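/*
 * Kaspersky Lab public YARA rules: Duqu 2.0, Equation Group, Hellsing, Regin,
 * the Toropov Silverlight exploit, xDedic SysScan and ProjectSauron.
 *
 * Review notes:
 *  - apt_hellsing_implantstrings: the upstream condition mixed `and`/`or`
 *    without parentheses. YARA binds `and` tighter than `or`, so the MZ check
 *    gated only the first alternative and the filesize cap only the last;
 *    e.g. any text file containing "xweber_server.exe" and "action=" matched.
 *    The condition is now explicitly grouped so every alternative requires
 *    an MZ header and filesize < 500000 (the evident intent of the rule).
 *  - Module imports are hoisted to the top of the file; the original declared
 *    `import "pe"` twice, which YARA tolerates but is noise.
 *  - All string atoms are reproduced byte-for-byte from the original rules.
 */

import "pe"
import "math"

// Duqu 2.0 kernel drivers: MZ header, one of the driver/device names or
// author strings, and at least two of the NDIS imports the driver hooks.
rule apt_duqu2_drivers
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Duqu 2.0 drivers"
        last_modified = "2015-06-09"
        version = "1.0"
        Reference = "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"

    strings:
        $a1 = "\\DosDevices\\port_optimizer" wide nocase
        $a2 = "romanian.antihacker"
        $a3 = "PortOptimizerTermSrv" wide
        $a4 = "ugly.gorilla1"
        $b1 = "NdisIMCopySendCompletePerPacketInfo"
        $b2 = "NdisReEnumerateProtocolBindings"
        $b3 = "NdisOpenProtocolConfiguration"

    condition:
        uint16(0) == 0x5A4D and
        (any of ($a*)) and
        (2 of ($b*)) and
        filesize < 100000
}

// Duqu 2.0 loaders: either a PE (MZ) carrying the GUID/pipe/MSI-query
// strings, or an OLE compound file (MSI package, D0CF11E0 magic) that may
// additionally match the MSI table-name blob or the mangled C++ symbol.
rule apt_duqu2_loaders
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Duqu 2.0 samples"
        last_modified = "2015-06-09"
        version = "1.0"
        Reference = "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"

    strings:
        $a1 = "{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}" wide
        $a2 = "\\\\.\\pipe\\{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}" wide
        $a4 = "\\\\.\\pipe\\{AB6172ED-8105-4996-9D2A-597B5F827501}" wide
        $a5 = "Global\\{B54E3268-DE1E-4c1e-A667-2596751403AD}" wide
        $a8 = "SELECT `Data` FROM `Binary` WHERE `Name`='%s%i'" wide
        $a9 = "SELECT `Data` FROM `Binary` WHERE `Name`='CryptHash%i'" wide
        $a7 = "SELECT `%s` FROM `%s` WHERE `%s`='CAData%i'" wide
        $b1 = "MSI.dll"
        $b2 = "msi.dll"
        $b3 = "StartAction"
        $c1 = "msisvc_32@" wide
        $c2 = "PROP=" wide
        $c3 = "-Embedding" wide
        $c4 = "S:(ML;;NW;;;LW)" wide
        $d1 = "NameTypeBinaryDataCustomActionActionSourceTargetInstallExecuteSequenceConditionSequencePropertyValueMicrosoftManufacturer" nocase
        // Mangled MSVC symbol (std::_Bind<...> wrapper); the two wildcards
        // cover the varying class-name byte.
        $d2 = { 2E 3F 41 56 3F 24 5F 42 69 6E 64 40 24 30 30 58 55 3F 24 5F 50 6D 66 5F 77 72 61 70 40 50 38 43 4C 52 ?? 40 40 41 45 58 58 5A 58 56 31 40 24 24 24 56 40 73 74 64 40 40 51 41 56 43 4C 52 ?? 40 40 40 73 74 64 40 40 }

    condition:
        (
            (uint16(0) == 0x5a4d) and
            ( (any of ($a*)) or (all of ($b*)) or (all of ($c*)) ) and
            filesize < 100000
        )
        or
        (
            (uint32(0) == 0xe011cfd0) and
            ( (any of ($a*)) or (all of ($b*)) or (all of ($c*)) or (any of ($d*)) ) and
            filesize < 20000000
        )
}

// Equation Group exploitation library: mutex / event names in ASCII or UTF-16.
// Note: no filesize cap here; "MZ" at offset 0 is equivalent to uint16(0) == 0x5A4D.
rule apt_equation_exploitlib_mutexes
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Equation group's Exploitation library"
        version = "1.0"
        last_modified = "2015-02-16"
        reference = "https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"

    strings:
        $mz = "MZ"
        $a1 = "prkMtx" wide
        $a2 = "cnFormSyncExFBC" wide
        $a3 = "cnFormVoidFBC" wide
        $a4 = "cnFormSyncExFBC"
        $a5 = "cnFormVoidFBC"

    condition:
        ($mz at 0) and any of ($a*)
}

// DoubleFantasy encoded configuration resource. $a1 is the UTF-16 "BINRES"
// resource-type name with its length prefix. $a2/$a3 are short, low-quality
// atoms ("002" is 3 bytes) and only make sense together with $a1.
rule apt_equation_doublefantasy_genericresource
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect DoubleFantasy encoded config http://goo.gl/ivt8EW"
        version = "1.0"
        last_modified = "2015-02-16"
        reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"

    strings:
        $mz = "MZ"
        $a1 = { 06 00 42 00 49 00 4E 00 52 00 45 00 53 00 }
        $a2 = "yyyyyyyyyyyyyyyy"
        $a3 = "002"

    condition:
        ($mz at 0) and all of ($a*) and filesize < 500000
}

// EquationLaser: decorated C++ names of its runtime classes. Any one suffices;
// there is deliberately no MZ or filesize gate (matches memory dumps too).
rule apt_equation_equationlaser_runtimeclasses
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect the EquationLaser malware"
        version = "1.0"
        last_modified = "2015-02-16"
        reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"

    strings:
        $a1 = "?a73957838_2@@YAXXZ"
        $a2 = "?a84884@@YAXXZ"
        $a3 = "?b823838_9839@@YAXXZ"
        $a4 = "?e747383_94@@YAXXZ"
        $a5 = "?e83834@@YAXXZ"
        $a6 = "?e929348_827@@YAXXZ"

    condition:
        any of them
}

// Equation Group crypto library: a 64-byte constant table from the cipher.
// Tagged "crypto" so it can be selected with `yara -t crypto`.
rule apt_equation_cryptotable : crypto
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect the crypto library used in Equation group malware"
        version = "1.0"
        last_modified = "2015-02-16"
        reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"

    strings:
        $a = { 37 DF E8 B6 C7 9C 0B AE 91 EF F0 3B 90 C6 80 85 5D 19 4B 45 44 12 3C E2 0D 5C 1C 7B C4 FF D6 05 17 14 4F 03 74 1E 41 DA 8F 7D DE 7E 99 F1 35 AC B8 46 93 CE 23 82 07 EB 2B D4 72 71 40 F3 B0 F7 78 D7 4C D1 55 1A 39 83 18 FA E1 9A 56 B1 96 AB A6 30 C5 5F BE 0C 50 C1 }

    condition:
        $a
}

// Hellsing implants (xweber / msger family). Five alternative string sets,
// each of which must appear inside an MZ file under 500 KB.
//
// FIX: the upstream condition was
//   ($mz at 0) and (all of ($a*)) or (all of ($b*)) or ($c and $d)
//   or (any of ($debugpath*)) or ($e and $f) and filesize < 500000
// which, by YARA precedence, applied the MZ gate only to the $a set and the
// size cap only to the $e/$f pair — so e.g. any text/report file containing
// "xweber_server.exe" and "action=" matched. The grouping below is explicit.
rule apt_hellsing_implantstrings
{
    meta:
        version = "1.0"
        filetype = "PE"
        author = "Costin Raiu, Kaspersky Lab"
        copyright = "Kaspersky Lab"
        date = "2015-04-07"
        description = "detection for Hellsing implants"

    strings:
        $mz = "MZ"
        $a1 = "the file uploaded failed !"
        $a2 = "ping 127.0.0.1"
        $b1 = "the file downloaded failed !"
        $b2 = "common.asp"
        $c = "xweber_server.exe"
        $d = "action="
        // PDB / build-path remnants left by the developer.
        $debugpath1 = "d:\\Hellsing\\release\\msger\\" nocase
        $debugpath2 = "d:\\hellsing\\sys\\xrat\\" nocase
        $debugpath3 = "D:\\Hellsing\\release\\exe\\" nocase
        $debugpath4 = "d:\\hellsing\\sys\\xkat\\" nocase
        $debugpath5 = "e:\\Hellsing\\release\\clare" nocase
        $debugpath6 = "e:\\Hellsing\\release\\irene\\" nocase
        $debugpath7 = "d:\\hellsing\\sys\\irene\\" nocase
        $e = "msger_server.dll"
        $f = "ServiceMain"

    condition:
        ($mz at 0) and
        filesize < 500000 and
        (
            (all of ($a*)) or
            (all of ($b*)) or
            ($c and $d) or
            (any of ($debugpath*)) or
            ($e and $f)
        )
}

// Hellsing xweber/msger installers: the self-delete command line plus two of
// the installer artefacts (UAC bypass helper, sysprep path, encoded blobs).
rule apt_hellsing_installer
{
    meta:
        version = "1.0"
        filetype = "PE"
        author = "Costin Raiu, Kaspersky Lab"
        copyright = "Kaspersky Lab"
        date = "2015-04-07"
        description = "detection for Hellsing xweber/msger installers"

    strings:
        $mz = "MZ"
        $cmd = "cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \"%s\""
        $a1 = "xweber_install_uac.exe"
        $a2 = "system32\\cmd.exe" wide
        $a4 = "S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y="
        $a5 = "S11SWFOrVwR9dnFTUgRUVlNHWVdXBFpTVgRdUlpWRVZZWARdUqhZVlpFR1kEUVNSXahTVgRaU1YEUVNSXahTVl1SWwRZValdVFFZUqgQBF1SWlZFVllYBFRTVqg="
        $a6 = "7dqm2ODf5N/Y2N/m6+br3dnZpunl44g="
        $a7 = "vd/m7OXd2ai/5u7a59rr7Ki45drcqMPl5t/c5dqIZw=="
        // NOTE(review): this atom contains a space inside what otherwise looks
        // like a base64 blob ("...5OSI Njl2tyI"). Reproduced as published;
        // verify against the upstream rule before relying on it.
        $a8 = "vd/m7OXd2ai/usPl5qjY2uXp69nZqO7l2qjf5u7a59rr7Kjf5tzr2u7n6euo4+Xm39zl2qju5dqo4+Xm39zl2t/m7ajr19vf2OPr39rj5eaZmqbs5OSI Njl2tyI"
        $a9 = "C:\\Windows\\System32\\sysprep\\sysprep.exe" wide
        $a10 = "%SystemRoot%\\system32\\cmd.exe" wide
        $a11 = "msger_install.dll"
        $a12 = { 00 65 78 2E 64 6C 6C 00 }

    condition:
        ($mz at 0) and
        ($cmd and (2 of ($a*))) and
        filesize < 500000
}

// Hellsing "irene" msger installer: driver drop paths, loader error strings,
// and the aPLib packer banner.
rule apt_hellsing_irene
{
    meta:
        version = "1.0"
        filetype = "PE"
        author = "Costin Raiu, Kaspersky Lab"
        copyright = "Kaspersky Lab"
        date = "2015-04-07"
        description = "detection for Hellsing msger irene installer"

    strings:
        $mz = "MZ"
        $a1 = "\\Drivers\\usbmgr.tmp" wide
        $a2 = "\\Drivers\\usbmgr.sys" wide
        $a3 = "common_loadDriver CreateFile error! "
        $a4 = "common_loadDriver StartService error && GetLastError():%d! "
        $a5 = "irene" wide
        $a6 = "aPLib v0.43 - the smaller the better"

    condition:
        ($mz at 0) and
        (4 of ($a*)) and
        filesize < 500000
}

// Hellsing msger type-2 implants: C2 URL formats and local log path.
rule apt_hellsing_msgertype2
{
    meta:
        version = "1.0"
        filetype = "PE"
        author = "Costin Raiu, Kaspersky Lab"
        copyright = "Kaspersky Lab"
        date = "2015-04-07"
        description = "detection for Hellsing msger type 2 implants"

    strings:
        $mz = "MZ"
        $a1 = "%s\\system\\%d.txt"
        $a2 = "_msger"
        $a3 = "http://%s/lib/common.asp?action=user_login&uid=%s&lan=%s&host=%s&os=%s&proxy=%s"
        $a4 = "http://%s/data/%s.1000001000"
        $a5 = "/lib/common.asp?action=user_upload&file=" 
        $a6 = "%02X-%02X-%02X-%02X-%02X-%02X"

    condition:
        ($mz at 0) and
        (4 of ($a*)) and
        filesize < 500000
}

// Hellsing proxy-testing tool: WinINet proxy-info debug output.
rule apt_hellsing_proxytool
{
    meta:
        version = "1.0"
        filetype = "PE"
        author = "Costin Raiu, Kaspersky Lab"
        copyright = "Kaspersky Lab"
        date = "2015-04-07"
        description = "detection for Hellsing proxy testing tool"

    strings:
        $mz = "MZ"
        $a1 = "PROXY_INFO: automatic proxy url => %s "
        $a2 = "PROXY_INFO: connection type => %d "
        $a3 = "PROXY_INFO: proxy server => %s "
        $a4 = "PROXY_INFO: bypass list => %s "
        $a5 = "InternetQueryOption failed with GetLastError() %d"
        $a6 = "D:\\Hellsing\\release\\exe\\exe\\" nocase

    condition:
        ($mz at 0) and
        (2 of ($a*)) and
        filesize < 300000
}

// Hellsing xKat process-kill / file-delete tool (drops a Dbgv.sys driver).
rule apt_hellsing_xkat
{
    meta:
        version = "1.0"
        filetype = "PE"
        author = "Costin Raiu, Kaspersky Lab"
        copyright = "Kaspersky Lab"
        date = "2015-04-07"
        description = "detection for Hellsing xKat tool"

    strings:
        $mz = "MZ"
        $a1 = "\\Dbgv.sys"
        $a2 = "XKAT_BIN"
        $a3 = "release sys file error."
        $a4 = "driver_load error. "
        $a5 = "driver_create error."
        $a6 = "delete file:%s error."
        $a7 = "delete file:%s ok."
        $a8 = "kill pid:%d error."
        $a9 = "kill pid:%d ok."
        $a10 = "-pid-delete"
        $a11 = "kill and delete pid:%d error."
        $a12 = "kill and delete pid:%d ok."

    condition:
        ($mz at 0) and
        (6 of ($a*)) and
        filesize < 300000
}

// Regin 64-bit stage-1 loaders (wshnetc.dll / wsharp.dll): raw-disk access via
// PhysicalDrive and the NTFS PRIVHEAD marker. Duplicate meta keys are legal YARA.
rule apt_regin_2013_64bit_stage1
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Regin 64 bit stage 1 loaders"
        version = "1.0"
        last_modified = "2014-11-18"
        filename = "wshnetc.dll"
        md5 = "bddf5afbea2d0eed77f2ad4e9a4f044d"
        filename = "wsharp.dll"
        md5 = "c053a0a3f1edcbbfc9b51bc640e808ce"
        Reference = "https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"

    strings:
        $mz = "MZ"
        $a1 = "PRIVHEAD"
        $a2 = "\\\\.\\PhysicalDrive%d"
        $a3 = "ZwDeviceIoControlFile"

    condition:
        ($mz at 0) and
        (all of ($a*)) and
        filesize < 100000
}

// Regin disp.dll dispatcher. No filesize cap in the upstream rule; all five
// strings are required, which keeps the false-positive surface small.
rule apt_regin_dispatcher_disp_dll
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Regin disp.dll dispatcher"
        version = "1.0"
        last_modified = "2014-11-18"
        Reference = "https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"

    strings:
        $mz = "MZ"
        $string1 = "shit"
        $string2 = "disp.dll"
        $string3 = "255.255.255.255"
        $string4 = "StackWalk64"
        $string5 = "imagehlp.dll"

    condition:
        ($mz at 0) and
        (all of ($string*))
}

// Regin virtual file systems: one of four known VFS header signatures at offset 0.
rule apt_regin_vfs
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Regin VFSes"
        version = "1.0"
        last_modified = "2014-11-18"
        Reference = "https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"

    strings:
        $a1 = { 00 02 00 08 00 08 03 F6 D7 F3 52 }
        $a2 = { 00 10 F0 FF F0 FF 11 C7 7F E8 52 }
        $a3 = { 00 04 00 10 00 10 03 C2 D3 1C 93 }
        $a4 = { 00 04 00 10 C8 00 04 C8 93 06 D8 }

    condition:
        ($a1 at 0) or ($a2 at 0) or ($a3 at 0) or ($a4 at 0)
}

// Toropov Silverlight exploit (CVE-2016-0034) XAP payloads: two of the
// exploit's own debug strings. "compoent" is the attacker's typo and is part
// of the signature — do not "fix" it. Intentionally no MZ gate (XAP/DLL content).
rule exploit_Silverlight_Toropov_Generic_XAP
{
    meta:
        author = "Kaspersky Lab"
        filetype = "Win32 EXE"
        date = "2015-07-23"
        version = "1.0"
        Reference = "https://securelist.com/blog/research/73255/the-mysterious-case-of-cve-2016-0034-the-hunt-for-a-microsoft-silverlight-0-day/"

    strings:
        $b2 = "Can't find Payload() address" ascii wide
        $b3 = "/SilverApp1;compoent/App.xaml" ascii wide
        $b4 = "Can't allocate ums after buf[]" ascii wide
        $b5 = "------------ START ------------"

    condition:
        (2 of ($b*))
}

// xDedic SysScan, packed build: PE with the tool name, a tight size window,
// 13 sections and a 1.3.4.x FileVersion. Requires the "pe" module.
rule xdedic_packed_syscan
{
    meta:
        author = "Kaspersky Lab"
        company = "Kaspersky Lab"
        reference = "https://securelist.com/files/2016/06/xDedic_marketplace_ENG.pdf"

    strings:
        $a1 = "SysScan.exe" nocase ascii wide

    condition:
        uint16(0) == 0x5A4D and
        any of ($a*) and
        filesize > 1000000 and filesize < 1200000 and
        pe.number_of_sections == 13 and
        pe.version_info["FileVersion"] contains "1.3.4."
}

// xDedic SysScan, unpacked: self-delete command, debug banners and the
// hard-coded result-upload URL, or both "checker" progress strings.
rule xDedic_SysScan_unpacked
{
    meta:
        author = " Kaspersky Lab"
        maltype = "crimeware"
        type = "crimeware"
        filetype = "Win32 EXE"
        date = "2016-03-14"
        reference = "https://securelist.com/files/2016/06/xDedic_marketplace_ENG.pdf"
        version = "1.0"
        hash = "fac495be1c71012682ebb27092060b43"
        hash = "e8cc69231e209db7968397e8a244d104"
        hash = "a53847a51561a7e76fd034043b9aa36d"
        hash = "e8691fa5872c528cd8e72b82e7880e98"
        hash = "F661b50d45400e7052a2427919e2f777"

    strings:
        $a1 = "/c ping -n 2 127.0.0.1 & del \"SysScan.exe\"" ascii wide
        $a2 = "SysScan DEBUG Mode!!!" ascii wide
        $a3 = "This rechecking? (set 0/1 or press enter key)" ascii wide
        $a4 = "http://37.49.224.144:8189/manual_result" ascii wide
        $b1 = "Checker end work!" ascii wide
        $b2 = "Trying send result..." ascii wide

    condition:
        ((uint16(0) == 0x5A4D)) and
        (filesize < 5000000) and
        ((any of ($a*)) or (all of ($b*)))
}

// ProjectSauron named-pipe backdoor: the full set of pipe/overlapped-IO
// imports plus the "%s%s%X" pipe-name format. All five are required because
// the API names alone are common in legitimate software.
rule apt_ProjectSauron_pipe_backdoor
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect ProjectSauron pipe backdoors"
        version = "1.0"
        reference = "https://securelist.com/blog/"

    strings:
        $a1 = "CreateNamedPipeW" fullword ascii
        $a2 = "SetSecurityDescriptorDacl" fullword ascii
        $a3 = "GetOverlappedResult" fullword ascii
        $a4 = "TerminateThread" fullword ascii
        $a5 = "%s%s%X" fullword wide

    condition:
        uint16(0) == 0x5A4D and
        (all of ($a*)) and
        filesize < 100000
}

// ProjectSauron encrypted LSA password-filter samples: either a known string
// or opcode sequence, or an LSA password-filter DLL (exports both
// InitializeChangeNotify and PasswordChangeNotify) whose body past the
// headers is near-random (entropy >= 7.5), i.e. an encrypted payload.
rule apt_ProjectSauron_encrypted_LSA
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect ProjectSauron encrypted LSA samples"
        version = "1.0"
        reference = "https://securelist.com/blog/"

    strings:
        $a1 = "EFEB0A9C6ABA4CF5958F41DB6A31929776C643DEDC65CC9B67AB8B0066FF2492" fullword ascii
        $a2 = "\\Device\\NdisRaw_" fullword ascii
        $a3 = "\\\\.\\GLOBALROOT\\Device\\{8EDB44DC-86F0-4E0E-8068-BD2CABA4057A}" fullword wide
        $a4 = "Global\\{a07f6ba7-8383-4104-a154-e582e85a32eb}" fullword wide
        $a5 = "Missing function %S::#%d" fullword wide
        // x86 and x64 variants of the same loader code sequence.
        $a6 = { 8945D08D8598FEFFFF2BD08945D88D45BC83C20450C745C0030000008975C48955DCFF55FC8BF88D8F0000003A83F90977305333DB53FF15 }
        $a7 = { 488D4C24304889442450488D452044886424304889442460488D4520C7442434030000002BD848897C243844896C244083C308895C246841FFD68D880000003A8BD883F909772DFF }

    condition:
        uint16(0) == 0x5A4D and
        (
            any of ($a*) or
            (
                pe.exports("InitializeChangeNotify") and
                pe.exports("PasswordChangeNotify") and
                math.entropy(0x400, filesize) >= 7.5
            )
        ) and
        filesize < 1000000
}

// ProjectSauron encrypted SSPI provider: a 64-bit DLL exporting
// InitSecurityInterfaceA whose body is high-entropy. No strings at all —
// purely structural, so it may also flag other packed/encrypted SSPI DLLs.
rule apt_ProjectSauron_encrypted_SSPI
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect encrypted ProjectSauron SSPI samples"
        version = "1.0"
        reference = "https://securelist.com/blog/"

    condition:
        uint16(0) == 0x5A4D and
        filesize < 1000000 and
        pe.exports("InitSecurityInterfaceA") and
        pe.characteristics & pe.DLL and
        (pe.machine == pe.MACHINE_AMD64 or pe.machine == pe.MACHINE_IA64) and
        math.entropy(0x400, filesize) >= 7.5
}

// ProjectSauron MyTrampoline (USB / raw-disk staging) module: the System
// Volume Information path plus PhysicalDrive and window-class strings, or
// either of its two known GUIDs.
rule apt_ProjectSauron_MyTrampoline
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect ProjectSauron MyTrampoline module"
        version = "1.0"
        reference = "https://securelist.com/blog/"

    strings:
        $a1 = ":\\System Volume Information\\{" wide
        $a2 = "\\\\.\\PhysicalDrive%d" wide
        $a3 = "DMWndClassX%d"
        $b1 = "{774476DF-C00F-4e3a-BF4A-6D8618CFA532}" ascii wide
        $b2 = "{820C02A4-578A-4750-A409-62C98F5E9237}" ascii wide

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5000000 and
        (all of ($a*) or any of ($b*))
}

// ProjectSauron encrypted container: a PE that carries the VFS header within
// the first 16 KB (or the known 16-byte salt) and is mostly high-entropy.
// `@vfs_header` is the offset of the first match; it is undefined (so the
// condition fails) when the header is absent. The `filesize > 0x400` guard
// is evaluated before the entropy call so the range given to math.entropy is
// always valid; the upstream order gave the same result via undefined-ness.
rule apt_ProjectSauron_encrypted_container
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect ProjectSauron samples encrypted container"
        version = "1.0"
        reference = "https://securelist.com/blog/"

    strings:
        $vfs_header = { 02 AA 02 C1 02 0? }
        $salt = { 91 0A E0 CC 0D FE CE 36 78 48 9B 9C 97 F7 F5 55 }

    condition:
        uint16(0) == 0x5A4D and
        (filesize > 0x400) and
        filesize < 10000000 and
        ((@vfs_header < 0x4000) or $salt) and
        math.entropy(0x400, filesize) >= 6.5
}

// ProjectSauron string-encryption routine: three code/constant fragments
// ($a1 and $a3 are opcode sequences with wildcarded displacements). Not
// gated on MZ, so it can be applied to memory dumps and carved blobs.
rule apt_ProjectSauron_encryption
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect ProjectSauron string encryption"
        version = "1.0"
        reference = "https://securelist.com/blog/"

    strings:
        $a1 = { 81??02AA02C175??8B??0685 }
        $a2 = { 918D9A94CDCC939A93939BD18B9AB8DE9C908DAF8D9B9BBE8C8C9AFF }
        $a3 = { 803E225775??807E019F75??807E02BE75??807E0309 }

    condition:
        filesize < 5000000 and
        any of ($a*)
}

// ProjectSauron generic pipe backdoor: a `mov ..., 0x32323232` immediately
// followed by a call, two short constants, plus "rand" and "WS2_32". All
// five are required; each on its own is far too generic.
rule apt_ProjectSauron_generic_pipe_backdoor
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect ProjectSauron generic pipe backdoors"
        version = "1.0"
        reference = "https://securelist.com/blog/"

    strings:
        $a = { C7 [2-3] 32 32 32 32 E8 }
        $b = { 42 12 67 6B }
        $c = { 25 31 5F 73 }
        $d = "rand"
        $e = "WS2_32"

    condition:
        uint16(0) == 0x5A4D and
        (all of them) and
        filesize < 400000
}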