08e8d462fe
RED PILL 🔴 💊
190 lines
4.1 KiB
Text
190 lines
4.1 KiB
Text
rule dubseven_file_set
|
|
{
|
|
meta:
|
|
author = "Matt Brooks, @cmatthewbrooks"
|
|
desc = "Searches for service files loading UP007"
|
|
|
|
strings:
|
|
$file1 = "\\Microsoft\\Internet Explorer\\conhost.exe"
|
|
$file2 = "\\Microsoft\\Internet Explorer\\dll2.xor"
|
|
$file3 = "\\Microsoft\\Internet Explorer\\HOOK.DLL"
|
|
$file4 = "\\Microsoft\\Internet Explorer\\main.dll"
|
|
$file5 = "\\Microsoft\\Internet Explorer\\nvsvc.exe"
|
|
$file6 = "\\Microsoft\\Internet Explorer\\SBieDll.dll"
|
|
$file7 = "\\Microsoft\\Internet Explorer\\mon"
|
|
$file8 = "\\Microsoft\\Internet Explorer\\runas.exe"
|
|
|
|
condition:
|
|
//MZ header
|
|
uint16(0) == 0x5A4D and
|
|
|
|
//PE signature
|
|
uint32(uint32(0x3C)) == 0x00004550 and
|
|
|
|
//Just a few of these as they differ
|
|
3 of ($file*)
|
|
}
|
|
|
|
rule dubseven_dropper_registry_checks
|
|
{
|
|
meta:
|
|
author = "Matt Brooks, @cmatthewbrooks"
|
|
desc = "Searches for registry keys checked for by the dropper"
|
|
|
|
strings:
|
|
$reg1 = "SOFTWARE\\360Safe\\Liveup"
|
|
$reg2 = "Software\\360safe"
|
|
$reg3 = "SOFTWARE\\kingsoft\\Antivirus"
|
|
$reg4 = "SOFTWARE\\Avira\\Avira Destop"
|
|
$reg5 = "SOFTWARE\\rising\\RAV"
|
|
$reg6 = "SOFTWARE\\JiangMin"
|
|
$reg7 = "SOFTWARE\\Micropoint\\Anti-Attack"
|
|
|
|
condition:
|
|
//MZ header
|
|
uint16(0) == 0x5A4D and
|
|
|
|
//PE signature
|
|
uint32(uint32(0x3C)) == 0x00004550 and
|
|
|
|
all of ($reg*)
|
|
}
|
|
|
|
rule dubseven_dropper_dialog_remains
|
|
{
|
|
meta:
|
|
author = "Matt Brooks, @cmatthewbrooks"
|
|
desc = "Searches for related dialog remnants. How rude."
|
|
|
|
strings:
|
|
$dia1 = "fuckMessageBox 1.0" wide
|
|
$dia2 = "Rundll 1.0" wide
|
|
|
|
condition:
|
|
//MZ header
|
|
uint16(0) == 0x5A4D and
|
|
|
|
//PE signature
|
|
uint32(uint32(0x3C)) == 0x00004550 and
|
|
|
|
any of them
|
|
}
|
|
|
|
|
|
rule maindll_mutex
|
|
{
|
|
meta:
|
|
author = "Matt Brooks, @cmatthewbrooks"
|
|
desc = "Matches on the maindll mutex"
|
|
|
|
strings:
|
|
$mutex = "h31415927tttt"
|
|
|
|
condition:
|
|
//MZ header
|
|
uint16(0) == 0x5A4D and
|
|
|
|
//PE signature
|
|
uint32(uint32(0x3C)) == 0x00004550 and
|
|
|
|
$mutex
|
|
}
|
|
|
|
|
|
rule SLServer_dialog_remains
|
|
{
|
|
meta:
|
|
author = "Matt Brooks, @cmatthewbrooks"
|
|
desc = "Searches for related dialog remnants."
|
|
|
|
strings:
|
|
$slserver = "SLServer" wide
|
|
|
|
condition:
|
|
//MZ header
|
|
uint16(0) == 0x5A4D and
|
|
|
|
//PE signature
|
|
uint32(uint32(0x3C)) == 0x00004550 and
|
|
|
|
$slserver
|
|
}
|
|
|
|
rule SLServer_mutex
|
|
{
|
|
meta:
|
|
author = "Matt Brooks, @cmatthewbrooks"
|
|
desc = "Searches for the mutex."
|
|
|
|
strings:
|
|
$mutex = "M&GX^DSF&DA@F"
|
|
|
|
condition:
|
|
//MZ header
|
|
uint16(0) == 0x5A4D and
|
|
|
|
//PE signature
|
|
uint32(uint32(0x3C)) == 0x00004550 and
|
|
|
|
$mutex
|
|
}
|
|
|
|
rule SLServer_command_and_control
|
|
{
|
|
meta:
|
|
author = "Matt Brooks, @cmatthewbrooks"
|
|
desc = "Searches for the C2 server."
|
|
|
|
strings:
|
|
$c2 = "safetyssl.security-centers.com"
|
|
|
|
condition:
|
|
//MZ header
|
|
uint16(0) == 0x5A4D and
|
|
|
|
//PE signature
|
|
uint32(uint32(0x3C)) == 0x00004550 and
|
|
|
|
$c2
|
|
}
|
|
|
|
rule SLServer_campaign_code
|
|
{
|
|
meta:
|
|
author = "Matt Brooks, @cmatthewbrooks"
|
|
desc = "Searches for the related campaign code."
|
|
|
|
strings:
|
|
$campaign = "wthkdoc0106"
|
|
|
|
condition:
|
|
//MZ header
|
|
uint16(0) == 0x5A4D and
|
|
|
|
//PE signature
|
|
uint32(uint32(0x3C)) == 0x00004550 and
|
|
|
|
$campaign
|
|
}
|
|
|
|
rule SLServer_unknown_string
|
|
{
|
|
meta:
|
|
author = "Matt Brooks, @cmatthewbrooks"
|
|
desc = "Searches for a unique string."
|
|
|
|
strings:
|
|
$string = "test-b7fa835a39"
|
|
|
|
condition:
|
|
//MZ header
|
|
uint16(0) == 0x5A4D and
|
|
|
|
//PE signature
|
|
uint32(uint32(0x3C)) == 0x00004550 and
|
|
|
|
$string
|
|
}
|
|
|
|
|
|
|