
// PlugX (APT remote-access toolkit): code signature for its byte-decoding XOR routine.
rule PlugXXOR
{
    meta:
        author = "@abhinavbom"
        maltype = "NA"
        version = "0.1"
        date = "21/09/2015"
        description = "rule for PlugX XOR Routine"
        // 32 hex characters, i.e. MD5-sized; presumably the hash of the reference sample — confirm against the source repo.
        ref1 = "7048add2873b08a9693a60135f978686"
    strings:
        // Raw x86 opcode pattern. Read as 32-bit code it decodes (approximately) to:
        //   add eax, imm32 ; mov bl, al ; sub bl, ah ; mov [ebp-4], eax
        //   xor bl, [ebp-2] ; sub ecx, imm32 ; sub bl, [ebp-1] ; mov [ebp-8], ecx
        //   xor bl, cl ; sub bl, ch ; xor bl, [ebp-6] ; sub bl, [ebp-5]
        //   xor bl, [edi+esi] ; mov [esi], bl ; inc esi ; dec edx ; jnz <loop top>
        //   pop edi ; pop ebx
        // i.e. a per-byte add/sub/xor decode loop. The two "?? ??" wildcards sit in the
        // low halves of the imm32 operands (high halves fixed to 00 00), so any
        // immediate below 0x10000 matches and key changes do not break the rule.
        $hex_string = { 05 ?? ?? 00 00 8A D8 2A DC 89 45 FC 32 5D FE 81 E9 ?? ?? 00 00 2A 5D FF 89 4D F8 32 D9 2A DD 32 5D FA 2A 5D FB 32 1C 37 88 1E 46 4A 75 D2 5F 5B }
    condition:
        // Single pattern, so "all of them" and naming it directly are equivalent.
        // NOTE(review): no MZ / filesize guard — the pattern is raw code, so the rule
        // also fires on memory dumps and already-decoded payloads, not just PE files.
        // Add `uint16(0) == 0x5A4D` only if the scan set is on-disk files exclusively.
        $hex_string
}
// APT1 (Comment Crew) BOUNCER backdoor: string-based rule written for a sample used during a training exercise.
rule BOUNCER_APT1
{
    meta:
        author = "@abhinavbom"
        maltype = "NA"
        version = "0.1"
        date = "21/09/2015"
        info = "CommentCrew-threat-apt1"
    strings:
        // Pair 1: a long fixed token (looks like an embedded key or password; its
        // role is not visible here) plus the resource-name format string.
        // "IDR_DATA%d" is generic on its own, which is why it is only ever
        // required together with $s1.
        $s1 = "*Qd9kdgba33*%Wkda0Qd3kvn$*&><(*&%$E#%$#1234asdgKNAg@!gy565dtfbasdg" wide ascii
        $s2 = "IDR_DATA%d" wide ascii
        // Pair 2: a short keyboard-walk-style token plus the mode usage/error
        // message. $s3 is 13 bytes and could appear in unrelated binaries, so it
        // is likewise only required together with $s4.
        $s3 = "asdfqwe123cxz" wide ascii
        $s4 = "Mode must be 0(encrypt) or 1(decrypt)." wide ascii
    condition:
        // Either complete pair is sufficient; a string from each pair is not.
        // "wide ascii" on every string means both UTF-16LE and narrow copies count.
        all of ($s1, $s2) or all of ($s3, $s4)
}