Sneed-Reactivity/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_64bit_Loader.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

34 lines
2 KiB
Text

rule apt_CN_TwistedPanda_64bit_Loader {
meta:
author = "Check Point Research"
description = "Detect the 64bit Loader DLL used by TwistedPanda"
reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
date = "2022-04-14"
hash = "e0d4ef7190ff50e6ad2a2403c87cc37254498e8cc5a3b2b8798983b1b3cdc94f"
strings:
// 48 8D ?? ?? ?? ?? ?? ?? ?? lea rdx, ds:2[rdx*2]
// 48 8B C1 mov rax, rcx
// 48 81 ?? ?? ?? ?? ?? cmp rdx, 1000h
// 72 ?? jb short loc_7FFDF0BA1B48
$path_check = { 48 8D [6] 48 8B ?? 48 81 [5] 72 }
// 48 8B D0 mov rdx, rax ; lpBuffer
// 41 B8 F0 16 00 00 mov r8d, 16F0h ; nNumberOfBytesToRead
// 48 8B CF mov rcx, rdi ; hFile
// 48 8B D8 mov rbx, rax
// FF ?? ?? ?? ?? call cs:ReadFile
$shellcode_read = { 48 8B D0 41 B8 F0 16 00 00 48 8B CF 48 8B D8 FF}
// BA F0 16 00 00 mov edx, 16F0h ; dwSize
// 44 8D 4E 40 lea r9d, [rsi+40h] ; flProtect
// 33 C9 xor ecx, ecx ; lpAddress
// 41 B8 00 30 00 00 mov r8d, 3000h ; flAllocationType
// FF ?? ?? ?? ?? ?? call cs:VirtualAlloc
$shellcode_allocate = { BA F0 16 00 00 44 8D 4E 40 33 C9 41 B8 00 30 00 00 FF }
condition:
// MZ signature at offset 0 and ...
uint16(0) == 0x5A4D and
// ... PE signature at offset stored in MZ header at 0x3C
uint32(uint32(0x3C)) == 0x00004550 and
filesize < 3000KB and $path_check and $shellcode_allocate and $shellcode_read
}