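rule explosive_exe
{
    // Explosive EXE component. NOTE(review): explosive_dll below cites the
    // Volatile Cedar technical report; likely the same source for this rule,
    // confirm before adding a reference field.
    meta:
        author = "Check Point Software Technologies Inc."
        info = "Explosive EXE"
    strings:
        // Marker strings; presumably start/end delimiters (DLD-S / DLD-E) — TODO confirm against the report.
        $DLD_S = "DLD-S:"
        $DLD_E = "DLD-E:"
    condition:
        // MZ header test done as an integer compare rather than a 2-byte "MZ" string:
        // a two-byte atom is flagged by the YARA compiler as slowing down scanning, and
        // uint16(0) == 0x5A4D is the same test ('M' 0x4D, 'Z' 0x5A read little-endian).
        // This also matches the form used by ZZ_breakwin_wiper in this file.
        uint16(0) == 0x5A4D and all of them
}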
import "pe"
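rule explosive_dll
{
    // Explosive DLL component, identified purely by PE structure (no string patterns).
    // Requires the "pe" module imported above this rule.
    meta:
        author = "Check Point Software Technologies Inc."
        info = "Explosive DLL"
        reference = "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf"
    condition:
        // pe.DLL is a constant (the IMAGE_FILE_DLL characteristics bit), so used on
        // its own it is a non-zero integer and therefore always true; it has to be
        // tested against pe.characteristics for the rule to actually require a DLL.
        pe.characteristics & pe.DLL and
        // The PathProcess export is accepted in plain and stdcall-decorated form.
        ( pe.exports("PathProcess") or pe.exports("_PathProcess@4") ) and
        pe.exports("CON")
}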
rule ZZ_breakwin_config {
    // Encrypted BreakWin configuration file, recognised by its leading bytes.
    // Per the description, the header below is what a config looks like once
    // encrypted under the known key, so a key change would break this rule.
    meta:
        description = "Detects the header of the encrypted config files, assuming known encryption key."
        reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
        author = "Check Point Research"
        date = "22-07-2021"
        hash = "948febaab71727217303e0aabb9126f242aa51f89caa7f070a3da76c4f5699ed"
        hash = "2d35bb7c02062ff2fba4424a267c5c83351405281a1870f52d02f3712a547a22"
        hash = "68e95a3ccde3ea22b8eb8adcf0ad53c7993b2ea5316948e31d9eadd11b5151d7"
    strings:
        // 28-byte ciphertext prefix; no wildcards, so it is an exact-bytes match.
        $conf_header = {1A 69 45 47 5E 46 4A 06 03 E4 34 0B 06 1D ED 2F 02 15 02 E5 57 4D 59 59 D1 40 20 22}
    condition:
        // Anchored at file offset 0: the same bytes anywhere else do not match.
        $conf_header at 0
}
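rule ZZ_breakwin_wiper {
    // BreakWin wiper (Meteor / Stardust / Comet components), matched on
    // debug/log strings, configuration key names and two code fragments.
    //
    // Two string pairs in the published rule were byte-identical
    // ($debug_str_meteor_37 / _55 and _61 / _64). Identical content matches
    // both identifiers, so each such pair counted twice toward "6 of them" and
    // lowered the real threshold to as few as 4 distinct strings. The duplicate
    // identifiers are dropped here; numbering gaps are intentional.
    meta:
        description = "Detects the BreakWin wiper that was used in attacks in Syria"
        reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
        author = "Check Point Research"
        date = "22-07-2021"
        hash = "2aa6e42cb33ec3c132ffce425a92dfdb5e29d8ac112631aec068c8a78314d49b"
        hash = "6709d332fbd5cde1d8e5b0373b6ff70c85fee73bd911ab3f1232bb5db9242dd4"
        hash = "d71cc6337efb5cbbb400d57c8fdeb48d7af12a292fa87a55e8705d18b09f516e"
    strings:
        // Meteor log messages, all UTF-16LE ("wide") in the binary.
        $debug_str_meteor_1 = "the program received an invalid number of arguments" wide
        $debug_str_meteor_2 = "End interval logger. Resuming writing every log" wide
        $debug_str_meteor_0 = "failed to initialize configuration from file" wide
        $debug_str_meteor_3 = "Meteor is still alive." wide
        $debug_str_meteor_4 = "Exiting main function because of some error" wide
        $debug_str_meteor_5 = "Meteor has finished. This shouldn't be possible because of the is-alive loop." wide
        $debug_str_meteor_6 = "Meteor has started." wide
        $debug_str_meteor_7 = "Could not hide current console." wide
        $debug_str_meteor_8 = "Could not get the window handle used by the console." wide
        $debug_str_meteor_9 = "Failed to find base-64 data size" wide
        $debug_str_meteor_10 = "Running locker thread" wide
        $debug_str_meteor_11 = "Failed to encode wide-character string as Base64" wide
        $debug_str_meteor_12 = "Wiper operation failed." wide
        $debug_str_meteor_13 = "Screen saver disable failed." wide
        $debug_str_meteor_14 = "Failed to generate password of length %s. Generating a default one." wide
        $debug_str_meteor_15 = "Failed to delete boot configuration" wide
        $debug_str_meteor_16 = "Could not delete all BCD entries." wide
        $debug_str_meteor_17 = "Finished deleting BCD entries." wide
        $debug_str_meteor_18 = "Failed to change lock screen" wide
        $debug_str_meteor_19 = "Boot configuration deleted successfully" wide
        $debug_str_meteor_20 = "Failed to kill all winlogon processes" wide
        $debug_str_meteor_21 = "Changing passwords of all users to" wide
        $debug_str_meteor_22 = "Failed to change the passwords of all users" wide
        $debug_str_meteor_23 = "Failed to run the locker thread" wide
        $debug_str_meteor_24 = "Screen saver disabled successfully." wide
        $debug_str_meteor_25 = "Generating random password failed" wide
        $debug_str_meteor_26 = "Locker installation failed" wide
        $debug_str_meteor_27 = "Failed to set auto logon." wide
        $debug_str_meteor_28 = "Failed to initialize interval logger. Using a dummy logger instead." wide
        $debug_str_meteor_29 = "Succeeded setting auto logon for" wide
        $debug_str_meteor_30 = "Failed disabling the first logon privacy settings user approval." wide
        $debug_str_meteor_31 = "Failed disabling the first logon animation." wide
        $debug_str_meteor_32 = "Waiting for new winlogon process" wide
        $debug_str_meteor_33 = "Failed to isolate from domain" wide
        $debug_str_meteor_34 = "Failed creating scheduled task for system with name %s." wide
        $debug_str_meteor_35 = "Failed to get the new token of winlogon." wide
        $debug_str_meteor_36 = "Failed adding new admin user." wide
        $debug_str_meteor_37 = "Failed changing settings for the created new user." wide
        $debug_str_meteor_38 = "Failed disabling recovery mode." wide
        $debug_str_meteor_39 = "Logging off users on Windows version 8 or above" wide
        $debug_str_meteor_40 = "Succeeded setting boot policy to ignore all errors." wide
        $debug_str_meteor_41 = "Succeeded creating scheduled task for system with name" wide
        $debug_str_meteor_42 = "Succeeded disabling recovery mode" wide
        $debug_str_meteor_43 = "Failed to log off all sessions" wide
        $debug_str_meteor_44 = "Failed to delete shadowcopies." wide
        $debug_str_meteor_45 = "Failed logging off session: " wide
        $debug_str_meteor_46 = "Failed setting boot policy to ignore all errors." wide
        $debug_str_meteor_47 = "Successfully logged off all local sessions, except winlogon." wide
        $debug_str_meteor_48 = "Succeeded creating scheduled task with name %s for user %s." wide
        $debug_str_meteor_49 = "Killing all winlogon processes" wide
        $debug_str_meteor_50 = "Logging off users in Windows 7" wide
        $debug_str_meteor_51 = "Failed logging off all local sessions, except winlogon." wide
        $debug_str_meteor_52 = "Failed creating scheduled task with name %s for user %s." wide
        $debug_str_meteor_53 = "Succeeded deleting shadowcopies." wide
        $debug_str_meteor_54 = "Logging off users in Windows XP" wide
        // $debug_str_meteor_55 removed: identical to $debug_str_meteor_37.
        $debug_str_meteor_56 = "Could not open file %s. error message: %s" wide
        $debug_str_meteor_57 = "Could not write to file %s. error message: %s" wide
        // The leading "t" is kept as published; NOTE(review): looks like an artefact of
        // the original string, verify against a sample before "correcting" it.
        $debug_str_meteor_58 = "tCould not tell file pointer location on file %s." wide
        $debug_str_meteor_59 = "Could not set file pointer location on file %s to offset %s." wide
        $debug_str_meteor_60 = "Could not read from file %s. error message: %s" wide
        $debug_str_meteor_61 = "Failed to wipe file %s" wide
        $debug_str_meteor_62 = "attempted to access encrypted file in offset %s, but it only supports offset 0" wide
        $debug_str_meteor_63 = "Failed to create thread. Error message: %s" wide
        // $debug_str_meteor_64 removed: identical to $debug_str_meteor_61.
        $debug_str_meteor_65 = "failed to get configuration value with key %s" wide
        $debug_str_meteor_66 = "failed to parse the configuration from file %s" wide
        $debug_str_meteor_67 = "Failed posting to server, received unknown exception" wide
        $debug_str_meteor_68 = "Failed posting to server, received std::exception" wide
        $debug_str_meteor_69 = "Skipping %s logs. Writing log number %s:" wide
        $debug_str_meteor_70 = "Start interval logger. Writing logs with an interval of %s logs." wide
        $debug_str_meteor_71 = "failed to write message to log file %s" wide
        $debug_str_meteor_72 = "The log message is too big: %s/%s characters." wide
        // Stardust and Comet component markers.
        $debug_str_stardust_0 = "Stardust has started." wide
        $debug_str_stardust_1 = "0Vy0qMGO" ascii wide
        $debug_str_comet_0 = "Comet has started." wide
        $debug_str_comet_1 = "Comet has finished." wide
        $str_lock_my_pc = "Lock My PC 4" ascii wide
        // Configuration key names; ascii only, unlike the wide log strings above.
        $config_entry_0 = "state_path" ascii
        $config_entry_1 = "state_encryption_key" ascii
        $config_entry_2 = "log_server_port" ascii
        $config_entry_3 = "log_file_path" ascii
        $config_entry_4 = "log_encryption_key" ascii
        $config_entry_5 = "log_server_ip" ascii
        $config_entry_6 = "processes_to_kill" ascii
        $config_entry_7 = "process_termination_timeout" ascii
        $config_entry_8 = "paths_to_wipe" ascii
        $config_entry_9 = "wiping_stage_logger_interval" ascii
        $config_entry_10 = "locker_exe_path" ascii
        $config_entry_11 = "locker_background_image_jpg_path" ascii
        $config_entry_12 = "auto_logon_path" ascii
        $config_entry_13 = "locker_installer_path" ascii
        $config_entry_14 = "locker_password_hash" ascii
        $config_entry_15 = "users_password" ascii
        $config_entry_16 = "locker_background_image_bmp_path" ascii
        $config_entry_17 = "locker_registry_settings_files" ascii
        $config_entry_18 = "cleanup_script_path" ascii
        $config_entry_19 = "is_alive_loop_interval" ascii
        $config_entry_20 = "cleanup_scheduled_task_name" ascii
        $config_entry_21 = "self_scheduled_task_name" ascii
        // Code fragments; each is sufficient on its own in the condition.
        $encryption_asm = {33 D2 8B C3 F7 75 E8 8B 41 04 8B 4E 04 8A 04 02 02 C3 32 04 1F 88 45 F3 39 4E 08}
        $random_string_generation = {33 D2 59 F7 F1 83 ?? ?? 08 66 0F BE 82 ?? ?? ?? 00 0F B7 C8 8B C7}
    condition:
        // Must be a PE ("MZ" little-endian), then either six distinct strings
        // (log messages, config keys or code fragments) or one of the code fragments.
        uint16(0) == 0x5A4D and
        (
            6 of them or
            $encryption_asm or
            $random_string_generation
        )
}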
rule ZZ_breakwin_stardust_vbs {
    // VBScript files from the BreakWin (Stardust) campaign, matched on source-level
    // literals; the strings are plain ascii (no "wide" modifier), i.e. script text as written.
    meta:
        description = "Detect the VBS files that where found in the attacks on targets in Syria"
        reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
        author = "Check Point Research"
        date = "22-07-2021"
        hash = "38a419cd9456e40961c781e16ceee99d970be4e9235ccce0b316efe68aba3933"
        hash = "62a984981d14b562939294df9e479ac0d65dfc412d0449114ccb2a0bc93769b0"
        hash = "4d994b864d785abccef829d84f91d949562d0af934114b65056315bf59c1ef58"
        hash = "eb5237d56c0467b5def9a92e445e34eeed9af2fee28f3a2d2600363724d6f8b0"
        hash = "5553ba3dc141cd63878a7f9f0a0e67fb7e887010c0614efd97bbc6c0be9ec2ad"
    strings:
        // VBScript concatenation that builds a query string from the CN and DT variables.
        $url_template = "progress.php?hn=\" & CN & \"&dt=\" & DT & \"&st="
        // Base64-looking literals; per their names, passwords for the compressed payload — not decoded here.
        $compression_password_1 = "YWhZMFU1VlZGdGNFNWlhMVlVMnhTMWtOVlJVWWNGTk9iVTQxVW10V0ZFeFJUMD0r"
        $compression_password_2 = "YWlvcyBqQCNAciNxIGpmc2FkKnIoOUZURjlVSjBSRjJRSlJGODlKSDIzRmloIG8"
        // msiexec uninstall line carrying the KLLOGIN= property (Kaspersky uninstall password parameter).
        $uninstall_kaspersky = "Shell.Run \"msiexec.exe /x \" & productcode & \" KLLOGIN="
        // Process check for avp.exe (Kaspersky AV) on the local host ".".
        $is_avp_running = "isProcessRunning(\".\", \"avp.exe\") Then"
    condition:
        // Each literal is treated as specific enough to match alone; no PE/filesize gate,
        // so the rule applies to any file type.
        any of them
}
rule ZZ_breakwin_meteor_batch_files {
    // Batch files from the BreakWin (Meteor) campaign, matched on the dropped
    // file names they reference and on two command lines. Unlike the sibling
    // rules this one has no hash entries in its meta.
    meta:
        description = "Detect the batch files used in the attacks"
        reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
        author = "Check Point Research"
        date = "22-07-2021"
    strings:
        // Toolkit file names (default modifiers, i.e. ascii only).
        $filename_0 = "mscap.bmp"
        $filename_1 = "mscap.jpg"
        $filename_2 = "msconf.conf"
        $filename_3 = "msmachine.reg"
        $filename_4 = "mssetup.exe"
        $filename_5 = "msuser.reg"
        $filename_6 = "msapp.exe"
        $filename_7 = "bcd.rar"
        $filename_8 = "bcd.bat"
        $filename_9 = "msrun.bat"
        // PowerShell invocation built from batch variables (%exclude_command%, %defender_exclusion_folder%).
        $command_line_0 = "powershell -Command \"%exclude_command% '%defender_exclusion_folder%"
        $command_line_1 = "start /b \"\" update.bat hackemall"
    condition:
        // Four of the file names, or either command line, is enough.
        // NOTE(review): the file names are plain words with no filesize or type gate,
        // so documents that merely list the toolkit may also satisfy the 4-of clause.
        4 of ($filename_*) or
        any of ($command_line_*)
}