Sneed-Reactivity/yara-mikesxrs/Checkpoint/lyceum_dotnet_dns_backdoor.yar

rule lyceum_dotnet_dns_backdoor
{
    // Matches the .NET DNS backdoor described in the CPR report referenced
    // below (the rule name attributes it to Lyceum). Each string group in the
    // condition is an independent trigger, so on a hit check which group fired
    // before acting on it.
    meta:
        author = "CPR"
        reference = "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/"
        hash1 = "8199f14502e80581000bd5b3bda250ee"
        hash2 = "d79687676d2d152aec4143c852bdbc4a"
        hash3 = "bcb465cc2257e5777bab431690ca5039"
        hash4 = "2bc2abefc1a721908bc805894b62227d"
        hash5 = "37a1514a7a5f9b2c6786096129a30721"

    strings:
        // Status/log messages emitted by the implant; `wide` because .NET
        // string literals are stored as UTF-16LE.
        $log1 = "MSG SIZE rcvd" wide
        $log2 = "Empty output" wide
        $log3 = "Big Output. lines: " wide

        // Command keywords; the doubled trailing letter makes them unlikely
        // to collide with ordinary English text.
        $com1 = "Enddd" wide
        $com2 = "uploaddd" wide
        $com3 = "downloaddd" wide

        // Despite the identifier, this is a fixed hostname, not a generated one.
        $dga = "trailers.apple.com" wide

        // Placeholder tokens used when encoding characters for transport.
        $replace1 = "BackSlashh" wide
        $replace2 = "QuotationMarkk" wide

        // Regex source text as embedded in the binary: each `\\` is a single
        // literal backslash, so this matches the characters 60\s+IN\s+TXT
        // (a TXT record line of a DNS answer), not resolver output.
        $re_pattern = "60\\s+IN\\s+TXT" wide

        // Method names, stored as ASCII metadata rather than UTF-16 literals.
        $func1 = "comRun"
        $func2 = "PlaceDot"
        $func3 = "sendAns"

        // Names from a publicly available .NET DNS resolver library. Because
        // the library also appears in benign software, the condition never
        // fires on these alone.
        $heijden1 = "Heijden.DNS"
        $heijden2 = "DnsHeijden"

    condition:
        // PE (MZ) header first, then any one of the independent string groups.
        uint16(0) == 0x5a4d and
        (
            all of ($log*) or
            all of ($com*) or
            all of ($replace*) or
            all of ($func*) or
            (1 of ($heijden*) and $re_pattern and $dga)
        )
}