22 lines
1.1 KiB
Text
22 lines
1.1 KiB
Text
|
|
rule MAL_APT_Operation_ShadowHammer_MalSetup {
|
|
meta:
|
|
description = "Detects a malicious file used by BARIUM group in Operation ShadowHammer"
|
|
date = "2019-03-25"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
score = 80
|
|
hash1 = "ac0711afee5a157d084251f3443a40965fc63c57955e3a241df866cfc7315223"
|
|
hash2 = "9acd43af36f2d38077258cb2ace42d6737b43be499367e90037f4605318325f8"
|
|
hash3 = "bca9583263f92c55ba191140668d8299ef6b760a1e940bddb0a7580ce68fef82"
|
|
hash4 = "c299b6dd210ab5779f3abd9d10544f9cae31cd5c6afc92c0fc16c8f43def7596"
|
|
hash5 = "6aedfef62e7a8ab7b8ab3ff57708a55afa1a2a6765f86d581bc99c738a68fc74"
|
|
hash6 = "cfbec77180bd67cceb2e17e64f8a8beec5e8875f47c41936b67a60093e07fcfd"
|
|
reference = "https://securelist.com/operation-shadowhammer/89992/"
|
|
id = "000f840a-848d-5f82-84bf-70690efbd4de"
|
|
strings:
|
|
$x1 = "\\AsusShellCode\\Release" ascii
|
|
$x2 = "\\AsusShellCode\\Debug"
|
|
condition:
|
|
uint16(0) == 0x5a4d and 1 of them
|
|
}
|