49 lines
No EOL
1.7 KiB
Text
49 lines
No EOL
1.7 KiB
Text
rule blackenergy3_api_encode
|
|
{
|
|
meta:
|
|
author = "Mike Schladt"
|
|
date = "2015-06-08"
|
|
description = "matches api name encoding function for be3 persistence dll"
|
|
md5 = "46649163C659CBA8A7D0D4075329EFA3"
|
|
reference = "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf"
|
|
|
|
strings:
|
|
$api_encode = {8B C2 C1 E8 09 32 E0 32 C4 32 E0 0F C8 66 8B CA 66 D1 E9 8A E1 33 C9 8A EA 66 D1 E9 8A C1 8B CA D1 E9 0F C9 0A C1 33 C9 8A 0B 33 C1 8B D0 43 EB CA}
|
|
|
|
condition:
|
|
$api_encode
|
|
|
|
}
|
|
|
|
rule blackenergy3_push_bytes
|
|
{
|
|
meta:
|
|
author = "Mike Schladt"
|
|
date = "2015-06-08"
|
|
description = "matches push bytes used for api calls in be3 core files"
|
|
md5 = "46649163C659CBA8A7D0D4075329EFA3"
|
|
md5_2 = "78387651dd9608fcdf6bfb9df8b84db4"
|
|
reference = "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf"
|
|
|
|
strings:
|
|
$push_4byte_1 = {68 EE EA C0 1F}
|
|
$push_4byte_2 = {68 49 F3 A5 2C}
|
|
$push_4byte_3 = {68 6B 43 59 4E}
|
|
$push_4byte_4 = {68 E6 4B 59 4E}
|
|
$push_4byte_5 = {68 6C 91 BA 4F}
|
|
$push_4byte_6 = {68 8A 86 39 56}
|
|
$push_4byte_7 = {68 9E 6D BD 5C}
|
|
$push_4byte_8 = {68 FE 6A 7A 69}
|
|
$push_4byte_9 = {68 A1 B0 5C 72}
|
|
$push_4byte_10 = {68 60 A2 8A 76}
|
|
$push_4byte_11 = {68 67 95 CD 77}
|
|
$push_4byte_12 = {68 EB 3D 03 84}
|
|
$push_4byte_13 = {68 19 2B 90 95}
|
|
$push_4byte_14 = {68 62 67 8D A4}
|
|
$push_4byte_15 = {68 AF 02 91 AB}
|
|
$push_4byte_16 = {68 26 80 AC C8}
|
|
|
|
condition:
|
|
all of them
|
|
|
|
} |