Sneed-Reactivity/yara-mikesxrs/Citizen Lab/between-hk-and-burma.yara
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

190 lines
4.1 KiB
Text

rule dubseven_file_set
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
desc = "Searches for service files loading UP007"
strings:
$file1 = "\\Microsoft\\Internet Explorer\\conhost.exe"
$file2 = "\\Microsoft\\Internet Explorer\\dll2.xor"
$file3 = "\\Microsoft\\Internet Explorer\\HOOK.DLL"
$file4 = "\\Microsoft\\Internet Explorer\\main.dll"
$file5 = "\\Microsoft\\Internet Explorer\\nvsvc.exe"
$file6 = "\\Microsoft\\Internet Explorer\\SBieDll.dll"
$file7 = "\\Microsoft\\Internet Explorer\\mon"
$file8 = "\\Microsoft\\Internet Explorer\\runas.exe"
condition:
//MZ header
uint16(0) == 0x5A4D and
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
//Just a few of these as they differ
3 of ($file*)
}
rule dubseven_dropper_registry_checks
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
desc = "Searches for registry keys checked for by the dropper"
strings:
$reg1 = "SOFTWARE\\360Safe\\Liveup"
$reg2 = "Software\\360safe"
$reg3 = "SOFTWARE\\kingsoft\\Antivirus"
$reg4 = "SOFTWARE\\Avira\\Avira Destop"
$reg5 = "SOFTWARE\\rising\\RAV"
$reg6 = "SOFTWARE\\JiangMin"
$reg7 = "SOFTWARE\\Micropoint\\Anti-Attack"
condition:
//MZ header
uint16(0) == 0x5A4D and
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
all of ($reg*)
}
rule dubseven_dropper_dialog_remains
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
desc = "Searches for related dialog remnants. How rude."
strings:
$dia1 = "fuckMessageBox 1.0" wide
$dia2 = "Rundll 1.0" wide
condition:
//MZ header
uint16(0) == 0x5A4D and
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
any of them
}
rule maindll_mutex
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
desc = "Matches on the maindll mutex"
strings:
$mutex = "h31415927tttt"
condition:
//MZ header
uint16(0) == 0x5A4D and
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
$mutex
}
rule SLServer_dialog_remains
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
desc = "Searches for related dialog remnants."
strings:
$slserver = "SLServer" wide
condition:
//MZ header
uint16(0) == 0x5A4D and
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
$slserver
}
rule SLServer_mutex
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
desc = "Searches for the mutex."
strings:
$mutex = "M&GX^DSF&DA@F"
condition:
//MZ header
uint16(0) == 0x5A4D and
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
$mutex
}
rule SLServer_command_and_control
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
desc = "Searches for the C2 server."
strings:
$c2 = "safetyssl.security-centers.com"
condition:
//MZ header
uint16(0) == 0x5A4D and
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
$c2
}
rule SLServer_campaign_code
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
desc = "Searches for the related campaign code."
strings:
$campaign = "wthkdoc0106"
condition:
//MZ header
uint16(0) == 0x5A4D and
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
$campaign
}
rule SLServer_unknown_string
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
desc = "Searches for a unique string."
strings:
$string = "test-b7fa835a39"
condition:
//MZ header
uint16(0) == 0x5A4D and
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
$string
}