/* Yara Rule Set Author: Florian Roth Date: 2016-06-10 Identifier: Dubnium */ /* Rule Set ----------------------------------------------------------------- */ rule Dubnium_Sample_1 { meta: description = "Detects sample mentioned in the Dubnium Report" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://goo.gl/AW9Cuu" date = "2016-06-10" hash1 = "839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba" id = "377ecbaa-9324-562e-a973-0276d44f3feb" strings: $key1 = "3b840e20e9555e9fb031c4ba1f1747ce25cc1d0ff664be676b9b4a90641ff194" fullword ascii $key2 = "90631f686a8c3dbc0703ffa353bc1fdf35774568ac62406f98a13ed8f47595fd" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 2000KB and all of them } rule Dubnium_Sample_2 { meta: description = "Detects sample mentioned in the Dubnium Report" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://goo.gl/AW9Cuu" date = "2016-06-10" hash1 = "5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b" id = "894dc893-25fc-5fdc-9f69-8085b94e1af1" strings: $x1 = ":*:::D:\\:c:~:" fullword ascii $s2 = "SPMUVR" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them ) } rule Dubnium_Sample_3 { meta: description = "Detects sample mentioned in the Dubnium Report" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://goo.gl/AW9Cuu" date = "2016-06-10" hash1 = "caefcdf2b4e5a928cdf9360b70960337f751ec4a5ab8c0b75851fc9a1ab507a8" hash2 = "e0362d319a8d0e13eda782a0d8da960dd96043e6cc3500faeae521d1747576e5" hash3 = "a77d1c452291a6f2f6ed89a4bac88dd03d38acde709b0061efd9f50e6d9f3827" id = "66f66139-88df-5ba9-a3fc-ba4fc98ce3f9" strings: $x1 = "copy /y \"%s\" \"%s\" " fullword ascii $x2 = "del /f \"%s\" " fullword ascii $s1 = "del /f /ah \"%s\" " fullword ascii $s2 = "if exist \"%s\" goto Rept " fullword ascii $s3 = "\\*.*.lnk" ascii $s4 = "Dropped" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 2000KB and 5 of them } rule Dubnium_Sample_5 { meta: description = "Detects sample mentioned in the Dubnium Report" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://goo.gl/AW9Cuu" date = "2016-06-10" super_rule = 1 hash1 = "16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b" hash2 = "1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8" hash3 = "41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf" hash4 = "5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b" hash5 = "5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0" hash6 = "839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba" hash7 = "a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9" hash8 = "bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f" hash9 = "e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b" id = "09c1aeee-9437-54e9-967f-3c2fcc0736ed" strings: $s1 = "$innn[i$[i$^i[e[mdi[m$jf1Wehn[^Whl[^iin_hf$11mahZijnjbi[^[W[f1n$dej$[hn]1[W1ni1l[ic1j[mZjchl$$^he[[j[a[1_iWc[e[" fullword ascii $s2 = "h$YWdh[$ij7^e$n[[_[h[i[[[\\][1$1[[j1W1[1cjm1[$[k1ZW_$$ncn[[Inbnnc[I9enanid[fZCX" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 9000KB and all of them } rule Dubnium_Sample_6 { meta: description = "Detects sample mentioned in the Dubnium Report" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://goo.gl/AW9Cuu" date = "2016-06-10" super_rule = 1 hash1 = "5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b" hash2 = "5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0" hash3 = "839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba" id = "43366f1a-784d-515e-a8e9-3e924f2abfd8" strings: $s1 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&()`~-_=+[{]{;',." fullword ascii $s2 = "e_$0[bW\\RZY\\jb\\ZY[nimiRc[jRZ]" fullword ascii $s3 = "f_RIdJ0W9RFb[$Fbc9[k_?Wn" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 4000KB and all of them } rule Dubnium_Sample_7 { meta: description = "Detects sample mentioned in the Dubnium Report" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://goo.gl/AW9Cuu" date = "2016-06-10" super_rule = 1 hash1 = "16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b" hash2 = "1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8" hash3 = "41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf" hash4 = "5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b" hash5 = "5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0" hash6 = "a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9" hash7 = "bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f" hash8 = "e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b" id = "6712bd5f-6bbc-5ca0-9fc7-b2013b8f8147" strings: $s1 = "hWI[$lZ![nJ_[[lk[8Ihlo8ZiIl[[[$Ynk[f_8[88WWWJW[YWnl$$Z[ilf!$IZ$!W>Wl![W!k!$l!WoW8$nj8![8n_I^$[>_n[ZY[[Xhn_c!nnfK[!Z" fullword ascii $s2 = "[i_^])[$n!]Wj^,h[,!WZmk^o$dZ[h[e!&W!l[$nd[d&)^Z\\^[[iWh][[[jPYO[g$$e&n\\,Wfg$[