50 lines
No EOL
1.4 KiB
Text
50 lines
No EOL
1.4 KiB
Text
import "pe"
|
|
|
|
rule APT20140414_1NT
|
|
{
|
|
meta:
|
|
author = "phbiohazard"
|
|
reference = "https://github.com/phbiohazard/Yara"
|
|
strings:
|
|
$dpi1 = {47 45 54 20 2f}
|
|
$dpi2 = {2F 74 61 73 6B 73 3F 76 65 72 73 69 6F 6E 3D}
|
|
$dpi3 = {26 67 72 6F 75 70 3D}
|
|
$dpi4 = {26 63 6C 69 65 6E 74 3D}
|
|
condition:
|
|
all of them
|
|
}
|
|
|
|
rule APT20140414_1PE
|
|
{
|
|
meta:
|
|
author = "phbiohazard"
|
|
reference = "https://github.com/phbiohazard/Yara"
|
|
|
|
strings:
|
|
$genep1 = {04 01 68 9b 1a 40 00 6a 01 6a 00 6a 00 ff 15 0c}
|
|
$genep2 = {e9 3d 87 f8 ff bb d6 fb 04 8a 10 5c d2 70 d9 cb}
|
|
$genep3 = {57 56 8b f0 e8 70 fd ff ff 5e e8 6e 01 00 00 5f}
|
|
$contep1 = {e9 02 47 83 c6 02 89 f2 83 f9 00}
|
|
$contep2 = {e5 44 75 c1 8b 36 0c 44 4d c9 31 8b 8a d7 88 d8}
|
|
$contep3 = {9c d1 d4 52 7b c5 99 29 1c d7 46 c5 f9 8c f8 e2}
|
|
$contep4 = {e8 ef e4 bb 00 5d c3}
|
|
condition:
|
|
$genep1 and $contep1 and $contep2 or ($genep2 at pe.entry_point and ($contep3 in (pe.entry_point..pe.entry_point + 65))) or ($genep3 at pe.entry_point and ($contep4 in (pe.entry_point..pe.entry_point + 26)))
|
|
|
|
}
|
|
|
|
rule ID2015032010000026
|
|
{
|
|
meta:
|
|
author = "mbl"
|
|
info = "IOC detection - Version 1.0"
|
|
reference = "https://github.com/phbiohazard/Yara"
|
|
strings:
|
|
$genep1 = {4D 5A 90 00 03 00}
|
|
$contep1 = {4D D0 FF EB 22 C7 85 78 FF FF FF 1C 00 00 00 EB}
|
|
$contep2 = {2F 77 77 77 2E 74 68 61 77 74 65 2E 63 6F 6D 2F}
|
|
|
|
condition:
|
|
$genep1 and ($contep1 in (0x5d90..0x5d9f) and $contep2 in (0x27e70..0x27e7f))
|
|
|
|
} |