/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2017-10-03
   Identifier: APT17 Oct 10
   Reference: https://goo.gl/puVc9q
*/
/* Rule Set ----------------------------------------------------------------- */
// The pe module provides pe.exports(), pe.number_of_signatures and pe.imphash(), which the conditions below rely on
import "pe"
rule APT17_Malware_Oct17_1 {
   meta:
      description = "Detects APT17 malware"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://goo.gl/puVc9q"
      date = "2017-10-03"
      hash1 = "dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83"
      id = "457312d8-5bfe-5282-9ace-2f169278569c"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
   strings:
      // Relative paths of the print-spooler DLL under both the 32-bit and the 64-bit print-processor directory
      $s1 = "\\spool\\prtprocs\\w32x86\\localspl.dll" ascii
      $s2 = "\\spool\\prtprocs\\x64\\localspl.dll" ascii
      // Two further DLL names; each is common on its own, which is why the condition demands every string
      $s3 = "\\msvcrt.dll" ascii
      $s4 = "\\TSMSISrv.dll" ascii
   condition:
      // MZ header and size cap are evaluated before any string is required, keeping the scan cheap on non-PE data
      uint16(0) == 0x5a4d
      and filesize < 500KB
      and all of ($s*)
}
rule APT17_Malware_Oct17_2 {
   meta:
      description = "Detects APT17 malware"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://goo.gl/puVc9q"
      date = "2017-10-03"
      hash1 = "20cd49fd0f244944a8f5ba1d7656af3026e67d170133c1b3546c8b2de38d4f27"
      id = "9f21514a-168b-5158-8322-60fa8499b11a"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
   strings:
      // High-confidence strings: a custom cookie name, a hard-coded URL and a URL format string with a ja-JP path
      $x1 = "Cookie: __xsptplus=%s" fullword ascii
      $x2 = "http://services.fiveemotions.co.jp" fullword ascii
      $x3 = "http://%s/ja-JP/2015/%d/%d/%d%d%d%d%d%d%d%d.gif" fullword ascii

      // Supporting strings; individually weak, so the condition needs six of them in total
      $s1 = "FoxHTTPClient_EXE_x86.exe" fullword ascii
      // Deliberately cut short and without fullword, presumably so the match does not depend on the UA string's tail
      $s2 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.3072" ascii
      $s3 = "hWritePipe2 Error:%d" fullword ascii
      $s4 = "Not Support This Function!" fullword ascii
      $s5 = "Global\\PnP_No_Management" fullword ascii
      $s6 = "Content-Type: image/x-png" fullword ascii
      $s7 = "Accept-Language: ja-JP" fullword ascii
      $s8 = "IISCMD Error:%d" fullword ascii
   condition:
      uint16(0) == 0x5a4d
      and filesize < 100KB
      and (
         // an export with this stub name is treated as sufficient by itself
         pe.exports("_foo@0")
         // any one of the strong strings is also enough
         or 1 of ($x*)
         // otherwise require six strings drawn from the whole set ($x and $s)
         or 6 of them
      )
}
rule APT17_Unsigned_Symantec_Binary_EFA {
   meta:
      description = "Detects APT17 malware"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://goo.gl/puVc9q"
      date = "2017-10-03"
      hash1 = "128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f"
      id = "56eec517-8b00-5cb5-9806-249e50f53b99"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
   strings:
      // Vendor copyright string and the \\.\SYMEFA device name, both as UTF-16 (wide)
      $s1 = "Copyright (c) 2007 - 2011 Symantec Corporation" fullword wide
      $s2 = "\\\\.\\SYMEFA" fullword wide
   condition:
      // The strings belong to a vendor binary that would normally carry an embedded Authenticode signature;
      // the rule fires only when no signature is embedded.
      // NOTE(review): pe.number_of_signatures counts embedded signatures only, so catalog-signed files also
      // report 0, and on YARA builds without OpenSSL the field may be undefined (the rule then simply does not match).
      uint16(0) == 0x5a4d
      and filesize < 200KB
      and all of ($s*)
      and pe.number_of_signatures == 0
}
rule APT17_Malware_Oct17_Gen {
   meta:
      description = "Detects APT17 malware"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://goo.gl/puVc9q"
      date = "2017-10-03"
      hash1 = "0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2"
      hash2 = "07f93e49c7015b68e2542fc591ad2b4a1bc01349f79d48db67c53938ad4b525d"
      hash3 = "ee362a8161bd442073775363bf5fa1305abac2ce39b903d63df0d7121ba60550"
      id = "c2156e68-d5b5-5bd7-858c-2d5e90199287"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
   strings:
      // Strong strings. Note the missing space in ".NETCLR", which likely sets this UA apart from a genuine one;
      // the second is a URL format string with a fixed query part.
      $x1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)" fullword ascii
      $x2 = "http://%s/imgres?q=A380&hl=en-US&sa=X&biw=1440&bih=809&tbm=isus&tbnid=aLW4-J8Q1lmYBM" ascii

      // Supporting strings: error/debug format strings, a cookie name and HTTP header fragments
      $s1 = "hWritePipe2 Error:%d" fullword ascii
      $s2 = "Not Support This Function!" fullword ascii
      $s3 = "Cookie: SESSIONID=%s" fullword ascii
      $s4 = "http://0.0.0.0/1" fullword ascii
      $s5 = "Content-Type: image/x-png" fullword ascii
      $s6 = "Accept-Language: en-US" fullword ascii
      $s7 = "IISCMD Error:%d" fullword ascii
      $s8 = "[IISEND=0x%08X][Recv:] 0x%08X %s" fullword ascii
   condition:
      uint16(0) == 0x5a4d
      and filesize < 200KB
      and (
         // import-table hash alone is sufficient; presumably needs a YARA build with hashing support — confirm
         pe.imphash() == "414bbd566b700ea021cfae3ad8f4d9b9"
         // one strong string is also sufficient
         or 1 of ($x*)
         // otherwise six strings from the whole set ($x and $s)
         or 6 of them
      )
}