/* FIVE EYES ------------------------------------------------------------------------------- */
// Descriptor file (20121.xml) of the QWERTY keylogger's user-mode plugin 20121.dll,
// as published in the Spiegel/Snowden document referenced below.
//
// NOTE(review): $s3 and $s5-$s10 are empty literals. YARA refuses an empty string
// ("empty string" compile error), so this rule does NOT compile as shown. The
// bodies were presumably angle-bracketed XML elements that were stripped when the
// page was rendered; restore them from the upstream signature-base repository
// (see the license URL) before deploying. With only three populated strings the
// "9 of them" threshold could also never be met, so do not "fix" this by deleting
// the empty lines - that would silently turn the rule into a near-noop.
rule FiveEyes_QUERTY_Malwareqwerty_20121 {
meta:
description = "FiveEyes QUERTY Malware - file 20121.xml"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://www.spiegel.de/media/media-35668.pdf"
date = "2015/01/18"
hash = "8263fb58350f3b1d3c4220a602421232d5e40726"
id = "bf30bdbb-0153-5ae2-bf42-4bd9e4a2f088"
strings:
// The only three usable strings: the companion command-definition file, the plugin
// DLL name and a quoted placeholder text from the descriptor.
$s0 = "20121_cmdDef.xml" fullword ascii
$s1 = "20121.dll" fullword ascii
$s2 = "\"Reserved for future use.\"" fullword ascii
// Content lost in rendering - see the note above the rule.
$s3 = "" fullword ascii
$s5 = "" fullword ascii
$s6 = "" fullword ascii
$s7 = "" fullword ascii
$s8 = "" fullword ascii
$s9 = "" fullword ascii
$s10 = "" fullword ascii
condition:
// Threshold assumes ten populated strings; unreachable with the current content.
9 of them
}
// Kernel-mode component of the QWERTY keylogger (sample 20123.sys.bin), from the
// Spiegel/Snowden document referenced below.
//
// The two file names carry the detection. The three API/module names are imported
// by a large share of NT kernel drivers and are weak on their own; they only add
// weight here because the condition demands every string. If this rule is tuned,
// keep the $name_* strings mandatory rather than lowering to an "N of them" count.
rule FiveEyes_QUERTY_Malwaresig_20123_sys {
    meta:
        description = "FiveEyes QUERTY Malware - file 20123.sys.bin"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "a0f0087bd1f8234d5e847363d7e15be8a3e6f099"
        id = "0d0e3642-f5d4-59b2-8e56-a7c999e34775"
    strings:
        // Sample-specific names. kbdclass.sys is the Windows keyboard class driver;
        // presumably the target this driver attaches to - not verifiable from the rule.
        $name_dll = "20123.dll" fullword ascii
        $name_kbd = "kbdclass.sys" fullword wide
        // Generic kernel imports / module name - low specificity.
        $api_mdl  = "IoFreeMdl" fullword ascii
        $api_krnl = "ntoskrnl.exe" fullword ascii
        $api_lock = "KfReleaseSpinLock" fullword ascii
    condition:
        // Equivalent to "all of them": every string must be present.
        all of ($name_*) and all of ($api_*)
}
// Command-definition file (20123_cmdDef.xml) of the QWERTY kernel-mode keylogger
// plugin, from the Spiegel/Snowden document referenced below.
//
// NOTE(review): this rule does NOT compile as shown, for two independent reasons:
//  1. $s2, $s3, $s11, $s12, $s16 and $s18 are empty literals ("empty string" error);
//     the bodies were presumably XML elements stripped during rendering.
//  2. $s2, $s3 and $s5-$s11 are defined a second time after $s20 ("duplicated
//     string identifier" error). The trailing block ("20123_cmdDef.xml",
//     "20123.sys", "/bin/i686-pc-win32/debug" ...) mirrors the shape of the
//     20121.xml / 20120.xml descriptor rules in this file and appears to be a
//     separate rule for 20123.xml whose header was lost when the page was
//     assembled. Do not resolve it by renaming - recover both rules from upstream.
// Also note that "None", "0", "1", "20121" are near-zero-entropy tokens that still
// count toward "9 of them".
rule FiveEyes_QUERTY_Malwaresig_20123_cmdDef {
meta:
description = "FiveEyes QUERTY Malware - file 20123_cmdDef.xml"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://www.spiegel.de/media/media-35668.pdf"
date = "2015/01/18"
hash = "7b08fc77629f6caaf8cc4bb5f91be6b53e19a3cd"
id = "88a29288-9db5-5437-9efe-cdb823a2b928"
strings:
$s0 = "Keystroke Collector" fullword ascii
$s1 = "This plugin is the E_Qwerty Kernel Mode driver for logging keys." fullword ascii
// Content lost in rendering - see the note above the rule.
$s2 = "" fullword ascii
$s3 = "" fullword ascii
// Cross-reference to the companion user-mode plugin id (see the 20121 rules).
$s4 = "20121" fullword ascii
// Truncated sentences from the descriptor; deliberately not "fullword".
$s5 = "System or Administrator (if Administrator, I think the DriverIns" ascii
$s6 = "Windows NT, Windows 2000, Windows XP (32/64 bit), Windows 2003 (32/64" ascii
$s7 = "plugin/Collection" fullword ascii
// Weak tokens - common in any XML/config file.
$s8 = "None" fullword ascii
$s9 = "0" fullword ascii
$s10 = "E_QwertyKM" fullword ascii
$s11 = "" fullword ascii
$s12 = "" fullword ascii
$s13 = "1" fullword ascii
$s14 = "None" fullword ascii
$s15 = "Erebus" fullword ascii
$s16 = "" fullword ascii
$s17 = "None" fullword ascii
$s18 = "" fullword ascii
$s19 = "U_HookManager v1.0, Kernel Covert Store v1.0" fullword ascii
$s20 = "20123_cmdDef.xml" fullword ascii
// Duplicate identifiers start here - see the note above the rule.
$s2 = "20123.sys" fullword ascii
$s3 = "/bin/i686-pc-win32/debug" fullword ascii
$s5 = "" fullword ascii
$s6 = "" fullword ascii
$s7 = "" fullword ascii
$s8 = "" fullword ascii
$s9 = "" fullword ascii
$s10 = "" fullword ascii
$s11 = "" fullword ascii
condition:
9 of them
}
// User-mode listening-post side of the QWERTY keylogger (sample 20120.dll.bin),
// from the Spiegel/Snowden document referenced below.
//
// The operator-facing status messages and the QwLog_* log file name formats are the
// discriminators. The three locale descriptions ($loc_*) read like the MSDN
// language-identifier table and may appear in unrelated software that embeds the
// same table; they only help reach the threshold alongside the Qwerty-specific text.
rule FiveEyes_QUERTY_Malwaresig_20120_dll {
    meta:
        description = "FiveEyes QUERTY Malware - file 20120.dll.bin"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "6811bfa3b8cda5147440918f83c40237183dbd25"
        id = "d23ac7bf-3e0c-5b59-a9dc-1ae0a4ae9c02"
    strings:
        // Log file name format strings (printf-style timestamp); not fullword because
        // they are preceded by a directory path in the binary.
        $log_txt = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.txt" wide
        $log_xml = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.xml" wide

        // Messages about talking to the kernel implant / driver.
        $drv_send   = "Failed to send the EQwerty_driverStatusCommand to the implant." fullword ascii
        $drv_status = "The implant failed to return a valid status" fullword ascii
        $drv_nostat = "FAILED to get Qwerty Status" fullword wide
        $drv_nolist = "Qwerty FAILED to retrieve window list." fullword wide
        $drv_ps2    = "- This machine is using a PS/2 Keyboard - Continue on using QWERTY" fullword wide

        // Operator console output for logging state and log retrieval.
        $ui_used    = "- Log Used (number of windows) - %d" fullword wide
        $ui_limit   = "- Log Limit (number of windows) - %d" fullword wide
        $ui_on      = "- Logging of keystrokes is switched ON" fullword wide
        $ui_off     = "- Logging of keystrokes is switched OFF" fullword wide
        $ui_titles  = "Qwerty is currently logging active windows with titles containing the fo" wide
        $ui_got     = "- Successfully retrieved Log from Implant." fullword wide
        $ui_allon   = "- Logging of all Windows is toggled ON" fullword wide
        $ui_alloff  = "- Logging of all Windows is toggled OFF" fullword wide
        $ui_failed  = "- UNSUCCESSFUL Log Retrieval from Implant." fullword wide
        $ui_nofiles = "- Log files were NOT generated!" fullword wide

        // Keyboard-layout / locale descriptions (low specificity, see header note).
        $loc_default = "Process or User Default Language" fullword wide
        $loc_vi      = "Windows 98/Me, Windows NT 4.0 and later: Vietnamese" fullword wide
        $loc_ko      = "Windows 95, Windows NT 4.0 only: Korean (Johab)" fullword wide
        $loc_hy      = "Windows 2000/XP: Armenian. This is Unicode only." fullword wide
    condition:
        // Same threshold as "10 of them": any ten of the 21 strings.
        10 of ($*)
}
// Command-definition file (20120_cmdDef.xml) of the QWERTY listening-post plugin,
// from the Spiegel/Snowden document referenced below.
//
// NOTE(review): $s17-$s20 are empty literals, which YARA rejects ("empty string"),
// so this rule does NOT compile as shown; the bodies were presumably XML elements
// stripped during rendering - restore from upstream signature-base.
// $s11 and $s12 are the same text ("qwgetlog"); both count toward "10 of them",
// so the effective threshold is one string lower than it looks. ($s16 is simply
// absent - that is harmless.)
// The misspellings "taht" and "whish" in $s9/$s15 are verbatim from the sample and
// must not be corrected.
rule FiveEyes_QUERTY_Malwaresig_20120_cmdDef {
meta:
description = "FiveEyes QUERTY Malware - file 20120_cmdDef.xml"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://www.spiegel.de/media/media-35668.pdf"
date = "2015/01/18"
hash = "cda9ceaf0a39d6b8211ce96307302a53dfbd71ea"
id = "dfa0693e-4e4c-59c8-9e51-e221aefd8662"
strings:
// Command help texts; the long ones are truncated and therefore not "fullword".
$s0 = "This PPC gets the current keystroke log." fullword ascii
$s1 = "This command will add the given WindowTitle to the list of Windows to log keys f" ascii
$s2 = "This command will remove the WindowTitle corresponding to the given window title" ascii
$s3 = "This command will return the current status of the Keyboard Logger (Whether it i" ascii
$s4 = "This command Toggles logging of all Keys. If allkeys is toggled all keystrokes w" ascii
$s5 = "Turn logging of all keys on|off" fullword ascii
$s6 = "Get Keystroke Log" fullword ascii
$s7 = "Keystroke Logger Lp Plugin" fullword ascii
$s8 = "display help for this function" fullword ascii
$s9 = "This command will switch ON Logging of keys. All keys taht are entered to a acti" ascii
$s10 = "Set the log limit (in number of windows)" fullword ascii
// Duplicate content - see the note above the rule.
$s11 = "qwgetlog" fullword ascii
$s12 = "qwgetlog" fullword ascii
$s13 = "The title of the Window whose keys you wish to Log once it becomes a" ascii
$s14 = "This command will switch OFF Logging of keys. No keystrokes will be captured" fullword ascii
$s15 = "The title of the Window whose keys you no longer whish to log" fullword ascii
// Content lost in rendering - see the note above the rule.
$s17 = "" fullword ascii
$s18 = "" fullword ascii
$s19 = "" fullword ascii
$s20 = "" fullword ascii
condition:
10 of them
}
// Descriptor file (20120.xml) of the QWERTY listening-post plugin 20120.dll, from
// the Spiegel/Snowden document referenced below. Structural twin of the 20121.xml
// rule above.
//
// NOTE(review): $s3 and $s5-$s10 are empty literals, which YARA rejects ("empty
// string"), so this rule does NOT compile as shown; the bodies were presumably XML
// elements stripped during rendering - restore from upstream signature-base.
// Unlike its 20121.xml twin ("9 of them"), this rule requires "all of them"; that
// difference looks unintentional but cannot be settled from this page.
rule FiveEyes_QUERTY_Malwareqwerty_20120 {
meta:
description = "FiveEyes QUERTY Malware - file 20120.xml"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://www.spiegel.de/media/media-35668.pdf"
date = "2015/01/18"
hash = "597082f05bfd3225587d480c30f54a7a1326a892"
id = "503c71de-1bc5-5690-944c-a60917a4da09"
strings:
// Companion command-definition file, plugin DLL name, and a quoted placeholder text.
$s0 = "20120_cmdDef.xml" fullword ascii
$s1 = "20120.dll" fullword ascii
$s2 = "\"Reserved for future use.\"" fullword ascii
// Content lost in rendering - see the note above the rule.
$s3 = "" fullword ascii
$s5 = "" fullword ascii
$s6 = "" fullword ascii
$s7 = "" fullword ascii
$s8 = "" fullword ascii
$s9 = "" fullword ascii
$s10 = "" fullword ascii
condition:
all of them
}
// Command-definition file (20121_cmdDef.xml) of the QWERTY user-mode plugin
// (E_QwertyIM), from the Spiegel/Snowden document referenced below.
//
// NOTE(review): this rule does NOT compile as shown:
//  - $s4, $s5, $s6 and $s9 are empty literals ("empty string" error); bodies were
//    presumably XML elements stripped during rendering.
//  - $s19 and $s20 contain a raw line break inside the quotes. A YARA text string
//    cannot span lines; whether the original ended in an escaped "\n", a stray
//    CR, or nothing at all cannot be told from this page - recover from upstream.
// Also: $s0 and $s2 are identical ("Keystroke Logger Plugin.") and both count
// toward "12 of them"; "None" (x3), "0" and "20120" are near-zero-entropy tokens
// that further soften the threshold.
rule FiveEyes_QUERTY_Malwaresig_20121_cmdDef {
meta:
description = "FiveEyes QUERTY Malware - file 20121_cmdDef.xml"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://www.spiegel.de/media/media-35668.pdf"
date = "2015/01/18"
hash = "64ac06aa4e8d93ea6063eade7ce9687b1d035907"
id = "2deb73f7-372e-5d29-a077-431ab1967d93"
strings:
// Duplicate content ($s0 == $s2) - see the note above the rule.
$s0 = "Keystroke Logger Plugin." fullword ascii
$s1 = "Failed to get File Time" fullword ascii
$s2 = "Keystroke Logger Plugin." fullword ascii
$s3 = "Failed to set File Time" fullword ascii
// Content lost in rendering - see the note above the rule.
$s4 = "" fullword ascii
$s5 = "" fullword ascii
$s6 = "" fullword ascii
// Cross-reference to the companion listening-post plugin id (see the 20120 rules).
$s7 = "20120" fullword ascii
$s8 = "No Comms. with Driver" fullword ascii
$s9 = "" fullword ascii
$s10 = "Invalid File Size" fullword ascii
$s11 = "Windows (User/Win32)" fullword ascii
$s12 = "File Size Mismatch" fullword ascii
$s13 = "plugin/Utility" fullword ascii
// Weak tokens - common in any XML/config file.
$s14 = "None" fullword ascii
$s15 = "None" fullword ascii
$s16 = "E_QwertyIM" fullword ascii
$s17 = "None" fullword ascii
$s18 = "0" fullword ascii
// Broken literals spanning two lines - see the note above the rule.
$s19 = "00001002
" fullword ascii
$s20 = "00001001
" fullword ascii
condition:
12 of them
}