/* Yara Rule Set Author: Florian Roth Date: 2017-03-03 Identifier: Kriskynote 03 March */ /* Rule Set ----------------------------------------------------------------- */ rule Kriskynote_Mar17_1 { meta: description = "Detects Kriskynote Malware" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "Internal Research" date = "2017-03-03" hash1 = "a19c4b615aa54207604b181873e614d84126b639fee2cce3ca9d5bd863f6f577" hash2 = "62b41db0bf63fa45a2c2b0f5df8c2209a5d96bf2bddf82749595c66d30b7ec61" id = "b1e5df0c-0112-5fee-85e9-cb0ca31f5234" strings: $s1 = "gzwrite64" fullword ascii $opa1 = { e8 6b fd ff ff 83 f8 ff 74 65 83 7b 28 00 74 42 } /* Opcode */ $opb1 = { 8a 04 08 8b 8e a4 16 00 00 88 44 24 0c 66 c7 04 } /* Opcode */ $opb2 = { 89 4e 6c 89 46 74 e9 ad fc ff ff 8b 46 68 85 c0 } /* Opcode */ condition: uint16(0) == 0x5a4d and filesize < 400KB and $s1 and ($opa1 or all of ($opb*)) } rule Kriskynote_Mar17_2 { meta: description = "Detects Kriskynote Malware" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "Internal Research" date = "2017-03-03" hash1 = "cb9a2f77868b28d98e4f9c1b27b7242fec2f2abbc91bfc21fe0573e472c5dfcb" id = "704baf41-9718-537f-9456-381a9f42fb97" strings: $s1 = "fgjfcn8456fgjhfg89653wetwts" fullword ascii $op0 = { 33 c0 80 34 30 03 40 3d e6 21 00 00 72 f4 b8 e6 } /* Opcode */ condition: ( uint16(0) == 0x5a4d and filesize < 600KB and 1 of them ) } rule Kriskynote_Mar17_3 { meta: description = "Detects Kriskynote Malware" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "Internal Research" date = "2017-03-03" hash1 = "fc838e07834994f25b3b271611e1014b3593278f0703a4a985fb4234936df492" id = "647fac4c-2326-5a68-9890-8236022c1548" strings: $s1 = "rundll32 %s Check" fullword ascii $s2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs" fullword ascii $s3 = "name=\"IsUserAdmin\"" fullword ascii $s4 = "zok]\\\\\\ZZYYY666564444" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and 2 of them ) }