rule APT_NK_MAL_Keylogger_Unknown_Nov19_1 {
   meta:
      // Keylogger / microphone-capture / screen-capture sample first published
      // by CNMF (US Cyber Command) in November 2019. The "NK" in the rule name
      // follows the original author's attribution; confirm against the reference.
      description = "Detects unknown keylogger reported by CNMF in November 2019"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/CNMF_VirusAlert/status/1192131508007505921"
      date = "2019-11-06"
      hash1 = "04d70bb249206a006f83db39bbe49ff6e520ea329e5fbb9c758d426b1c8dec30"
      hash2 = "618a67048d0a9217317c1d1790ad5f6b044eaa58a433bd46ec2fb9f9ff563dc6"
      id = "5311d883-52e0-5503-9494-c583fabbedfe"

   strings:
      /*
       * $x* - highly specific artifacts of this family. A single hit is
       * sufficient on its own (see condition). Note that the $x* wildcard
       * also covers the $xc* hex blobs below, so do not rename them.
       */
      $x1 = "CKeyLogDlg::Keylogger_WriteFile" ascii            // class::method name left in the binary
      $x2 = "Keylog file is saved >>>>>> %s" fullword ascii
      $x3 = "MicCap file is saved >>>>>> %s" fullword ascii
      $x4 = "cr5cr33nc4p.dat" fullword ascii                    // leetspeak "screencap" output file name

      /*
       * $xc* - NUL-separated string-table fragments; kept as hex so the
       * embedded 00 bytes are matched literally. Decoded content per blob:
       */
      // "status\0\0\Keylog"
      $xc1 = { 73 74 61 74 75 73 00 00
               5C 4B 65 79 6C 6F 67 }
      // "[CMicCapDlg].\0\0\0%04d%02d%02d%02d%02d.wav"  (timestamped mic-capture file name)
      $xc2 = { 5B 43 4D 69 63 43 61 70
               44 6C 67 5D 2E 00 00 00
               25 30 34 64 25 30 32 64
               25 30 32 64 25 30 32 64
               25 30 32 64 2E 77 61 76 }
      // "%s\0\0%s\*.*\0\0ab\0\0[%s] upload failed.\0rb\0\0[%s] open failed.\0\0\0..\0\0[%s -> %s] copy failed"
      $xc3 = { 25 73 00 00 25 73 5C 2A
               2E 2A 00 00 61 62 00 00
               5B 25 73 5D 20 75 70 6C
               6F 61 64 20 66 61 69 6C
               65 64 2E 00 72 62 00 00
               5B 25 73 5D 20 6F 70 65
               6E 20 66 61 69 6C 65 64
               2E 00 00 00 2E 2E 00 00
               5B 25 73 20 2D 3E 20 25
               73 5D 20 63 6F 70 79 20
               66 61 69 6C 65 64 }

      /*
       * $s* - supporting strings. Several of these ("%s\cmd.exe /c %s",
       * the SAM registry path, a Ws2_32 import wrapper name) are generic
       * enough to show up in unrelated tooling, which is why they only
       * count toward the "4 of them" threshold and never match alone.
       */
      $s2 = "File upload error occured in [CFSDlg::ProcessResultMessage]." fullword ascii
      $s6 = "PID [%s], open process failed." fullword ascii
      $s4 = "%s_hist%d:%d:%s:%s:::" fullword ascii
      $s5 = "CARAT_Ws2_32.dll" fullword ascii
      $s3 = "\\SAM\\Domains\\Account\\Users\\Names" ascii
      $s1 = "%s\\cmd.exe /c %s" fullword ascii

   condition:
      // PE header check first so the string scan is skipped on non-PE data
      uint16(0) == 0x5a4d
      // 40 MB upper bound; generous, but keeps very large installers out
      and filesize <= 40000KB
      and (
         1 of ($x*)      // any single high-confidence string ($x1-$x4, $xc1-$xc3)
         or 4 of them    // or four strings of any kind
      )
}