RED PILL 🔴 💊
rule apt_CN_TwistedPanda_droppers {
    meta:
        author = "Check Point Research"
        description = "Detect droppers used by TwistedPanda"
        reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
        date = "2022-04-14"
        hash = "59dea38da6e515af45d6df68f8959601e2bbf0302e35b7989e741e9aba2f0291"
        hash = "8b04479fdf22892cdfebd6e6fbed180701e036806ed0ddbe79f0b29f73449248"
        hash = "f29a0cda6e56fc0e26efa3b6628c6bcaa0819a3275a10e9da2a8517778152d66"

    strings:
        // x64 compare / branch / call / store / jump sequence from the dropper's
        // switch-style control flow. Immediates and relative offsets are wildcarded so
        // the pattern survives per-sample recompilation; specificity comes from the
        // occurrence count required in the condition, not from any single hit.
        //   81 FA ?? ?? ?? ??      cmp  edx, 4BED1896h
        //   75 ??                  jnz  short loc_140001829
        //   E8 ?? ?? ?? ??         call sub_1400019D0
        //   48 89 05 ?? ?? ?? ??   mov  cs:qword_14001ED38, rax
        //   E? ?? ?? ?? ??         jmp  loc_1400018DD
        // NOTE: the trailing nibble wildcard E? accepts any E0-EF opcode (e.g. E8 call,
        // EB short jmp), not only the E9 jmp shown above.
        $switch_control = { 81 FA [4] 75 ?? E8 [4] 48 89 05 [4] E? }

        // Byte-manipulation sequence: load a byte, OR it into r8d, rotate left by 3,
        // XOR with a 32-bit constant. The rotate count (03) is pinned; the XOR key is
        // wildcarded, so samples with a different key still match.
        //   41 0F ?? ??             movsx edx, byte ptr [r9]
        //   44 ?? ??                or    r8d, edx
        //   41 ?? ?? 03             rol   r8d, 3
        //   41 81 ?? ?? ?? ?? ??    xor   r8d, 0EF112233h
        //   41 ?? ??                mov   eax, r10d
        $byte_manipulation = { 41 0F [2] 44 [2] 41 [2] 03 41 81 [5] 41 }

        // "%public%" as UTF-16LE, split into four 4-byte pieces (stack-string
        // construction, presumably via 32-bit immediates). Each piece on its own is
        // common in benign binaries; they only add confidence in combination with the
        // two code patterns above and should not be reused as a standalone indicator.
        $stack_strings_1 = { 25 00 70 00 }   // "%p"
        $stack_strings_2 = { 75 00 62 00 }   // "ub"
        $stack_strings_3 = { 6C 00 69 00 }   // "li"
        $stack_strings_4 = { 63 00 25 00 }   // "c%"

    condition:
        // Cheap PE header gates first so evaluation short-circuits on non-PE input:
        // "MZ" at offset 0, then "PE\0\0" at e_lfanew (the dword stored at 0x3C).
        // A uint32() read past end-of-file is undefined, which makes the comparison
        // false rather than raising.
        uint16(0) == 0x5A4D
        and uint32(uint32(0x3C)) == 0x4550
        and filesize < 3000KB
        // At least nine control-flow hits, the byte-manipulation sequence, and all
        // four "%public%" fragments are required together.
        and #switch_control > 8
        and #byte_manipulation > 0
        and all of ($stack_strings_*)
}