Sneed-Reactivity/yara-mikesxrs/carbon black/PNG_dropper.yar

rule PNG_dropper:RU TR APT

{

meta:

      author = "CarbonBlack Threat Research"

      date = "2017-June-11"

      description = "Dropper tool that extracts payload from PNG resources"
      
      reference = "https://www.carbonblack.com/2017/08/18/threat-analysis-carbon-black-threat-research-dissects-png-dropper/"

      yara_version = "3.5.0"

      exemplar_hashes = "3a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3, 69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290, eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158 "

strings:

	$s1 = "GdipGetImageWidth"

	$s2 = "GdipGetImageHeight"

	$s3 = "GdipCreateBitmapFromStream"

	$s4 = "GdipCreateBitmapFromStreamICM"

	$s5 = "GdipBitmapLockBits"

	$s6 = "GdipBitmapUnlockBits"

	$s7 = "LockResource"

	$s8 = "LoadResource"

	$s9 = "ExpandEnvironmentStringsW"

	$s10 = "SetFileTime"

	$s11 = "memcmp"

	$s12 = "strlen"

	$s13 = "memcpy"

	$s14 = "memchr"

	$s15 = "memmove"

	$s16 = "ZwQueryValueKey"

	$s17 = "ZwQueryInformationProcess"

	$s18 = "FindNextFile"

	$s19 = "GetModuleHandle"

	$s20 = "VirtualFree"

	$PNG1 = {89 50 4E 47 [8] 49 48 44 52} //PNG Header

	$bin32_bit1 = {50 68 07 10 06 00 6A 07 8?} //BitmapLockBits_x86

	$bin64_bit1 = {41 B? 07 10 06 00} //BitmapLockBits_x64

	$bin64_bit2 = {41 B? 07 00 00 00}//BitmapLockBits_x64

	$bin32_virt1 = {6A 40 68 00 10 00 00 50 53} //VirtualAlloc_x86

	$bin64_virt1 = {40 41 B? 00 10 00 00}//VirtualAlloc_x64

   

condition:

    uint16(0) == 0x5A4D and // MZ header check

    filesize < 6MB and

    18 of ($s*) and

    (#PNG1 > 7) and

//checks for multiple PNG headers

       ((#bin32_bit1 > 1 and $bin32_virt1) or

//More than 1 of $bin32_bit and $bi32_virt1

       (for 1 of ($bin64_bit*) : (# > 2) and $bin64_virt1))

//1 of $bin64_bit - present more that 2 times and $bin64_Virt1

}