diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..18eba14
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+
+/yara-hydradragon
diff --git a/LICENSE-YARA-RULES-NEO23X0 b/LICENSE-YARA-RULES-NEO23X0
new file mode 100644
index 0000000..37c5f90
--- /dev/null
+++ b/LICENSE-YARA-RULES-NEO23X0
@@ -0,0 +1,38 @@
+# Detection Rule License (DRL) 1.1
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this rule set and associated documentation files (the "Rules"), to deal
+in the Rules without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Rules, and to permit persons to whom the Rules are furnished to do so,
+subject to the following conditions:
+
+If you share the Rules (including in modified form), you must retain the
+following if it is supplied within the Rules:
+
+1. identification of the authors(s) ("author" field) of the Rule and any
+ others designated to receive attribution, in any reasonable manner
+ requested by the Rule author (including by pseudonym if designated).
+
+2. a URI or hyperlink to the Rule set or explicit Rule to the extent
+ reasonably practicable
+
+3. indicate the Rules are licensed under this Detection Rule License, and
+ include the text of, or the URI or hyperlink to, this Detection Rule
+ License to the extent reasonably practicable
+
+If you use the Rules (including in modified form) on data, messages based on
+matches with the Rules must retain the following if it is supplied within the
+Rules:
+
+1. identification of the authors(s) ("author" field) of the Rule and any
+ others designated to receive attribution, in any reasonable manner
+ requested by the Rule author (including by pseudonym if designated).
+
+THE RULES ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE RULES OR THE USE OR OTHER DEALINGS IN THE
+RULES.
\ No newline at end of file
diff --git a/LICENSE-YARA-RULES-REVERSINGLABS b/LICENSE-YARA-RULES-REVERSINGLABS
new file mode 100644
index 0000000..a43f946
--- /dev/null
+++ b/LICENSE-YARA-RULES-REVERSINGLABS
@@ -0,0 +1,19 @@
+Copyright (c) 2020 ReversingLabs
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
index 5a5715b..56befc7 100644
--- a/README.md
+++ b/README.md
@@ -5,11 +5,15 @@ Cross-Platform Open Reactive AntiMalware ## Credits * VirusTotal - Creating Yara -* [ReversingLabs - Creating Yara Rules](https://github.com/reversinglabs/reversinglabs-yara-rules) +* [ReversingLabs - Creating Some Yara Rules](https://github.com/reversinglabs/reversinglabs-yara-rules) +* [Yara23x0 - Creating more Yara Rules](https://github.com/Neo23x0/signature-base) +* [mikesxrc - Creating a compilation of even MORE yara rules (had to delete some due to errors)](https://github.com/mikesxrs/Open-Source-YARA-rules) * Sneed Group - Creating the idea/code * ChatGPT/Gemini - Helping code this amazing project ## Licensing Details -* LICENSE-YARA-RULES - ReversingLab's Yara Rules (everything under the yara subdirectory) -* LICENSE - Our code. (Pretty much anything else.) +* LICENSE-YARA-RULES-REVERSINGLABS - ReversingLab's Yara Rules (under the yara-ReversingLabs subdirectory) +* LICENSE-YARA-RULES-NEO23X0 - NEO23X0's Yara Rules (under the yara-Neo23x0 subdirectory) +* LICENSE - Our code. (Pretty much any .py file in the main directory as well as requirements.txt) +* mikesxrs sadly had no license in his Yara Rules repo, so I guess take that for what you will. \ No newline at end of file diff --git a/main.py b/main.py index 6bca5e8..19cdb22 100644 --- a/main.py +++ b/main.py 
@@ -23,7 +23,28 @@ import yara # YARA for malware scanning # YARA Rules def load_yara_rules(): yara_rules = [] - yara_dir = Path('yara') + yara_dir = Path('yara-ReversingLabs') + if yara_dir.exists() and yara_dir.is_dir(): + for yara_file in yara_dir.rglob('*.yar'): + try: + rule = yara.compile(filepath=str(yara_file)) + yara_rules.append(rule) + except Exception as e: + print(f"Error compiling YARA rule {yara_file}: {e}") + else: + print(f"YARA rules directory not found: {yara_dir}") + time.sleep(1) + yara_dir = Path('yara-mikesxrs') + if yara_dir.exists() and yara_dir.is_dir(): + for yara_file in yara_dir.rglob('*.yar'): + try: + rule = yara.compile(filepath=str(yara_file)) + yara_rules.append(rule) + except Exception as e: + print(f"Error compiling YARA rule {yara_file}: {e}") + else: + print(f"YARA rules directory not found: {yara_dir}") + yara_dir = Path('yara-Neo23x0') if yara_dir.exists() and yara_dir.is_dir(): for yara_file in yara_dir.rglob('*.yar'): try: diff --git a/requirements.txt b/requirements.txt index 80af7d1..d923c03 100644 --- a/requirements.txt +++ b/requirements.txt @@ -5,4 +5,4 @@ requests certifi tensorflow webdriver_manager -pywin32; platform_system == "Windows" +pywin32; platform_system == "Windows" \ No newline at end of file diff --git a/yara-Neo23x0/apt_aa19_024a.yar b/yara-Neo23x0/apt_aa19_024a.yar new file mode 100644 index 0000000..cd794b1 --- /dev/null +++ b/yara-Neo23x0/apt_aa19_024a.yar 
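Review bot: The per-directory scan is pasted three times in `load_yara_rules` (once for each `yara_dir = Path(...)`), and the `time.sleep(1)` after the first directory's "not found" message is not repeated for the other two (indentation is lost in this view, so exactly where it sits is not certain), so the three rule sets are handled inconsistently and any later fix must be made in three places. Factor the per-directory work into a helper and loop over the directory names, keeping the print-and-skip on compile failure so one broken vendored rule file does not block the rest; note that a rule skipped this way only shows up as a printed line, so detection coverage can silently shrink — if any of the vendored rules reference YARA external variables they will land in that branch unless `yara.compile(..., externals=...)` is supplied. The glob is `*.yar` only, so any rule file shipped with a `.yara` extension is never compiled; worth confirming against the three rule repositories. The excerpt below drops the `time.sleep(1)`; keep it in the helper if the pause is intentional. `load_yara_rules` continues past the end of the hunk.
```python
def _compile_rules_in(yara_dir, yara_rules):
    """Compile every *.yar under yara_dir into yara_rules; a file that fails to compile is reported and skipped."""
    if not (yara_dir.exists() and yara_dir.is_dir()):
        print(f"YARA rules directory not found: {yara_dir}")
        return
    for yara_file in yara_dir.rglob('*.yar'):
        try:
            # one Rules object per file so a single bad file cannot abort the whole set
            yara_rules.append(yara.compile(filepath=str(yara_file)))
        except Exception as e:
            print(f"Error compiling YARA rule {yara_file}: {e}")


def load_yara_rules():
    yara_rules = []
    for name in ('yara-ReversingLabs', 'yara-mikesxrs', 'yara-Neo23x0'):
        _compile_rules_in(Path(name), yara_rules)
    # … unchanged: rest of load_yara_rules …
```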
@@ -0,0 +1,19 @@
+
+rule APT_MAL_DNS_Hijacking_Campaign_AA19_024A {
+ meta:
+ description = "Detects malware used in DNS Hijackign campaign"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.us-cert.gov/ncas/alerts/AA19-024A"
+ date = "2019-01-25"
+ hash1 = "2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec"
+ hash2 = "45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff"
+ id = "6a476052-ba4e-5049-9c7a-f8949d26e7b5"
+ strings:
+ $s2 = "/Client/Login?id=" fullword ascii
+ $s3 = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" fullword ascii
+ $s4 = ".\\Configure.txt" fullword ascii
+ $s5 = "Content-Disposition: form-data; name=\"files\"; filename=\"" fullword ascii
+ $s6 = "Content-Disposition: form-data; name=\"txts\"" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them
+}
diff --git a/yara-Neo23x0/apt_agent_btz.yar b/yara-Neo23x0/apt_agent_btz.yar
new file mode 100644
index 0000000..1972150
--- /dev/null
+++ b/yara-Neo23x0/apt_agent_btz.yar
@@ -0,0 +1,106 @@
+/*
+ Yara Rule Set
+ Author: Florian Roth
+ Date: 2017-08-07
+ Identifier: Agent BTZ
+ Reference: http://www.intezer.com/new-variants-of-agent-btz-comrat-found/
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+import "pe"
+
+rule Agent_BTZ_Proxy_DLL_1 {
+ meta:
+ description = "Detects Agent-BTZ Proxy DLL - activeds.dll"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/"
+ date = "2017-08-07"
+ hash1 = "9c163c3f2bd5c5181147c6f4cf2571160197de98f496d16b38c7dc46b5dc1426"
+ hash2 = "628d316a983383ed716e3f827720915683a8876b54677878a7d2db376d117a24"
+ id = "f8032616-2a54-5107-b330-65fcc84b866e"
+ strings:
+ $s1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Modules" fullword wide
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 300KB and all of them and pe.exports("Entry") )
+}
+
+rule Agent_BTZ_Proxy_DLL_2 {
+ meta:
+ description = "Detects Agent-BTZ Proxy DLL - activeds.dll"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/"
+ date = "2017-08-07"
+ hash1 = "73db4295c5b29958c5d93c20be9482c1efffc89fc4e5c8ba59ac9425a4657a88"
+ hash2 = "380b0353ba8cd33da8c5e5b95e3e032e83193019e73c71875b58ec1ed389bdac"
+ hash3 = "f27e9bba6a2635731845b4334b807c0e4f57d3b790cecdc77d8fef50629f51a2"
+ id = "2777443d-6f63-5948-855a-e064a6e0310f"
+ strings:
+ $s1 = { 38 21 38 2C 38 37 38 42 38 4D 38 58 38 63 38 6E
+ 38 79 38 84 38 8F 38 9A 38 A5 38 B0 38 BB 38 C6
+ 38 D1 38 DC 38 E7 38 F2 38 FD 38 08 39 13 39 1E
+ 39 29 39 34 39 3F 39 4A 39 55 39 60 39 6B 39 76
+ 39 81 39 8C 39 97 39 A2 39 AD 39 B8 39 C3 39 CE
+ 39 D9 39 E4 39 EF 39 FA 39 05 3A 10 3A 1B 3A 26
+ 3A 31 3A 3C 3A 47 3A 52 3A 5D 3A 68 3A 73 3A 7E
+ 3A 89 3A 94 3A 9F 3A AA 3A B5 3A C0 3A CB 3A D6
+ 3A E1 3A EC 3A F7 3A 
}
+ $s2 = "activeds.dll" ascii fullword
+ condition:
+ uint16(0) == 0x5a4d and filesize < 200KB and all of them and pe.imphash() == "09b7c73fbe5529e6de7137e3e8268b7b"
+}
+
+rule Agent_BTZ_Aug17 {
+ meta:
+ description = "Detects Agent.BTZ"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/"
+ date = "2017-08-07"
+ hash1 = "6ad78f069c3619d0d18eef8281219679f538cfe0c1b6d40b244beb359762cf96"
+ hash2 = "49c5c798689d4a54e5b7099b647b0596fb96b996a437bb8241b5dd76e974c24e"
+ hash3 = "e88970fa4892150441c1616028982fe63c875f149cd490c3c910a1c091d3ad49"
+ id = "31804208-3edb-554b-8820-e682db647435"
+ strings:
+ $s1 = "stdole2.tlb" fullword ascii
+ $s2 = "UnInstallW" fullword ascii
+ condition:
+ (
+ uint16(0) == 0x5a4d and filesize < 900KB and
+ all of them and
+ pe.exports("Entry") and pe.exports("InstallW") and pe.exports("UnInstallW")
+ )
+}
+
+rule APT_Turla_Agent_BTZ_Gen_1 {
+ meta:
+ description = "Detects Turla Agent.BTZ"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "Internal Research"
+ date = "2018-06-16"
+ score = 80
+ hash1 = "c905f2dec79ccab115ad32578384008696ebab02276f49f12465dcd026c1a615"
+ id = "d5e1dd3d-4f03-5f79-898b-e612d2758b60"
+ strings:
+ $x1 = "1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s" fullword ascii
+
+ $s1 = "release mutex - %u (%u)(%u)" fullword ascii
+ $s2 = "\\system32\\win.com" ascii
+ $s3 = "Command Id:%u%010u(%02d:%02d:%02d %02d/%02d/%04d)" fullword ascii
+ $s4 = "MakeFile Error(%d) copy file to temp file %s" fullword ascii
+ $s5 = "%s%%s08x.tmp" fullword ascii
+ $s6 = "Run instruction: %d ID:%u%010u(%02d:%02d:%02d %02d/%02d/%04d)" fullword ascii
+ $s7 = "Mutex_Log" fullword ascii
+ $s8 = "%s\\system32\\winview.ocx" fullword ascii
+ $s9 = "Microsoft(R) Windows (R) Operating System" fullword wide
+ $s10 = "Error: pos(%d) > CmdSize(%d)" fullword ascii
+ $s11 = "\\win.com" ascii
+ $s12 = "Error(%d) run %s " 
fullword ascii
+ $s13 = "%02d.%02d.%04d Log begin:" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 500KB and (
+ pe.imphash() == "9d0d6daa47d6e6f2d80eb05405944f87" or
+ ( pe.exports("Entry") and pe.exports("InstallM") and pe.exports("InstallS") ) or
+ $x1 or 3 of them
+ ) or ( 5 of them )
+}
diff --git a/yara-Neo23x0/apt_alienspy_rat.yar b/yara-Neo23x0/apt_alienspy_rat.yar
new file mode 100644
index 0000000..c0bc7ee
--- /dev/null
+++ b/yara-Neo23x0/apt_alienspy_rat.yar
@@ -0,0 +1,50 @@
+
+rule crime_win_rat_AlienSpy
+{
+meta:
+ description = "Alien Spy Remote Access Trojan"
+ author = "General Dynamics Fidelis Cybersecurity Solutions - Threat Research Team"
+ reference_1 = "www.fidelissecurity.com/sites/default/files/FTA_1015_Alienspy_FINAL.pdf"
+ reference_2 = "www.fidelissecurity.com/sites/default/files/AlienSpy-Configs2_1_2.csv"
+ date = "04-Apr-15"
+ filetype = "Java"
+ hash_1 = "075fa0567d3415fbab3514b8aa64cfcb"
+ hash_2 = "818afea3040a887f191ee9d0579ac6ed"
+ hash_3 = "973de705f2f01e82c00db92eaa27912c"
+ hash_4 = "7f838907f9cc8305544bd0ad4cfd278e"
+ hash_5 = "071e12454731161d47a12a8c4b3adfea"
+ hash_6 = "a7d50760d49faff3656903c1130fd20b"
+ hash_7 = "f399afb901fcdf436a1b2a135da3ee39"
+ hash_8 = "3698a3630f80a632c0c7c12e929184fb"
+ hash_9 = "fdb674cadfa038ff9d931e376f89f1b6"
+
+ id = "a79789cd-9b16-58f5-ab51-48bb900583d1"
+ strings:
+
+ $sa_1 = "META-INF/MANIFEST.MF"
+ $sa_2 = "Main.classPK"
+ $sa_3 = "plugins/Server.classPK"
+ $sa_4 = "IDPK"
+
+ $sb_1 = "config.iniPK"
+ $sb_2 = "password.iniPK"
+ $sb_3 = "plugins/Server.classPK"
+ $sb_4 = "LoadStub.classPK"
+ $sb_5 = "LoadStubDecrypted.classPK"
+ $sb_7 = "LoadPassword.classPK"
+ $sb_8 = "DecryptStub.classPK"
+ $sb_9 = "ClassLoaders.classPK"
+
+ $sc_1 = "config.xml"
+ $sc_2 = "options"
+ $sc_3 = "plugins"
+ /* $sc_4 = "util" */
+ $sc_5 = "util/OSHelper"
+ $sc_6 = "Start.class"
+ $sc_7 = "AlienSpy"
+ /* $sc_8 = "PK" */ /* too short atom - disabled for performance reasons */
+
+ condition:
+
+ uint16(0) == 0x4B50 and filesize < 800KB and ( (all of ($sa_*)) or (all of ($sb_*)) or (all of ($sc_*)) )
+}
diff --git a/yara-Neo23x0/apt_apt10.yar b/yara-Neo23x0/apt_apt10.yar
new file mode 100644
index 0000000..720e28e
--- /dev/null
+++ b/yara-Neo23x0/apt_apt10.yar
@@ -0,0 +1,1406 @@ +/* + Yara Rule Set + Author: Jonas Lejon + Date: 2017-04-06 + Identifier: APT 10 Malware +*/ + +import "pe" + +/* outdated and prone to FPs */ +/* disabled on 18.07.23 */ +/* see : https://www.linkedin.com/feed/update/urn:li:activity:7087021383276236800/ */ + +/* +rule APT10_Malware_Sample_Gen : FILE { + meta: + description = "APT 10 / Cloud Hopper malware campaign" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html" + date = "2017-04-06" + score = 80 + strings: + $c2_1 = "002562066559681.r3u8.com" ascii + $c2_2 = "031168053846049.r3u8.com" ascii + $c2_3 = "0625.have8000.com" ascii + $c2_4 = "1.gadskysun.com" ascii + $c2_5 = "100fanwen.com" ascii + $c2_6 = "11.usyahooapis.com" ascii + $c2_7 = "19518473326.r3u8.com" ascii + $c2_8 = "1960445709311199.r3u8.com" ascii + $c2_9 = "1j.www1.biz" ascii + $c2_10 = "1z.itsaol.com" ascii + $c2_11 = "2012yearleft.com" ascii + $c2_12 = "2014.zzux.com" ascii + $c2_13 = "202017845.r3u8.com" ascii + $c2_14 = "2139465544784.r3u8.com" ascii + $c2_15 = "2789203959848958.r3u8.com" ascii + $c2_16 = "5590428449750026.r3u8.com" ascii + $c2_17 = "5q.niushenghuo.info" ascii + $c2_18 = "6r.suibian2010.info" ascii + $c2_19 = "9gowg.tech" ascii + $c2_20 = "Hamiltion.catholicmmb.com" ascii + $c2_21 = "a.wubangtu.info" ascii + $c2_22 = "a1.suibian2010.info" ascii + $c2_24 = "abc.wikaba.com" ascii + $c2_25 = "abcd120719.6600.org" ascii + $c2_26 = "abcd120807.3322.org" ascii + $c2_27 = "acc.emailfound.info" ascii + $c2_28 = "acc.lehigtapp.com" ascii + $c2_29 = "acsocietyy.com" ascii + $c2_31 = "ad.webbooting.com" ascii + $c2_32 = "additional.sexidude.com" ascii + $c2_33 = "af.zyns.com" ascii + $c2_34 = "afc.https443.org" ascii + $c2_35 = "ako.ddns.us" ascii + $c2_36 = "androidmusicapp.onmypc.us" ascii + $c2_37 = 
"announcements.toythieves.com" ascii + $c2_38 = "anvprn.com" ascii + $c2_39 = "aotuo.9966.org" ascii + $c2_40 = "apec.qtsofta.com" ascii + $c2_41 = "app.lehigtapp.com" ascii + $c2_42 = "apple.cmdnetview.com" ascii + $c2_43 = "apple.defensewar.org" ascii + $c2_44 = "apple.ikwb.com" ascii + $c2_45 = "appledownload.ourhobby.com" ascii + $c2_46 = "appleimages.itemdb.com" ascii + $c2_47 = "appleimages.longmusic.com" ascii + $c2_48 = "applelib120102.9966.org" ascii + $c2_49 = "applemirror.organiccrap.com" ascii + $c2_50 = "applemirror.squirly.info" ascii + $c2_51 = "applemusic.isasecret.com" ascii + $c2_52 = "applemusic.itemdb.com" ascii + $c2_53 = "applemusic.wikaba.com" ascii + $c2_54 = "applemusic.xxuz.com" ascii + $c2_55 = "applemusic.zzux.com" ascii + $c2_56 = "apples.sytes.net" ascii + $c2_57 = "appleupdate.itemdb.com" ascii + $c2_58 = "architectisusa.com" ascii + $c2_59 = "area.wthelpdesk.com" ascii + $c2_60 = "army.xxuz.com" ascii + $c2_61 = "art.p6p6.net" ascii + $c2_62 = "asfzx.x24hr.com" ascii + $c2_64 = "availab.wikaba.com" ascii + $c2_65 = "availability.justdied.com" ascii + $c2_66 = "ba.my03.com" ascii + $c2_67 = "baby.macforlinux.net" ascii + $c2_68 = "baby.myie12.com" ascii + $c2_69 = "baby.usmirocomney.net" ascii + $c2_70 = "back.jungleheart.com" ascii + $c2_71 = "back.mofa.dynamic-dns.net" ascii + $c2_72 = "bak.have8000.com" ascii + $c2_73 = "bak.ignorelist.com" ascii + $c2_74 = "bak.un.dnsrd.com" ascii + $c2_75 = "balance1.wikaba.com" ascii + $c2_76 = "balk.n7go.com" ascii + $c2_77 = "banana.cmdnetview.com" ascii + $c2_78 = "barrybaker.6600.org" ascii + $c2_79 = "bbs.jungleheart.com" ascii + $c2_80 = "bdoncloud.com" ascii + $c2_81 = "be.mrslove.com" ascii + $c2_82 = "be.yourtrap.com" ascii + $c2_83 = "belowto.com" ascii + $c2_84 = "bethel.webhop.net" ascii + $c2_85 = "bexm.cleansite.biz" ascii + $c2_86 = "bezu.itemdb.com" ascii + $c2_87 = "bk56.twilightparadox.com" ascii + $c2_88 = "blaaaaaaaaaaaa.windowsupdate.3-a.net" ascii + $c2_89 = 
"blog.defensewar.org" ascii + $c2_90 = "brand.fartit.com" ascii + $c2_91 = "bridgeluxlightmadness.com" ascii + $c2_92 = "bulletproof.squirly.info" ascii + $c2_93 = "cao.p6p6.net" ascii + $c2_94 = "cata.qtsofta.com" ascii + $c2_95 = "catholicmmb.com" ascii + $c2_96 = "cc.dynamicdns.co.uk" ascii + $c2_97 = "ccfchrist.com" ascii + $c2_98 = "ccupdatedata.authorizeddns.net" ascii + $c2_99 = "cd.usyahooapis.com" ascii + $c2_100 = "cdn.incloud-go.com" ascii + $c2_101 = "center.shenajou.com" ascii + $c2_102 = "cgei493860.r3u8.com" ascii + $c2_103 = "chaindungeons.com" ascii + $c2_104 = "chibashiri.com" ascii + $c2_105 = "childrenstow.com" ascii + $c2_106 = "cia.ezua.com" ascii + $c2_107 = "cia.toh.info" ascii + $c2_108 = "ciaoci.chickenkiller.com" ascii + $c2_109 = "civilwar123.authorizeddns.org" ascii + $c2_110 = "civilwar520.onmypc.org" ascii + $c2_111 = "ckusshani.com" ascii + $c2_112 = "cloud-kingl.com" ascii + $c2_113 = "cloud-maste.com" ascii + $c2_114 = "cloudns.8800.org" ascii + $c2_115 = "cmdnetview.com" ascii + $c2_116 = "cms.sindeali.com" ascii + $c2_117 = "cnnews.mylftv.com" ascii + $c2_118 = "commissioner.shenajou.com" ascii + $c2_119 = "commons.onedumb.com" ascii + $c2_120 = "contactus.myddns.com" ascii + $c2_121 = "contactus.onmypc.us" ascii + $c2_122 = "contract.4mydomain.com" ascii + $c2_123 = "contractus.qpoe.com" ascii + $c2_124 = "contractus.zzux.com" ascii + $c2_125 = "coreck.suayay.com" ascii + $c2_128 = "ctdl.windowsupdate.itsaol.com" ascii + $c2_129 = "ctdl.windowsupdate.nsatcdns.com" ascii + $c2_130 = "ctldl.appledownload.ourhobby.com" ascii + $c2_131 = "ctldl.applemusic.itemdb.com" ascii + $c2_132 = "ctldl.itunesmusic.jkub.com" ascii + $c2_133 = "ctldl.microsoftmusic.onedumb.com" ascii + $c2_134 = "ctldl.microsoftupdate.qhigh.com" ascii + $c2_135 = "ctldl.windowsupdate.authorizeddns.org" ascii + $c2_136 = "ctldl.windowsupdate.authorizeddns.us" ascii + $c2_137 = "ctldl.windowsupdate.dnset.com" ascii + $c2_138 = "ctldl.windowsupdate.esmtp.biz" ascii 
+ $c2_139 = "ctldl.windowsupdate.ezua.com" ascii + $c2_140 = "ctldl.windowsupdate.gettrials.com" ascii + $c2_141 = "ctldl.windowsupdate.itsaol.com" ascii + $c2_142 = "ctldl.windowsupdate.lflinkup.com" ascii + $c2_143 = "ctldl.windowsupdate.mrface.com" ascii + $c2_144 = "ctldl.windowsupdate.nsatcdns.com" ascii + $c2_145 = "ctldl.windowsupdate.organiccrap.com" ascii + $c2_146 = "ctldl.windowsupdate.x24hr.com" ascii + $c2_147 = "cvnx.zyns.com" ascii + $c2_148 = "cwiinatonal.com" ascii + $c2_149 = "daddy.gostudyantivirus.com" ascii + $c2_150 = "dcc.jimingroup.com" ascii + $c2_151 = "dd.ddns.us" ascii + $c2_152 = "de.onmypc.info" ascii + $c2_153 = "dear.loveddos.com" ascii + $c2_154 = "dec.seyesb.acmetoy.com" ascii + $c2_155 = "dedgesuite.net" ascii + $c2_156 = "dedydns.ns01.us" ascii + $c2_157 = "defensewar.org" ascii + $c2_158 = "demoones.com" ascii + $c2_159 = "department.shenajou.com" ascii + $c2_160 = "details.squirly.info" ascii + $c2_161 = "development.shenajou.com" ascii + $c2_162 = "devilcase.acmetoy.com" ascii + $c2_163 = "dfgwerzc.3322.org" ascii + $c2_164 = "dick.ccfchrist.com" ascii + $c2_165 = "digsby.ourhobby.com" ascii + $c2_166 = "disruptive.https443.net" ascii + $c2_167 = "dlmix.ourdvs.com" ascii + $c2_168 = "dnspoddwg.authorizeddns.org" ascii + $c2_170 = "document.methoder.com" ascii + $c2_171 = "document.shenajou.com" ascii + $c2_172 = "domainnow.yourtrap.com" ascii + $c2_173 = "download.applemusic.itemdb.com" ascii + $c2_174 = "download.microsoftmusic.onedumb.com" ascii + $c2_175 = "download.windowsupdate.authorizeddns.org" ascii + $c2_176 = "download.windowsupdate.dedgesuite.net" ascii + $c2_177 = "download.windowsupdate.dnset.com" ascii + $c2_178 = "download.windowsupdate.itsaol.com" ascii + $c2_179 = "download.windowsupdate.lflinkup.com" ascii + $c2_180 = "download.windowsupdate.nsatcdns.com" ascii + $c2_181 = "download.windowsupdate.x24hr.com" ascii + $c2_182 = "downloadlink.mypicture.info" ascii + $c2_183 = "drives.methoder.com" ascii + $c2_184 
= "dst.1dumb.com" ascii + $c2_185 = "duosay.com" ascii + $c2_186 = "dyncojinf.6600.org" ascii + $c2_187 = "dynsbluecheck.7766.org" ascii + $c2_188 = "ea.onmypc.info" ascii + $c2_189 = "ea.rebatesrule.net" ascii + $c2_190 = "edgar.ccfchrist.com" ascii + $c2_191 = "ehshiroshima.mylftv.com" ascii + $c2_192 = "emailfound.info" ascii + $c2_193 = "eric-averyanov.wha.la" ascii + $c2_194 = "essashi.com" ascii + $c2_195 = "eu.acmetoy.com" ascii + $c2_196 = "eu.wha.la" ascii + $c2_197 = "eu.zzux.com" ascii + $c2_198 = "everydayfilmlink.com" ascii + $c2_199 = "ewe.toshste.com" ascii + $c2_200 = "eweek.2waky.com" ascii + $c2_201 = "exprenum.com" ascii + $c2_202 = "express.lflinkup.com" ascii + $c2_203 = "extraordinary.dynamic-dns.net" ascii + $c2_204 = "f068v.site" ascii + $c2_205 = "fabian.ccfchrist.com" ascii + $c2_206 = "fastemail.dnsrd.com" ascii + $c2_207 = "fastmail2.com" ascii + $c2_208 = "fbi.sexxxy.biz" ascii + $c2_209 = "fbi.zyns.com" ascii + $c2_210 = "fcztqbg.zj.r3u8.com" ascii + $c2_211 = "feed.jungleheart.com" ascii + $c2_212 = "fftpoor.com" ascii + $c2_213 = "fg.v4.download.windowsupdates.dnsrd.com" ascii + $c2_214 = "fgipv6.download.windowsupdate.com.mwcname.com" ascii + $c2_215 = "file.zzux.com" ascii + $c2_216 = "files.architectisusa.com" ascii + $c2_217 = "film.everydayfilmlink.com" ascii + $c2_218 = "filmlist.everydayfilmlink.com" ascii + $c2_219 = "findme.epac.to" ascii + $c2_220 = "fire.mrface.com" ascii + $c2_221 = "fish.toh.info" ascii + $c2_222 = "fiveavmersi.websegoo.net" ascii + $c2_223 = "fjs.wikaba.com" ascii + $c2_224 = "flea.poulsenv.com" ascii + $c2_225 = "flynews.edns.biz" ascii + $c2_226 = "fo.mysecondarydns.com" ascii + $c2_227 = "foal.wchildress.com" ascii + $c2_228 = "follow.wha.la" ascii + $c2_229 = "foo.shenajou.com" ascii + $c2_230 = "for.ddns.mobi" ascii + $c2_231 = "fr.wikaba.com" ascii + $c2_232 = "franck.demoones.com" ascii + $c2_233 = "ftp.2014.zzux.com" ascii + $c2_234 = "ftp.additional.sexidude.com" ascii + $c2_235 = 
"ftp.afc.https443.org" ascii + $c2_236 = "ftp.announcements.toythieves.com" ascii + $c2_237 = "ftp.apple.ikwb.com" ascii + $c2_238 = "ftp.appledownload.ourhobby.com" ascii + $c2_239 = "ftp.appleimages.itemdb.com" ascii + $c2_240 = "ftp.appleimages.longmusic.com" ascii + $c2_241 = "ftp.appleimages.organiccrap.com" ascii + $c2_242 = "ftp.applemirror.organiccrap.com" ascii + $c2_243 = "ftp.applemirror.squirly.info" ascii + $c2_244 = "ftp.applemusic.isasecret.com" ascii + $c2_245 = "ftp.applemusic.itemdb.com" ascii + $c2_246 = "ftp.applemusic.wikaba.com" ascii + $c2_247 = "ftp.applemusic.xxuz.com" ascii + $c2_248 = "ftp.applemusic.zzux.com" ascii + $c2_249 = "ftp.appleupdate.itemdb.com" ascii + $c2_250 = "ftp.architectisusa.com" ascii + $c2_251 = "ftp.asfzx.x24hr.com" ascii + $c2_252 = "ftp.availab.wikaba.com" ascii + $c2_253 = "ftp.availability.justdied.com" ascii + $c2_254 = "ftp.back.jungleheart.com" ascii + $c2_255 = "ftp.balance1.wikaba.com" ascii + $c2_256 = "ftp.be.mrslove.com" ascii + $c2_257 = "ftp.brand.fartit.com" ascii + $c2_258 = "ftp.bulletproof.squirly.info" ascii + $c2_259 = "ftp.cia.ezua.com" ascii + $c2_260 = "ftp.cia.toh.info" ascii + $c2_261 = "ftp.civilwar123.authorizeddns.org" ascii + $c2_262 = "ftp.civilwar520.onmypc.org" ascii + $c2_263 = "ftp.cloudfileserverbs.dynamicdns.co.uk" ascii + $c2_264 = "ftp.cnnews.mylftv.com" ascii + $c2_265 = "ftp.commons.onedumb.com" ascii + $c2_266 = "ftp.contractus.qpoe.com" ascii + $c2_267 = "ftp.cvnx.zyns.com" ascii + $c2_268 = "ftp.de.onmypc.info" ascii + $c2_269 = "ftp.details.squirly.info" ascii + $c2_270 = "ftp.devilcase.acmetoy.com" ascii + $c2_271 = "ftp.disruptive.https443.net" ascii + $c2_272 = "ftp.domainnow.yourtrap.com" ascii + $c2_273 = "ftp.ea.onmypc.info" ascii + $c2_274 = "ftp.ehshiroshima.mylftv.com" ascii + $c2_275 = "ftp.eric-averyanov.wha.la" ascii + $c2_276 = "ftp.eu.acmetoy.com" ascii + $c2_277 = "ftp.eu.wha.la" ascii + $c2_278 = "ftp.eu.zzux.com" ascii + $c2_279 = "ftp.fbi.sexxxy.biz" ascii 
+ $c2_280 = "ftp.file.zzux.com" ascii + $c2_281 = "ftp.findme.epac.to" ascii + $c2_282 = "ftp.fire.mrface.com" ascii + $c2_283 = "ftp.fjs.wikaba.com" ascii + $c2_284 = "ftp.fr.wikaba.com" ascii + $c2_285 = "ftp.fuck.ikwb.com" ascii + $c2_286 = "ftp.fuckmm.dns-dns.com" ascii + $c2_287 = "ftp.generat.almostmy.com" ascii + $c2_288 = "ftp.goldtoyota.com" ascii + $c2_289 = "ftp.goodmusic.justdied.com" ascii + $c2_290 = "ftp.helpus.ddns.info" ascii + $c2_291 = "ftp.hii.qhigh.com" ascii + $c2_292 = "ftp.innocent-isayev.sexidude.com" ascii + $c2_293 = "ftp.invoices.sexxxy.biz" ascii + $c2_294 = "ftp.iphone.vizvaz.com" ascii + $c2_295 = "ftp.itlans.isasecret.com" ascii + $c2_296 = "ftp.itunesdownload.jkub.com" ascii + $c2_297 = "ftp.itunesdownload.wikaba.com" ascii + $c2_298 = "ftp.itunesimages.itemdb.com" ascii + $c2_299 = "ftp.itunesimages.itsaol.com" ascii + $c2_300 = "ftp.itunesimages.qpoe.com" ascii + $c2_301 = "ftp.itunesmirror.fartit.com" ascii + $c2_302 = "ftp.itunesmirror.itsaol.com" ascii + $c2_303 = "ftp.itunesmusic.ikwb.com" ascii + $c2_304 = "ftp.itunesmusic.jetos.com" ascii + $c2_305 = "ftp.itunesmusic.jkub.com" ascii + $c2_306 = "ftp.itunesmusic.zzux.com" ascii + $c2_307 = "ftp.itunesupdate.itsaol.com" ascii + $c2_308 = "ftp.itunesupdates.organiccrap.com" ascii + $c2_309 = "ftp.japanfilmsite.ikwb.com" ascii + $c2_310 = "ftp.jimin.mymom.info" ascii + $c2_311 = "ftp.jp.serveuser.com" ascii + $c2_312 = "ftp.key.zzux.com" ascii + $c2_313 = "ftp.knowledge.sellclassics.com" ascii + $c2_314 = "ftp.lan.dynssl.com" ascii + $c2_315 = "ftp.latestnews.epac.to" ascii + $c2_316 = "ftp.latestnews.organiccrap.com" ascii + $c2_317 = "ftp.leedong.longmusic.com" ascii + $c2_318 = "ftp.macfee.mrface.com" ascii + $c2_319 = "ftp.maffc.mrface.com" ascii + $c2_320 = "ftp.malware.dsmtp.com" ascii + $c2_321 = "ftp.manager.jetos.com" ascii + $c2_322 = "ftp.martin.sellclassics.com" ascii + $c2_323 = "ftp.mason.vizvaz.com" ascii + $c2_324 = "ftp.mediapath.organiccrap.com" ascii + $c2_325 
= "ftp.microsoft.got-game.org" ascii + $c2_326 = "ftp.microsoft.mrface.com" ascii + $c2_327 = "ftp.microsoftimages.organiccrap.com" ascii + $c2_328 = "ftp.microsoftmusic.mrbasic.com" ascii + $c2_329 = "ftp.microsoftqckmanager.pcanywhere.net" ascii + $c2_330 = "ftp.microsoftupdate.mrbasic.com" ascii + $c2_331 = "ftp.microsoftupdate.qhigh.com" ascii + $c2_332 = "ftp.micrsoftware.dsmtp.com" ascii + $c2_333 = "ftp.mircsoft.compress.to" ascii + $c2_334 = "ftp.mmy.ddns.us" ascii + $c2_335 = "ftp.mod.jetos.com" ascii + $c2_336 = "ftp.mofa.dynamic-dns.net" ascii + $c2_337 = "ftp.mofa.ns01.info" ascii + $c2_338 = "ftp.moscowdic.trickip.org" ascii + $c2_339 = "ftp.msg.ezua.com" ascii + $c2_340 = "ftp.musicfile.ikwb.com" ascii + $c2_341 = "ftp.musicjj.zzux.com" ascii + $c2_342 = "ftp.mymusicbox.vizvaz.com" ascii + $c2_343 = "ftp.myphpwebsite.itsaol.com" ascii + $c2_344 = "ftp.myrestroomimage.isasecret.com" ascii + $c2_345 = "ftp.na.americanunfinished.com" ascii + $c2_346 = "ftp.na.onmypc.org" ascii + $c2_347 = "ftp.newsdata.jkub.com" ascii + $c2_348 = "ftp.newsroom.cleansite.info" ascii + $c2_349 = "ftp.no.authorizeddns.org" ascii + $c2_350 = "ftp.nsa.mefound.com" ascii + $c2_351 = "ftp.nt.mynumber.org" ascii + $c2_352 = "ftp.nttdata.otzo.com" ascii + $c2_353 = "ftp.nz.compress.to" ascii + $c2_354 = "ftp.ol.almostmy.com" ascii + $c2_355 = "ftp.oracleupdate.dns04.com" ascii + $c2_356 = "ftp.portal.mrface.com" ascii + $c2_357 = "ftp.portal.sendsmtp.com" ascii + $c2_358 = "ftp.portalser.dynamic-dns.net" ascii + $c2_359 = "ftp.praskovya-matveyeva.mefound.com" ascii + $c2_360 = "ftp.praskovya-ulyanova.dumb1.com" ascii + $c2_361 = "ftp.products.almostmy.com" ascii + $c2_362 = "ftp.products.cleansite.us" ascii + $c2_363 = "ftp.products.serveuser.com" ascii + $c2_364 = "ftp.purchase.lflinkup.org" ascii + $c2_365 = "ftp.recent.dns-stuff.com" ascii + $c2_366 = "ftp.recent.fartit.com" ascii + $c2_367 = "ftp.referred.gr8domain.biz" ascii + $c2_368 = "ftp.referred.yourtrap.com" ascii + 
$c2_369 = "ftp.register.ourhobby.com" ascii
+ $c2_370 = "ftp.registration2.instanthq.com" ascii
+ $c2_371 = "ftp.registrations.4pu.com" ascii
+ $c2_372 = "ftp.registrations.organiccrap.com" ascii
+ $c2_373 = "ftp.remeberdata.iownyour.org" ascii
+ $c2_374 = "ftp.reserveds.onedumb.com" ascii
+ $c2_375 = "ftp.rethem.almostmy.com" ascii
+ $c2_376 = "ftp.sdmsg.onmypc.org" ascii
+ $c2_377 = "ftp.se.toythieves.com" ascii
+ $c2_378 = "ftp.secertnews.mrbasic.com" ascii
+ $c2_379 = "ftp.senseye.ikwb.com" ascii
+ $c2_380 = "ftp.senseye.mrbonus.com" ascii
+ $c2_381 = "ftp.septdlluckysystem.jungleheart.com" ascii
+ $c2_382 = "ftp.seraphim-yurieva.justdied.com" ascii
+ $c2_383 = "ftp.serv.justdied.com" ascii
+ $c2_384 = "ftp.server1.proxydns.com" ascii
+ $c2_385 = "ftp.seyesb.acmetoy.com" ascii
+ $c2_386 = "ftp.shugiin.jkub.com" ascii
+ $c2_387 = "ftp.singed.otzo.com" ascii
+ $c2_388 = "ftp.sstday.jkub.com" ascii
+ $c2_389 = "ftp.support1.mrface.com" ascii
+ $c2_390 = "ftp.supportus.mefound.com" ascii
+ $c2_391 = "ftp.svc.dynssl.com" ascii
+ $c2_392 = "ftp.synssl.dnset.com" ascii
+ $c2_393 = "ftp.tamraj.fartit.com" ascii
+ $c2_394 = "ftp.tfa.longmusic.com" ascii
+ $c2_395 = "ftp.thunder.wikaba.com" ascii
+ $c2_396 = "ftp.ticket.instanthq.com" ascii
+ $c2_397 = "ftp.ticket.serveuser.com" ascii
+ $c2_398 = "ftp.tokyofile.2waky.com" ascii
+ $c2_399 = "ftp.tophost.dynamicdns.co.uk" ascii
+ $c2_400 = "ftp.transfer.lflinkup.org" ascii
+ $c2_401 = "ftp.transfer.mrbasic.com" ascii
+ $c2_402 = "ftp.transfer.vizvaz.com" ascii
+ $c2_403 = "ftp.ugreen.itemdb.com" ascii
+ $c2_404 = "ftp.uk.dynamicdns.org.uk" ascii
+ $c2_405 = "ftp.un.ddns.info" ascii
+ $c2_406 = "ftp.un.dnsrd.com" ascii
+ $c2_407 = "ftp.usa.itsaol.com" ascii
+ $c2_408 = "ftp.well.itsaol.com" ascii
+ $c2_409 = "ftp.well.mrbasic.com" ascii
+ $c2_410 = "ftp.wike.wikaba.com" ascii
+ $c2_411 = "ftp.windowfile.itemdb.com" ascii
+ $c2_412 = "ftp.windowsimages.itemdb.com" ascii
+ $c2_413 = "ftp.windowsimages.qhigh.com" ascii
+ $c2_414 = "ftp.windowsmirrors.vizvaz.com" ascii
+ $c2_415 = "ftp.windowsupdate.2waky.com" ascii
+ $c2_416 = "ftp.windowsupdate.3-a.net" ascii
+ $c2_417 = "ftp.windowsupdate.authorizeddns.us" ascii
+ $c2_418 = "ftp.windowsupdate.dns05.com" ascii
+ $c2_419 = "ftp.windowsupdate.esmtp.biz" ascii
+ $c2_420 = "ftp.windowsupdate.ezua.com" ascii
+ $c2_421 = "ftp.windowsupdate.fartit.com" ascii
+ $c2_422 = "ftp.windowsupdate.gettrials.com" ascii
+ $c2_423 = "ftp.windowsupdate.instanthq.com" ascii
+ $c2_424 = "ftp.windowsupdate.jungleheart.com" ascii
+ $c2_425 = "ftp.windowsupdate.lflink.com" ascii
+ $c2_426 = "ftp.windowsupdate.mrface.com" ascii
+ $c2_427 = "ftp.windowsupdate.mylftv.com" ascii
+ $c2_428 = "ftp.windowsupdate.rebatesrule.net" ascii
+ $c2_429 = "ftp.windowsupdate.sellclassics.com" ascii
+ $c2_430 = "ftp.windowsupdate.serveusers.com" ascii
+ $c2_431 = "ftp.yandexr.sellclassics.com" ascii
+ $c2_432 = "fu.epac.to" ascii
+ $c2_433 = "fuck.ikwb.com" ascii
+ $c2_434 = "fuckanti.com" ascii
+ $c2_435 = "fuckdd.8800.org" ascii
+ $c2_436 = "fuckmm.8800.org" ascii
+ $c2_437 = "fuckmm.dns-dns.com" ascii
+ $c2_438 = "fukuoka.cloud-maste.com" ascii
+ $c2_439 = "g3ypf.online" ascii
+ $c2_440 = "gadskysun.com" ascii
+ $c2_441 = "gavin.ccfchrist.com" ascii
+ $c2_442 = "generat.almostmy.com" ascii
+ $c2_443 = "generousd.hopto.org" ascii
+ $c2_444 = "gensuzuki.6600.org" ascii
+ $c2_446 = "gh.mysecondarydns.com" ascii
+ $c2_447 = "gifuonlineshopping.mynumber.org" ascii
+ $c2_448 = "glicense.shenajou.com" ascii
+ $c2_449 = "globalnews.wikaba.com" ascii
+ $c2_450 = "gmail.com.mailsserver.com" ascii
+ $c2_451 = "gmpcw.com" ascii
+ $c2_452 = "gold.polopurple.com" ascii
+ $c2_453 = "goldtoyota.com" ascii
+ $c2_454 = "goodmusic.justdied.com" ascii
+ $c2_455 = "goodsampjp.com" ascii
+ $c2_456 = "gooesdataios.instanthq.com" ascii
+ $c2_457 = "google.macforlinux.net" ascii
+ $c2_458 = "google.usrobothome.com" ascii
+ $c2_459 = "googlemeail.com" ascii
+ $c2_460 = "gostudyantivirus.com" ascii
+ $c2_461 = "gostudymbaa.com" ascii
+ $c2_462 = "gotourisma.com" ascii
+ $c2_463 = "gt4study.com" ascii
+ $c2_464 = "gtsofta.com" ascii
+ $c2_465 = "haoyujd.info" ascii
+ $c2_466 = "happy.workerisgood.com" ascii
+ $c2_467 = "have8000.com" ascii
+ $c2_468 = "helpus.ddns.info" ascii
+ $c2_469 = "helshellfucde.8866.org" ascii
+ $c2_470 = "hg8fmv.racing" ascii
+ $c2_471 = "hii.qhigh.com" ascii
+ $c2_472 = "hk.2012yearleft.com" ascii
+ $c2_473 = "hk.cmdnetview.com" ascii
+ $c2_474 = "hk.have8000.com" ascii
+ $c2_475 = "hk.loveddos.com" ascii
+ $c2_476 = "home.trickip.org" ascii
+ $c2_477 = "hostport9.net" ascii
+ $c2_478 = "hotmai.info" ascii
+ $c2_479 = "hotmail.com.mailsserver.com" ascii
+ $c2_480 = "hukuoka.cloud-maste.com" ascii
+ $c2_481 = "iamges.itunesmusic.jkub.com" ascii
+ $c2_482 = "ibmmsg.strangled.net" ascii
+ $c2_483 = "icfeds.cf" ascii
+ $c2_484 = "idpmus.hostport9.net" ascii
+ $c2_486 = "im.suibian2010.info" ascii
+ $c2_487 = "image.websago.info" ascii
+ $c2_488 = "images.itunesmusic.jkub.com" ascii
+ $c2_489 = "images.thedomais.info" ascii
+ $c2_490 = "images.tyoto-go-jp.com" ascii
+ $c2_491 = "images.windowsupdate.organiccrap.com" ascii
+ $c2_492 = "imap.architectisusa.com" ascii
+ $c2_493 = "imap.dnset.com" ascii
+ $c2_494 = "imap.lflink.com" ascii
+ $c2_495 = "imap.onmypc.net" ascii
+ $c2_496 = "imap.ygto.com" ascii
+ $c2_497 = "img.station155.com" ascii
+ $c2_498 = "improvejpese.com" ascii
+ $c2_499 = "incloud-go.com" ascii
+ $c2_500 = "incloud-obert.com" ascii
+ $c2_501 = "ingemar.catholicmmb.com" ascii
+ $c2_502 = "innocent-isayev.sexidude.com" ascii
+ $c2_503 = "innov-tec.com.ua" ascii
+ $c2_504 = "inspgon.re26.com" ascii
+ $c2_505 = "interpreter.shenajou.com" ascii
+ $c2_506 = "invoices.sexxxy.biz" ascii
+ $c2_508 = "iphone.vizvaz.com" ascii
+ $c2_509 = "ipv4.applemusic.itemdb.com" ascii
+ $c2_510 = "ipv4.itunesmusic.jkub.com" ascii
+ $c2_511 = "ipv4.japanenvnews.qpoe.com" ascii
+ $c2_512 = "ipv4.microsoftmusic.onedumb.com" ascii
+ $c2_513 = "ipv4.microsoftupdate.mrbasic.com" ascii
+ $c2_514 = "ipv4.microsoftupdate.qhigh.com" ascii
+ $c2_515 = "ipv4.windowsupdate.3-a.net" ascii
+ $c2_516 = "ipv4.windowsupdate.authorizeddns.org" ascii
+ $c2_517 = "ipv4.windowsupdate.authorizeddns.us" ascii
+ $c2_518 = "ipv4.windowsupdate.dnset.com" ascii
+ $c2_519 = "ipv4.windowsupdate.esmtp.biz" ascii
+ $c2_520 = "ipv4.windowsupdate.ezua.com" ascii
+ $c2_521 = "ipv4.windowsupdate.fartit.com" ascii
+ $c2_522 = "ipv4.windowsupdate.gettrials.com" ascii
+ $c2_523 = "ipv4.windowsupdate.itsaol.com" ascii
+ $c2_524 = "ipv4.windowsupdate.lflink.com" ascii
+ $c2_525 = "ipv4.windowsupdate.lflinkup.com" ascii
+ $c2_526 = "ipv4.windowsupdate.mrface.com" ascii
+ $c2_527 = "ipv4.windowsupdate.mylftv.com" ascii
+ $c2_528 = "ipv4.windowsupdate.nsatcdns.com" ascii
+ $c2_529 = "ipv4.windowsupdate.x24hr.com" ascii
+ $c2_530 = "ipv6microsoft.dlmix.ourdvs.com" ascii
+ $c2_531 = "itlans.isasecret.com" ascii
+ $c2_532 = "itunesdownload.jkub.com" ascii
+ $c2_533 = "itunesdownload.vizvaz.com" ascii
+ $c2_534 = "itunesdownload.wikaba.com" ascii
+ $c2_535 = "itunesimages.itemdb.com" ascii
+ $c2_536 = "itunesimages.itsaol.com" ascii
+ $c2_537 = "itunesimages.qpoe.com" ascii
+ $c2_538 = "itunesmirror.fartit.com" ascii
+ $c2_539 = "itunesmirror.itsaol.com" ascii
+ $c2_540 = "itunesmusic.ikwb.com" ascii
+ $c2_541 = "itunesmusic.jetos.com" ascii
+ $c2_542 = "itunesmusic.jkub.com" ascii
+ $c2_543 = "itunesmusic.zzux.com" ascii
+ $c2_544 = "itunesupdate.itsaol.com" ascii
+ $c2_545 = "itunesupdates.organiccrap.com" ascii
+ $c2_546 = "iw.mrslove.com" ascii
+ $c2_547 = "ixrayeye.com" ascii
+ $c2_548 = "james.tffghelth.com" ascii
+ $c2_549 = "janpan.bigmoney.biz" ascii
+ $c2_550 = "janpun.americanunfinished.com" ascii
+ $c2_551 = "jap.japanmusicinfo.com" ascii
+ $c2_552 = "japan.fuckanti.com" ascii
+ $c2_553 = "japan.linuxforover.com" ascii
+ $c2_554 = "japan.loveddos.com" ascii
+ $c2_555 = "japanenvnews.qpoe.com" ascii
+ $c2_556 = "japanfilmsite.ikwb.com" ascii
+ $c2_557 = "japanfst.japanteam.org" ascii
+ $c2_558 = "japanmusicinfo.com" ascii
+ $c2_559 = "japanteam.org" ascii
+ $c2_560 = "jcie.mofa.ns01.info" ascii
+ $c2_561 = "jepsen.r3u8.com" ascii
+ $c2_562 = "jica-go-jp.bike" ascii
+ $c2_563 = "jica-go-jp.biz" ascii
+ $c2_564 = "jimin-jp.biz" ascii
+ $c2_565 = "jimin.jimindaddy.com" ascii
+ $c2_566 = "jimin.mymom.info" ascii
+ $c2_567 = "jimindaddy.com" ascii
+ $c2_568 = "jimingroup.com" ascii
+ $c2_569 = "jimintokoy.com" ascii
+ $c2_570 = "jj.mysecondarydns.com" ascii
+ $c2_571 = "jmuroran.com" ascii
+ $c2_572 = "jp.rakutenmusic.com" ascii
+ $c2_573 = "jp.serveuser.com" ascii
+ $c2_574 = "jpcert.org" ascii
+ $c2_575 = "jpn.longmusic.com" ascii
+ $c2_576 = "jpnxzshopdata.authorizeddns.org" ascii
+ $c2_577 = "jpstarmarket.serveusers.com" ascii
+ $c2_578 = "kaka.lehigtapp.com" ascii
+ $c2_579 = "kawasaki.cloud-maste.com" ascii
+ $c2_580 = "kawasaki.unhamj.com" ascii
+ $c2_581 = "kennedy.tffghelth.com" ascii
+ $c2_582 = "key.zzux.com" ascii
+ $c2_583 = "kikimusic.sellclassics.com" ascii
+ $c2_584 = "kmd.crabdance.com" ascii
+ $c2_585 = "knowledge.sellclassics.com" ascii
+ $c2_586 = "ktgmktanxgvn.r3u8.com" ascii
+ $c2_587 = "kxsbwappupdate.dhcp.biz" ascii
+ $c2_588 = "kztmusiclnk.dnsrd.com" ascii
+ $c2_589 = "lan.dynssl.com" ascii
+ $c2_590 = "last.p6p6.net" ascii
+ $c2_591 = "latestnews.epac.to" ascii
+ $c2_592 = "latestnews.organiccrap.com" ascii
+ $c2_593 = "leedong.longmusic.com" ascii
+ $c2_594 = "lehigtapp.com" ascii
+ $c2_595 = "lennon.fftpoor.com" ascii
+ $c2_596 = "license.shenajou.com" ascii
+ $c2_597 = "lie.jetos.com" ascii
+ $c2_598 = "linuxforover.com" ascii
+ $c2_599 = "linuxsofta.com" ascii
+ $c2_600 = "lion.wchildress.com" ascii
+ $c2_601 = "lizard.poulsenv.com" ascii
+ $c2_602 = "logon-live.com" ascii
+ $c2_603 = "lottedfstravel.webbooting.com" ascii
+ $c2_604 = "loveddos.com" ascii
+ $c2_605 = "lzf550.r3u8.com" ascii
+ $c2_606 = "ma.vizvaz.com" ascii
+ $c2_607 = "mac.goldtoyota.com" ascii
+ $c2_608 = "mac.methoder.com" ascii
+ $c2_609 = "macfee.mrface.com" ascii
+ $c2_610 = "macforlinux.net" ascii
+ $c2_611 = "maffc.mrface.com" ascii
+ $c2_612 = "mail.architectisusa.com" ascii
+ $c2_613 = "mail.macforlinux.net" ascii
+ $c2_614 = "mailcarriage.co.uk" ascii
+ $c2_615 = "mailj.hostport9.net" ascii
+ $c2_616 = "mailserever.com" ascii
+ $c2_617 = "mailsserver.com" ascii
+ $c2_618 = "mailvserver.com" ascii
+ $c2_619 = "malcolm.fftpoor.com" ascii
+ $c2_620 = "malware.dsmtp.com" ascii
+ $c2_621 = "manager.architectisusa.com" ascii
+ $c2_622 = "manager.jetos.com" ascii
+ $c2_623 = "markabcinfo.dynamicdns.me.uk" ascii
+ $c2_624 = "martin.sellclassics.com" ascii
+ $c2_625 = "mason.vizvaz.com" ascii
+ $c2_626 = "mbaby.macforlinux.net" ascii
+ $c2_627 = "medexplor.thedomais.info" ascii
+ $c2_628 = "mediapath.organiccrap.com" ascii
+ $c2_629 = "meiji-ac-jp.com" ascii
+ $c2_630 = "mesjm.emailfound.info" ascii
+ $c2_631 = "message.emailfound.info" ascii
+ $c2_632 = "message.p6p6.net" ascii
+ $c2_633 = "messagea.emailfound.info" ascii
+ $c2_634 = "methoder.com" ascii
+ $c2_635 = "mf.ddns.info" ascii
+ $c2_636 = "microcnmlgb.3322.org" ascii
+ $c2_637 = "microdef.2288.org" ascii
+ $c2_638 = "microhome.wikaba.com" ascii
+ $c2_639 = "microsoft.got-game.org" ascii
+ $c2_640 = "microsoft.mrface.com" ascii
+ $c2_641 = "microsoftdownload.zzux.com" ascii
+ $c2_642 = "microsoftempowering.sendsmtp.com" ascii
+ $c2_643 = "microsoften.com" ascii
+ $c2_644 = "microsoftgame.mrface.com" ascii
+ $c2_645 = "microsoftgetstarted.sexidude.com" ascii
+ $c2_646 = "microsoftimages.organiccrap.com" ascii
+ $c2_647 = "microsoftmirror.mrbasic.com" ascii
+ $c2_648 = "microsoftmusic.itemdb.com" ascii
+ $c2_649 = "microsoftmusic.mrbasic.com" ascii
+ $c2_650 = "microsoftmusic.onedumb.com" ascii
+ $c2_651 = "microsoftqckmanager.pcanywhere.net" ascii
+ $c2_652 = "microsoftstore.jetos.com" ascii
+ $c2_653 = "microsoftstores.itemdb.com" ascii
+ $c2_654 = "microsoftupdate.mrbasic.com" ascii
+ $c2_655 = "microsoftupdate.qhigh.com" ascii
+ $c2_656 = "microsoftupdates.vizvaz.com" ascii
+ $c2_657 = "micrsoftware.dsmtp.com" ascii
+ $c2_658 = "mircsoft.compress.to" ascii
+ $c2_659 = "mivsee.website0012.net" ascii
+ $c2_660 = "mmofoojap.2288.org" ascii
+ $c2_661 = "mmy.ddns.us" ascii
+ $c2_662 = "mobile.2waky.com" ascii
+ $c2_663 = "mocha.100fanwen.com" ascii
+ $c2_664 = "mod.jetos.com" ascii
+ $c2_665 = "mofa-go-jp.com" ascii
+ $c2_666 = "mofa.dynamic-dns.net" ascii
+ $c2_667 = "mofa.ns01.info" ascii
+ $c2_668 = "mofa.strangled.net" ascii
+ $c2_669 = "mofaess.com" ascii
+ $c2_670 = "mongoles.3322.org" ascii
+ $c2_671 = "monkey.2012yearleft.com" ascii
+ $c2_672 = "moscowstdsupdate.toythieves.com" ascii
+ $c2_673 = "mrsloveaqx.mrslove.com" ascii
+ $c2_674 = "ms.ecc.u-tokyo-ac-jp.com" ascii
+ $c2_675 = "mseupdate.ourhobby.com" ascii
+ $c2_676 = "msg.ezua.com" ascii
+ $c2_677 = "msn.incloud-go.com" ascii
+ $c2_678 = "muller.exprenum.com" ascii
+ $c2_679 = "music.applemusic.itemdb.com" ascii
+ $c2_680 = "music.cleansite.us" ascii
+ $c2_681 = "music.websegoo.net" ascii
+ $c2_682 = "musicfile.ikwb.com" ascii
+ $c2_683 = "musicinfo.everydayfilmlink.com" ascii
+ $c2_684 = "musiclinker.jkub.com" ascii
+ $c2_685 = "musicsecph.squirly.info" ascii
+ $c2_686 = "mx.yetrula.eu" ascii
+ $c2_687 = "myie12.com" ascii
+ $c2_688 = "mymusicbox.lflinkup.org" ascii
+ $c2_689 = "mymusicbox.vizvaz.com" ascii
+ $c2_690 = "myphpwebsite.itsaol.com" ascii
+ $c2_691 = "myrestroomimage.isasecret.com" ascii
+ $c2_692 = "mytwhomeinst.sendsmtp.com" ascii
+ $c2_693 = "myurinikoreaaps.ninth.biz" ascii
+ $c2_694 = "na.americanunfinished.com" ascii
+ $c2_695 = "na.onmypc.org" ascii
+ $c2_696 = "nasa.xxuz.com" ascii
+ $c2_697 = "nec.website0012.net" ascii
+ $c2_698 = "news.100fanwen.com" ascii
+ $c2_699 = "newsdata.jkub.com" ascii
+ $c2_700 = "newsfile.toythieves.com" ascii
+ $c2_701 = "newsreport.justdied.com" ascii
+ $c2_702 = "newsroom.cleansite.info" ascii
+ $c2_703 = "nezwq.ezua.com" ascii
+ $c2_704 = "ngcc.8800.org" ascii
+ $c2_705 = "niushenghuo.info" ascii
+ $c2_706 = "nk10.belowto.com" ascii
+ $c2_707 = "nk20.belowto.com" ascii
+ $c2_708 = "nlddnsinfo.https443.org" ascii
+ $c2_709 = "nmrx.mrbonus.com" ascii
+ $c2_710 = "nn.dynssl.com" ascii
+ $c2_711 = "no.authorizeddns.org" ascii
+ $c2_712 = "node.mofaess.com" ascii
+ $c2_713 = "nodns2.qipian.org" ascii
+ $c2_714 = "nposnewsinfo.qhigh.com" ascii
+ $c2_715 = "ns1.belowto.com" ascii
+ $c2_716 = "ns1.tlchs2.ml" ascii
+ $c2_717 = "ns2.belowto.com" ascii
+ $c2_718 = "ns21.belowto.com" ascii
+ $c2_719 = "ns22.belowto.com" ascii
+ $c2_720 = "ns4.belowto.com" ascii
+ $c2_721 = "ns5.belowto.com" ascii
+ $c2_722 = "nsa.mefound.com" ascii
+ $c2_723 = "nsatcdns.com" ascii
+ $c2_724 = "nt.mynumber.org" ascii
+ $c2_725 = "nttdata.otzo.com" ascii
+ $c2_726 = "nunluck.re26.com" ascii
+ $c2_727 = "nz.compress.to" ascii
+ $c2_728 = "oipbl.com" ascii
+ $c2_729 = "ol.almostmy.com" ascii
+ $c2_730 = "oldbmwy.com" ascii
+ $c2_731 = "oms.sindeali.com" ascii
+ $c2_732 = "openmofa.8866.org" ascii
+ $c2_733 = "oracleupdate.dns04.com" ascii
+ $c2_734 = "osaka-jpgo.com" ascii
+ $c2_735 = "outlook.otzo.com" ascii
+ $c2_736 = "owlmedia.mefound.com" ascii
+ $c2_737 = "p6p6.net" ascii
+ $c2_738 = "peopleinfodata.3-a.net" ascii
+ $c2_739 = "phptecinfohelp.itemdb.com" ascii
+ $c2_740 = "pictures.everydayfilmlink.com" ascii
+ $c2_741 = "pj.qpoe.com" ascii
+ $c2_742 = "points.mofaess.com" ascii
+ $c2_743 = "polopurple.com" ascii
+ $c2_744 = "pop.architectisusa.com" ascii
+ $c2_745 = "pop.loveddos.com" ascii
+ $c2_746 = "portal.mrface.com" ascii
+ $c2_747 = "portal.sendsmtp.com" ascii
+ $c2_748 = "portalser.dynamic-dns.net" ascii
+ $c2_749 = "poulsenv.com" ascii
+ $c2_750 = "praskovya-matveyeva.mefound.com" ascii
+ $c2_751 = "praskovya-ulyanova.dumb1.com" ascii
+ $c2_752 = "premium.redforlinux.com" ascii
+ $c2_753 = "products.almostmy.com" ascii
+ $c2_754 = "products.cleansite.us" ascii
+ $c2_755 = "products.serveuser.com" ascii
+ $c2_756 = "program.acmetoy.com" ascii
+ $c2_757 = "prrmes4019.r3u8.com" ascii
+ $c2_758 = "purchase.lflinkup.org" ascii
+ $c2_759 = "q6.niushenghuo.info" ascii
+ $c2_760 = "qtsofta.com" ascii
+ $c2_761 = "quick.oldbmwy.com" ascii
+ $c2_762 = "r3u8.com" ascii
+ $c2_763 = "radiorig.com" ascii
+ $c2_764 = "rain.orctldl.windowsupdate.authorizeddns.us" ascii
+ $c2_765 = "rakutenmusic.com" ascii
+ $c2_766 = "rdns-4.infoproduto1.tk" ascii
+ $c2_767 = "re26.com" ascii
+ $c2_768 = "read.xxuz.com" ascii
+ $c2_769 = "recent.dns-stuff.com" ascii
+ $c2_770 = "recent.fartit.com" ascii
+ $c2_771 = "record.hostport9.net" ascii
+ $c2_772 = "record.webssl9.info" ascii
+ $c2_773 = "record.wschandler.com" ascii
+ $c2_774 = "redforlinux.com" ascii
+ $c2_775 = "referred.gr8domain.biz" ascii
+ $c2_776 = "referred.yourtrap.com" ascii
+ $c2_777 = "register.ourhobby.com" ascii
+ $c2_778 = "registration2.instanthq.com" ascii
+ $c2_779 = "registrations.4pu.com" ascii
+ $c2_780 = "registrations.organiccrap.com" ascii
+ $c2_781 = "reports.tomorrowforgood.com" ascii
+ $c2_782 = "reserveds.onedumb.com" ascii
+ $c2_783 = "resources.applemusic.itemdb.com" ascii
+ $c2_784 = "rethem.almostmy.com" ascii
+ $c2_785 = "rg197.win" ascii
+ $c2_786 = "rlbeiydn.hi.r3u8.com" ascii
+ $c2_787 = "saiyo.exprenum.com" ascii
+ $c2_788 = "sakai.unhamj.com" ascii
+ $c2_789 = "salvaiona.com" ascii
+ $c2_790 = "sappore.cloud-maste.com" ascii
+ $c2_791 = "sapporo.cloud-maste.com" ascii
+ $c2_792 = "sapporot.com" ascii
+ $c2_793 = "sat.suayay.com" ascii
+ $c2_794 = "saverd.re26.com" ascii
+ $c2_795 = "sbuudd.webssl9.info" ascii
+ $c2_796 = "sc.weboot.info" ascii
+ $c2_797 = "scholz-versand.com" ascii
+ $c2_798 = "scorpion.poulsenv.com" ascii
+ $c2_799 = "scrlk.exprenum.com" ascii
+ $c2_800 = "sdmsg.onmypc.org" ascii
+ $c2_801 = "se.toythieves.com" ascii
+ $c2_802 = "sea.websegoo.net" ascii
+ $c2_803 = "secertnews.mrbasic.com" ascii
+ $c2_804 = "secmicrosooo.6600.org" ascii
+ $c2_805 = "secnetshit.com" ascii
+ $c2_806 = "secserverupdate.toh.info" ascii
+ $c2_807 = "sell.mofaess.com" ascii
+ $c2_808 = "sema.linuxsofta.com" ascii
+ $c2_809 = "send.have8000.com" ascii
+ $c2_810 = "send.mofa.ns01.info" ascii
+ $c2_811 = "sendmsg.jumpingcrab.com" ascii
+ $c2_812 = "senseye.ikwb.com" ascii
+ $c2_813 = "senseye.mrbonus.com" ascii
+ $c2_814 = "septdlluckysystem.jungleheart.com" ascii
+ $c2_815 = "seraphim-yurieva.justdied.com" ascii
+ $c2_816 = "serv.justdied.com" ascii
+ $c2_817 = "server1.proxydns.com" ascii
+ $c2_818 = "seyesb.acmetoy.com" ascii
+ $c2_819 = "sha.25u.com" ascii
+ $c2_820 = "sha.ikwb.com" ascii
+ $c2_821 = "shenajou.com" ascii
+ $c2_822 = "shoppingcentre.station155.com" ascii
+ $c2_823 = "shrimp.UsFfUnicef.com" ascii
+ $c2_824 = "shrimp.bdoncloud.com" ascii
+ $c2_825 = "shugiin.jkub.com" ascii
+ $c2_826 = "sindeali.com" ascii
+ $c2_827 = "singed.otzo.com" ascii
+ $c2_828 = "siteinit.info" ascii
+ $c2_829 = "sky.oldbmwy.com" ascii
+ $c2_830 = "sma.jimindaddy.com" ascii
+ $c2_831 = "smo.gadskysun.com" ascii
+ $c2_832 = "smtp.architectisusa.com" ascii
+ $c2_833 = "smtp.macforlinux.net" ascii
+ $c2_834 = "smtp230.toldweb.com" ascii
+ $c2_835 = "somthing.re26.com" ascii
+ $c2_836 = "sstday.jkub.com" ascii
+ $c2_837 = "start.usrobothome.com" ascii
+ $c2_838 = "station155.com" ascii
+ $c2_839 = "stevenlf.com" ascii
+ $c2_840 = "stone.jumpingcrab.com" ascii
+ $c2_841 = "style.u-tokyo-ac-jp.com" ascii
+ $c2_842 = "suayay.com" ascii
+ $c2_843 = "suibian2010.info" ascii
+ $c2_844 = "support1.mrface.com" ascii
+ $c2_845 = "supportus.mefound.com" ascii
+ $c2_846 = "suzukigooogle.8866.org" ascii
+ $c2_847 = "svc.dynssl.com" ascii
+ $c2_848 = "synssl.dnset.com" ascii
+ $c2_849 = "sz.thedomais.info" ascii
+ $c2_850 = "taipei.yourtrap.com" ascii
+ $c2_851 = "taipeifoodsite.ocry.com" ascii
+ $c2_852 = "tamraj.fartit.com" ascii
+ $c2_853 = "telegraph.mefound.com" ascii
+ $c2_854 = "test.usyahooapis.com" ascii
+ $c2_855 = "tfa.longmusic.com" ascii
+ $c2_856 = "tffghelth.com" ascii
+ $c2_857 = "thedomais.info" ascii
+ $c2_858 = "ticket.instanthq.com" ascii
+ $c2_859 = "ticket.jetos.com" ascii
+ $c2_860 = "ticket.serveuser.com" ascii
+ $c2_861 = "tidatacenter.shenajou.com" ascii
+ $c2_862 = "tisdatacenter.shenajou.com" ascii
+ $c2_863 = "tisupdateinfo.faqserv.com" ascii
+ $c2_864 = "tokyo-gojp.com" ascii
+ $c2_865 = "tokyofile.2waky.com" ascii
+ $c2_866 = "tomorrowforgood.com" ascii
+ $c2_867 = "tophost.dynamicdns.co.uk" ascii
+ $c2_868 = "toshste.com" ascii
+ $c2_869 = "toya.7766.org" ascii
+ $c2_870 = "transfer.lflinkup.org" ascii
+ $c2_871 = "transfer.mrbasic.com" ascii
+ $c2_872 = "transfer.vizvaz.com" ascii
+ $c2_873 = "trasul.mypicture.info" ascii
+ $c2_874 = "travelyokogawafz.fartit.com" ascii
+ $c2_875 = "trendmicroupdate.shenajou.com" ascii
+ $c2_876 = "trendsecurity.shenajou.com" ascii
+ $c2_877 = "trout.belowto.com" ascii
+ $c2_878 = "tv.goldtoyota.com" ascii
+ $c2_879 = "tw.2012yearleft.com" ascii
+ $c2_880 = "twmusic.proxydns.com" ascii
+ $c2_881 = "twpeoplemusicsite.my03.com" ascii
+ $c2_882 = "twtravelinfomation.toythieves.com" ascii
+ $c2_883 = "twx.mynumber.org" ascii
+ $c2_884 = "tyoto-go-jp.com" ascii
+ $c2_885 = "u-tokyo-ac-jp.com" ascii
+ $c2_886 = "u1.FartIT.com" ascii
+ $c2_887 = "u1.haoyujd.info" ascii
+ $c2_888 = "ubuntusofta.com" ascii
+ $c2_889 = "ugreen.itemdb.com" ascii
+ $c2_890 = "ui.hdcdui.com" ascii
+ $c2_891 = "uk.dynamicdns.org.uk" ascii
+ $c2_892 = "ukuoka.cloud-maste.com" ascii
+ $c2_893 = "ultimedia.vmmini.com" ascii
+ $c2_894 = "un.ddns.info" ascii
+ $c2_895 = "un.dnsrd.com" ascii
+ $c2_896 = "unhamj.com" ascii
+ $c2_897 = "update.yourtrap.com" ascii
+ $c2_898 = "updatemirrors.fartit.com" ascii
+ $c2_899 = "updates.itsaol.com" ascii
+ $c2_900 = "ups.improvejpese.com" ascii
+ $c2_901 = "urearapetsu.com" ascii
+ $c2_902 = "usa.got-game.org" ascii
+ $c2_903 = "usa.itsaol.com" ascii
+ $c2_904 = "usa.japanteam.org" ascii
+ $c2_905 = "usffunicef.com" ascii
+ $c2_906 = "usmirocomney.net" ascii
+ $c2_907 = "usrobothome.com" ascii
+ $c2_908 = "usyahooapis.com" ascii
+ $c2_909 = "uu.logon-live.com" ascii
+ $c2_910 = "uu.niushenghuo.info" ascii
+ $c2_911 = "ux.niushenghuo.info" ascii
+ $c2_912 = "v4.appledownload.ourhobby.com" ascii
+ $c2_913 = "v4.itunesmusic.jkub.com" ascii
+ $c2_914 = "v4.microsoftmusic.onedumb.com" ascii
+ $c2_915 = "v4.microsoftupdate.mrbasic.com" ascii
+ $c2_916 = "v4.windowsupdate.DEDGESUITE.NET" ascii
+ $c2_917 = "v4.windowsupdate.authorizeddns.org" ascii
+ $c2_918 = "v4.windowsupdate.dnset.com" ascii
+ $c2_919 = "v4.windowsupdate.itsaol.com" ascii
+ $c2_920 = "v4.windowsupdate.lflinkup.com" ascii
+ $c2_921 = "v4.windowsupdate.mrface.com" ascii
+ $c2_922 = "v4.windowsupdate.nsatcdns.com" ascii
+ $c2_923 = "v4.windowsupdate.x24hr.com" ascii
+ $c2_924 = "v4.windowsupdates.dnsrd.com" ascii
+ $c2_925 = "veryhuai.info" ascii
+ $c2_926 = "video.vmdnsup.org" ascii
+ $c2_927 = "vmdnsup.org" ascii
+ $c2_929 = "vmyiersend.WEBSAGO.INFO" ascii
+ $c2_930 = "vmyisan.website0012.net" ascii
+ $c2_932 = "wchildress.com" ascii
+ $c2_934 = "wcxh.mynetav.net" ascii
+ $c2_935 = "wdsupdates.com" ascii
+ $c2_936 = "webbooting.com" ascii
+ $c2_937 = "webdirectnews.dynamicdns.biz" ascii
+ $c2_938 = "webinfoseco.ygto.com" ascii
+ $c2_939 = "webmailentry.jetos.com" ascii
+ $c2_940 = "weboot.info" ascii
+ $c2_941 = "websago.info" ascii
+ $c2_942 = "websegoo.net" ascii
+ $c2_943 = "website0012.net" ascii
+ $c2_944 = "websiteboo.website0012.net" ascii
+ $c2_945 = "websqlnewsmanager.ninth.biz" ascii
+ $c2_946 = "webssl9.info" ascii
+ $c2_947 = "well.itsaol.com" ascii
+ $c2_948 = "well.mrbasic.com" ascii
+ $c2_949 = "whale.toshste.com" ascii
+ $c2_950 = "whellbuy.wschandler.com" ascii
+ $c2_951 = "whyis.haoyujd.info" ascii
+ $c2_952 = "wike.wikaba.com" ascii
+ $c2_953 = "windowfile.itemdb.com" ascii
+ $c2_954 = "windowsimages.itemdb.com" ascii
+ $c2_955 = "windowsimages.qhigh.com" ascii
+ $c2_956 = "windowsmirrors.vizvaz.com" ascii
+ $c2_957 = "windowsstores.gettrials.com" ascii
+ $c2_958 = "windowsstores.organiccrap.com" ascii
+ $c2_959 = "windowsupdate.2waky.com" ascii
+ $c2_960 = "windowsupdate.3-a.net" ascii
+ $c2_961 = "windowsupdate.acmetoy.com" ascii
+ $c2_962 = "windowsupdate.authorizeddns.net" ascii
+ $c2_963 = "windowsupdate.authorizeddns.org" ascii
+ $c2_964 = "windowsupdate.authorizeddns.us" ascii
+ $c2_965 = "windowsupdate.com.mwcname.com" ascii
+ $c2_966 = "windowsupdate.dedgesuite.net" ascii
+ $c2_967 = "windowsupdate.dns05.com" ascii
+ $c2_968 = "windowsupdate.dnset.com" ascii
+ $c2_969 = "windowsupdate.esmtp.biz" ascii
+ $c2_970 = "windowsupdate.ezua.com" ascii
+ $c2_971 = "windowsupdate.fartit.com" ascii
+ $c2_972 = "windowsupdate.gettrials.com" ascii
+ $c2_973 = "windowsupdate.instanthq.com" ascii
+ $c2_974 = "windowsupdate.itsaol.com" ascii
+ $c2_975 = "windowsupdate.jungleheart.com" ascii
+ $c2_976 = "windowsupdate.lflink.com" ascii
+ $c2_977 = "windowsupdate.mrface.com" ascii
+ $c2_978 = "windowsupdate.mylftv.com" ascii
+ $c2_979 = "windowsupdate.nsatcdns.com" ascii
+ $c2_980 = "windowsupdate.organiccrap.com" ascii
+ $c2_981 = "windowsupdate.rebatesrule.net" ascii
+ $c2_982 = "windowsupdate.sellclassics.com" ascii
+ $c2_983 = "windowsupdate.serveusers.com" ascii
+ $c2_984 = "windowsupdate.vizvaz.com" ascii
+ $c2_985 = "windowsupdate.wcwname.com" ascii
+ $c2_986 = "windowsupdate.x24hr.com" ascii
+ $c2_987 = "windowsupdate.ygto.com" ascii
+ $c2_988 = "windowsupdates.dnset.com" ascii
+ $c2_989 = "windowsupdates.ezua.com" ascii
+ $c2_990 = "windowsupdates.ikwb.com" ascii
+ $c2_991 = "windowsupdates.itemdb.com" ascii
+ $c2_992 = "windowsupdates.proxydns.com" ascii
+ $c2_993 = "workerisgood.com" ascii
+ $c2_994 = "woyaofanwen.com" ascii
+ $c2_995 = "wschandler.com" ascii
+ $c2_996 = "wthelpdesk.com" ascii
+ $c2_997 = "wubangtu.info" ascii
+ $c2_998 = "www-meti-go-jp.tyoto-go-jp.com" ascii
+ $c2_999 = "www.2014.zzux.com" ascii
+ $c2_1000 = "www.97sm.com" ascii
+ $c2_1001 = "www.9gowg.tech" ascii
+ $c2_1002 = "www.abdominal.faqserv.com" ascii
+ $c2_1003 = "www.additional.sexidude.com" ascii
+ $c2_1004 = "www.afc.https443.org" ascii
+ $c2_1005 = "www.androidmusicapp.onmypc.us" ascii
+ $c2_1006 = "www.announcements.toythieves.com" ascii
+ $c2_1007 = "www.anx-own-334.mrbasic.com" ascii
+ $c2_1008 = "www.apple.ikwb.com" ascii
+ $c2_1009 = "www.appledownload.ourhobby.com" ascii
+ $c2_1010 = "www.appleimages.itemdb.com" ascii
+ $c2_1011 = "www.appleimages.longmusic.com" ascii
+ $c2_1012 = "www.appleimages.organiccrap.com" ascii
+ $c2_1013 = "www.applejuice.itemdb.com" ascii
+ $c2_1014 = "www.applemirror.organiccrap.com" ascii
+ $c2_1015 = "www.applemirror.squirly.info" ascii
+ $c2_1016 = "www.applemusic.isasecret.com" ascii
+ $c2_1017 = "www.applemusic.itemdb.com" ascii
+ $c2_1018 = "www.applemusic.wikaba.com" ascii
+ $c2_1019 = "www.applemusic.xxuz.com" ascii
+ $c2_1020 = "www.applemusic.zzux.com" ascii
+ $c2_1021 = "www.appleupdate.itemdb.com" ascii
+ $c2_1022 = "www.appleupdateurl.2waky.com" ascii
+ $c2_1023 = "www.architectisusa.com" ascii
+ $c2_1024 = "www.army.xxuz.com" ascii
+ $c2_1025 = "www.art.p6p6.net" ascii
+ $c2_1026 = "www.asfzx.x24hr.com" ascii
+ $c2_1027 = "www.availab.wikaba.com" ascii
+ $c2_1028 = "www.availability.justdied.com" ascii
+ $c2_1029 = "www.babymusicsitetr.mymom.info" ascii
+ $c2_1030 = "www.back.jungleheart.com" ascii
+ $c2_1031 = "www.balance1.wikaba.com" ascii
+ $c2_1032 = "www.be.mrslove.com" ascii
+ $c2_1033 = "www.belowto.com" ascii
+ $c2_1034 = "www.billing.organiccrap.com" ascii
+ $c2_1035 = "www.blaaaaaaaaaaaa.windowsupdate.3-a.net" ascii
+ $c2_1036 = "www.brand.fartit.com" ascii
+ $c2_1037 = "www.bulletproof.squirly.info" ascii
+ $c2_1038 = "www.cabbage.iownyour.biz" ascii
+ $c2_1039 = "www.ccupdatedata.authorizeddns.net" ascii
+ $c2_1040 = "www.cdn.incloud-go.com" ascii
+ $c2_1041 = "www.center.shenajou.com" ascii
+ $c2_1042 = "www.chaindungeons.com" ascii
+ $c2_1043 = "www.cia.ezua.com" ascii
+ $c2_1044 = "www.cia.toh.info" ascii
+ $c2_1045 = "www.civilwar123.authorizeddns.org" ascii
+ $c2_1046 = "www.civilwar520.onmypc.org" ascii
+ $c2_1047 = "www.cloud-maste.com" ascii
+ $c2_1048 = "www.cnnews.mylftv.com" ascii
+ $c2_1049 = "www.commissioner.shenajou.com" ascii
+ $c2_1050 = "www.commons.onedumb.com" ascii
+ $c2_1051 = "www.contractus.qpoe.com" ascii
+ $c2_1052 = "www.corp-dnsonline.itsaol.com" ascii
+ $c2_1053 = "www.courier.jetos.com" ascii
+ $c2_1054 = "www.cress.mynetav.net" ascii
+ $c2_1055 = "www.ctdl.windowsupdate.nsatcdns.com" ascii
+ $c2_1056 = "www.ctldl.microsoftupdate.qhigh.com" ascii
+ $c2_1057 = "www.ctldl.windowsupdate.authorizeddns.us" ascii
+ $c2_1058 = "www.ctldl.windowsupdate.esmtp.biz" ascii
+ $c2_1059 = "www.ctldl.windowsupdate.mrface.com" ascii
+ $c2_1060 = "www.cwiinatonal.com" ascii
+ $c2_1061 = "www.dasoftactivemodule.toythieves.com" ascii
+ $c2_1062 = "www.dasonews.youdontcare.com" ascii
+ $c2_1063 = "www.daughter.vizvaz.com" ascii
+ $c2_1064 = "www.de.onmypc.info" ascii
+ $c2_1065 = "www.details.squirly.info" ascii
+ $c2_1066 = "www.development.shenajou.com" ascii
+ $c2_1067 = "www.devilcase.acmetoy.com" ascii
+ $c2_1068 = "www.disruptive.https443.net" ascii
+ $c2_1069 = "www.dns-hinettw.25u.com" ascii
+ $c2_1070 = "www.document.shenajou.com" ascii
+ $c2_1071 = "www.domainnow.yourtrap.com" ascii
+ $c2_1072 = "www.download.windowsupdate.nsatcdns.com" ascii
+ $c2_1073 = "www.ea.onmypc.info" ascii
+ $c2_1074 = "www.eddo.qpoe.com" ascii
+ $c2_1075 = "www.ehshiroshima.mylftv.com" ascii
+ $c2_1076 = "www.eric-averyanov.wha.la" ascii
+ $c2_1077 = "www.eu.acmetoy.com" ascii
+ $c2_1078 = "www.eu.wha.la" ascii
+ $c2_1079 = "www.express.lflinkup.com" ascii
+ $c2_1080 = "www.extraordinary.dynamic-dns.net" ascii
+ $c2_1081 = "www.f068v.site" ascii
+ $c2_1082 = "www.facefile.fartit.com" ascii
+ $c2_1083 = "www.fertile.authorizeddns.net" ascii
+ $c2_1084 = "www.file.zzux.com" ascii
+ $c2_1085 = "www.findme.epac.to" ascii
+ $c2_1086 = "www.fire.mrface.com" ascii
+ $c2_1087 = "www.firstnews.jkub.com" ascii
+ $c2_1088 = "www.fjs.wikaba.com" ascii
+ $c2_1089 = "www.foal.wchildress.com" ascii
+ $c2_1090 = "www.fr.wikaba.com" ascii
+ $c2_1091 = "www.freegamecenter.onedumb.com" ascii
+ $c2_1092 = "www.fruit.qhigh.com" ascii
+ $c2_1093 = "www.fuck.ikwb.com" ascii
+ $c2_1094 = "www.fuckmm.dns-dns.com" ascii
+ $c2_1095 = "www.fukuoka.cloud-maste.com" ascii
+ $c2_1096 = "www.g3ypf.online" ascii
+ $c2_1097 = "www.garlic.dyndns.pro" ascii
+ $c2_1098 = "www.generat.almostmy.com" ascii
+ $c2_1099 = "www.glicense.shenajou.com" ascii
+ $c2_1100 = "www.goldtoyota.com" ascii
+ $c2_1101 = "www.goodmusic.justdied.com" ascii
+ $c2_1102 = "www.gooesdataios.instanthq.com" ascii
+ $c2_1103 = "www.grammar.jkub.com" ascii
+ $c2_1104 = "www.helpus.ddns.info" ascii
+ $c2_1105 = "www.hii.qhigh.com" ascii
+ $c2_1106 = "www.hinetonlinedns.dns05.com" ascii
+ $c2_1107 = "www.incloud-go.com" ascii
+ $c2_1108 = "www.innocent-isayev.sexidude.com" ascii
+ $c2_1109 = "www.interpreter.shenajou.com" ascii
+ $c2_1110 = "www.invoices.sexxxy.biz" ascii
+ $c2_1111 = "www.iphone.vizvaz.com" ascii
+ $c2_1112 = "www.ipv4.microsoftupdate.mrbasic.com" ascii
+ $c2_1113 = "www.ipv4.windowsupdate.3-a.net" ascii
+ $c2_1114 = "www.ipv4.windowsupdate.esmtp.biz" ascii
+ $c2_1115 = "www.ipv4.windowsupdate.fartit.com" ascii
+ $c2_1116 = "www.ipv4.windowsupdate.lflink.com" ascii
+ $c2_1117 = "www.ipv4.windowsupdate.mrface.com" ascii
+ $c2_1118 = "www.ipv4.windowsupdate.mylftv.com" ascii
+ $c2_1119 = "www.ipv4.windowsupdate.nsatcdns.com" ascii
+ $c2_1120 = "www.itlans.isasecret.com" ascii
+ $c2_1121 = "www.itunesdownload.jkub.com" ascii
+ $c2_1122 = "www.itunesdownload.vizvaz.com" ascii
+ $c2_1123 = "www.itunesdownload.wikaba.com" ascii
+ $c2_1124 = "www.itunesimages.itemdb.com" ascii
+ $c2_1125 = "www.itunesimages.itsaol.com" ascii
+ $c2_1126 = "www.itunesimages.qpoe.com" ascii
+ $c2_1127 = "www.itunesmirror.fartit.com" ascii
+ $c2_1128 = "www.itunesmirror.itsaol.com" ascii
+ $c2_1129 = "www.itunesmusic.ikwb.com" ascii
+ $c2_1130 = "www.itunesmusic.jetos.com" ascii
+ $c2_1131 = "www.itunesmusic.jkub.com" ascii
+ $c2_1132 = "www.itunesmusic.zzux.com" ascii
+ $c2_1133 = "www.itunesupdate.itsaol.com" ascii
+ $c2_1134 = "www.itunesupdates.organiccrap.com" ascii
+ $c2_1135 = "www.japanenvnews.qpoe.com" ascii
+ $c2_1136 = "www.jd978.com" ascii
+ $c2_1137 = "www.jimin.jimindaddy.com" ascii
+ $c2_1138 = "www.jimin.mymom.info" ascii
+ $c2_1139 = "www.jp.serveuser.com" ascii
+ $c2_1140 = "www.jpnappstore.ourhobby.com" ascii
+ $c2_1141 = "www.jpnewslogs.sendsmtp.com" ascii
+ $c2_1142 = "www.jpnxzshopdata.authorizeddns.org" ascii
+ $c2_1143 = "www.kawasaki.cloud-maste.com" ascii
+ $c2_1144 = "www.kawasaki.unhamj.com" ascii
+ $c2_1145 = "www.key.zzux.com" ascii
+ $c2_1146 = "www.knowledge.sellclassics.com" ascii
+ $c2_1147 = "www.lan.dynssl.com" ascii
+ $c2_1148 = "www.last.p6p6.net" ascii
+ $c2_1149 = "www.latestnews.epac.to" ascii
+ $c2_1150 = "www.latestnews.organiccrap.com" ascii
+ $c2_1151 = "www.leedong.longmusic.com" ascii
+ $c2_1152 = "www.leeks.mrbonus.com" ascii
+ $c2_1153 = "www.liberty.acmetoy.com" ascii
+ $c2_1154 = "www.license.shenajou.com" ascii
+ $c2_1155 = "www.lion.wchildress.com" ascii
+ $c2_1156 = "www.loveddos.com" ascii
+ $c2_1157 = "www.macfee.mrface.com" ascii
+ $c2_1158 = "www.macforlinux.net" ascii
+ $c2_1159 = "www.maffc.mrface.com" ascii
+ $c2_1160 = "www.malware.dsmtp.com" ascii
+ $c2_1161 = "www.manager.jetos.com" ascii
+ $c2_1162 = "www.markabcinfo.dynamicdns.me.uk" ascii
+ $c2_1163 = "www.mason.vizvaz.com" ascii
+ $c2_1164 = "www.mediapath.organiccrap.com" ascii
+ $c2_1165 = "www.meiji-ac-jp.com" ascii
+ $c2_1166 = "www.messagea.emailfound.info" ascii
+ $c2_1167 = "www.microsoft.got-game.org" ascii
+ $c2_1168 = "www.microsoft.mrface.com" ascii
+ $c2_1169 = "www.microsoftempowering.sendsmtp.com" ascii
+ $c2_1170 = "www.microsoftgame.mrface.com" ascii
+ $c2_1171 = "www.microsoftgetstarted.sexidude.com" ascii
+ $c2_1172 = "www.microsoftimages.organiccrap.com" ascii
+ $c2_1173 = "www.microsoftmirror.mrbasic.com" ascii
+ $c2_1174 = "www.microsoftmusic.itemdb.com" ascii
+ $c2_1175 = "www.microsoftmusic.mrbasic.com" ascii
+ $c2_1176 = "www.microsoftqckmanager.pcanywhere.net" ascii
+ $c2_1177 = "www.microsoftupdate.mrbasic.com" ascii
+ $c2_1178 = "www.microsoftupdate.qhigh.com" ascii
+ $c2_1179 = "www.micrsoftware.dsmtp.com" ascii
+ $c2_1180 = "www.mircsoft.compress.to" ascii
+ $c2_1181 = "www.mmy.ddns.us" ascii
+ $c2_1182 = "www.mod.jetos.com" ascii
+ $c2_1183 = "www.mofa.dynamic-dns.net" ascii
+ $c2_1184 = "www.mofa.ns01.info" ascii
+ $c2_1185 = "www.moonnightthse.zyns.com" ascii
+ $c2_1186 = "www.moscowdic.trickip.org" ascii
+ $c2_1187 = "www.moscowstdsupdate.toythieves.com" ascii
+ $c2_1188 = "www.mseupdate.ourhobby.com" ascii
+ $c2_1189 = "www.msg.ezua.com" ascii
+ $c2_1190 = "www.msn.incloud-go.com" ascii
+ $c2_1191 = "www.musicfile.ikwb.com" ascii
+ $c2_1192 = "www.musicjj.zzux.com" ascii
+ $c2_1193 = "www.musicsecph.squirly.info" ascii
+ $c2_1194 = "www.mymusicbox.lflinkup.org" ascii
+ $c2_1195 = "www.mymusicbox.vizvaz.com" ascii
+ $c2_1196 = "www.myrestroomimage.isasecret.com" ascii
+ $c2_1197 = "www.mytwhomeinst.sendsmtp.com" ascii
+ $c2_1198 = "www.myurinikoreaaps.ninth.biz" ascii
+ $c2_1199 = "www.na.americanunfinished.com" ascii
+ $c2_1200 = "www.na.onmypc.org" ascii
+ $c2_1201 = "www.networkjpnzee.mynetav.org" ascii
+ $c2_1202 = "www.newcityoforward.rebatesrule.net" ascii
+ $c2_1203 = "www.newdnssec-info.4mydomain.com" ascii
+ $c2_1204 = "www.newsdata.jkub.com" ascii
+ $c2_1205 = "www.newsfile.toythieves.com" ascii
+ $c2_1206 = "www.newsroom.cleansite.info" ascii
+ $c2_1207 = "www.nlddnsinfo.https443.org" ascii
+ $c2_1208 = "www.no.authorizeddns.org" ascii
+ $c2_1209 = "www.nposnewsinfo.qhigh.com" ascii
+ $c2_1210 = "www.nsa.mefound.com" ascii
+ $c2_1211 = "www.nt.mynumber.org" ascii
+ $c2_1212 = "www.nttdata.otzo.com" ascii
+ $c2_1213 = "www.nuisance.serveusers.com" ascii
+ $c2_1214 = "www.nz.compress.to" ascii
+ $c2_1215 = "www.ol.almostmy.com" ascii
+ $c2_1216 = "www.oldbmwy.com" ascii
+ $c2_1217 = "www.onion.jkub.com" ascii
+ $c2_1218 = "www.onlinednsserver.sendsmtp.com" ascii
+ $c2_1219 = "www.oracleupdate.dns04.com" ascii
+ $c2_1220 = "www.oyster.jkub.com" ascii
+ $c2_1221 = "www.p6p6.net" ascii
+ $c2_1222 = "www.packetsdsquery.dns05.com" ascii
+ $c2_1223 = "www.pepper.sexxxy.biz" ascii
+ $c2_1224 = "www.phptecinfohelp.itemdb.com" ascii
+ $c2_1225 = "www.pickled.myddns.com" ascii
+ $c2_1226 = "www.polopurple.com" ascii
+ $c2_1227 = "www.portal.mrface.com" ascii
+ $c2_1228 = "www.portal.sendsmtp.com" ascii
+ $c2_1229 = "www.portalser.dynamic-dns.net" ascii
+ $c2_1230 = "www.praskovya-matveyeva.mefound.com" ascii
+ $c2_1231 = "www.praskovya-ulyanova.dumb1.com" ascii
+ $c2_1232 = "www.products.almostmy.com" ascii
+ $c2_1233 = "www.products.cleansite.us" ascii
+ $c2_1234 = "www.products.serveuser.com" ascii
+ $c2_1235 = "www.purchase.lflinkup.org" ascii
+ $c2_1236 = "www.rainbow.mypop3.org" ascii
+ $c2_1237 = "www.re26.com" ascii
+ $c2_1238 = "www.read.xxuz.com" ascii
+ $c2_1239 = "www.recent.dns-stuff.com" ascii
+ $c2_1240 = "www.recent.fartit.com" ascii
+ $c2_1241 = "www.redflower.isasecret.com" ascii
+ $c2_1242 = "www.referred.gr8domain.biz" ascii
+ $c2_1243 = "www.referred.yourtrap.com" ascii
+ $c2_1244 = "www.register.ourhobby.com" ascii
+ $c2_1245 = "www.registration2.instanthq.com" ascii
+ $c2_1246 = "www.registrations.4pu.com" ascii
+ $c2_1247 = "www.registrations.organiccrap.com" ascii
+ $c2_1248 = "www.remeberdata.iownyour.org" ascii
+ $c2_1249 = "www.reserveds.onedumb.com" ascii
+ $c2_1250 = "www.rethem.almostmy.com" ascii
+ $c2_1251 = "www.rg197.win" ascii
+ $c2_1252 = "www.sakai.unhamj.com" ascii
+ $c2_1253 = "www.sapporo.cloud-maste.com" ascii
+ $c2_1254 = "www.sauerkraut.sellclassics.com" ascii
+ $c2_1255 = "www.saverd.re26.com" ascii
+ $c2_1256 = "www.sbuudd.webssl9.info" ascii
+ $c2_1257 = "www.sdmsg.onmypc.org" ascii
+ $c2_1258 = "www.se.toythieves.com" ascii
+ $c2_1259 = "www.secertnews.mrbasic.com" ascii
+ $c2_1260 = "www.secnetshit.com" ascii
+ $c2_1261 = "www.secserverupdate.toh.info" ascii
+ $c2_1262 = "www.senseye.ikwb.com" ascii
+ $c2_1263 = "www.senseye.mrbonus.com" ascii
+ $c2_1264 = "www.septdlluckysystem.jungleheart.com" ascii
+ $c2_1265 = "www.seraphim-yurieva.justdied.com" ascii
+ $c2_1266 = "www.serv.justdied.com" ascii
+ $c2_1267 = "www.server1.proxydns.com" ascii
+ $c2_1268 = "www.seyesb.acmetoy.com" ascii
+ $c2_1269 = "www.showy.almostmy.com" ascii
+ $c2_1270 = "www.shugiin.jkub.com" ascii
+ $c2_1271 = "www.sindeali.com" ascii
+ $c2_1272 = "www.singed.otzo.com" ascii
+ $c2_1273 = "www.sojourner.mypicture.info" ascii
+ $c2_1274 = "www.sstday.jkub.com" ascii
+ $c2_1275 = "www.support1.mrface.com" ascii
+ $c2_1276 = "www.supportus.mefound.com" ascii
+ $c2_1277 = "www.svc.dynssl.com" ascii
+ $c2_1278 = "www.sweetheart.sexxxy.biz" ascii
+ $c2_1279 = "www.synssl.dnset.com" ascii
+ $c2_1280 = "www.tamraj.fartit.com" ascii
+ $c2_1281 = "www.telegraph.mefound.com" ascii
+ $c2_1282 = "www.tfa.longmusic.com" ascii
+ $c2_1283 = "www.thunder.wikaba.com" ascii
+ $c2_1284 = "www.ticket.instanthq.com" ascii
+ $c2_1285 = "www.ticket.serveuser.com" ascii
+ $c2_1286 = "www.tisupdateinfo.faqserv.com" ascii
+ $c2_1287 = "www.tokyofile.2waky.com" ascii
+ $c2_1288 = "www.tophost.dynamicdns.co.uk" ascii
+ $c2_1289 = "www.transfer.lflinkup.org" ascii
+ $c2_1290 = "www.transfer.mrbasic.com" ascii
+ $c2_1291 = "www.transfer.vizvaz.com" ascii
+ $c2_1292 = "www.twgovernmentinfo.acmetoy.com" ascii
+ $c2_1293 = "www.twsslpopservupro.dynssl.com" ascii
+ $c2_1294 = "www.ugreen.itemdb.com" ascii
+ $c2_1295 = "www.uk.dynamicdns.org.uk" ascii
+ $c2_1296 = "www.un.ddns.info" ascii
+ $c2_1297 = "www.un.dnsrd.com" ascii
+ $c2_1298 = "www.unhamj.com" ascii
+ $c2_1299 = "www.usa.itsaol.com" ascii
+ $c2_1300 = "www.usffunicef.com" ascii
+ $c2_1301 = "www.usliveupdateonline.ygto.com" ascii
+ $c2_1302 = "www.ut-portal-u-tokyo-ac-jp.tyoto-go-jp.com" ascii
+ $c2_1303 = "www.v4.windowsupdate.mrface.com" ascii
+ $c2_1304 = "www.v4.windowsupdate.nsatcdns.com" ascii
+ $c2_1305 = "www.vmmini.com" ascii
+ $c2_1306 = "www.wchildress.com" ascii
+ $c2_1307 = "www.webdirectnews.dynamicdns.biz" ascii
+ $c2_1308 = "www.webmailentry.jetos.com" ascii
+ $c2_1309 = "www.websqlnewsmanager.ninth.biz" ascii
+ $c2_1310 = "www.well.itsaol.com" ascii
+ $c2_1311 = "www.well.mrbasic.com" ascii
+ $c2_1312 = "www.windowfile.itemdb.com" ascii
+ $c2_1313 = "www.windowsimages.itemdb.com" ascii
+ $c2_1314 = "www.windowsimages.qhigh.com" ascii
+ $c2_1315 = "www.windowsmirrors.vizvaz.com" ascii
+ $c2_1316 = "www.windowsupdate.2waky.com" ascii
+ $c2_1317 = "www.windowsupdate.3-a.net" ascii
+ $c2_1318 = "www.windowsupdate.acmetoy.com" ascii
+ $c2_1319 = "www.windowsupdate.authorizeddns.net" ascii
+ $c2_1320 = "www.windowsupdate.authorizeddns.org" ascii
+ $c2_1321 = "www.windowsupdate.authorizeddns.us" ascii
+ $c2_1322 = "www.windowsupdate.dns05.com" ascii
+ $c2_1323 = "www.windowsupdate.dnset.com" ascii
+ $c2_1324 = "www.windowsupdate.esmtp.biz" ascii
+ $c2_1325 = "www.windowsupdate.ezua.com" ascii
+ $c2_1326 = "www.windowsupdate.fartit.com" ascii
+ $c2_1327 = "www.windowsupdate.gettrials.com" ascii
+ $c2_1328 = "www.windowsupdate.instanthq.com" ascii
+ $c2_1329 = "www.windowsupdate.itsaol.com" ascii
+ $c2_1330 = "www.windowsupdate.jungleheart.com" ascii
+ $c2_1331 = "www.windowsupdate.lflink.com" ascii
+ $c2_1332 = "www.windowsupdate.mrface.com" ascii
+ $c2_1333 = "www.windowsupdate.mylftv.com" ascii
+ $c2_1334 = "www.windowsupdate.nsatcdns.com" ascii
+ $c2_1335 = "www.windowsupdate.organiccrap.com" ascii
+ $c2_1336 = "www.windowsupdate.rebatesrule.net" ascii
+ $c2_1337 = "www.windowsupdate.sellclassics.com" ascii
+ $c2_1338 = "www.windowsupdate.serveusers.com" ascii
+ $c2_1339 = 
"www.windowsupdate.x24hr.com" ascii + $c2_1340 = "www.yahoo.incloud-go.com" ascii + $c2_1341 = "www.yandexr.sellclassics.com" ascii + $c2_1342 = "www.yeahyeahyeahs.3322.org" ascii + $c2_1343 = "www.yokohamajpinstaz.mrbonus.com" ascii + $c2_1344 = "www.zaigawebinfo.rebatesrule.net" ascii + $c2_1345 = "www.zebra.incloud-go.com" ascii + $c2_1346 = "www2.qpoe.com" ascii + $c2_1347 = "www2.zyns.com" ascii + $c2_1348 = "www2.zzux.com" ascii + $c2_1349 = "x7.usyahooapis.com" ascii + $c2_1350 = "xi.dyndns.pro" ascii + $c2_1351 = "xi.sexxxy.biz" ascii + $c2_1352 = "xread10821.9966.org" ascii + $c2_1353 = "xsince.tk" ascii + $c2_1354 = "xt.dnset.com" ascii + $c2_1355 = "xyrn998754.2288.org" ascii + $c2_1356 = "yahoo.incloud-go.com" ascii + $c2_1357 = "yallago.cu.cc" ascii + $c2_1358 = "yandexr.sellclassics.com" ascii + $c2_1359 = "yeahyeahyeahs.3322.org" ascii + $c2_1360 = "yeap1.jumpingcrab.com" ascii + $c2_1361 = "yfrfyhf.youdontcare.com" ascii + $c2_1362 = "yo.acmetoy.com" ascii + $c2_1363 = "za.myftp.info" ascii + $c2_1364 = "zabbix.servercontrols.pw" ascii + $c2_1365 = "zaigawebinfo.rebatesrule.net" ascii + $c2_1367 = "zebra.UsFfUnicef.com" ascii + $c2_1368 = "zebra.bdoncloud.com" ascii + $c2_1369 = "zebra.incloud-go.com" ascii + $c2_1370 = "zebra.unhamj.com" ascii + $c2_1371 = "zebra.wthelpdesk.com" ascii + $c2_1372 = "zero.pcanywhere.net" ascii + $c2_1373 = "zg.ns02.biz" ascii + $c2_1374 = "zone.demoones.com" ascii + condition: + 1 of ($c2_*) +} +*/ + +rule APT_APT10_Malware_Imphash_Dec18_1 { + meta: + description = "Detects APT10 malware based on ImpHashes" + author = "Florian Roth (Nextron Systems)" + reference = "AlienVault OTX IOCs - statistical sample analysis" + date = "2018-12-28" + id = "2de195a3-63a4-50ac-a83d-ab0db0f784bf" + condition: + uint16(0) == 0x5a4d and filesize < 6000KB and ( + pe.imphash() == "0556ff5e5f8744bff47d4921494ba46d" or + pe.imphash() == "cb1194123f68a68eb14552c085b620ce" or + pe.imphash() == "efad9ff8c0d2a6419bf1dd970bcd806d" or + 
pe.imphash() == "7a861cd9c495e1d950a43cb708a22985" or + pe.imphash() == "a5d0545030be75a421529c2b0be6c4bd" or + pe.imphash() == "94491f4a812b0297419dc888aa4fd2a5" + ) +} diff --git a/yara-Neo23x0/apt_apt10_redleaves.yar b/yara-Neo23x0/apt_apt10_redleaves.yar new file mode 100644 index 0000000..3b163d3 --- /dev/null +++ b/yara-Neo23x0/apt_apt10_redleaves.yar 
@@ -0,0 +1,48 @@
+/*
+ Yara Rule Set
+ Author: Florian Roth
+ Date: 2018-05-01
+ Identifier: APT10 / Hogfish Report
+ Reference: https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+import "pe"
+
+rule MAL_Hogfish_Report_Related_Sample {
+ meta:
+ description = "Detects APT10 / Hogfish related samples"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf"
+ date = "2018-05-01"
+ hash1 = "f9acc706d7bec10f88f9cfbbdf80df0d85331bd4c3c0188e4d002d6929fe4eac"
+ hash2 = "7188f76ca5fbc6e57d23ba97655b293d5356933e2ab5261e423b3f205fe305ee"
+ hash3 = "4de5a22cd798950a69318fdcc1ec59e9a456b4e572c2d3ac4788ee96a4070262"
+ id = "7fc4fdda-b71f-5c9c-87a4-5d8290b99348"
+ strings:
+ $s1 = "R=user32.dll" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 1000KB and (
+ pe.imphash() == "efad9ff8c0d2a6419bf1dd970bcd806d" or
+ 1 of them
+ )
+}
+
+rule MAL_RedLeaves_Apr18_1 {
+ meta:
+ description = "Detects RedLeaves malware"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf"
+ date = "2018-05-01"
+ hash1 = "f6449e255bc1a9d4a02391be35d0dd37def19b7e20cfcc274427a0b39cb21b7b"
+ hash2 = "db7c1534dede15be08e651784d3a5d2ae41963d192b0f8776701b4b72240c38d"
+ hash3 = "d956e2ff1b22ccee2c5d9819128103d4c31ecefde3ce463a6dea19ecaaf418a1"
+ id = "578b40d7-6818-56d5-92ce-535141c0aa8e"
+ condition:
+ uint16(0) == 0x5a4d and filesize < 1000KB and (
+ pe.imphash() == "7a861cd9c495e1d950a43cb708a22985" or
+ pe.imphash() == "566a7a4ef613a797389b570f8b4f79df"
+ )
+}
diff --git a/yara-Neo23x0/apt_apt12_malware.yar b/yara-Neo23x0/apt_apt12_malware.yar
new file mode 100644
index 0000000..d8d7f79
--- /dev/null
+++ b/yara-Neo23x0/apt_apt12_malware.yar
@@ -0,0 +1,25 @@
+/*
+ Yara Rule Set
+ Author: Florian Roth
+ Date: 2017-08-30
+ Identifier: APT 12 Japanese Incident
+ Reference: http://blog.macnica.net/blog/2017/08/post-fb81.html
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+import "pe"
+
+rule APT12_Malware_Aug17 {
+ meta:
+ description = "Detects APT 12 Malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "http://blog.macnica.net/blog/2017/08/post-fb81.html"
+ date = "2017-08-30"
+ hash1 = "dc7521c00ec2534cf494c0263ddf67ea4ba9915eb17bdc0b3ebe9e840ec63643"
+ hash2 = "42da51b69bd6625244921a4eef9a2a10153e012a3213e8e9877cf831aea3eced"
+ id = "6c9cd68f-b839-5c99-a9f5-14c2d8a28bec"
+ condition:
+ ( uint16(0) == 0x5a4d and pe.imphash() == "9ba915fd04f248ad62e856c7238c0264" )
+}
diff --git a/yara-Neo23x0/apt_apt15.yar b/yara-Neo23x0/apt_apt15.yar
new file mode 100644
index 0000000..cd95357
--- /dev/null
+++ b/yara-Neo23x0/apt_apt15.yar
@@ -0,0 +1,307 @@
+/*
+ Yara Rule Set
+ Author: Florian Roth
+ Date: 2018-03-10
+ Identifier: APT15 Report
+ Reference: https://goo.gl/HZ5XMN
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+import "pe"
+
+rule APT15_Malware_Mar18_RoyalCli {
+ meta:
+ description = "Detects malware from APT 15 report by NCC Group"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/HZ5XMN"
+ date = "2018-03-10"
+ hash1 = "6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785"
+ id = "165bfa6c-1a8d-5628-8c35-da4e4a2ae04f"
+ strings:
+ $s1 = "\\Release\\RoyalCli.pdb" ascii
+ $s2 = "%snewcmd.exe" fullword ascii
+ $s3 = "Run cmd error %d" fullword ascii
+ $s4 = "%s~clitemp%08x.ini" fullword ascii
+ $s5 = "run file failed" fullword ascii
+ $s6 = "Cmd timeout %d" fullword ascii
+ $s7 = "2 %s %d 0 %d" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 200KB and 2 of them
+}
+
+rule APT15_Malware_Mar18_RoyalDNS {
+ meta:
+ description = "Detects malware from APT 15 report by NCC Group"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/HZ5XMN"
+ date = "2018-03-10"
+ hash1 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
+ id = "c2f519db-2750-53ce-ae18-697ea041faaf"
+ strings:
+ $x1 = "del c:\\windows\\temp\\r.exe /f /q" fullword ascii
+ $x2 = "%s\\r.exe" fullword ascii
+
+ $s1 = "rights.dll" fullword ascii
+ $s2 = "\"%s\">>\"%s\"\\s.txt" fullword ascii
+ $s3 = "Nwsapagent" fullword ascii
+ $s4 = "%s\\r.bat" fullword ascii
+ $s5 = "%s\\s.txt" fullword ascii
+ $s6 = "runexe" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 200KB and (
+ ( pe.exports("RunInstallA") and pe.exports("RunUninstallA") ) or
+ 1 of ($x*) or
+ 2 of them
+ )
+}
+
+rule APT15_Malware_Mar18_BS2005 {
+ meta:
+ description = "Detects malware from APT 15 report by NCC Group"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/HZ5XMN"
+ date = "2018-03-10"
+ hash1 = "750d9eecd533f89b8aa13aeab173a1cf813b021b6824bc30e60f5db6fa7b950b"
+ id = "700bbe14-d79e-5a35-aab3-31eacd5bd950"
+ strings:
+ $x1 = "AAAAKQAASCMAABi+AABnhEBj8vep7VRoAEPRWLweGc0/eiDrXGajJXRxbXsTXAcZAABK4QAAPWwAACzWAAByrg==" fullword ascii
+ $x2 = "AAAAKQAASCMAABi+AABnhKv3kXJJousn5YzkjGF46eE3G8ZGse4B9uoqJo8Q2oF0AABK4QAAPWwAACzWAAByrg==" fullword ascii
+
+ $a1 = "http://%s/content.html?id=%s" fullword ascii
+ $a2 = "http://%s/main.php?ssid=%s" fullword ascii
+ $a3 = "http://%s/webmail.php?id=%s" fullword ascii
+ $a9 = "http://%s/error.html?tab=%s" fullword ascii
+
+ $s1 = "%s\\~tmp.txt" fullword ascii
+ $s2 = "%s /C %s >>\"%s\" 2>&1" fullword ascii
+ $s3 = "DisableFirstRunCustomize" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 200KB and (
+ 1 of ($x*) or
+ 2 of them
+ )
+}
+
+rule APT15_Malware_Mar18_MSExchangeTool {
+ meta:
+ description = "Detects malware from APT 15 report by NCC Group"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/HZ5XMN"
+ date = "2018-03-10"
+ hash1 = "16b868d1bef6be39f69b4e976595e7bd46b6c0595cf6bc482229dbb9e64f1bce"
+ id = "81b826b6-8c2e-5a8a-a626-9515d40dbbb0"
+ strings:
+ $s1 = "\\Release\\EWSTEW.pdb" ascii
+ $s2 = "EWSTEW.exe" fullword wide
+ $s3 = "Microsoft.Exchange.WebServices.Data" fullword ascii
+ $s4 = "tmp.dat" fullword wide
+ $s6 = "/v or /t is null" fullword wide
+ condition:
+ uint16(0) == 0x5a4d and filesize < 40KB and all of them
+}
+
+/*
+ Identifier: APT15 = Mirage = Ke3chang
+ Author: NCCGroup
+ Revised by Florian Roth for performance reasons
+ see https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7
+ > some rules were untightened
+ Date: 2018-03-09
+ Reference: https://github.com/nccgroup/Royal_APT/blob/master/signatures/apt15.yara
+*/
+
+rule clean_apt15_patchedcmd{
+ meta:
+ author = "Ahmed Zaki"
+ description = "This is a patched CMD. This is the CMD that RoyalCli uses."
+ sha256 = "90d1f65cfa51da07e040e066d4409dc8a48c1ab451542c894a623bc75c14bf8f"
+ id = "c6867ad4-f7f2-5d63-bffd-07599ede635d"
+ strings:
+ $ = "eisableCMD" wide
+ $ = "%WINDOWS_COPYRIGHT%" wide
+ $ = "Cmd.Exe" wide
+ $ = "Windows Command Processor" wide
+ condition:
+ uint16(0) == 0x5A4D and all of them
+}
+
+rule malware_apt15_royalcli_1{
+ meta:
+ description = "Generic strings found in the Royal CLI tool"
+ author = "David Cannings"
+ sha256 = "6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785"
+ id = "432c09bf-3c44-5a2c-ba69-7b4fe7eb43cc"
+ strings:
+ $ = "%s~clitemp%08x.tmp" fullword
+ $ = "%s /c %s>%s" fullword
+ $ = "%snewcmd.exe" fullword
+ $ = "%shkcmd.exe" fullword
+ $ = "%s~clitemp%08x.ini" fullword
+ $ = "myRObject" fullword
+ $ = "myWObject" fullword
+ $ = "2 %s %d 0 %d\x0D\x0A"
+ $ = "2 %s %d 1 %d\x0D\x0A"
+ $ = "%s file not exist" fullword
+ condition:
+ uint16(0) == 0x5A4D and 5 of them
+}
+
+rule malware_apt15_royalcli_2{
+ meta:
+ author = "Nikolaos Pantazopoulos"
+ description = "APT15 RoyalCli backdoor"
+ id = "d4acfd2d-385d-5063-898e-d339b50733eb"
+ strings:
+ $string1 = "%shkcmd.exe" fullword
+ $string2 = "myRObject" fullword
+ $string3 = "%snewcmd.exe" fullword
+ $string4 = "%s~clitemp%08x.tmp" fullword
+ $string6 = "myWObject" fullword
+ condition:
+ uint16(0) == 0x5A4D and 2 of them
+}
+
+/*
+rule malware_apt15_bs2005{
+ meta:
+ author = "Ahmed Zaki"
+ md5 = "ed21ce2beee56f0a0b1c5a62a80c128b"
+ description = "APT15 bs2005"
+ strings:
+ $ = "%s&%s&%s&%s" wide ascii
+ $ = "%s\\%s" wide ascii fullword
+ $ = "WarOnPostRedirect" wide ascii fullword
+ $ = "WarnonZoneCrossing" wide ascii fullword
+ $ = "^^^^^" wide ascii fullword
+ $ = /"?%s\s*"?\s*\/C\s*"?%s\s*>\s*\\?"?%s\\(\w+\.\w+)?"\s*2>&1\s*"?/
+ $ ="IEharden" wide ascii fullword
+ $ ="DEPOff" wide ascii fullword
+ $ ="ShownVerifyBalloon" wide ascii fullword
+ $ ="IEHardenIENoWarn" wide ascii fullword
+ condition:
+ ( uint16(0) == 0x5A4D and 5 of them ) or
+ ( uint16(0) == 0x5A4D and 3 of them and
+ ( pe.imports("advapi32.dll", "CryptDecrypt") and pe.imports("advapi32.dll", "CryptEncrypt") and
+ pe.imports("ole32.dll", "CoCreateInstance")
+ )
+ )
+}
+*/
+
+rule malware_apt15_royaldll {
+ meta:
+ author = "David Cannings"
+ description = "DLL implant, originally rights.dll and runs as a service"
+ sha256 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
+ id = "26baef92-1055-56dc-b274-e2a6bc05d85b"
+ strings:
+ /*
+ 56 push esi
+ B8 A7 C6 67 4E mov eax, 4E67C6A7h
+ 83 C1 02 add ecx, 2
+ BA 04 00 00 00 mov edx, 4
+ 57 push edi
+ 90 nop
+ */
+ // JSHash implementation (Justin Sobel's hash algorithm)
+ $opcodes_jshash = { B8 A7 C6 67 4E 83 C1 02 BA 04 00 00 00 57 90 }
+
+ /*
+ 0F B6 1C 03 movzx ebx, byte ptr [ebx+eax]
+ 8B 55 08 mov edx, [ebp+arg_0]
+ 30 1C 17 xor [edi+edx], bl
+ 47 inc edi
+ 3B 7D 0C cmp edi, [ebp+arg_4]
+ 72 A4 jb short loc_10003F31
+ */
+ // Encode loop, used to "encrypt" data before DNS request
+ $opcodes_encode = { 0F B6 1C 03 8B 55 08 30 1C 17 47 3B 7D 0C }
+
+ /*
+ 68 88 13 00 00 push 5000 # Also seen 3000, included below
+ FF D6 call esi ; Sleep
+ 4F dec edi
+ 75 F6 jnz short loc_10001554
+ */
+ // Sleep loop
+ $opcodes_sleep_loop = { 68 (88|B8) (13|0B) 00 00 FF D6 4F 75 F6 }
+
+ // Generic strings
+ $ = "Nwsapagent" fullword
+ $ = "\"%s\">>\"%s\"\\s.txt"
+ $ = "myWObject" fullword
+ $ = "del c:\\windows\\temp\\r.exe /f /q"
+ $ = "del c:\\windows\\temp\\r.ini /f /q"
+
+ condition:
+ 3 of them
+}
+
+rule malware_apt15_royaldll_2 {
+ meta:
+ author = "Ahmed Zaki"
+ sha256 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
+ description = "DNS backdoor used by APT15"
+ id = "3bc546a5-38b9-5504-b09e-305ba7bbd6bc"
+ strings:
+ $= "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost" wide ascii
+ $= "netsvcs" wide ascii fullword
+ $= "%SystemRoot%\\System32\\svchost.exe -k netsvcs" wide ascii fullword
+ $= "SYSTEM\\CurrentControlSet\\Services\\" wide ascii
+ $= "myWObject" wide ascii
+ condition:
+ uint16(0) == 0x5A4D and all of them
+ and pe.exports("ServiceMain")
+ and filesize > 50KB and filesize < 600KB
+}
+
+rule malware_apt15_exchange_tool {
+ meta:
+ author = "Ahmed Zaki"
+ md5 = "d21a7e349e796064ce10f2f6ede31c71"
+ description = "This is a an exchange enumeration/hijacking tool used by an APT 15"
+ id = "f07b9537-0741-51c8-a9fa-836430fe4855"
+ strings:
+ $s1= "subjectname" fullword
+ $s2= "sendername" fullword
+ $s3= "WebCredentials" fullword
+ $s4= "ExchangeVersion" fullword
+ $s5= "ExchangeCredentials" fullword
+ $s6= "slfilename" fullword
+ $s7= "EnumMail" fullword
+ $s8= "EnumFolder" fullword
+ $s9= "set_Credentials" fullword
+ $s18 = "/v or /t is null" wide
+ $s24 = "2013sp1" wide
+ condition:
+ uint16(0) == 0x5A4D and all of them
+}
+
+rule malware_apt15_generic {
+ meta:
+ author = "David Cannings"
+ description = "Find generic data potentially relating to AP15 tools"
+ id = "4eb50731-22df-5f7a-bf5f-166ef84cf8b5"
+ strings:
+ // Appears to be from copy/paste code
+ $str01 = "myWObject" fullword
+ $str02 = "myRObject" fullword
+
+ /*
+ 6A 02 push 2 ; dwCreationDisposition
+ 6A 00 push 0 ; lpSecurityAttributes
+ 6A 00 push 0 ; dwShareMode
+ 68 00 00 00 C0 push 0C0000000h ; dwDesiredAccess
+ 50 push eax ; lpFileName
+ FF 15 44 F0 00 10 call ds:CreateFileA
+ */
+ // Arguments for CreateFileA
+ $opcodes01 = { 6A (02|03) 6A 00 6A 00 68 00 00 00 C0 50 FF 15 }
+ condition:
+ 2 of them
+}
diff --git a/yara-Neo23x0/apt_apt17_mal_sep17.yar b/yara-Neo23x0/apt_apt17_mal_sep17.yar
new file mode 100644
index 0000000..8216068
--- /dev/null
+++ b/yara-Neo23x0/apt_apt17_mal_sep17.yar
@@ -0,0 +1,107 @@
+/*
+ Yara Rule Set
+ Author: Florian Roth
+ Date: 2017-10-03
+ Identifier: APT17 Oct 10
+ Reference: https://goo.gl/puVc9q
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+import "pe"
+
+rule APT17_Malware_Oct17_1 {
+ meta:
+ description = "Detects APT17 malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/puVc9q"
+ date = "2017-10-03"
+ hash1 = "dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83"
+ id = "457312d8-5bfe-5282-9ace-2f169278569c"
+ strings:
+ $s1 = "\\spool\\prtprocs\\w32x86\\localspl.dll" ascii
+ $s2 = "\\spool\\prtprocs\\x64\\localspl.dll" ascii
+ $s3 = "\\msvcrt.dll" ascii
+ $s4 = "\\TSMSISrv.dll" ascii
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 500KB and all of them )
+}
+
+rule APT17_Malware_Oct17_2 {
+ meta:
+ description = "Detects APT17 malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/puVc9q"
+ date = "2017-10-03"
+ hash1 = "20cd49fd0f244944a8f5ba1d7656af3026e67d170133c1b3546c8b2de38d4f27"
+ id = "9f21514a-168b-5158-8322-60fa8499b11a"
+ strings:
+ $x1 = "Cookie: __xsptplus=%s" fullword ascii
+ $x2 = "http://services.fiveemotions.co.jp" fullword ascii
+ $x3 = "http://%s/ja-JP/2015/%d/%d/%d%d%d%d%d%d%d%d.gif" fullword ascii
+
+ $s1 = "FoxHTTPClient_EXE_x86.exe" fullword ascii
+ $s2 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.3072" ascii
+ $s3 = "hWritePipe2 Error:%d" fullword ascii
+ $s4 = "Not Support This Function!" fullword ascii
+ $s5 = "Global\\PnP_No_Management" fullword ascii
+ $s6 = "Content-Type: image/x-png" fullword ascii
+ $s7 = "Accept-Language: ja-JP" fullword ascii
+ $s8 = "IISCMD Error:%d" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 100KB and (
+ pe.exports("_foo@0") or
+ 1 of ($x*) or
+ 6 of them
+ )
+}
+
+rule APT17_Unsigned_Symantec_Binary_EFA {
+ meta:
+ description = "Detects APT17 malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/puVc9q"
+ date = "2017-10-03"
+ hash1 = "128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f"
+ id = "56eec517-8b00-5cb5-9806-249e50f53b99"
+ strings:
+ $s1 = "Copyright (c) 2007 - 2011 Symantec Corporation" fullword wide
+ $s2 = "\\\\.\\SYMEFA" fullword wide
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 200KB and all of them and pe.number_of_signatures == 0 )
+}
+
+rule APT17_Malware_Oct17_Gen {
+ meta:
+ description = "Detects APT17 malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/puVc9q"
+ date = "2017-10-03"
+ hash1 = "0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2"
+ hash2 = "07f93e49c7015b68e2542fc591ad2b4a1bc01349f79d48db67c53938ad4b525d"
+ hash3 = "ee362a8161bd442073775363bf5fa1305abac2ce39b903d63df0d7121ba60550"
+ id = "c2156e68-d5b5-5bd7-858c-2d5e90199287"
+ strings:
+ $x1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)" fullword ascii
+ $x2 = "http://%s/imgres?q=A380&hl=en-US&sa=X&biw=1440&bih=809&tbm=isus&tbnid=aLW4-J8Q1lmYBM" ascii
+
+ $s1 = "hWritePipe2 Error:%d" fullword ascii
+ $s2 = "Not Support This Function!" fullword ascii
+ $s3 = "Cookie: SESSIONID=%s" fullword ascii
+ $s4 = "http://0.0.0.0/1" fullword ascii
+ $s5 = "Content-Type: image/x-png" fullword ascii
+ $s6 = "Accept-Language: en-US" fullword ascii
+ $s7 = "IISCMD Error:%d" fullword ascii
+ $s8 = "[IISEND=0x%08X][Recv:] 0x%08X %s" fullword ascii
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 200KB and (
+ pe.imphash() == "414bbd566b700ea021cfae3ad8f4d9b9" or
+ 1 of ($x*) or
+ 6 of them
+ )
+ )
+}
diff --git a/yara-Neo23x0/apt_apt17_malware.yar b/yara-Neo23x0/apt_apt17_malware.yar
new file mode 100644
index 0000000..bd40117
--- /dev/null
+++ b/yara-Neo23x0/apt_apt17_malware.yar
@@ -0,0 +1,36 @@
+/*
+ Yara Rule Set
+ Author: Florian Roth
+ Date: 2015-05-14
+ Identifier: APT17
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule APT17_Sample_FXSST_DLL {
+ meta:
+ description = "Detects Samples related to APT17 activity - file FXSST.DLL"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/ZiJyQv"
+ date = "2015-05-14"
+ hash = "52f1add5ad28dc30f68afda5d41b354533d8bce3"
+ id = "e4b9b25e-8895-5ba5-b706-bfb6892c16ae"
+ strings:
+ $x1 = "Microsoft? Windows? Operating System" fullword wide
+ $x2 = "fxsst.dll" fullword ascii
+
+ $y1 = "DllRegisterServer" fullword ascii
+ $y2 = ".cSV" fullword ascii
+
+ $s1 = "GetLastActivePopup"
+ $s2 = "Sleep"
+ $s3 = "GetModuleFileName"
+ $s4 = "VirtualProtect"
+ $s5 = "HeapAlloc"
+ $s6 = "GetProcessHeap"
+ $s7 = "GetCommandLine"
+ condition:
+ uint16(0) == 0x5a4d and filesize < 800KB and
+ ( all of ($x*) or all of ($y*) ) and all of ($s*)
+}
diff --git a/yara-Neo23x0/apt_apt19.yar b/yara-Neo23x0/apt_apt19.yar
new file mode 100644
index 0000000..c527edd
--- /dev/null
+++ b/yara-Neo23x0/apt_apt19.yar
@@ -0,0 +1,69 @@
+
+/*
+ Yara Rule Set
+ Author: Ian.Ahl@fireeye.com @TekDefense, modified by Florian Roth
+ Date: 2017-06-05
+ Identifier: APT19
+ Reference: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
+*/
+
+rule Beacon_K5om {
+ meta:
+ description = "Detects Meterpreter Beacon - file K5om.dll"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html"
+ date = "2017-06-07"
+ hash1 = "e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9"
+ id = "9354d20a-d798-55bf-a735-820f21d4a861"
+ strings:
+ $x1 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s" fullword ascii
+ $x2 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" fullword ascii
+ $x3 = "%d is an x86 process (can't inject x64 content)" fullword ascii
+
+ $s1 = "Could not open process token: %d (%u)" fullword ascii
+ $s2 = "0fd00b.dll" fullword ascii
+ $s3 = "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" fullword ascii
+ $s4 = "Could not connect to pipe (%s): %d" fullword ascii
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 600KB and ( 1 of ($x*) or 3 of them ) )
+}
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule FE_LEGALSTRIKE_MACRO {
+ meta:
+ version=".1"
+ filetype="MACRO"
+ author="Ian.Ahl@fireeye.com @TekDefense - modified by Florian Roth"
+ date="2017-06-02"
+ description="This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7."
+ id = "eb15e5aa-16e5-5c07-a293-ad15c0c09d8e"
+ strings:
+ // OBSFUCATION
+ $ob1 = "ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & ChrW(46) & ChrW(101)" ascii wide
+ // wscript
+ $wsobj1 = "Set Obj = CreateObject(\"WScript.Shell\")" ascii wide
+ $wsobj2 = "Obj.Run " ascii wide
+ condition:
+ all of them
+}
+
+rule FE_LEGALSTRIKE_RTF {
+ meta:
+ version=".1"
+ filetype="MACRO"
+ author="joshua.kim@FireEye. - modified by Florian Roth"
+ date="2017-06-02"
+ description="Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom"
+ id = "b62ceffa-445f-517e-b86b-56e47876c6c0"
+ strings:
+ $lnkinfo = "4c0069006e006b0049006e0066006f"
+ $encoded1 = "4f4c45324c696e6b"
+ $encoded2 = "52006f006f007400200045006e007400720079"
+ $encoded3 = "4f0062006a0049006e0066006f"
+ $encoded4 = "4f006c0065"
+ $datastore = "\\*\\datastore"
+ condition:
+ uint32be(0) == 0x7B5C7274 and all of them
+}
diff --git a/yara-Neo23x0/apt_apt27_hyperbro.yar b/yara-Neo23x0/apt_apt27_hyperbro.yar
new file mode 100644
index 0000000..9413f31
--- /dev/null
+++ b/yara-Neo23x0/apt_apt27_hyperbro.yar
@@ -0,0 +1,389 @@
+import "pe"
+
+rule APT_RU_APT27_HyperBro_Vftrace_Loader_Jan22_1 {
+ meta:
+ description = "Yara rule to detect first Hyperbro Loader Stage, often called vftrace.dll. Detects decoding function."
+ author = "Bundesamt fuer Verfassungsschutz (modified by Florian Roth)"
+ date = "2022-01-14"
+ sharing = "TLP:WHITE"
+ reference = "https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf"
+ hash1 = "333B52C2CFAC56B86EE9D54AEF4F0FF4144528917BC1AA1FE1613EFC2318339A"
+ id = "b049e163-2694-5fb9-a3a3-98cc77bcd0ca"
+ strings:
+ $decoder_routine = { 8A ?? 41 10 00 00 8B ?? 28 ?? ?? 4? 3B ?? 72 ?? }
+ condition:
+ uint16(0) == 0x5a4d and
+ filesize < 5MB and
+ $decoder_routine and
+ pe.exports("D_C_Support_SetD_File")
+}
+
+rule APT_CN_APT27_Compromised_Certficate_Jan22_1 {
+ meta:
+ description = "Detects compromised certifcates used by APT27 malware"
+ author = "Florian Roth (Nextron Systems)"
+ date = "2022-01-29"
+ score = 80
+ reference = "https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf"
+ id = "f2f015af-219d-51ab-9529-01687a879ebb"
+ condition:
+ for any i in (0 .. pe.number_of_signatures) : (
+ pe.signatures[i].issuer contains "DigiCert SHA2 Assured ID Code Signing CA" and
+ pe.signatures[i].serial == "08:68:70:51:50:f1:cf:c1:fc:c3:fc:91:a4:49:49:a6"
+ )
+}
+rule HvS_APT27_HyperBro_Decrypted_Stage2 {
+ meta:
+ description = "HyperBro Stage 2 and compressed Stage 3 detection"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Moritz Oettle"
+ reference = "https://www.hvs-consulting.de/en/threat-intelligence-report-emissary-panda-apt27"
+ date = "2022-02-07"
+ hash1 = "fc5a58bf0fce9cb96f35ee76842ff17816fe302e3164bc7c6a5ef46f6eff67ed"
+ id = "039e5d41-eadb-5c53-82cd-20ffd4105326"
+ strings:
+ $lznt1_compressed_pe_header_small = { FC B9 00 4D 5A 90 } // This is the lznt1 compressed PE header
+
+ $lznt1_compressed_pe_header_large_1 = { FC B9 00 4D 5A 90 00 03 00 00 00 82 04 00 30 FF FF 00 }
+ $lznt1_compressed_pe_header_large_2 = { 00 b8 00 38 0d 01 00 40 04 38 19 00 10 01 00 00 }
+ $lznt1_compressed_pe_header_large_3 = { 00 0e 1f ba 0e 00 b4 09 cd 00 21 b8 01 4c cd 21 }
+ $lznt1_compressed_pe_header_large_4 = { 54 68 00 69 73 20 70 72 6f 67 72 00 61 6d 20 63 }
+ $lznt1_compressed_pe_header_large_5 = { 61 6e 6e 6f 00 74 20 62 65 20 72 75 6e 00 20 69 }
+ $lznt1_compressed_pe_header_large_6 = { 6e 20 44 4f 53 20 00 6d 6f 64 65 2e 0d 0d 0a 02 }
+
+ condition:
+ filesize < 200KB and
+ ($lznt1_compressed_pe_header_small at 0x9ce) or (all of ($lznt1_compressed_pe_header_large_*))
+}
+
+rule HvS_APT27_HyperBro_Stage3 {
+ meta:
+ description = "HyperBro Stage 3 detection - also tested in memory"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Markus Poelloth"
+ reference = "https://www.hvs-consulting.de/en/threat-intelligence-report-emissary-panda-apt27"
+ date = "2022-02-07"
+ modified = "2023-01-07"
+ hash1 = "624e85bd669b97bc55ed5c5ea5f6082a1d4900d235a5d2e2a5683a04e36213e8"
+ id = "b4002777-f129-5177-a8f1-690012a207fa"
+ strings:
+ $s1 = "\\cmd.exe /A" wide
+ $s2 = "vftrace.dll" fullword wide
+ $s3 = "msmpeng.exe" fullword wide
+ $s4 = "\\\\.\\pipe\\testpipe" fullword wide
+ $s5 = "thumb.dat" fullword wide
+
+ $g1 = "%s\\%d.exe" fullword wide
+ $g2 = "https://%s:%d/api/v2/ajax" fullword wide
+ $g3 = " -k networkservice" fullword wide
+ $g4 = " -k localservice" fullword wide
+
+ condition:
+ uint16(0) == 0x5a4d and filesize < 300KB and
+ (( 4 of ($s*) ) or (4 of ($g*)))
+}
+
+rule HvS_APT27_HyperBro_Stage3_C2 {
+ meta:
+ description = "HyperBro Stage 3 C2 path and user agent detection - also tested in memory"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Marc Stroebel"
+ reference = "https://www.hvs-consulting.de/en/threat-intelligence-report-emissary-panda-apt27"
+ date = "2022-02-07"
+ hash1 = "624e85bd669b97bc55ed5c5ea5f6082a1d4900d235a5d2e2a5683a04e36213e8"
+ id = "d1fe03b9-440c-5127-9572-dddcd5c9966b"
+ strings:
+ $s1 = "api/v2/ajax" ascii wide nocase
+ $s2 = "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36" ascii wide nocase
+ condition:
+ all of them
+}
+
+
+rule HvS_APT27_HyperBro_Stage3_Persistence {
+ meta:
+ description = "HyperBro Stage 3 registry keys for persistence"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Marko Dorfhuber"
+ reference = "https://www.hvs-consulting.de/en/threat-intelligence-report-emissary-panda-apt27"
+ date = "2022-02-07"
+ hash1 = "624e85bd669b97bc55ed5c5ea5f6082a1d4900d235a5d2e2a5683a04e36213e8"
+ id = "2bb1d28b-5fc4-5f0b-b546-c8b8192b0d48"
+ strings:
+ $ = "SOFTWARE\\WOW6432Node\\Microsoft\\config_" ascii
+ $ = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\windefenders" ascii
+ condition:
+ 1 of them
+}
+
+
+rule HvS_APT27_HyperBro_Encrypted_Stage2 {
+ meta:
+ description = "HyperBro Encrypted Stage 2 detection. 
Looks for all possible one byte shifts of the lznt1 compressed PE header" + license = "https://creativecommons.org/licenses/by-nc/4.0/" + author = "Moritz Oettle" + reference = "https://www.hvs-consulting.de/en/threat-intelligence-report-emissary-panda-apt27" + date = "2022-02-07" + hash1 = "fc5a58bf0fce9cb96f35ee76842ff17816fe302e3164bc7c6a5ef46f6eff67ed" + id = "fa4fe057-4c3f-5785-a8d3-588398360996" + strings: + $encrypted_pe_header_shift_0 = { fc b9 00 4d 5a 90 00 03 00 00 00 82 04 00 30 ff ff 00 } + $encrypted_pe_header_shift_1 = { fd ba 01 4e 5b 91 01 04 01 01 01 83 05 01 31 00 00 01 } + $encrypted_pe_header_shift_2 = { fe bb 02 4f 5c 92 02 05 02 02 02 84 06 02 32 01 01 02 } + $encrypted_pe_header_shift_3 = { ff bc 03 50 5d 93 03 06 03 03 03 85 07 03 33 02 02 03 } + $encrypted_pe_header_shift_4 = { 00 bd 04 51 5e 94 04 07 04 04 04 86 08 04 34 03 03 04 } + $encrypted_pe_header_shift_5 = { 01 be 05 52 5f 95 05 08 05 05 05 87 09 05 35 04 04 05 } + $encrypted_pe_header_shift_6 = { 02 bf 06 53 60 96 06 09 06 06 06 88 0a 06 36 05 05 06 } + $encrypted_pe_header_shift_7 = { 03 c0 07 54 61 97 07 0a 07 07 07 89 0b 07 37 06 06 07 } + $encrypted_pe_header_shift_8 = { 04 c1 08 55 62 98 08 0b 08 08 08 8a 0c 08 38 07 07 08 } + $encrypted_pe_header_shift_9 = { 05 c2 09 56 63 99 09 0c 09 09 09 8b 0d 09 39 08 08 09 } + $encrypted_pe_header_shift_10 = { 06 c3 0a 57 64 9a 0a 0d 0a 0a 0a 8c 0e 0a 3a 09 09 0a } + $encrypted_pe_header_shift_11 = { 07 c4 0b 58 65 9b 0b 0e 0b 0b 0b 8d 0f 0b 3b 0a 0a 0b } + $encrypted_pe_header_shift_12 = { 08 c5 0c 59 66 9c 0c 0f 0c 0c 0c 8e 10 0c 3c 0b 0b 0c } + $encrypted_pe_header_shift_13 = { 09 c6 0d 5a 67 9d 0d 10 0d 0d 0d 8f 11 0d 3d 0c 0c 0d } + $encrypted_pe_header_shift_14 = { 0a c7 0e 5b 68 9e 0e 11 0e 0e 0e 90 12 0e 3e 0d 0d 0e } + $encrypted_pe_header_shift_15 = { 0b c8 0f 5c 69 9f 0f 12 0f 0f 0f 91 13 0f 3f 0e 0e 0f } + $encrypted_pe_header_shift_16 = { 0c c9 10 5d 6a a0 10 13 10 10 10 92 14 10 40 0f 0f 10 } + 
$encrypted_pe_header_shift_17 = { 0d ca 11 5e 6b a1 11 14 11 11 11 93 15 11 41 10 10 11 } + $encrypted_pe_header_shift_18 = { 0e cb 12 5f 6c a2 12 15 12 12 12 94 16 12 42 11 11 12 } + $encrypted_pe_header_shift_19 = { 0f cc 13 60 6d a3 13 16 13 13 13 95 17 13 43 12 12 13 } + $encrypted_pe_header_shift_20 = { 10 cd 14 61 6e a4 14 17 14 14 14 96 18 14 44 13 13 14 } + $encrypted_pe_header_shift_21 = { 11 ce 15 62 6f a5 15 18 15 15 15 97 19 15 45 14 14 15 } + $encrypted_pe_header_shift_22 = { 12 cf 16 63 70 a6 16 19 16 16 16 98 1a 16 46 15 15 16 } + $encrypted_pe_header_shift_23 = { 13 d0 17 64 71 a7 17 1a 17 17 17 99 1b 17 47 16 16 17 } + $encrypted_pe_header_shift_24 = { 14 d1 18 65 72 a8 18 1b 18 18 18 9a 1c 18 48 17 17 18 } + $encrypted_pe_header_shift_25 = { 15 d2 19 66 73 a9 19 1c 19 19 19 9b 1d 19 49 18 18 19 } + $encrypted_pe_header_shift_26 = { 16 d3 1a 67 74 aa 1a 1d 1a 1a 1a 9c 1e 1a 4a 19 19 1a } + $encrypted_pe_header_shift_27 = { 17 d4 1b 68 75 ab 1b 1e 1b 1b 1b 9d 1f 1b 4b 1a 1a 1b } + $encrypted_pe_header_shift_28 = { 18 d5 1c 69 76 ac 1c 1f 1c 1c 1c 9e 20 1c 4c 1b 1b 1c } + $encrypted_pe_header_shift_29 = { 19 d6 1d 6a 77 ad 1d 20 1d 1d 1d 9f 21 1d 4d 1c 1c 1d } + $encrypted_pe_header_shift_30 = { 1a d7 1e 6b 78 ae 1e 21 1e 1e 1e a0 22 1e 4e 1d 1d 1e } + $encrypted_pe_header_shift_31 = { 1b d8 1f 6c 79 af 1f 22 1f 1f 1f a1 23 1f 4f 1e 1e 1f } + $encrypted_pe_header_shift_32 = { 1c d9 20 6d 7a b0 20 23 20 20 20 a2 24 20 50 1f 1f 20 } + $encrypted_pe_header_shift_33 = { 1d da 21 6e 7b b1 21 24 21 21 21 a3 25 21 51 20 20 21 } + $encrypted_pe_header_shift_34 = { 1e db 22 6f 7c b2 22 25 22 22 22 a4 26 22 52 21 21 22 } + $encrypted_pe_header_shift_35 = { 1f dc 23 70 7d b3 23 26 23 23 23 a5 27 23 53 22 22 23 } + $encrypted_pe_header_shift_36 = { 20 dd 24 71 7e b4 24 27 24 24 24 a6 28 24 54 23 23 24 } + $encrypted_pe_header_shift_37 = { 21 de 25 72 7f b5 25 28 25 25 25 a7 29 25 55 24 24 25 } + $encrypted_pe_header_shift_38 = { 22 df 26 73 80 b6 26 29 26 26 26 
a8 2a 26 56 25 25 26 } + $encrypted_pe_header_shift_39 = { 23 e0 27 74 81 b7 27 2a 27 27 27 a9 2b 27 57 26 26 27 } + $encrypted_pe_header_shift_40 = { 24 e1 28 75 82 b8 28 2b 28 28 28 aa 2c 28 58 27 27 28 } + $encrypted_pe_header_shift_41 = { 25 e2 29 76 83 b9 29 2c 29 29 29 ab 2d 29 59 28 28 29 } + $encrypted_pe_header_shift_42 = { 26 e3 2a 77 84 ba 2a 2d 2a 2a 2a ac 2e 2a 5a 29 29 2a } + $encrypted_pe_header_shift_43 = { 27 e4 2b 78 85 bb 2b 2e 2b 2b 2b ad 2f 2b 5b 2a 2a 2b } + $encrypted_pe_header_shift_44 = { 28 e5 2c 79 86 bc 2c 2f 2c 2c 2c ae 30 2c 5c 2b 2b 2c } + $encrypted_pe_header_shift_45 = { 29 e6 2d 7a 87 bd 2d 30 2d 2d 2d af 31 2d 5d 2c 2c 2d } + $encrypted_pe_header_shift_46 = { 2a e7 2e 7b 88 be 2e 31 2e 2e 2e b0 32 2e 5e 2d 2d 2e } + $encrypted_pe_header_shift_47 = { 2b e8 2f 7c 89 bf 2f 32 2f 2f 2f b1 33 2f 5f 2e 2e 2f } + $encrypted_pe_header_shift_48 = { 2c e9 30 7d 8a c0 30 33 30 30 30 b2 34 30 60 2f 2f 30 } + $encrypted_pe_header_shift_49 = { 2d ea 31 7e 8b c1 31 34 31 31 31 b3 35 31 61 30 30 31 } + $encrypted_pe_header_shift_50 = { 2e eb 32 7f 8c c2 32 35 32 32 32 b4 36 32 62 31 31 32 } + $encrypted_pe_header_shift_51 = { 2f ec 33 80 8d c3 33 36 33 33 33 b5 37 33 63 32 32 33 } + $encrypted_pe_header_shift_52 = { 30 ed 34 81 8e c4 34 37 34 34 34 b6 38 34 64 33 33 34 } + $encrypted_pe_header_shift_53 = { 31 ee 35 82 8f c5 35 38 35 35 35 b7 39 35 65 34 34 35 } + $encrypted_pe_header_shift_54 = { 32 ef 36 83 90 c6 36 39 36 36 36 b8 3a 36 66 35 35 36 } + $encrypted_pe_header_shift_55 = { 33 f0 37 84 91 c7 37 3a 37 37 37 b9 3b 37 67 36 36 37 } + $encrypted_pe_header_shift_56 = { 34 f1 38 85 92 c8 38 3b 38 38 38 ba 3c 38 68 37 37 38 } + $encrypted_pe_header_shift_57 = { 35 f2 39 86 93 c9 39 3c 39 39 39 bb 3d 39 69 38 38 39 } + $encrypted_pe_header_shift_58 = { 36 f3 3a 87 94 ca 3a 3d 3a 3a 3a bc 3e 3a 6a 39 39 3a } + $encrypted_pe_header_shift_59 = { 37 f4 3b 88 95 cb 3b 3e 3b 3b 3b bd 3f 3b 6b 3a 3a 3b } + $encrypted_pe_header_shift_60 = { 38 f5 3c 
89 96 cc 3c 3f 3c 3c 3c be 40 3c 6c 3b 3b 3c } + $encrypted_pe_header_shift_61 = { 39 f6 3d 8a 97 cd 3d 40 3d 3d 3d bf 41 3d 6d 3c 3c 3d } + $encrypted_pe_header_shift_62 = { 3a f7 3e 8b 98 ce 3e 41 3e 3e 3e c0 42 3e 6e 3d 3d 3e } + $encrypted_pe_header_shift_63 = { 3b f8 3f 8c 99 cf 3f 42 3f 3f 3f c1 43 3f 6f 3e 3e 3f } + $encrypted_pe_header_shift_64 = { 3c f9 40 8d 9a d0 40 43 40 40 40 c2 44 40 70 3f 3f 40 } + $encrypted_pe_header_shift_65 = { 3d fa 41 8e 9b d1 41 44 41 41 41 c3 45 41 71 40 40 41 } + $encrypted_pe_header_shift_66 = { 3e fb 42 8f 9c d2 42 45 42 42 42 c4 46 42 72 41 41 42 } + $encrypted_pe_header_shift_67 = { 3f fc 43 90 9d d3 43 46 43 43 43 c5 47 43 73 42 42 43 } + $encrypted_pe_header_shift_68 = { 40 fd 44 91 9e d4 44 47 44 44 44 c6 48 44 74 43 43 44 } + $encrypted_pe_header_shift_69 = { 41 fe 45 92 9f d5 45 48 45 45 45 c7 49 45 75 44 44 45 } + $encrypted_pe_header_shift_70 = { 42 ff 46 93 a0 d6 46 49 46 46 46 c8 4a 46 76 45 45 46 } + $encrypted_pe_header_shift_71 = { 43 00 47 94 a1 d7 47 4a 47 47 47 c9 4b 47 77 46 46 47 } + $encrypted_pe_header_shift_72 = { 44 01 48 95 a2 d8 48 4b 48 48 48 ca 4c 48 78 47 47 48 } + $encrypted_pe_header_shift_73 = { 45 02 49 96 a3 d9 49 4c 49 49 49 cb 4d 49 79 48 48 49 } + $encrypted_pe_header_shift_74 = { 46 03 4a 97 a4 da 4a 4d 4a 4a 4a cc 4e 4a 7a 49 49 4a } + $encrypted_pe_header_shift_75 = { 47 04 4b 98 a5 db 4b 4e 4b 4b 4b cd 4f 4b 7b 4a 4a 4b } + $encrypted_pe_header_shift_76 = { 48 05 4c 99 a6 dc 4c 4f 4c 4c 4c ce 50 4c 7c 4b 4b 4c } + $encrypted_pe_header_shift_77 = { 49 06 4d 9a a7 dd 4d 50 4d 4d 4d cf 51 4d 7d 4c 4c 4d } + $encrypted_pe_header_shift_78 = { 4a 07 4e 9b a8 de 4e 51 4e 4e 4e d0 52 4e 7e 4d 4d 4e } + $encrypted_pe_header_shift_79 = { 4b 08 4f 9c a9 df 4f 52 4f 4f 4f d1 53 4f 7f 4e 4e 4f } + $encrypted_pe_header_shift_80 = { 4c 09 50 9d aa e0 50 53 50 50 50 d2 54 50 80 4f 4f 50 } + $encrypted_pe_header_shift_81 = { 4d 0a 51 9e ab e1 51 54 51 51 51 d3 55 51 81 50 50 51 } + 
$encrypted_pe_header_shift_82 = { 4e 0b 52 9f ac e2 52 55 52 52 52 d4 56 52 82 51 51 52 } + $encrypted_pe_header_shift_83 = { 4f 0c 53 a0 ad e3 53 56 53 53 53 d5 57 53 83 52 52 53 } + $encrypted_pe_header_shift_84 = { 50 0d 54 a1 ae e4 54 57 54 54 54 d6 58 54 84 53 53 54 } + $encrypted_pe_header_shift_85 = { 51 0e 55 a2 af e5 55 58 55 55 55 d7 59 55 85 54 54 55 } + $encrypted_pe_header_shift_86 = { 52 0f 56 a3 b0 e6 56 59 56 56 56 d8 5a 56 86 55 55 56 } + $encrypted_pe_header_shift_87 = { 53 10 57 a4 b1 e7 57 5a 57 57 57 d9 5b 57 87 56 56 57 } + $encrypted_pe_header_shift_88 = { 54 11 58 a5 b2 e8 58 5b 58 58 58 da 5c 58 88 57 57 58 } + $encrypted_pe_header_shift_89 = { 55 12 59 a6 b3 e9 59 5c 59 59 59 db 5d 59 89 58 58 59 } + $encrypted_pe_header_shift_90 = { 56 13 5a a7 b4 ea 5a 5d 5a 5a 5a dc 5e 5a 8a 59 59 5a } + $encrypted_pe_header_shift_91 = { 57 14 5b a8 b5 eb 5b 5e 5b 5b 5b dd 5f 5b 8b 5a 5a 5b } + $encrypted_pe_header_shift_92 = { 58 15 5c a9 b6 ec 5c 5f 5c 5c 5c de 60 5c 8c 5b 5b 5c } + $encrypted_pe_header_shift_93 = { 59 16 5d aa b7 ed 5d 60 5d 5d 5d df 61 5d 8d 5c 5c 5d } + $encrypted_pe_header_shift_94 = { 5a 17 5e ab b8 ee 5e 61 5e 5e 5e e0 62 5e 8e 5d 5d 5e } + $encrypted_pe_header_shift_95 = { 5b 18 5f ac b9 ef 5f 62 5f 5f 5f e1 63 5f 8f 5e 5e 5f } + $encrypted_pe_header_shift_96 = { 5c 19 60 ad ba f0 60 63 60 60 60 e2 64 60 90 5f 5f 60 } + $encrypted_pe_header_shift_97 = { 5d 1a 61 ae bb f1 61 64 61 61 61 e3 65 61 91 60 60 61 } + $encrypted_pe_header_shift_98 = { 5e 1b 62 af bc f2 62 65 62 62 62 e4 66 62 92 61 61 62 } + $encrypted_pe_header_shift_99 = { 5f 1c 63 b0 bd f3 63 66 63 63 63 e5 67 63 93 62 62 63 } + $encrypted_pe_header_shift_100 = { 60 1d 64 b1 be f4 64 67 64 64 64 e6 68 64 94 63 63 64 } + $encrypted_pe_header_shift_101 = { 61 1e 65 b2 bf f5 65 68 65 65 65 e7 69 65 95 64 64 65 } + $encrypted_pe_header_shift_102 = { 62 1f 66 b3 c0 f6 66 69 66 66 66 e8 6a 66 96 65 65 66 } + $encrypted_pe_header_shift_103 = { 63 20 67 b4 c1 f7 67 6a 67 67 
67 e9 6b 67 97 66 66 67 } + $encrypted_pe_header_shift_104 = { 64 21 68 b5 c2 f8 68 6b 68 68 68 ea 6c 68 98 67 67 68 } + $encrypted_pe_header_shift_105 = { 65 22 69 b6 c3 f9 69 6c 69 69 69 eb 6d 69 99 68 68 69 } + $encrypted_pe_header_shift_106 = { 66 23 6a b7 c4 fa 6a 6d 6a 6a 6a ec 6e 6a 9a 69 69 6a } + $encrypted_pe_header_shift_107 = { 67 24 6b b8 c5 fb 6b 6e 6b 6b 6b ed 6f 6b 9b 6a 6a 6b } + $encrypted_pe_header_shift_108 = { 68 25 6c b9 c6 fc 6c 6f 6c 6c 6c ee 70 6c 9c 6b 6b 6c } + $encrypted_pe_header_shift_109 = { 69 26 6d ba c7 fd 6d 70 6d 6d 6d ef 71 6d 9d 6c 6c 6d } + $encrypted_pe_header_shift_110 = { 6a 27 6e bb c8 fe 6e 71 6e 6e 6e f0 72 6e 9e 6d 6d 6e } + $encrypted_pe_header_shift_111 = { 6b 28 6f bc c9 ff 6f 72 6f 6f 6f f1 73 6f 9f 6e 6e 6f } + $encrypted_pe_header_shift_112 = { 6c 29 70 bd ca 00 70 73 70 70 70 f2 74 70 a0 6f 6f 70 } + $encrypted_pe_header_shift_113 = { 6d 2a 71 be cb 01 71 74 71 71 71 f3 75 71 a1 70 70 71 } + $encrypted_pe_header_shift_114 = { 6e 2b 72 bf cc 02 72 75 72 72 72 f4 76 72 a2 71 71 72 } + $encrypted_pe_header_shift_115 = { 6f 2c 73 c0 cd 03 73 76 73 73 73 f5 77 73 a3 72 72 73 } + $encrypted_pe_header_shift_116 = { 70 2d 74 c1 ce 04 74 77 74 74 74 f6 78 74 a4 73 73 74 } + $encrypted_pe_header_shift_117 = { 71 2e 75 c2 cf 05 75 78 75 75 75 f7 79 75 a5 74 74 75 } + $encrypted_pe_header_shift_118 = { 72 2f 76 c3 d0 06 76 79 76 76 76 f8 7a 76 a6 75 75 76 } + $encrypted_pe_header_shift_119 = { 73 30 77 c4 d1 07 77 7a 77 77 77 f9 7b 77 a7 76 76 77 } + $encrypted_pe_header_shift_120 = { 74 31 78 c5 d2 08 78 7b 78 78 78 fa 7c 78 a8 77 77 78 } + $encrypted_pe_header_shift_121 = { 75 32 79 c6 d3 09 79 7c 79 79 79 fb 7d 79 a9 78 78 79 } + $encrypted_pe_header_shift_122 = { 76 33 7a c7 d4 0a 7a 7d 7a 7a 7a fc 7e 7a aa 79 79 7a } + $encrypted_pe_header_shift_123 = { 77 34 7b c8 d5 0b 7b 7e 7b 7b 7b fd 7f 7b ab 7a 7a 7b } + $encrypted_pe_header_shift_124 = { 78 35 7c c9 d6 0c 7c 7f 7c 7c 7c fe 80 7c ac 7b 7b 7c } + 
$encrypted_pe_header_shift_125 = { 79 36 7d ca d7 0d 7d 80 7d 7d 7d ff 81 7d ad 7c 7c 7d } + $encrypted_pe_header_shift_126 = { 7a 37 7e cb d8 0e 7e 81 7e 7e 7e 00 82 7e ae 7d 7d 7e } + $encrypted_pe_header_shift_127 = { 7b 38 7f cc d9 0f 7f 82 7f 7f 7f 01 83 7f af 7e 7e 7f } + $encrypted_pe_header_shift_128 = { 7c 39 80 cd da 10 80 83 80 80 80 02 84 80 b0 7f 7f 80 } + $encrypted_pe_header_shift_129 = { 7d 3a 81 ce db 11 81 84 81 81 81 03 85 81 b1 80 80 81 } + $encrypted_pe_header_shift_130 = { 7e 3b 82 cf dc 12 82 85 82 82 82 04 86 82 b2 81 81 82 } + $encrypted_pe_header_shift_131 = { 7f 3c 83 d0 dd 13 83 86 83 83 83 05 87 83 b3 82 82 83 } + $encrypted_pe_header_shift_132 = { 80 3d 84 d1 de 14 84 87 84 84 84 06 88 84 b4 83 83 84 } + $encrypted_pe_header_shift_133 = { 81 3e 85 d2 df 15 85 88 85 85 85 07 89 85 b5 84 84 85 } + $encrypted_pe_header_shift_134 = { 82 3f 86 d3 e0 16 86 89 86 86 86 08 8a 86 b6 85 85 86 } + $encrypted_pe_header_shift_135 = { 83 40 87 d4 e1 17 87 8a 87 87 87 09 8b 87 b7 86 86 87 } + $encrypted_pe_header_shift_136 = { 84 41 88 d5 e2 18 88 8b 88 88 88 0a 8c 88 b8 87 87 88 } + $encrypted_pe_header_shift_137 = { 85 42 89 d6 e3 19 89 8c 89 89 89 0b 8d 89 b9 88 88 89 } + $encrypted_pe_header_shift_138 = { 86 43 8a d7 e4 1a 8a 8d 8a 8a 8a 0c 8e 8a ba 89 89 8a } + $encrypted_pe_header_shift_139 = { 87 44 8b d8 e5 1b 8b 8e 8b 8b 8b 0d 8f 8b bb 8a 8a 8b } + $encrypted_pe_header_shift_140 = { 88 45 8c d9 e6 1c 8c 8f 8c 8c 8c 0e 90 8c bc 8b 8b 8c } + $encrypted_pe_header_shift_141 = { 89 46 8d da e7 1d 8d 90 8d 8d 8d 0f 91 8d bd 8c 8c 8d } + $encrypted_pe_header_shift_142 = { 8a 47 8e db e8 1e 8e 91 8e 8e 8e 10 92 8e be 8d 8d 8e } + $encrypted_pe_header_shift_143 = { 8b 48 8f dc e9 1f 8f 92 8f 8f 8f 11 93 8f bf 8e 8e 8f } + $encrypted_pe_header_shift_144 = { 8c 49 90 dd ea 20 90 93 90 90 90 12 94 90 c0 8f 8f 90 } + $encrypted_pe_header_shift_145 = { 8d 4a 91 de eb 21 91 94 91 91 91 13 95 91 c1 90 90 91 } + $encrypted_pe_header_shift_146 = { 8e 4b 92 df 
ec 22 92 95 92 92 92 14 96 92 c2 91 91 92 } + $encrypted_pe_header_shift_147 = { 8f 4c 93 e0 ed 23 93 96 93 93 93 15 97 93 c3 92 92 93 } + $encrypted_pe_header_shift_148 = { 90 4d 94 e1 ee 24 94 97 94 94 94 16 98 94 c4 93 93 94 } + $encrypted_pe_header_shift_149 = { 91 4e 95 e2 ef 25 95 98 95 95 95 17 99 95 c5 94 94 95 } + $encrypted_pe_header_shift_150 = { 92 4f 96 e3 f0 26 96 99 96 96 96 18 9a 96 c6 95 95 96 } + $encrypted_pe_header_shift_151 = { 93 50 97 e4 f1 27 97 9a 97 97 97 19 9b 97 c7 96 96 97 } + $encrypted_pe_header_shift_152 = { 94 51 98 e5 f2 28 98 9b 98 98 98 1a 9c 98 c8 97 97 98 } + $encrypted_pe_header_shift_153 = { 95 52 99 e6 f3 29 99 9c 99 99 99 1b 9d 99 c9 98 98 99 } + $encrypted_pe_header_shift_154 = { 96 53 9a e7 f4 2a 9a 9d 9a 9a 9a 1c 9e 9a ca 99 99 9a } + $encrypted_pe_header_shift_155 = { 97 54 9b e8 f5 2b 9b 9e 9b 9b 9b 1d 9f 9b cb 9a 9a 9b } + $encrypted_pe_header_shift_156 = { 98 55 9c e9 f6 2c 9c 9f 9c 9c 9c 1e a0 9c cc 9b 9b 9c } + $encrypted_pe_header_shift_157 = { 99 56 9d ea f7 2d 9d a0 9d 9d 9d 1f a1 9d cd 9c 9c 9d } + $encrypted_pe_header_shift_158 = { 9a 57 9e eb f8 2e 9e a1 9e 9e 9e 20 a2 9e ce 9d 9d 9e } + $encrypted_pe_header_shift_159 = { 9b 58 9f ec f9 2f 9f a2 9f 9f 9f 21 a3 9f cf 9e 9e 9f } + $encrypted_pe_header_shift_160 = { 9c 59 a0 ed fa 30 a0 a3 a0 a0 a0 22 a4 a0 d0 9f 9f a0 } + $encrypted_pe_header_shift_161 = { 9d 5a a1 ee fb 31 a1 a4 a1 a1 a1 23 a5 a1 d1 a0 a0 a1 } + $encrypted_pe_header_shift_162 = { 9e 5b a2 ef fc 32 a2 a5 a2 a2 a2 24 a6 a2 d2 a1 a1 a2 } + $encrypted_pe_header_shift_163 = { 9f 5c a3 f0 fd 33 a3 a6 a3 a3 a3 25 a7 a3 d3 a2 a2 a3 } + $encrypted_pe_header_shift_164 = { a0 5d a4 f1 fe 34 a4 a7 a4 a4 a4 26 a8 a4 d4 a3 a3 a4 } + $encrypted_pe_header_shift_165 = { a1 5e a5 f2 ff 35 a5 a8 a5 a5 a5 27 a9 a5 d5 a4 a4 a5 } + $encrypted_pe_header_shift_166 = { a2 5f a6 f3 00 36 a6 a9 a6 a6 a6 28 aa a6 d6 a5 a5 a6 } + $encrypted_pe_header_shift_167 = { a3 60 a7 f4 01 37 a7 aa a7 a7 a7 29 ab a7 d7 a6 a6 a7 } + 
$encrypted_pe_header_shift_168 = { a4 61 a8 f5 02 38 a8 ab a8 a8 a8 2a ac a8 d8 a7 a7 a8 } + $encrypted_pe_header_shift_169 = { a5 62 a9 f6 03 39 a9 ac a9 a9 a9 2b ad a9 d9 a8 a8 a9 } + $encrypted_pe_header_shift_170 = { a6 63 aa f7 04 3a aa ad aa aa aa 2c ae aa da a9 a9 aa } + $encrypted_pe_header_shift_171 = { a7 64 ab f8 05 3b ab ae ab ab ab 2d af ab db aa aa ab } + $encrypted_pe_header_shift_172 = { a8 65 ac f9 06 3c ac af ac ac ac 2e b0 ac dc ab ab ac } + $encrypted_pe_header_shift_173 = { a9 66 ad fa 07 3d ad b0 ad ad ad 2f b1 ad dd ac ac ad } + $encrypted_pe_header_shift_174 = { aa 67 ae fb 08 3e ae b1 ae ae ae 30 b2 ae de ad ad ae } + $encrypted_pe_header_shift_175 = { ab 68 af fc 09 3f af b2 af af af 31 b3 af df ae ae af } + $encrypted_pe_header_shift_176 = { ac 69 b0 fd 0a 40 b0 b3 b0 b0 b0 32 b4 b0 e0 af af b0 } + $encrypted_pe_header_shift_177 = { ad 6a b1 fe 0b 41 b1 b4 b1 b1 b1 33 b5 b1 e1 b0 b0 b1 } + $encrypted_pe_header_shift_178 = { ae 6b b2 ff 0c 42 b2 b5 b2 b2 b2 34 b6 b2 e2 b1 b1 b2 } + $encrypted_pe_header_shift_179 = { af 6c b3 00 0d 43 b3 b6 b3 b3 b3 35 b7 b3 e3 b2 b2 b3 } + $encrypted_pe_header_shift_180 = { b0 6d b4 01 0e 44 b4 b7 b4 b4 b4 36 b8 b4 e4 b3 b3 b4 } + $encrypted_pe_header_shift_181 = { b1 6e b5 02 0f 45 b5 b8 b5 b5 b5 37 b9 b5 e5 b4 b4 b5 } + $encrypted_pe_header_shift_182 = { b2 6f b6 03 10 46 b6 b9 b6 b6 b6 38 ba b6 e6 b5 b5 b6 } + $encrypted_pe_header_shift_183 = { b3 70 b7 04 11 47 b7 ba b7 b7 b7 39 bb b7 e7 b6 b6 b7 } + $encrypted_pe_header_shift_184 = { b4 71 b8 05 12 48 b8 bb b8 b8 b8 3a bc b8 e8 b7 b7 b8 } + $encrypted_pe_header_shift_185 = { b5 72 b9 06 13 49 b9 bc b9 b9 b9 3b bd b9 e9 b8 b8 b9 } + $encrypted_pe_header_shift_186 = { b6 73 ba 07 14 4a ba bd ba ba ba 3c be ba ea b9 b9 ba } + $encrypted_pe_header_shift_187 = { b7 74 bb 08 15 4b bb be bb bb bb 3d bf bb eb ba ba bb } + $encrypted_pe_header_shift_188 = { b8 75 bc 09 16 4c bc bf bc bc bc 3e c0 bc ec bb bb bc } + $encrypted_pe_header_shift_189 = { b9 76 bd 0a 
17 4d bd c0 bd bd bd 3f c1 bd ed bc bc bd } + $encrypted_pe_header_shift_190 = { ba 77 be 0b 18 4e be c1 be be be 40 c2 be ee bd bd be } + $encrypted_pe_header_shift_191 = { bb 78 bf 0c 19 4f bf c2 bf bf bf 41 c3 bf ef be be bf } + $encrypted_pe_header_shift_192 = { bc 79 c0 0d 1a 50 c0 c3 c0 c0 c0 42 c4 c0 f0 bf bf c0 } + $encrypted_pe_header_shift_193 = { bd 7a c1 0e 1b 51 c1 c4 c1 c1 c1 43 c5 c1 f1 c0 c0 c1 } + $encrypted_pe_header_shift_194 = { be 7b c2 0f 1c 52 c2 c5 c2 c2 c2 44 c6 c2 f2 c1 c1 c2 } + $encrypted_pe_header_shift_195 = { bf 7c c3 10 1d 53 c3 c6 c3 c3 c3 45 c7 c3 f3 c2 c2 c3 } + $encrypted_pe_header_shift_196 = { c0 7d c4 11 1e 54 c4 c7 c4 c4 c4 46 c8 c4 f4 c3 c3 c4 } + $encrypted_pe_header_shift_197 = { c1 7e c5 12 1f 55 c5 c8 c5 c5 c5 47 c9 c5 f5 c4 c4 c5 } + $encrypted_pe_header_shift_198 = { c2 7f c6 13 20 56 c6 c9 c6 c6 c6 48 ca c6 f6 c5 c5 c6 } + $encrypted_pe_header_shift_199 = { c3 80 c7 14 21 57 c7 ca c7 c7 c7 49 cb c7 f7 c6 c6 c7 } + $encrypted_pe_header_shift_200 = { c4 81 c8 15 22 58 c8 cb c8 c8 c8 4a cc c8 f8 c7 c7 c8 } + $encrypted_pe_header_shift_201 = { c5 82 c9 16 23 59 c9 cc c9 c9 c9 4b cd c9 f9 c8 c8 c9 } + $encrypted_pe_header_shift_202 = { c6 83 ca 17 24 5a ca cd ca ca ca 4c ce ca fa c9 c9 ca } + $encrypted_pe_header_shift_203 = { c7 84 cb 18 25 5b cb ce cb cb cb 4d cf cb fb ca ca cb } + $encrypted_pe_header_shift_204 = { c8 85 cc 19 26 5c cc cf cc cc cc 4e d0 cc fc cb cb cc } + $encrypted_pe_header_shift_205 = { c9 86 cd 1a 27 5d cd d0 cd cd cd 4f d1 cd fd cc cc cd } + $encrypted_pe_header_shift_206 = { ca 87 ce 1b 28 5e ce d1 ce ce ce 50 d2 ce fe cd cd ce } + $encrypted_pe_header_shift_207 = { cb 88 cf 1c 29 5f cf d2 cf cf cf 51 d3 cf ff ce ce cf } + $encrypted_pe_header_shift_208 = { cc 89 d0 1d 2a 60 d0 d3 d0 d0 d0 52 d4 d0 00 cf cf d0 } + $encrypted_pe_header_shift_209 = { cd 8a d1 1e 2b 61 d1 d4 d1 d1 d1 53 d5 d1 01 d0 d0 d1 } + $encrypted_pe_header_shift_210 = { ce 8b d2 1f 2c 62 d2 d5 d2 d2 d2 54 d6 d2 02 d1 d1 d2 } + 
$encrypted_pe_header_shift_211 = { cf 8c d3 20 2d 63 d3 d6 d3 d3 d3 55 d7 d3 03 d2 d2 d3 } + $encrypted_pe_header_shift_212 = { d0 8d d4 21 2e 64 d4 d7 d4 d4 d4 56 d8 d4 04 d3 d3 d4 } + $encrypted_pe_header_shift_213 = { d1 8e d5 22 2f 65 d5 d8 d5 d5 d5 57 d9 d5 05 d4 d4 d5 } + $encrypted_pe_header_shift_214 = { d2 8f d6 23 30 66 d6 d9 d6 d6 d6 58 da d6 06 d5 d5 d6 } + $encrypted_pe_header_shift_215 = { d3 90 d7 24 31 67 d7 da d7 d7 d7 59 db d7 07 d6 d6 d7 } + $encrypted_pe_header_shift_216 = { d4 91 d8 25 32 68 d8 db d8 d8 d8 5a dc d8 08 d7 d7 d8 } + $encrypted_pe_header_shift_217 = { d5 92 d9 26 33 69 d9 dc d9 d9 d9 5b dd d9 09 d8 d8 d9 } + $encrypted_pe_header_shift_218 = { d6 93 da 27 34 6a da dd da da da 5c de da 0a d9 d9 da } + $encrypted_pe_header_shift_219 = { d7 94 db 28 35 6b db de db db db 5d df db 0b da da db } + $encrypted_pe_header_shift_220 = { d8 95 dc 29 36 6c dc df dc dc dc 5e e0 dc 0c db db dc } + $encrypted_pe_header_shift_221 = { d9 96 dd 2a 37 6d dd e0 dd dd dd 5f e1 dd 0d dc dc dd } + $encrypted_pe_header_shift_222 = { da 97 de 2b 38 6e de e1 de de de 60 e2 de 0e dd dd de } + $encrypted_pe_header_shift_223 = { db 98 df 2c 39 6f df e2 df df df 61 e3 df 0f de de df } + $encrypted_pe_header_shift_224 = { dc 99 e0 2d 3a 70 e0 e3 e0 e0 e0 62 e4 e0 10 df df e0 } + $encrypted_pe_header_shift_225 = { dd 9a e1 2e 3b 71 e1 e4 e1 e1 e1 63 e5 e1 11 e0 e0 e1 } + $encrypted_pe_header_shift_226 = { de 9b e2 2f 3c 72 e2 e5 e2 e2 e2 64 e6 e2 12 e1 e1 e2 } + $encrypted_pe_header_shift_227 = { df 9c e3 30 3d 73 e3 e6 e3 e3 e3 65 e7 e3 13 e2 e2 e3 } + $encrypted_pe_header_shift_228 = { e0 9d e4 31 3e 74 e4 e7 e4 e4 e4 66 e8 e4 14 e3 e3 e4 } + $encrypted_pe_header_shift_229 = { e1 9e e5 32 3f 75 e5 e8 e5 e5 e5 67 e9 e5 15 e4 e4 e5 } + $encrypted_pe_header_shift_230 = { e2 9f e6 33 40 76 e6 e9 e6 e6 e6 68 ea e6 16 e5 e5 e6 } + $encrypted_pe_header_shift_231 = { e3 a0 e7 34 41 77 e7 ea e7 e7 e7 69 eb e7 17 e6 e6 e7 } + $encrypted_pe_header_shift_232 = { e4 a1 e8 35 
42 78 e8 eb e8 e8 e8 6a ec e8 18 e7 e7 e8 } + $encrypted_pe_header_shift_233 = { e5 a2 e9 36 43 79 e9 ec e9 e9 e9 6b ed e9 19 e8 e8 e9 } + $encrypted_pe_header_shift_234 = { e6 a3 ea 37 44 7a ea ed ea ea ea 6c ee ea 1a e9 e9 ea } + $encrypted_pe_header_shift_235 = { e7 a4 eb 38 45 7b eb ee eb eb eb 6d ef eb 1b ea ea eb } + $encrypted_pe_header_shift_236 = { e8 a5 ec 39 46 7c ec ef ec ec ec 6e f0 ec 1c eb eb ec } + $encrypted_pe_header_shift_237 = { e9 a6 ed 3a 47 7d ed f0 ed ed ed 6f f1 ed 1d ec ec ed } + $encrypted_pe_header_shift_238 = { ea a7 ee 3b 48 7e ee f1 ee ee ee 70 f2 ee 1e ed ed ee } + $encrypted_pe_header_shift_239 = { eb a8 ef 3c 49 7f ef f2 ef ef ef 71 f3 ef 1f ee ee ef } + $encrypted_pe_header_shift_240 = { ec a9 f0 3d 4a 80 f0 f3 f0 f0 f0 72 f4 f0 20 ef ef f0 } + $encrypted_pe_header_shift_241 = { ed aa f1 3e 4b 81 f1 f4 f1 f1 f1 73 f5 f1 21 f0 f0 f1 } + $encrypted_pe_header_shift_242 = { ee ab f2 3f 4c 82 f2 f5 f2 f2 f2 74 f6 f2 22 f1 f1 f2 } + $encrypted_pe_header_shift_243 = { ef ac f3 40 4d 83 f3 f6 f3 f3 f3 75 f7 f3 23 f2 f2 f3 } + $encrypted_pe_header_shift_244 = { f0 ad f4 41 4e 84 f4 f7 f4 f4 f4 76 f8 f4 24 f3 f3 f4 } + $encrypted_pe_header_shift_245 = { f1 ae f5 42 4f 85 f5 f8 f5 f5 f5 77 f9 f5 25 f4 f4 f5 } + $encrypted_pe_header_shift_246 = { f2 af f6 43 50 86 f6 f9 f6 f6 f6 78 fa f6 26 f5 f5 f6 } + $encrypted_pe_header_shift_247 = { f3 b0 f7 44 51 87 f7 fa f7 f7 f7 79 fb f7 27 f6 f6 f7 } + $encrypted_pe_header_shift_248 = { f4 b1 f8 45 52 88 f8 fb f8 f8 f8 7a fc f8 28 f7 f7 f8 } + $encrypted_pe_header_shift_249 = { f5 b2 f9 46 53 89 f9 fc f9 f9 f9 7b fd f9 29 f8 f8 f9 } + $encrypted_pe_header_shift_250 = { f6 b3 fa 47 54 8a fa fd fa fa fa 7c fe fa 2a f9 f9 fa } + $encrypted_pe_header_shift_251 = { f7 b4 fb 48 55 8b fb fe fb fb fb 7d ff fb 2b fa fa fb } + $encrypted_pe_header_shift_252 = { f8 b5 fc 49 56 8c fc ff fc fc fc 7e 00 fc 2c fb fb fc } + $encrypted_pe_header_shift_253 = { f9 b6 fd 4a 57 8d fd 00 fd fd fd 7f 01 fd 2d fc fc fd } + 
$encrypted_pe_header_shift_254 = { fa b7 fe 4b 58 8e fe 01 fe fe fe 80 02 fe 2e fd fd fe }
+ $encrypted_pe_header_shift_255 = { fb b8 ff 4c 59 8f ff 02 ff ff ff 81 03 ff 2f fe fe ff }
+
+ condition:
+ filesize < 200KB and (1 of ($encrypted_pe_header_shift_*))
+}
diff --git a/yara-Neo23x0/apt_apt27_rshell.yar b/yara-Neo23x0/apt_apt27_rshell.yar
new file mode 100644
index 0000000..25fc84e
--- /dev/null
+++ b/yara-Neo23x0/apt_apt27_rshell.yar
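Review bot: The condition of `HvS_APT27_HyperBro_Decrypted_Stage2` (near the top of this hunk) reads `filesize < 200KB and ($lznt1_compressed_pe_header_small at 0x9ce) or (all of ($lznt1_compressed_pe_header_large_*))`; because `and` binds tighter than `or`, the size limit applies only to the first alternative, and a file of any size containing the six `large_*` patterns matches. If the guard is meant for both branches, parenthesize them as `filesize < 200KB and ( ($lznt1_compressed_pe_header_small at 0x9ce) or (all of ($lznt1_compressed_pe_header_large_*)) )`, which is how `HvS_APT27_HyperBro_Encrypted_Stage2` at the end of the hunk already structures its condition. The rule name `APT_CN_APT27_Compromised_Certficate_Jan22_1` and its description "compromised certifcates" both drop a letter; rule names are what match output and downstream tooling key on, so it is cheaper to fix the spelling now than after the name has propagated. Note also that the HvS_* rules declare `license = "https://creativecommons.org/licenses/by-nc/4.0/"` (non-commercial) while the other rules in this file reference the Detection Rule License, so the file carries mixed licensing terms; anyone redistributing this rule set should check that against their use.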
@@ -0,0 +1,40 @@
+
+rule APT_MAL_APT27_Rshell_Jul24 {
+ meta:
+ sharing = "TLP:WHITE"
+ source = "BUNDESAMT FUER VERFASSUNGSSCHUTZ"
+ author = "Bundesamt fuer Verfassungsschutz, modified by Florian Roth"
+ description = "YARA rule to detect RSHELL of APT27"
+ category = "MALWARE"
+ malware = "RSHELL / SYSUPDATE"
+ reference = "https://x.com/bfv_bund/status/1811364839656185985?s=12&t=C0_T_re0wRP_NfKa27Xw9w"
+ date = "2024-07-11"
+ hash1 = "0433edfad648e1e29be54101abaded690302dc7e49ad916cfbbddf99b3ade12c"
+ hash2 = "10bb89fdf25c88d3c5623e8d68573124c9a42549750014e3675e2ca342aeba4a"
+ hash3 = "2603e1f61363451891c97b0c4ce8acfbfb680d3df4282f9d151ecce3a5679616"
+ hash4 = "70dac42491f8f19568a5d7b1d10b29f732a88d75e7f2bfa07b23202bacadf56f"
+ hash5 = "b988a6583ce40f07e5fc8e890ae2b1c84a93db8a2e3ca8769241b94bea332a7a"
+ hash6 = "c4fe1e56f601d411e2385352606524fb8bbf773bc2ba14889a8de605c2d14da0"
+ hash7 = "c787144d285fcca8a542f7a5525a37bcd089b39068b9a4db7fe3554ee6c08301"
+ hash8 = "ddaa4d23e4651a517fffbd29f0924607ba6b6253171144da5e49237afe91666b"
+ strings:
+ $a1 = "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%" ascii
+ $a2 = "/proc/self/exe" ascii
+
+ $s1 = "HISTFILE" ascii fullword
+ $s2 = "/tmp/guid" ascii fullword
+
+ $sop1 = { e8 ?? ?? ?? ?? c7 43 04 00 00 00 00 8b 3b 85 ff 7e 2? e8 ?? ?? 0? 00 85 c0 7e 0? }
+ $sop2 = { c7 43 04 00 00 00 00 8b 3b 85 ff 7e 2? e8 ?? ?? 0? 00 85 c0 7e 0? f7 d8 }
+ condition:
+ (
+ uint32be(0) == 0x7f454c46 // Linux
+ or ( uint32be(0) == 0xcafebabe and uint32be(4) < 0x20 ) // Universal mach-O App with dont-match-java-class-file hack
+ or uint32(0) == 0xfeedface // 32-bit mach-O
+ or uint32(0) == 0xfeedfacf // 64-bit mach-O
+ )
+ and filesize < 2MB
+ and all of ($a*)
+ and 2 of ($s*)
+ or 3 of ($s*)
+}
diff --git a/yara-Neo23x0/apt_apt28.yar b/yara-Neo23x0/apt_apt28.yar
new file mode 100644
index 0000000..fa3169b
--- /dev/null
+++ b/yara-Neo23x0/apt_apt28.yar
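Review bot: The trailing `or 3 of ($s*)` in the condition of `APT_MAL_APT27_Rshell_Jul24` sits outside the parenthesized header check, so by YARA precedence a file of any type and any size matches as soon as three `$s*` strings are present, bypassing `filesize < 2MB` and `all of ($a*)`. That may be deliberate (memory or headerless scans come to mind), but the layout does not make it obvious; wrapping the guarded part in its own parentheses and writing the last branch as `) or ( 3 of ($s*) ) // <reason for the unguarded branch>` would make the intent explicit for the next reader. Note too that the `$s*` selector also matches `$sop1` and `$sop2`, so `2 of ($s*)` is satisfied by the two opcode patterns alone without either of the `$s1`/`$s2` strings; renaming the opcode patterns to `$op1`/`$op2` would separate the two groups if that overlap is not intended.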
@@ -0,0 +1,159 @@ +/* + Yara Rule Set + Author: YarGen Rule Generator + Date: 2015-06-02 + Identifier: APT28 +*/ + +/* Rule Set ----------------------------------------------------------------- */ + +rule APT28_CHOPSTICK { + meta: + description = "Detects a malware that behaves like CHOPSTICK mentioned in APT28 report" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "https://goo.gl/v3ebal" + date = "2015-06-02" + hash = "f4db2e0881f83f6a2387ecf446fcb4a4c9f99808" + score = 60 + id = "08bc4cc2-1844-5218-bb89-20a3ac70a951" + strings: + $s0 = "jhuhugit.tmp" fullword ascii /* score: '14.005' */ + $s8 = "KERNEL32.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 14405 times */ + $s9 = "IsDebuggerPresent" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 3518 times */ + $s10 = "IsProcessorFeaturePresent" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 1383 times */ + $s11 = "TerminateProcess" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 13081 times */ + $s13 = "DeleteFileA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 1384 times */ + $s15 = "GetProcessHeap" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 5875 times */ + $s16 = "!This program cannot be run in DOS mode." 
fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 20908 times */ + $s17 = "LoadLibraryA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 5461 times */ + condition: + uint16(0) == 0x5a4d and filesize < 722KB and all of them +} + +rule APT28_SourFace_Malware1 { + meta: + description = "Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server." + author = "Florian Roth (Nextron Systems)" + reference = "https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html" + date = "2015-06-01" + hash1 = "e2450dffa675c61aa43077b25b12851a910eeeb6" + hash2 = "d9c53adce8c35ec3b1e015ec8011078902e6800b" + score = 60 + id = "d4275b8d-384f-58b7-bac5-05fb7db659e2" + strings: + $s0 = "coreshell.dll" fullword wide /* PEStudio Blacklist: strings */ + $s1 = "Core Shell Runtime Service" fullword wide /* PEStudio Blacklist: strings */ + $s2 = "\\chkdbg.log" wide + condition: + uint16(0) == 0x5a4d and filesize < 62KB and all of them +} + +rule APT28_SourFace_Malware2 { + meta: + description = "Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server." 
+ author = "Florian Roth (Nextron Systems)" + reference = "https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html" + date = "2015-06-01" + super_rule = 1 + hash0 = "367d40465fd1633c435b966fa9b289188aa444bc" + hash1 = "cf3220c867b81949d1ce2b36446642de7894c6dc" + hash2 = "ed48ef531d96e8c7360701da1c57e2ff13f12405" + hash3 = "682e49efa6d2549147a21993d64291bfa40d815a" + hash4 = "a8551397e1f1a2c0148e6eadcb56fa35ee6009ca" + hash5 = "f5b3e98c6b5d65807da66d50bd5730d35692174d" + score = 60 + id = "8a9df742-82c1-56bb-ab70-6384403f70b5" + strings: + $s0 = "coreshell.dll" fullword ascii /* PEStudio Blacklist: strings */ + $s1 = "Applicate" fullword ascii + condition: + uint16(0) == 0x5a4d and filesize < 550KB and all of them +} + +rule APT28_SourFace_Malware3 { + meta: + description = "Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server." + author = "Florian Roth (Nextron Systems)" + reference = "https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html" + date = "2015-06-01" + super_rule = 1 + hash0 = "85522190958c82589fa290c0835805f3d9a2f8d6" + hash1 = "d9c53adce8c35ec3b1e015ec8011078902e6800b" + hash2 = "367d40465fd1633c435b966fa9b289188aa444bc" + hash3 = "d87b310aa81ae6254fff27b7d57f76035f544073" + hash4 = "cf3220c867b81949d1ce2b36446642de7894c6dc" + hash5 = "ed48ef531d96e8c7360701da1c57e2ff13f12405" + hash6 = "682e49efa6d2549147a21993d64291bfa40d815a" + hash7 = "a8551397e1f1a2c0148e6eadcb56fa35ee6009ca" + hash8 = "f5b3e98c6b5d65807da66d50bd5730d35692174d" + hash9 = "e2450dffa675c61aa43077b25b12851a910eeeb6" + score = 60 + id = "b49843b9-3a54-5525-958e-ac545cc00bde" + strings: + $s0 = "coreshell.dll" fullword wide /* PEStudio Blacklist: strings */ + $s1 = "Core Shell Runtime Service" fullword wide /* PEStudio Blacklist: strings */ + condition: + uint16(0) == 0x5a4d and filesize < 550KB and all of 
them +} + + +import "pe" + +rule APT28_SkinnyBoy_Dropper: RUSSIA { + meta: + description = "Detects APT28 SkinnyBoy droppers" + author = "Cluster25" + date = "2021-05-24" + reference = "https://cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf" + hash1 = "12331809c3e03d84498f428a37a28cf6cbb1dafe98c36463593ad12898c588c9" + id = "ed0b2d2b-f820-57b5-9654-c24734d81996" + strings: + $ = "cmd /c DEL " ascii + /* $ = " \"" ascii */ /* slowing down scanning */ + $ = {8a 08 40 84 c9 75 f9} + $ = {0f b7 84 0d fc fe ff ff 66 31 84 0d fc fd ff ff} + condition: + (uint16(0) == 0x5A4D and all of them) +} + +rule APT28_SkinnyBoy_Launcher: RUSSIA { + meta: + description = "Detects APT28 SkinnyBoy launchers" + author = "Cluster25" + date = "2021-05-24" + reference = "https://cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf" + hash1 ="2a652721243f29e82bdf57b565208c59937bbb6af4ab51e7b6ba7ed270ea6bce" + id = "eaf4e8e5-cbec-5000-a2ff-31d1dac4c30f" + strings: + $sha = {F4 EB 56 52 AF 4B 48 EE 08 FF 9D 44 89 4B D5 66 24 61 2A 15 1D 58 14 F9 6D 97 + 13 2C 6D 07 6F 86} + $l1 = "CryptGetHashParam" ascii + $l2 = "CryptCreateHash" ascii + $l3 = "FindNextFile" ascii + $l4 = "PathAddBackslashW" ascii + $l5 = "PathRemoveFileSpecW" ascii + $h1 = {50 6A 00 6A 00 68 0C 80 00 00 FF ?? ?? ?? FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 6A 00 + 56 ?? ?? ?? ?? 50 FF ?? ?? ?? FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ??} + $h2 = {8B 01 3B 02 75 10 83 C1 04 83 C2 04 83 EE 04 73 EF} + condition: + uint16(0) == 0x5a4d and filesize < 100KB and ($sha or (all of ($l*) and all of ($h*))) +} + +rule APT28_SkinnyBoy_Implanter: RUSSIA { + meta: + description = "Detects APT28 SkinnyBoy implanter" + author = "Cluster25" + date = "2021-05-24" + reference = "https://cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf" + hash1 = "ae0bc3358fef0ca2a103e694aa556f55a3fed4e98ba57d16f5ae7ad4ad583698" + id = "c44faf95-a64c-58f4-97d4-2fe17aefc813" + strings: + $enc_string = {F3 0F 7E 05 ?? ?? ?? ?? 6? 
[5] 6A ?? 66 [6] 66 [7] F3 0F 7E 05 ?? ?? ?? ?? 8D + 85 [4] 6A ?? 50 66 [7] E8} + $heap_ops = {8B [1-5] 03 ?? 5? 5? 6A 08 FF [1-6] FF ?? ?? ?? ?? ?? [0-6] 8B ?? [0-6] 8?} + $xor_cycle = { 8A 8C ?? ?? ?? ?? ?? 30 8C ?? ?? ?? ?? ?? 42 3B D0 72 } + condition: + uint16(0) == 0x5a4d and pe.is_dll() and filesize < 100KB and $xor_cycle and $heap_ops and + $enc_string +} diff --git a/yara-Neo23x0/apt_apt28_drovorub.yar b/yara-Neo23x0/apt_apt28_drovorub.yar new file mode 100644 index 0000000..f61c5dc --- /dev/null +++ b/yara-Neo23x0/apt_apt28_drovorub.yar 
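Review bot: `APT28_SkinnyBoy_Dropper` is the only SkinnyBoy rule without a `filesize` bound, and two of its three required patterns are short opcode sequences (`{8a 08 40 84 c9 75 f9}` appears to be an ordinary byte-scanning loop, `mov cl,[eax]; inc eax; test cl,cl; jnz`), so specificity rests on `cmd /c DEL ` plus the XOR sequence while every PE is scanned in full. A bound like the sibling rules use, `(uint16(0) == 0x5A4D and filesize < 100KB and all of them)`, with the threshold confirmed against the hash1 sample, would keep the three rules consistent. Two smaller points: `import "pe"` sits mid-file after the SourFace rules, which YARA accepts but readers expect at the top, and `hash1 ="2a65...` in the Launcher rule is missing the space after `=`.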
@@ -0,0 +1,115 @@ + rule APT_APT28_generic_poco_openssl { + meta: + description = "Rule to detect statically linked POCO and OpenSSL libraries (COULD be Drovorub related and should be further investigated)" + author = "NSA / FBI" + reference = "https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/" + date = "2020-08-13" + score = 50 + strings: + $mw1 = { 89 F1 48 89 FE 48 89 D7 48 F7 C6 FF FF FF FF 0F 84 6B 02 00 00 48 F7 C7 + FF FF FF FF 0F 84 5E 02 00 00 48 8D 2D } + + $mw2 = { 41 54 49 89 D4 55 53 F6 47 19 04 48 8B 2E 75 08 31 DB F6 45 00 03 75 } + $mw3 = { 85C0BA15000000750989D05BC30F1F44 0000BE } + + $mw4 = { 53 8A 47 08 3C 06 74 21 84 C0 74 1D 3C 07 74 20 B9 ?? ?? ?? ?? BA FD 03 + 00 00 BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 E8 06 3C 01 77 2B 48 8B 1F 48 8B 73 + 10 48 89 DF E8 ?? ?? ?? ?? 48 8D 43 08 48 C7 43 10 00 00 00 00 48 C7 43 28 00 00 00 00 48 + 89 43 18 48 89 43 20 5B C3 } + condition: + all of them +} + +rule APT_APT28_drovorub_library_and_unique_strings { + meta: + description = "Rule to detect Drovorub-server, Drovorub-agent, and Drovorub-client" + author = "NSA / FBI" + reference = "https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/" + date = "2020-08-13" + score = 75 + id = "8e010356-09c7-5897-9cbe-051cd0800502" + strings: + $s1 = "Poco" ascii wide + $s2 = "Json" ascii wide + $s3 = "OpenSSL" ascii wide + + $a1 = "clientid" ascii wide + $a2 = "-----BEGIN" ascii wide + $a3 = "-----END" ascii wide + $a4 = "tunnel" ascii wide + condition: + (filesize > 1MB and filesize < 10MB and (uint32(0) == 0x464c457f)) and (#s1 > 20 and #s2 > 15 and #s3 > 15 and all of ($a*)) +} + +rule APT_APT28_drovorub_unique_network_comms_strings { + meta: + description = "Rule to detect Drovorub-server, Drovorub-agent, or Drovorub-client based" + author = "NSA / FBI" + reference = 
"https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/" + date = "2020-08-13" + score = 75 + id = "c6a930e8-c1c0-5d96-9051-7516df848b45" + strings: + $s_01 = "action" wide ascii + $s_02 = "auth.commit" wide ascii + $s_03 = "auth.hello" wide ascii + $s_04 = "auth.login" wide ascii + $s_05 = "auth.pending" wide ascii + $s_06 = "client_id" wide ascii + $s_07 = "client_login" wide ascii + $s_08 = "client_pass" wide ascii + $s_09 = "clientid" wide ascii + $s_10 = "clientkey_base64" wide ascii + $s_11 = "file_list_request" wide ascii + $s_12 = "module_list_request" wide ascii + $s_13 = "monitor" wide ascii + $s_14 = "net_list_request" wide ascii + $s_15 = "server finished" wide ascii + $s_16 = "serverid" wide ascii + $s_17 = "tunnel" wide ascii + condition: + all of them +} +/* FPs +48505c956c005576b1292495102a5a4d37a830dc936ce85204d2783e13082c1f + +rule APT_APT28_drovorub_kernel_module_unique_strings { + meta: + description = "Rule detects the Drovorub-kernel module based on unique strings" + author = "NSA / FBI" + reference = "https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/" + date = "2020-08-13" + score = 75 + strings: + $s_01 = "/proc" wide ascii + $s_02 = "/proc/net/packet" wide ascii + $s_03 = "/proc/net/raw" wide ascii + $s_04 = "/proc/net/tcp" wide ascii + $s_05 = "/proc/net/tcp6" wide ascii + $s_06 = "/proc/net/udp" wide ascii + $s_07 = "/proc/net/udp6" wide ascii + $s_08 = "cs02" wide ascii + $s_09 = "do_fork" wide ascii + $s_10 = "es01" wide ascii + $s_11 = "g001" wide ascii + $s_12 = "g002" wide ascii + $s_13 = "i001" wide ascii + $s_14 = "i002" wide ascii + $s_15 = "i003" wide ascii + $s_16 = "i004" wide ascii + $s_17 = "module" wide ascii + $s_18 = "sc!^2a" wide ascii + $s_19 = "sysfs" wide ascii + $s_20 = "tr01" wide ascii + $s_21 = "tr02" wide ascii + $s_22 = "tr03" wide ascii 
+ $s_23 = "tr04" wide ascii + $s_24 = "tr05" wide ascii + $s_25 = "tr06" wide ascii + $s_26 = "tr07" wide ascii + $s_27 = "tr08" wide ascii + $s_28 = "tr09" wide ascii + condition: + all of them +} +*/ \ No newline at end of file diff --git a/yara-Neo23x0/apt_apt29_grizzly_steppe.yar b/yara-Neo23x0/apt_apt29_grizzly_steppe.yar new file mode 100644 index 0000000..fefbf6c --- /dev/null +++ b/yara-Neo23x0/apt_apt29_grizzly_steppe.yar 
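Review bot: `APT_APT28_generic_poco_openssl` is the only rule here with no `id` meta and no file-type or size guard: its condition is a bare `all of them` over four opcode sequences, whereas the sibling library rule gates on `uint32(0) == 0x464c457f` and a `filesize > 1MB and filesize < 10MB` window. Given the description itself says a hit only "COULD" be Drovorub related, adding an `id` and, if the rule is meant for Linux binaries like its siblings, the same ELF magic check would bring it in line. `$mw3` is written without byte separators (`85C0BA15000000750989D05BC30F1F44 0000BE`), unlike `$mw1`/`$mw2`/`$mw4`, and the first line carries a stray space before `rule`; both are worth normalising.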
@@ -0,0 +1,311 @@ +/* + Yara Rule Set + Author: Florian Roth + Date: 2016-12-29 + Identifier: GRIZZLY STEPPE +*/ + +/* Rule Set ----------------------------------------------------------------- */ + +rule GRIZZLY_STEPPE_Malware_1 { + meta: + description = "Auto-generated rule - file HRDG022184_certclint.dll" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "https://goo.gl/WVflzO" + date = "2016-12-29" + hash1 = "9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5" + id = "7239a5f3-9c29-57d7-be95-946d14039353" + strings: + $s1 = "S:\\Lidstone\\renewing\\HA\\disable\\In.pdb" fullword ascii + $s2 = "Repeat last find command)Replace specific text with different text" fullword wide + $s3 = "l\\Processor(0)\\% Processor Time" fullword wide + $s6 = "Self Process" fullword wide + $s7 = "Default Process" fullword wide + $s8 = "Star Polk.exe" fullword wide + condition: + ( uint16(0) == 0x5a4d and filesize < 300KB and 4 of them ) +} + +rule GRIZZLY_STEPPE_Malware_2 { + meta: + description = "Auto-generated rule" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "https://goo.gl/WVflzO" + date = "2016-12-29" + hash1 = "9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0" + hash2 = "55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641" + id = "37cfba67-af85-5efe-9b07-9f1e5d9f9195" + strings: + $x1 = "GoogleCrashReport.dll" fullword ascii + + $s1 = "CrashErrors" fullword ascii + $s2 = "CrashSend" fullword ascii + $s3 = "CrashAddData" fullword ascii + $s4 = "CrashCleanup" fullword ascii + $s5 = "CrashInit" fullword ascii + condition: + ( uint16(0) == 0x5a4d and filesize < 1000KB and $x1 ) or ( all of them ) +} + +rule PAS_TOOL_PHP_WEB_KIT_mod { + meta: + description = "Detects PAS Tool PHP Web Kit" + reference = 
"https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity" + author = "US CERT - modified by Florian Roth due to performance reasons" + date = "2016/12/29" + id = "6bc75e44-7784-5e48-9bbc-052d84ebee83" + strings: + $php = " 10KB and filesize < 30KB) and + #cookie == 2 and + #isset == 3 and + all of them +} + +rule WebShell_PHP_Web_Kit_v3 { + meta: + description = "Detects PAS Tool PHP Web Kit" + reference = "https://github.com/wordfence/grizzly" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + date = "2016/01/01" + id = "dc5fa2c9-3e1e-594d-be4f-141e1f4915f1" + strings: + $php = " 8KB and filesize < 100KB and + all of ($s*) +} + +rule WebShell_PHP_Web_Kit_v4 { + meta: + description = "Detects PAS Tool PHP Web Kit" + reference = "https://github.com/wordfence/grizzly" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + date = "2016/01/01" + id = "a5f915cd-b9c5-5cd3-b0a2-c15f6124737a" + strings: + $php = " 8KB and filesize < 100KB and + 2 of ($s*) +} + + + +rule APT_APT29_wellmess_dotnet_unique_strings { + meta: + description = "Rule to detect WellMess .NET samples based on unique strings and function/variable names" + author = "NCSC" + reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development" + hash = "2285a264ffab59ab5a1eb4e2b9bcab9baf26750b6c551ee3094af56a4442ac41" + id = "7a058ec7-f795-5226-b511-ff469a969ee6" + strings: + $s1 = "HealthInterval" wide + $s2 = "Hello from Proxy" wide + $s3 = "Start bot:" wide + $s4 = "FromNormalToBase64" ascii + $s5 = "FromBase64ToNormal" ascii + $s6 = "WellMess" ascii + condition: + uint16(0) == 0x5a4d and uint16(uint16(0x3c)) == 0x4550 and 3 of them +} + +rule APT_APT29_sorefang_encryption_key_schedule { + meta: + description = "Rule to detect SoreFang based on the 
key schedule used for encryption" + author = "NCSC" + reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development" + hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2" + id = "8d89edc1-a9fc-5155-9dc2-8d7f952f90d1" + strings: + $ = { C7 05 ?? ?? ?? ?? 63 51 E1 B7 B8 ?? ?? ?? ?? 8B 48 + FC 81 E9 47 86 C8 61 89 08 83 C0 04 3D ?? ?? ?? ?? + 7E EB 33 D2 33 C9 B8 2C 00 00 00 89 55 D4 33 F6 89 + 4D D8 33 DB 3B F8 0F 4F C7 8D 04 40 89 45 D0 83 F8 + 01 7C 4F 0F 1F 80 00 00 00 00 } + condition: + (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them +} + +rule APT_APT29_sorefang_encryption_key_2b62 { + meta: + description = "Rule to detect SoreFang based on hardcoded encryption key" + author = "NCSC" + reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development" + hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2" + id = "9a7abad7-1cfa-52c8-9416-47cb80486714" + strings: + $ = "2b6233eb3e872ff78988f4a8f3f6a3ba" + condition: + ( uint16(0) == 0x5A4D and uint16(uint32(0x3c) ) == 0x4550) + and any of them +} + +rule APT_APT29_sorefang_directory_enumeration_output_strings { + meta: + description = "Rule to detect SoreFang based on formatted string output for directory enumeration" + author = "NCSC" + reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development" + hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2" + id = "e24dbda1-3d43-52a7-9249-70a648f4913e" + strings: + $ = "----------All usres directory----------" + $ = "----------Desktop directory----------" + $ = "----------Documents directory----------" + condition: + (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) + and 2 of them +} + +rule APT_APT29_sorefang_command_elem_cookie_ga_boundary_string { + meta: + description = "Rule to detect SoreFang based on scheduled task element and Cookie header/boundary strings" + author = 
"NCSC" + reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development" + hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2" + id = "3c6ffbad-9b39-5518-aa66-d76531ddb9ea" + strings: + $ = "" wide + $ = "Cookie:_ga=" + $ = "------974767299852498929531610575" + condition: + (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) + and 2 of them +} + +rule APT_APT29_sorefang_encryption_round_function { + meta: + description = "Rule to detect SoreFang based on the encryption round function" + author = "NCSC" + reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development" + hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2" + id = "0be1c084-c8df-5920-a320-90364a7fb542" + strings: + $ = { 8A E9 8A FB 8A 5D 0F 02 C9 88 45 0F FE C1 0F BE C5 88 6D F3 8D + 14 45 01 00 00 00 0F AF D0 0F BE C5 0F BE C9 0F AF C8 C1 FA 1B C0 E1 05 0A D1 8B 4D EC 0F BE C1 89 55 E4 8D 14 45 01 00 00 00 0F AF D0 8B C1} + condition: + (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) + and any of them +} + +rule APT_APT29_sorefang_add_random_commas_spaces { + meta: + description = "Rule to detect SoreFang based on function that adds commas and spaces" + author = "NCSC" + reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development" + hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2" + id = "9a89c619-6309-500f-b4dc-c8a3e8fc4417" + strings: + $ = { E8 ?? ?? ?? ?? B9 06 00 00 00 99 F7 F9 8B CE 83 FA 04 7E 09 6A + 02 68 ?? ?? ?? ?? 
EB 07 6A 01 68 } + condition: + (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) + and any of them +} + +rule APT_APT29_sorefang_modify_alphabet_custom_encode { + meta: + description = "Rule to detect SoreFang based on arguments passed into custom encoding algorithm function" + author = "NCSC" + reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development" + hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2" + id = "7c5c1be0-ccad-5c8f-a026-445994b1f279" + strings: + $ = { 33 C0 8B CE 6A 36 6A 71 66 89 46 60 88 46 62 89 46 68 66 89 46 + 64 } + condition: + (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them +} + +rule APT_APT29_sorefang_custom_encode_decode { + meta: + description = "Rule to detect SoreFang based on the custom encoding/decoding algorithm function" + author = "NCSC" + reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development" + hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2" + id = "4885a659-bb3a-5e33-99cc-b827931bf58f" + strings: + $ = { 55 8B EC 8B D1 53 56 8B 75 08 8B DE 80 42 62 FA 8A 4A 62 66 D3 + EB 57 3A 5A 5C 74 0F} + $ = { 3A 5A 5D 74 0A 3A 5A 58 74 05 3A 5A 59 75 05 FE C1 88 4A 62 8A + 4A 62 B8 01 00 00 00} + $ = { 8A 46 62 84 C0 74 3E 3C 06 73 12 0F B6 C0 B9 06 00 00 00 2B C8 + C6 46 62 06 66 D3 66 60 0F B7 4E 60} + $ = { 80 3C 38 0D 0F 84 93 01 00 00 C6 42 62 06 8B 56 14 83 FA 10 72 + 04 8B 06} + $ = { 0F BE 0C 38 8B 45 EC 0F B6 40 5B 3B C8 75 07 8B 55 EC B3 3E} + $ = { 0F BE 0C 38 8B 45 EC 0F B6 40 5E 3B C8 75 0B 8B 55 EC D0 EB C6 + 42 62 05} + $ = { 8B 55 EC 0F BE 04 38 0F B6 DB 0F B6 4A 5F 3B C1 B8 3F 00 00 00 + 0F 44 D8} + $ = { 8A 4A 62 66 8B 52 60 66 D3 E2 0F B6 C3 66 0B D0 8B 45 EC 66 89 + 50 60 8A 45 F3 02 C1 88 45 F3 3C 08 72 2E 04 F8 8A C8 88 45 F3 + 66 D3 EA 8B 4D 08 0F B6 C2 50 } + $ = { 3A 5A 5C 74 0F 3A 5A 5D 74 0A 3A 5A 58 74 05 3A 5A 59 75 05 FE + C1 88 4A 62 } + condition: + 
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) + and any of them +} + +rule APT_APT29_sorefang_remove_chars_comma_space_dot { + meta: + description = "Rule to detect SoreFang based on function that removes commas, spaces and dots" + author = "NCSC" + reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development" + hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2" + id = "c15779b0-6a5e-5345-94ad-95615b567f1f" + strings: + $ = {8A 18 80 FB 2C 74 03 88 19 41 42 40 3B D6 75 F0 8B 5D 08} + $ = {8A 18 80 FB 2E 74 03 88 19 41 42 40 3B D6 75 F0 8B 5D 08} + $ = {8A 18 80 FB 20 74 03 88 19 41 42 40 3B D6 75 F0 8B 5D 08} + condition: + (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them +} + +rule APT_APT29_sorefang_disk_enumeration_strings { + meta: + description = "Rule to detect SoreFang based on disk enumeration strings" + author = "NCSC" + reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development" + hash = "a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064" + id = "0ff01793-6fb7-5cff-b4e4-6709269ab0f0" + strings: + $ = "\x0D\x0AFree on disk: " + $ = "Total disk: " + $ = "Error in GetDiskFreeSpaceEx\x0D\x0A" + $ = "\x0D\x0AVolume label: " + $ = "Serial number: " + $ = "File system: " + $ = "Error in GetVolumeInformation\x0D\x0A" + $ = "I can not het information about this disk\x0D\x0A" + condition: + (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) + and all of them +} + diff --git a/yara-Neo23x0/apt_apt29_nobelium_apr22.yar b/yara-Neo23x0/apt_apt29_nobelium_apr22.yar new file mode 100644 index 0000000..16bcebd --- /dev/null +++ b/yara-Neo23x0/apt_apt29_nobelium_apr22.yar 
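Review bot: `APT_APT29_wellmess_dotnet_unique_strings` checks the PE signature with `uint16(uint16(0x3c)) == 0x4550`, while every SoreFang rule after it uses `uint16(uint32(0x3c))`; `e_lfanew` at offset 0x3c is a 4-byte field, so the 16-bit read only works while the PE header sits below 64 KiB and should become `uint16(uint32(0x3c)) == 0x4550` for correctness and consistency. Separately, the three PHP web-kit rules and `APT_APT29_sorefang_command_elem_cookie_ga_boundary_string` cannot be reviewed as rendered: `$php = " 10KB and filesize < 30KB) and` and `$ = "" wide` are not well-formed YARA string definitions, which looks like text lost in rendering (a `<` inside the literals being consumed as markup), so those rules should be checked in the committed file directly.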
@@ -0,0 +1,38 @@
+rule M_APT_Downloader_BEATDROP {
+ meta:
+ author = "Mandiant"
+ description = "Rule looking for BEATDROP malware"
+ reference = "https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns"
+ date = "2022-04-28"
+ score = 90
+ id = "5720870e-8989-59f2-998b-019084d091ce"
+ strings:
+ $ntdll1 = "ntdll" ascii fullword
+ $ntdll2 = "C:\\Windows\\System32\\ntdll.dll" ascii fullword nocase
+ $url1 = "api.trello.com" ascii
+ $url2 = "/members/me/boards?key=" ascii
+ $url3 = "/cards?key=" ascii
+ condition:
+ uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize < 1MB and all of them
+}
+
+rule M_APT_Downloader_BOOMMIC {
+ meta:
+ author = "Mandiant"
+ description = "Rule looking for BOOMMIC malware"
+ reference = "https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns"
+ date = "2022-04-28"
+ score = 75
+ id = "34ea08a6-5d6f-5cdd-a629-fa36313c98f7"
+ strings:
+ $loc_10001000 = { 55 8B EC 8D 45 0C 50 8B 4D 08 51 6A 02 FF 15 [4] 85 C0 74 09 B8 01 00 00 00 EB 04 EB 02 33 C0 5D C3 }
+ $loc_100012fd = {6A 00 8D 55 EC 52 8B 45 D4 50 6A 05 8B 4D E4 51 FF 15 }
+ $func1 = "GetComputerNameExA" ascii
+ $func2 = "HttpQueryInfoA" ascii
+ condition:
+ uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize < 1MB and
+ (
+ ($loc_10001000 and $func1) or
+ ($loc_100012fd and $func2)
+ )
+}
diff --git a/yara-Neo23x0/apt_apt29_nobelium_may21.yar b/yara-Neo23x0/apt_apt29_nobelium_may21.yar
new file mode 100644
index 0000000..b456d05
--- /dev/null
+++ b/yara-Neo23x0/apt_apt29_nobelium_may21.yar
@@ -0,0 +1,305 @@ +import "math" +import "pe" + +/* + YARA Rules by Volexity + Reference: https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/ +*/ + +rule APT_APT29_Win_FlipFlop_LDR : APT29 { + meta: + author = "threatintel@volexity.com" + date = "2021-05-25" + description = "A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to executing the resulting payload." + hash = "ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330" + reference = "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/" + id = "58696a6f-55a9-5212-9372-a539cc327e6b" + strings: + $s1 = "irnjadle" + $s2 = "BADCFEHGJILKNMPORQTSVUXWZY" + $s3 = "iMrcsofo taBesC yrtpgoarhpciP orived r1v0." + condition: + all of ($s*) +} + +rule APT_APT28_Win_FreshFire : APT29 { + meta: + author = "threatintel@volexity.com" + date = "2021-05-27" + description = "The FRESHFIRE malware family. The malware acts as a downloader, pulling down an encrypted snippet of code from a remote source, executing it, and deleting it from the remote server." 
+ hash = "ad67aaa50fd60d02f1378b4155f69cffa9591eaeb80523489a2355512cc30e8c" + reference = "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/" + id = "050b8e61-139a-5ff5-998a-7de67c9975bf" + strings: + $uniq1 = "UlswcXJJWhtHIHrVqWJJ" + $uniq2 = "gyibvmt\x00" + + $path1 = "root/time/%d/%s.json" + $path2 = "C:\\dell.sdr" + $path3 = "root/data/%d/%s.json" + condition: + ( + pe.number_of_exports == 1 and pe.exports("WaitPrompt") + ) or + any of ($uniq*) or + 2 of ($path*) +} + +/* + YARA Rules by Florian + Mostly based on MSTICs report + https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/ + Not shared publicly: rules for CobaltStrike loader samples, ISOs, specifc msiexec method found in some samples + only available in THOR and VALHALLA +*/ + +rule APT_APT29_NOBELIUM_JS_EnvyScout_May21_1 { + meta: + description = "Detects EnvyScout deobfuscator code as used by NOBELIUM group" + author = "Florian Roth (Nextron Systems)" + reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" + date = "2021-05-29" + id = "42739aad-a88a-545b-8256-1f727c79c4f8" + strings: + $x1 = "[i].charCodeAt(0) ^ 2);}" + condition: + filesize < 5000KB and 1 of them +} + +rule APT_APT29_NOBELIUM_JS_EnvyScout_May21_2 { + meta: + description = "Detects EnvyScout deobfuscator code as used by NOBELIUM group" + author = "Florian Roth (Nextron Systems)" + reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" + date = "2021-05-29" + id = "d5cf3365-fe24-533a-a678-b5b6d4d99997" + strings: + $s1 = "saveAs(blob, " ascii + $s2 = ".iso\");" ascii + $s3 = "application/x-cd-image" ascii + $s4 = ".indexOf(\"Win\")!=-1" ascii + condition: + filesize < 5000KB and all of them +} + +rule APT_APT29_NOBELIUM_LNK_NV_Link_May21_2 { + meta: + description = "Detects NV Link as used by 
NOBELIUM group" + author = "Florian Roth (Nextron Systems)" + reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" + date = "2021-05-29" + id = "52c2caf9-13df-5614-9c9e-afcd76ec77f9" + strings: + $s1 = "RegisterOCX BOOM" ascii wide + $s2 = "cmd.exe /c start BOOM.exe" ascii wide + condition: + filesize < 5000KB and 1 of them +} + +rule APT_APT29_NOBELIUM_LNK_Samples_May21_1 { + meta: + description = "Detects link file characteristics as described in APT29 NOBELIUM report" + author = "Florian Roth (Nextron Systems)" + reference = "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" + date = "2021-05-27" + score = 85 + hash1 = "24caf54e7c3fe308444093f7ac64d6d520c8f44ea4251e09e24931bdb72f5548" + id = "c807ab5a-f66a-5622-81b1-6e69b6df8446" + strings: + $a1 = "rundll32.exe" wide + + $sa1 = "IMGMountingService.dll" wide + $sa2 = "MountImgHelper" wide + + $sb1 = "diassvcs.dll" wide + $sb2 = "InitializeComponent" wide + + $sc1 = "MsDiskMountService.dll" wide + $sc2 = "DiskDriveIni" wide + + $sd1 = "GraphicalComponent.dll" wide + $sd2 = "VisualServiceComponent" wide + + $se1 = "data/mstu.dll,MicrosoftUpdateService" wide + condition: + uint16(0) == 0x004c and + filesize < 4KB and $a1 and + ( all of ($sa*) or all of ($sb*) or all of ($sc*) or all of ($sd*) or all of ($se*) ) +} + +rule APT_APT29_NOBELIUM_BoomBox_May21_1 { + meta: + description = "Detects BoomBox malware as described in APT29 NOBELIUM report" + author = "Florian Roth (Nextron Systems)" + reference = "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" + date = "2021-05-27" + score = 85 + id = "fe964f3e-1cda-5f16-838f-dd7b23cd5651" + strings: + $xa1 = "123do3y4r378o5t34onf7t3o573tfo73" ascii wide fullword + $xa2 = "1233t04p7jn3n4rg" ascii wide fullword + condition: + 1 of them +} + +rule APT_APT29_NOBELIUM_BoomBox_PDF_Masq_May21_1 { + meta: + 
description = "Detects PDF documents as used by BoomBox as described in APT29 NOBELIUM report" + author = "Florian Roth (Nextron Systems)" + reference = "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" + date = "2021-05-27" + score = 70 + id = "bdfb9600-edda-5c8c-ab23-14fb71c8e647" + strings: + $ah1 = { 25 50 44 46 2d 31 2e 33 0a 25 } /* PDF Header */ + $af1 = { 0a 25 25 45 4f 46 0a } /* EOF */ + + $fp1 = "endobj" ascii + $fp2 = "endstream" ascii + $fp3 = { 20 6F 62 6A 0A } /* obj\x0a */ + condition: + $ah1 at 0 and $af1 at (filesize-7) and filesize < 100KB + and not 1 of ($fp*) + and math.entropy(16,filesize) > 7 +} + +rule APT_APT29_NOBELIUM_NativeZone_Loader_May21_1 { + meta: + description = "Detects NativeZone loader as described in APT29 NOBELIUM report" + author = "Florian Roth (Nextron Systems)" + reference = "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" + date = "2021-05-27" + score = 85 + hash1 = "136f4083b67bc8dc999eb15bb83042aeb01791fc0b20b5683af6b4ddcf0bbc7d" + id = "02d9257d-f439-5071-96b0-a973b088e329" + strings: + $s1 = "\\SystemCertificates\\Lib\\CertPKIProvider.dll" ascii + $s2 = "rundll32.exe %s %s" ascii fullword + $s3 = "eglGetConfigs" ascii fullword + + $op1 = { 80 3d 74 8c 01 10 00 0f 85 96 00 00 00 33 c0 40 b9 6c 8c 01 10 87 01 33 db 89 5d fc } + $op2 = { 8b 46 18 e9 30 ff ff ff 90 87 2f 00 10 90 2f 00 10 } + $op3 = { e8 14 dd ff ff 8b f1 80 3d 74 8c 01 10 00 0f 85 96 00 00 00 33 c0 40 b9 6c 8c 01 10 87 01 } + condition: + uint16(0) == 0x5a4d and + filesize < 3000KB and 3 of them or 4 of them +} + +rule APT_APT29_NOBELIUM_BoomBox_May21_2 { + meta: + description = "Detects BoomBox malware used by APT29 / NOBELIUM" + author = "Florian Roth (Nextron Systems)" + reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" + date = "2021-05-29" + hash1 = 
"0acb884f2f4cfa75b726cb8290b20328c8ddbcd49f95a1d761b7d131b95bafec" + hash2 = "8199f309478e8ed3f03f75e7574a3e9bce09b4423bd7eb08bb5bff03af2b7c27" + hash3 = "cf1d992f776421f72eabc31d5afc2f2067ae856f1c9c1d6dc643a67cb9349d8c" + id = "a4144c00-48b2-5520-b773-5d0a5de95fb1" + strings: + $x1 = "\\Microsoft\\NativeCache\\NativeCacheSvc.dll" wide + $x2 = "\\NativeCacheSvc.dll _configNativeCache" wide + + $a1 = "/content.dropboxapi.com" wide fullword + + $s1 = "rundll32.exe {0} {1}" wide fullword + $s2 = "\\\\CertPKIProvider.dll" wide + $s3 = "/tmp/readme.pdf" wide + $s4 = "temp/[^\"]*)\"" wide fullword + + $op1 = { 00 78 00 2d 00 41 00 50 00 49 00 2d 00 41 00 72 00 67 00 01 2f 4f 00 72 00 } + $op2 = { 25 72 98 01 00 70 6f 34 00 00 0a 25 6f 35 00 00 0a 72 71 02 00 70 72 } + $op3 = { 4d 05 20 00 12 80 91 04 20 01 08 0e 04 20 00 12 } + condition: + uint16(0) == 0x5a4d and + filesize < 40KB and + 3 of them or 4 of them +} + +rule APT_APT29_NOBELIUM_Malware_May21_2 { + meta: + description = "Detects malware used by APT29 / NOBELIUM" + author = "Florian Roth (Nextron Systems)" + reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" + date = "2021-05-29" + hash1 = "292e5b0a12fea4ff3fc02e1f98b7a370f88152ce71fe62670dd2f5edfaab2ff8" + hash2 = "776014a63bf3cc7034bd5b6a9c36c75a930b59182fe232535bb7a305e539967b" + id = "b1462b4b-227f-5aeb-92ea-bda6a86831c7" + strings: + $op1 = { 48 03 c8 42 0f b6 04 21 88 03 0f b6 43 01 8b c8 83 e0 0f 48 83 e1 f0 48 03 c8 } + $op2 = { 48 03 c8 42 0f b6 04 21 88 43 01 41 0f b6 c7 8b c8 83 e0 0f 48 83 e1 f0 48 03 c8 } + $op3 = { 45 0f b6 43 ff 41 8b c2 99 44 88 03 41 0f b6 2b 83 e2 03 03 c2 40 88 6b 01 } + condition: + filesize < 2200KB and + all of them +} + +rule APT_APT29_NOBELIUM_Stageless_Loader_May21_2 { + meta: + description = "Detects stageless loader as used by APT29 / NOBELIUM" + author = "Florian Roth (Nextron Systems)" + reference = 
"https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
+ date = "2021-05-29"
+ hash1 = "a4f1f09a2b9bc87de90891da6c0fca28e2f88fd67034648060cef9862af9a3bf"
+ hash2 = "c4ff632696ec6e406388e1d42421b3cd3b5f79dcb2df67e2022d961d5f5a9e78"
+ id = "7b83d327-52fc-5401-ae35-00f6b825678a"
+ strings:
+ $x1 = "DLL_stageless.dll" ascii fullword
+
+ $s1 = "c:\\users\\devuser\\documents" ascii fullword nocase
+ $s2 = "VisualServiceComponent" ascii fullword
+ $s3 = "CheckUpdteFrameJavaCurrentVersion" ascii fullword
+
+ $op1 = { a3 d? 6? 04 10 ff d6 33 05 00 ?0 0? 10 68 d8 d4 00 10 57 a3 d? 6? 04 10 ff d6 33 05 00 ?0 0? 10 }
+ $op2 = { ff d6 33 05 00 ?0 0? 10 68 d8 d4 00 10 57 a3 d? 6? 04 10 ff d6 33 05 00 ?0 0? 10 68 e8 d4 00 10 }
+ condition:
+ uint16(0) == 0x5a4d and
+ filesize < 900KB and
+ 2 of them or 3 of them
+}
+
+rule APT_APT29_NOBELIUM_Malware_May21_3 {
+ meta:
+ description = "Detects malware used by APT29 / NOBELIUM"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
+ date = "2021-05-29"
+ hash1 = "2a352380d61e89c89f03f4008044241a38751284995d000c73acf9cad38b989e"
+ id = "89cb6884-4242-5b5a-b0ac-b31041dd261c"
+ strings:
+ $s1 = "Win32Project1.dll" ascii fullword
+
+ $op1 = { 59 c3 6a 08 68 70 5e 01 10 e8 d2 8c ff ff 8b 7d 08 8b c7 c1 f8 05 }
+ $op2 = { 8d 4d f0 e8 c4 12 00 00 68 64 5b 01 10 8d 45 f0 c7 45 f0 6c 01 01 10 50 e8 ea 13 00 00 cc }
+ $op4 = { 40 c3 8b 65 e8 e8 a6 86 ff ff cc 6a 0c 68 88 60 01 10 e8 b0 4d ff ff }
+
+ $xc1 = { 25 73 25 73 00 00 00 00 2F 65 2C 20 00 00 00 00
+ 43 00 3A 00 5C 00 77 00 69 00 6E 00 64 00 6F 00
+ 77 00 73 00 5C 00 65 00 78 00 70 00 6C 00 6F 00
+ 72 00 65 00 72 00 2E 00 65 00 78 00 65 }
+ condition:
+ filesize < 3000KB and
+ ( $xc1 or 3 of them )
+}
+
+rule APT_APT29_NOBELIUM_Malware_May21_4 {
+ meta:
+ description = "Detects malware used by APT29 / NOBELIUM"
+ author =
"Florian Roth (Nextron Systems)"
+ reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
+ date = "2021-05-29"
+ hash1 = "3b94cc71c325f9068105b9e7d5c9667b1de2bde85b7abc5b29ff649fd54715c4"
+ id = "56193475-52b4-5720-abc5-72249e2a0c37"
+ strings:
+ $s1 = "KM.FileSystem.dll" ascii fullword
+
+ $op1 = { 80 3d 50 6b 04 10 00 0f 85 96 00 00 00 33 c0 40 b9 48 6b 04 10 87 01 33 db 89 5d fc }
+ $op2 = { c3 33 c0 b9 7c 6f 04 10 40 87 01 c3 8b ff 55 }
+ $op3 = { 8d 4d f4 e8 53 ff ff ff 68 d0 22 01 10 8d 45 f4 50 e8 d8 05 00 00 cc 8b 41 04 }
+
+ $xc1 = { 2E 64 6C 6C 00 00 00 00 41 53 4B 4F 44 00 00 00
+ 53 75 63 63 65 73 73 }
+ condition:
+ uint16(0) == 0x5a4d and
+ filesize < 3000KB and
+ ( $xc1 or 3 of them )
+}
diff --git a/yara-Neo23x0/apt_apt30_backspace.yar b/yara-Neo23x0/apt_apt30_backspace.yar
new file mode 100644
index 0000000..94c27d3
--- /dev/null
+++ b/yara-Neo23x0/apt_apt30_backspace.yar
@@ -0,0 +1,1255 @@
+/*
+ Yara Rule to detect Backspace Malware mentioned in FireEye APT30 Report
+ https://www.fireeye.com/blog/threat-research/2015/04/apt_30_and_the_mecha.html
+
+ 13.04.2015
+ v1.0
+ please report back false positives via the 'issue' section of the LOKI github page
+*/
+
+rule APT30_Generic_H {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash1 = "2a4c8752f3e7fde0139421b8d5713b29c720685d"
+ hash2 = "4350e906d590dca5fcc90ed3215467524e0a4e3d"
+ id = "1908e985-9634-51dc-8972-53afa13c26a3"
+ strings:
+ $s0 = "\\Temp1020.txt" ascii
+ $s1 = "Xmd.Txe" fullword ascii
+ $s2 = "\\Internet Exp1orer" ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_2 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "0359ffbef6a752ee1a54447b26e272f4a5a35167"
+ id = "821a2de9-48c4-58d8-acc4-1e25025ab5cf"
+ strings:
+ $s0 = "ForZRLnkWordDlg.EXE" fullword wide
+ $s1 = "ForZRLnkWordDlg Microsoft " fullword wide
+ $s9 = "ForZRLnkWordDlg 1.0 " fullword wide
+ $s11 = "ForZRLnkWordDlg" fullword wide
+ $s12 = " (C) 2011" fullword wide
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_3 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash =
"d0320144e65c9af0052f8dee0419e8deed91b61b"
+ id = "62e81385-26f5-545d-92ff-6604ff4d0186"
+ strings:
+ $s5 = "Software\\Mic" ascii
+ $s6 = "HHOSTR" ascii
+ $s9 = "ThEugh" fullword ascii
+ $s10 = "Moziea/" ascii
+ $s12 = "%s%s(X-" ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Generic_C {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash1 = "8667f635fe089c5e2c666b3fe22eaf3ff8590a69"
+ hash2 = "0c4fcef3b583d0ffffc2b14b9297d3a4"
+ hash3 = "37aee58655f5859e60ece6b249107b87"
+ hash4 = "4154548e1f8e9e7eb39d48a4cd75bcd1"
+ hash5 = "a2e0203e665976a13cdffb4416917250"
+ hash6 = "b4ae0004094b37a40978ef06f311a75e"
+ hash7 = "e39756bc99ee1b05e5ee92a1cdd5faf4"
+ id = "25ec8d54-9875-5bf5-abc9-296f18f3c5e5"
+ strings:
+ $s0 = "MYUSER32.dll" fullword ascii
+ $s1 = "MYADVAPI32.dll" fullword ascii
+ $s2 = "MYWSOCK32.dll" fullword ascii
+ $s3 = "MYMSVCRT.dll" fullword ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_4 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "75367d8b506031df5923c2d8d7f1b9f643a123cd"
+ id = "e5c6afde-0ab5-54ed-8d18-5ad477a527d7"
+ strings:
+ $s0 = "GetStartupIn" ascii
+ $s1 = "enMutex" ascii
+ $s2 = "tpsvimi" ascii
+ $s3 = "reateProcesy" ascii
+ $s5 = "FreeLibr1y*S" ascii
+ $s6 = "foAModuleHand" ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_5 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license
= "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "1a2dd2a0555dc746333e7c956c58f7c4cdbabd4b"
+ id = "bdbebe44-7423-5793-8a42-4f9b70de2231"
+ strings:
+ $s0 = "Version 4.7.3001" fullword wide
+ $s1 = "Copyright (c) Microsoft Corporation 2004" fullword wide
+ $s3 = "Microsoft(R) is a registered trademark of Microsoft Corporation in the U" wide
+ $s7 = "msmsgs" fullword wide
+ $s10 = "----------------g_nAV=%d,hWnd:0x%X,className:%s,Title:%s,(%d,%d,%d,%d),BOOL=%d" fullword ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_6 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "00e69b059ad6b51b76bc476a115325449d10b4c0"
+ id = "2f19809c-09fc-51bf-9a20-6b95099a92dd"
+ strings:
+ $s0 = "GreateProcessA" fullword ascii
+ $s1 = "Ternel32.dll" fullword ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_7 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "868d1f4c106a08bd2e5af4f23139f0e0cd798fba"
+ id = "612732d9-8df5-5388-b299-2da4f8118435"
+ strings:
+ $s0 = "datain" fullword ascii
+ $s3 = "C:\\Prog" ascii
+ $s4 = "$LDDATA$" ascii
+ $s5 = "Maybe a Encrypted Flash" fullword ascii
+ $s6 = "Jean-loup Gailly" ascii
+ $s8 = "deflate 1.1.3 Copyright" ascii
+ condition:
+ filesize < 100KB and
uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Generic_E {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash1 = "1dbb584e19499e26398fb0a7aa2a01b7"
+ hash2 = "572c9cd4388699347c0b2edb7c6f5e25"
+ hash3 = "8ff473bedbcc77df2c49a91167b1abeb"
+ hash4 = "a813eba27b2166620bd75029cc1f04b0"
+ hash5 = "b5546842e08950bc17a438d785b5a019"
+ id = "69e76a59-3529-541d-9017-07e6d67fbda4"
+ strings:
+ $s0 = "Nkfvtyvn}" ascii
+ $s6 = "----------------g_nAV=%d,hWnd:0x%X,className:%s,Title:%s,(%d,%d,%d,%d),BOOL=%d" fullword ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_8 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "9531e21652143b8b129ab8c023dc05fef2a17cc3"
+ id = "5053c2db-32a9-58ae-9a72-eb16ef14168e"
+ strings:
+ $s0 = "ateProcessA" ascii
+ $s1 = "Ternel32.dllFQ" fullword ascii
+ $s2 = "StartupInfoAModuleHand" fullword ascii
+ $s3 = "OpenMutex" fullword ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Generic_B {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash1 = "0fcb4ffe2eb391421ec876286c9ddb6c"
+ hash2 = "29395c528693b69233c1c12bef8a64b3"
+ hash3 = "4c6b21e98ca03e0ef0910e07cef45dac"
+ hash4 =
"550459b31d8dabaad1923565b7e50242"
+ hash5 = "65232a8d555d7c4f7bc0d7c5da08c593"
+ hash6 = "853a20f5fc6d16202828df132c41a061"
+ hash7 = "ed151602dea80f39173c2f7b1dd58e06"
+ id = "df3b8896-7229-5b3b-ad2f-774b0cea167c"
+ strings:
+ $s2 = "Moziea/4.0" ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Generic_I {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash1 = "fe211c7a081c1dac46e3935f7c614549"
+ hash2 = "8c9db773d387bf9b3f2b6a532e4c937c"
+ id = "55046e1a-731a-5418-9a7a-4fe1611c77d0"
+ strings:
+ $s0 = "Copyright 2012 Google Inc. All rights reserved." fullword wide
+ $s1 = "(Prxy%c-%s:%u)" fullword ascii
+ $s2 = "Google Inc." fullword wide
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_9 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "442bf8690401a2087a340ce4a48151c39101652f"
+ id = "bf24bb57-aff9-579c-b8a2-265a6d2a06d0"
+ strings:
+ $s0 = "\\Windo" ascii
+ $s2 = "oHHOSTR" ascii
+ $s3 = "Softwa]\\Mic" ascii
+ $s4 = "Startup'T" ascii
+ $s6 = "Ora\\%^" ascii
+ $s7 = "\\Ohttp=r" ascii
+ $s17 = "help32Snapshot0L" ascii
+ $s18 = "TimUmoveH" ascii
+ $s20 = "WideChc[lobalAl" ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+rule APT30_Sample_10 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "eb518cda3c4f4e6938aaaee07f1f7db8ee91c901"
+ id = "e5dd6bc9-9383-5d48-92df-709996373655"
+ strings:
+ $s0 = "Version 4.7.3001" fullword wide
+ $s1 = "Copyright (c) Microsoft Corporation 2004" fullword wide
+ $s2 = "Microsoft(R) is a registered trademark of Microsoft Corporation in the U" wide
+ $s3 = "!! Use Connect Method !!" fullword ascii
+ $s4 = "(Prxy%c-%s:%u)" fullword ascii
+ $s5 = "msmsgs" fullword wide
+ $s18 = "(Prxy-No)" fullword ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_11 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "59066d5d1ee3ad918111ed6fcaf8513537ff49a6"
+ id = "e5dd6bc9-9383-5d48-92df-709996373655"
+ strings:
+ $s0 = "System\\CurrentControlSet\\control\\ComputerName\\ComputerName" fullword ascii
+ $s1 = "msofscan.exe" fullword wide
+ $s2 = "Mozilla/4.0 (compatible; MSIE 5.0; Win32)" fullword ascii
+ $s3 = "Microsoft? is a registered trademark of Microsoft Corporation."
fullword wide
+ $s4 = "Windows XP Professional x64 Edition or Windows Server 2003" fullword ascii
+ $s9 = "NetEagle_Scout - " fullword ascii
+ $s10 = "Server 4.0, Enterprise Edition" fullword ascii
+ $s11 = "Windows 3.1(Win32s)" fullword ascii
+ $s12 = "%s%s%s %s" fullword ascii
+ $s13 = "Server 4.0" fullword ascii
+ $s15 = "Windows Millennium Edition" fullword ascii
+ $s16 = "msofscan" fullword wide
+ $s17 = "Eagle-Norton360-OfficeScan" fullword ascii
+ $s18 = "Workstation 4.0" fullword ascii
+ $s19 = "2003 Microsoft Office system" fullword wide
+ condition:
+ filesize < 250KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_12 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "b02b5720ff0f73f01eb2ba029a58b645c987c4bc"
+ id = "e5dd6bc9-9383-5d48-92df-709996373655"
+ strings:
+ $s0 = "Richic" fullword ascii
+ $s1 = "Accept: image/gif, */*" fullword ascii
+ $s2 = "----------------g_nAV=%d,hWnd:0x%X,className:%s,Title:%s,(%d,%d,%d,%d),BOOL=%d" fullword ascii
+ condition:
+ filesize < 250KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_13 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "a359f705a833c4a4254443b87645fd579aa94bcf"
+ id = "e5dd6bc9-9383-5d48-92df-709996373655"
+ strings:
+ $s0 = "msofscan.exe" fullword wide
+ $s1 = "Microsoft? is a registered trademark of Microsoft Corporation." fullword wide
+ $s2 = "Microsoft Office Word Plugin Scan" fullword wide
+ $s3 = "? 2006 Microsoft Corporation. All rights reserved."
fullword wide
+ $s4 = "msofscan" fullword wide
+ $s6 = "2003 Microsoft Office system" fullword wide
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_14 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "b0740175d20eab79a5d62cdbe0ee1a89212a8472"
+ id = "e5dd6bc9-9383-5d48-92df-709996373655"
+ strings:
+ $s0 = "AdobeReader.exe" fullword wide
+ $s4 = "10.1.7.27" fullword wide
+ $s5 = "Copyright 1984-2012 Adobe Systems Incorporated and its licensors. All ri" wide
+ $s8 = "Adobe Reader" fullword wide
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_15 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "7a8576804a2bbe4e5d05d1718f90b6a4332df027"
+ id = "e5dd6bc9-9383-5d48-92df-709996373655"
+ strings:
+ $s0 = "\\Windo" ascii
+ $s2 = "HHOSTR" ascii
+ $s3 = "Softwa]\\Mic" ascii
+ $s4 = "Startup'T" fullword ascii
+ $s17 = "help32Snapshot0L" fullword ascii
+ $s18 = "TimUmoveH" ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_16 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "066d06ac08b48d3382d46bbeda6ad411b6d6130e"
+ id = "e5dd6bc9-9383-5d48-92df-709996373655"
+ strings:
+
$s0 = "\\Temp1020.txt" ascii
+ $s1 = "cmcbqyjs" fullword ascii
+ $s2 = "SPVSWh\\" fullword ascii
+ $s4 = "PSShxw@" fullword ascii
+ $s5 = "VWhHw@" fullword ascii
+ $s7 = "SVWhHw@" fullword ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Generic_A {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash1 = "9f49aa1090fa478b9857e15695be4a89f8f3e594"
+ hash2 = "396116cfb51cee090822913942f6ccf81856c2fb"
+ hash3 = "fef9c3b4b35c226501f7d60816bb00331a904d5b"
+ hash4 = "7c9a13f1fdd6452fb6d62067f958bfc5fec1d24e"
+ hash5 = "5257ba027abe3a2cf397bfcae87b13ab9c1e9019"
+ id = "6b851d94-d3bd-5c76-8fd0-adb42b3fab73"
+ strings:
+ $s5 = "WPVWhhiA" fullword ascii
+ $s6 = "VPWVhhiA" fullword ascii
+ $s11 = "VPhhiA" fullword ascii
+ $s12 = "uUhXiA" fullword ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_17 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "c3aa52ff1d19e8fc6704777caf7c5bd120056845"
+ id = "e5dd6bc9-9383-5d48-92df-709996373655"
+ strings:
+ $s1 = "Nkfvtyvn}]ty}ztU" fullword ascii
+ $s4 = "IEXPL0RE" fullword ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+rule APT30_Sample_18 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "355436a16d7a2eba8a284b63bb252a8bb1644751"
+ id = "e5dd6bc9-9383-5d48-92df-709996373655"
+ strings:
+ $s0 = "w.km-nyc.com" fullword ascii
+ $s1 = "tscv.exe" fullword ascii
+ $s2 = "Exit/app.htm" ascii
+ $s3 = "UBD:\\D" ascii
+ $s4 = "LastError" ascii
+ $s5 = "MicrosoftHaveAck" ascii
+ $s7 = "HHOSTR" ascii
+ $s20 = "XPL0RE." ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Generic_G {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "1612b392d6145bfb0c43f8a48d78c75f"
+ hash = "53f1358cbc298da96ec56e9a08851b4b"
+ hash = "c2acc9fc9b0f050ec2103d3ba9cb11c0"
+ hash = "f18be055fae2490221c926e2ad55ab11"
+ id = "34269de3-4559-58a5-a621-0ad72857dc9e"
+ strings:
+ $s0 = "%s\\%s\\%s=%s" fullword ascii
+ $s1 = "Copy File %s OK!"
fullword ascii
+ $s2 = "%s Space:%uM,FreeSpace:%uM" fullword ascii
+ $s4 = "open=%s" fullword ascii
+ $s5 = "Maybe a Encrypted Flash Disk" fullword ascii
+ $s12 = "%04u-%02u-%02u %02u:%02u:%02u" fullword ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_19 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/03"
+ modified = "2023-01-06"
+ score = 75
+ hash = "cfa438449715b61bffa20130df8af778ef011e15"
+ id = "e5dd6bc9-9383-5d48-92df-709996373655"
+ strings:
+ $s0 = "C:\\Program Files\\Common Files\\System\\wab32" fullword ascii
+ $s1 = "%s,Volume:%s,Type:%s,TotalSize:%uMB,FreeSize:%uMB" fullword ascii
+ $s2 = "\\TEMP\\" ascii
+ $s3 = "\\Temporary Internet Files\\" ascii
+ $s5 = "%s TotalSize:%u Bytes" fullword ascii
+ $s6 = "This Disk Maybe a Encrypted Flash Disk!" fullword ascii
+ $s7 = "User:%-32s" fullword ascii
+ $s8 = "\\Desktop\\" ascii
+ $s9 = "%s.%u_%u" fullword ascii
+ $s10 = "Nick:%-32s" fullword ascii
+ $s11 = "E-mail:%-32s" fullword ascii
+ $s13 = "%04u-%02u-%02u %02u:%02u:%02u" fullword ascii
+ $s14 = "Type:%-8s" fullword ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and 8 of them
+}
+
+rule APT30_Generic_E_v2 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "eca53a9f6251ddf438508b28d8a483f91b99a3fd"
+ id = "40897687-fb17-568e-9907-e9588a53bbe0"
+ strings:
+ $s0 = "Nkfvtyvn}duf_Z}{Ys" fullword ascii
+ $s1 = "Nkfvtyvn}*Zrswru1i" fullword ascii
+ $s2 = "Nkfvtyvn}duf_Z}{V" fullword ascii
+ $s3 = "Nkfvtyvn}*ZrswrumT\\b" fullword ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of
them
+}
+
+rule APT30_Sample_20 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "b1c37632e604a5d1f430c9351f87eb9e8ea911c0"
+ id = "91246101-246b-5da9-9e55-7f361d1f6437"
+ strings:
+ $s0 = "dizhi.gif" fullword ascii
+ $s2 = "Mozilla/u" ascii
+ $s3 = "XicrosoftHaveAck" ascii
+ $s4 = "flyeagles" ascii
+ $s10 = "iexplore." ascii
+ $s13 = "WindowsGV" fullword ascii
+ $s16 = "CatePipe" fullword ascii
+ $s17 = "'QWERTY:/webpage3" fullword ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_21 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "d315daa61126616a79a8582145777d8a1565c615"
+ id = "72005b40-91f7-5661-9478-8680f999b245"
+ strings:
+ $s0 = "Service.dll" fullword ascii
+ $s1 = "(%s:%s %s)" fullword ascii
+ $s2 = "%s \"%s\",%s %s" fullword ascii
+ $s5 = "Proxy-%s:%u" fullword ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_22 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "0d17a58c24753e5f8fd5276f62c8c7394d8e1481"
+ id = "6c1b3dd2-4383-51a2-9185-2365a4d1e784"
+ strings:
+ $s1 = "(\\TEMP" fullword ascii
+ $s2 = "Windows\\Cur" fullword ascii
+ $s3 = "LSSAS.exeJ" fullword ascii
+ $s4 = "QC:\\WINDOWS" fullword
ascii
+ $s5 = "System Volume" fullword ascii
+ $s8 = "PROGRAM FILE" fullword ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Generic_F {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash1 = "09010917cd00dc8ddd21aeb066877aa2"
+ hash2 = "4c10a1efed25b828e4785d9526507fbc"
+ hash3 = "b7b282c9e3eca888cbdb5a856e07e8bd"
+ hash4 = "df1799845b51300b03072c6569ab96d5"
+ id = "cff8b921-9afc-5a52-84cb-825de33fc86e"
+ strings:
+ $s0 = "\\~zlzl.exe" ascii
+ $s2 = "\\Internet Exp1orer" ascii
+ $s3 = "NodAndKabIsExcellent" fullword ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_23 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "9865e24aadb4480bd3c182e50e0e53316546fc01"
+ id = "9366dd34-9967-5b40-935e-4b0d8f2f5e9e"
+ strings:
+ $s0 = "hostid" ascii
+ $s1 = "\\Window" ascii
+ $s2 = "%u:%u%s" fullword ascii
+ $s5 = "S2tware\\Mic" ascii
+ $s6 = "la/4.0 (compa" ascii
+ $s7 = "NameACKernel" fullword ascii
+ $s12 = "ToWideChc[lo" fullword ascii
+ $s14 = "help32SnapshotfL" ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_24 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash =
"572caa09f2b600daa941c60db1fc410bef8d1771"
+ id = "aed2201d-b557-56ec-aa53-fff5b1e17dbd"
+ strings:
+ $s1 = "dizhi.gif" fullword ascii
+ $s3 = "Mozilla/4.0" fullword ascii
+ $s4 = "lyeagles" fullword ascii
+ $s6 = "HHOSTR" ascii
+ $s7 = "#MicrosoftHaveAck7" ascii
+ $s8 = "iexplore." fullword ascii
+ $s17 = "ModuleH" fullword ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_25 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "44a21c8b3147fabc668fee968b62783aa9d90351"
+ id = "8b2f2ba2-e9cc-5b3c-8af9-4217d662bc3f"
+ strings:
+ $s1 = "C:\\WINDOWS" fullword ascii
+ $s2 = "aragua" fullword ascii
+ $s4 = "\\driver32\\7$" ascii
+ $s8 = "System V" fullword ascii
+ $s9 = "Compu~r" fullword ascii
+ $s10 = "PROGRAM L" fullword ascii
+ $s18 = "GPRTMAX" fullword ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_26 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "e26588113417bf68cb0c479638c9cd99a48e846d"
+ id = "aa80a142-c8fc-504e-b475-e9838607bec6"
+ strings:
+ $s1 = "forcegue" fullword ascii
+ $s3 = "Windows\\Cur" fullword ascii
+ $s4 = "System Id" fullword ascii
+ $s5 = "Software\\Mic" fullword ascii
+ $s6 = "utiBy0ToWideCh&$a" fullword ascii
+ $s10 = "ModuleH" fullword ascii
+ $s15 = "PeekNamed6G" fullword ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Generic_D {
+ meta:
+ description = "FireEye APT30 Report Sample"
+
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash1 = "35dfb55f419f476a54241f46e624a1a4"
+ hash2 = "4fffcbdd4804f6952e0daf2d67507946"
+ hash3 = "597805832d45d522c4882f21db800ecf"
+ hash4 = "6bd422d56e85024e67cc12207e330984"
+ hash5 = "82e13f3031130bd9d567c46a9c71ef2b"
+ hash6 = "b79d87ff6de654130da95c73f66c15fa"
+ id = "9b8d8a60-a357-5cfd-8ff1-6264144ad7be"
+ strings:
+ $s0 = "Windows Security Service Feedback" fullword wide
+ $s1 = "wssfmgr.exe" fullword wide
+ $s2 = "\\rb.htm" ascii
+ $s3 = "rb.htm" fullword ascii
+ $s4 = "cook5" ascii
+ $s5 = "5, 4, 2600, 0" fullword wide
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_27 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "959573261ca1d7e5ddcd19447475b2139ca24fe1"
+ id = "22815745-086f-59ee-aac1-f35e49aa5835"
+ strings:
+ $s0 = "Mozilla/4.0" fullword ascii
+ $s1 = "dizhi.gif" fullword ascii
+ $s5 = "oftHaveAck+" ascii
+ $s10 = "HlobalAl" fullword ascii
+ $s13 = "$NtRND1$" fullword ascii
+ $s14 = "_NStartup" ascii
+ $s16 = "GXSYSTEM" fullword ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_28 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash1 = "e62a63307deead5c9fcca6b9a2d51fb0"
+ hash2 = "5b590798da581c894d8a87964763aa8b"
+ id = "1bc8c68f-ebbb-58b1-92aa-5954318096a0"
+ strings:
+ $s0 = "www.flyeagles.com" fullword ascii
+ $s1 = "iexplore.exe" fullword ascii
+ $s2 = "www.km-nyc.com" fullword ascii
+ $s3 = "cmdLine.exe" fullword ascii
+ $s4 = "Software\\Microsoft\\CurrentNetInf" fullword ascii
+ $s5 = "/dizhi.gif" ascii
+ $s6 = "/connect.gif" ascii
+ $s7 = "USBTest.sys" fullword ascii
+ $s8 = "/ver.htm" fullword ascii
+ $s11 = "\\netscv.exe" ascii
+ $s12 = "/app.htm" fullword ascii
+ $s13 = "\\netsvc.exe" ascii
+ $s14 = "/exe.htm" fullword ascii
+ $s18 = "MicrosoftHaveAck" fullword ascii
+ $s19 = "MicrosoftHaveExit" fullword ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and 7 of them
+}
+
+rule APT30_Sample_29 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "44492c53715d7c79895904543843a321491cb23a"
+ id = "24334885-fcb4-5a13-82e8-c8465f97361e"
+ strings:
+ $s0 = "LSSAS.exe" fullword ascii
+ $s1 = "Software\\Microsoft\\FlashDiskInf" fullword ascii
+ $s2 = ".petite" fullword ascii
+ $s3 = "MicrosoftFlashExit" fullword ascii
+ $s4 = "MicrosoftFlashHaveExit" fullword ascii
+ $s5 = "MicrosoftFlashHaveAck" fullword ascii
+ $s6 = "\\driver32" ascii
+ $s7 = "MicrosoftFlashZJ" fullword ascii
+ condition:
+ filesize < 100KB and uint16(0) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_30 {
+ meta:
+ description = "FireEye APT30 Report Sample"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ date = "2015/04/13"
+ hash = "3b684fa40b4f096e99fbf535962c7da5cf0b4528"
+ id = "787b288a-6fb4-5483-af76-933651ec6d58"
+ strings:
+ $s0 = "5.1.2600.2180
(xpsp_sp2_rtm.040803-2158)" fullword wide + $s3 = "RnhwtxtkyLRRMf{jJ}ny" fullword ascii + $s4 = "RnhwtxtkyLRRJ}ny" fullword ascii + $s5 = "ZRLDownloadToFileA" fullword ascii + $s9 = "5.1.2600.2180" fullword wide + condition: + filesize < 100KB and uint16(0) == 0x5A4D and all of them +} + +rule APT30_Sample_31 { + meta: + description = "FireEye APT30 Report Sample" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + date = "2015/04/13" + hash = "8b4271167655787be1988574446125eae5043aca" + id = "9333870b-7eaa-54dd-a801-7292708fb592" + strings: + $s0 = "\\ZJRsv.tem" ascii + $s1 = "forceguest" fullword ascii + $s4 = "\\$NtUninstallKB570317$" ascii + $s8 = "[Can'tGetIP]" fullword ascii + $s14 = "QWERTY:,`/" fullword ascii + condition: + filesize < 100KB and uint16(0) == 0x5A4D and all of them +} + +rule APT30_Generic_J { + meta: + description = "FireEye APT30 Report Sample" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + date = "2015/04/13" + hash1 = "49aca228674651cba776be727bdb7e60" + hash2 = "5c7a6b3d1b85fad17333e02608844703" + hash3 = "649fa64127fef1305ba141dd58fb83a5" + hash4 = "9982fd829c0048c8f89620691316763a" + hash5 = "baff5262ae01a9217b10fcd5dad9d1d5" + hash6 = "9982fd829c0048c8f89620691316763a" + id = "64a5106e-d7f3-5c68-a14e-410149a1bb9e" + strings: + $s0 = "Launcher.EXE" fullword wide + $s1 = "Symantec Security Technologies" fullword wide + $s2 = "\\Symantec LiveUpdate.lnk" ascii + $s3 = "Symantec Service Framework" fullword wide + $s4 = "\\ccSvcHst.exe" ascii + $s5 = "\\wssfmgr.exe" ascii + $s6 = "Symantec Corporation" fullword wide + $s7 = "\\5.1.0.29" ascii + $s8 = "\\Engine" ascii + $s9 = "Copyright (C) 2000-2010 
Symantec Corporation. All rights reserved." fullword wide + $s10 = "Symantec LiveUpdate" fullword ascii + $s11 = "\\Norton360" ascii + $s15 = "BinRes" fullword ascii + $s16 = "\\readme.lz" ascii + condition: + filesize < 100KB and uint16(0) == 0x5A4D and all of them +} + +rule APT30_Microfost { + meta: + description = "FireEye APT30 Report Sample" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + date = "2015/04/13" + hash = "57169cb4b8ef7a0d7ebd7aa039d1a1efd6eb639e" + id = "19231001-1da3-5be6-8275-03c9fc7c6377" + strings: + $s1 = "Copyright (c) 2007 Microfost All Rights Reserved" fullword wide + $s2 = "Microfost" fullword wide + condition: + filesize < 100KB and uint16(0) == 0x5A4D and all of them +} + +rule APT30_Generic_K { + meta: + description = "FireEye APT30 Report Sample" + author = "Florian Roth (Nextron Systems)" + reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + date = "2015/04/03" + modified = "2023-01-06" + score = 75 + hash = "142bc01ad412799a7f9ffed994069fecbd5a2f93" + id = "49629825-4233-5d74-b763-b2500536eb90" + strings: + $x1 = "Maybe a Encrypted Flash" fullword ascii + + $s0 = "C:\\Program Files\\Common Files\\System\\wab32" fullword ascii + $s1 = "\\TEMP\\" ascii + $s2 = "\\Temporary Internet Files\\" ascii + $s5 = "%s Size:%u Bytes" fullword ascii + $s7 = "$.DATA$" fullword ascii + $s10 = "? Size:%u By s" fullword ascii + $s12 = "Maybe a Encrypted Flash" fullword ascii + $s14 = "Name:%-32s" fullword ascii + $s15 = "NickName:%-32s" fullword ascii + $s19 = "Email:%-32s" fullword ascii + $s21 = "C:\\Prog" ascii + $s22 = "$LDDATA$" ascii + $s31 = "Copy File %s OK!" 
fullword ascii + $s32 = "%s Space:%uM,FreeSpace:%uM" fullword ascii + $s34 = "open=%s" fullword ascii + condition: + filesize < 100KB and uint16(0) == 0x5A4D and ( all of ($x*) and 3 of ($s*) ) +} + +rule APT30_Sample_33 { + meta: + description = "FireEye APT30 Report Sample" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + date = "2015/04/13" + hash = "72c568ee2dd75406858c0294ccfcf86ad0e390e4" + id = "be6afc4a-97fe-56ba-b057-e21415f9833d" + strings: + $s0 = "Version 4.7.3001" fullword wide + $s1 = "msmsgr.exe" fullword wide + $s2 = "MYUSER32.dll" fullword ascii + $s3 = "MYADVAPI32.dll" fullword ascii + $s4 = "CeleWare.NET1" fullword ascii + $s6 = "MYMSVCRT.dll" fullword ascii + $s7 = "Microsoft(R) is a registered trademark of Microsoft Corporation in the" wide + $s8 = "WWW.CeleWare.NET1" ascii + condition: + filesize < 100KB and uint16(0) == 0x5A4D and 6 of them +} + +rule APT30_Sample_34 { + meta: + description = "FireEye APT30 Report Sample" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + date = "2015/04/13" + hash = "216868edbcdd067bd2a9cce4f132d33ba9c0d818" + id = "a4802e13-4151-5f17-ba91-dcf9ef6b52bb" + strings: + $s0 = "dizhi.gif" ascii + $s1 = "eagles.vip.nse" ascii + $s4 = "o%S:S0" ascii + $s5 = "la/4.0" ascii + $s6 = "s#!<4!2>s02==<'s1" ascii + $s7 = "HlobalAl" ascii + $s9 = "vcMicrosoftHaveAck7" ascii + condition: + filesize < 100KB and uint16(0) == 0x5A4D and all of them +} + +rule APT30_Sample_35 { + meta: + description = "FireEye APT30 Report Sample" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = 
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + date = "2015/04/13" + hash = "df48a7cd6c4a8f78f5847bad3776abc0458499a6" + id = "8a30720b-06da-5a82-8bab-bf06121afd68" + strings: + $s0 = "WhBoyIEXPLORE.EXE.exe" fullword ascii + $s5 = "Startup>A" fullword ascii + $s18 = "olhelp32Snapshot" fullword ascii + condition: + filesize < 100KB and uint16(0) == 0x5A4D and all of them +} + +rule APT30_Sample_1 { + meta: + description = "FireEye APT30 Report Sample" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + date = "2015/04/13" + hash = "8cea83299af8f5ec6c278247e649c9d91d4cf3bc" + id = "e5dd6bc9-9383-5d48-92df-709996373655" + strings: + $s0 = "#hostid" fullword ascii + $s1 = "\\Windows\\C" ascii + $s5 = "TimUmove" fullword ascii + $s6 = "Moziea/4.0 (c" fullword ascii + $s7 = "StartupNA" fullword ascii + condition: + filesize < 100KB and uint16(0) == 0x5A4D and all of them +} + +rule APT30_Generic_1 { + meta: + description = "FireEye APT30 Report Sample" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + date = "2015/04/13" + super_rule = 1 + hash0 = "aaa5c64200ff0818c56ebe4c88bcc1143216c536" + hash1 = "cb4263cab467845dae9fae427e3bbeb31c6a14c2" + hash2 = "b69b95db8a55a050d6d6c0cba13d73975b8219ca" + hash3 = "5c29e21bbe8873778f9363258f5e570dddcadeb9" + hash4 = "d5cb07d178963f2dea2c754d261185ecc94e09d6" + hash5 = "626dcdd7357e1f8329e9137d0f9883f57ec5c163" + hash6 = "843997b36ed80d3aeea3c822cb5dc446b6bfa7b9" + id = "4d21f402-24da-5e38-9225-a1461e61802f" + strings: + $s0 = "%s\\%s.txt" fullword + $s1 = "\\ldsysinfo.txt" + $s4 = "(Extended Wansung)" fullword + $s6 = "Computer Name:" fullword + $s7 = "%s %uKB %04u-%02u-%02u %02u:%02u" 
fullword + $s8 = "ASSAMESE" fullword + $s9 = "BELARUSIAN" fullword + $s10 = "(PR China)" fullword + $s14 = "(French)" fullword + $s15 = "AdvancedServer" fullword + $s16 = "DataCenterServer" fullword + $s18 = "(Finland)" fullword + $s19 = "%s %04u-%02u-%02u %02u:%02u" fullword + $s20 = "(Chile)" fullword + condition: + filesize < 250KB and uint16(0) == 0x5A4D and all of them +} +rule APT30_Generic_2 { + meta: + description = "FireEye APT30 Report Sample - from many files" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + date = "2015/04/13" + super_rule = 1 + hash0 = "aba8b9fa213e5e2f1f0404d13fecc20ea8651b57" + hash1 = "7f11f5c9475240e5dd2eea7726c9229972cffc1f" + hash2 = "94d3f91d1e50ecea729617729013c3d143bf2c3e" + hash3 = "7e516ec04f28c76d67b8111ddfe58bbd628362cc" + hash4 = "6b27bc0b0460b0a25b45d897ed4f399106c284d9" + hash5 = "6df5b4b3da0964153bad22fb1f69483ae8316655" + hash6 = "b68bce61dfd8763c3003480ba4066b3cb1ef126e" + hash7 = "cc124682246d098740cfa7d20aede850d49b6597" + hash8 = "1ef415bca310575944934fc97b0aa720943ba512" + hash9 = "0559ab9356dcc869da18b2c96f48b76478c472b3" + hash10 = "f15272042a4f9324ad5de884bd50f4072f4bdde3" + hash11 = "1d93d5f5463cdf85e3c22c56ed1381957f4efaac" + hash12 = "b6f1fb0f8a2fb92a3c60e154f24cfbca1984529f" + hash13 = "9967a99a1b627ddb6899919e32a0f544ea498b48" + hash14 = "95a3c812ca0ad104f045b26c483495129bcf37ca" + hash15 = "bde9a72b2113d18b4fa537cc080d8d8ba1a231e8" + hash16 = "ce1f53e06feab1e92f07ed544c288bf39c6fce19" + hash17 = "72dae031d885dbf492c0232dd1c792ab4785a2dc" + hash18 = "a2ccba46e40d0fb0dd3e1dba160ecbb5440862ec" + hash19 = "c8007b59b2d495029cdf5b7b8fc8a5a1f7aa7611" + hash20 = "9c6f470e2f326a055065b2501077c89f748db763" + hash21 = "af3e232559ef69bdf2ee9cd96434dcec58afbe5a" + hash22 = "e72e67ba32946c2702b7662c510cc1242cffe802" + hash23 = 
"8fc0b1618b61dce5f18eba01809301cb7f021b35" + hash24 = "6a8159da055dac928ba7c98ea1cdbe6dfb4a3c22" + hash25 = "47463412daf0b0a410d3ccbb7ea294db5ff42311" + hash26 = "e6efa0ccfddda7d7d689efeb28894c04ebc72be2" + hash27 = "43a3fc9a4fee43252e9a570492e4efe33043e710" + hash28 = "7406ebef11ca9f97c101b37f417901c70ab514b1" + hash29 = "53ed9b22084f89b4b595938e320f20efe65e0409" + id = "60d7d661-50e8-5a9b-8366-eda8ff8ad9d4" + strings: + $s0 = "%s\\%s\\KB985109.log" fullword + $s1 = "%s\\%s\\KB989109.log" fullword + $s2 = "Opera.exe" fullword wide + $s3 = "%s:All online success on %u!" fullword + $s4 = "%s:list online success on %u!" fullword + $s5 = "%s:All online fail!" fullword + $s6 = "Copyright Opera Software 1995-" wide + $s7 = "%s:list online fail!" fullword + $s8 = "OnlineTmp.txt" fullword + $s9 = "Opera Internet Browser" fullword wide + $s12 = "Opera Software" fullword wide + $s15 = "Check lan have done!!!" fullword + $s16 = "List End." fullword + condition: + filesize < 100KB and uint16(0) == 0x5A4D and all of them +} + +/* I disabled this shit rule - F.R. 
+rule APT30_Generic_3 { + meta: + description = "FireEye APT30 Report Sample" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + date = "2015/04/13" + super_rule = 1 + hash0 = "b90ac3e58ed472829e2562023e6e892d2d61ac44" + hash1 = "342036ace2e9e6d504b0dec6399e4fa92de46c12" + hash2 = "5cdf397dfd9eb66ff5ff636777f6982c1254a37a" + strings: + $s0 = "Acrobat.exe" fullword wide + $s14 = "********************************" fullword + $s16 = "FFFF:>>>>>>>>>>>>>>>>>@" fullword + condition: + filesize < 100KB and uint16(0) == 0x5A4D and all of them +} +*/ + +rule APT30_Generic_4 { + meta: + description = "FireEye APT30 Report Sample" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + date = "2015/04/13" + super_rule = 1 + hash0 = "bb390f99bfde234bbed59f6a0d962ba874b2396c" + hash1 = "b47e20ac5889700438dc241f28f4e224070810d2" + hash2 = "a9a50673ac000a313f3ddba55d63d9773b9f4143" + hash3 = "ac96d7f5957aef09bd983465c497de24c6d17a92" + id = "2b246ae2-ec7d-5813-913e-729e4192da59" + strings: + $s0 = "del NetEagle_Scout.bat" fullword + $s1 = "NetEagle_Scout.bat" fullword + $s2 = "\\visit.exe" + $s3 = "\\System.exe" + $s4 = "\\System.dat" + $s5 = "\\ieupdate.exe" + $s6 = "GOTO ERROR" fullword + $s7 = ":ERROR" fullword + $s9 = "IF EXIST " fullword + $s10 = "ioiocn" fullword + $s11 = "SetFileAttribute" fullword + $s12 = "le_0*^il" fullword + $s13 = "le_.*^il" fullword + $s14 = "le_-*^il" fullword + condition: + filesize < 250KB and uint16(0) == 0x5A4D and all of them +} + +rule APT30_Generic_5 { + meta: + description = "FireEye APT30 Report Sample" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + 
author = "Florian Roth (Nextron Systems)" + reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + date = "2015/04/13" + super_rule = 1 + hash0 = "cb4833220c508182c0ccd4e0d5a867d6c4e675f8" + hash1 = "dfc9a87df2d585c479ab02602133934b055d156f" + hash2 = "bf59d5ff7d38ec5ffb91296e002e8742baf24db5" + id = "e00a670e-cd95-515f-8109-219ce5121ba4" + strings: + $s0 = "regsvr32 /s \"%ProgramFiles%\\Norton360\\Engine\\5.1.0.29\\ashelper.dll\"" fullword + $s1 = "name=\"ftpserver.exe\"/>" fullword + $s2 = "LiveUpdate.EXE" fullword wide + $s3 = "FTP Explorer" fullword + $s4 = "\\ashelper.dll" + $s5 = "LiveUpdate" fullword wide + condition: + filesize < 100KB and uint16(0) == 0x5A4D and all of them +} + +rule APT30_Generic_6 { + meta: + description = "FireEye APT30 Report Sample" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + date = "2015/04/13" + super_rule = 1 + hash0 = "b9aafb575d3d1732cb8fdca5ea226cebf86ea3c9" + hash1 = "2c5e347083b77c9ead9e75d41e2fabe096460bba" + hash2 = "5d39a567b50c74c4a921b5f65713f78023099933" + id = "dfd104bd-daf4-593a-b161-61f43aec048c" + strings: + $s0 = "GetStar" fullword + $s1 = ".rdUaS" fullword + $s2 = "%sOTwp/&A\\L" fullword + $s3 = "a Encrt% Flash Disk" fullword + $s4 = "ypeAutoRuChec" fullword + $s5 = "NoDriveT" fullword + condition: + filesize < 100KB and uint16(0) == 0x5A4D and all of them +} + +rule APT30_Generic_7 { + meta: + description = "FireEye APT30 Report Sample" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + date = "2015/04/13" + super_rule = 1 + hash0 = "2415f661046fdbe3eea8cd276b6f13354019b1a6" + hash1 = "e814914079af78d9f1b71000fee3c29d31d9b586" + hash2 = 
"0263de239ccef669c47399856d481e3361408e90" + id = "bba40092-267b-5231-92f1-f222c9f888ee" + strings: + $s1 = "Xjapor_*ata" fullword + $s2 = "Xjapor_o*ata" fullword + $s4 = "Ouopai" fullword + condition: + filesize < 100KB and uint16(0) == 0x5A4D and all of them +} +rule APT30_Generic_8 { + meta: + description = "FireEye APT30 Report Sample" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + date = "2015/04/13" + super_rule = 1 + hash0 = "b47e20ac5889700438dc241f28f4e224070810d2" + hash1 = "a9a50673ac000a313f3ddba55d63d9773b9f4143" + hash2 = "ac96d7f5957aef09bd983465c497de24c6d17a92" + id = "a6845222-0a3e-5327-a448-36e8d54362a5" + strings: + $s0 = "Windows NT4.0" fullword + $s1 = "Windows NT3.51" fullword + $s2 = "%d;%d;%d;%ld;%ld;%ld;" fullword + $s3 = "%s %d.%d Build%d %s" fullword + $s4 = "MSAFD Tcpip [TCP/IP]" fullword + $s5 = "SQSRSS" fullword + $s8 = "WM_COMP" fullword + $s9 = "WM_MBU" fullword + $s11 = "WM_GRID" fullword + $s12 = "WM_RBU" fullword + condition: + filesize < 250KB and uint16(0) == 0x5A4D and all of them +} + +rule APT30_Generic_9 { + meta: + description = "FireEye APT30 Report Sample" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + date = "2015/04/13" + super_rule = 1 + hash0 = "00d9949832dc3533592c2ce06a403ef19deddce9" + hash1 = "27a2b981d4c0bb8c3628bfe990db4619ddfdff74" + hash2 = "05f66492c163ec2a24c6a87c7a43028c5f632437" + hash3 = "263f094da3f64e72ef8dc3d02be4fb33de1fdb96" + id = "cf259f8d-e0a9-579d-93e7-ec14d99faf81" + strings: + $s0 = "%s\\%s\\$NtRecDoc$" fullword + $s1 = "%s(%u)%s" fullword + $s2 = "http://%s%s%s" fullword + $s3 = "1.9.1.17" fullword wide + $s4 = "(C)Firefox and Mozilla Developers, 
according to the MPL 1.1/GPL 2.0/LGPL" wide + condition: + filesize < 250KB and uint16(0) == 0x5A4D and all of them +} diff --git a/yara-Neo23x0/apt_apt32.yar b/yara-Neo23x0/apt_apt32.yar new file mode 100644 index 0000000..0e8dba3 --- /dev/null +++ b/yara-Neo23x0/apt_apt32.yar 
@@ -0,0 +1,49 @@
+import "pe"
+
+rule EXT_APT32_goopdate_installer {
+ meta:
+ reference = "https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/"
+ author = "Facebook"
+ description = "Detects APT32 installer side-loaded with goopdate.dll"
+ sample = "69730f2c2bb9668a17f8dfa1f1523e0e1e997ba98f027ce98f5cbaa869347383"
+ id = "08f3cbda-ccb7-517a-b205-5f71de26c735"
+ strings:
+ $s0 = { 68 ?? ?? ?? ?? 57 A3 ?? ?? ?? ?? FF D6 33 05 ?? ?? ?? ?? }
+ $s1 = "GetProcAddress"
+ $s2 = { 8B 4D FC ?? ?? 0F B6 51 0C ?? ?? 8B 4D F0 0F B6 1C 01 33 DA }
+ $s3 = "FindNextFileW"
+ $s4 = "Process32NextW"
+
+ condition:
+ (pe.is_64bit() or pe.is_32bit()) and
+ all of them
+}
+
+rule EXT_APT32_osx_backdoor_loader {
+ meta:
+ reference = "https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/"
+ author = "Facebook"
+ description = "Detects APT32 backdoor loader on OSX"
+ sample = "768510fa9eb807bba9c3dcb3c7f87b771e20fa3d81247539e9ea4349205e39eb"
+ id = "ac313bd8-bf15-5b72-b651-35015f71dd90"
+ strings:
+ $a1 = { 00 D2 44 8A 04 0F 44 88 C0 C0 E8 07 08 D0 88 44 0F FF 48 FF C1 48 83 F9 10 44 88 C2 }
+ $a2 = { 41 0F 10 04 07 0F 57 84 05 A0 FE FF FF 41 0F 11 04 07 48 83 C0 10 48 83 F8 10 75 }
+
+ // Encrypted data
+ $e1 = { CA CF 3E F2 DA 43 E6 D1 D5 6C D4 23 3A AE F1 B2 } // Decoded to drop filepath: '/tmp/panels'
+ $e2 = "MlkHVdRbOkra9s+G65MAoLga340t3+zj/u8LPfP3hig=" // Decoded to export API name 'ArchaeologistCodeine'
+ $e3 = { 5A 69 98 0E 6C 4B 5C 69 7E 19 34 3B C3 07 CA 13 } // Decoded to 'ifconfig -l'
+ $e4 = "1Sib4HfPuRQjpxIpECnxxTPiu3FXOFAHMx/+9MEVv9M+h1ngV7T5WUP3b0zsg0Qd" // Decoded to export API 'PlayerAberadurtheIncomprehensible'
+
+ // Decoded export func names
+ $e5 = "_ArchaeologistCodeine"
+ $e6 = "_PlayerAberadurtheIncomprehensible"
+
+ condition:
+ ((uint32(0) == 0xfeedface or uint32be(0) == 0xfeedface) or (uint32(0) == 0xfeedfacf or uint32be(0) == 0xfeedfacf)) and
+ (
+ 2 of ($e*) or
+ all of ($a*)
+ )
+}
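Review bot: `EXT_APT32_goopdate_installer` gates only on `pe.is_64bit() or pe.is_32bit()`, so the pe module is asked to parse every scanned file before anything cheaper runs and there is no `filesize` bound at all; a leading `uint16(0) == 0x5A4D and filesize < <bound>` (bound taken from the referenced sample) would short-circuit non-PE and oversized input before the module call. Three of the five strings (`GetProcAddress`, `FindNextFileW`, `Process32NextW`) are ordinary import names present in most Windows binaries, so the selectivity of `all of them` rests entirely on the two wildcarded opcode patterns `$s0` and `$s2`; a comment naming the function they were lifted from would let a maintainer re-verify them when the sample drifts. In `EXT_APT32_osx_backdoor_loader` the header test accepts only thin Mach-O magics (`0xfeedface`/`0xfeedfacf` in either byte order); a fat/universal binary starts with `0xcafebabe` and would be missed even if it embeds this loader, which is worth either adding as a third magic or stating as a limitation in `description`.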
diff --git a/yara-Neo23x0/apt_apt34.yar b/yara-Neo23x0/apt_apt34.yar new file mode 100644 index 0000000..79d6663 --- /dev/null +++ b/yara-Neo23x0/apt_apt34.yar 
@@ -0,0 +1,59 @@
+
+/*
+ Yara Rule Set
+ Author: Florian Roth
+ Date: 2017-12-07
+ Identifier: APT 34
+ Reference: https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule APT34_Malware_HTA {
+ meta:
+ description = "Detects APT 34 malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
+ date = "2017-12-07"
+ hash1 = "f6fa94cc8efea0dbd7d4d4ca4cf85ac6da97ee5cf0c59d16a6aafccd2b9d8b9a"
+ id = "683faded-7e4b-5b2f-9f85-300db96ed9d1"
+ strings:
+ $x1 = "WshShell.run \"cmd.exe /C C:\\ProgramData\\" ascii
+ $x2 = ".bat&ping 127.0.0.1 -n 6 > nul&wscript /b" ascii
+ $x3 = "cmd.exe /C certutil -f -decode C:\\ProgramData\\" ascii
+ $x4 = "a.WriteLine(\"set Shell0 = CreateObject(" ascii
+ $x5 = "& vbCrLf & \"Shell0.run" ascii
+
+ $s1 = "Blog.tkacprow.pl: HTA Hello World!" 
fullword ascii
+ $s2 = "" fullword ascii
+ condition:
+ filesize < 60KB and ( 1 of ($x*) or all of ($s*) )
+}
+
+rule APT34_Malware_Exeruner {
+ meta:
+ description = "Detects APT 34 malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
+ date = "2017-12-07"
+ hash1 = "c75c85acf0e0092d688a605778425ba4cb2a57878925eee3dc0f4dd8d636a27a"
+ id = "8ddfa59d-9b8a-5cb6-a992-6498ac9be75d"
+ strings:
+ $x1 = "\\obj\\Debug\\exeruner.pdb" ascii
+ $x2 = "\"wscript.shell`\")`nShell0.run" wide
+ $x3 = "powershell.exe -exec bypass -enc \" + ${global:$http_ag} +" wide
+ $x4 = "/c powershell -exec bypass -window hidden -nologo -command " fullword wide
+ $x5 = "\\UpdateTasks\\JavaUpdatesTasksHosts\\" wide
+ $x6 = "schtasks /create /F /ru SYSTEM /sc minute /mo 1 /tn" wide
+ $x7 = "UpdateChecker.ps1 & ping 127.0.0.1" wide
+ $s8 = "exeruner.exe" fullword wide
+ $s9 = "${global:$address1} = $env:ProgramData + \"\\Windows\\Microsoft\\java\";" fullword wide
+ $s10 = "C:\\ProgramData\\Windows\\Microsoft\\java" fullword wide
+ $s11 = "function runByVBS" fullword wide
+ $s12 = "$84e31856-683b-41c0-81dd-a02d8b795026" fullword ascii
+ $s13 = "${global:$dns_ag} = \"aQBmACAAKAAoAEcAZQB0AC0AVwBtAGk" wide
+ condition:
+ uint16(0) == 0x5a4d and filesize < 100KB and 1 of them
+}
\ No newline at end of file
diff --git a/yara-Neo23x0/apt_apt37.yar b/yara-Neo23x0/apt_apt37.yar
new file mode 100644
index 0000000..efb80c8
--- /dev/null
+++ b/yara-Neo23x0/apt_apt37.yar
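Review bot: `$s2 = "" fullword ascii` in `APT34_Malware_HTA` is an empty string literal, which yara rejects at compile time ("empty string"), so as shown the whole file fails to load and every rule in it is silently lost. This is probably a rendering artefact — an HTML-looking literal stripped from the page — but the committed file should be checked and the literal restored, or `$s2` dropped and the condition reduced to `filesize < 60KB and ( 1 of ($x*) or $s1 )`. Note also that `$s1` is the banner of a public HTA tutorial, so the `all of ($s*)` branch will fire on that tutorial's own hello-world sample; tightening it to `( 1 of ($x*) or ( all of ($s*) and 1 of ($x*) ) )` is equivalent to dropping the branch, which may be the honest outcome.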
@@ -0,0 +1,17 @@
+rule APT_NK_Methodology_Artificial_UserAgent_IE_Win7 {
+ meta:
+ author = "Steve Miller aka @stvemillertime"
+ description = "Detects hard-coded User-Agent string that has been present in several APT37 malware families."
+ hash1 = "e63efbf8624a531bb435b7446dbbfc25"
+ score = 45
+ id = "a747c908-7af7-5c29-8386-a71db7648061"
+ strings:
+ $a1 = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
+ $a2 = {4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 57 4f 57 36 34 3b 20 54 72 69 64 65 6e 74 2f 37 2e 30 3b 20 72 76 3a 31 31 2e 30 29 20 6c 69 6b 65 20 47 65 63 6b 6f 00 00 00 00}
+
+ $fp1 = "Esumsoft" wide
+ $fp2 = "Acunetix" wide ascii
+ $fp3 = "TASER SYNC" ascii
+ condition:
+ uint16(0) == 0x5A4D and all of ($a*) and not 1 of ($fp*)
+}
diff --git a/yara-Neo23x0/apt_apt37_bluelight.yar b/yara-Neo23x0/apt_apt37_bluelight.yar
new file mode 100644
index 0000000..f4c2521
--- /dev/null
+++ b/yara-Neo23x0/apt_apt37_bluelight.yar
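Review bot: `$a1` in `APT_NK_Methodology_Artificial_UserAgent_IE_Win7` is redundant — `$a2` is the same UA bytes followed by `00 00 00 00`, so `all of ($a*)` is true exactly when `$a2` matches and `$a1` only adds a second scan for a very common string. Either drop `$a1` or keep it with a comment on `$a2` such as `// same UA as $a1, NUL-terminated and padded: presumably a literal in the binary rather than a UA assembled at runtime or found in text`, since that tail is presumably what the "Artificial" in the rule name refers to and nothing in the rule says so. The UA itself is the stock IE11-on-Windows-7 string, which is why the `$fp*` exclusions and `score = 45` exist; stating that in `description` would stop the next maintainer from raising the score or removing the exclusions.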
@@ -0,0 +1,144 @@
+/*
+Copyright 2021 by Volexity, Inc.
+
+The 2-Clause BSD License
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+rule APT_MAL_Win_BlueLight_B : InkySquid
+{
+ meta:
+ author = "threatintel@volexity.com"
+ description = "North Korean origin malware which uses a custom Google App for c2 communications." 
+ date = "2021-06-21"
+ hash1 = "837eaf7b736583497afb8bbdb527f70577901eff04cc69d807983b233524bfed"
+ license = "See license at https://github.com/volexity/threat-intel/LICENSE.txt"
+ reference = "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/"
+ id = "3ec2d44c-4c08-514d-a839-acef3f53f7dc"
+ strings:
+ $magic = "host_name: %ls, cookie_name: %s, cookie: %s, CT: %llu, ET: %llu, value: %s, path: %ls, secu: %d, http: %d, last: %llu, has: %d"
+
+ $f1 = "%ls.INTEG.RAW" wide
+ $f2 = "edb.chk" ascii
+ $f3 = "edb.log" ascii
+ $f4 = "edbres00001.jrs" ascii
+ $f5 = "edbres00002.jrs" ascii
+ $f6 = "edbtmp.log" ascii
+ $f7 = "cheV01.dat" ascii
+
+ $chrome1 = "Failed to get chrome cookie"
+ $chrome2 = "mail.google.com, cookie_name: OSID"
+ $chrome3 = ".google.com, cookie_name: SID,"
+ $chrome4 = ".google.com, cookie_name: __Secure-3PSID,"
+ $chrome5 = "Failed to get Edge cookie"
+ $chrome6 = "google.com, cookie_name: SID,"
+ $chrome7 = "google.com, cookie_name: __Secure-3PSID,"
+ $chrome8 = "Failed to get New Edge cookie"
+ $chrome9 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"
+ $chrome10 = "Content-Type: application/x-www-form-urlencoded;charset=utf-8"
+ $chrome11 = "Cookie: SID=%s; OSID=%s; __Secure-3PSID=%s"
+ $chrome12 = "https://mail.google.com"
+ $chrome13 = "result.html"
+ $chrome14 = "GM_ACTION_TOKEN"
+ $chrome15 = "GM_ID_KEY="
+ $chrome16 = "/mail/u/0/?ik=%s&at=%s&view=up&act=prefs"
+ $chrome17 = "p_bx_ie=1"
+ $chrome18 = "myaccount.google.com, cookie_name: OSID"
+ $chrome19 = "Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3"
+ $chrome20 = "Content-Type: application/x-www-form-urlencoded;charset=utf-8"
+ $chrome21 = "Cookie: SID=%s; OSID=%s; __Secure-3PSID=%s"
+ $chrome22 = "https://myaccount.google.com"
+ $chrome23 = "result.html"
+ $chrome24 = "myaccount.google.com"
+ $chrome25 = "/_/AccountSettingsUi/data/batchexecute"
+ $chrome26 = 
"f.req=%5B%5B%5B%22BqLdsd%22%2C%22%5Btrue%5D%22%2Cnull%2C%22generic%22%5D%5D%5D&at=" + $chrome27 = "response.html" + + $msg1 = "https_status is %s" + $msg2 = "Success to find GM_ACTION_TOKEN and GM_ID_KEY" + $msg3 = "Failed to find GM_ACTION_TOKEN and GM_ID_KEY" + $msg4 = "Failed HttpSendRequest to mail.google.com" + $msg5 = "Success to enable imap" + $msg6 = "Failed to enable imap" + $msg7 = "Success to find SNlM0e" + $msg8 = "Failed to find SNlM0e" + $msg9 = "Failed HttpSendRequest to myaccount.google.com" + $msg10 = "Success to enable thunder access" + $msg11 = "Failed to enable thunder access" + + $keylogger_component1 = "[TAB]" + $keylogger_component2 = "[RETURN]" + $keylogger_component3 = "PAUSE" + $keylogger_component4 = "[ESC]" + $keylogger_component5 = "[PAGE UP]" + $keylogger_component6 = "[PAGE DOWN]" + $keylogger_component7 = "[END]" + $keylogger_component8 = "[HOME]" + $keylogger_component9 = "[ARROW LEFT]" + $keylogger_component10 = "[ARROW UP]" + $keylogger_component11 = "[ARROW RIGHT]" + $keylogger_component12 = "[ARROW DOWN]" + $keylogger_component13 = "[INS]" + $keylogger_component14 = "[DEL]" + $keylogger_component15 = "[WIN]" + $keylogger_component16 = "[NUM *]" + $keylogger_component17 = "[NUM +]" + $keylogger_component18 = "[NUM ,]" + $keylogger_component19 = "[NUM -]" + $keylogger_component20 = "[NUM .]" + $keylogger_component21 = "NUM /]" + $keylogger_component22 = "[NUMLOCK]" + $keylogger_component23 = "[SCROLLLOCK]" + $keylogger_component24 = "Time: " + $keylogger_component25 = "Window: " + $keylogger_component26 = "CAPSLOCK+" + $keylogger_component27 = "SHIFT+" + $keylogger_component28 = "CTRL+" + $keylogger_component29 = "ALT+" + + condition: + $magic or + ( + all of ($f*) and + 5 of ($keylogger_component*) + ) or + 24 of ($chrome*) or + 4 of ($msg*) or + 27 of ($keylogger_component*) +} + +rule APT_MAL_Win_BlueLight : InkySquid { + meta: + author = "threatintel@volexity.com" + date = "2021-04-23" + description = "The BLUELIGHT malware 
family. Leverages Microsoft OneDrive for network communications."
+ hash1 = "7c40019c1d4cef2ffdd1dd8f388aaba537440b1bffee41789c900122d075a86d"
+ hash2 = "94b71ee0861cc7cfbbae53ad2e411a76f296fd5684edf6b25ebe79bf6a2a600a"
+ license = "See license at https://github.com/volexity/threat-intel/LICENSE.txt"
+ reference = "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/"
+ id = "3ec2d44c-4c08-514d-a839-acef3f53f7dc"
+ strings:
+ $pdb1 = "\\Development\\BACKDOOR\\ncov\\"
+ $pdb2 = "Release\\bluelight.pdb"
+
+ $msg0 = "https://ipinfo.io" fullword
+ $msg1 = "country" fullword
+ $msg5 = "\"UserName\":\"" fullword
+ $msg7 = "\"ComName\":\"" fullword
+ $msg8 = "\"OS\":\"" fullword
+ $msg9 = "\"OnlineIP\":\"" fullword
+ $msg10 = "\"LocalIP\":\"" fullword
+ $msg11 = "\"Time\":\"" fullword
+ $msg12 = "\"Compiled\":\"" fullword
+ $msg13 = "\"Process Level\":\"" fullword
+ $msg14 = "\"AntiVirus\":\"" fullword
+ $msg15 = "\"VM\":\"" fullword
+
+ condition:
+ any of ($pdb*) or
+ all of ($msg*)
+}
\ No newline at end of file
diff --git a/yara-Neo23x0/apt_apt3_bemstour.yar b/yara-Neo23x0/apt_apt3_bemstour.yar
new file mode 100644
index 0000000..c457376
--- /dev/null
+++ b/yara-Neo23x0/apt_apt3_bemstour.yar
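Review bot: both rules in this file carry the same `id = "3ec2d44c-4c08-514d-a839-acef3f53f7dc"` (`APT_MAL_Win_BlueLight_B` and `APT_MAL_Win_BlueLight`), which defeats the per-rule identifier the rest of this rule set uses to track a rule across renames; the second rule needs its own UUID. In `APT_MAL_Win_BlueLight_B` three `$chrome*` strings are literal duplicates (`$chrome10`/`$chrome20`, `$chrome11`/`$chrome21`, `$chrome13`/`$chrome23`), so `24 of ($chrome*)` is looser than it reads — 27 declared but only 24 distinct — and the duplicates should be removed with the threshold re-derived from the distinct count. Neither rule checks `uint16(0) == 0x5A4D` or bounds `filesize`, although both are named `Win` and match PE-resident strings; `$magic or …` on its own will therefore also fire on logs, memory dumps or this rule file's own siblings that merely quote the string, which may be intended for a hunting rule but should be stated in `description`.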
@@ -0,0 +1,275 @@ +rule apt3_bemstour_strings +{ +meta: + +description = "Detects strings used by the Bemstour exploitation tool" +author = "Mark Lechtik" +company = "Check Point Software Technologies LTD." +date = "2019-06-25" +sha256 = "0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a" +uuid = "8b76e10a-040f-505e-9dff-cd0a689b121e" +strings: + +$dbg_print_1 = "leaked address is 0x%llx" ascii wide +$dbg_print_2 = "========== %s ==========" ascii wide +$dbg_print_3 = "detailVersion:%d" ascii wide +$dbg_print_4 = "create pipe twice failed" ascii wide +$dbg_print_5 = "WSAStartup function failed with error: %d" ascii wide +$dbg_print_6 = "can't open input file." ascii wide +$dbg_print_7 = "Allocate Buffer Failed." ascii wide +$dbg_print_8 = "Connect to target failed." ascii wide +$dbg_print_9 = "connect successful." ascii wide +$dbg_print_10 = "not supported Platform" ascii wide +$dbg_print_11 = "Wait several seconds." ascii wide +$dbg_print_12 = "not set where to write ListEntry ." ascii wide +$dbg_print_13 = "backdoor not installed." ascii wide +$dbg_print_14 = "REConnect to target failed." ascii wide +$dbg_print_15 = "Construct TreeConnectAndX Request Failed." ascii wide +$dbg_print_16 = "Construct NTCreateAndXRequest Failed." ascii wide +$dbg_print_17 = "Construct Trans2 Failed." ascii wide +$dbg_print_18 = "Construct ConsWXR Failed." ascii wide +$dbg_print_19 = "Construct ConsTransSecondary Failed." ascii wide +$dbg_print_20 = "if you don't want to input password , use server2003 version.." 
ascii wide + +$cmdline_1 = "Command format %s TargetIp domainname username password 2" ascii wide +$cmdline_2 = "Command format %s TargetIp domainname username password 1" ascii wide +$cmdline_3 = "cmd.exe /c net user test test /add && cmd.exe /c net localgroup administrators test /add" ascii wide +$cmdline_4 = "hello.exe \"C:\\WINDOWS\\DEBUG\\test.exe\"" ascii wide +$cmdline_5 = "parameter not right" ascii wide + +$smb_param_1 = "browser" ascii wide +$smb_param_2 = "spoolss" ascii wide +$smb_param_3 = "srvsvc" ascii wide +$smb_param_4 = "\\PIPE\\LANMAN" ascii wide +$smb_param_5 = "Werttys for Workgroups 3.1a" ascii wide +$smb_param_6 = "PC NETWORK PROGRAM 1.0" ascii wide +$smb_param_7 = "LANMAN1.0" ascii wide +$smb_param_8 = "LM1.2X002" ascii wide +$smb_param_9 = "LANMAN2.1" ascii wide +$smb_param_10 = "NT LM 0.12" ascii wide +$smb_param_12 = "WORKGROUP" ascii wide +$smb_param_13 = "Windows Server 2003 3790 Service Pack 2" ascii wide +$smb_param_14 = "Windows Server 2003 5.2" ascii wide +$smb_param_15 = "Windows 2002 Service Pack 2 2600" ascii wide +$smb_param_16 = "Windows 2002 5.1" ascii wide +$smb_param_17 = "PC NETWORK PROGRAM 1.0" ascii wide +$smb_param_18 = "Windows 2002 5.1" ascii wide +$smb_param_19 = "Windows for Workgroups 3.1a" ascii wide + +$unique_str_1 = "WIN-NGJ7GKNROVS" +$unique_str_2 = "XD-A31C2E0087B2" + +condition: + uint16(0) == 0x5a4d and (5 of ($dbg_print*) or 2 of ($cmdline*) or 1 of ($unique_str*)) and 3 of ($smb_param*) +} + + + + +rule apt3_bemstour_implant_byte_patch +{ +meta: + +description = "Detects an implant used by Bemstour exploitation tool (APT3)" +author = "Mark Lechtik" +company = "Check Point Software Technologies LTD." 
+date = "2019-06-25" +sha256 = "0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a" + +/* + +0x41b7e1L C745B8558BEC83 mov dword ptr [ebp - 0x48], 0x83ec8b55 +0x41b7e8L C745BCEC745356 mov dword ptr [ebp - 0x44], 0x565374ec +0x41b7efL C745C08B750833 mov dword ptr [ebp - 0x40], 0x3308758b +0x41b7f6L C745C4C957C745 mov dword ptr [ebp - 0x3c], 0x45c757c9 +0x41b7fdL C745C88C4C6F61 mov dword ptr [ebp - 0x38], 0x616f4c8c + +*/ + +uuid = "c30434c3-8949-566c-b6a6-29bffdaf961d" +strings: + +$chunk_1 = { + +C7 45 ?? 55 8B EC 83 +C7 45 ?? EC 74 53 56 +C7 45 ?? 8B 75 08 33 +C7 45 ?? C9 57 C7 45 +C7 45 ?? 8C 4C 6F 61 + +} + +condition: + any of them +} + + +rule apt3_bemstour_implant_command_stack_variable +{ +meta: + +description = "Detecs an implant used by Bemstour exploitation tool (APT3)" +author = "Mark Lechtik" +company = "Check Point Software Technologies LTD." +date = "2019-06-25" +sha256 = "0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a" + + +uuid = "c773da5a-2d3f-5a0a-af2e-28ad382622b3" +strings: + + +/* + +0x41ba18L C78534FFFFFF636D642E mov dword ptr [ebp - 0xcc], 0x2e646d63 +0x41ba22L C78538FFFFFF65786520 mov dword ptr [ebp - 0xc8], 0x20657865 +0x41ba2cL C7853CFFFFFF2F632063 mov dword ptr [ebp - 0xc4], 0x6320632f +0x41ba36L C78540FFFFFF6F707920 mov dword ptr [ebp - 0xc0], 0x2079706f +0x41ba40L C78544FFFFFF2577696E mov dword ptr [ebp - 0xbc], 0x6e697725 +0x41ba4aL C78548FFFFFF64697225 mov dword ptr [ebp - 0xb8], 0x25726964 +0x41ba54L C7854CFFFFFF5C737973 mov dword ptr [ebp - 0xb4], 0x7379735c +0x41ba5eL C78550FFFFFF74656D33 mov dword ptr [ebp - 0xb0], 0x336d6574 +0x41ba68L C78554FFFFFF325C636D mov dword ptr [ebp - 0xac], 0x6d635c32 +0x41ba72L C78558FFFFFF642E6578 mov dword ptr [ebp - 0xa8], 0x78652e64 +0x41ba7cL C7855CFFFFFF65202577 mov dword ptr [ebp - 0xa4], 0x77252065 +0x41ba86L C78560FFFFFF696E6469 mov dword ptr [ebp - 0xa0], 0x69646e69 +0x41ba90L C78564FFFFFF72255C73 mov dword ptr [ebp - 0x9c], 0x735c2572 +0x41ba9aL 
C78568FFFFFF79737465 mov dword ptr [ebp - 0x98], 0x65747379 +0x41baa4L C7856CFFFFFF6D33325C mov dword ptr [ebp - 0x94], 0x5c32336d +0x41baaeL C78570FFFFFF73657468 mov dword ptr [ebp - 0x90], 0x68746573 +0x41bab8L C78574FFFFFF632E6578 mov dword ptr [ebp - 0x8c], 0x78652e63 +0x41bac2L C78578FFFFFF65202F79 mov dword ptr [ebp - 0x88], 0x792f2065 +0x41baccL 83A57CFFFFFF00 and dword ptr [ebp - 0x84], 0 + +*/ + +$chunk_1 = { + +C7 85 ?? ?? ?? ?? 63 6D 64 2E +C7 85 ?? ?? ?? ?? 65 78 65 20 +C7 85 ?? ?? ?? ?? 2F 63 20 63 +C7 85 ?? ?? ?? ?? 6F 70 79 20 +C7 85 ?? ?? ?? ?? 25 77 69 6E +C7 85 ?? ?? ?? ?? 64 69 72 25 +C7 85 ?? ?? ?? ?? 5C 73 79 73 +C7 85 ?? ?? ?? ?? 74 65 6D 33 +C7 85 ?? ?? ?? ?? 32 5C 63 6D +C7 85 ?? ?? ?? ?? 64 2E 65 78 +C7 85 ?? ?? ?? ?? 65 20 25 77 +C7 85 ?? ?? ?? ?? 69 6E 64 69 +C7 85 ?? ?? ?? ?? 72 25 5C 73 +C7 85 ?? ?? ?? ?? 79 73 74 65 +C7 85 ?? ?? ?? ?? 6D 33 32 5C +C7 85 ?? ?? ?? ?? 73 65 74 68 +C7 85 ?? ?? ?? ?? 63 2E 65 78 +C7 85 ?? ?? ?? ?? 65 20 2F 79 +83 A5 ?? ?? ?? ?? 00 +} + + + + +/* + +0x41baeeL C785D8FEFFFF636D6420 mov dword ptr [ebp - 0x128], 0x20646d63 +0x41baf8L C785DCFEFFFF2F632022 mov dword ptr [ebp - 0x124], 0x2220632f +0x41bb02L C785E0FEFFFF6E657420 mov dword ptr [ebp - 0x120], 0x2074656e +0x41bb0cL C785E4FEFFFF75736572 mov dword ptr [ebp - 0x11c], 0x72657375 +0x41bb16L C785E8FEFFFF20636573 mov dword ptr [ebp - 0x118], 0x73656320 +0x41bb20L C785ECFEFFFF73757070 mov dword ptr [ebp - 0x114], 0x70707573 +0x41bb2aL C785F0FEFFFF6F727420 mov dword ptr [ebp - 0x110], 0x2074726f +0x41bb34L C785F4FEFFFF3171617A mov dword ptr [ebp - 0x10c], 0x7a617131 +0x41bb3eL C785F8FEFFFF23454443 mov dword ptr [ebp - 0x108], 0x43444523 +0x41bb48L C785FCFEFFFF202F6164 mov dword ptr [ebp - 0x104], 0x64612f20 +0x41bb52L C78500FFFFFF64202626 mov dword ptr [ebp - 0x100], 0x26262064 +0x41bb5cL C78504FFFFFF206E6574 mov dword ptr [ebp - 0xfc], 0x74656e20 +0x41bb66L C78508FFFFFF206C6F63 mov dword ptr [ebp - 0xf8], 0x636f6c20 +0x41bb70L C7850CFFFFFF616C6772 mov dword 
ptr [ebp - 0xf4], 0x72676c61 +0x41bb7aL C78510FFFFFF6F757020 mov dword ptr [ebp - 0xf0], 0x2070756f +0x41bb84L C78514FFFFFF61646D69 mov dword ptr [ebp - 0xec], 0x696d6461 +0x41bb8eL C78518FFFFFF6E697374 mov dword ptr [ebp - 0xe8], 0x7473696e +0x41bb98L C7851CFFFFFF7261746F mov dword ptr [ebp - 0xe4], 0x6f746172 +0x41bba2L C78520FFFFFF72732063 mov dword ptr [ebp - 0xe0], 0x63207372 +0x41bbacL C78524FFFFFF65737375 mov dword ptr [ebp - 0xdc], 0x75737365 +0x41bbb6L C78528FFFFFF70706F72 mov dword ptr [ebp - 0xd8], 0x726f7070 +0x41bbc0L C7852CFFFFFF74202F61 mov dword ptr [ebp - 0xd4], 0x612f2074 +0x41bbcaL C78530FFFFFF64642200 mov dword ptr [ebp - 0xd0], 0x226464 +0x41bbd4L 6A5C push 0x5c + +*/ + +$chunk_2 = { + +C7 85 ?? ?? ?? ?? 63 6D 64 20 +C7 85 ?? ?? ?? ?? 2F 63 20 22 +C7 85 ?? ?? ?? ?? 6E 65 74 20 +C7 85 ?? ?? ?? ?? 75 73 65 72 +C7 85 ?? ?? ?? ?? 20 63 65 73 +C7 85 ?? ?? ?? ?? 73 75 70 70 +C7 85 ?? ?? ?? ?? 6F 72 74 20 +C7 85 ?? ?? ?? ?? 31 71 61 7A +C7 85 ?? ?? ?? ?? 23 45 44 43 +C7 85 ?? ?? ?? ?? 20 2F 61 64 +C7 85 ?? ?? ?? ?? 64 20 26 26 +C7 85 ?? ?? ?? ?? 20 6E 65 74 +C7 85 ?? ?? ?? ?? 20 6C 6F 63 +C7 85 ?? ?? ?? ?? 61 6C 67 72 +C7 85 ?? ?? ?? ?? 6F 75 70 20 +C7 85 ?? ?? ?? ?? 61 64 6D 69 +C7 85 ?? ?? ?? ?? 6E 69 73 74 +C7 85 ?? ?? ?? ?? 72 61 74 6F +C7 85 ?? ?? ?? ?? 72 73 20 63 +C7 85 ?? ?? ?? ?? 65 73 73 75 +C7 85 ?? ?? ?? ?? 70 70 6F 72 +C7 85 ?? ?? ?? ?? 74 20 2F 61 +C7 85 ?? ?? ?? ?? 
64 64 22 00 +6A 5C + +} + +/* + +0x41be22L C745D057696E45 mov dword ptr [ebp - 0x30], 0x456e6957 +0x41be29L C745D478656300 mov dword ptr [ebp - 0x2c], 0x636578 +0x41be30L C7459C47657450 mov dword ptr [ebp - 0x64], 0x50746547 +0x41be37L C745A0726F6341 mov dword ptr [ebp - 0x60], 0x41636f72 +0x41be3eL C745A464647265 mov dword ptr [ebp - 0x5c], 0x65726464 +0x41be45L C745A873730000 mov dword ptr [ebp - 0x58], 0x7373 +0x41be4cL C745C443726561 mov dword ptr [ebp - 0x3c], 0x61657243 +0x41be53L C745C874654669 mov dword ptr [ebp - 0x38], 0x69466574 +0x41be5aL C745CC6C654100 mov dword ptr [ebp - 0x34], 0x41656c +0x41be61L C745B857726974 mov dword ptr [ebp - 0x48], 0x74697257 +0x41be68L C745BC6546696C mov dword ptr [ebp - 0x44], 0x6c694665 +0x41be6fL C745C065000000 mov dword ptr [ebp - 0x40], 0x65 +0x41be76L C745AC436C6F73 mov dword ptr [ebp - 0x54], 0x736f6c43 +0x41be7dL C745B06548616E mov dword ptr [ebp - 0x50], 0x6e614865 +0x41be84L C745B4646C6500 mov dword ptr [ebp - 0x4c], 0x656c64 +0x41be8bL 894DE8 mov dword ptr [ebp - 0x18], ecx + +*/ + +$chunk_3 = { + +C7 45 ?? 57 69 6E 45 +C7 45 ?? 78 65 63 00 +C7 45 ?? 47 65 74 50 +C7 45 ?? 72 6F 63 41 +C7 45 ?? 64 64 72 65 +C7 45 ?? 73 73 00 00 +C7 45 ?? 43 72 65 61 +C7 45 ?? 74 65 46 69 +C7 45 ?? 6C 65 41 00 +C7 45 ?? 57 72 69 74 +C7 45 ?? 65 46 69 6C +C7 45 ?? 65 00 00 00 +C7 45 ?? 43 6C 6F 73 +C7 45 ?? 65 48 61 6E +C7 45 ?? 64 6C 65 00 +89 4D ?? + +} + + + condition: + any of them +} diff --git a/yara-Neo23x0/apt_apt41.yar b/yara-Neo23x0/apt_apt41.yar new file mode 100644 index 0000000..355e85c --- /dev/null +++ b/yara-Neo23x0/apt_apt41.yar 
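Review bot: In `apt3_bemstour_strings` the `3 of ($smb_param*)` gate is weaker than it reads, because two strings are defined twice — `"PC NETWORK PROGRAM 1.0"` as `$smb_param_6` and `$smb_param_17`, `"Windows 2002 5.1"` as `$smb_param_16` and `$smb_param_18` — so a binary carrying just those two stock SMB dialect/OS strings already counts as four; dropping `$smb_param_17` and `$smb_param_18` (and filling the `$smb_param_11` gap) makes the threshold mean what it says. `$smb_param_5 = "Werttys for Workgroups 3.1a"` next to `$smb_param_19 = "Windows for Workgroups 3.1a"` looks like a transcription slip unless the sample really carries that string; worth checking against 0b28433a… before either line is touched. The two `*_implant_*` rules condition on `any of them` with no `uint16(0) == 0x5a4d` or filesize gate, so their wildcard stanzas are scanned over every file type — low false-positive risk given the pattern lengths, but inconsistent with the first rule and with the rest of the set, and a one-line `uint16(0) == 0x5a4d and any of them` would align them. The third rule's `description = "Detecs an implant…"` also needs the typo fixed.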
@@ -0,0 +1,267 @@ +/* + Yara Rule Set + Author: Florian Roth + Date: 2019-08-07 + Identifier: APT41 + Reference: https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html + License: https://creativecommons.org/licenses/by-nc/4.0/ +*/ + +/* Rule Set ----------------------------------------------------------------- */ + +import "pe" + +rule APT_APT41_POISONPLUG_3 { + meta: + description = "Detects APT41 malware POISONPLUG" + author = "Florian Roth (Nextron Systems)" + reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html" + date = "2019-08-07" + score = 80 + hash1 = "70c03ce5c80aca2d35a5555b0532eedede24d4cc6bdb32a2c8f7e630bba5f26e" + id = "e150dd69-c611-53de-9c7d-de28d3a208dc" + strings: + $s1 = "Rundll32.exe \"%s\", DisPlay 64" fullword ascii + $s2 = "tcpview.exe" fullword ascii + $s3 = "nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS" fullword ascii /* reversed goodware string 'Software\\Microsoft\\Windows\\CurrentVersion\\Run' */ + $s4 = "AxEeulaVteSgeR" fullword ascii /* reversed goodware string 'RegSetValueExA' */ + $s5 = "%04d-%02d-%02d_%02d-%02d-%02d.dmp" fullword ascii + condition: + uint16(0) == 0x5a4d and filesize < 900KB and 3 of them +} + +rule APT_APT41_POISONPLUG_SHADOW { + meta: + description = "Detects APT41 malware POISONPLUG SHADOW" + author = "Florian Roth (Nextron Systems)" + reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html" + date = "2019-08-07" + score = 85 + hash1 = "462a02a8094e833fd456baf0a6d4e18bb7dab1a9f74d5f163a8334921a4ffde8" + id = "e150dd69-c611-53de-9c7d-de28d3a208dc" + condition: + uint16(0) == 0x5a4d and filesize < 500KB and pe.imphash() == "c67de089f2009b21715744762fc484e8" +} + +rule APT_APT41_CRACKSHOT { + meta: + description = "Detects APT41 malware CRACKSHOT" + author = "Florian Roth (Nextron Systems)" + reference = 
"https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html" + date = "2019-08-07" + score = 85 + hash1 = "993d14d00b1463519fea78ca65d8529663f487cd76b67b3fd35440bcdf7a8e31" + id = "4ec34a77-dc7f-5f27-9f0a-c98438389018" + strings: + $x1 = ";procmon64.exe;netmon.exe;tcpview.exe;MiniSniffer.exe;smsniff.exe" ascii + + $s1 = "RunUrlBinInMem" fullword ascii + $s2 = "DownRunUrlFile" fullword ascii + $s3 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36" fullword ascii + $s4 = "%s|%s|%s|%s|%s|%s|%s|%dx%d|%04x|%08X|%s|%s" fullword ascii + condition: + uint16(0) == 0x5a4d and filesize < 250KB and ( 1 of ($x*) or 2 of them ) +} + +rule APT_APT41_POISONPLUG_2 { + meta: + description = "Detects APT41 malware POISONPLUG" + author = "Florian Roth (Nextron Systems)" + reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html" + date = "2019-08-07" + score = 70 + hash1 = "0055dfaccc952c99b1171ce431a02abfce5c6f8fb5dc39e4019b624a7d03bfcb" + id = "e150dd69-c611-53de-9c7d-de28d3a208dc" + strings: + $s1 = "ma_lockdown_service.dll" fullword wide + $s2 = "acbde.dll" fullword ascii + $s3 = "MA lockdown Service" fullword wide + $s4 = "McAfee Agent" fullword wide + condition: + uint16(0) == 0x5a4d and filesize < 11000KB and all of them +} + +rule APT_APT41_POISONPLUG { + meta: + description = "Detects APT41 malware POISONPLUG" + author = "Florian Roth (Nextron Systems)" + reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html" + date = "2019-08-07" + score = 80 + hash1 = "2eea29d83f485897e2bac9501ef000cc266ffe10019d8c529555a3435ac4aabd" + hash2 = "5d971ed3947597fbb7e51d806647b37d64d9fe915b35c7c9eaf79a37b82dab90" + hash3 = "f4d57acde4bc546a10cd199c70cdad09f576fdfe66a36b08a00c19ff6ae19661" + hash4 = "3e6c4e97cc09d0432fbbbf3f3e424d4aa967d3073b6002305cd6573c47f0341f" + 
id = "e150dd69-c611-53de-9c7d-de28d3a208dc" + strings: + $s1 = "TSMSISrv.DLL" fullword wide + $s2 = "[-]write failed[%d]" fullword ascii + $s3 = "[-]load failed" fullword ascii + $s4 = "Remote Desktop Services" fullword wide + condition: + uint16(0) == 0x5a4d and filesize < 10000KB and ( + pe.imphash() == "1b074ef7a1c0888ef31337c8ad2f2e0a" or + 2 of them + ) +} + +rule APT_APT41_HIGHNOON { + meta: + description = "Detects APT41 malware HIGHNOON" + author = "Florian Roth (Nextron Systems)" + reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html" + date = "2019-08-07" + score = 85 + hash1 = "63e8ed9692810d562adb80f27bb1aeaf48849e468bf5fd157bc83ca83139b6d7" + hash2 = "4aa6970cac04ace4a930de67d4c18106cf4004ba66670cfcdaa77a4c4821a213" + id = "6611fb04-7237-52d1-b29f-941c3853aeca" + strings: + $x1 = "workdll64.dll" fullword ascii + + $s1 = "\\Fonts\\Error.log" ascii + $s2 = "[%d/%d/%d/%d:%d:%d]" fullword ascii + $s3 = "work_end" fullword ascii + $s4 = "work_start" fullword ascii + $s5 = "\\svchost.exe" ascii + $s6 = "LoadAppInit_DLLs" fullword ascii + $s7 = "netsvcs" fullword ascii + $s8 = "HookAPIs ...PID %d " fullword ascii + $s9 = "SOFTWARE\\Microsoft\\HTMLHelp" fullword ascii + $s0 = "DllMain_mem" fullword ascii + $s10 = "%s\\NtKlRes.dat" fullword ascii + $s11 = "Global\\%s-%d" fullword ascii + condition: + uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) or 4 of them ) +} + +rule APT_APT41_HIGHNOON_2 { + meta: + description = "Detects APT41 malware HIGHNOON" + author = "Florian Roth (Nextron Systems)" + reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html" + date = "2019-08-07" + hash1 = "79190925bd1c3fae65b0d11db40ac8e61fb9326ccfed9b7e09084b891089602d" + id = "1e48d859-2da9-583e-80e5-8d59054cfb85" + strings: + $x1 = "H:\\RBDoor\\" ascii + + $s1 = "PlusDll.dll" fullword ascii + $s2 = "ShutDownEvent.dll" fullword ascii + $s3 = 
"\\svchost.exe" ascii + condition: + uint16(0) == 0x5a4d and filesize < 600KB and ( + pe.imphash() == "b70358b00dd0138566ac940d0da26a03" or + pe.exports("DllMain_mem") or + $x1 or 3 of them + ) +} + +rule APT_APT41_HIGHNOON_BIN { + meta: + description = "Detects APT41 malware HIGHNOON.BIN" + author = "Florian Roth (Nextron Systems)" + reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html" + date = "2019-08-07" + score = 90 + hash1 = "490c3e4af829e85751a44d21b25de1781cfe4961afdef6bb5759d9451f530994" + hash2 = "79190925bd1c3fae65b0d11db40ac8e61fb9326ccfed9b7e09084b891089602d" + id = "c8bd62b4-b882-5c04-aace-76dd4a21a784" + strings: + $s1 = "PlusDll.dll" fullword ascii + $s2 = "\\Device\\PORTLESS_DeviceName" wide + $s3 = "%s%s\\Security" fullword ascii + $s4 = "%s\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" fullword ascii + $s5 = "%s%s\\Enum" fullword ascii + condition: + uint16(0) == 0x5a4d and filesize < 600KB and ( + pe.imphash() == "b70358b00dd0138566ac940d0da26a03" or + 3 of them + ) +} + +rule APT_APT41_HIGHNOON_BIN_2 { + meta: + description = "Detects APT41 malware HIGHNOON.BIN" + author = "Florian Roth (Nextron Systems)" + reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html" + date = "2019-08-07" + score = 85 + hash1 = "63e8ed9692810d562adb80f27bb1aeaf48849e468bf5fd157bc83ca83139b6d7" + hash2 = "c51c5bbc6f59407286276ce07f0f7ea994e76216e0abe34cbf20f1b1cbd9446d" + id = "37d6a44d-7811-5e87-84e2-b2a8b3da3124" + strings: + $x1 = "\\Double\\Door_wh\\" ascii + $x2 = "[Stone] Config --> 2k3 TCP Positive Logout." 
fullword ascii + $x3 = "\\RbDoorX64.pdb" ascii + $x4 = "RbDoor, Version 1.0" fullword wide + $x5 = "About RbDoor" fullword wide + condition: + uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them +} + +rule APT_APT41_RevokedCert_Aug19_1 { + meta: + description = "Detects revoked certificates used by APT41 group" + author = "Florian Roth (Nextron Systems)" + reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html" + date = "2019-08-07" + score = 60 + id = "f107cc42-58ec-500d-b1c3-27e9e00826aa" + condition: + uint16(0) == 0x5a4d and + for any i in (0 .. pe.number_of_signatures) : ( + pe.signatures[i].serial == "0b:72:79:06:8b:eb:15:ff:e8:06:0d:2c:56:15:3c:35" or + pe.signatures[i].serial == "63:66:a9:ac:97:df:4d:e1:73:66:94:3c:9b:29:1a:aa" or + pe.signatures[i].serial == "01:00:00:00:00:01:30:73:85:f7:02" or + pe.signatures[i].serial == "14:0d:2c:51:5e:8e:e9:73:9b:b5:f1:b2:63:7d:c4:78" or + pe.signatures[i].serial == "7b:d5:58:18:c5:97:1b:63:dc:45:cf:57:cb:eb:95:0b" or + pe.signatures[i].serial == "53:0c:e1:4c:81:f3:62:10:a1:68:2a:ff:17:9e:25:80" or + pe.signatures[i].serial == "54:c6:c1:40:6f:b4:ac:b5:d2:06:74:e9:93:92:c6:3e" or + pe.signatures[i].serial == "fd:f2:83:7d:ac:12:b7:bb:30:ad:05:8f:99:9e:cf:00" or + pe.signatures[i].serial == "18:63:79:57:5a:31:46:e2:6b:ef:c9:0a:58:0d:1b:d2" or + pe.signatures[i].serial == "5c:2f:97:a3:1a:bc:32:b0:8c:ac:01:00:59:8f:32:f6" or + pe.signatures[i].serial == "4c:0b:2e:9d:2e:f9:09:d1:52:70:d4:dd:7f:a5:a4:a5" or + pe.signatures[i].serial == "58:01:5a:cd:50:1f:c9:c3:44:26:4e:ac:e2:ce:57:30" or + pe.signatures[i].serial == "47:6b:f2:4a:4b:1e:9f:4b:c2:a6:1b:15:21:15:e1:fe" or + pe.signatures[i].serial == "30:d3:c1:67:26:5b:52:0c:b8:7f:25:84:4f:95:cb:04" or + pe.signatures[i].serial == "1e:52:bb:f5:c9:0e:c1:64:d0:5b:e0:e4:16:61:52:5f" or + pe.signatures[i].serial == "25:f8:78:22:de:56:d3:98:21:59:28:73:ea:09:ca:37" or + pe.signatures[i].serial == 
"67:24:34:0d:db:c7:25:2f:7f:b7:14:b8:12:a5:c0:4d" + ) +} + +rule APT_APT41_CN_ELF_Speculoos_Backdoor { + meta: + description = "Detects Speculoos Backdoor used by APT41" + author = "Florian Roth (Nextron Systems)" + reference = "https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/" + date = "2020-04-14" + score = 90 + hash1 = "6943fbb194317d344ca9911b7abb11b684d3dca4c29adcbcff39291822902167" + hash2 = "99c5dbeb545af3ef1f0f9643449015988c4e02bf8a7164b5d6c86f67e6dc2d28" + id = "efe2b368-33af-5382-a5f0-0e7dd7f4dea4" + strings: + $xc1 = { 2F 70 72 69 76 61 74 65 2F 76 61 72 00 68 77 2E + 70 68 79 73 6D 65 6D 00 68 77 2E 75 73 65 72 6D + 65 6D 00 4E 41 2D 4E 41 2D 4E 41 2D 4E 41 2D 4E + 41 2D 4E 41 00 6C 6F 30 00 00 00 00 25 30 32 78 + 2D 25 30 32 78 2D 25 30 32 78 2D 25 30 32 78 2D + 25 30 32 78 2D 25 30 32 78 0A 00 72 00 4E 41 00 + 75 6E 61 6D 65 20 2D 76 } + + $s1 = "badshell" ascii fullword + $s2 = "hw.physmem" ascii fullword + $s3 = "uname -v" ascii fullword + $s4 = "uname -s" ascii fullword + $s5 = "machdep.tsc_freq" ascii fullword + $s6 = "/usr/sbin/config.bak" ascii fullword + $s7 = "enter MessageLoop..." ascii fullword + $s8 = "exit StartCBProcess..." ascii fullword + + $sc1 = { 72 6D 20 2D 72 66 20 22 25 73 22 00 2F 70 72 6F + 63 2F } + condition: + uint16(0) == 0x457f and + filesize < 600KB and + 1 of ($x*) or 4 of them +} diff --git a/yara-Neo23x0/apt_apt6_malware.yar b/yara-Neo23x0/apt_apt6_malware.yar new file mode 100644 index 0000000..a70ce8b --- /dev/null +++ b/yara-Neo23x0/apt_apt6_malware.yar 
@@ -0,0 +1,55 @@
+/*
+ Yara Rule Set
+ Author: Florian Roth
+ Date: 2016-04-09
+ Identifier: APT 6 Malware
+*/
+
+rule APT6_Malware_Sample_Gen : FILE {
+ meta:
+ description = "Rule written for 2 malware samples that communicated to APT6 C2 servers"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://otx.alienvault.com/pulse/56c4d1664637f26ad04e5b73/"
+ date = "2016-04-09"
+ modified = "2023-01-06"
+ score = 80
+ hash1 = "321ec239bfa6927d39155ef5f10741ed786219489bbbb1dc8fee66e22f9f8e80"
+ hash2 = "7aef130b19d1f940e4c4cee6efe0f190f1402d2e0f741ee605c77518a04cb6d7"
+ id = "142d2714-f7bf-5725-bf7e-9497be7ed234"
+ strings:
+ /* Specific strings from samples */
+ $x2 = "SPCK!it is a [(?riddle?) wrapped in a {mystery}] inside an !" fullword ascii
+ $x3 = "636C7369643A46334430443336462D323346382D343638322D413139352D373443393242303344344146" fullword ascii
+
+ /* Malware Strings */
+ $s1 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" fullword ascii
+ $s2 = "DUMPTHIN" fullword ascii
+ $s3 = "\"C:\\WINDOWS\\system32\\" ascii
+ $s4 = "window.eval(f.decodeURIComponent(a));" fullword ascii
+ $s5 = "/tbedrs.dll" fullword ascii
+ $s6 = "NSISDL/1.2 (Mozilla)" fullword ascii
+ $s7 = "NSIS_Inetc (Mozilla)" fullword ascii
+ $s8 = "/logos.gif" fullword ascii
+ $s9 = "synflood" fullword ascii
+ $s10 = "IconFile=C:\\WINDOWS\\system32\\SHELL32.dll" fullword ascii
+ $s11 = "udpflood" fullword ascii
+ $s12 = "shellcode" fullword ascii
+ $s13 = "&PassWord=" fullword ascii
+ $s14 = "SystemPropertiesProtection.exe" fullword ascii
+ $s15 = "SystemPropertiesRemote.exe" fullword ascii
+
+ /* C2 Server user by APT 6 group */
+ $c1 = "jobcall.org" ascii
+ $c2 = "sportsinfinite.com" ascii
+ $c3 = "milsatcom.us" ascii
+ $c4 = "geographicphotographer.com" ascii
+ $c5 = "snowsmooth.com" ascii
+ $c6 = "goodre.net" ascii
+ $c7 = "gloflabs.com" ascii
+ condition:
+ (
+ uint16(0) == 0x5a4d and filesize < 1000KB and
+ ( ( 1 of ($x*) and 3 of ($s*) ) or 1 of ($c*) )
+ ) or
+ ( 6 of them )
+}
diff --git a/yara-Neo23x0/apt_ar18_165a.yar b/yara-Neo23x0/apt_ar18_165a.yar
new file mode 100644
index 0000000..a21524c
--- /dev/null
+++ b/yara-Neo23x0/apt_ar18_165a.yar
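Review bot: The second branch of `APT6_Malware_Sample_Gen`, `( 6 of them )`, has neither the `uint16(0) == 0x5a4d` nor the `filesize < 1000KB` gate the first branch has, and every string is plain `ascii`, so any text file that lists six of them — an IOC write-up, an incident report, or this `.yar` file itself when the signature directory is scanned — matches at score 80. The `$s*` set also holds generic tokens (`shellcode`, `synflood`, `udpflood`, `&PassWord=`, the MSIE 9.0 user agent) that legitimately occur in security tooling and documentation. Suggest at least `( filesize < 1000KB and 6 of them )`, or anchoring that branch on sample-specific or C2 evidence, e.g. `( 6 of them and ( 1 of ($x*) or 1 of ($c*) ) )`. The `$x` numbering starting at `$x2` suggests a `$x1` was removed; harmless, but worth renumbering so the gap does not look like a lost string.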
@@ -0,0 +1,76 @@
+
+rule APT_HiddenCobra_enc_PK_header {
+ meta:
+ author = "NCCIC trusted 3rd party - Edit: Tobias Michalski"
+ incident = "10135536"
+ date = "2018-04-12"
+ category = "hidden_cobra"
+ family = "TYPEFRAME"
+ hash0 = "3229a6cea658b1b3ca5ca9ad7b40d8d4"
+ reference = "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
+ description = "Hidden Cobra - Detects trojan with encrypted header"
+ id = "5d7001b3-162c-5a97-a740-1b8e33d4aa9e"
+ strings:
+ $s0 = { 5f a8 80 c5 a0 87 c7 f0 9e e6 }
+ $s1 = { 95 f1 6e 9c 3f c1 2c 88 a0 5a }
+ $s2 = { ae 1d af 74 c0 f5 e1 02 50 10 }
+ condition:
+ (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
+}
+
+rule APT_HiddenCobra_import_obfuscation_2 {
+ meta:
+ author = "NCCIC trusted 3rd party - Edit: Tobias Michalski"
+ incident = "10135536"
+ date = "2018-04-12"
+ category = "hidden_cobra"
+ family = "TYPEFRAME"
+ hash0 = "bfb41bc0c3856aa0a81a5256b7b8da51"
+ reference = "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
+ description = "Hidden Cobra - Detects remote access trojan"
+ id = "bc139580-a55b-514f-8a4e-ca1402ce3ad9"
+ strings:
+ $s0 = {A6 D6 02 EB 4E B2 41 EB C3 EF 1F}
+ $s1 = {B6 DF 01 FD 48 B5 }
+ $s2 = {B6 D5 0E F3 4E B5 }
+ $s3 = {B7 DF 0E EE }
+ $s4 = {B6 DF 03 FC }
+ $s5 = {A7 D3 03 FC }
+ condition:
+ (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
+}
+
+rule APT_NK_AR18_165A_HiddenCobra_import_deob {
+ meta:
+ author = "NCCIC trusted 3rd party - Edit: Tobias Michalski"
+ incident = "10135536"
+ date = "2018-04-12"
+ category = "hidden_cobra"
+ family = "TYPEFRAME"
+ md5 = "ae769e62fef4a1709c12c9046301aa5d"
+ md5 = "e48fe20eblf5a5887f2ac631fed9ed63"
+ reference = "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
+ description = "Hidden Cobra - Detects installed proxy module as a service"
+ id = "f403d589-be35-57a7-9675-f92657c11acc"
+ strings:
+ $ = { 8a 01 3c 62 7c 0a 3c 79 7f 06 b2 db 2a d0 88 11 8a 41 01 41 84 c0 75 e8}
+ $ = { 8A 
08 80 F9 62 7C 0B 80 F9 79 7F 06 82 DB 2A D1 88 10 8A 48 01 40 84 C9 75 E6}
+ condition:
+ (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
+}
+
+rule APT_NK_AR18_165A_1 {
+ meta:
+ description = "Detects APT malware from AR18-165A report by US CERT"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
+ date = "2018-06-15"
+ hash1 = "089e49de61701004a5eff6de65476ed9c7632b6020c2c0f38bb5761bca897359"
+ id = "45f5205d-7f69-5646-aef8-f95d139f9720"
+ strings:
+ $s1 = "netsh.exe advfirewall firewall add rule name=\"PortOpenning\" dir=in protocol=tcp localport=%d action=allow enable=yes" fullword wide
+ $s2 = "netsh.exe firewall add portopening TCP %d \"PortOpenning\" enable" fullword wide
+ condition:
+ uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them
+}
diff --git a/yara-Neo23x0/apt_area1_phishing_diplomacy.yar b/yara-Neo23x0/apt_area1_phishing_diplomacy.yar
new file mode 100644
index 0000000..bc4b015
--- /dev/null
+++ b/yara-Neo23x0/apt_area1_phishing_diplomacy.yar
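Review bot: In `APT_NK_AR18_165A_HiddenCobra_import_deob` the second `md5 = "e48fe20eblf5a5887f2ac631fed9ed63"` is not a valid hash — its ninth character is a lowercase `l`, not a hex digit — so anyone pivoting on it gets nothing; it needs to be re-checked against the AR18-165A report rather than guessed. The second hex string in the same rule opens its byte mutation with `82 DB 2A D1 88 10`, while the first uses `b2 db 2a d0 88 11` (`mov dl, 0xDB; sub dl, al; mov [ecx], dl`); `82` is the 0x80-group opcode and does not decode to the same sequence, whereas `B2 DB 2A D1 88 10` (`mov dl, 0xDB; sub dl, cl; mov [eax], dl`) is the exact register-swapped twin of the first pattern, so this looks like a B2→82 transcription slip — verify against the source bytes before changing it, since as written the pattern can never match the variant it describes. Both issues come from the vendor text, but they ship with this commit.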
@@ -0,0 +1,46 @@
+
+rule APT_Area1_SSF_PlugX {
+ meta:
+ description = "Detects send tool used in phishing campaign reported by Area 1 in December 2018"
+ reference = "https://cdn.area1security.com/reports/Area-1-Security-PhishingDiplomacy.pdf"
+ date = "2018-12-19"
+ author = "Area 1"
+ id = "a5b4e781-f0d1-55df-926c-2d321aa48139"
+ strings:
+ $feature_call = { 8b 0? 56 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ??
+ 6a 07 6a ff ff d0 8b f0 85 f6 74 14 }
+ $keylogger_reg = { 8b 4d 08 6a 0c 6a 01 8d 55 f4 52 c7 45 f4 01 00 06 00
+ c7 45 f8 00 01 00 00 89 4d fc ff d0 85 c0 75 1d }
+ $file_op = { 55 8b ec 83 ec 20 0f b7 56 18 8b 46 10 66 8b 4e 14 89 45 e4
+ 8d 44 32 10 66 89 4d f0 0f b7 4e 1a 57 89 45 e8 33 ff 8d 45 e0 8d 54
+ 31 10 50 89 7d e0 89 55 ec c7 45 fa ?? ?? ?? ?? 89 7d f2 89 7d f6 ff
+ 15 1c 43 02 10 }
+ $ver_cmp = { 0f b6 8d b0 fe ff ff 0f b6 95 b4 fe ff ff 66 c1 e1 08 0f b7
+ c1 0b c2 3d 02 05 00 00 7f 2c }
+ $regedit = { c7 06 23 01 12 20 c7 46 04 01 90 00 00 89 5e 0c 89 5e 08 e8
+ 51 fb ff ff 8b 4d 08 8b 50 38 68 30 75 00 00 56 51 ff d2 }
+ $get_device_caps = { 8b 1d ?? ?? ?? ?? 6a 08 50 ff d3 0f b7 56 12 8b c8 0f af ca
+ b8 1f 85 eb 51 f7 e9 c1 fa 05 8b c2 c1 e8 1f 03 c2 89 45 f8 8b 45 f0 6a 0a 50 ff d3
+ 0f b7 56 14 8b c8 0f af ca b8 1f 85 eb 51 }
+ condition:
+ 3 of them
+}
+
+rule APT_Area1_SSF_GoogleSend_Strings {
+ meta:
+ description = "Detects send tool used in phishing campaign reported by Area 1 in December 2018"
+ reference = "https://cdn.area1security.com/reports/Area-1-Security-PhishingDiplomacy.pdf"
+ date = "2018-12-19"
+ author = "Area 1 (modified by Florian Roth)"
+ id = "66a2faa1-b133-528c-91a9-06a43d2c00a0"
+ strings:
+ $conf = "RefreshToken.ini" wide
+ $client_id = "Enter your client ID here" wide
+ $client_secret = "Enter your client secret here" wide
+ $status = "We are going to send" wide
+ $s1 = { b8 00 01 00 00 f0 0f b0 23 74 94 f3 90 80 3d ?? ?? ?? ?? 00 75 ??
+ 51 52 6a 00 e8 ?? ?? ?? ?? 5a 59 b8 00 01 00 00 f0 0f b0
+ 23 0f ?? 
?? ?? ?? ?? 51 52 6a 0a e8 ?? ?? ?? ?? 5a 59 eb c3 }
+ condition:
+ uint16(0) == 0x5a4d and 3 of them
+}
diff --git a/yara-Neo23x0/apt_aus_parl_compromise.yar b/yara-Neo23x0/apt_aus_parl_compromise.yar
new file mode 100644
index 0000000..67adaea
--- /dev/null
+++ b/yara-Neo23x0/apt_aus_parl_compromise.yar
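Review bot: `APT_Area1_SSF_PlugX` carries `description = "Detects send tool used in phishing campaign…"`, which is word-for-word the description of the following `APT_Area1_SSF_GoogleSend_Strings` rule; its own strings (`$keylogger_reg`, `$regedit`, `$get_device_caps`) describe an implant rather than a sending utility, so the meta looks copy-pasted and should match the rule name, e.g. `description = "Detects PlugX variant used in phishing campaign reported by Area 1 in December 2018"`. In the same rule `$file_op` ends with `ff 15 1c 43 02 10`, an indirect call through the absolute address 0x1002431c; that ties the pattern to one build's image base and import-table layout, and any relinked or rebased variant silently stops matching, so `ff 15 ?? ?? ?? ??` keeps the other 65 bytes as the signal without the brittle operand. `APT_Area1_SSF_GoogleSend_Strings` accepts `3 of them` where three of its five strings (`Enter your client ID here`, `Enter your client secret here`, `RefreshToken.ini`) read like placeholder text a benign OAuth sample tool could also ship; if that false-positive surface matters in this deployment, requiring `$s1` or `$status` alongside two of the text strings would tighten it.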
@@ -0,0 +1,172 @@
+/*
+ YARA Rule Set
+ Author: Florian Roth
+ Date: 2019-02-18
+ Identifier: Compromise of the Australian Parliament House network
+ Reference: https://cyber.gov.au/government/news/parliament-house-network-compromise/
+ https://twitter.com/cyb3rops/status/1097423665472376832
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule APT_WebShell_Tiny_1 {
+ meta:
+ description = "Detetcs a tiny webshell involved in the Australian Parliament House network compromise"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
+ date = "2019-02-18"
+ id = "e65a8920-0684-5aae-a2b8-079c2beae08a"
+ strings:
+ $x1 = "eval(" ascii wide
+ condition:
+ ( uint16(0) == 0x3f3c or uint16(0) == 0x253c ) and filesize < 40 and $x1
+}
+
+rule APT_WebShell_AUS_Tiny_2 {
+ meta:
+ description = "Detetcs a tiny webshell involved in the Australian Parliament House network compromise"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
+ date = "2019-02-18"
+ hash1 = "0d6209d86f77a0a69451b0f27b476580c14e0cda15fa6a5003aab57a93e7e5a5"
+ id = "4746d4ce-628a-59b0-9032-7e0759d96ad3"
+ strings:
+ $x1 = "Request.Item[System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(\"[password]\"))];" ascii
+ $x2 = "eval(arguments,System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(\"" ascii
+ condition:
+ ( uint16(0) == 0x3f3c or uint16(0) == 0x253c ) and filesize < 1KB and 1 of them
+}
+
+rule APT_WebShell_AUS_JScript_3 {
+ meta:
+ description = "Detetcs a webshell involved in the Australian Parliament House network compromise"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
+ date = "2019-02-18"
+ hash1 = "7ac6f973f7fccf8c3d58d766dec4ab7eb6867a487aa71bc11d5f05da9322582d"
+ id = "ff7e780b-ccf9-53b6-b741-f04a8cbaf580"
+ strings:
+ $s1 = "<%@ Page Language=\"Jscript\" validateRequest=\"false\"%><%try{eval(System.Text.Encoding.UTF8.GetString(Convert.FromBase64String" ascii
+ $s2 = ".Item[\"[password]\"])),\"unsafe\");}" ascii
+ condition:
+ uint16(0) == 0x6568 and filesize < 1KB and all of them
+}
+
+
+rule APT_WebShell_AUS_4 {
+ meta:
+ description = "Detetcs a webshell involved in the Australian Parliament House network compromise"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
+ date = "2019-02-18"
+ hash1 = "83321c02339bb51735fbcd9a80c056bd3b89655f3dc41e5fef07ca46af09bb71"
+ id = "bb5b10d1-3528-5361-92fc-8440c65dcda4"
+ strings:
+ $s1 = "wProxy.Credentials = new System.Net.NetworkCredential(pusr, ppwd);" fullword ascii
+ $s2 = "{return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(" ascii
+ $s3 = ".Equals('User-Agent', StringComparison.OrdinalIgnoreCase))" ascii
+ $s4 = "gen.Emit(System.Reflection.Emit.OpCodes.Ret);" fullword ascii
+ condition:
+ uint16(0) == 0x7566 and filesize < 10KB and 3 of them
+}
+
+rule APT_Script_AUS_4 {
+ meta:
+ description = "Detetcs a script involved in the Australian Parliament House network compromise"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
+ date = "2019-02-18"
+ hash1 = "fdf15f388a511a63fbad223e6edb259abdd4009ec81fcc87ce84f0f2024c8057"
+ id = "5cbf2476-5ce8-540d-b87b-e400daf49b43"
+ strings:
+ $x1 = "myMutex = CreateMutex(0, 1, \"teX23stNew\")" fullword ascii
+ $x2 = "mmpath = Environ(appdataPath) & \"\\\" & \"Microsoft\" & \"\\\" & \"mm.accdb\"" fullword ascii
+ $x3 = "Dim mmpath As String, newmmpath As String, appdataPath As String" fullword ascii
+ $x4 = "'MsgBox \"myMutex Created\" Do noting" fullword ascii
+ $x5 = "appdataPath = \"app\" & \"DatA\"" fullword ascii
+ $x6 = ".DoCmd.Close , , acSaveYes" fullword ascii
+ condition:
+ filesize < 7KB and 1 of them
+}
+
+rule APT_WebShell_AUS_5 {
+ meta:
+ description = "Detetcs a webshell involved in the Australian Parliament House network compromise"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
+ date = "2019-02-18"
+ hash1 = "54a17fb257db2d09d61af510753fd5aa00537638a81d0a8762a5645b4ef977e4"
+ id = "59b3f6aa-2d3b-54b4-b543-57bd9d981e87"
+ strings:
+ $a1 = "function DEC(d){return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(d));}" fullword ascii
+ $a2 = "function ENC(d){return Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(d));}" fullword ascii
+
+ $s1 = "var hash=DEC(Request.Item['" ascii
+ $s2 = "Response.Write(ENC(SET_ASS_SUCCESS));" fullword ascii
+ $s3 = "hashtable[hash] = assCode;" fullword ascii
+ $s4 = "Response.Write(ss);" fullword ascii
+ $s5 = "var hashtable = Application[CachePtr];" fullword ascii
+ condition:
+ uint16(0) == 0x7566 and filesize < 2KB and 4 of them
+}
+
+rule HKTL_LazyCat_LogEraser {
+ meta:
+ description = "Detetcs a tool used in the Australian Parliament House network compromise"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
+ date = "2019-02-18"
+ hash1 = "1c113dce265e4d744245a7c55dadc80199ae972a9e0ecbd0c5ced57067cf755b"
+ hash2 = "510375f8142b3651df67d42c3eff8d2d880987c0e057fc75a5583f36de34bf0e"
+ id = "a3d74657-a389-5482-ab26-966e790afd50"
+ strings:
+ $x1 = "LazyCat.dll" ascii wide fullword
+ $x2 = ".local_privilege_escalation.rotten_potato" ascii wide
+ $x3 = "LazyCat.Extension" ascii wide
+ $x4 = " MEOWof" ascii wide
+ $x5 = "VirtualSite: {0}, Address: {1:X16}, Name: {2}, Handle: {3:X16}, LogPath: {4}" fullword wide
+
+ $s1 = "LazyCat" fullword ascii wide
+ $s2 = "$e3ff37f2-85d7-4b24-a385-7eeb1f5a9562"
+ $s3 = "local -> remote {0} bytes"
+ $s4 = "remote -> local {0} bytes"
+ condition:
+ 3 of them
+}
+
+rule HKTL_PowerKatz_Feb19_1 {
+ meta:
+ description = "Detetcs a tool used in the Australian Parliament House network compromise"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
+ date = "2019-02-18"
+ id = "294d6f6c-dbc8-5431-87a0-64abe582c4ea"
+ strings:
+ $x1 = "Powerkatz32" ascii wide fullword
+ $x2 = "Powerkatz64" ascii wide
+
+ $s1 = "GetData: not found taskName" fullword ascii wide
+ $s2 = "GetRes Ex:" fullword ascii wide
+ condition:
+ 1 of ($x*) and 1 of ($s*)
+}
+
+rule HKTL_Unknown_Feb19_1 {
+ meta:
+ description = "Detetcs a tool used in the Australian Parliament House network compromise"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
+ date = "2019-02-18"
+ id = "bdcadc4b-8881-5dc7-b203-4e79cbc850ed"
+ strings:
+ $x1 = "not a valid timeout format!" ascii wide fullword
+ $x2 = "host can not be empty!" ascii wide fullword
+ $x3 = "not a valid port format!" ascii wide fullword
+ $x4 = "{0} - {1} TTL={2} time={3}" ascii wide fullword
+ $x5 = "ping count is not a correct format!" ascii wide fullword
+
+ $s1 = "The result is too large,program store to '{0}'.Please download it manully." fullword ascii wide
+ $s2 = "C:\\Windows\\temp\\" ascii wide
+ condition:
+ 1 of ($x*) or 2 of them
+}
diff --git a/yara-Neo23x0/apt_babyshark.yar b/yara-Neo23x0/apt_babyshark.yar
new file mode 100644
index 0000000..e66a863
--- /dev/null
+++ b/yara-Neo23x0/apt_babyshark.yar
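Review bot: Every `description` in this file, from `APT_WebShell_Tiny_1` through `HKTL_Unknown_Feb19_1`, misspells "Detects" as "Detetcs"; the description is what lands in scanner alerts and reports, so it is worth correcting at import, e.g. `description = "Detects a tiny webshell involved in the Australian Parliament House network compromise"`. Two rules share the numeric suffix `_4` (`APT_WebShell_AUS_4` and `APT_Script_AUS_4`) while the rest are numbered sequentially, which reads like a copy-paste leftover. In `HKTL_Unknown_Feb19_1` the `2 of them` branch is satisfied by `$s1` plus the very common path `$s2 = "C:\\Windows\\temp\\"` with no `$x` string at all; that is presumably intended, but it is the loosest condition in the file and deserves a one-line comment saying so.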
@@ -0,0 +1,53 @@
+
+import "pe"
+
+rule MAL_PE_Type_BabyShark_Loader {
+ meta:
+ description = "Detects PE Type babyShark loader mentioned in February 2019 blog post by PaloAltNetworks"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/"
+ date = "2019-02-24"
+ hash1 = "6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c"
+ id = "141e7a67-7930-5fd8-ac91-5d31b99e4ff3"
+ strings:
+ $x1 = "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\" /v AutoRun /t REG_SZ /d \"%s\" /f" fullword ascii
+ $x2 = /mshta\.exe http:\/\/[a-z0-9\.\/]{5,30}\.hta/
+
+ $xc1 = { 57 69 6E 45 78 65 63 00 6B 65 72 6E 65 6C 33 32
+ 2E 44 4C 4C 00 00 00 00 } /* WinExec kernel32.DLL */
+ condition:
+ uint16(0) == 0x5a4d and (
+ pe.imphash() == "57b6d88707d9cd1c87169076c24f962e" or
+ 1 of them or
+ for any i in (0 .. pe.number_of_signatures) : (
+ pe.signatures[i].issuer contains "thawte SHA256 Code Signing CA" and
+ pe.signatures[i].serial == "0f:ff:e4:32:a5:3f:f0:3b:92:23:f8:8b:e1:b8:3d:9d"
+ )
+ )
+}
+
+rule APT_NK_BabyShark_KimJoingRAT_Apr19_1 {
+ meta:
+ description = "Detects BabyShark KimJongRAT"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/"
+ date = "2019-04-27"
+ hash1 = "d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712"
+ id = "c6bd1e1a-68f2-5a2d-a159-b16ea0d33987"
+ strings:
+ $x1 = "%s\\Microsoft\\ttmp.log" fullword wide
+
+ $a1 = "logins.json" fullword ascii
+
+ $s1 = "https://www.google.com/accounts/servicelogin" fullword ascii
+ $s2 = "https://login.yahoo.com/config/login" fullword ascii
+ $s3 = "SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login" ascii
+ $s4 = "\\mozsqlite3.dll" ascii
+ $s5 = "SMTP Password" fullword ascii
+ $s6 = "Yandex\\YandexBrowser\\User Data\\Default\\Login Data" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 2000KB and (
+ 1 of ($x*) or
+ ( $a1 and 3 of ($s*) )
+ )
+}
diff --git a/yara-Neo23x0/apt_backdoor_ssh_python.yar b/yara-Neo23x0/apt_backdoor_ssh_python.yar
new file mode 100644
index 0000000..3e0a9da
--- /dev/null
+++ b/yara-Neo23x0/apt_backdoor_ssh_python.yar
@@ -0,0 +1,17 @@
+
+rule custom_ssh_backdoor_server {
+ meta:
+ description = "Custome SSH backdoor based on python and paramiko - file server.py"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/S46L3o"
+ date = "2015-05-14"
+ modified = "2022-08-18"
+ hash = "0953b6c2181249b94282ca5736471f85d80d41c9"
+ id = "eccf705b-b2c3-5af6-ab86-70292089812b"
+ strings:
+ $s0 = "command= raw_input(\"Enter command: \").strip('n')" fullword ascii
+ $s1 = "print '[-] (Failed to load moduli -- gex will be unsupported.)'" fullword ascii
+ $s2 = "print '[-] Listen/bind/accept failed: ' + str(e)" fullword ascii
+ condition:
+ 2 of them
+}
diff --git a/yara-Neo23x0/apt_backdoor_sunburst_fnv1a_experimental.yar b/yara-Neo23x0/apt_backdoor_sunburst_fnv1a_experimental.yar
new file mode 100644
index 0000000..edd0e96
--- /dev/null
+++ b/yara-Neo23x0/apt_backdoor_sunburst_fnv1a_experimental.yar
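Review bot: In `MAL_PE_Type_BabyShark_Loader` the signature loop iterates `(0 .. pe.number_of_signatures)`, and YARA ranges are inclusive, so the final iteration indexes one past the end of `pe.signatures`; the conventional form is `for any i in (0 .. pe.number_of_signatures - 1) : (`. As far as I can tell the out-of-range access only evaluates to undefined and that iteration fails, so this is a correctness nit rather than a false-match risk. The rule name `APT_NK_BabyShark_KimJoingRAT_Apr19_1` spells the family "KimJoingRAT" while its own description says "KimJongRAT"; since rule identifiers are referenced by downstream tooling, a rename should be a deliberate, separately announced change rather than a silent edit.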
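Review bot: `custom_ssh_backdoor_server` records `reference = "https://goo.gl/S46L3o"`, an opaque shortlink that tells a reader nothing about the source and, given Google's announced shutdown of the goo.gl service, cannot be relied on to resolve; the expanded URL should be captured at import. The same applies to `BeepService_Hacktool` (`https://goo.gl/p32Ozf`) and `BlackEnergy_BE_2` (`http://goo.gl/DThzLz`) later in this diff. The description also misspells "Custom" as "Custome", and the condition `2 of them` has no `filesize` cap, unlike most rules in this series, so the three strings are searched in every file regardless of size.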
@@ -0,0 +1,47 @@
+
+rule APT_fnv1a_plus_extra_XOR_in_MSIL_experimental
+{
+ meta:
+ description = "This rule detects the specific MSIL implementation of fnv1a of the SUNBURST backdoor (standard fnv1a + one final XOR before RET) independent of the XOR-string. (fnv64a_offset and fnv64a_prime are standard constants in the fnv1a hashing algorithm.)"
+ reference = "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
+ author = "Arnim Rupp"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ date = "2020-12-22"
+ hash1 = "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77"
+ hash2 = "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6"
+ hash3 = "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134"
+ id = "5505f7ff-eca5-5274-bdd1-dbbd648c3ccc"
+ strings:
+ $fnv64a_offset = { 25 23 22 84 e4 9c f2 cb }
+ $fnv64a_prime_plus_gap_plus_xor_ret = { B3 01 00 00 00 01 [8-40] 61 2A 00 00 }
+
+ // use for less false positives, xor before fnv1a prime
+ //$fnv64a_prime_plus_gap_plus_xor_ret = { 61 [0-3] B3 01 00 00 00 01 [8-40] 61 2A }
+ // even less false positives, not sure if it misses beef
+ //$fnv64a_prime_plus_gap_plus_xor_ret = { 61 [0-3] B3 01 00 00 00 01 [8-40] 61 2A 00 00 }
+ condition:
+ (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
+}
+
+// todo:
+// Rules wouldn't work yet for bitshift instead of multiplication as described in http://www.isthe.com/chongo/tech/comp/fnv/index.html : hval += (hval << 1) + (hval << 4) + (hval << 5) + (hval << 7) + (hval << 8) + (hval << 40);
+
+// Deactivated. This rule is probably only useful for developers to check their own software repository
+/*
+rule TEST_false_positive_plain_fnv1a_in_x64
+{
+ meta:
+ description = "This rule detects x64 implementations of standard fnv1a just by looking for the standard fnv64a_offset and fnv64a_prime (unless bitshifting is used instead of multiplication). This rule would have found the SUNBURST backdoor at Solarwinds but will also find any other programm which implements fnv1a. Just useful for developers, pls check if that fnv1a was put there by you ;)"
+ reference = "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
+ author = "Arnim Rupp"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ date = "2020-12-22"
+ score = 10
+ strings:
+ $fnv64a_offset = { 25 23 22 84 e4 9c f2 cb }
+ $fnv64a_prime = { B3 01 00 00 00 01 }
+ condition:
+ // MZ or ELF
+ ( uint16(0) == 0x5a4d or uint32be(0) == 0x7f454c46 ) and all of them
+}
+*/
diff --git a/yara-Neo23x0/apt_backspace.yar b/yara-Neo23x0/apt_backspace.yar
new file mode 100644
index 0000000..8944413
--- /dev/null
+++ b/yara-Neo23x0/apt_backspace.yar
@@ -0,0 +1,19 @@
+/*
+Author: Bit Byte Bitten
+Date: 5/14/2015
+*/
+
+rule apt_backspace{
+ meta:
+ description = "Detects APT backspace"
+ author = "Bit Byte Bitten"
+ date = "2015-05-14"
+ hash = "6cbfeb7526de65eb2e3c848acac05da1e885636d17c1c45c62ad37e44cd84f99"
+ id = "3da3337d-b6d3-5661-b43e-535e06817303"
+ strings:
+ $s1 = "!! Use Splice Socket !!"
+ $s2 = "User-Agent: SJZJ (compatible; MSIE 6.0; Win32)"
+ $s3 = "g_nAV=%d,hWnd:0x%X,className:%s,Title:%s,(%d,%d,%d,%d),BOOL=%d"
+ condition:
+ uint16(0) == 0x5a4d and all of them
+}
\ No newline at end of file
diff --git a/yara-Neo23x0/apt_barracuda_esg_unc4841_jun23.yar b/yara-Neo23x0/apt_barracuda_esg_unc4841_jun23.yar
new file mode 100644
index 0000000..90f81c0
--- /dev/null
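Review bot: `APT_fnv1a_plus_extra_XOR_in_MSIL_experimental` ships the loosest of the three `$fnv64a_prime_plus_gap_plus_xor_ret` variants left in the file — the author's own comments mark the two commented-out forms as producing fewer false positives — yet the live rule has no `score` meta, while the deactivated `TEST_false_positive_plain_fnv1a_in_x64` below it does set `score = 10` for a known-noisy pattern. Since the rule name and description both call it experimental, a reduced `score` would stop score-aware tooling from weighting it like a confirmed-malware rule. The `// todo:` note about the shift-based FNV variant is useful context and should stay next to the rule rather than be cleaned up. In the same physical line, `apt_backspace.yar` carries no `reference` meta, unlike the other imported files, and its header date `5/14/2015` uses a different format from the rule's `date = "2015-05-14"`.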
+++ b/yara-Neo23x0/apt_barracuda_esg_unc4841_jun23.yar 
@@ -0,0 +1,228 @@
+
+rule APT_UNC4841_ESG_Barracuda_CVE_2023_2868_Forensic_Artifacts_Jun23_1 : SCRIPT {
+ meta:
+ description = "Detects forensic artifacts found in the exploitation of CVE-2023-2868 in Barracuda ESG devices by UNC4841"
+ author = "Florian Roth"
+ reference = "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"
+ date = "2023-06-15"
+ modified = "2023-06-16"
+ score = 75
+ id = "50518fa1-33de-5fe5-b957-904d976fb29a"
+ strings:
+ $x01 = "=;ee=ba;G=s;_ech_o $abcdefg_${ee}se64" ascii
+ $x02 = ";echo $abcdefg | base64 -d | sh" ascii
+ $x03 = "setsid sh -c \"mkfifo /tmp/p" ascii
+ $x04 = "sh -i &1" ascii
+ $x05 = "if string.match(hdr:body(), \"^[%w%+/=" ascii
+ $x06 = "setsid sh -c \"/sbin/BarracudaMailService eth0\""
+ $x07 = "echo \"set the bvp ok\""
+ $x08 = "find ${path} -type f ! -name $excludeFileNameKeyword | while read line ;"
+ $x09 = " /mail/mstore | xargs -i cp {} /usr/share/.uc/"
+ $x10 = "tar -T /mail/mstore/tmplist -czvf "
+
+ $sa1 = "sh -c wget --no-check-certificate http"
+ $sa2 = ".tar;chmod +x "
+ condition:
+ 1 of ($x*)
+ or all of ($sa*)
+}
+
+rule APT_MAL_UNC4841_SEASPY_Jun23_1 {
+ meta:
+ description = "Detects SEASPY malware used by UNC4841 in attacks against Barracuda ESG appliances exploiting CVE-2023-2868"
+ author = "Florian Roth"
+ reference = "https://blog.talosintelligence.com/alchimist-offensive-framework/"
+ date = "2023-06-16"
+ score = 85
+ hash1 = "3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115"
+ id = "bcff58f8-87f6-5371-8b96-5d4c0f349000"
+ strings:
+ $sx1 = "usage: ./BarracudaMailService . e.g.: ./BarracudaMailService eth0" ascii fullword
+ $s1 = "fcntl.tmp.amd64." ascii
+ $s2 = "Child process id:%d" ascii fullword
+ $s3 = "[*]Success!" ascii fullword
+ $s4 = "NO port code" ascii
+ $s5 = "enter open tty shell" ascii
+
+ $op1 = { 48 89 c6 f3 a6 0f 84 f7 01 00 00 bf 6c 84 5f 00 b9 05 00 00 00 48 89 c6 f3 a6 0f 84 6a 01 00 00 }
+ $op2 = { f3 a6 0f 84 d2 00 00 00 48 89 de bf 51 5e 61 00 b9 05 00 00 00 f3 a6 74 21 48 89 de }
+ $op3 = { 72 de 45 89 f4 e9 b8 f4 ff ff 48 8b 73 08 45 85 e4 ba 49 3d 62 00 b8 44 81 62 00 48 0f 45 d0 }
+ condition:
+ uint16(0) == 0x457f
+ and filesize < 9000KB
+ and 3 of them
+ or 5 of them
+}
+
+rule APT_MAL_UNC4841_SEASPY_LUA_Jun23_1 {
+ meta:
+ description = "Detects SEASPY malware related LUA script"
+ author = "Florian Roth"
+ reference = "https://blog.talosintelligence.com/alchimist-offensive-framework/"
+ date = "2023-06-16"
+ score = 90
+ hash1 = "56e8066bf83ff6fe0cec92aede90f6722260e0a3f169fc163ed88589bffd7451"
+ id = "a44861d0-107e-589b-8cf1-3fbc2f5c78dc"
+ strings:
+ $x1 = "os.execute('rverify'..' /tmp/'..attachment:filename())" ascii fullword
+ $x2 = "log.debug(\"--- opening archive [%s], mimetype [%s]\", tmpfile" ascii fullword
+
+ $xe1 = "os.execute('rverify'..' /tmp/'..attachment:filename())" ascii base64
+ $xe2 = "log.debug(\"--- opening archive [%s], mimetype [%s]\", tmpfile" ascii base64
+ condition:
+ filesize < 500KB and 1 of them
+}
+
+rule APT_HKTL_Proxy_Tool_Jun23_1 {
+ meta:
+ description = "Detects agent used as proxy tool in UNC4841 intrusions - possibly Alchemist C2 framework implant"
+ author = "Florian Roth"
+ reference = "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"
+ date = "2023-06-16"
+ score = 75
+ hash1 = "ca72fa64ed0a9c22d341a557c6e7c1b6a7264b0c4de0b6f717dd44bddf550bca"
+ hash2 = "57e4b180fd559f15b59c43fb3335bd59435d4d76c4676e51a06c6b257ce67fb2"
+ id = "0e406737-3083-53c2-a6d2-14c07794125a"
+ strings:
+ //$a1 = "Go build" // not available in all samples
+ $a2 = "/src/runtime/panic.go"
+
+ $s1 = "main.handleClientRequest" ascii fullword
+ $s2 = "main.sockIP.toAddr" ascii fullword
+ // $s3 = "main.slave" ascii fullword
+ condition:
+ (
+ uint16(0) == 0x5a4d // Windows PE
+ or uint32be(0) == 0x7f454c46 // ELF
+ or uint16(0) == 0xfeca or uint16(0) == 0xfacf or uint32(0) == 0xbebafeca or uint32(0) == 0xbebafeca // MacOS
+ )
+ and filesize < 10MB
+ and all of them
+}
+
+rule SUSP_FScan_Port_Scanner_Output_Jun23 : SCRIPT {
+ meta:
+ description = "Detects output generated by the command line port scanner FScan"
+ author = "Florian Roth"
+ reference = "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"
+ date = "2023-06-15"
+ score = 70
+ id = "7eb4b27f-0c5b-5d7e-b759-95d7894d5822"
+ strings:
+ $s1 = "[*] NetInfo:" ascii
+ $s2 = ":443 open" ascii
+ $s3 = " [->]"
+ condition:
+ filesize < 800KB and all of them
+}
+
+rule SUSP_PY_Shell_Spawn_Jun23_1 : SCRIPT {
+ meta:
+ description = "Detects suspicious one-liner to spawn a shell using Python"
+ author = "Florian Roth"
+ reference = "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"
+ date = "2023-06-15"
+ score = 70
+ id = "15fd2c9a-c425-5d4d-9209-fd3826074d6c"
+ strings:
+ $x1 = "python -c import pty;pty.spawn(\"/bin/" ascii
+ condition:
+ 1 of them
+}
+
+/* Mandiant Rules */
+/* Source: https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally */
+
+rule APT_MAL_Hunting_LUA_SEASIDE_1 {
+ meta:
+ description = "Hunting rule looking for strings observed in SEASIDE samples."
+ author = "Mandiant"
+ date = "2023-06-15"
+ score = 70
+ reference = "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"
+ hash = "cd2813f0260d63ad5adf0446253c2172"
+ id = "86eaff7b-4ca0-53cd-8886-da66a36c778f"
+ strings:
+ $s1 = "function on_helo()"
+ $s2 = "local bindex,eindex = string.find(helo,'.onion')"
+ $s3 = "helosend = 'pd'..' '..helosend"
+ $s4 = "os.execute(helosend)"
+ condition:
+ filesize < 1MB and all of ($s*)
+}
+
+rule APT_MAL_LNX_Hunting_Linux_WHIRLPOOL_1 {
+ meta:
+ description = "Hunting rule looking for strings observed in WHIRLPOOL samples."
+ author = "Mandiant"
+ date = "2023-06-15"
+ score = 70
+ reference = "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"
+ hash = "177add288b289d43236d2dba33e65956"
+ id = "a997bd65-c502-53a0-8bb8-62daaa916f0d"
+ strings:
+ $s1 = "error -1 exit" fullword
+ $s2 = "create socket error: %s(error: %d)\n" fullword
+ $s3 = "connect error: %s(error: %d)\n" fullword
+ $s4 = {C7 00 20 32 3E 26 66 C7 40 04 31 00}
+ $c1 = "plain_connect" fullword
+ $c2 = "ssl_connect" fullword
+ $c3 = "SSLShell.c" fullword
+ condition:
+ uint32(0) == 0x464c457f and filesize < 15MB and (all of ($s*) or all of ($c*))
+}
+
+rule APT_MAL_LUA_Hunting_SKIPJACK_1 {
+ meta:
+ author = "Mandiant"
+ date = "2023-06-15"
+ reference = "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"
+ description = "Hunting rule looking for strings observed in SKIPJACK installation script."
+ hash = "e4e86c273a2b67a605f5d4686783e0cc"
+ score = 70
+ id = "0026375c-7f37-5ef9-bd55-5b9fc499e5d2"
+ strings:
+ $str1 = "hdr:name() == 'Content-ID'" base64
+ $str2 = "hdr:body() ~= nil" base64
+ $str3 = "string.match(hdr:body(),\"^[%w%+/=\\r\\n]+$\")" base64
+ $str4 = "openssl aes-256-cbc" base64
+ $str5 = "mod_content.lua"
+ $str6 = "#!/bin/sh"
+ condition:
+ all of them
+}
+
+rule APT_MAL_LUA_Hunting_Lua_SKIPJACK_2 {
+ meta:
+ author = "Mandiant"
+ date = "2023-06-15"
+ reference = "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"
+ description = "Hunting rule looking for strings observed in SKIPJACK samples."
+ hash = "87847445f9524671022d70f2a812728f"
+ score = 70
+ id = "e1eac294-fe60-5bb2-bae4-0f7bcbe6b1db"
+ strings:
+ $str1 = "hdr:name() == 'Content-ID'"
+ $str2 = "hdr:body() ~= nil"
+ $str3 = "string.match(hdr:body(),\"^[%w%+/=\\r\\n]+$\")"
+ $str4 = "openssl aes-256-cbc"
+ $str5 = "| base64 -d| sh 2>"
+ condition:
+ all of them
+}
+rule APT_MAL_LUA_Hunting_Lua_SEASPRAY_1 {
+ meta:
+ author = "Mandiant"
+ date = "2023-06-15"
+ reference = "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"
+ description = "Hunting rule looking for strings observed in SEASPRAY samples."
+ hash = "35cf6faf442d325961935f660e2ab5a0"
+ score = 70
+ id = "8c744b85-b61e-56d0-8a9e-ae6a954e1b95"
+ strings:
+ $str1 = "string.find(attachment:filename(),'obt075') ~= nil"
+ $str2 = "os.execute('cp '..tostring(tmpfile)..' /tmp/'..attachment:filename())"
+ $str3 = "os.execute('rverify'..' /tmp/'..attachment:filename())"
+ condition:
+ all of them
+}
diff --git a/yara-Neo23x0/apt_beepservice.yar b/yara-Neo23x0/apt_beepservice.yar
new file mode 100644
index 0000000..95b9677
--- /dev/null
+++ b/yara-Neo23x0/apt_beepservice.yar
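Review bot: The Mach-O branch of `APT_HKTL_Proxy_Tool_Jun23_1`'s condition tests the same value twice (`or uint32(0) == 0xbebafeca or uint32(0) == 0xbebafeca // MacOS`), so one of the two terms is either redundant or was meant to be a different header magic; it should be deduplicated or corrected against the intended list of Mach-O magics. Separately, `APT_MAL_UNC4841_SEASPY_Jun23_1` and `APT_MAL_UNC4841_SEASPY_LUA_Jun23_1` set `reference` to the Talos Alchimist blog post while their descriptions and every other rule in the file cite the Mandiant Barracuda ESG write-up, which looks like a copy-paste from the proxy-tool rule; the Mandiant URL already used elsewhere in the file is the likelier source. In `APT_MAL_UNC4841_SEASPY_Jun23_1`, `and 3 of them or 5 of them` relies on `and` binding tighter than `or`, so `5 of them` fires without the ELF and `filesize` gate; parenthesising the first three terms would make that intent explicit to the next reader.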
@@ -0,0 +1,31 @@
+/*
+ Yara Rule Set
+ Author: Florian Roth
+ Date: 2016-05-12
+ Identifier:
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule BeepService_Hacktool {
+ meta:
+ description = "Detects BeepService Hacktool used by Chinese APT groups"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/p32Ozf"
+ date = "2016-05-12"
+ score = 85
+ hash1 = "032df812a68852b6f3822b9eac4435e531ca85bdaf3ee99c669134bd16e72820"
+ hash2 = "e30933fcfc9c2a7443ee2f23a3df837ca97ea5653da78f782e2884e5a7b734f7"
+ hash3 = "ebb9c4f7058e19b006450b8162910598be90428998df149977669e61a0b7b9ed"
+ hash4 = "6db2ffe7ec365058f9d3b48dcca509507c138f19ade1adb5f13cf43ea0623813"
+ id = "8813a01a-10db-52e7-bb1e-322864e87b15"
+ strings:
+ $x1 = "\\\\%s\\admin$\\system32\\%s" fullword ascii
+
+ $s1 = "123.exe" fullword ascii
+ $s2 = "regclean.exe" fullword ascii
+ $s3 = "192.168.88.69" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 100KB and $x1 and 1 of ($s*)
+}
diff --git a/yara-Neo23x0/apt_between-hk-and-burma.yar b/yara-Neo23x0/apt_between-hk-and-burma.yar
new file mode 100644
index 0000000..42c40fd
--- /dev/null
+++ b/yara-Neo23x0/apt_between-hk-and-burma.yar
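Review bot: The file header's `Identifier:` field in `apt_beepservice.yar` is left empty, while the sibling rule-set headers in this diff fill it in (e.g. "BlackEnergy Malware"); an entry such as `Identifier: BeepService` would keep the headers consistent and searchable. `$s3 = "192.168.88.69"` is a private-range address, so on its own it does not distinguish this tool from any LAN software; the condition does require `$x1` alongside it, but a short comment on that line (`/* hard-coded in the sample; only meaningful together with $x1 */`) would save the next reader from questioning it.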
@@ -0,0 +1,224 @@
+rule dubseven_file_set
+{
+ meta:
+ author = "Matt Brooks, @cmatthewbrooks"
+ date = "2016/04/18"
+ score = 75
+ description = "Searches for service files loading UP007"
+
+ id = "5b0a9cb9-aeef-5508-8854-51ad846b22c5"
+ strings:
+ $file1 = "\\Microsoft\\Internet Explorer\\conhost.exe"
+ $file2 = "\\Microsoft\\Internet Explorer\\dll2.xor"
+ $file3 = "\\Microsoft\\Internet Explorer\\HOOK.DLL"
+ $file4 = "\\Microsoft\\Internet Explorer\\main.dll"
+ $file5 = "\\Microsoft\\Internet Explorer\\nvsvc.exe"
+ $file6 = "\\Microsoft\\Internet Explorer\\SBieDll.dll"
+ $file7 = "\\Microsoft\\Internet Explorer\\mon"
+ $file8 = "\\Microsoft\\Internet Explorer\\runas.exe"
+
+ condition:
+ //MZ header
+ uint16(0) == 0x5A4D and
+
+ //PE signature
+ uint32(uint32(0x3C)) == 0x00004550 and
+
+ //Just a few of these as they differ
+ 3 of ($file*)
+}
+
+rule dubseven_dropper_registry_checks
+{
+ meta:
+ author = "Matt Brooks, @cmatthewbrooks"
+ date = "2016/04/18"
+ score = 75
+ description = "Searches for registry keys checked for by the dropper"
+
+ id = "8369cdbb-53b8-5dc5-9181-fd49747042a7"
+ strings:
+ $reg1 = "SOFTWARE\\360Safe\\Liveup"
+ $reg2 = "Software\\360safe"
+ $reg3 = "SOFTWARE\\kingsoft\\Antivirus"
+ $reg4 = "SOFTWARE\\Avira\\Avira Destop"
+ $reg5 = "SOFTWARE\\rising\\RAV"
+ $reg6 = "SOFTWARE\\JiangMin"
+ $reg7 = "SOFTWARE\\Micropoint\\Anti-Attack"
+
+ condition:
+ //MZ header
+ uint16(0) == 0x5A4D and
+
+ //PE signature
+ uint32(uint32(0x3C)) == 0x00004550 and
+
+ all of ($reg*)
+}
+
+rule dubseven_dropper_dialog_remains
+{
+ meta:
+ author = "Matt Brooks, @cmatthewbrooks"
+ date = "2016/04/18"
+ score = 75
+ description = "Searches for related dialog remnants. How rude."
+
+ id = "6029ea74-26fc-57d1-aaed-be1ea2138844"
+ strings:
+ $dia1 = "fuckMessageBox 1.0" wide
+ $dia2 = "Rundll 1.0" wide
+
+ condition:
+ //MZ header
+ uint16(0) == 0x5A4D and
+
+ //PE signature
+ uint32(uint32(0x3C)) == 0x00004550 and
+
+ any of them
+}
+
+
+rule maindll_mutex
+{
+ meta:
+ author = "Matt Brooks, @cmatthewbrooks"
+ date = "2016/04/18"
+ score = 75
+ description = "Matches on the maindll mutex"
+
+ id = "7a89dae3-9e03-5803-9729-78e6e65e91d3"
+ strings:
+ $mutex = "h31415927tttt"
+
+ condition:
+ //MZ header
+ uint16(0) == 0x5A4D and
+
+ //PE signature
+ uint32(uint32(0x3C)) == 0x00004550 and
+
+ $mutex
+}
+
+
+rule SLServer_dialog_remains
+{
+ meta:
+ author = "Matt Brooks, @cmatthewbrooks / modified by Florian Roth"
+ date = "2016/04/18"
+ score = 75
+ description = "Searches for related dialog remnants."
+
+ id = "cf199d25-ce5e-52c2-88de-32a48dee4c6f"
+ strings:
+ $slserver = "SLServer" wide fullword
+
+ $fp1 = "Dell Inc." wide fullword
+ $fp2 = "ScriptLogic Corporation" wide
+
+ $extra1 = "SLSERVER" wide fullword
+ $extra2 = "\\SLServer.pdb" ascii
+
+ condition:
+ //MZ header
+ uint16(0) == 0x5A4D and
+
+ //PE signature
+ uint32(uint32(0x3C)) == 0x00004550 and
+
+ // Reduce false positives
+ not 1 of ($fp*) and
+ 1 of ($extra*) and
+
+ $slserver
+}
+
+rule SLServer_mutex
+{
+ meta:
+ author = "Matt Brooks, @cmatthewbrooks"
+ date = "2016/04/18"
+ score = 75
+ description = "Searches for the mutex."
+
+ id = "decdefd0-fe20-5adf-9d8c-0e2b954481a0"
+ strings:
+ $mutex = "M&GX^DSF&DA@F"
+
+ condition:
+ //MZ header
+ uint16(0) == 0x5A4D and
+
+ //PE signature
+ uint32(uint32(0x3C)) == 0x00004550 and
+
+ $mutex
+}
+
+rule SLServer_command_and_control
+{
+ meta:
+ author = "Matt Brooks, @cmatthewbrooks"
+ date = "2016/04/18"
+ score = 75
+ description = "Searches for the C2 server."
+
+ id = "e4fcda6c-1c9f-5b58-8b07-8d1a0dc4eaf6"
+ strings:
+ $c2 = "safetyssl.security-centers.com"
+
+ condition:
+ //MZ header
+ uint16(0) == 0x5A4D and
+
+ //PE signature
+ uint32(uint32(0x3C)) == 0x00004550 and
+
+ $c2
+}
+
+rule SLServer_campaign_code
+{
+ meta:
+ author = "Matt Brooks, @cmatthewbrooks"
+ date = "2016/04/18"
+ score = 75
+ description = "Searches for the related campaign code."
+
+ id = "672f506e-0cc1-5b09-873b-c3d206486bac"
+ strings:
+ $campaign = "wthkdoc0106"
+
+ condition:
+ //MZ header
+ uint16(0) == 0x5A4D and
+
+ //PE signature
+ uint32(uint32(0x3C)) == 0x00004550 and
+
+ $campaign
+}
+
+rule SLServer_unknown_string
+{
+ meta:
+ author = "Matt Brooks, @cmatthewbrooks"
+ date = "2016/04/18"
+ score = 75
+ description = "Searches for a unique string."
+
+ id = "00341604-480f-59aa-9c18-009e7b53928e"
+ strings:
+ $string = "test-b7fa835a39"
+
+ condition:
+ //MZ header
+ uint16(0) == 0x5A4D and
+
+ //PE signature
+ uint32(uint32(0x3C)) == 0x00004550 and
+
+ $string
+}
diff --git a/yara-Neo23x0/apt_bigbang.yar b/yara-Neo23x0/apt_bigbang.yar
new file mode 100644
index 0000000..89a014a
--- /dev/null
+++ b/yara-Neo23x0/apt_bigbang.yar
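Review bot: None of the nine rules in `apt_between-hk-and-burma.yar` carries a `reference` meta and the file has no header comment, so nothing ties `dubseven_file_set` or the `SLServer_*` rules back to their source report, whereas every other rule file in this diff records one. The filename and the credited author suggest the original write-up is the one the file is named after, so a `reference = "<URL of the original report>"` line per rule, or at least a file header naming it, should be added at import. The `description` values are the only other documentation, and `SLServer_unknown_string` ("Searches for a unique string.") says nothing about why `test-b7fa835a39` is significant; a phrase like "string unique to the SLServer samples in the report" would at least record the provenance claim. The rules also use `date = "2016/04/18"` while the rest of the set uses ISO `YYYY-MM-DD`, which matters for any tooling that sorts or filters on that field.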
@@ -0,0 +1,51 @@
+import "pe"
+
+rule APT_ME_BigBang_Gen_Jul18_1 {
+ meta:
+ description = "Detects malware from Big Bang campaign against Palestinian authorities"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://research.checkpoint.com/apt-attack-middle-east-big-bang/"
+ date = "2018-07-09"
+ hash1 = "4db68522600f2d8aabd255e2da999a9d9c9f1f18491cfce9dadf2296269a172b"
+ hash2 = "ac6462e9e26362f711783b9874d46fefce198c4c3ca947a5d4df7842a6c51224"
+ hash3 = "e1f52ea30d25289f7a4a5c9d15be97c8a4dfe10eb68ac9d031edcc7275c23dbc"
+ id = "f1097998-9414-511c-b177-ff09154964a8"
+ strings:
+ $x2 = "%@W@%S@c@ri%@p@%t.S@%he@%l%@l" ascii
+ $x3 = "S%@h%@e%l%@l." ascii
+ $x4 = "(\"S@%t@%a%@rt%@up\")" ascii
+ $x5 = "aW5zdGFsbCBwcm9nOiBwcm9nIHdpbGwgZGVsZXRlIG9sZCB0bXAgZmlsZQ==" fullword ascii /* base64 encoded string 'install prog: prog will delete old tmp file' */
+ $x6 = "aW5zdGFsbCBwcm9nOiBUaGVyZSBpcyBubyBvbGQgZmlsZSBpbiB0ZW1wLg==" fullword ascii /* base64 encoded string 'install prog: There is no old file in temp.' */
+ $x7 = "VXBkYXRlIHByb2c6IFRoZXJlIGlzIG5vIG9sZCBmaWxlIGluIHRlbXAu" fullword ascii /* base64 encoded string 'Update prog: There is no old file in temp.' */
+ $x8 = "aW5zdGFsbCBwcm9nOiBDcmVhdGUgVGFzayBhZnRlciA1IG1pbiB0byBydW4gRmlsZSBmcm9tIHRtcA==" fullword ascii /* base64 encoded string 'install prog: Create Task after 5 min to run File from tmp' */
+ $x9 = "UnVuIEZpbGU6IE15IHByb2cgaXMgRXhpdC4=" fullword ascii /* base64 encoded string 'Run File: My prog is Exit.' */
+ $x10 = "li%@%@nk.W%@%@indo@%%@%@%wS%@%@tyle = 3" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 3000KB and (
+ 1 of them or
+ pe.imphash() == "0f09ea2a68d04f331df9a5d0f8641332"
+ )
+}
+
+rule APT_ME_BigBang_Mal_Jul18_1 {
+ meta:
+ description = "Detects malware from Big Bang report"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://research.checkpoint.com/apt-attack-middle-east-big-bang/"
+ date = "2018-07-09"
+ hash1 = "ac6462e9e26362f711783b9874d46fefce198c4c3ca947a5d4df7842a6c51224"
+ hash2 = "e1f52ea30d25289f7a4a5c9d15be97c8a4dfe10eb68ac9d031edcc7275c23dbc"
+ id = "f30b2e11-f90a-5068-8eaa-25f11218ec6c"
+ strings:
+ $s1 = "%Y%m%d-%I-%M-%S" fullword ascii
+ $s2 = "/api/serv/requests/%s/runfile/delete" fullword ascii
+ $s3 = "\\part.txt" ascii
+ $s4 = "\\ALL.txt" ascii
+ $s5 = "\\sat.txt" ascii
+ $s6 = "runfile.proccess_name" fullword ascii
+ $s7 = "%s%s%p%s%zd%s%d%s%s%s%s%s" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 3000KB and 4 of them
+}
diff --git a/yara-Neo23x0/apt_bitter.yar b/yara-Neo23x0/apt_bitter.yar
new file mode 100644
index 0000000..04e2114
--- /dev/null
+++ b/yara-Neo23x0/apt_bitter.yar
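Review bot: In `APT_ME_BigBang_Gen_Jul18_1` the string identifiers run `$x2` through `$x10` with no `$x1`, which suggests a string was dropped without renumbering; it does not affect matching, but it trips up anyone auditing what `1 of them` can fire on. Of those, `$x3 = "S%@h%@e%l%@l."` is the shortest pattern that matches on its own; the `%@` obfuscation makes it distinctive, so the choice looks sound, but a comment such as `/* any single obfuscated "Shell"/"Startup" fragment is enough */` next to `1 of them` would document that intent. The base64 strings already carry decoded-value comments, which is the right pattern; `$x2`, `$x3`, `$x4` and `$x10` would benefit from the same treatment (the de-obfuscated text they stand for).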
@@ -0,0 +1,21 @@
+
+rule EXT_APT_Bitter_Win32k_0day_Feb21 {
+ meta:
+ description = "Detects code that exploits a Windows 0day exploited by Bitter APT group"
+ author = "dbappsecurity_lieying_lab"
+ date = "2021-01-01"
+ reference = "https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/"
+ id = "b1892b52-4b94-5571-ad63-8750a321f1f2"
+ strings:
+ $s1 = "NtUserConsoleControl" ascii wide
+ $s2 = "NtCallbackReturn" ascii wide
+ $s3 = "CreateWindowEx" ascii wide
+ $s4 = "SetWindowLong" ascii wide
+
+ $a1 = {48 C1 E8 02 48 C1 E9 02 C7 04 8A}
+ $a2 = {66 0F 1F 44 00 00 80 3C 01 E8 74 22 FF C2 48 FF C1}
+ $a3 = {48 63 05 CC 69 05 00 8B 0D C2 69 05 00 48 C1 E0 20 48 03 C1}
+
+ condition:
+ uint16(0) == 0x5a4d and all of ($s*) and 1 of ($a*)
+}
diff --git a/yara-Neo23x0/apt_blackenergy.yar b/yara-Neo23x0/apt_blackenergy.yar
new file mode 100644
index 0000000..e574469
--- /dev/null
+++ b/yara-Neo23x0/apt_blackenergy.yar
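Review bot: `$a3` in `EXT_APT_Bitter_Win32k_0day_Feb21` embeds two 32-bit displacements (`CC 69 05 00` and `C2 69 05 00`) that, if they are RIP-relative operands as the `48 63 05` / `8B 0D` opcode prefixes suggest, are specific to one build of the sample; wildcarding them (`$a3 = {48 63 05 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 48 C1 E0 20 48 03 C1}`) would keep the pattern useful across recompiled variants without loosening the surrounding instruction sequence. The `date = "2021-01-01"` predates the referenced post, whose URL carries 2021/02/10, so it reads as a placeholder rather than the rule's authoring date and should be corrected or annotated. The rule also has no `score` or `filesize` gate, and `$s3`/`$s4` are ordinary Win32 API names, though `all of ($s*) and 1 of ($a*)` keeps the condition reasonably tight.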
@@ -0,0 +1,188 @@ +/* + Yara Rule Set + Author: Florian Roth + Date: 2015-02-19 + Identifier: BlackEnergy Malware +*/ + +rule BlackEnergy_BE_2 { + meta: + description = "Detects BlackEnergy 2 Malware" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "http://goo.gl/DThzLz" + date = "2015/02/19" + hash = "983cfcf3aaaeff1ad82eb70f77088ad6ccedee77" + id = "c93991b9-77e8-5a73-80ef-e21df770c3a5" + strings: + $s0 = " Windows system utility service " fullword ascii + $s1 = "WindowsSysUtility - Unicode" fullword wide + $s2 = "msiexec.exe" fullword wide + $s3 = "WinHelpW" fullword ascii + $s4 = "ReadProcessMemory" fullword ascii + condition: + uint16(0) == 0x5a4d and filesize < 250KB and all of ($s*) +} + +/* + Yara Rule Set + Author: Florian Roth + Date: 2016-01-03 + Identifier: BlackEnergy Malware +*/ + +rule BlackEnergy_VBS_Agent { + meta: + description = "Detects VBS Agent from BlackEnergy Report - file Dropbearrun.vbs" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/" + date = "2016-01-03" + hash = "b90f268b5e7f70af1687d9825c09df15908ad3a6978b328dc88f96143a64af0f" + id = "0876f752-d476-5706-918e-edfda9bd7928" + strings: + $s0 = "WshShell.Run \"dropbear.exe -r rsa -d dss -a -p 6789\", 0, false" fullword ascii + $s1 = "WshShell.CurrentDirectory = \"C:\\WINDOWS\\TEMP\\Dropbear\\\"" fullword ascii + $s2 = "Set WshShell = CreateObject(\"WScript.Shell\")" fullword ascii /* Goodware String - occured 1 times */ + condition: + filesize < 1KB and 2 of them +} + +rule DropBear_SSH_Server { + meta: + description = "Detects DropBear SSH Server (not a threat but used to maintain access)" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = 
"Florian Roth (Nextron Systems)" + reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/" + date = "2016-01-03" + score = 50 + hash = "0969daac4adc84ab7b50d4f9ffb16c4e1a07c6dbfc968bd6649497c794a161cd" + id = "22595d8b-b7ea-570e-ad17-d5bcec613abf" + strings: + $s1 = "Dropbear server v%s https://matt.ucc.asn.au/dropbear/dropbear.html" fullword ascii + $s2 = "Badly formatted command= authorized_keys option" fullword ascii + $s3 = "This Dropbear program does not support '%s' %s algorithm" fullword ascii + $s4 = "/etc/dropbear/dropbear_dss_host_key" fullword ascii + $s5 = "/etc/dropbear/dropbear_rsa_host_key" fullword ascii + condition: + uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them +} + +rule BlackEnergy_BackdoorPass_DropBear_SSH { + meta: + description = "Detects the password of the backdoored DropBear SSH Server - BlackEnergy" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/" + date = "2016-01-03" + hash = "0969daac4adc84ab7b50d4f9ffb16c4e1a07c6dbfc968bd6649497c794a161cd" + id = "60db00dd-72b3-5a28-90de-2a397b1e007b" + strings: + $s1 = "passDs5Bu9Te7" fullword ascii + condition: + uint16(0) == 0x5a4d and $s1 +} + +/* Super Rules ------------------------------------------------------------- */ + +rule BlackEnergy_KillDisk_1 { + meta: + description = "Detects KillDisk malware from BlackEnergy" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/" + date = "2016-01-03" + score = 80 + super_rule = 1 + hash1 = "11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80" + hash2 = "5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6" + hash3 = 
"c7536ab90621311b526aefd56003ef8e1166168f038307ae960346ce8f75203d" + hash4 = "f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95" + id = "304e7aa3-48d3-5015-aaf1-6b1df2441b75" + strings: + $s0 = "system32\\cmd.exe" fullword ascii + $s1 = "system32\\icacls.exe" fullword wide + $s2 = "/c del /F /S /Q %c:\\*.*" fullword ascii + $s3 = "shutdown /r /t %d" fullword ascii + $s4 = "/C /Q /grant " fullword wide + $s5 = "%08X.tmp" fullword ascii + $s6 = "/c format %c: /Y /X /FS:NTFS" fullword ascii + $s7 = "/c format %c: /Y /Q" fullword ascii + $s8 = "taskhost.exe" fullword wide /* Goodware String - occured 1 times */ + $s9 = "shutdown.exe" fullword wide /* Goodware String - occured 1 times */ + condition: + uint16(0) == 0x5a4d and filesize < 500KB and 8 of them +} + +rule BlackEnergy_KillDisk_2 { + meta: + description = "Detects KillDisk malware from BlackEnergy" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/" + date = "2016-01-03" + modified = "2023-01-06" + score = 80 + super_rule = 1 + hash1 = "11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80" + hash2 = "5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6" + hash3 = "f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95" + id = "f0304e87-a278-5963-9af0-935c088c00ec" + strings: + $s0 = "%c:\\~tmp%08X.tmp" fullword ascii + $s1 = "%s%08X.tmp" fullword ascii + $s2 = ".exe.sys.drv.doc.docx.xls.xlsx.mdb.ppt.pptx.xml.jpg.jpeg.ini.inf.ttf" wide + $s3 = "%ls_%ls_%ls_%d.~tmp" fullword wide + condition: + uint16(0) == 0x5a4d and filesize < 500KB and 3 of them +} + +rule BlackEnergy_Driver_USBMDM { + meta: + description = "Black Energy Driver" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = 
"http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" + date = "2016-01-04" + super_rule = 1 + hash1 = "7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094" + hash2 = "b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a" + hash3 = "edb16d3ccd50fc8f0f77d0875bf50a629fa38e5ba1b8eeefd54468df97eba281" + hash4 = "ac13b819379855af80ea3499e7fb645f1c96a4a6709792613917df4276c583fc" + hash5 = "7a393b3eadfc8938cbecf84ca630e56e37d8b3d23e084a12ea5a7955642db291" + hash6 = "405013e66b6f137f915738e5623228f36c74e362873310c5f2634ca2fda6fbc5" + hash7 = "244dd8018177ea5a92c70a7be94334fa457c1aab8a1c1ea51580d7da500c3ad5" + hash8 = "edcd1722fdc2c924382903b7e4580f9b77603110e497393c9947d45d311234bf" + id = "d5e8faf0-38cb-5193-b859-83ea09278011" + strings: + $s1 = "USB MDM Driver" fullword wide + $s2 = "KdDebuggerNotPresent" fullword ascii /* Goodware String - occured 50 times */ + $s3 = "KdDebuggerEnabled" fullword ascii /* Goodware String - occured 69 times */ + condition: + uint16(0) == 0x5a4d and filesize < 180KB and all of them +} + +rule BlackEnergy_Driver_AMDIDE { + meta: + description = "Black Energy Malware" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" + date = "2016-01-04" + super_rule = 1 + hash1 = "32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614" + hash2 = "3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2" + hash3 = "90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c" + hash4 = "97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1" + hash5 = "5111de45210751c8e40441f16760bf59856ba798ba99e3c9532a104752bf7bcc" + hash6 = "cbc4b0aaa30b967a6e29df452c5d7c2a16577cede54d6d705ca1f095bd6d4988" + 
hash7 = "1ce0dfe1a6663756a32c69f7494ad082d293d32fe656d7908fb445283ab5fa68" + id = "e5b57c33-87f7-5411-995c-384e0afa0348" + strings: + $s1 = " AMD IDE driver" fullword wide + $s2 = "SessionEnv" fullword wide + $s3 = "\\DosDevices\\{C9059FFF-1C49-4445-83E8-" wide + $s4 = "\\Device\\{C9059FFF-1C49-4445-83E8-" wide + condition: + uint16(0) == 0x5a4d and filesize < 150KB and all of them +} diff --git a/yara-Neo23x0/apt_blackenergy_installer.yar b/yara-Neo23x0/apt_blackenergy_installer.yar new file mode 100644 index 0000000..12c2a9c --- /dev/null +++ b/yara-Neo23x0/apt_blackenergy_installer.yar 
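Review bot: BlackEnergy_Driver_USBMDM is effectively a single-string rule: of the three strings under `all of them`, `$s2` and `$s3` are annotated by the rule itself as goodware strings (50 and 69 occurrences), so `"USB MDM Driver"` in an MZ file under 180KB is the only discriminating evidence and a legitimate modem driver carrying that description string would presumably match. Consider adding a second sample-specific string from the eight listed hashes, or at least a `score` line so the hit is weighted below the KillDisk rules (`score = 80`) in the same file. Separately, four rules in this hunk cite `http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/`, a feed-redirect URL, while the two driver rules already cite the direct welivesecurity.com article; the direct URL should replace the redirect so responders can still reach the source.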
@@ -0,0 +1,16 @@
+
+rule blackenergy3_installer
+{
+ meta:
+ author = "Mike Schladt"
+ date = "2015-05-29"
+ description = "Matches unique code block for import name construction "
+ md5 = "78387651DD9608FCDF6BFB9DF8B84DB4"
+ sha1 = "78636F7BBD52EA80D79B4E2A7882403092BBB02D"
+ reference = "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf"
+ id = "4afeb7ac-ce8d-506c-9c97-db7ec6102490"
+ strings:
+ $import_names = { C7 45 D0 75 73 65 72 C7 45 D4 33 32 2E 64 66 C7 45 D8 6C 6C 88 5D DA C7 45 84 61 64 76 61 C7 45 88 70 69 33 32 C7 45 8C 2E 64 6C 6C 88 5D 90 C7 45 B8 77 69 6E 69 C7 45 BC 6E 65 74 2E C7 45 C0 64 6C 6C 00 C7 45 C4 77 73 32 5F C7 45 C8 33 32 2E 64 66 C7 45 CC 6C 6C 88 5D CE C7 45 94 73 68 65 6C C7 45 98 6C 33 32 2E C7 45 9C 64 6C 6C 00 C7 45 E8 70 73 61 70 C7 45 EC 69 2E 64 6C 66 C7 45 F0 6C 00 C7 85 74 FF FF FF 6E 65 74 61 C7 85 78 FF FF FF 70 69 33 32 C7 85 7C FF FF FF 2E 64 6C 6C 88 5D 80 C7 85 64 FF FF FF 6F 6C 65 61 C7 85 68 FF FF FF 75 74 33 32 C7 85 6C FF FF FF 2E 64 6C 6C 88 9D 70 FF FF FF C7 45 DC 6F 6C 65 33 C7 45 E0 32 2E 64 6C 66 C7 45 E4 6C 00 C7 45 A0 76 65 72 73 C7 45 A4 69 6F 6E 2E C7 45 A8 64 6C 6C 00 C7 85 54 FF FF FF 69 6D 61 67 C7 85 58 FF FF FF 65 68 6C 70 C7 85 5C FF FF FF 2E 64 6C 6C 88 9D 60 FF FF FF C7 45 AC 61 70 70 68 C7 45 B0 65 6C 70 2E C7 45 B4 64 6C 6C 00 C7 45 F4 2E 64 6C 6C 88 5D F8 }
+ condition :
+ any of them
+}
\ No newline at end of file
diff --git a/yara-Neo23x0/apt_bluetermite_emdivi.yar b/yara-Neo23x0/apt_bluetermite_emdivi.yar
new file mode 100644
index 0000000..bdc78cd
--- /dev/null
+++ b/yara-Neo23x0/apt_bluetermite_emdivi.yar
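Review bot: blackenergy3_installer has no file-type or size gate: its condition is just `any of them`, so the ~250-byte `$import_names` pattern is searched through every scanned file of any type and size, unlike the neighbouring rules that start with `uint16(0) == 0x5a4d`. The pattern is x86 stack-string construction from a PE sample (`C7 45 xx imm32` / `C7 85 disp32 imm32` stores that spell out `user32.dll`, `advapi32.dll`, `wininet.dll`, `ws2_32.dll` and so on), so `condition: uint16(0) == 0x5a4d and $import_names` is the minimal tightening; I am not proposing a `filesize` bound because the sample size is not visible here. The meta block also records `md5`/`sha1` where the rest of the set uses `hash1 = <sha256>`, and lacks the `license` line the other rules carry.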
@@ -0,0 +1,143 @@ + +/* + Yara Rule Set + Author: Florian Roth @Cyber0ps + Date: 2015-08-20 + Identifier: Emdivi +*/ + +rule Emdivi_SFX { + meta: + description = "Detects Emdivi malware in SFX Archive" + author = "Florian Roth (Nextron Systems) @Cyber0ps" + reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/" + date = "2015-08-20" + score = 70 + hash1 = "7a3c81b2b3c14b9cd913692347019887b607c54152b348d6d3ccd3ecfd406196" + hash2 = "8c3df4e4549db3ce57fc1f7b1b2dfeedb7ba079f654861ca0b608cbfa1df0f6b" + id = "51367190-2e8d-507c-a19f-996bc6960977" + strings: + $x1 = "Setup=unsecess.exe" fullword ascii + $x2 = "Setup=leassnp.exe" fullword ascii + + $s1 = "&Enter password for the encrypted file:" fullword wide + $s2 = ";The comment below contains SFX script commands" fullword ascii + $s3 = "Path=%temp%" fullword ascii + condition: + uint16(0) == 0x5a4d and filesize < 740KB and (1 of ($x*) and all of ($s*)) +} + +/* Super Rules ------------------------------------------------------------- */ + +rule Emdivi_Gen1 { + meta: + description = "Detects Emdivi Malware" + author = "Florian Roth (Nextron Systems) @Cyber0ps" + reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/" + date = "2015-08-20" + score = 80 + super_rule = 1 + hash1 = "17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24" + hash2 = "3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1" + hash3 = "6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662" + hash4 = "90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86" + id = "807cf3f9-4f58-5d22-88b2-9adb7866979f" + strings: + $x1 = "wmic nteventlog where filename=\"SecEvent\" call cleareventlog" fullword wide + $x2 = "del %Temp%\\*.exe %Temp%\\*.dll %Temp%\\*.bat %Temp%\\*.ps1 %Temp%\\*.cmd /f /q" fullword wide + $x3 = "userControl-v80.exe" fullword ascii + + $s1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 
2.0.50727.42)" fullword wide + $s2 = "http://www.msftncsi.com" fullword wide + $s3 = "net use | find /i \"c$\"" fullword wide + $s4 = " /del /y & " fullword wide + $s5 = "\\auto.cfg" wide + $s6 = "/ncsi.txt" fullword wide + $s7 = "Dcmd /c" fullword wide + $s8 = "/PROXY" fullword wide + condition: + uint16(0) == 0x5a4d and filesize < 800KB and all of them +} + +rule Emdivi_Gen2 { + meta: + description = "Detects Emdivi Malware" + author = "Florian Roth (Nextron Systems) @Cyber0ps" + reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/" + date = "2015-08-20" + modified = "2023-01-27" + super_rule = 1 + score = 80 + hash1 = "9a351885bf5f6fec466f30021088504d96e9db10309622ed198184294717add1" + hash2 = "a5be7cb1f37030c9f9211c71e0fbe01dae19ff0e6560c5aab393621f18a7d012" + hash3 = "9183abb9b639699cd2ad28d375febe1f34c14679b7638d1a79edb49d920524a4" + id = "9a77c85c-84b0-5e0f-93bc-e17e2aaec095" + strings: + $s1 = "%TEMP%\\IELogs\\" ascii + $s2 = "MSPUB.EXE" fullword ascii + $s3 = "%temp%\\" ascii + $s4 = "\\NOTEPAD.EXE" ascii + $s5 = "%4d-%02d-%02d %02d:%02d:%02d " fullword ascii + $s6 = "INTERNET_OPEN_TYPE_PRECONFIG" fullword ascii + $s7 = "%4d%02d%02d%02d%02d%02d" fullword ascii + condition: + uint16(0) == 0x5a4d and filesize < 1300KB and 6 of them +} + +rule MAL_Emdivi_Gen3 { + meta: + description = "Detects Emdivi Malware" + author = "Florian Roth (Nextron Systems)" + reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/" + date = "2015-08-20" + modified = "2023-01-06" + super_rule = 1 + score = 80 + hash1 = "008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e" + hash2 = "a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d" + id = "c3d712ae-3f8e-578c-81cd-fd3e48213875" + strings: + $x1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727.42)" fullword ascii + + $s2 = "\\Mozilla\\Firefox\\Profiles\\" ascii + $s4 = "\\auto.cfg" ascii + $s5 = 
"/ncsi.txt" fullword ascii + $s6 = "/en-us/default.aspx" fullword ascii + $s7 = "cmd /c" fullword ascii + $s9 = "APPDATA" fullword ascii /* Goodware String - occured 25 times */ + condition: + uint16(0) == 0x5a4d and filesize < 850KB and + ( + ( $x1 and 1 of ($s*) ) or + ( 4 of ($s*) ) + ) +} + +rule Emdivi_Gen4 { + meta: + description = "Detects Emdivi Malware" + author = "Florian Roth (Nextron Systems) @Cyber0ps" + reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/" + date = "2015-08-20" + super_rule = 1 + score = 80 + hash1 = "008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e" + hash2 = "17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24" + hash3 = "3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1" + hash4 = "6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662" + hash5 = "90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86" + hash6 = "a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d" + id = "02629873-a797-51ff-83fc-af499cafa1e8" + strings: + $s1 = ".http_port\", " fullword wide + $s2 = "UserAgent: " fullword ascii + $s3 = "AUTH FAILED" fullword ascii + $s4 = "INVALID FILE PATH" fullword ascii + $s5 = ".autoconfig_url\", \"" fullword wide + $s6 = "FAILED TO WRITE FILE" fullword ascii + $s7 = ".proxy" fullword wide + $s8 = "AuthType: " fullword ascii + $s9 = ".no_proxies_on\", \"" fullword wide + condition: + uint16(0) == 0x5a4d and filesize < 853KB and all of them +} diff --git a/yara-Neo23x0/apt_bronze_butler.yar b/yara-Neo23x0/apt_bronze_butler.yar new file mode 100644 index 0000000..fc79077 --- /dev/null +++ b/yara-Neo23x0/apt_bronze_butler.yar 
@@ -0,0 +1,197 @@ +/* + Yara Rule Set + Author: Florian Roth + Date: 2017-10-14 + Identifier: Bronze Butler + Reference: https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses +*/ + +/* Rule Set ----------------------------------------------------------------- */ + +import "pe" + +rule BronzeButler_Daserf_Delphi_1 { + meta: + description = "Detects malware / hacktool sample from Bronze Butler incident" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" + date = "2017-10-14" + hash1 = "89a80ca92600af64eb9c32cab4e936c7d675cf815424d72438973e2d6788ef64" + hash2 = "b1bd03cd12638f44d9ace271f65645e7f9b707f86e9bcf790e0e5a96b755556b" + hash3 = "22e1965154bdb91dd281f0e86c8be96bf1f9a1e5fe93c60a1d30b79c0c0f0d43" + id = "88372e62-3bba-58dc-825c-f35533e42825" + strings: + $s1 = "Services.exe" fullword ascii + $s2 = "Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)" fullword ascii + $s3 = "l32.dll" fullword ascii + $s4 = "tProcess:" fullword ascii + $s5 = " InjectPr" ascii + $s6 = "Write$Error creating variant or safe array\x1fInvalid argument to time encode" fullword wide + $s7 = "on\\run /v " fullword ascii + $s8 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\run" fullword ascii + $s9 = "ms1ng2d3d2.exe" fullword ascii + condition: + ( uint16(0) == 0x5a4d and filesize < 400KB and 3 of them ) +} + +rule BronzeButler_Daserf_C_1 { + meta: + description = "Detects malware / hacktool sample from Bronze Butler incident" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" + date = "2017-10-14" + hash1 = "a4afd9df1b4cc014c3a89d7b4a560fa3e368b02286c42841762714b23e68cc05" + hash2 = 
"90ac1fb148ded4f46949a5fea4cd8c65d4ea9585046d66459328a5866f8198b2" + hash3 = "331ac0965b50958db49b7794cc819b2945d7b5e5e919c185d83e997e205f107b" + hash4 = "b1fdc6dc330e78a66757b77cc67a0e9931b777cd7af9f839911eecb74c04420a" + hash5 = "15abe7b1355cd35375de6dde57608f6d3481755fdc9e71d2bfc7c7288db4cd92" + hash6 = "85544d2bcaf8e6ca32bbc0a9e9583c9db1dce837043f555a7ff66363d5858439" + hash7 = "2dc24622c1e91642a21a64c0dd31cbe953e8f77bd3d6abcf2c4676c3b11bb162" + hash8 = "2bdb88fa24cffba240b60416835189c76a9920b6c3f6e09c3c4b171c2f57031c" + id = "62a5cc4a-7c58-5e4d-ac23-8d1f850a540a" + strings: + $s1 = "(c) 2010 DYAMAR EnGineerinG, All rights reserved, http://www.dyamar.com." fullword ascii + $s2 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)" fullword ascii + + $a1 = "ndkkwqgcm" fullword ascii + $a2 = "RtlGetCo" fullword ascii + $a3 = "hutils" fullword ascii + + $b1 = "%USERPROFILE%\\System" fullword ascii + $b2 = "msid.dat" fullword ascii + $b3 = "DRIVE_REMOTE" fullword wide + $b4 = "%s%s%s%s%s%s%s%s%s%s%s%s" fullword ascii + $b5 = "jcbhe.asp" fullword ascii + $b6 = "edset.asp" fullword ascii + $b7 = "bxcve.asp" fullword ascii + $b8 = "hcvery.php" fullword ascii + $b9 = "ynhkef.php" fullword ascii + $b10 = "dkgwey.php" fullword ascii + condition: + uint16(0) == 0x5a4d and filesize < 300KB and ( + pe.imphash() == "088382f4887e3b2c4bd5157f2d72b618" or + all of ($a*) or + 4 of them + ) +} + +rule BronzeButler_DGet_1 { + meta: + description = "Detects malware / hacktool sample from Bronze Butler incident" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" + date = "2017-10-14" + hash1 = "bd81521445639aaa5e3bcb5ece94f73feda3a91880a34a01f92639f8640251d6" + id = "d60fcc9f-0f17-5871-9e8e-71d26e2f46bc" + strings: + $s2 = "DGet Tool Made by XZ" fullword ascii + condition: + ( uint16(0) == 
0x5a4d and filesize < 10KB and 1 of them ) +} + +rule BronzeButler_UACBypass_1 { + meta: + description = "Detects malware / hacktool sample from Bronze Butler incident" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" + date = "2017-10-14" + hash1 = "fe06b99a0287e2b2d9f7faffbda3a4b328ecc05eab56a3e730cfc99de803b192" + id = "01853352-58fc-56a3-8c20-08405c71e251" + strings: + $x1 = "\\Release\\BypassUacDll.pdb" ascii + $x2 = "%programfiles%internet exploreriexplore.exe" fullword wide + $x3 = "Elevation:Administrator!new:{3ad055" fullword wide + $x4 = "BypassUac.pdb" fullword ascii + $x5 = "[bypassUAC] started X64" fullword wide + $x6 = "[bypassUAC] started X86" fullword wide + condition: + ( uint16(0) == 0x5a4d and filesize < 1000KB and 1 of them ) +} + +rule BronzeButler_xxmm_1 { + meta: + description = "Detects malware / hacktool sample from Bronze Butler incident" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" + date = "2017-10-14" + hash1 = "7197de18bc5a4c854334ff979f3e4dafa16f43d7bf91edfe46f03e6cc88f7b73" + id = "0e413e3a-fb61-58bc-9ecb-4ef76e83a7f3" + strings: + $x1 = "\\Release\\ReflectivLoader.pdb" ascii + $x3 = "\\Projects\\xxmm2\\Release\\" ascii + $x5 = "http://127.0.0.1/phptunnel.php" fullword ascii + + $s1 = "xxmm2.exe" fullword ascii + $s2 = "\\AvUpdate.exe" wide + $s3 = "stdapi_fs_file_download" fullword ascii + $s4 = "stdapi_syncshell_open" fullword ascii + $s5 = "stdapi_execute_sleep" fullword ascii + $s6 = "stdapi_syncshell_kill" fullword ascii + condition: + uint16(0) == 0x5a4d and filesize < 700KB and ( + 1 of ($x*) or + 4 of them + ) +} + +rule BronzeButler_RarStar_1 
{ + meta: + description = "Detects malware / hacktool sample from Bronze Butler incident" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" + date = "2017-10-14" + hash1 = "0fc1b4fdf0dc5373f98de8817da9380479606f775f5aa0b9b0e1a78d4b49e5f4" + id = "770270b3-6743-5efb-84d8-b63f1df800d9" + strings: + $s1 = "Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.0;+SV1)" fullword wide + $s2 = "http://www.google.co.jp" fullword wide + $s3 = "16D73E22-873D-D58E-4F42-E6055BC9825E" fullword ascii + $s4 = "\\*.rar" ascii + condition: + ( uint16(0) == 0x5a4d and filesize < 200KB and 2 of them ) +} + +/* + Yara Rule Set + Author: Florian Roth + Date: 2017-11-08 + Identifier: Bronze Butler + Reference: https://goo.gl/ffeCfd +*/ + +/* Rule Set ----------------------------------------------------------------- */ + +rule Daserf_Nov1_BronzeButler { + meta: + description = "Detects Daserf malware used by Bronze Butler" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "https://goo.gl/ffeCfd" + date = "2017-11-08" + hash1 = "5ede6f93f26ccd6de2f93c9bd0f834279df5f5cfe3457915fae24a3aec46961b" + id = "58c4d3dc-c516-567b-8746-4e185c3cd328" + strings: + $x1 = "mstmp1845234.exe" fullword ascii + /* Bronce Butler UA String - see google search */ + $x2 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)" fullword ascii + $x3 = "Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)" fullword ascii + + $s1 = "Content-Type: */*" fullword ascii + $s2 = "ProxyEnable" ascii fullword + $s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer" ascii fullword + $s4 = "iexplore.exe" ascii fullword + /* Looks random but present in many samples */ + $s5 = "\\SOFTWARE\\Microsoft\\Windows\\Cu" ascii + 
$s6 = "rrentVersion\\Internet Settings" fullword ascii + $s7 = "ws\\CurrentVersion\\Inter" fullword ascii + $s8 = "Documents an" fullword ascii + condition: + uint16(0) == 0x5a4d and filesize < 700KB and ( 1 of ($x*) or 5 of them ) +} + diff --git a/yara-Neo23x0/apt_buckeye.yar b/yara-Neo23x0/apt_buckeye.yar new file mode 100644 index 0000000..9b08762 --- /dev/null +++ b/yara-Neo23x0/apt_buckeye.yar 
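Review bot: BronzeButler_Daserf_Delphi_1 fires on `3 of them` in any MZ file under 400KB, but several of its nine strings are generic: `$s6` is a Delphi RTL error message present in essentially every Delphi binary, `$s8` is the standard Run key, and `$s1 "Services.exe"` / `$s3 "l32.dll"` are short fragments, so a benign Delphi application that registers itself for autorun could presumably reach the threshold. Splitting the specific indicators out and weighting them would tighten it, e.g. `$x1 = "ms1ng2d3d2.exe" fullword ascii` and `$x2` = the `MSIE 11.0; Windows NT 6.1; SV1` UA, with `( 1 of ($x*) or 4 of ($s*) )`. In BronzeButler_UACBypass_1, `$x2 = "%programfiles%internet exploreriexplore.exe"` reads like a path whose backslashes were lost (`%programfiles%\\internet explorer\\iexplore.exe`); since it is a `wide fullword` indicator that carries the rule on its own, it should be checked against hash1 before shipping.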
@@ -0,0 +1,76 @@ +/* + Yara Rule Set + Author: Florian Roth + Date: 2016-09-05 + Identifier: Buckeye +*/ + +/* Rule Set ----------------------------------------------------------------- */ + +rule Buckeye_Osinfo { + meta: + description = "Detects OSinfo tool used by the Buckeye APT group" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" + date = "2016-09-05" + id = "e40a86d1-fd1a-5430-b7b7-8cc7ca128cc5" + strings: + $s1 = "-s ShareInfo ShareDir" fullword ascii + $s2 = "-a Local And Global Group User Info" fullword ascii + $s3 = "-f //input server list from infile, OneServerOneLine" fullword ascii + $s4 = "info <\\server> " fullword ascii + $s5 = "-c Connect Test" fullword ascii + $s6 = "-gd Group Domain Admins" fullword ascii + $s7 = "-n NetuseInfo" fullword ascii + condition: + uint16(0) == 0x5a4d and 3 of ($s*) +} + +rule RemoteCmd { + meta: + description = "Detects a remote access tool used by APT groups - file RemoteCmd.exe" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "http://goo.gl/igxLyF" + date = "2016-09-08" + modified = "2022-12-21" + hash1 = "5264d1de687432f8346617ac88ffcb31e025e43fc3da1dad55882b17b44f1f8b" + id = "384f37f3-4562-5d79-9793-0384c43d4602" + strings: + $s1 = "RemoteCmd.exe" fullword wide + $s2 = "\\Release\\RemoteCmd.pdb" ascii + $s3 = "RemoteCmd [ComputerName] [Executable] [Param1] [Param2] ..." 
fullword wide + $s4 = "http://{0}:65101/CommandEngine" fullword wide + $s5 = "Brenner.RemoteCmd.Client" fullword ascii + $s6 = "$b1888995-1ee5-4f6d-82df-d2ab8ae73d63" fullword ascii + condition: + ( uint16(0) == 0x5a4d and filesize < 50KB and 2 of them ) or ( 4 of them ) +} + +rule ChromePass { + meta: + description = "Detects a tool used by APT groups - file ChromePass.exe" + license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" + author = "Florian Roth (Nextron Systems)" + reference = "http://goo.gl/igxLyF" + date = "2016-09-08" + modified = "2022-12-21" + hash1 = "5ff43049ae18d03dcc74f2be4a870c7056f6cfb5eb636734cca225140029de9a" + id = "950b9761-bdfd-514b-90ea-a1454d35ce5a" + strings: + $x1 = "\\Release\\ChromePass.pdb" ascii + $x2 = "Windows Protect folder for getting the encryption keys" wide + $x3 = "Chrome User Data folder where the password file is stored" wide + + $s1 = "Opera Software\\Opera Stable\\Login Data" fullword wide + $s2 = "Yandex\\YandexBrowser\\User Data\\Default\\Login Data" fullword wide + $s3 = "Load the passwords from another Windows user or external drive: " fullword wide + $s4 = "Chrome Passwords List!Select the windows profile folder" fullword wide + $s5 = "Load the passwords of the current logged-on user" fullword wide + $s6 = "Windows Login Password:" fullword wide + $s7 = "SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created fr" ascii + $s8 = "Chrome Password Recovery" fullword wide + condition: + ( uint16(0) == 0x5a4d and filesize < 700KB and 1 of ($x*) ) or ( 5 of them ) +} diff --git a/yara-Neo23x0/apt_camaro_dragon_oct23.yar b/yara-Neo23x0/apt_camaro_dragon_oct23.yar new file mode 100644 index 0000000..d6c6ebf --- /dev/null +++ b/yara-Neo23x0/apt_camaro_dragon_oct23.yar 
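Review bot: ChromePass matches a browser password-recovery utility (its description and GUI strings `Chrome Password Recovery`, `Load the passwords of the current logged-on user`, `Windows Login Password:`), i.e. a dual-use tool that administrators and helpdesks also run, yet the rule carries no `score` and a description that reads as an APT indicator. Add a weight and wording that lets responders triage it as a hacktool rather than malware, e.g. `description = "Detects ChromePass browser password recovery tool (dual-use, seen in Buckeye intrusions)"` and `score = 60`. RemoteCmd and Buckeye_Osinfo in the same hunk are likewise tool detections without a `score`, so the same triage problem applies there.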
@@ -0,0 +1,56 @@ + +rule MAL_LNX_CamaroDragon_Sheel_Oct23 { + meta: + description = "Detects CamaroDragon's tool named sheel" + author = "Florian Roth" + reference = "https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/" + date = "2023-10-06" + score = 85 + hash1 = "7985f992dcc6fcce76ee2892700c8538af075bd991625156bf2482dbfebd5a5a" + id = "f6f08c0e-236c-5194-9369-da8fdef4aa21" + strings: + $x1 = "-h server_ip -p server_port -i update_index[0-4] [-r]" ascii fullword + + $s1 = "read_ip" ascii fullword + $s2 = "open fail.%m" ascii fullword + $s3 = "ri:h:p:" ascii fullword /* flags */ + $s4 = "update server list success!" ascii fullword + condition: + uint16(0) == 0x457f and + filesize < 30KB and ( + 1 of ($x*) + or 3 of them + ) + or 4 of them +} + +rule MAL_LNX_CamaroDragon_HorseShell_Oct23 { + meta: + description = "Detects CamaroDragon's HorseShell implant for routers" + author = "Florian Roth" + reference = "https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/" + date = "2023-10-06" + score = 85 + hash1 = "998788472cb1502c03675a15a9f09b12f3877a5aeb687f891458a414b8e0d66c" + id = "9e54745f-146f-50a6-b30f-53aaaa6907b5" + strings: + $x1 = "echo \"start shell '%s' failed!\" > .remote_shell.log" ascii fullword + $x2 = "*****recv NET_REQ_HORSE_SHELL REQ_CONNECT_PORT*****" ascii fullword + + $s1 = "m.cremessage.com" ascii fullword + $s2 = "POST http://%s/index.php HTTP/1.1" ascii fullword + $s3 = "wzsw_encrypt_buf" ascii fullword + $s4 = "body:%d-%s" ascii fullword + $s5 = "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident" ascii fullword /* String occurs 1 times in goodware */ + $s6 = "process_http_read_events" ascii fullword + + $op1 = { c4 34 42 00 02 30 63 00 40 10 60 00 09 ae 62 00 48 8e 62 00 cc } + $op2 = { 27 f4 8c 46 27 f0 03 20 f8 09 00 60 28 21 } + condition: + uint16(0) == 0x457f and + filesize < 600KB and ( + 1 of ($x*) + or 3 of them + ) + or 5 
of them +} diff --git a/yara-Neo23x0/apt_candiru.yar b/yara-Neo23x0/apt_candiru.yar new file mode 100644 index 0000000..1060cf1 --- /dev/null +++ b/yara-Neo23x0/apt_candiru.yar @@ -0,0 +1,47 @@ +import "pe" + +rule MAL_DevilsTongue_HijackDll { + meta: + description = "Detects SOURGUM's DevilsTongue hijack DLL" + author = "Microsoft Threat Intelligence Center (MSTIC)" + date = "2021-07-15" + reference = "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/" + score = 80 + id = "390b8b73-6740-513d-8c70-c9002be0ce69" + strings: + $str1 = "windows.old\\windows" wide + $str2 = "NtQueryInformationThread" + $str3 = "dbgHelp.dll" wide + $str4 = "StackWalk64" + $str5 = "ConvertSidToStringSidW" + $str6 = "S-1-5-18" wide + $str7 = "SMNew.dll" // DLL original name + // Call check in stack manipulation + // B8 FF 15 00 00 mov eax, 15FFh + // 66 39 41 FA cmp [rcx-6], ax + // 74 06 jz short loc_1800042B9 + // 80 79 FB E8 cmp byte ptr [rcx-5], 0E8h ; + $code1 = { B8 FF 15 00 00 66 39 41 FA 74 06 80 79 FB E8 } + // PRNG to generate number of times to sleep 1s before exiting + // 44 8B C0 mov r8d, eax + // B8 B5 81 4E 1B mov eax, 1B4E81B5h + // 41 F7 E8 imul r8d + // C1 FA 05 sar edx, 5 + // 8B CA mov ecx, edx + // C1 E9 1F shr ecx, 1Fh + // 03 D1 add edx, ecx + // 69 CA 2C 01 00 00 imul ecx, edx, 12Ch + // 44 2B C1 sub r8d, ecx + // 45 85 C0 test r8d, r8d + // 7E 19 jle short loc_1800014D0 + $code2 = { 44 8B C0 B8 B5 81 4E 1B 41 F7 E8 C1 FA 05 8B CA C1 E9 1F 03 D1 69 CA 2C 01 00 00 44 2B C1 45 85 C0 7E 19 } + condition: + filesize < 800KB and + uint16(0) == 0x5A4D and + ( pe.characteristics & pe.DLL ) and + ( + 4 of them or + ( $code1 and $code2 ) or + pe.imphash() == "9a964e810949704ff7b4a393d9adda60" + ) +} diff --git a/yara-Neo23x0/apt_carbon_paper_turla.yar b/yara-Neo23x0/apt_carbon_paper_turla.yar new file mode 100644 index 0000000..3311e52 --- /dev/null 
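Review bot: The conditions of both CamaroDragon rules mix `and` and `or` at the top level without parentheses: `uint16(0) == 0x457f and filesize < 30KB and ( ... ) or 4 of them`. YARA binds `and` tighter, so this already evaluates as `(ELF and size and (1 of ($x*) or 3 of them)) or 4 of them`, which appears to be the intent (the trailing `or` lets the string-only branch match non-ELF carriers and memory), but a reader has to know the precedence table to see that the size bound does not apply to the last branch. Making it explicit costs one pair of parentheses: `( uint16(0) == 0x457f and filesize < 30KB and ( 1 of ($x*) or 3 of them ) ) or 4 of them`, and likewise with `600KB` / `5 of them` in the HorseShell rule. These two rules also omit the `license` line that the other Florian Roth rules in the set carry.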
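Review bot: MAL_DevilsTongue_HijackDll can satisfy `4 of them` purely from API and SID names: `$str2`, `$str4` and `$str5` are plain import names (`NtQueryInformationThread`, `StackWalk64`, `ConvertSidToStringSidW`) and `$str6` is the LocalSystem SID `S-1-5-18`, all of which a legitimate debugging or diagnostics DLL under 800KB could presumably contain together, without any of the sample-specific strings or either code pattern. Requiring one specific anchor next to the generic ones keeps the coverage while closing that path, e.g. `( 4 of them and ( 1 of ($code*) or $str1 or $str7 ) )`. `$str7 = "SMNew.dll"` is the one indicator annotated as the DLL's original name and would benefit from `fullword` so it does not match as a substring of a longer name.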
+++ b/yara-Neo23x0/apt_carbon_paper_turla.yar 
@@ -0,0 +1,71 @@
+// For feedback or questions contact us at: github@eset.com
+// https://github.com/eset/malware-ioc/
+//
+// These yara rules are provided to the community under the two-clause BSD
+// license as follows:
+//
+// Copyright (c) 2017, ESET
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this
+// list of conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice,
+// this list of conditions and the following disclaimer in the documentation
+// and/or other materials provided with the distribution.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+//
+import "pe"
+
+rule generic_carbon
+{
+ meta:
+ author = "ESET Research"
+ date = "2017-03-30"
+ description = "Turla Carbon malware"
+ reference = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/"
+ source = "https://github.com/eset/malware-ioc/"
+ contact = "github@eset.com"
+ license = "BSD 2-Clause"
+
+ id = "efdc0d16-a974-5c00-a401-391d60f3081e"
+ strings:
+ $s1 = "ModStart"
+ $t1 = "STOP|OK"
+ $t2 = "STOP|KILL"
+
+ condition:
+ (uint16(0) == 0x5a4d) and (1 of ($s*)) and (1 of ($t*))
+}
+
+rule carbon_metadata
+{
+ meta:
+ author = "ESET Research"
+ date = "2017-03-30"
+ description = "Turla Carbon malware"
+ reference = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/"
+ source = "https://github.com/eset/malware-ioc/"
+ contact = "github@eset.com"
+ license = "BSD 2-Clause"
+
+ id = "976b6a7d-00bf-5d0f-baf9-84fc5dbd21a2"
+ condition:
+ (pe.version_info["InternalName"] contains "SERVICE.EXE" or
+ pe.version_info["InternalName"] contains "MSIMGHLP.DLL" or
+ pe.version_info["InternalName"] contains "MSXIML.DLL")
+ and pe.version_info["CompanyName"] contains "Microsoft Corporation"
+}
diff --git a/yara-Neo23x0/apt_casper.yar b/yara-Neo23x0/apt_casper.yar
new file mode 100644
index 0000000..233fc71
--- /dev/null
+++ b/yara-Neo23x0/apt_casper.yar
@@ -0,0 +1,104 @@
+
+/* State-sponsored Casper Malware Rules by @4nc4p - attribution and analysis by @pinkflawd @r00tbsd @circl_lu */
+
+rule Casper_Backdoor_x86 {
+ meta:
+ description = "Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "http://goo.gl/VRJNLo"
+ date = "2015-03-05"
+ modified = "2023-01-27"
+ hash = "f4c39eddef1c7d99283c7303c1835e99d8e498b0"
+ score = 80
+ id = "9e54f00c-74a7-56cc-87e5-8dec1233cbb5"
+ strings:
+ $s1 = "\"svchost.exe\"" fullword wide
+ $s2 = "firefox.exe" fullword ascii
+ $s3 = "\"Host Process for Windows Services\"" fullword wide
+
+ $x1 = "\\Users\\*" ascii
+ $x2 = "\\Roaming\\Mozilla\\Firefox\\Profiles\\*" ascii
+ $x3 = "\\Mozilla\\Firefox\\Profiles\\*" ascii
+ $x4 = "\\Documents and Settings\\*" ascii
+
+ $y1 = "%s; %S=%S" fullword wide
+ $y2 = "%s; %s=%s" fullword ascii
+ $y3 = "Cookie: %s=%s" fullword ascii
+ $y4 = "http://%S:%d" fullword wide
+
+ $z1 = "http://google.com/" ascii
+ $z2 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)" fullword ascii
+ $z3 = "Operating System\"" fullword wide
+ condition:
+ ( filesize < 250KB and all of ($s*) ) or
+ ( 3 of ($x*) and 2 of ($y*) and 2 of ($z*) )
+}
+
+rule Casper_EXE_Dropper {
+ meta:
+ description = "Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "http://goo.gl/VRJNLo"
+ date = "2015/03/05"
+ hash = "e4cc35792a48123e71a2c7b6aa904006343a157a"
+ score = 80
+ id = "a901d045-6f9b-57e8-8347-6f78178b7231"
+ strings:
+ $s0 = "" fullword ascii
+ $s1 = "" fullword ascii
+ $s2 = "\" /d \"" fullword ascii
+ $s4 = "'%s' %s" fullword ascii
+ $s5 = "nKERNEL32.DLL" fullword wide
+ $s6 = "@ReturnValue" fullword wide
+ $s7 = "ID: 0x%x" fullword ascii
+ $s8 = "Name: %S" fullword ascii
+ condition:
+ 7 of them
+}
+
+rule Casper_Included_Strings {
+ meta:
+ description = "Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "http://goo.gl/VRJNLo"
+ date = "2015/03/06"
+ score = 50
+ id = "34ba474d-0858-534a-8f32-db5a709e8814"
+ strings:
+ $a0 = "cmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST"
+ $a1 = "& SYSTEMINFO) ELSE EXIT"
+
+ $c1 = "domcommon.exe" wide fullword // File Name
+ $c2 = "jpic.gov.sy" fullword // C2 Server
+ $c3 = "aiomgr.exe" wide fullword // File Name
+ $c4 = "perfaudio.dat" fullword // Temp File Name
+ $c5 = "Casper_DLL.dll" fullword // Name
+ $c6 = { 7B 4B 59 DE 37 4A 42 26 59 98 63 C6 2D 0F 57 40 } // Decryption Key
+ $c7 = "{4216567A-4512-9825-7745F856}" fullword // Mutex
+ condition:
+ all of ($a*) or
+ uint16(0) == 0x5a4d and ( 1 of ($c*) )
+}
+
+rule Casper_SystemInformation_Output {
+ meta:
+ description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "http://goo.gl/VRJNLo"
+ date = "2015/03/06"
+ score = 70
+ id = "aaae200c-7ef1-52eb-be5b-36e0ad29ecef"
+ strings:
+ $a0 = "***** SYSTEM INFORMATION ******"
+ $a1 = "***** SECURITY INFORMATION ******"
+ $a2 = "Antivirus: "
+ $a3 = "Firewall: "
+ $a4 = "***** EXECUTION CONTEXT ******"
+ $a5 = "Identity: "
+ $a6 = " 6KB and filesize < 1000KB
+ and (all of ($seq*) or 2 of ($s*))
+}
+
+rule MAL_Netfilter_May_2021_1 {
+ meta:
+ description = "Detects Netfilter rootkit"
+ author = "Arkbird_SOLG"
+ reference = "https://twitter.com/struppigel/status/1405483373280235520"
+ date = "2020-06-18"
+ hash1 = "63d61549030fcf46ff1dc138122580b4364f0fe99e6b068bc6a3d6903656aff0"
+ hash2 = "8249e9c0ac0840a36d9a5b9ff3e217198a2f533159acd4bf3d9b0132cc079870"
+ hash3 = "d64f906376f21677d0585e93dae8b36248f94be7091b01fd1d4381916a326afe"
+ tlp = "White"
+ adversary = "Chinese APT Group"
+ id = "0ac01eb3-435b-52b0-b8e8-ace2ebb34f60"
+ strings:
+ $seq1 = { 48 8b 05 a9 57 ff ff 45 33 c9 49 b8 32 a2 df 2d 99 2b 00 00 48 85 c0 74 05 49 3b c0 75 38 0f 31 48 c1 e2 20 48 8d 0d 85 57 ff ff 48 0b c2 48 33 c1 48 89 05 78 57 ff ff 66 44 89 0d 76 57 ff ff 48 8b 05 69 57 ff ff 48 85 c0 75 0a 49 8b c0 48 89 05 5a 57 ff ff 48 f7 d0 48 89 05 58 57 }
+ $seq2 = { 48 83 ec 38 48 83 64 24 20 00 48 8d 05 83 4c 00 00 48 8d 15 24 d1 00 00 48 89 44 24 28 48 8d 4c 24 20 e8 4d 05 00 00 85 c0 78 16 4c 8d 05 22 d1 00 00 83 ca ff 48 8d 0d 00 d1 00 00 e8 39 05 00 00 48 83 c4 }
+ $seq3 = { 45 33 c0 48 8d 4c 24 40 41 8d 50 01 ff 15 5d 62 00 00 c6 84 24 88 00 00 00 01 48 8d 84 24 88 00 00 00 48 89 46 18 48 8d 0d e2 fe ff ff 48 89 9e c0 00 00 00 48 8d 44 24 40 48 89 46 50 48 8d 44 24 30 48 89 46 48 65 48 8b 04 25 88 01 00 00 48 89 86 98 00 00 00 48 8b 86 b8 00 00 00 40 88 7e 40 c6 40 b8 06 4c 89 78 e0 48 89 58 e8 c7 40 c0 01 00 00 00 c7 40 c8 0d 00 00 00 48 89 58 d0 48 8b 86 b8 00 00 00 48 89 48 f0 48 8d 4c 24 40 48 89 48 f8 c6 40 bb e0 48 8b 43 28 48 85 c0 74 2f 48 8b 48 10 48 85 c9 74 07 48 21 78 10 4c 8b f1 48 8b 08 48 85 c9 74 06 48 21 38 48 8b e9 48 8b 48 08 48 85 c9 74 08 48 83 60 08 00 48 8b f9 48 8b d6 49 8b cf ff 15 74 61 00 00 3d 03 01 00 00 75 19 48 83 64 24 20 00 48 8d 4c 24 40 41 b1 01 45 33 c0 33 d2 ff 15 64 61 00 00 48 8b 43 28 48 85 c0 74 1a 4d }
+ $seq4 = { 8b 84 24 80 00 00 00 48 8d 54 24 38 48 8b 4c 24 30 44 8b ce 89 44 24 28 45 33 c0 48 89 7c 24 20 ff 15 66 2e 00 00 48 8b 4c 24 30 8b d8 ff 15 49 2e 00 00 48 8b 4c 24 30 ff 15 26 2d 00 00 8b }
+ $s1 = "%sc=%s" fullword ascii
+ $s2 = { 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 }
+ $s3 = "NETIO.SYS" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d
+ and filesize > 20KB and filesize < 1000KB
+ and (3 of ($seq*) or 2 of ($s*))
+}
\ No newline at end of file
diff --git a/yara-Neo23x0/apt_cn_pp_zerot.yar b/yara-Neo23x0/apt_cn_pp_zerot.yar
new file mode 100644
index 0000000..9c6cd8f
--- /dev/null
+++ b/yara-Neo23x0/apt_cn_pp_zerot.yar
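Review bot: As rendered, `$s0 = "" fullword ascii` and `$s1 = "" fullword ascii` in Casper_EXE_Dropper are empty literals, which the YARA compiler rejects, and the hunk jumps from `$a6 = "` in Casper_SystemInformation_Output straight into a `filesize > 6KB` condition and a `MAL_Netfilter_May_2021_1` rule with no file header, although the hunk header promises 104 lines for apt_casper.yar alone. That pattern looks like angle-bracket text being stripped by the page renderer rather than a defect in the commit, but it is worth confirming that the committed apt_casper.yar and the file carrying the Netfilter rule compile cleanly before the set is loaded into the scanner. Independently, `MAL_Netfilter_May_2021_1` carries `date = "2020-06-18"`, which contradicts the `May_2021` in its own name; if this directory is a vendored copy of signature-base, the correction belongs upstream as well so it survives the next sync.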
@@ -0,0 +1,241 @@
+
+/*
+ Yara Rule Set
+ Author: Florian Roth
+ Date: 2017-02-03
+ Identifier: ZeroT CN APT
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule PP_CN_APT_ZeroT_1 {
+ meta:
+ description = "Detects malware from the Proofpoint CN APT ZeroT incident"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+ date = "2017-02-03"
+ hash1 = "09061c603a32ac99b664f7434febfc8c1f9fd7b6469be289bb130a635a6c47c0"
+ id = "c16f3abb-ac7e-5d5f-b8d7-b105cff3886e"
+ strings:
+ $s1 = "suprise.exe" fullword ascii
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )
+}
+
+rule PP_CN_APT_ZeroT_2 {
+ meta:
+ description = "Detects malware from the Proofpoint CN APT ZeroT incident"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+ date = "2017-02-03"
+ hash1 = "74eb592ef7f5967b14794acdc916686e061a43169f06e5be4dca70811b9815df"
+ id = "8433216e-1189-568c-bd18-051fb1fec215"
+ strings:
+ $s1 = "NO2-2016101902.exe" fullword ascii
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )
+}
+
+rule PP_CN_APT_ZeroT_3 {
+ meta:
+ description = "Detects malware from the Proofpoint CN APT ZeroT incident"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+ date = "2017-02-03"
+ hash1 = "ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2"
+ id = "99aa29cf-d962-5a3d-bd28-6486c40822bb"
+ strings:
+ $s1 = "/svchost.exe" fullword ascii
+ $s2 = "RasTls.dll" fullword ascii
+ $s3 = "20160620.htm" fullword ascii
+ $s4 = "* $l&$" fullword ascii
+ $s5 = "dfjhmh" fullword ascii
+ $s6 = "/20160620.htm" fullword ascii
+ condition:
+ ( uint16(0) == 0x5449 and filesize < 1000KB and 3 of them ) or ( all of them )
+}
+
+rule PP_CN_APT_ZeroT_4 {
+ meta:
+ description = "Detects malware from the Proofpoint CN APT ZeroT incident"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+ date = "2017-02-03"
+ hash1 = "a9519d2624a842d2c9060b64bb78ee1c400fea9e43d4436371a67cbf90e611b8"
+ id = "b21961ee-d346-51d3-bacd-02554240162d"
+ strings:
+ $s1 = "Mcutil.dll" fullword ascii
+ $s2 = "mcut.exe" fullword ascii
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 1000KB and all of them )
+}
+
+rule PP_CN_APT_ZeroT_5 {
+ meta:
+ description = "Detects malware from the Proofpoint CN APT ZeroT incident"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+ date = "2017-02-03"
+ hash1 = "74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d"
+ id = "2a7c6a36-aace-562e-bbc4-425c1d93fab1"
+ strings:
+ $x1 = "dbozcb" fullword ascii
+
+ $s1 = "nflogger.dll" fullword ascii
+ $s2 = "/svchost.exe" fullword ascii
+ $s3 = "1207.htm" fullword ascii
+ $s4 = "/1207.htm" fullword ascii
+ condition:
+ ( uint16(0) == 0x5449 and filesize < 1000KB and 1 of ($x*) and 1 of ($s*) ) or ( all of them )
+}
+
+rule PP_CN_APT_ZeroT_6 {
+ meta:
+ description = "Detects malware from the Proofpoint CN APT ZeroT incident"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+ date = "2017-02-03"
+ hash1 = "a16078c6d09fcfc9d6ff7a91e39e6d72e2d6d6ab6080930e1e2169ec002b37d3"
+ id = "2e3bb4bd-5e20-56e7-a82b-d717d83eaeeb"
+ strings:
+ $s1 = "jGetgQ|0h9=" fullword ascii
+ $s2 = "\\sfxrar32\\Release\\sfxrar.pdb"
+ condition:
+ uint16(0) == 0x5a4d and filesize < 1000KB and all of them
+}
+
+rule PP_CN_APT_ZeroT_7 {
+ meta:
+ description = "Detects malware from the Proofpoint CN APT ZeroT incident"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+ date = "2017-02-03"
+ hash1 = "fc2d47d91ad8517a4a974c4570b346b41646fac333d219d2f1282c96b4571478"
+ id = "e9cdca86-84a8-5673-935c-c319b523674b"
+ strings:
+ $s1 = "RasTls.dll" fullword ascii
+ $s2 = "RasTls.exe" fullword ascii
+ $s4 = "LOADER ERROR" fullword ascii
+ $s5 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 1000KB and all of them )
+}
+
+rule PP_CN_APT_ZeroT_8 {
+ meta:
+ description = "Detects malware from the Proofpoint CN APT ZeroT incident"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+ date = "2017-02-03"
+ hash1 = "4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff"
+ id = "f9a4f092-c699-5e91-9667-64ffe1b02bc1"
+ strings:
+ $s1 = "/svchost.exe" fullword ascii
+ $s2 = "RasTls.dll" fullword ascii
+ $s3 = "20160620.htm" fullword ascii
+ $s4 = "/20160620.htm" fullword ascii
+ condition:
+ ( uint16(0) == 0x5449 and filesize < 1000KB and 3 of them )
+}
+
+rule PP_CN_APT_ZeroT_9 {
+ meta:
+ description = "Detects malware from the Proofpoint CN APT ZeroT incident"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+ date = "2017-02-03"
+ hash1 = "a685cf4dca6a58213e67d041bba637dca9cb3ea6bb9ad3eae3ba85229118bce0"
+ id = "e1c32993-409c-5a62-8239-cff99fb83a7f"
+ strings:
+ $x1 = "nflogger.dll" fullword ascii
+ $s7 = "Zlh.exe" fullword ascii
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 1000KB and all of them )
+}
+
+rule CN_APT_ZeroT_nflogger {
+ meta:
+ description = "Chinese APT by Proofpoint ZeroT RAT - file nflogger.dll"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+ date = "2017-02-04"
+ hash1 = "946adbeb017616d56193a6d43fe9c583be6ad1c7f6a22bab7df9db42e6e8ab10"
+ id = "0d23f312-e3b6-5c23-855b-25ae54265512"
+ strings:
+ $x1 = "\\LoaderDll.VS2010\\Release\\" ascii
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 200KB and all of them )
+}
+
+rule CN_APT_ZeroT_extracted_Go {
+ meta:
+ description = "Chinese APT by Proofpoint ZeroT RAT - file Go.exe"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+ date = "2017-02-04"
+ modified = "2023-01-06"
+ hash1 = "83ddc69fe0d3f3d2f46df7e72995d59511c1bfcca1a4e14c330cb71860b4806b"
+ id = "ba929e6d-4162-58e7-b8a8-bcb066b64522"
+ strings:
+ $x1 = "%s\\cmd.exe /c %s\\Zlh.exe" fullword ascii
+ $x2 = "\\BypassUAC.VS2010\\Release\\" ascii
+
+ $s1 = "Zjdsf.exe" fullword ascii
+ $s2 = "SS32prep.exe" fullword ascii
+ $s3 = "windowsgrep.exe" fullword ascii
+ $s4 = "Sysdug.exe" fullword ascii
+ $s5 = "Proessz.exe" fullword ascii
+ $s6 = "%s\\Zlh.exe" fullword ascii
+ $s7 = "/C %s\\%s" fullword ascii
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 100KB and ( 1 of ($x*) or 3 of ($s*) ) ) or ( 7 of them )
+}
+
+rule CN_APT_ZeroT_extracted_Mcutil {
+ meta:
+ description = "Chinese APT by Proofpoint ZeroT RAT - file Mcutil.dll"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+ date = "2017-02-04"
+ hash1 = "266c06b06abbed846ebabfc0e683f5d20dadab52241bc166b9d60e9b8493b500"
+ id = "c887d36b-8aeb-54f1-a683-727561723238"
+ strings:
+ $s1 = "LoaderDll.dll" fullword ascii
+ $s2 = "QageBox1USER" fullword ascii
+ $s3 = "xhmowl" fullword ascii
+ $s4 = "?KEYKY" fullword ascii
+ $s5 = "HH:mm:_s" fullword ascii
+ $s6 = "=licni] has maX0t" fullword ascii
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 90KB and 3 of them ) or ( all of them )
+}
+
+rule CN_APT_ZeroT_extracted_Zlh {
+ meta:
+ description = "Chinese APT by Proofpoint ZeroT RAT - file Zlh.exe"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+ date = "2017-02-04"
+ hash1 = "711f0a635bbd6bf1a2890855d0bd51dff79021db45673541972fe6e1288f5705"
+ id = "4c8b9a90-6cb3-5aba-a993-f73207341d0e"
+ strings:
+ $s1 = "nflogger.dll" fullword wide
+ $s2 = "%s %d: CreateProcess('%s', '%s') failed. Windows error code is 0x%08x" fullword ascii
+ $s3 = "_StartZlhh(): Executed \"%s\"" ascii
+ $s4 = "Executable: '%s' (%s) %i" fullword ascii
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 300KB and 3 of them )
+}
diff --git a/yara-Neo23x0/apt_cn_reddelta.yar b/yara-Neo23x0/apt_cn_reddelta.yar
new file mode 100644
index 0000000..c221068
--- /dev/null
+++ b/yara-Neo23x0/apt_cn_reddelta.yar
@@ -0,0 +1,78 @@
+
+rule APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_1 {
+ meta:
+ description = "Detects Red Delta samples"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://twitter.com/JAMESWT_MHT/status/1316387482708119556"
+ date = "2020-10-14"
+ hash1 = "30b2bbce0ca4cb066721c94a64e2c37b7825dd72fc19c20eb0ab156bea0f8efc"
+ hash2 = "42ed73b1d5cc49e09136ec05befabe0860002c97eb94e9bad145e4ea5b8be2e2"
+ hash3 = "480a8c883006232361c5812af85de9799b1182f1b52145ccfced4fa21b6daafa"
+ hash4 = "7ea7c6406c5a80d3c15511c4d97ec1e45813e9c58431f386710d0486c4898b98"
+ id = "47417488-e843-5346-9baa-fcce30b884d1"
+ strings:
+ $x1 = "InjectShellCode" ascii fullword
+
+ $s1 = "DotNetLoader.exe" wide ascii fullword
+ $s2 = "clipboardinject" ascii fullword
+ $s3 = "download.php?raw=1" wide
+ $s4 = "Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController\\Levint" wide
+ $s5 = "FlashUpdate.exe" wide
+ $s6 = "raw_cc_url" ascii fullword
+
+ $op1 = { 48 8b 4c 24 78 48 89 01 e9 1a ff ff ff 48 8b 44 }
+ $op2 = { ff ff 00 00 77 2a 8b 44 24 38 8b 8c 24 98 }
+ condition:
+ uint16(0) == 0x5a4d and
+ filesize < 200KB and
+ $x1 or 3 of them
+}
+
+rule APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_2 {
+ meta:
+ description = "Detects Red Delta samples"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://twitter.com/JAMESWT_MHT/status/1316387482708119556"
+ date = "2020-10-14"
+ hash1 = "260ebbf392498d00d767a5c5ba695e1a124057c1c01fff2ae76db7853fe4255b"
+ hash2 = "9ccb4ed133be5c9c554027347ad8b722f0b4c3f14bfd947edfe75a015bf085e5"
+ hash3 = "b3fd750484fca838813e814db7d6491fea36abe889787fb7cf3fb29d9d9f5429"
+ id = "acb1024a-64af-51ac-84c8-7fe9a5bd4538"
+ strings:
+ $x1 = "\\CLRLoader.exe" wide fullword
+ $x2 = "/callback.php?token=%s&computername=%s&username=%s" ascii fullword
+
+ $s1 = "DotNetLoader.Program" wide fullword
+ $s2 = "/download.php?api=40" ascii fullword
+ $s3 = "get %d URLDir" ascii fullword
+ $s4 = "Read code failed" ascii fullword
+ $s5 = "OpenFile fail!" wide fullword
+ $s6 = "Writefile success" wide fullword
+
+ $op1 = { 4c 8d 45 e0 49 8b cc 41 8d 51 c3 e8 34 77 02 00 }
+ condition:
+ uint16(0) == 0x5a4d and
+ filesize < 3000KB and
+ 1 of ($x*) or 4 of them
+}
+
+rule APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_3 {
+ meta:
+ description = "Detects Red Delta samples"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://twitter.com/JAMESWT_MHT/status/1316387482708119556"
+ date = "2020-10-14"
+ modified = "2022-12-21"
+ hash1 = "740992d40b84b10aa9640214a4a490e989ea7b869cea27dbbdef544bb33b1048"
+ id = "b52836bb-cdef-5416-a8e1-72d0b2298546"
+ strings:
+ $s1 = "Taskschd.dll" ascii fullword
+ $s2 = "AddTaskPlanDllVerson.dll" ascii fullword
+ $s3 = "\\FlashUpdate.exe" ascii
+ $s4 = "D:\\Project\\FBIRedTeam" ascii fullword
+ $s5 = "Error %s:%d, ErrorCode: %x" ascii fullword
+ condition:
+ uint16(0) == 0x5a4d and
+ filesize < 400KB and
+ 4 of them
+}
diff --git a/yara-Neo23x0/apt_cn_twisted_panda.yar b/yara-Neo23x0/apt_cn_twisted_panda.yar
new file mode 100644
index 0000000..8240647
--- /dev/null
+++ b/yara-Neo23x0/apt_cn_twisted_panda.yar
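Review bot: In `APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_1` the condition `uint16(0) == 0x5a4d and filesize < 200KB and $x1 or 3 of them` parses as `(MZ and size and $x1) or (3 of them)`, because `and` binds tighter than `or` in YARA, so the MZ and file-size gates never apply to the `3 of them` branch; `..._Oct20_2` has the same shape with `1 of ($x*) or 4 of them`. A non-PE input of any size that happens to contain three of the generic strings (`FlashUpdate.exe`, `download.php?raw=1`, `DotNetLoader.exe`, ...) therefore fires the rule, which the header checks were presumably meant to prevent. Parenthesise the string clause, `uint16(0) == 0x5a4d and filesize < 200KB and ( $x1 or 3 of them )`, and likewise `( 1 of ($x*) or 4 of them )` in the second rule. If this directory is a vendored copy of signature-base, file the same change upstream so the next sync does not reintroduce it.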
@@ -0,0 +1,194 @@
+rule APT_CN_TwistedPanda_loader {
+ meta:
+ author = "Check Point Research"
+ description = "Detects loader used by TwistedPanda"
+ date = "2022-04-14"
+ reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
+ score = 80
+ hash1 = "5b558c5fcbed8544cb100bd3db3c04a70dca02eec6fedffd5e3dcecb0b04fba0"
+ hash2 = "efa754450f199caae204ca387976e197d95cdc7e83641444c1a5a91b58ba6198"
+
+ id = "a10f6019-f069-579c-b112-18537a7d8fd8"
+ strings:
+
+ // 6A 40 push 40h ; '@'
+ // 68 00 30 00 00 push 3000h
+ $seq1 = { 6A 40 68 00 30 00 00 }
+
+ // 6A 00 push 0 ; lpOverlapped
+ // 50 push eax ; lpNumberOfBytesRead
+ // 6A 14 push 14h ; nNumberOfBytesToRead
+ // 8D ?? ?? ?? ?? ?? lea eax, [ebp+Buffer]
+ // 50 push eax ; lpBuffer
+ // 53 push ebx ; hFile
+ // FF 15 04 D0 4C 70 call ds:ReadFile
+ $seq2 = { 6A 00 50 6A 14 8D ?? ?? ?? ?? ?? 50 53 FF }
+ // 6A 00 push 0
+ // 6A 00 push 0
+ // 6A 03 push 3
+ // 6A 00 push 0
+ // 6A 03 push 3
+ // 68 00 00 00 80 push 80000000h
+ $seq3 = { 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 80 }
+
+ // Decryption sequence
+ $decryption = { 8B C? [2-3] F6 D? 1A C? [2-3] [2-3] 30 0? ?? 4? }
+
+ condition:
+ // MZ signature at offset 0 and ...
+ uint16(0) == 0x5A4D and
+
+ // ... PE signature at offset stored in MZ header at 0x3C
+ uint32(uint32(0x3C)) == 0x00004550 and
+ filesize < 3000KB and all of ($seq*) and $decryption
+}
+
+rule APT_CN_TwistedPanda_SPINNER_1 {
+ meta:
+ author = "Check Point Research"
+ description = "Detects the obfuscated variant of SPINNER payload used by TwistedPanda"
+ date = "2022-04-14"
+ reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
+ score = 80
+ hash1 = "a9fb7bb40de8508606a318866e0e5ff79b98f314e782f26c7044622939dfde81"
+
+ id = "0b44013d-0caa-5ea2-ab08-e2a6a5732c03"
+ strings:
+ // C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??
+ // C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??
+ // C6 mov byte ptr [eax], 0
+ $config_init = { C7 ?? ?? ?? 00 00 00 C7 ?? ?? ?? 00 00 00 C6 }
+ $c2_cmd_1 = { 01 00 03 10}
+ $c2_cmd_2 = { 02 00 01 10}
+ $c2_cmd_3 = { 01 00 01 10}
+ // 8D 83 ?? ?? ?? ?? lea eax, xor_key[ebx]
+ // 80 B3 ?? ?? ?? ?? ?? xor xor_key[ebx], 50h
+ // 89 F1 mov ecx, esi ; this
+ // 6A 01 push 1 ; Size
+ // 50 push eax ; Src
+ // E8 ?? ?? ?? ?? call str_append
+ // 80 B3 ?? ?? ?? ?? ?? xor xor_key[ebx], 50h
+ $decryption = { 8D 83 [4] 80 B3 [5] 89 F1 6A 01 50 E8 [4] 80 B3 }
+
+ condition:
+ // MZ signature at offset 0 and ...
+ uint16(0) == 0x5A4D and
+
+ // ... PE signature at offset stored in MZ header at 0x3C
+ uint32(uint32(0x3C)) == 0x00004550 and
+ filesize < 3000KB and #config_init > 10 and 2 of ($c2_cmd_*) and $decryption
+}
+
+rule APT_CN_TwistedPanda_SPINNER_2 {
+ meta:
+ author = "Check Point Research"
+ description = "Detects an older variant of SPINNER payload used by TwistedPanda"
+ date = "2022-04-14"
+ reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
+ score = 80
+ hash1 = "28ecd1127bac08759d018787484b1bd16213809a2cc414514dc1ea87eb4c5ab8"
+
+ id = "bbbf3af1-127f-5d32-967f-bdb94311d1d6"
+ strings:
+ // C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??
+ // C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??
+ // C6 mov byte ptr [eax], 0
+ $config_init = { C7 [3] 00 00 00 C7 [3] 00 00 00 C6 }
+ $c2_cmd_1 = { 01 00 03 10 }
+ $c2_cmd_2 = { 02 00 01 10 }
+ $c2_cmd_3 = { 01 00 01 10 }
+ $c2_cmd_4 = { 01 00 00 10 }
+ $c2_cmd_5 = { 02 00 00 10 }
+ // 80 B3 ?? ?? ?? ?? ?? xor ds:dd_encrypted_url[ebx], 50h
+ // 8D BB ?? ?? ?? ?? lea edi, dd_encrypted_url[ebx]
+ // 8B 56 14 mov edx, [esi+14h]
+ // 8B C2 mov eax, edx
+ // 8B 4E 10 mov ecx, [esi+10h]
+ // 2B C1 sub eax, ecx
+ // 83 F8 01 cmp eax, 1
+ $decryption = { 80 B3 [5] 8D BB [4] 8B 56 14 8B C2 8B 4E 10 2B C1 83 F8 01 }
+
+ condition:
+ // MZ signature at offset 0 and ...
+ uint16(0) == 0x5A4D and
+
+ // ... PE signature at offset stored in MZ header at 0x3C
+ uint32(uint32(0x3C)) == 0x00004550 and
+ filesize < 3000KB and #config_init > 10 and 2 of ($c2_cmd_*) and $decryption
+}
+
+rule APT_CN_TwistedPanda_64bit_Loader {
+ meta:
+ author = "Check Point Research"
+ description = "Detects the 64bit Loader DLL used by TwistedPanda"
+ date = "2022-04-14"
+ reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
+ score = 80
+ hash1 = "e0d4ef7190ff50e6ad2a2403c87cc37254498e8cc5a3b2b8798983b1b3cdc94f"
+
+ id = "2172dd33-204b-5a05-ad26-534a0c1d7a17"
+ strings:
+ // 48 8D ?? ?? ?? ?? ?? ?? ?? lea rdx, ds:2[rdx*2]
+ // 48 8B C1 mov rax, rcx
+ // 48 81 ?? ?? ?? ?? ?? cmp rdx, 1000h
+ // 72 ?? jb short loc_7FFDF0BA1B48
+ $path_check = { 48 8D [6] 48 8B ?? 48 81 [5] 72 }
+ // 48 8B D0 mov rdx, rax ; lpBuffer
+ // 41 B8 F0 16 00 00 mov r8d, 16F0h ; nNumberOfBytesToRead
+ // 48 8B CF mov rcx, rdi ; hFile
+ // 48 8B D8 mov rbx, rax
+ // FF ?? ?? ?? ?? call cs:ReadFile
+ $shellcode_read = { 48 8B D0 41 B8 F0 16 00 00 48 8B CF 48 8B D8 FF}
+ // BA F0 16 00 00 mov edx, 16F0h ; dwSize
+ // 44 8D 4E 40 lea r9d, [rsi+40h] ; flProtect
+ // 33 C9 xor ecx, ecx ; lpAddress
+ // 41 B8 00 30 00 00 mov r8d, 3000h ; flAllocationType
+ // FF ?? ?? ?? ?? ?? call cs:VirtualAlloc
+ $shellcode_allocate = { BA F0 16 00 00 44 8D 4E 40 33 C9 41 B8 00 30 00 00 FF }
+ condition:
+ // MZ signature at offset 0 and ...
+ uint16(0) == 0x5A4D and
+
+ // ... PE signature at offset stored in MZ header at 0x3C
+ uint32(uint32(0x3C)) == 0x00004550 and
+ filesize < 3000KB and $path_check and $shellcode_allocate and $shellcode_read
+}
+
+rule APT_CN_TwistedPanda_droppers {
+ meta:
+ author = "Check Point Research"
+ description = "Detects droppers used by TwistedPanda"
+ date = "2022-04-14"
+ reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
+ score = 80
+ hash1 = "59dea38da6e515af45d6df68f8959601e2bbf0302e35b7989e741e9aba2f0291"
+ hash2 = "8b04479fdf22892cdfebd6e6fbed180701e036806ed0ddbe79f0b29f73449248"
+ hash3 = "f29a0cda6e56fc0e26efa3b6628c6bcaa0819a3275a10e9da2a8517778152d66"
+
+ id = "f61c8b97-5870-5837-942f-f1650870960a"
+ strings:
+ // 81 FA ?? ?? ?? ?? cmp edx, 4BED1896h
+ // 75 ?? jnz short loc_140001829
+ // E8 ?? ?? ?? ?? call sub_1400019D0
+ // 48 89 05 ?? ?? ?? ?? mov cs:qword_14001ED38, rax
+ // E? ?? ?? ?? ?? jmp loc_1400018DD
+ $switch_control = { 81 FA [4] 75 ?? E8 [4] 48 89 05 [4] E? }
+ // 41 0F ?? ?? movsx edx, byte ptr [r9]
+ // 44 ?? ?? or r8d, edx
+ // 41 ?? ?? 03 rol r8d, 3
+ // 41 81 ?? ?? ?? ?? ?? xor r8d, 0EF112233h
+ // 41 ?? ?? mov eax, r10d
+ $byte_manipulation = { 41 0F [2] 44 [2] 41 [2] 03 41 81 [5] 41 }
+ // %public%
+ $stack_strings_1 = { 25 00 70 00 }
+ $stack_strings_2 = { 75 00 62 00 }
+ $stack_strings_3 = { 6C 00 69 00 }
+ $stack_strings_4 = { 63 00 25 00 }
+ condition:
+ // MZ signature at offset 0 and ...
+ uint16(0) == 0x5A4D and
+
+ // ... PE signature at offset stored in MZ header at 0x3C
+ uint32(uint32(0x3C)) == 0x00004550 and
+ filesize < 3000KB and #switch_control > 8 and all of ($stack_strings_*) and $byte_manipulation
+}
diff --git a/yara-Neo23x0/apt_cobaltstrike.yar b/yara-Neo23x0/apt_cobaltstrike.yar
new file mode 100644
index 0000000..7c04dd6
--- /dev/null
+++ b/yara-Neo23x0/apt_cobaltstrike.yar
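Review bot: `APT_CN_TwistedPanda_SPINNER_1`, `APT_CN_TwistedPanda_SPINNER_2` and `APT_CN_TwistedPanda_droppers` declare 4-byte hex patterns (`$c2_cmd_* = { 01 00 03 10 }`, `$stack_strings_* = { 25 00 70 00 }`) whose atoms are short and zero-heavy; YARA is likely to emit its "may slow down scanning" warning for them, and that cost is paid on every scanned file even though the condition later gates on `#config_init > 10` or `#switch_control > 8`. The detection logic is Check Point's and need not change, but the project should confirm that its scanner compiles with those warnings permitted (rather than treating warnings as errors) and that the added scan time on large file sets is acceptable. A one-line comment above the `$c2_cmd_*` and `$stack_strings_*` blocks, such as `// short atoms: accepted scan-time cost, keep gated by the count checks below`, would record that decision for the next maintainer.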
@@ -0,0 +1,122 @@
+/*
+ LICENSE
+ Copyright (C) 2015 JPCERT Coordination Center. All Rights Reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following acknowledgments and disclaimers.
+ 2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following acknowledgments and disclaimers
+ in the documentation and/or other materials provided with the distribution.
+ 3. Products derived from this software may not include "JPCERT Coordination
+ Center" in the name of such derived product, nor shall "JPCERT
+ Coordination Center" be used to endorse or promote products derived
+ from this software without prior written permission. For written
+ permission, please contact pr@jpcert.or.jp.
+
+ ACKNOWLEDGMENTS AND DISCLAIMERS
+ Copyright (C) 2015 JPCERT Coordination Center
+
+ This software is based upon work funded and supported by the Ministry of
+ Economy, Trade and Industry.
+
+ Any opinions, findings and conclusions or recommendations expressed in this
+ software are those of the author(s) and do not necessarily reflect the views
+ of the Ministry of Economy, Trade and Industry.
+
+ NO WARRANTY. THIS JPCERT COORDINATION CENTER SOFTWARE IS FURNISHED ON
+ AN "AS-IS" BASIS. JPCERT COORDINATION CENTER MAKES NO WARRANTIES OF
+ ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
+ NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY,
+ EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE SOFTWARE. JPCERT
+ COORDINATION CENTER DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH
+ RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
+
+ This software has been approved for public release and unlimited distribution.
+*/
+
+rule APT_CobaltStrike_Beacon_Indicator {
+ meta:
+ description = "Detects CobaltStrike beacons"
+ author = "JPCERT"
+ reference = "https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py"
+ date = "2018-11-09"
+ id = "8508c7a0-0131-59b1-b537-a6d1c6cb2b35"
+ strings:
+ $v1 = { 73 70 72 6E 67 00 }
+ $v2 = { 69 69 69 69 69 69 69 69 }
+ condition:
+ uint16(0) == 0x5a4d and filesize < 300KB and all of them
+}
+
+rule HKTL_CobaltStrike_Beacon_Strings {
+ meta:
+ author = "Elastic"
+ description = "Identifies strings used in Cobalt Strike Beacon DLL"
+ reference = "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures"
+ date = "2021-03-16"
+ id = "af558aa2-a3dc-5a7a-bc74-42bb2246091c"
+ strings:
+ $s1 = "%02d/%02d/%02d %02d:%02d:%02d"
+ $s2 = "Started service %s on %s"
+ $s3 = "%s as %s\\%s: %d"
+ condition:
+ 2 of them
+}
+
+rule HKTL_CobaltStrike_Beacon_XOR_Strings {
+ meta:
+ author = "Elastic"
+ description = "Identifies XOR'd strings used in Cobalt Strike Beacon DLL"
+ reference = "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures"
+ date = "2021-03-16"
+ /* Used for beacon config decoding in THOR */
+ xor_s1 = "%02d/%02d/%02d %02d:%02d:%02d"
+ xor_s2 = "Started service %s on %s"
+ xor_s3 = "%s as %s\\%s: %d"
+ id = "359160a8-cf1c-58a8-bf7f-c09a8d661308"
+ strings:
+ $s1 = "%02d/%02d/%02d %02d:%02d:%02d" xor(0x01-0xff)
+ $s2 = "Started service %s on %s" xor(0x01-0xff)
+ $s3 = "%s as %s\\%s: %d" xor(0x01-0xff)
+
+ $fp1 = "MalwareRemovalTool"
+ condition:
+ 2 of ($s*) and not 1 of ($fp*)
+}
+
+rule HKTL_CobaltStrike_Beacon_4_2_Decrypt {
+ meta:
+ author = "Elastic"
+ description = "Identifies deobfuscation routine used in Cobalt Strike Beacon DLL version 4.2"
+ reference = "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures"
+ date = "2021-03-16"
+ id = "63b71eef-0af5-5765-b957-ccdc9dde053b"
+ strings:
+ $a_x64 = {4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 
DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03}
+ $a_x86 = {8B 46 04 8B 08 8B 50 04 83 C0 08 89 55 08 89 45 0C 85 C9 75 04 85 D2 74 23 3B CA 73 E6 8B 06 8D 3C 08 33 D2}
+ condition:
+ any of them
+}
+
+rule HKTL_Win_CobaltStrike : Commodity {
+ meta:
+ author = "threatintel@volexity.com"
+ date = "2021-05-25"
+ description = "The CobaltStrike malware family."
+ hash = "b041efb8ba2a88a3d172f480efa098d72eef13e42af6aa5fb838e6ccab500a7c"
+ reference = "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/"
+ id = "113ba304-261f-5c59-bc56-57515c239b6d"
+ strings:
+ $s1 = "%s (admin)" fullword
+ $s2 = {48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6F 63 74 65 74 2D 73 74 72 65 61 6D 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 25 64 0D 0A 0D 0A 00}
+ $s3 = "%02d/%02d/%02d %02d:%02d:%02d" fullword
+ $s4 = "%s as %s\\%s: %d" fullword
+ $s5 = "%s&%s=%s" fullword
+ $s6 = "rijndael" fullword
+ $s7 = "(null)"
+ condition:
+ all of them
+}
diff --git a/yara-Neo23x0/apt_cobaltstrike_evasive.yar b/yara-Neo23x0/apt_cobaltstrike_evasive.yar
new file mode 100644
index 0000000..9eb2703
--- /dev/null
+++ b/yara-Neo23x0/apt_cobaltstrike_evasive.yar
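Review bot: `HKTL_CobaltStrike_Beacon_Strings` matches the same three format strings as `HKTL_CobaltStrike_Beacon_XOR_Strings` but has neither that rule's `$fp1 = "MalwareRemovalTool"` exclusion nor any header or size guard, so a file the XOR rule deliberately excludes via `not 1 of ($fp*)` is still flagged by the plaintext rule, and two generic printf patterns are enough to fire. If the exclusion is meant for the plaintext form as well, add `$fp1 = "MalwareRemovalTool"` under its `strings:` and change the condition to `2 of ($s*) and not 1 of ($fp*)`. Both Elastic rules cite a memory-signature write-up, so a comment such as `// memory-scanning signature; expect more noise than APT_CobaltStrike_Beacon_Indicator on disk scans` above each would tell operators why they lack the MZ and filesize guards the JPCERT rule uses.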
@@ -0,0 +1,320 @@
+rule CobaltStrike_C2_Host_Indicator {
+ meta:
+ description = "Detects CobaltStrike C2 host artifacts"
+ author = "yara@s3c.za.net"
+ date = "2019-08-16"
+ id = "7f15ee30-664e-59b8-9e31-35d88e58a45e"
+ strings:
+ $c2_indicator_fp = "#Host: %s"
+ $c2_indicator = "#Host:"
+ condition:
+ $c2_indicator and not $c2_indicator_fp
+ and not uint32(0) == 0x0a786564
+ and not uint32(0) == 0x0a796564
+}
+
+rule CobaltStrike_Sleep_Decoder_Indicator {
+ meta:
+ description = "Detects CobaltStrike sleep_mask decoder"
+ author = "yara@s3c.za.net"
+ date = "2021-07-19"
+ id = "d5b53d68-55f9-5837-9b0c-e7be2f3bd072"
+ strings:
+ $sleep_decoder = { 48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 4C 8B 51 08 41 8B F0 48 8B EA 48 8B D9 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 }
+ condition:
+ $sleep_decoder
+}
+
+rule CobaltStrike_C2_Encoded_XOR_Config_Indicator {
+ meta:
+ description = "Detects CobaltStrike C2 encoded profile configuration"
+ author = "yara@s3c.za.net"
+ date = "2021-07-08"
+ id = "8e33c63d-eaba-5851-88f4-ef7261a0a618"
+ strings:
+ $s000 = { 00 01 00 01 00 02 ?? ?? 00 02 00 01 00 02 ?? ?? 00 03 00 02 00 04 ?? ?? ?? ?? 00 04 00 02 00 04 ?? ?? ?? ?? 00 05 00 01 00 02 ?? ?? }
+ $s001 = { 01 00 01 00 01 03 ?? ?? 01 03 01 00 01 03 ?? ?? 01 02 01 03 01 05 ?? ?? ?? ?? 01 05 01 03 01 05 ?? ?? ?? ?? 01 04 01 00 01 03 ?? ?? }
+ $s002 = { 02 03 02 03 02 00 ?? ?? 02 00 02 03 02 00 ?? ?? 02 01 02 00 02 06 ?? ?? ?? ?? 02 06 02 00 02 06 ?? ?? ?? ?? 02 07 02 03 02 00 ?? ?? }
+ $s003 = { 03 02 03 02 03 01 ?? ?? 03 01 03 02 03 01 ?? ?? 03 00 03 01 03 07 ?? ?? ?? ?? 03 07 03 01 03 07 ?? ?? ?? ?? 03 06 03 02 03 01 ?? ?? }
+ $s004 = { 04 05 04 05 04 06 ?? ?? 04 06 04 05 04 06 ?? ?? 04 07 04 06 04 00 ?? ?? ?? ?? 04 00 04 06 04 00 ?? ?? ?? ?? 04 01 04 05 04 06 ?? ?? }
+ $s005 = { 05 04 05 04 05 07 ?? ?? 05 07 05 04 05 07 ?? ?? 05 06 05 07 05 01 ?? ?? ?? ?? 05 01 05 07 05 01 ?? ?? ?? ?? 05 00 05 04 05 07 ?? ?? }
+ $s006 = { 06 07 06 07 06 04 ?? ?? 
06 04 06 07 06 04 ?? ?? 06 05 06 04 06 02 ?? ?? ?? ?? 06 02 06 04 06 02 ?? ?? ?? ?? 06 03 06 07 06 04 ?? ?? } + $s007 = { 07 06 07 06 07 05 ?? ?? 07 05 07 06 07 05 ?? ?? 07 04 07 05 07 03 ?? ?? ?? ?? 07 03 07 05 07 03 ?? ?? ?? ?? 07 02 07 06 07 05 ?? ?? } + $s008 = { 08 09 08 09 08 0A ?? ?? 08 0A 08 09 08 0A ?? ?? 08 0B 08 0A 08 0C ?? ?? ?? ?? 08 0C 08 0A 08 0C ?? ?? ?? ?? 08 0D 08 09 08 0A ?? ?? } + $s009 = { 09 08 09 08 09 0B ?? ?? 09 0B 09 08 09 0B ?? ?? 09 0A 09 0B 09 0D ?? ?? ?? ?? 09 0D 09 0B 09 0D ?? ?? ?? ?? 09 0C 09 08 09 0B ?? ?? } + $s010 = { 0A 0B 0A 0B 0A 08 ?? ?? 0A 08 0A 0B 0A 08 ?? ?? 0A 09 0A 08 0A 0E ?? ?? ?? ?? 0A 0E 0A 08 0A 0E ?? ?? ?? ?? 0A 0F 0A 0B 0A 08 ?? ?? } + $s011 = { 0B 0A 0B 0A 0B 09 ?? ?? 0B 09 0B 0A 0B 09 ?? ?? 0B 08 0B 09 0B 0F ?? ?? ?? ?? 0B 0F 0B 09 0B 0F ?? ?? ?? ?? 0B 0E 0B 0A 0B 09 ?? ?? } + $s012 = { 0C 0D 0C 0D 0C 0E ?? ?? 0C 0E 0C 0D 0C 0E ?? ?? 0C 0F 0C 0E 0C 08 ?? ?? ?? ?? 0C 08 0C 0E 0C 08 ?? ?? ?? ?? 0C 09 0C 0D 0C 0E ?? ?? } + $s013 = { 0D 0C 0D 0C 0D 0F ?? ?? 0D 0F 0D 0C 0D 0F ?? ?? 0D 0E 0D 0F 0D 09 ?? ?? ?? ?? 0D 09 0D 0F 0D 09 ?? ?? ?? ?? 0D 08 0D 0C 0D 0F ?? ?? } + $s014 = { 0E 0F 0E 0F 0E 0C ?? ?? 0E 0C 0E 0F 0E 0C ?? ?? 0E 0D 0E 0C 0E 0A ?? ?? ?? ?? 0E 0A 0E 0C 0E 0A ?? ?? ?? ?? 0E 0B 0E 0F 0E 0C ?? ?? } + $s015 = { 0F 0E 0F 0E 0F 0D ?? ?? 0F 0D 0F 0E 0F 0D ?? ?? 0F 0C 0F 0D 0F 0B ?? ?? ?? ?? 0F 0B 0F 0D 0F 0B ?? ?? ?? ?? 0F 0A 0F 0E 0F 0D ?? ?? } + $s016 = { 10 11 10 11 10 12 ?? ?? 10 12 10 11 10 12 ?? ?? 10 13 10 12 10 14 ?? ?? ?? ?? 10 14 10 12 10 14 ?? ?? ?? ?? 10 15 10 11 10 12 ?? ?? } + $s017 = { 11 10 11 10 11 13 ?? ?? 11 13 11 10 11 13 ?? ?? 11 12 11 13 11 15 ?? ?? ?? ?? 11 15 11 13 11 15 ?? ?? ?? ?? 11 14 11 10 11 13 ?? ?? } + $s018 = { 12 13 12 13 12 10 ?? ?? 12 10 12 13 12 10 ?? ?? 12 11 12 10 12 16 ?? ?? ?? ?? 12 16 12 10 12 16 ?? ?? ?? ?? 12 17 12 13 12 10 ?? ?? } + $s019 = { 13 12 13 12 13 11 ?? ?? 13 11 13 12 13 11 ?? ?? 13 10 13 11 13 17 ?? ?? ?? ?? 13 17 13 11 13 17 ?? ?? ?? ?? 
13 16 13 12 13 11 ?? ?? } + $s020 = { 14 15 14 15 14 16 ?? ?? 14 16 14 15 14 16 ?? ?? 14 17 14 16 14 10 ?? ?? ?? ?? 14 10 14 16 14 10 ?? ?? ?? ?? 14 11 14 15 14 16 ?? ?? } + $s021 = { 15 14 15 14 15 17 ?? ?? 15 17 15 14 15 17 ?? ?? 15 16 15 17 15 11 ?? ?? ?? ?? 15 11 15 17 15 11 ?? ?? ?? ?? 15 10 15 14 15 17 ?? ?? } + $s022 = { 16 17 16 17 16 14 ?? ?? 16 14 16 17 16 14 ?? ?? 16 15 16 14 16 12 ?? ?? ?? ?? 16 12 16 14 16 12 ?? ?? ?? ?? 16 13 16 17 16 14 ?? ?? } + $s023 = { 17 16 17 16 17 15 ?? ?? 17 15 17 16 17 15 ?? ?? 17 14 17 15 17 13 ?? ?? ?? ?? 17 13 17 15 17 13 ?? ?? ?? ?? 17 12 17 16 17 15 ?? ?? } + $s024 = { 18 19 18 19 18 1A ?? ?? 18 1A 18 19 18 1A ?? ?? 18 1B 18 1A 18 1C ?? ?? ?? ?? 18 1C 18 1A 18 1C ?? ?? ?? ?? 18 1D 18 19 18 1A ?? ?? } + $s025 = { 19 18 19 18 19 1B ?? ?? 19 1B 19 18 19 1B ?? ?? 19 1A 19 1B 19 1D ?? ?? ?? ?? 19 1D 19 1B 19 1D ?? ?? ?? ?? 19 1C 19 18 19 1B ?? ?? } + $s026 = { 1A 1B 1A 1B 1A 18 ?? ?? 1A 18 1A 1B 1A 18 ?? ?? 1A 19 1A 18 1A 1E ?? ?? ?? ?? 1A 1E 1A 18 1A 1E ?? ?? ?? ?? 1A 1F 1A 1B 1A 18 ?? ?? } + $s027 = { 1B 1A 1B 1A 1B 19 ?? ?? 1B 19 1B 1A 1B 19 ?? ?? 1B 18 1B 19 1B 1F ?? ?? ?? ?? 1B 1F 1B 19 1B 1F ?? ?? ?? ?? 1B 1E 1B 1A 1B 19 ?? ?? } + $s028 = { 1C 1D 1C 1D 1C 1E ?? ?? 1C 1E 1C 1D 1C 1E ?? ?? 1C 1F 1C 1E 1C 18 ?? ?? ?? ?? 1C 18 1C 1E 1C 18 ?? ?? ?? ?? 1C 19 1C 1D 1C 1E ?? ?? } + $s029 = { 1D 1C 1D 1C 1D 1F ?? ?? 1D 1F 1D 1C 1D 1F ?? ?? 1D 1E 1D 1F 1D 19 ?? ?? ?? ?? 1D 19 1D 1F 1D 19 ?? ?? ?? ?? 1D 18 1D 1C 1D 1F ?? ?? } + $s030 = { 1E 1F 1E 1F 1E 1C ?? ?? 1E 1C 1E 1F 1E 1C ?? ?? 1E 1D 1E 1C 1E 1A ?? ?? ?? ?? 1E 1A 1E 1C 1E 1A ?? ?? ?? ?? 1E 1B 1E 1F 1E 1C ?? ?? } + $s031 = { 1F 1E 1F 1E 1F 1D ?? ?? 1F 1D 1F 1E 1F 1D ?? ?? 1F 1C 1F 1D 1F 1B ?? ?? ?? ?? 1F 1B 1F 1D 1F 1B ?? ?? ?? ?? 1F 1A 1F 1E 1F 1D ?? ?? } + $s032 = { 20 21 20 21 20 22 ?? ?? 20 22 20 21 20 22 ?? ?? 20 23 20 22 20 24 ?? ?? ?? ?? 20 24 20 22 20 24 ?? ?? ?? ?? 20 25 20 21 20 22 ?? ?? } + $s033 = { 21 20 21 20 21 23 ?? ?? 21 23 21 20 21 23 ?? ?? 
21 22 21 23 21 25 ?? ?? ?? ?? 21 25 21 23 21 25 ?? ?? ?? ?? 21 24 21 20 21 23 ?? ?? } + $s034 = { 22 23 22 23 22 20 ?? ?? 22 20 22 23 22 20 ?? ?? 22 21 22 20 22 26 ?? ?? ?? ?? 22 26 22 20 22 26 ?? ?? ?? ?? 22 27 22 23 22 20 ?? ?? } + $s035 = { 23 22 23 22 23 21 ?? ?? 23 21 23 22 23 21 ?? ?? 23 20 23 21 23 27 ?? ?? ?? ?? 23 27 23 21 23 27 ?? ?? ?? ?? 23 26 23 22 23 21 ?? ?? } + $s036 = { 24 25 24 25 24 26 ?? ?? 24 26 24 25 24 26 ?? ?? 24 27 24 26 24 20 ?? ?? ?? ?? 24 20 24 26 24 20 ?? ?? ?? ?? 24 21 24 25 24 26 ?? ?? } + $s037 = { 25 24 25 24 25 27 ?? ?? 25 27 25 24 25 27 ?? ?? 25 26 25 27 25 21 ?? ?? ?? ?? 25 21 25 27 25 21 ?? ?? ?? ?? 25 20 25 24 25 27 ?? ?? } + $s038 = { 26 27 26 27 26 24 ?? ?? 26 24 26 27 26 24 ?? ?? 26 25 26 24 26 22 ?? ?? ?? ?? 26 22 26 24 26 22 ?? ?? ?? ?? 26 23 26 27 26 24 ?? ?? } + $s039 = { 27 26 27 26 27 25 ?? ?? 27 25 27 26 27 25 ?? ?? 27 24 27 25 27 23 ?? ?? ?? ?? 27 23 27 25 27 23 ?? ?? ?? ?? 27 22 27 26 27 25 ?? ?? } + $s040 = { 28 29 28 29 28 2A ?? ?? 28 2A 28 29 28 2A ?? ?? 28 2B 28 2A 28 2C ?? ?? ?? ?? 28 2C 28 2A 28 2C ?? ?? ?? ?? 28 2D 28 29 28 2A ?? ?? } + $s041 = { 29 28 29 28 29 2B ?? ?? 29 2B 29 28 29 2B ?? ?? 29 2A 29 2B 29 2D ?? ?? ?? ?? 29 2D 29 2B 29 2D ?? ?? ?? ?? 29 2C 29 28 29 2B ?? ?? } + $s042 = { 2A 2B 2A 2B 2A 28 ?? ?? 2A 28 2A 2B 2A 28 ?? ?? 2A 29 2A 28 2A 2E ?? ?? ?? ?? 2A 2E 2A 28 2A 2E ?? ?? ?? ?? 2A 2F 2A 2B 2A 28 ?? ?? } + $s043 = { 2B 2A 2B 2A 2B 29 ?? ?? 2B 29 2B 2A 2B 29 ?? ?? 2B 28 2B 29 2B 2F ?? ?? ?? ?? 2B 2F 2B 29 2B 2F ?? ?? ?? ?? 2B 2E 2B 2A 2B 29 ?? ?? } + $s044 = { 2C 2D 2C 2D 2C 2E ?? ?? 2C 2E 2C 2D 2C 2E ?? ?? 2C 2F 2C 2E 2C 28 ?? ?? ?? ?? 2C 28 2C 2E 2C 28 ?? ?? ?? ?? 2C 29 2C 2D 2C 2E ?? ?? } + $s045 = { 2D 2C 2D 2C 2D 2F ?? ?? 2D 2F 2D 2C 2D 2F ?? ?? 2D 2E 2D 2F 2D 29 ?? ?? ?? ?? 2D 29 2D 2F 2D 29 ?? ?? ?? ?? 2D 28 2D 2C 2D 2F ?? ?? } + $s046 = { 2E 2F 2E 2F 2E 2C ?? ?? 2E 2C 2E 2F 2E 2C ?? ?? 2E 2D 2E 2C 2E 2A ?? ?? ?? ?? 2E 2A 2E 2C 2E 2A ?? ?? ?? ?? 2E 2B 2E 2F 2E 2C ?? ?? 
} + $s047 = { 2F 2E 2F 2E 2F 2D ?? ?? 2F 2D 2F 2E 2F 2D ?? ?? 2F 2C 2F 2D 2F 2B ?? ?? ?? ?? 2F 2B 2F 2D 2F 2B ?? ?? ?? ?? 2F 2A 2F 2E 2F 2D ?? ?? } + $s048 = { 30 31 30 31 30 32 ?? ?? 30 32 30 31 30 32 ?? ?? 30 33 30 32 30 34 ?? ?? ?? ?? 30 34 30 32 30 34 ?? ?? ?? ?? 30 35 30 31 30 32 ?? ?? } + $s049 = { 31 30 31 30 31 33 ?? ?? 31 33 31 30 31 33 ?? ?? 31 32 31 33 31 35 ?? ?? ?? ?? 31 35 31 33 31 35 ?? ?? ?? ?? 31 34 31 30 31 33 ?? ?? } + $s050 = { 32 33 32 33 32 30 ?? ?? 32 30 32 33 32 30 ?? ?? 32 31 32 30 32 36 ?? ?? ?? ?? 32 36 32 30 32 36 ?? ?? ?? ?? 32 37 32 33 32 30 ?? ?? } + $s051 = { 33 32 33 32 33 31 ?? ?? 33 31 33 32 33 31 ?? ?? 33 30 33 31 33 37 ?? ?? ?? ?? 33 37 33 31 33 37 ?? ?? ?? ?? 33 36 33 32 33 31 ?? ?? } + $s052 = { 34 35 34 35 34 36 ?? ?? 34 36 34 35 34 36 ?? ?? 34 37 34 36 34 30 ?? ?? ?? ?? 34 30 34 36 34 30 ?? ?? ?? ?? 34 31 34 35 34 36 ?? ?? } + $s053 = { 35 34 35 34 35 37 ?? ?? 35 37 35 34 35 37 ?? ?? 35 36 35 37 35 31 ?? ?? ?? ?? 35 31 35 37 35 31 ?? ?? ?? ?? 35 30 35 34 35 37 ?? ?? } + $s054 = { 36 37 36 37 36 34 ?? ?? 36 34 36 37 36 34 ?? ?? 36 35 36 34 36 32 ?? ?? ?? ?? 36 32 36 34 36 32 ?? ?? ?? ?? 36 33 36 37 36 34 ?? ?? } + $s055 = { 37 36 37 36 37 35 ?? ?? 37 35 37 36 37 35 ?? ?? 37 34 37 35 37 33 ?? ?? ?? ?? 37 33 37 35 37 33 ?? ?? ?? ?? 37 32 37 36 37 35 ?? ?? } + $s056 = { 38 39 38 39 38 3A ?? ?? 38 3A 38 39 38 3A ?? ?? 38 3B 38 3A 38 3C ?? ?? ?? ?? 38 3C 38 3A 38 3C ?? ?? ?? ?? 38 3D 38 39 38 3A ?? ?? } + $s057 = { 39 38 39 38 39 3B ?? ?? 39 3B 39 38 39 3B ?? ?? 39 3A 39 3B 39 3D ?? ?? ?? ?? 39 3D 39 3B 39 3D ?? ?? ?? ?? 39 3C 39 38 39 3B ?? ?? } + $s058 = { 3A 3B 3A 3B 3A 38 ?? ?? 3A 38 3A 3B 3A 38 ?? ?? 3A 39 3A 38 3A 3E ?? ?? ?? ?? 3A 3E 3A 38 3A 3E ?? ?? ?? ?? 3A 3F 3A 3B 3A 38 ?? ?? } + $s059 = { 3B 3A 3B 3A 3B 39 ?? ?? 3B 39 3B 3A 3B 39 ?? ?? 3B 38 3B 39 3B 3F ?? ?? ?? ?? 3B 3F 3B 39 3B 3F ?? ?? ?? ?? 3B 3E 3B 3A 3B 39 ?? ?? } + $s060 = { 3C 3D 3C 3D 3C 3E ?? ?? 3C 3E 3C 3D 3C 3E ?? ?? 3C 3F 3C 3E 3C 38 ?? ?? ?? ?? 
3C 38 3C 3E 3C 38 ?? ?? ?? ?? 3C 39 3C 3D 3C 3E ?? ?? } + $s061 = { 3D 3C 3D 3C 3D 3F ?? ?? 3D 3F 3D 3C 3D 3F ?? ?? 3D 3E 3D 3F 3D 39 ?? ?? ?? ?? 3D 39 3D 3F 3D 39 ?? ?? ?? ?? 3D 38 3D 3C 3D 3F ?? ?? } + $s062 = { 3E 3F 3E 3F 3E 3C ?? ?? 3E 3C 3E 3F 3E 3C ?? ?? 3E 3D 3E 3C 3E 3A ?? ?? ?? ?? 3E 3A 3E 3C 3E 3A ?? ?? ?? ?? 3E 3B 3E 3F 3E 3C ?? ?? } + $s063 = { 3F 3E 3F 3E 3F 3D ?? ?? 3F 3D 3F 3E 3F 3D ?? ?? 3F 3C 3F 3D 3F 3B ?? ?? ?? ?? 3F 3B 3F 3D 3F 3B ?? ?? ?? ?? 3F 3A 3F 3E 3F 3D ?? ?? } + $s064 = { 40 41 40 41 40 42 ?? ?? 40 42 40 41 40 42 ?? ?? 40 43 40 42 40 44 ?? ?? ?? ?? 40 44 40 42 40 44 ?? ?? ?? ?? 40 45 40 41 40 42 ?? ?? } + $s065 = { 41 40 41 40 41 43 ?? ?? 41 43 41 40 41 43 ?? ?? 41 42 41 43 41 45 ?? ?? ?? ?? 41 45 41 43 41 45 ?? ?? ?? ?? 41 44 41 40 41 43 ?? ?? } + $s066 = { 42 43 42 43 42 40 ?? ?? 42 40 42 43 42 40 ?? ?? 42 41 42 40 42 46 ?? ?? ?? ?? 42 46 42 40 42 46 ?? ?? ?? ?? 42 47 42 43 42 40 ?? ?? } + $s067 = { 43 42 43 42 43 41 ?? ?? 43 41 43 42 43 41 ?? ?? 43 40 43 41 43 47 ?? ?? ?? ?? 43 47 43 41 43 47 ?? ?? ?? ?? 43 46 43 42 43 41 ?? ?? } + $s068 = { 44 45 44 45 44 46 ?? ?? 44 46 44 45 44 46 ?? ?? 44 47 44 46 44 40 ?? ?? ?? ?? 44 40 44 46 44 40 ?? ?? ?? ?? 44 41 44 45 44 46 ?? ?? } + $s069 = { 45 44 45 44 45 47 ?? ?? 45 47 45 44 45 47 ?? ?? 45 46 45 47 45 41 ?? ?? ?? ?? 45 41 45 47 45 41 ?? ?? ?? ?? 45 40 45 44 45 47 ?? ?? } + $s070 = { 46 47 46 47 46 44 ?? ?? 46 44 46 47 46 44 ?? ?? 46 45 46 44 46 42 ?? ?? ?? ?? 46 42 46 44 46 42 ?? ?? ?? ?? 46 43 46 47 46 44 ?? ?? } + $s071 = { 47 46 47 46 47 45 ?? ?? 47 45 47 46 47 45 ?? ?? 47 44 47 45 47 43 ?? ?? ?? ?? 47 43 47 45 47 43 ?? ?? ?? ?? 47 42 47 46 47 45 ?? ?? } + $s072 = { 48 49 48 49 48 4A ?? ?? 48 4A 48 49 48 4A ?? ?? 48 4B 48 4A 48 4C ?? ?? ?? ?? 48 4C 48 4A 48 4C ?? ?? ?? ?? 48 4D 48 49 48 4A ?? ?? } + $s073 = { 49 48 49 48 49 4B ?? ?? 49 4B 49 48 49 4B ?? ?? 49 4A 49 4B 49 4D ?? ?? ?? ?? 49 4D 49 4B 49 4D ?? ?? ?? ?? 49 4C 49 48 49 4B ?? ?? } + $s074 = { 4A 4B 4A 4B 4A 48 ?? ?? 
4A 48 4A 4B 4A 48 ?? ?? 4A 49 4A 48 4A 4E ?? ?? ?? ?? 4A 4E 4A 48 4A 4E ?? ?? ?? ?? 4A 4F 4A 4B 4A 48 ?? ?? } + $s075 = { 4B 4A 4B 4A 4B 49 ?? ?? 4B 49 4B 4A 4B 49 ?? ?? 4B 48 4B 49 4B 4F ?? ?? ?? ?? 4B 4F 4B 49 4B 4F ?? ?? ?? ?? 4B 4E 4B 4A 4B 49 ?? ?? } + $s076 = { 4C 4D 4C 4D 4C 4E ?? ?? 4C 4E 4C 4D 4C 4E ?? ?? 4C 4F 4C 4E 4C 48 ?? ?? ?? ?? 4C 48 4C 4E 4C 48 ?? ?? ?? ?? 4C 49 4C 4D 4C 4E ?? ?? } + $s077 = { 4D 4C 4D 4C 4D 4F ?? ?? 4D 4F 4D 4C 4D 4F ?? ?? 4D 4E 4D 4F 4D 49 ?? ?? ?? ?? 4D 49 4D 4F 4D 49 ?? ?? ?? ?? 4D 48 4D 4C 4D 4F ?? ?? } + $s078 = { 4E 4F 4E 4F 4E 4C ?? ?? 4E 4C 4E 4F 4E 4C ?? ?? 4E 4D 4E 4C 4E 4A ?? ?? ?? ?? 4E 4A 4E 4C 4E 4A ?? ?? ?? ?? 4E 4B 4E 4F 4E 4C ?? ?? } + $s079 = { 4F 4E 4F 4E 4F 4D ?? ?? 4F 4D 4F 4E 4F 4D ?? ?? 4F 4C 4F 4D 4F 4B ?? ?? ?? ?? 4F 4B 4F 4D 4F 4B ?? ?? ?? ?? 4F 4A 4F 4E 4F 4D ?? ?? } + $s080 = { 50 51 50 51 50 52 ?? ?? 50 52 50 51 50 52 ?? ?? 50 53 50 52 50 54 ?? ?? ?? ?? 50 54 50 52 50 54 ?? ?? ?? ?? 50 55 50 51 50 52 ?? ?? } + $s081 = { 51 50 51 50 51 53 ?? ?? 51 53 51 50 51 53 ?? ?? 51 52 51 53 51 55 ?? ?? ?? ?? 51 55 51 53 51 55 ?? ?? ?? ?? 51 54 51 50 51 53 ?? ?? } + $s082 = { 52 53 52 53 52 50 ?? ?? 52 50 52 53 52 50 ?? ?? 52 51 52 50 52 56 ?? ?? ?? ?? 52 56 52 50 52 56 ?? ?? ?? ?? 52 57 52 53 52 50 ?? ?? } + $s083 = { 53 52 53 52 53 51 ?? ?? 53 51 53 52 53 51 ?? ?? 53 50 53 51 53 57 ?? ?? ?? ?? 53 57 53 51 53 57 ?? ?? ?? ?? 53 56 53 52 53 51 ?? ?? } + $s084 = { 54 55 54 55 54 56 ?? ?? 54 56 54 55 54 56 ?? ?? 54 57 54 56 54 50 ?? ?? ?? ?? 54 50 54 56 54 50 ?? ?? ?? ?? 54 51 54 55 54 56 ?? ?? } + $s085 = { 55 54 55 54 55 57 ?? ?? 55 57 55 54 55 57 ?? ?? 55 56 55 57 55 51 ?? ?? ?? ?? 55 51 55 57 55 51 ?? ?? ?? ?? 55 50 55 54 55 57 ?? ?? } + $s086 = { 56 57 56 57 56 54 ?? ?? 56 54 56 57 56 54 ?? ?? 56 55 56 54 56 52 ?? ?? ?? ?? 56 52 56 54 56 52 ?? ?? ?? ?? 56 53 56 57 56 54 ?? ?? } + $s087 = { 57 56 57 56 57 55 ?? ?? 57 55 57 56 57 55 ?? ?? 57 54 57 55 57 53 ?? ?? ?? ?? 57 53 57 55 57 53 ?? ?? ?? ?? 
57 52 57 56 57 55 ?? ?? } + $s088 = { 58 59 58 59 58 5A ?? ?? 58 5A 58 59 58 5A ?? ?? 58 5B 58 5A 58 5C ?? ?? ?? ?? 58 5C 58 5A 58 5C ?? ?? ?? ?? 58 5D 58 59 58 5A ?? ?? } + $s089 = { 59 58 59 58 59 5B ?? ?? 59 5B 59 58 59 5B ?? ?? 59 5A 59 5B 59 5D ?? ?? ?? ?? 59 5D 59 5B 59 5D ?? ?? ?? ?? 59 5C 59 58 59 5B ?? ?? } + $s090 = { 5A 5B 5A 5B 5A 58 ?? ?? 5A 58 5A 5B 5A 58 ?? ?? 5A 59 5A 58 5A 5E ?? ?? ?? ?? 5A 5E 5A 58 5A 5E ?? ?? ?? ?? 5A 5F 5A 5B 5A 58 ?? ?? } + $s091 = { 5B 5A 5B 5A 5B 59 ?? ?? 5B 59 5B 5A 5B 59 ?? ?? 5B 58 5B 59 5B 5F ?? ?? ?? ?? 5B 5F 5B 59 5B 5F ?? ?? ?? ?? 5B 5E 5B 5A 5B 59 ?? ?? } + $s092 = { 5C 5D 5C 5D 5C 5E ?? ?? 5C 5E 5C 5D 5C 5E ?? ?? 5C 5F 5C 5E 5C 58 ?? ?? ?? ?? 5C 58 5C 5E 5C 58 ?? ?? ?? ?? 5C 59 5C 5D 5C 5E ?? ?? } + $s093 = { 5D 5C 5D 5C 5D 5F ?? ?? 5D 5F 5D 5C 5D 5F ?? ?? 5D 5E 5D 5F 5D 59 ?? ?? ?? ?? 5D 59 5D 5F 5D 59 ?? ?? ?? ?? 5D 58 5D 5C 5D 5F ?? ?? } + $s094 = { 5E 5F 5E 5F 5E 5C ?? ?? 5E 5C 5E 5F 5E 5C ?? ?? 5E 5D 5E 5C 5E 5A ?? ?? ?? ?? 5E 5A 5E 5C 5E 5A ?? ?? ?? ?? 5E 5B 5E 5F 5E 5C ?? ?? } + $s095 = { 5F 5E 5F 5E 5F 5D ?? ?? 5F 5D 5F 5E 5F 5D ?? ?? 5F 5C 5F 5D 5F 5B ?? ?? ?? ?? 5F 5B 5F 5D 5F 5B ?? ?? ?? ?? 5F 5A 5F 5E 5F 5D ?? ?? } + $s096 = { 60 61 60 61 60 62 ?? ?? 60 62 60 61 60 62 ?? ?? 60 63 60 62 60 64 ?? ?? ?? ?? 60 64 60 62 60 64 ?? ?? ?? ?? 60 65 60 61 60 62 ?? ?? } + $s097 = { 61 60 61 60 61 63 ?? ?? 61 63 61 60 61 63 ?? ?? 61 62 61 63 61 65 ?? ?? ?? ?? 61 65 61 63 61 65 ?? ?? ?? ?? 61 64 61 60 61 63 ?? ?? } + $s098 = { 62 63 62 63 62 60 ?? ?? 62 60 62 63 62 60 ?? ?? 62 61 62 60 62 66 ?? ?? ?? ?? 62 66 62 60 62 66 ?? ?? ?? ?? 62 67 62 63 62 60 ?? ?? } + $s099 = { 63 62 63 62 63 61 ?? ?? 63 61 63 62 63 61 ?? ?? 63 60 63 61 63 67 ?? ?? ?? ?? 63 67 63 61 63 67 ?? ?? ?? ?? 63 66 63 62 63 61 ?? ?? } + $s100 = { 64 65 64 65 64 66 ?? ?? 64 66 64 65 64 66 ?? ?? 64 67 64 66 64 60 ?? ?? ?? ?? 64 60 64 66 64 60 ?? ?? ?? ?? 64 61 64 65 64 66 ?? ?? } + $s101 = { 65 64 65 64 65 67 ?? ?? 65 67 65 64 65 67 ?? ?? 
65 66 65 67 65 61 ?? ?? ?? ?? 65 61 65 67 65 61 ?? ?? ?? ?? 65 60 65 64 65 67 ?? ?? } + $s102 = { 66 67 66 67 66 64 ?? ?? 66 64 66 67 66 64 ?? ?? 66 65 66 64 66 62 ?? ?? ?? ?? 66 62 66 64 66 62 ?? ?? ?? ?? 66 63 66 67 66 64 ?? ?? } + $s103 = { 67 66 67 66 67 65 ?? ?? 67 65 67 66 67 65 ?? ?? 67 64 67 65 67 63 ?? ?? ?? ?? 67 63 67 65 67 63 ?? ?? ?? ?? 67 62 67 66 67 65 ?? ?? } + $s104 = { 68 69 68 69 68 6A ?? ?? 68 6A 68 69 68 6A ?? ?? 68 6B 68 6A 68 6C ?? ?? ?? ?? 68 6C 68 6A 68 6C ?? ?? ?? ?? 68 6D 68 69 68 6A ?? ?? } + $s105 = { 69 68 69 68 69 6B ?? ?? 69 6B 69 68 69 6B ?? ?? 69 6A 69 6B 69 6D ?? ?? ?? ?? 69 6D 69 6B 69 6D ?? ?? ?? ?? 69 6C 69 68 69 6B ?? ?? } + $s106 = { 6A 6B 6A 6B 6A 68 ?? ?? 6A 68 6A 6B 6A 68 ?? ?? 6A 69 6A 68 6A 6E ?? ?? ?? ?? 6A 6E 6A 68 6A 6E ?? ?? ?? ?? 6A 6F 6A 6B 6A 68 ?? ?? } + $s107 = { 6B 6A 6B 6A 6B 69 ?? ?? 6B 69 6B 6A 6B 69 ?? ?? 6B 68 6B 69 6B 6F ?? ?? ?? ?? 6B 6F 6B 69 6B 6F ?? ?? ?? ?? 6B 6E 6B 6A 6B 69 ?? ?? } + $s108 = { 6C 6D 6C 6D 6C 6E ?? ?? 6C 6E 6C 6D 6C 6E ?? ?? 6C 6F 6C 6E 6C 68 ?? ?? ?? ?? 6C 68 6C 6E 6C 68 ?? ?? ?? ?? 6C 69 6C 6D 6C 6E ?? ?? } + $s109 = { 6D 6C 6D 6C 6D 6F ?? ?? 6D 6F 6D 6C 6D 6F ?? ?? 6D 6E 6D 6F 6D 69 ?? ?? ?? ?? 6D 69 6D 6F 6D 69 ?? ?? ?? ?? 6D 68 6D 6C 6D 6F ?? ?? } + $s110 = { 6E 6F 6E 6F 6E 6C ?? ?? 6E 6C 6E 6F 6E 6C ?? ?? 6E 6D 6E 6C 6E 6A ?? ?? ?? ?? 6E 6A 6E 6C 6E 6A ?? ?? ?? ?? 6E 6B 6E 6F 6E 6C ?? ?? } + $s111 = { 6F 6E 6F 6E 6F 6D ?? ?? 6F 6D 6F 6E 6F 6D ?? ?? 6F 6C 6F 6D 6F 6B ?? ?? ?? ?? 6F 6B 6F 6D 6F 6B ?? ?? ?? ?? 6F 6A 6F 6E 6F 6D ?? ?? } + $s112 = { 70 71 70 71 70 72 ?? ?? 70 72 70 71 70 72 ?? ?? 70 73 70 72 70 74 ?? ?? ?? ?? 70 74 70 72 70 74 ?? ?? ?? ?? 70 75 70 71 70 72 ?? ?? } + $s113 = { 71 70 71 70 71 73 ?? ?? 71 73 71 70 71 73 ?? ?? 71 72 71 73 71 75 ?? ?? ?? ?? 71 75 71 73 71 75 ?? ?? ?? ?? 71 74 71 70 71 73 ?? ?? } + $s114 = { 72 73 72 73 72 70 ?? ?? 72 70 72 73 72 70 ?? ?? 72 71 72 70 72 76 ?? ?? ?? ?? 72 76 72 70 72 76 ?? ?? ?? ?? 72 77 72 73 72 70 ?? ?? 
} + $s115 = { 73 72 73 72 73 71 ?? ?? 73 71 73 72 73 71 ?? ?? 73 70 73 71 73 77 ?? ?? ?? ?? 73 77 73 71 73 77 ?? ?? ?? ?? 73 76 73 72 73 71 ?? ?? } + $s116 = { 74 75 74 75 74 76 ?? ?? 74 76 74 75 74 76 ?? ?? 74 77 74 76 74 70 ?? ?? ?? ?? 74 70 74 76 74 70 ?? ?? ?? ?? 74 71 74 75 74 76 ?? ?? } + $s117 = { 75 74 75 74 75 77 ?? ?? 75 77 75 74 75 77 ?? ?? 75 76 75 77 75 71 ?? ?? ?? ?? 75 71 75 77 75 71 ?? ?? ?? ?? 75 70 75 74 75 77 ?? ?? } + $s118 = { 76 77 76 77 76 74 ?? ?? 76 74 76 77 76 74 ?? ?? 76 75 76 74 76 72 ?? ?? ?? ?? 76 72 76 74 76 72 ?? ?? ?? ?? 76 73 76 77 76 74 ?? ?? } + $s119 = { 77 76 77 76 77 75 ?? ?? 77 75 77 76 77 75 ?? ?? 77 74 77 75 77 73 ?? ?? ?? ?? 77 73 77 75 77 73 ?? ?? ?? ?? 77 72 77 76 77 75 ?? ?? } + $s120 = { 78 79 78 79 78 7A ?? ?? 78 7A 78 79 78 7A ?? ?? 78 7B 78 7A 78 7C ?? ?? ?? ?? 78 7C 78 7A 78 7C ?? ?? ?? ?? 78 7D 78 79 78 7A ?? ?? } + $s121 = { 79 78 79 78 79 7B ?? ?? 79 7B 79 78 79 7B ?? ?? 79 7A 79 7B 79 7D ?? ?? ?? ?? 79 7D 79 7B 79 7D ?? ?? ?? ?? 79 7C 79 78 79 7B ?? ?? } + $s122 = { 7A 7B 7A 7B 7A 78 ?? ?? 7A 78 7A 7B 7A 78 ?? ?? 7A 79 7A 78 7A 7E ?? ?? ?? ?? 7A 7E 7A 78 7A 7E ?? ?? ?? ?? 7A 7F 7A 7B 7A 78 ?? ?? } + $s123 = { 7B 7A 7B 7A 7B 79 ?? ?? 7B 79 7B 7A 7B 79 ?? ?? 7B 78 7B 79 7B 7F ?? ?? ?? ?? 7B 7F 7B 79 7B 7F ?? ?? ?? ?? 7B 7E 7B 7A 7B 79 ?? ?? } + $s124 = { 7C 7D 7C 7D 7C 7E ?? ?? 7C 7E 7C 7D 7C 7E ?? ?? 7C 7F 7C 7E 7C 78 ?? ?? ?? ?? 7C 78 7C 7E 7C 78 ?? ?? ?? ?? 7C 79 7C 7D 7C 7E ?? ?? } + $s125 = { 7D 7C 7D 7C 7D 7F ?? ?? 7D 7F 7D 7C 7D 7F ?? ?? 7D 7E 7D 7F 7D 79 ?? ?? ?? ?? 7D 79 7D 7F 7D 79 ?? ?? ?? ?? 7D 78 7D 7C 7D 7F ?? ?? } + $s126 = { 7E 7F 7E 7F 7E 7C ?? ?? 7E 7C 7E 7F 7E 7C ?? ?? 7E 7D 7E 7C 7E 7A ?? ?? ?? ?? 7E 7A 7E 7C 7E 7A ?? ?? ?? ?? 7E 7B 7E 7F 7E 7C ?? ?? } + $s127 = { 7F 7E 7F 7E 7F 7D ?? ?? 7F 7D 7F 7E 7F 7D ?? ?? 7F 7C 7F 7D 7F 7B ?? ?? ?? ?? 7F 7B 7F 7D 7F 7B ?? ?? ?? ?? 7F 7A 7F 7E 7F 7D ?? ?? } + $s128 = { 80 81 80 81 80 82 ?? ?? 80 82 80 81 80 82 ?? ?? 80 83 80 82 80 84 ?? ?? ?? ?? 
80 84 80 82 80 84 ?? ?? ?? ?? 80 85 80 81 80 82 ?? ?? } + $s129 = { 81 80 81 80 81 83 ?? ?? 81 83 81 80 81 83 ?? ?? 81 82 81 83 81 85 ?? ?? ?? ?? 81 85 81 83 81 85 ?? ?? ?? ?? 81 84 81 80 81 83 ?? ?? } + $s130 = { 82 83 82 83 82 80 ?? ?? 82 80 82 83 82 80 ?? ?? 82 81 82 80 82 86 ?? ?? ?? ?? 82 86 82 80 82 86 ?? ?? ?? ?? 82 87 82 83 82 80 ?? ?? } + $s131 = { 83 82 83 82 83 81 ?? ?? 83 81 83 82 83 81 ?? ?? 83 80 83 81 83 87 ?? ?? ?? ?? 83 87 83 81 83 87 ?? ?? ?? ?? 83 86 83 82 83 81 ?? ?? } + $s132 = { 84 85 84 85 84 86 ?? ?? 84 86 84 85 84 86 ?? ?? 84 87 84 86 84 80 ?? ?? ?? ?? 84 80 84 86 84 80 ?? ?? ?? ?? 84 81 84 85 84 86 ?? ?? } + $s133 = { 85 84 85 84 85 87 ?? ?? 85 87 85 84 85 87 ?? ?? 85 86 85 87 85 81 ?? ?? ?? ?? 85 81 85 87 85 81 ?? ?? ?? ?? 85 80 85 84 85 87 ?? ?? } + $s134 = { 86 87 86 87 86 84 ?? ?? 86 84 86 87 86 84 ?? ?? 86 85 86 84 86 82 ?? ?? ?? ?? 86 82 86 84 86 82 ?? ?? ?? ?? 86 83 86 87 86 84 ?? ?? } + $s135 = { 87 86 87 86 87 85 ?? ?? 87 85 87 86 87 85 ?? ?? 87 84 87 85 87 83 ?? ?? ?? ?? 87 83 87 85 87 83 ?? ?? ?? ?? 87 82 87 86 87 85 ?? ?? } + $s136 = { 88 89 88 89 88 8A ?? ?? 88 8A 88 89 88 8A ?? ?? 88 8B 88 8A 88 8C ?? ?? ?? ?? 88 8C 88 8A 88 8C ?? ?? ?? ?? 88 8D 88 89 88 8A ?? ?? } + $s137 = { 89 88 89 88 89 8B ?? ?? 89 8B 89 88 89 8B ?? ?? 89 8A 89 8B 89 8D ?? ?? ?? ?? 89 8D 89 8B 89 8D ?? ?? ?? ?? 89 8C 89 88 89 8B ?? ?? } + $s138 = { 8A 8B 8A 8B 8A 88 ?? ?? 8A 88 8A 8B 8A 88 ?? ?? 8A 89 8A 88 8A 8E ?? ?? ?? ?? 8A 8E 8A 88 8A 8E ?? ?? ?? ?? 8A 8F 8A 8B 8A 88 ?? ?? } + $s139 = { 8B 8A 8B 8A 8B 89 ?? ?? 8B 89 8B 8A 8B 89 ?? ?? 8B 88 8B 89 8B 8F ?? ?? ?? ?? 8B 8F 8B 89 8B 8F ?? ?? ?? ?? 8B 8E 8B 8A 8B 89 ?? ?? } + $s140 = { 8C 8D 8C 8D 8C 8E ?? ?? 8C 8E 8C 8D 8C 8E ?? ?? 8C 8F 8C 8E 8C 88 ?? ?? ?? ?? 8C 88 8C 8E 8C 88 ?? ?? ?? ?? 8C 89 8C 8D 8C 8E ?? ?? } + $s141 = { 8D 8C 8D 8C 8D 8F ?? ?? 8D 8F 8D 8C 8D 8F ?? ?? 8D 8E 8D 8F 8D 89 ?? ?? ?? ?? 8D 89 8D 8F 8D 89 ?? ?? ?? ?? 8D 88 8D 8C 8D 8F ?? ?? } + $s142 = { 8E 8F 8E 8F 8E 8C ?? ?? 
8E 8C 8E 8F 8E 8C ?? ?? 8E 8D 8E 8C 8E 8A ?? ?? ?? ?? 8E 8A 8E 8C 8E 8A ?? ?? ?? ?? 8E 8B 8E 8F 8E 8C ?? ?? } + $s143 = { 8F 8E 8F 8E 8F 8D ?? ?? 8F 8D 8F 8E 8F 8D ?? ?? 8F 8C 8F 8D 8F 8B ?? ?? ?? ?? 8F 8B 8F 8D 8F 8B ?? ?? ?? ?? 8F 8A 8F 8E 8F 8D ?? ?? } + $s144 = { 90 91 90 91 90 92 ?? ?? 90 92 90 91 90 92 ?? ?? 90 93 90 92 90 94 ?? ?? ?? ?? 90 94 90 92 90 94 ?? ?? ?? ?? 90 95 90 91 90 92 ?? ?? } + $s145 = { 91 90 91 90 91 93 ?? ?? 91 93 91 90 91 93 ?? ?? 91 92 91 93 91 95 ?? ?? ?? ?? 91 95 91 93 91 95 ?? ?? ?? ?? 91 94 91 90 91 93 ?? ?? } + $s146 = { 92 93 92 93 92 90 ?? ?? 92 90 92 93 92 90 ?? ?? 92 91 92 90 92 96 ?? ?? ?? ?? 92 96 92 90 92 96 ?? ?? ?? ?? 92 97 92 93 92 90 ?? ?? } + $s147 = { 93 92 93 92 93 91 ?? ?? 93 91 93 92 93 91 ?? ?? 93 90 93 91 93 97 ?? ?? ?? ?? 93 97 93 91 93 97 ?? ?? ?? ?? 93 96 93 92 93 91 ?? ?? } + $s148 = { 94 95 94 95 94 96 ?? ?? 94 96 94 95 94 96 ?? ?? 94 97 94 96 94 90 ?? ?? ?? ?? 94 90 94 96 94 90 ?? ?? ?? ?? 94 91 94 95 94 96 ?? ?? } + $s149 = { 95 94 95 94 95 97 ?? ?? 95 97 95 94 95 97 ?? ?? 95 96 95 97 95 91 ?? ?? ?? ?? 95 91 95 97 95 91 ?? ?? ?? ?? 95 90 95 94 95 97 ?? ?? } + $s150 = { 96 97 96 97 96 94 ?? ?? 96 94 96 97 96 94 ?? ?? 96 95 96 94 96 92 ?? ?? ?? ?? 96 92 96 94 96 92 ?? ?? ?? ?? 96 93 96 97 96 94 ?? ?? } + $s151 = { 97 96 97 96 97 95 ?? ?? 97 95 97 96 97 95 ?? ?? 97 94 97 95 97 93 ?? ?? ?? ?? 97 93 97 95 97 93 ?? ?? ?? ?? 97 92 97 96 97 95 ?? ?? } + $s152 = { 98 99 98 99 98 9A ?? ?? 98 9A 98 99 98 9A ?? ?? 98 9B 98 9A 98 9C ?? ?? ?? ?? 98 9C 98 9A 98 9C ?? ?? ?? ?? 98 9D 98 99 98 9A ?? ?? } + $s153 = { 99 98 99 98 99 9B ?? ?? 99 9B 99 98 99 9B ?? ?? 99 9A 99 9B 99 9D ?? ?? ?? ?? 99 9D 99 9B 99 9D ?? ?? ?? ?? 99 9C 99 98 99 9B ?? ?? } + $s154 = { 9A 9B 9A 9B 9A 98 ?? ?? 9A 98 9A 9B 9A 98 ?? ?? 9A 99 9A 98 9A 9E ?? ?? ?? ?? 9A 9E 9A 98 9A 9E ?? ?? ?? ?? 9A 9F 9A 9B 9A 98 ?? ?? } + $s155 = { 9B 9A 9B 9A 9B 99 ?? ?? 9B 99 9B 9A 9B 99 ?? ?? 9B 98 9B 99 9B 9F ?? ?? ?? ?? 9B 9F 9B 99 9B 9F ?? ?? ?? ?? 
9B 9E 9B 9A 9B 99 ?? ?? } + $s156 = { 9C 9D 9C 9D 9C 9E ?? ?? 9C 9E 9C 9D 9C 9E ?? ?? 9C 9F 9C 9E 9C 98 ?? ?? ?? ?? 9C 98 9C 9E 9C 98 ?? ?? ?? ?? 9C 99 9C 9D 9C 9E ?? ?? } + $s157 = { 9D 9C 9D 9C 9D 9F ?? ?? 9D 9F 9D 9C 9D 9F ?? ?? 9D 9E 9D 9F 9D 99 ?? ?? ?? ?? 9D 99 9D 9F 9D 99 ?? ?? ?? ?? 9D 98 9D 9C 9D 9F ?? ?? } + $s158 = { 9E 9F 9E 9F 9E 9C ?? ?? 9E 9C 9E 9F 9E 9C ?? ?? 9E 9D 9E 9C 9E 9A ?? ?? ?? ?? 9E 9A 9E 9C 9E 9A ?? ?? ?? ?? 9E 9B 9E 9F 9E 9C ?? ?? } + $s159 = { 9F 9E 9F 9E 9F 9D ?? ?? 9F 9D 9F 9E 9F 9D ?? ?? 9F 9C 9F 9D 9F 9B ?? ?? ?? ?? 9F 9B 9F 9D 9F 9B ?? ?? ?? ?? 9F 9A 9F 9E 9F 9D ?? ?? } + $s160 = { A0 A1 A0 A1 A0 A2 ?? ?? A0 A2 A0 A1 A0 A2 ?? ?? A0 A3 A0 A2 A0 A4 ?? ?? ?? ?? A0 A4 A0 A2 A0 A4 ?? ?? ?? ?? A0 A5 A0 A1 A0 A2 ?? ?? } + $s161 = { A1 A0 A1 A0 A1 A3 ?? ?? A1 A3 A1 A0 A1 A3 ?? ?? A1 A2 A1 A3 A1 A5 ?? ?? ?? ?? A1 A5 A1 A3 A1 A5 ?? ?? ?? ?? A1 A4 A1 A0 A1 A3 ?? ?? } + $s162 = { A2 A3 A2 A3 A2 A0 ?? ?? A2 A0 A2 A3 A2 A0 ?? ?? A2 A1 A2 A0 A2 A6 ?? ?? ?? ?? A2 A6 A2 A0 A2 A6 ?? ?? ?? ?? A2 A7 A2 A3 A2 A0 ?? ?? } + $s163 = { A3 A2 A3 A2 A3 A1 ?? ?? A3 A1 A3 A2 A3 A1 ?? ?? A3 A0 A3 A1 A3 A7 ?? ?? ?? ?? A3 A7 A3 A1 A3 A7 ?? ?? ?? ?? A3 A6 A3 A2 A3 A1 ?? ?? } + $s164 = { A4 A5 A4 A5 A4 A6 ?? ?? A4 A6 A4 A5 A4 A6 ?? ?? A4 A7 A4 A6 A4 A0 ?? ?? ?? ?? A4 A0 A4 A6 A4 A0 ?? ?? ?? ?? A4 A1 A4 A5 A4 A6 ?? ?? } + $s165 = { A5 A4 A5 A4 A5 A7 ?? ?? A5 A7 A5 A4 A5 A7 ?? ?? A5 A6 A5 A7 A5 A1 ?? ?? ?? ?? A5 A1 A5 A7 A5 A1 ?? ?? ?? ?? A5 A0 A5 A4 A5 A7 ?? ?? } + $s166 = { A6 A7 A6 A7 A6 A4 ?? ?? A6 A4 A6 A7 A6 A4 ?? ?? A6 A5 A6 A4 A6 A2 ?? ?? ?? ?? A6 A2 A6 A4 A6 A2 ?? ?? ?? ?? A6 A3 A6 A7 A6 A4 ?? ?? } + $s167 = { A7 A6 A7 A6 A7 A5 ?? ?? A7 A5 A7 A6 A7 A5 ?? ?? A7 A4 A7 A5 A7 A3 ?? ?? ?? ?? A7 A3 A7 A5 A7 A3 ?? ?? ?? ?? A7 A2 A7 A6 A7 A5 ?? ?? } + $s168 = { A8 A9 A8 A9 A8 AA ?? ?? A8 AA A8 A9 A8 AA ?? ?? A8 AB A8 AA A8 AC ?? ?? ?? ?? A8 AC A8 AA A8 AC ?? ?? ?? ?? A8 AD A8 A9 A8 AA ?? ?? } + $s169 = { A9 A8 A9 A8 A9 AB ?? ?? A9 AB A9 A8 A9 AB ?? ?? 
A9 AA A9 AB A9 AD ?? ?? ?? ?? A9 AD A9 AB A9 AD ?? ?? ?? ?? A9 AC A9 A8 A9 AB ?? ?? } + $s170 = { AA AB AA AB AA A8 ?? ?? AA A8 AA AB AA A8 ?? ?? AA A9 AA A8 AA AE ?? ?? ?? ?? AA AE AA A8 AA AE ?? ?? ?? ?? AA AF AA AB AA A8 ?? ?? } + $s171 = { AB AA AB AA AB A9 ?? ?? AB A9 AB AA AB A9 ?? ?? AB A8 AB A9 AB AF ?? ?? ?? ?? AB AF AB A9 AB AF ?? ?? ?? ?? AB AE AB AA AB A9 ?? ?? } + $s172 = { AC AD AC AD AC AE ?? ?? AC AE AC AD AC AE ?? ?? AC AF AC AE AC A8 ?? ?? ?? ?? AC A8 AC AE AC A8 ?? ?? ?? ?? AC A9 AC AD AC AE ?? ?? } + $s173 = { AD AC AD AC AD AF ?? ?? AD AF AD AC AD AF ?? ?? AD AE AD AF AD A9 ?? ?? ?? ?? AD A9 AD AF AD A9 ?? ?? ?? ?? AD A8 AD AC AD AF ?? ?? } + $s174 = { AE AF AE AF AE AC ?? ?? AE AC AE AF AE AC ?? ?? AE AD AE AC AE AA ?? ?? ?? ?? AE AA AE AC AE AA ?? ?? ?? ?? AE AB AE AF AE AC ?? ?? } + $s175 = { AF AE AF AE AF AD ?? ?? AF AD AF AE AF AD ?? ?? AF AC AF AD AF AB ?? ?? ?? ?? AF AB AF AD AF AB ?? ?? ?? ?? AF AA AF AE AF AD ?? ?? } + $s176 = { B0 B1 B0 B1 B0 B2 ?? ?? B0 B2 B0 B1 B0 B2 ?? ?? B0 B3 B0 B2 B0 B4 ?? ?? ?? ?? B0 B4 B0 B2 B0 B4 ?? ?? ?? ?? B0 B5 B0 B1 B0 B2 ?? ?? } + $s177 = { B1 B0 B1 B0 B1 B3 ?? ?? B1 B3 B1 B0 B1 B3 ?? ?? B1 B2 B1 B3 B1 B5 ?? ?? ?? ?? B1 B5 B1 B3 B1 B5 ?? ?? ?? ?? B1 B4 B1 B0 B1 B3 ?? ?? } + $s178 = { B2 B3 B2 B3 B2 B0 ?? ?? B2 B0 B2 B3 B2 B0 ?? ?? B2 B1 B2 B0 B2 B6 ?? ?? ?? ?? B2 B6 B2 B0 B2 B6 ?? ?? ?? ?? B2 B7 B2 B3 B2 B0 ?? ?? } + $s179 = { B3 B2 B3 B2 B3 B1 ?? ?? B3 B1 B3 B2 B3 B1 ?? ?? B3 B0 B3 B1 B3 B7 ?? ?? ?? ?? B3 B7 B3 B1 B3 B7 ?? ?? ?? ?? B3 B6 B3 B2 B3 B1 ?? ?? } + $s180 = { B4 B5 B4 B5 B4 B6 ?? ?? B4 B6 B4 B5 B4 B6 ?? ?? B4 B7 B4 B6 B4 B0 ?? ?? ?? ?? B4 B0 B4 B6 B4 B0 ?? ?? ?? ?? B4 B1 B4 B5 B4 B6 ?? ?? } + $s181 = { B5 B4 B5 B4 B5 B7 ?? ?? B5 B7 B5 B4 B5 B7 ?? ?? B5 B6 B5 B7 B5 B1 ?? ?? ?? ?? B5 B1 B5 B7 B5 B1 ?? ?? ?? ?? B5 B0 B5 B4 B5 B7 ?? ?? } + $s182 = { B6 B7 B6 B7 B6 B4 ?? ?? B6 B4 B6 B7 B6 B4 ?? ?? B6 B5 B6 B4 B6 B2 ?? ?? ?? ?? B6 B2 B6 B4 B6 B2 ?? ?? ?? ?? B6 B3 B6 B7 B6 B4 ?? ?? 
} + $s183 = { B7 B6 B7 B6 B7 B5 ?? ?? B7 B5 B7 B6 B7 B5 ?? ?? B7 B4 B7 B5 B7 B3 ?? ?? ?? ?? B7 B3 B7 B5 B7 B3 ?? ?? ?? ?? B7 B2 B7 B6 B7 B5 ?? ?? } + $s184 = { B8 B9 B8 B9 B8 BA ?? ?? B8 BA B8 B9 B8 BA ?? ?? B8 BB B8 BA B8 BC ?? ?? ?? ?? B8 BC B8 BA B8 BC ?? ?? ?? ?? B8 BD B8 B9 B8 BA ?? ?? } + $s185 = { B9 B8 B9 B8 B9 BB ?? ?? B9 BB B9 B8 B9 BB ?? ?? B9 BA B9 BB B9 BD ?? ?? ?? ?? B9 BD B9 BB B9 BD ?? ?? ?? ?? B9 BC B9 B8 B9 BB ?? ?? } + $s186 = { BA BB BA BB BA B8 ?? ?? BA B8 BA BB BA B8 ?? ?? BA B9 BA B8 BA BE ?? ?? ?? ?? BA BE BA B8 BA BE ?? ?? ?? ?? BA BF BA BB BA B8 ?? ?? } + $s187 = { BB BA BB BA BB B9 ?? ?? BB B9 BB BA BB B9 ?? ?? BB B8 BB B9 BB BF ?? ?? ?? ?? BB BF BB B9 BB BF ?? ?? ?? ?? BB BE BB BA BB B9 ?? ?? } + $s188 = { BC BD BC BD BC BE ?? ?? BC BE BC BD BC BE ?? ?? BC BF BC BE BC B8 ?? ?? ?? ?? BC B8 BC BE BC B8 ?? ?? ?? ?? BC B9 BC BD BC BE ?? ?? } + $s189 = { BD BC BD BC BD BF ?? ?? BD BF BD BC BD BF ?? ?? BD BE BD BF BD B9 ?? ?? ?? ?? BD B9 BD BF BD B9 ?? ?? ?? ?? BD B8 BD BC BD BF ?? ?? } + $s190 = { BE BF BE BF BE BC ?? ?? BE BC BE BF BE BC ?? ?? BE BD BE BC BE BA ?? ?? ?? ?? BE BA BE BC BE BA ?? ?? ?? ?? BE BB BE BF BE BC ?? ?? } + $s191 = { BF BE BF BE BF BD ?? ?? BF BD BF BE BF BD ?? ?? BF BC BF BD BF BB ?? ?? ?? ?? BF BB BF BD BF BB ?? ?? ?? ?? BF BA BF BE BF BD ?? ?? } + $s192 = { C0 C1 C0 C1 C0 C2 ?? ?? C0 C2 C0 C1 C0 C2 ?? ?? C0 C3 C0 C2 C0 C4 ?? ?? ?? ?? C0 C4 C0 C2 C0 C4 ?? ?? ?? ?? C0 C5 C0 C1 C0 C2 ?? ?? } + $s193 = { C1 C0 C1 C0 C1 C3 ?? ?? C1 C3 C1 C0 C1 C3 ?? ?? C1 C2 C1 C3 C1 C5 ?? ?? ?? ?? C1 C5 C1 C3 C1 C5 ?? ?? ?? ?? C1 C4 C1 C0 C1 C3 ?? ?? } + $s194 = { C2 C3 C2 C3 C2 C0 ?? ?? C2 C0 C2 C3 C2 C0 ?? ?? C2 C1 C2 C0 C2 C6 ?? ?? ?? ?? C2 C6 C2 C0 C2 C6 ?? ?? ?? ?? C2 C7 C2 C3 C2 C0 ?? ?? } + $s195 = { C3 C2 C3 C2 C3 C1 ?? ?? C3 C1 C3 C2 C3 C1 ?? ?? C3 C0 C3 C1 C3 C7 ?? ?? ?? ?? C3 C7 C3 C1 C3 C7 ?? ?? ?? ?? C3 C6 C3 C2 C3 C1 ?? ?? } + $s196 = { C4 C5 C4 C5 C4 C6 ?? ?? C4 C6 C4 C5 C4 C6 ?? ?? C4 C7 C4 C6 C4 C0 ?? ?? ?? ?? 
C4 C0 C4 C6 C4 C0 ?? ?? ?? ?? C4 C1 C4 C5 C4 C6 ?? ?? } + $s197 = { C5 C4 C5 C4 C5 C7 ?? ?? C5 C7 C5 C4 C5 C7 ?? ?? C5 C6 C5 C7 C5 C1 ?? ?? ?? ?? C5 C1 C5 C7 C5 C1 ?? ?? ?? ?? C5 C0 C5 C4 C5 C7 ?? ?? } + $s198 = { C6 C7 C6 C7 C6 C4 ?? ?? C6 C4 C6 C7 C6 C4 ?? ?? C6 C5 C6 C4 C6 C2 ?? ?? ?? ?? C6 C2 C6 C4 C6 C2 ?? ?? ?? ?? C6 C3 C6 C7 C6 C4 ?? ?? } + $s199 = { C7 C6 C7 C6 C7 C5 ?? ?? C7 C5 C7 C6 C7 C5 ?? ?? C7 C4 C7 C5 C7 C3 ?? ?? ?? ?? C7 C3 C7 C5 C7 C3 ?? ?? ?? ?? C7 C2 C7 C6 C7 C5 ?? ?? } + $s200 = { C8 C9 C8 C9 C8 CA ?? ?? C8 CA C8 C9 C8 CA ?? ?? C8 CB C8 CA C8 CC ?? ?? ?? ?? C8 CC C8 CA C8 CC ?? ?? ?? ?? C8 CD C8 C9 C8 CA ?? ?? } + $s201 = { C9 C8 C9 C8 C9 CB ?? ?? C9 CB C9 C8 C9 CB ?? ?? C9 CA C9 CB C9 CD ?? ?? ?? ?? C9 CD C9 CB C9 CD ?? ?? ?? ?? C9 CC C9 C8 C9 CB ?? ?? } + $s202 = { CA CB CA CB CA C8 ?? ?? CA C8 CA CB CA C8 ?? ?? CA C9 CA C8 CA CE ?? ?? ?? ?? CA CE CA C8 CA CE ?? ?? ?? ?? CA CF CA CB CA C8 ?? ?? } + $s203 = { CB CA CB CA CB C9 ?? ?? CB C9 CB CA CB C9 ?? ?? CB C8 CB C9 CB CF ?? ?? ?? ?? CB CF CB C9 CB CF ?? ?? ?? ?? CB CE CB CA CB C9 ?? ?? } + $s204 = { CC CD CC CD CC CE ?? ?? CC CE CC CD CC CE ?? ?? CC CF CC CE CC C8 ?? ?? ?? ?? CC C8 CC CE CC C8 ?? ?? ?? ?? CC C9 CC CD CC CE ?? ?? } + $s205 = { CD CC CD CC CD CF ?? ?? CD CF CD CC CD CF ?? ?? CD CE CD CF CD C9 ?? ?? ?? ?? CD C9 CD CF CD C9 ?? ?? ?? ?? CD C8 CD CC CD CF ?? ?? } + $s206 = { CE CF CE CF CE CC ?? ?? CE CC CE CF CE CC ?? ?? CE CD CE CC CE CA ?? ?? ?? ?? CE CA CE CC CE CA ?? ?? ?? ?? CE CB CE CF CE CC ?? ?? } + $s207 = { CF CE CF CE CF CD ?? ?? CF CD CF CE CF CD ?? ?? CF CC CF CD CF CB ?? ?? ?? ?? CF CB CF CD CF CB ?? ?? ?? ?? CF CA CF CE CF CD ?? ?? } + $s208 = { D0 D1 D0 D1 D0 D2 ?? ?? D0 D2 D0 D1 D0 D2 ?? ?? D0 D3 D0 D2 D0 D4 ?? ?? ?? ?? D0 D4 D0 D2 D0 D4 ?? ?? ?? ?? D0 D5 D0 D1 D0 D2 ?? ?? } + $s209 = { D1 D0 D1 D0 D1 D3 ?? ?? D1 D3 D1 D0 D1 D3 ?? ?? D1 D2 D1 D3 D1 D5 ?? ?? ?? ?? D1 D5 D1 D3 D1 D5 ?? ?? ?? ?? D1 D4 D1 D0 D1 D3 ?? ?? } + $s210 = { D2 D3 D2 D3 D2 D0 ?? ?? 
D2 D0 D2 D3 D2 D0 ?? ?? D2 D1 D2 D0 D2 D6 ?? ?? ?? ?? D2 D6 D2 D0 D2 D6 ?? ?? ?? ?? D2 D7 D2 D3 D2 D0 ?? ?? } + $s211 = { D3 D2 D3 D2 D3 D1 ?? ?? D3 D1 D3 D2 D3 D1 ?? ?? D3 D0 D3 D1 D3 D7 ?? ?? ?? ?? D3 D7 D3 D1 D3 D7 ?? ?? ?? ?? D3 D6 D3 D2 D3 D1 ?? ?? } + $s212 = { D4 D5 D4 D5 D4 D6 ?? ?? D4 D6 D4 D5 D4 D6 ?? ?? D4 D7 D4 D6 D4 D0 ?? ?? ?? ?? D4 D0 D4 D6 D4 D0 ?? ?? ?? ?? D4 D1 D4 D5 D4 D6 ?? ?? } + $s213 = { D5 D4 D5 D4 D5 D7 ?? ?? D5 D7 D5 D4 D5 D7 ?? ?? D5 D6 D5 D7 D5 D1 ?? ?? ?? ?? D5 D1 D5 D7 D5 D1 ?? ?? ?? ?? D5 D0 D5 D4 D5 D7 ?? ?? } + $s214 = { D6 D7 D6 D7 D6 D4 ?? ?? D6 D4 D6 D7 D6 D4 ?? ?? D6 D5 D6 D4 D6 D2 ?? ?? ?? ?? D6 D2 D6 D4 D6 D2 ?? ?? ?? ?? D6 D3 D6 D7 D6 D4 ?? ?? } + $s215 = { D7 D6 D7 D6 D7 D5 ?? ?? D7 D5 D7 D6 D7 D5 ?? ?? D7 D4 D7 D5 D7 D3 ?? ?? ?? ?? D7 D3 D7 D5 D7 D3 ?? ?? ?? ?? D7 D2 D7 D6 D7 D5 ?? ?? } + $s216 = { D8 D9 D8 D9 D8 DA ?? ?? D8 DA D8 D9 D8 DA ?? ?? D8 DB D8 DA D8 DC ?? ?? ?? ?? D8 DC D8 DA D8 DC ?? ?? ?? ?? D8 DD D8 D9 D8 DA ?? ?? } + $s217 = { D9 D8 D9 D8 D9 DB ?? ?? D9 DB D9 D8 D9 DB ?? ?? D9 DA D9 DB D9 DD ?? ?? ?? ?? D9 DD D9 DB D9 DD ?? ?? ?? ?? D9 DC D9 D8 D9 DB ?? ?? } + $s218 = { DA DB DA DB DA D8 ?? ?? DA D8 DA DB DA D8 ?? ?? DA D9 DA D8 DA DE ?? ?? ?? ?? DA DE DA D8 DA DE ?? ?? ?? ?? DA DF DA DB DA D8 ?? ?? } + $s219 = { DB DA DB DA DB D9 ?? ?? DB D9 DB DA DB D9 ?? ?? DB D8 DB D9 DB DF ?? ?? ?? ?? DB DF DB D9 DB DF ?? ?? ?? ?? DB DE DB DA DB D9 ?? ?? } + $s220 = { DC DD DC DD DC DE ?? ?? DC DE DC DD DC DE ?? ?? DC DF DC DE DC D8 ?? ?? ?? ?? DC D8 DC DE DC D8 ?? ?? ?? ?? DC D9 DC DD DC DE ?? ?? } + $s221 = { DD DC DD DC DD DF ?? ?? DD DF DD DC DD DF ?? ?? DD DE DD DF DD D9 ?? ?? ?? ?? DD D9 DD DF DD D9 ?? ?? ?? ?? DD D8 DD DC DD DF ?? ?? } + $s222 = { DE DF DE DF DE DC ?? ?? DE DC DE DF DE DC ?? ?? DE DD DE DC DE DA ?? ?? ?? ?? DE DA DE DC DE DA ?? ?? ?? ?? DE DB DE DF DE DC ?? ?? } + $s223 = { DF DE DF DE DF DD ?? ?? DF DD DF DE DF DD ?? ?? DF DC DF DD DF DB ?? ?? ?? ?? DF DB DF DD DF DB ?? ?? ?? ?? 
DF DA DF DE DF DD ?? ?? } + $s224 = { E0 E1 E0 E1 E0 E2 ?? ?? E0 E2 E0 E1 E0 E2 ?? ?? E0 E3 E0 E2 E0 E4 ?? ?? ?? ?? E0 E4 E0 E2 E0 E4 ?? ?? ?? ?? E0 E5 E0 E1 E0 E2 ?? ?? } + $s225 = { E1 E0 E1 E0 E1 E3 ?? ?? E1 E3 E1 E0 E1 E3 ?? ?? E1 E2 E1 E3 E1 E5 ?? ?? ?? ?? E1 E5 E1 E3 E1 E5 ?? ?? ?? ?? E1 E4 E1 E0 E1 E3 ?? ?? } + $s226 = { E2 E3 E2 E3 E2 E0 ?? ?? E2 E0 E2 E3 E2 E0 ?? ?? E2 E1 E2 E0 E2 E6 ?? ?? ?? ?? E2 E6 E2 E0 E2 E6 ?? ?? ?? ?? E2 E7 E2 E3 E2 E0 ?? ?? } + $s227 = { E3 E2 E3 E2 E3 E1 ?? ?? E3 E1 E3 E2 E3 E1 ?? ?? E3 E0 E3 E1 E3 E7 ?? ?? ?? ?? E3 E7 E3 E1 E3 E7 ?? ?? ?? ?? E3 E6 E3 E2 E3 E1 ?? ?? } + $s228 = { E4 E5 E4 E5 E4 E6 ?? ?? E4 E6 E4 E5 E4 E6 ?? ?? E4 E7 E4 E6 E4 E0 ?? ?? ?? ?? E4 E0 E4 E6 E4 E0 ?? ?? ?? ?? E4 E1 E4 E5 E4 E6 ?? ?? } + $s229 = { E5 E4 E5 E4 E5 E7 ?? ?? E5 E7 E5 E4 E5 E7 ?? ?? E5 E6 E5 E7 E5 E1 ?? ?? ?? ?? E5 E1 E5 E7 E5 E1 ?? ?? ?? ?? E5 E0 E5 E4 E5 E7 ?? ?? } + $s230 = { E6 E7 E6 E7 E6 E4 ?? ?? E6 E4 E6 E7 E6 E4 ?? ?? E6 E5 E6 E4 E6 E2 ?? ?? ?? ?? E6 E2 E6 E4 E6 E2 ?? ?? ?? ?? E6 E3 E6 E7 E6 E4 ?? ?? } + $s231 = { E7 E6 E7 E6 E7 E5 ?? ?? E7 E5 E7 E6 E7 E5 ?? ?? E7 E4 E7 E5 E7 E3 ?? ?? ?? ?? E7 E3 E7 E5 E7 E3 ?? ?? ?? ?? E7 E2 E7 E6 E7 E5 ?? ?? } + $s232 = { E8 E9 E8 E9 E8 EA ?? ?? E8 EA E8 E9 E8 EA ?? ?? E8 EB E8 EA E8 EC ?? ?? ?? ?? E8 EC E8 EA E8 EC ?? ?? ?? ?? E8 ED E8 E9 E8 EA ?? ?? } + $s233 = { E9 E8 E9 E8 E9 EB ?? ?? E9 EB E9 E8 E9 EB ?? ?? E9 EA E9 EB E9 ED ?? ?? ?? ?? E9 ED E9 EB E9 ED ?? ?? ?? ?? E9 EC E9 E8 E9 EB ?? ?? } + $s234 = { EA EB EA EB EA E8 ?? ?? EA E8 EA EB EA E8 ?? ?? EA E9 EA E8 EA EE ?? ?? ?? ?? EA EE EA E8 EA EE ?? ?? ?? ?? EA EF EA EB EA E8 ?? ?? } + $s235 = { EB EA EB EA EB E9 ?? ?? EB E9 EB EA EB E9 ?? ?? EB E8 EB E9 EB EF ?? ?? ?? ?? EB EF EB E9 EB EF ?? ?? ?? ?? EB EE EB EA EB E9 ?? ?? } + $s236 = { EC ED EC ED EC EE ?? ?? EC EE EC ED EC EE ?? ?? EC EF EC EE EC E8 ?? ?? ?? ?? EC E8 EC EE EC E8 ?? ?? ?? ?? EC E9 EC ED EC EE ?? ?? } + $s237 = { ED EC ED EC ED EF ?? ?? ED EF ED EC ED EF ?? ?? 
ED EE ED EF ED E9 ?? ?? ?? ?? ED E9 ED EF ED E9 ?? ?? ?? ?? ED E8 ED EC ED EF ?? ?? } + $s238 = { EE EF EE EF EE EC ?? ?? EE EC EE EF EE EC ?? ?? EE ED EE EC EE EA ?? ?? ?? ?? EE EA EE EC EE EA ?? ?? ?? ?? EE EB EE EF EE EC ?? ?? } + $s239 = { EF EE EF EE EF ED ?? ?? EF ED EF EE EF ED ?? ?? EF EC EF ED EF EB ?? ?? ?? ?? EF EB EF ED EF EB ?? ?? ?? ?? EF EA EF EE EF ED ?? ?? } + $s240 = { F0 F1 F0 F1 F0 F2 ?? ?? F0 F2 F0 F1 F0 F2 ?? ?? F0 F3 F0 F2 F0 F4 ?? ?? ?? ?? F0 F4 F0 F2 F0 F4 ?? ?? ?? ?? F0 F5 F0 F1 F0 F2 ?? ?? } + $s241 = { F1 F0 F1 F0 F1 F3 ?? ?? F1 F3 F1 F0 F1 F3 ?? ?? F1 F2 F1 F3 F1 F5 ?? ?? ?? ?? F1 F5 F1 F3 F1 F5 ?? ?? ?? ?? F1 F4 F1 F0 F1 F3 ?? ?? } + $s242 = { F2 F3 F2 F3 F2 F0 ?? ?? F2 F0 F2 F3 F2 F0 ?? ?? F2 F1 F2 F0 F2 F6 ?? ?? ?? ?? F2 F6 F2 F0 F2 F6 ?? ?? ?? ?? F2 F7 F2 F3 F2 F0 ?? ?? } + $s243 = { F3 F2 F3 F2 F3 F1 ?? ?? F3 F1 F3 F2 F3 F1 ?? ?? F3 F0 F3 F1 F3 F7 ?? ?? ?? ?? F3 F7 F3 F1 F3 F7 ?? ?? ?? ?? F3 F6 F3 F2 F3 F1 ?? ?? } + $s244 = { F4 F5 F4 F5 F4 F6 ?? ?? F4 F6 F4 F5 F4 F6 ?? ?? F4 F7 F4 F6 F4 F0 ?? ?? ?? ?? F4 F0 F4 F6 F4 F0 ?? ?? ?? ?? F4 F1 F4 F5 F4 F6 ?? ?? } + $s245 = { F5 F4 F5 F4 F5 F7 ?? ?? F5 F7 F5 F4 F5 F7 ?? ?? F5 F6 F5 F7 F5 F1 ?? ?? ?? ?? F5 F1 F5 F7 F5 F1 ?? ?? ?? ?? F5 F0 F5 F4 F5 F7 ?? ?? } + $s246 = { F6 F7 F6 F7 F6 F4 ?? ?? F6 F4 F6 F7 F6 F4 ?? ?? F6 F5 F6 F4 F6 F2 ?? ?? ?? ?? F6 F2 F6 F4 F6 F2 ?? ?? ?? ?? F6 F3 F6 F7 F6 F4 ?? ?? } + $s247 = { F7 F6 F7 F6 F7 F5 ?? ?? F7 F5 F7 F6 F7 F5 ?? ?? F7 F4 F7 F5 F7 F3 ?? ?? ?? ?? F7 F3 F7 F5 F7 F3 ?? ?? ?? ?? F7 F2 F7 F6 F7 F5 ?? ?? } + $s248 = { F8 F9 F8 F9 F8 FA ?? ?? F8 FA F8 F9 F8 FA ?? ?? F8 FB F8 FA F8 FC ?? ?? ?? ?? F8 FC F8 FA F8 FC ?? ?? ?? ?? F8 FD F8 F9 F8 FA ?? ?? } + $s249 = { F9 F8 F9 F8 F9 FB ?? ?? F9 FB F9 F8 F9 FB ?? ?? F9 FA F9 FB F9 FD ?? ?? ?? ?? F9 FD F9 FB F9 FD ?? ?? ?? ?? F9 FC F9 F8 F9 FB ?? ?? } + $s250 = { FA FB FA FB FA F8 ?? ?? FA F8 FA FB FA F8 ?? ?? FA F9 FA F8 FA FE ?? ?? ?? ?? FA FE FA F8 FA FE ?? ?? ?? ?? FA FF FA FB FA F8 ?? ?? 
} + $s251 = { FB FA FB FA FB F9 ?? ?? FB F9 FB FA FB F9 ?? ?? FB F8 FB F9 FB FF ?? ?? ?? ?? FB FF FB F9 FB FF ?? ?? ?? ?? FB FE FB FA FB F9 ?? ?? } + $s252 = { FC FD FC FD FC FE ?? ?? FC FE FC FD FC FE ?? ?? FC FF FC FE FC F8 ?? ?? ?? ?? FC F8 FC FE FC F8 ?? ?? ?? ?? FC F9 FC FD FC FE ?? ?? } + $s253 = { FD FC FD FC FD FF ?? ?? FD FF FD FC FD FF ?? ?? FD FE FD FF FD F9 ?? ?? ?? ?? FD F9 FD FF FD F9 ?? ?? ?? ?? FD F8 FD FC FD FF ?? ?? } + $s254 = { FE FF FE FF FE FC ?? ?? FE FC FE FF FE FC ?? ?? FE FD FE FC FE FA ?? ?? ?? ?? FE FA FE FC FE FA ?? ?? ?? ?? FE FB FE FF FE FC ?? ?? } + $s255 = { FF FE FF FE FF FD ?? ?? FF FD FF FE FF FD ?? ?? FF FC FF FD FF FB ?? ?? ?? ?? FF FB FF FD FF FB ?? ?? ?? ?? FF FA FF FE FF FD ?? ?? } + + $fp1 = "ICSharpCode.Decompiler" wide + condition: + any of ($s*) and not 1 of ($fp*) +} + +rule CobaltStrike_MZ_Launcher { + meta: + description = "Detects CobaltStrike MZ header ReflectiveLoader launcher" + author = "yara@s3c.za.net" + date = "2021-07-08" + id = "461a4741-11c5-53d9-b8e1-52d64cfe755b" + strings: + $mz_launcher = { 4D 5A 41 52 55 48 89 E5 48 81 EC 20 00 00 00 48 8D 1D } + condition: + $mz_launcher +} + +rule CobaltStrike_Unmodifed_Beacon { + meta: + description = "Detects unmodified CobaltStrike beacon DLL" + author = "yara@s3c.za.net" + date = "2019-08-16" + id = "8eeb03f9-9698-5a46-b45b-224d5c3f3df7" + strings: + $loader_export = "ReflectiveLoader" + $exportname = "beacon.dll" + condition: + all of them +} diff --git a/yara-Neo23x0/apt_codoso.yar b/yara-Neo23x0/apt_codoso.yar new file mode 100644 index 0000000..a5746fb --- /dev/null +++ b/yara-Neo23x0/apt_codoso.yar 
@@ -0,0 +1,367 @@
+/*
+ Yara Rule Set
+ Author: Florian Roth
+ Date: 2016-01-30
+ Identifier: Codoso
+ Comment: Reduced signature set for LOKI integration
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule Codoso_PlugX_3 {
+ meta:
+ description = "Detects Codoso APT PlugX Malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+ date = "2016-01-30"
+ hash = "74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3"
+ id = "55066812-3a8e-5099-afb4-ff7a59f1ccb2"
+ strings:
+ $s1 = "Cannot create folder %sDCRC failed in the encrypted file %s. Corrupt file or wrong password." fullword wide
+ $s2 = "mcs.exe" fullword ascii
+ $s3 = "McAltLib.dll" fullword ascii
+ $s4 = "WinRAR self-extracting archive" fullword wide
+ condition:
+ uint16(0) == 0x5a4d and filesize < 1200KB and all of them
+}
+rule Codoso_PlugX_2 {
+ meta:
+ description = "Detects Codoso APT PlugX Malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+ date = "2016-01-30"
+ hash = "b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb"
+ id = "0402a0ff-5664-52db-a739-51c5181853f8"
+ strings:
+ $s1 = "%TEMP%\\HID" fullword wide
+ $s2 = "%s\\hid.dll" fullword wide
+ $s3 = "%s\\SOUNDMAN.exe" fullword wide
+ $s4 = "\"%s\\SOUNDMAN.exe\" %d %d" fullword wide
+ $s5 = "%s\\HID.dllx" fullword wide
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 400KB and 3 of them ) or all of them
+}
+rule Codoso_CustomTCP_4 {
+ meta:
+ description = "Detects Codoso APT CustomTCP Malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+ date = "2016-01-30"
+ hash1 = "ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0"
+ hash2 = "130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8"
+ hash3 = "3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa"
+ hash4 = "02cf5c244aebaca6195f45029c1e37b22495609be7bdfcfcd79b0c91eac44a13"
+ id = "b6ed6939-db0c-5a47-8839-3337d1bc1f6c"
+ strings:
+ $x1 = "varus_service_x86.dll" fullword ascii
+
+ $s1 = "/s %s /p %d /st %d /rt %d" fullword ascii
+ $s2 = "net start %%1" fullword ascii
+ $s3 = "ping 127.1 > nul" fullword ascii
+ $s4 = "McInitMISPAlertEx" fullword ascii
+ $s5 = "sc start %%1" fullword ascii
+ $s6 = "net stop %%1" fullword ascii
+ $s7 = "WorkerRun" fullword ascii
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 400KB and 5 of them ) or
+ ( $x1 and 2 of ($s*) )
+}
+rule Codoso_CustomTCP_3 {
+ meta:
+ description = "Detects Codoso APT CustomTCP Malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+ date = "2016-01-30"
+ hash = "d66106ec2e743dae1d71b60a602ca713b93077f56a47045f4fc9143aa3957090"
+ id = "b6ed6939-db0c-5a47-8839-3337d1bc1f6c"
+ strings:
+ $s1 = "DnsApi.dll" fullword ascii
+ $s2 = "softWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\%s" ascii
+ $s3 = "CONNECT %s:%d hTTP/1.1" ascii
+ $s4 = "CONNECT %s:%d HTTp/1.1" ascii
+ $s5 = "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0;)" ascii
+ $s6 = "iphlpapi.dll" ascii
+ $s7 = "%systemroot%\\Web\\" ascii
+ $s8 = "Proxy-Authorization: Negotiate %s" ascii
+ $s9 = "CLSID\\{%s}\\InprocServer32" ascii
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 500KB and 5 of them ) or 7 of them
+}
+rule Codoso_CustomTCP_2 {
+ meta:
+ description = "Detects Codoso APT CustomTCP Malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+ date = "2016-01-30"
+ hash = "3577845d71ae995762d4a8f43b21ada49d809f95c127b770aff00ae0b64264a3"
+ id = "b6ed6939-db0c-5a47-8839-3337d1bc1f6c"
+ strings:
+ $s1 = "varus_service_x86.dll" fullword ascii
+ $s2 = "/s %s /p %d /st %d /rt %d" fullword ascii
+ $s3 = "net start %%1" fullword ascii
+ $s4 = "ping 127.1 > nul" fullword ascii
+ $s5 = "McInitMISPAlertEx" fullword ascii
+ $s6 = "sc start %%1" fullword ascii
+ $s7 = "B_WKNDNSK^" fullword ascii
+ $s8 = "net stop %%1" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 406KB and all of them
+}
+rule Codoso_PGV_PVID_6 {
+ meta:
+ description = "Detects Codoso APT PGV_PVID Malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+ date = "2016-01-30"
+ hash = "4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f"
+ id = "6d1d8490-fdcb-5263-ae00-0b436e822fc3"
+ strings:
+ $s0 = "rundll32 \"%s\",%s" fullword ascii
+ $s1 = "/c ping 127.%d & del \"%s\"" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 6000KB and all of them
+}
+rule Codoso_Gh0st_3 {
+ meta:
+ description = "Detects Codoso APT Gh0st Malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+ date = "2016-01-30"
+ hash = "bf52ca4d4077ae7e840cf6cd11fdec0bb5be890ddd5687af5cfa581c8c015fcd"
+ id = "55fb17c5-ee11-55be-9af3-e9fe8d6160b5"
+ strings:
+ $x1 = "RunMeByDLL32" fullword ascii
+
+ $s1 = "svchost.dll" fullword wide
+ $s2 = "server.dll" fullword ascii
+ $s3 = "Copyright ? 2008" fullword wide
+ $s4 = "testsupdate33" fullword ascii
+ $s5 = "Device Protect Application" fullword wide
+ $s6 = "MSVCP60.DLL" fullword ascii /* Goodware String - occured 1 times */
+ $s7 = "mail-news.eicp.net" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 195KB and $x1 or 4 of them
+}
+rule Codoso_Gh0st_2 {
+ meta:
+ description = "Detects Codoso APT Gh0st Malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+ date = "2016-01-30"
+ hash = "5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841"
+ id = "5643d028-2a76-5bce-bf2f-8be706ab1fd5"
+ strings:
+ $s0 = "cmd.exe /c ping 127.0.0.1 && ping 127.0.0.1 && sc start %s && ping 127.0.0.1 && sc start %s" fullword ascii
+ $s1 = "rundll32.exe \"%s\", RunMeByDLL32" fullword ascii
+ $s13 = "Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}" fullword wide
+ $s14 = "%s -r debug 1" fullword ascii
+ $s15 = "\\\\.\\keymmdrv1" fullword ascii
+ $s17 = "RunMeByDLL32" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 500KB and 1 of them
+}
+rule Codoso_CustomTCP {
+ meta:
+ description = "Codoso CustomTCP Malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+ date = "2016-01-30"
+ hash = "b95d7f56a686a05398198d317c805924c36f3abacbb1b9e3f590ec0d59f845d8"
+ id = "b6ed6939-db0c-5a47-8839-3337d1bc1f6c"
+ strings:
+ $s4 = "wnyglw" fullword ascii
+ $s5 = "WorkerRun" fullword ascii
+ $s7 = "boazdcd" fullword ascii
+ $s8 = "wayflw" fullword ascii
+ $s9 = "CODETABL" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 405KB and all of them
+}
+
+/* Super Rules ------------------------------------------------------------- */
+
+rule Codoso_PGV_PVID_5 {
+ meta:
+ description = "Detects Codoso APT PGV PVID Malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+ date = "2016-01-30"
+ super_rule = 1
+ hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
+ hash2 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
+ id = "0202d82c-c1f8-59f7-96b6-b21f21c1dc69"
+ strings:
+ $s1 = "/c del %s >> NUL" fullword ascii
+ $s2 = "%s%s.manifest" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 500KB and all of them
+}
+rule Codoso_Gh0st_1 {
+ meta:
+ description = "Detects Codoso APT Gh0st Malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+ date = "2016-01-30"
+ super_rule = 1
+ hash1 = "5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841"
+ hash2 = "7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8"
+ hash3 = "d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297"
+ id = "24d9e64c-4b35-5737-92ae-8ec391d494c7"
+ strings:
+ $x1 = "cmd.exe /c ping 127.0.0.1 && ping 127.0.0.1 && sc start %s && ping 127.0.0.1 && sc start %s" fullword ascii
+ $x2 = "rundll32.exe \"%s\", RunMeByDLL32" fullword ascii
+ $x3 = "Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}" fullword wide
+ $x4 = "\\\\.\\keymmdrv1" fullword ascii
+
+ $s1 = "spideragent.exe" fullword ascii
+ $s2 = "AVGIDSAgent.exe" fullword ascii
+ $s3 = "kavsvc.exe" fullword ascii
+ $s4 = "mspaint.exe" fullword ascii
+ $s5 = "kav.exe" fullword ascii
+ $s6 = "avp.exe" fullword ascii
+ $s7 = "NAV.exe" fullword ascii
+
+ $c1 = "Elevation:Administrator!new:" wide
+ $c2 = "Global\\RUNDLL32EXITEVENT_NAME{12845-8654-543}" fullword ascii
+ $c3 = "\\sysprep\\sysprep.exe" wide
+ $c4 = "\\sysprep\\CRYPTBASE.dll" wide
+ $c5 = "Global\\TERMINATEEVENT_NAME{12845-8654-542}" fullword ascii
+ $c6 = "ConsentPromptBehaviorAdmin" fullword ascii
+ $c7 = "\\sysprep" wide
+ $c8 = "Global\\UN{5FFC0C8B-8BE5-49d5-B9F2-BCDC8976EE10}" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 1000KB and ( 4 of ($s*) or 4 of ($c*) ) or
+ 1 of ($x*) or
+ 6 of ($c*)
+}
+rule Codoso_PGV_PVID_4 {
+ meta:
+ description = "Detects Codoso APT PlugX Malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+ date = "2016-01-30"
+ super_rule = 1
+ hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
+ hash2 = "8a56b476d792983aea0199ee3226f0d04792b70a1c1f05f399cb6e4ce8a38761"
+ hash3 = "b2950f2e09f5356e985c38b284ea52175d21feee12e582d674c0da2233b1feb1"
+ hash4 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
+ hash5 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
+ id = "c1c753a6-77b6-5bfb-89f9-16127c264fd0"
+ strings:
+ $x1 = "dropper, Version 1.0" fullword wide
+ $x2 = "dropper" fullword wide
+ $x3 = "DROPPER" fullword wide
+ $x4 = "About dropper" fullword wide
+
+ $s1 = "Microsoft Windows Manager Utility" fullword wide
+ $s2 = "SYSTEM\\CurrentControlSet\\Services\\" ascii /* Goodware String - occured 9 times */
+ $s3 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify" fullword ascii /* Goodware String - occured 10 times */
+ $s4 = "" fullword ascii /* Goodware String - occured 65 times */
+ condition:
+ uint16(0) == 0x5a4d and filesize < 900KB and 2 of ($x*) and 2 of ($s*)
+}
+rule Codoso_PlugX_1 {
+ meta:
+ description = "Detects Codoso APT PlugX Malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+ date = "2016-01-30"
+ super_rule = 1
+ hash1 = "0b8cbc9b4761ab35acce2aa12ba2c0a283afd596b565705514fd802c8b1e144b"
+ hash2 = "448711bd3f689ceebb736d25253233ac244d48cb766834b8f974c2e9d4b462e8"
+ hash3 = "fd22547497ce52049083092429eeff0599d0b11fe61186e91c91e1f76b518fe2"
+ id = "af777818-5cff-5571-b5e9-0f5a4c8b08ff"
+ strings:
+ $s1 = "GETPASSWORD1" fullword ascii
+ $s2 = "NvSmartMax.dll" fullword ascii
+ $s3 = "LICENSEDLG" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 800KB and all of them
+}
+rule Codoso_PGV_PVID_3 {
+ meta:
+ description = "Detects Codoso APT PGV PVID Malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+ date = "2016-01-30"
+ super_rule = 1
+ hash1 = "126fbdcfed1dfb31865d4b18db2fb963f49df838bf66922fea0c37e06666aee1"
+ hash2 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
+ hash3 = "8a56b476d792983aea0199ee3226f0d04792b70a1c1f05f399cb6e4ce8a38761"
+ hash4 = "b2950f2e09f5356e985c38b284ea52175d21feee12e582d674c0da2233b1feb1"
+ hash5 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
+ hash6 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
+ id = "08003dba-1201-5f74-9edd-ea321bb26e99"
+ strings:
+ $x1 = "Copyright (C) Microsoft Corporation. All rights reserved.(C) 2012" fullword wide
+ condition:
+ $x1
+}
+rule Codoso_PGV_PVID_2 {
+ meta:
+ description = "Detects Codoso APT PGV PVID Malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+ date = "2016-01-30"
+ super_rule = 1
+ hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
+ hash2 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
+ hash3 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
+ id = "e4c00806-3092-5ec2-844f-b638c31fa6a5"
+ strings:
+ $s0 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost" fullword ascii
+ $s1 = "regsvr32.exe /s \"%s\"" fullword ascii
+ $s2 = "Help and Support" fullword ascii
+ $s3 = "netsvcs" fullword ascii
+ $s9 = "%SystemRoot%\\System32\\svchost.exe -k netsvcs" fullword ascii /* Goodware String - occured 4 times */
+ $s10 = "winlogon" fullword ascii /* Goodware String - occured 4 times */
+ $s11 = "System\\CurrentControlSet\\Services" fullword ascii /* Goodware String - occured 11 times */
+ condition:
+ uint16(0) == 0x5a4d and filesize < 907KB and all of them
+}
+
+rule Codoso_PGV_PVID_1 {
+ meta:
+ description = "Detects Codoso APT PGV PVID Malware"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+ date = "2016-01-30"
+ super_rule = 1
+ hash1 = "41a936b0d1fd90dffb2f6d0bcaf4ad0536f93ca7591f7b75b0cd1af8804d0824"
+ hash2 = "58334eb7fed37e3104d8235d918aa5b7856f33ea52a74cf90a5ef5542a404ac3"
+ hash3 = "934b87ddceabb2063b5e5bc4f964628fe0c63b63bb2346b105ece19915384fc7"
+ hash4 = "ce91ea20aa2e6af79508dd0a40ab0981f463b4d2714de55e66d228c579578266"
+ hash5 = "e770a298ae819bba1c70d0c9a2e02e4680d3cdba22d558d21caaa74e3970adf1"
+ id = "9487773a-01d9-558e-8866-b8a8650996ba"
+ strings:
+ $x1 = "DRIVERS\\ipinip.sys" fullword wide
+
+ $s1 = "TsWorkSpaces.dll" fullword ascii
+ $s2 = "%SystemRoot%\\System32\\wiaservc.dll" fullword wide
+ $s3 = "/selfservice/microsites/search.php?%016I64d" fullword ascii
+ $s4 = "/solutions/company-size/smb/index.htm?%016I64d" fullword ascii
+ $s5 = "Microsoft Chart ActiveX Control" fullword wide
+ $s6 = "MSChartCtrl.ocx" fullword wide
+ $s7 = "{%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X}" fullword ascii
+ $s8 = "WUServiceMain" fullword ascii /* Goodware String - occured 2 times */
+ $s9 = "Cookie: pgv_pvid=" ascii
+ condition:
+ ( uint16(0) == 0x5a4d and ( 1 of ($x*) or 3 of them ) ) or
+ 5 of them
+}
diff --git a/yara-Neo23x0/apt_coreimpact_agent.yar b/yara-Neo23x0/apt_coreimpact_agent.yar
new file mode 100644
index 0000000..2dacfe8
--- /dev/null
+++ b/yara-Neo23x0/apt_coreimpact_agent.yar
@@ -0,0 +1,27 @@
+/*
+ Core Impact Agent known from RocketKitten and WoolenGoldfish APT
+*/
+
+
+rule CoreImpact_sysdll_exe {
+ meta:
+ description = "Detects a malware sysdll.exe from the Rocket Kitten APT"
+ author = "Florian Roth (Nextron Systems)"
+ score = 70
+ date = "27.12.2014"
+ modified = "2023-01-06"
+ hash = "f89a4d4ae5cca6d69a5256c96111e707"
+ id = "bac55c00-5d14-59ca-8597-f52b4577be0c"
+ strings:
+ $s0 = "d:\\nightly\\sandbox_avg10_vc9_SP1_2011\\source\\avg10\\avg9_all_vs90\\bin\\Rele" ascii
+
+ $s1 = "Mozilla/5.0" fullword ascii
+ $s3 = "index.php?c=%s&r=%lx" fullword ascii
+ $s4 = "index.php?c=%s&r=%x" fullword ascii
+ $s5 = "127.0.0.1" fullword ascii
+ $s6 = "/info.dat" ascii
+ $s7 = "needroot" fullword ascii
+ $s8 = "./plugins/" ascii
+ condition:
+ $s0 or 6 of them
+}
diff --git a/yara-Neo23x0/apt_danti_svcmondr.yar b/yara-Neo23x0/apt_danti_svcmondr.yar
new file mode 100644
index 0000000..ac08d44
--- /dev/null
+++ b/yara-Neo23x0/apt_danti_svcmondr.yar
@@ -0,0 +1,77 @@
+/*
+ Yara Rule Set
+ Author: Florian Roth
+ Date: 2016-05-25
+ Identifier: Kaspersky Report on threats involving CVE-2015-2545
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule Mal_Dropper_httpEXE_from_CAB {
+ meta:
+ description = "Detects a dropper from a CAB file mentioned in the article"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/13Wgy1"
+ date = "2016-05-25"
+ score = 60
+ hash1 = "9e7e5f70c4b32a4d5e8c798c26671843e76bb4bd5967056a822e982ed36e047b"
+ id = "f67c13e9-67e7-56aa-8ced-55e9bb814971"
+ strings:
+ $s1 = "029.Hdl" fullword ascii
+ $s2 = "http.exe" fullword ascii
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 1000KB and ( all of ($s*) ) )
+}
+
+rule Mal_http_EXE {
+ meta:
+ description = "Detects trojan from APT report named http.exe"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/13Wgy1"
+ date = "2016-05-25"
+ modified = "2023-01-27"
+ score = 80
+ hash1 = "ad191d1d18841f0c5e48a5a1c9072709e2dd6359a6f6d427e0de59cfcd1d9666"
+ id = "bcae9920-56ea-54a1-857b-70c275090e19"
+ strings:
+ $x1 = "Content-Disposition: form-data; name=\"file1\"; filename=\"%s\"" fullword ascii
+ $x2 = "%ALLUSERSPROFILE%\\Accessories\\wordpade.exe" fullword ascii
+ $x3 = "\\dumps.dat" ascii
+ $x4 = "\\wordpade.exe" ascii
+ $x5 = "\\%s|%s|4|%d|%4d-%02d-%02d %02d:%02d:%02d|" ascii
+ $x6 = "\\%s|%s|5|%d|%4d-%02d-%02d %02d:%02d:%02d|" ascii
+ $x7 = "cKaNBh9fnmXgJcSBxx5nFS+8s7abcQ==" fullword ascii
+ $x8 = "cKaNBhFLn1nXMcCR0RlbMQ==" fullword ascii /* base64: pKY1[1 */
+
+ $s1 = "SELECT * FROM moz_logins;" fullword ascii
+ $s2 = "makescr.dat" fullword ascii
+ $s3 = "%s\\Mozilla\\Firefox\\profiles.ini" fullword ascii
+ $s4 = "?moz-proxy://" ascii
+ $s5 = "[%s-%s] Title: %s" fullword ascii
+ $s6 = "Cforeign key mismatch - \"%w\" referencing \"%w\"" fullword ascii
+ $s7 = "Windows 95 SR2" fullword ascii
+ $s8 = "\\|%s|0|0|" ascii
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) and 2 of ($s*) ) ) or ( 3 of ($x*) )
+}
+
+rule Mal_PotPlayer_DLL {
+ meta:
+ description = "Detects a malicious PotPlayer.dll"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/13Wgy1"
+ date = "2016-05-25"
+ score = 70
+ hash1 = "705409bc11fb45fa3c4e2fa9dd35af7d4613e52a713d9c6ea6bc4baff49aa74a"
+ id = "71d34266-63e0-5a97-9a80-952be917641a"
+ strings:
+ $x1 = "C:\\Users\\john\\Desktop\\PotPlayer\\Release\\PotPlayer.pdb" fullword ascii
+
+ $s3 = "PotPlayer.dll" fullword ascii
+ $s4 = "\\update.dat" ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 200KB and $x1 or all of ($s*)
+}
diff --git a/yara-Neo23x0/apt_darkcaracal.yar b/yara-Neo23x0/apt_darkcaracal.yar
new file mode 100644
index 0000000..d9339bd
--- /dev/null
+++ b/yara-Neo23x0/apt_darkcaracal.yar
@@ -0,0 +1,30 @@
+
+/*
+ Yara Rule Set
+ Author: Florian Roth
+ Date: 2018-01-22
+ Identifier: Dark Caracal
+ Reference: https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule MiniRAT_Gen_1 {
+ meta:
+ description = "Detects Mini RAT malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news"
+ date = "2018-01-22"
+ hash1 = "091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b"
+ hash2 = "b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d"
+ hash3 = "ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2"
+ hash4 = "ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790"
+ hash5 = "675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd"
+ id = "65d89762-2fd0-5c6a-b706-92d77a03089a"
+ strings:
+ $x1 = "\\Mini rat\\" ascii
+ $x2 = "\\Projects\\ali\\Clever Components v7\\" ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 7000KB and 1 of them
+}
diff --git a/yara-Neo23x0/apt_darkhydrus.yar b/yara-Neo23x0/apt_darkhydrus.yar
new file mode 100644
index 0000000..4dada98
--- /dev/null
+++ b/yara-Neo23x0/apt_darkhydrus.yar
@@ -0,0 +1,91 @@
+/*
+ Yara Rule Set
+ Author: Florian Roth
+ Date: 2018-07-28
+ Identifier: DarkHydrus
+ Reference: https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+import "pe"
+
+rule APT_DarkHydrus_Jul18_1 {
+ meta:
+ description = "Detects strings found in malware samples in APT report in DarkHydrus"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
+ date = "2018-07-28"
+ hash1 = "99541ab28fc3328e25723607df4b0d9ea0a1af31b58e2da07eff9f15c4e6565c"
+ id = "fbd001c0-43c9-5429-84d6-7f62eadd8ff3"
+ strings:
+ $x1 = "Z:\\devcenter\\aggressor\\" ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 600KB and (
+ pe.imphash() == "d3666d1cde4790b22b44ec35976687fb" or
+ 1 of them
+ )
+}
+
+rule APT_DarkHydrus_Jul18_2 {
+ meta:
+ description = "Detects strings found in malware samples in APT report in DarkHydrus"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
+ date = "2018-07-28"
+ hash1 = "b2571e3b4afbce56da8faa726b726eb465f2e5e5ed74cf3b172b5dd80460ad81"
+ id = "1a21cbbf-f7e1-56eb-973b-35c1a811e210"
+ strings:
+ $s4 = "windir" fullword ascii /* Goodware String - occured 47 times */
+ $s6 = "temp.dll" fullword ascii /* Goodware String - occured 3 times */
+ $s7 = "libgcj-12.dll" fullword ascii /* Goodware String - occured 3 times */
+ $s8 = "%s\\System32\\%s" fullword ascii /* Goodware String - occured 4 times */
+ $s9 = "StartW" 
fullword ascii /* Goodware String - occured 5 times */
+ condition:
+ uint16(0) == 0x5a4d and filesize < 40KB and all of them
+}
+
+rule APT_DarkHydrus_Jul18_3 {
+ meta:
+ description = "Detects strings found in malware samples in APT report in DarkHydrus"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
+ date = "2018-07-28"
+ hash1 = "c8b3d4b6acce6b6655e17255ef7a214651b7fc4e43f9964df24556343393a1a3"
+ id = "1f766b49-3173-5f8a-ba52-a9ce9000be79"
+ strings:
+ $s2 = "Ws2_32.dll" fullword ascii
+ $s3 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 100KB and (
+ pe.imphash() == "478eacfbe2b201dabe63be53f34148a5" or
+ all of them
+ )
+}
+
+rule HKTL_Unlicensed_CobaltStrike_EICAR_Jul18_5 {
+ meta:
+ description = "Detects strings found in CobaltStrike shellcode"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
+ date = "2018-07-28"
+ modified = "2021-06-17"
+ hash1 = "cec36e8ed65ac6f250c05b4a17c09f58bb80c19b73169aaf40fa15c8d3a9a6a1"
+ id = "d52536b8-dd6b-59be-8761-d22b6a279114"
+ strings:
+ $x1 = 
"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+
+ $s1 = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" fullword ascii
+ $s2 = "libgcj-12.dll" fullword ascii /* Goodware String - occured 3 times */
+ condition:
+ uint16(0) == 0x5a4d and filesize < 900KB and (
+ pe.imphash() == "829da329ce140d873b4a8bde2cbfaa7e" or
+ all of ($s*) or
+ $x1
+ )
+}
+
diff --git a/yara-Neo23x0/apt_deeppanda.yar b/yara-Neo23x0/apt_deeppanda.yar
new file mode 100644
index 0000000..66d9b5d
--- /dev/null
+++ b/yara-Neo23x0/apt_deeppanda.yar
@@ -0,0 +1,90 @@
+/* Deep Panda APT */
+
+rule DeepPanda_sl_txt_packed {
+ meta:
+ description = "Hack Deep Panda - ScanLine sl-txt-packed"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ date = "2015/02/08"
+ hash = "ffb1d8ea3039d3d5eb7196d27f5450cac0ea4f34"
+ id = "7a335810-2bf9-5a0b-bef4-1bade65a0f00"
+ strings:
+ $s0 = "Command line port scanner" fullword wide
+ $s1 = "sl.exe" fullword wide
+ $s2 = "CPports.txt" fullword ascii
+ $s3 = ",GET / HTTP/.}" fullword ascii
+ $s4 = "Foundstone Inc." fullword wide
+ $s9 = " 2002 Foundstone Inc." fullword wide
+ $s15 = ", Inc. 2002" fullword ascii
+ $s20 = "ICMP Time" fullword ascii
+ condition:
+ all of them
+}
+
+rule DeepPanda_lot1 {
+ meta:
+ description = "Hack Deep Panda - lot1.tmp-pwdump"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ date = "2015/02/08"
+ hash = "5d201a0fb0f4a96cefc5f73effb61acff9c818e1"
+ id = "c72120a5-8637-580c-9856-e070dfb6df94"
+ strings:
+ $s0 = "Unable to open target process: %d, pid %d" fullword ascii
+ $s1 = "Couldn't delete target executable from remote machine: %d" fullword ascii
+ $s2 = "Target: Failed to load SAM functions." fullword ascii
+ $s5 = "Error writing the test file %s, skipping this share" fullword ascii
+ $s6 = "Failed to create service (%s/%s), error %d" fullword ascii
+ $s8 = "Service start failed: %d (%s/%s)" fullword ascii
+ $s12 = "PwDump.exe" fullword ascii
+ $s13 = "GetAvailableWriteableShare returned an error of %ld" fullword ascii
+ $s14 = ":\\\\.\\pipe\\%s" fullword ascii
+ $s15 = "Couldn't copy %s to destination %s. 
(Error %d)" fullword ascii
+ $s16 = "dump logon session" fullword ascii
+ $s17 = "Timed out waiting to get our pipe back" fullword ascii
+ $s19 = "SetNamedPipeHandleState failed, error %d" fullword ascii
+ $s20 = "%s\\%s.exe" fullword ascii
+ condition:
+ 10 of them
+}
+
+rule DeepPanda_htran_exe {
+ meta:
+ description = "Hack Deep Panda - htran-exe"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ date = "2015/02/08"
+ hash = "38e21f0b87b3052b536408fdf59185f8b3d210b9"
+ id = "2a551e82-aff1-5a77-bc5e-d06e49dca8bc"
+ strings:
+ $s0 = "%s -