec01fb63566a907981a9e7384c0d73f86578fe4"
hash5 = "111ab6aa14ef1f8359c59b43778b76c7be5ca72dc1372a3603cd5814bfb2850d"
hash6 = "0ca12b78644f7e4141083dbb850acbacbebfd3cfa17a4849db844e3f7ef1bee5"
hash7 = "ae1b32aac4d8a35e2c62e334b794373c7457ebfaaab5e5e8e46f3928af07cde4"
hash8 = "c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82"
hash9 = "db350bb43179f2a43a1330d82f3afeb900db5ff5094c2364d0767a3e6b97c854"
id = "8ac951d5-4a18-50c5-8ded-8a0a6b585fd6"
strings:
$x2 = "WebKitFormBoundarywhpFxMBe19cSjFnG" ascii
$x3 = "\\Microsoft\\HNC\\" ascii
$x4 = "\\anternet abplorer" ascii
$x5 = "%s\\abxplore.exe" fullword ascii
$x6 = "GHOST419" fullword ascii
$x7 = "I,m Online. %04d - %02d - %02d - %02d - %02d" fullword ascii
$x8 = "//////////////////////////regkeyenum//////////////" ascii
$s0 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)" fullword ascii
$s1 = "www.GoldDragon.com" fullword ascii
$s2 = "/c systeminfo >> %s" fullword ascii
$s3 = "/c dir %s\\ >> %s" fullword ascii
$s4 = "DownLoading %02x, %02x, %02x" fullword ascii
$s5 = "Tran_dll.dll" fullword ascii
$s6 = "MpCmdRunkr.dll" fullword ascii
$s7 = "MpCmdRun.dll" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 600KB and (
( pe.exports("ExportFunction") and pe.number_of_exports == 1 ) or
( 1 of ($x*) and 1 of ($s*) ) or
3 of them
)
}
rule GoldDragon_RunningRAT {
meta:
description = "Detects Running RAT from Gold Dragon report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/rW1yvZ"
date = "2018-02-03"
hash1 = "0852f2c5741997d8899a34bb95c349d7a9fb7277cd0910656c3ce37a6f11cb88"
hash2 = "2981e1a1b3c395cee6e4b9e6c46d062cf6130546b04401d724750e4c8382c863"
hash3 = "7aa99ebc49a130f07304ed25655862a04cc20cb59d129e1416a7dfa04f7d3e51"
id = "7de93103-46a5-5aba-90cf-26735a6a580e"
strings:
$x1 = "C:\\USERS\\WIN7_x64\\result.log" fullword wide
$x2 = "rundll32.exe %s RunningRat" fullword ascii
$x3 = "SystemRat.dll" fullword ascii
$x4 = "rundll32.exe %s ExportFunction" fullword ascii
$x5 = "rundll32.exe \"%s\" RunningRat" fullword ascii
$x6 = "ixeorat.bin" fullword ascii
$x7 = "C:\\USERS\\Public\\result.log" fullword ascii
$a1 = "emanybtsohteg" fullword ascii /* reversed goodware string 'gethostbyname' */
$a2 = "tekcosesolc" fullword ascii /* reversed goodware string 'closesocket' */
$a3 = "emankcosteg" fullword ascii /* reversed goodware string 'getsockname' */
$a4 = "emantsohteg" fullword ascii /* reversed goodware string 'gethostname' */
$a5 = "tpokcostes" fullword ascii /* reversed goodware string 'setsockopt' */
$a6 = "putratSASW" fullword ascii /* reversed goodware string 'WSAStartup' */
$s1 = "ParentDll.dll" fullword ascii
$s2 = "MR - Already Existed" fullword ascii
$s3 = "MR First Started, Registed OK!" fullword ascii
$s4 = "RM-M : LoadResource OK!" fullword ascii
$s5 = "D:\\result.log" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 300KB and (
pe.imphash() == "c78ccc8f02286648c4373d3bf03efc43" or
pe.exports("RunningRat") or
1 of ($x*) or
5 of ($a*) or
3 of ($s*)
)
}
rule GoldDragon_RunnignRAT {
meta:
description = "Detects Running RAT malware from Gold Dragon report"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/rW1yvZ"
date = "2018-02-03"
modified = "2023-01-07"
hash1 = "94aa827a514d7aa70c404ec326edaaad4b2b738ffaea5a66c0c9f246738df579"
hash2 = "5cbc07895d099ce39a3142025c557b7fac41d79914535ab7ffc2094809f12a4b"
hash3 = "98ccf3a463b81a47fdf4275e228a8f2266e613e08baae8bdcd098e49851ed49a"
id = "b99b89a4-a764-5d72-8360-8e53461267d9"
strings:
$s1 = "cmd.exe /c systeminfo " fullword ascii
$s2 = "ieproxy.dll" fullword ascii
$s3 = "taskkill /f /im daumcleaner.exe" fullword ascii
$s4 = "cmd.exe /c tasklist " fullword ascii
$s5 = "rundll32.exe \"%s\" Run" fullword ascii
$s6 = "Mozilla/5.0 (Windows NT 5.2; rv:12.0) Gecko/20100101 Firefox/12.0" fullword ascii
$s7 = "%s\\%s_%03d" fullword wide
$s8 = "\\PI_001.dat" ascii
condition:
uint16(0) == 0x5a4d and filesize < 3000KB and (
3 of them
)
}