Sneed-Reactivity/yara-mikesxrs/Florian Roth/apt_putterpanda.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

258 lines
No EOL
14 KiB
Text

rule APT_Malware_PutterPanda_Rel {
meta:
description = "Detects an APT malware related to PutterPanda"
author = "Florian Roth"
score = 70
reference = "VT Analysis"
date = "2015-06-03"
hash = "5367e183df155e3133d916f7080ef973f7741d34"
strings:
$x0 = "app.stream-media.net" fullword ascii /* score: '12.03' */
$x1 = "File %s does'nt exist or is forbidden to acess!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '16.035' */
$s6 = "GetProcessAddresss of pHttpQueryInfoA Failed!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '32.02' */
$s7 = "Connect %s error!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '16.04' */
$s9 = "Download file %s successfully!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.03' */
$s10 = "index.tmp" fullword ascii /* score: '14.03' */
$s11 = "Execute PE Successfully" fullword ascii /* PEStudio Blacklist: strings */ /* score: '13.03' */
$s13 = "aa/22/success.xml" fullword ascii /* score: '12.005' */
$s16 = "aa/22/index.asp" fullword ascii /* score: '11.02' */
$s18 = "File %s a Non-Pe File" fullword ascii /* score: '8.04' */
$s19 = "SendRequset error!" fullword ascii /* score: '8.04' */
$s20 = "filelist[%d]=%s" fullword ascii /* score: '7.015' */
condition:
( uint16(0) == 0x5a4d and 1 of ($x*) ) or ( 4 of ($s*) )
}
rule APT_Malware_PutterPanda_Rel_2 {
meta:
description = "APT Malware related to PutterPanda Group"
author = "Florian Roth"
score = 70
reference = "VT Analysis"
date = "2015-06-03"
hash = "f97e01ee04970d1fc4d988a9e9f0f223ef2a6381"
strings:
$s0 = "http://update.konamidata.com/test/zl/sophos/td/result/rz.dat?" fullword ascii /* PEStudio Blacklist: strings */ /* score: '28.01' */
$s1 = "http://update.konamidata.com/test/zl/sophos/td/index.dat?" fullword ascii /* PEStudio Blacklist: strings */ /* score: '28.01' */
$s2 = "Mozilla/4.0 (Compatible; MSIE 6.0;)" fullword ascii /* PEStudio Blacklist: agent */ /* score: '20.03' */
$s3 = "Internet connect error:%d" fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.035' */
$s4 = "Proxy-Authorization:Basic" fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.02' */
$s5 = "HttpQueryInfo failed:%d" fullword ascii /* PEStudio Blacklist: strings */ /* score: '13.015' */
$s6 = "read file error:%d" fullword ascii /* score: '11.04' */
$s7 = "downdll.dll" fullword ascii /* score: '11.025' */
$s8 = "rz.dat" fullword ascii /* score: '10.005' */
$s9 = "Invalid url" fullword ascii /* PEStudio Blacklist: strings */ /* score: '9.03' */
$s10 = "Create file failed" fullword ascii /* score: '8.045' */
$s11 = "myAgent" fullword ascii /* score: '8.025' */
$s12 = "%s%s%d%d" fullword ascii /* score: '8.005' */
$s13 = "down file success" fullword ascii /* score: '7.035' */
$s15 = "error!" fullword ascii /* score: '6.04' */
$s18 = "Avaliable data:%u bytes" fullword ascii /* score: '5.025' */
condition:
uint16(0) == 0x5a4d and 6 of them
}
rule APT_Malware_PutterPanda_PSAPI {
meta:
description = "Detects a malware related to Putter Panda"
author = "Florian Roth"
score = 70
reference = "VT Analysis"
date = "2015-06-03"
hash = "f93a7945a33145bb6c106a51f08d8f44eab1cdf5"
strings:
$s0 = "LOADER ERROR" fullword ascii /* PEStudio Blacklist: strings */ /* score: '12.03' */
$s1 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii /* PEStudio Blacklist: strings */ /* score: '8.045' */
$s2 = "psapi.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 54 times */
$s3 = "urlmon.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 471 times */
$s4 = "WinHttpGetProxyForUrl" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 179 times */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
rule APT_Malware_PutterPanda_WUAUCLT {
meta:
description = "Detects a malware related to Putter Panda"
author = "Florian Roth"
score = 70
reference = "VT Analysis"
date = "2015-06-03"
hash = "fd5ca5a2d444865fa8320337467313e4026b9f78"
strings:
$x0 = "WUAUCLT.EXE" fullword wide /* PEStudio Blacklist: strings */ /* score: '20.01' */
$x1 = "%s\\tmp%d.exe" fullword ascii /* score: '14.01' */
$x2 = "Microsoft Corporation. All rights reserved." fullword wide /* score: '8.04' */
$s1 = "Microsoft Windows Operating System" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 4 times */
$s2 = "InternetQueryOptionA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 166 times */
$s3 = "LookupPrivilegeValueA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 336 times */
$s4 = "WNetEnumResourceA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 29 times */
$s5 = "HttpSendRequestExA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 87 times */
$s6 = "PSAPI.DLL" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 420 times */
$s7 = "Microsoft(R) Windows(R) Operating System" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 128 times */
$s8 = "CreatePipe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 222 times */
$s9 = "EnumProcessModules" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 410 times */
condition:
all of ($x*) or
(1 of ($x*) and all of ($s*) )
}
rule APT_Malware_PutterPanda_Gen1 {
meta:
description = "Detects a malware "
author = "YarGen Rule Generator"
reference = "not set"
date = "2015-06-03"
super_rule = 1
hash0 = "bf1d385e637326a63c4d2f253dc211e6a5436b6a"
hash1 = "76459bcbe072f9c29bb9703bc72c7cd46a692796"
hash2 = "e105a7a3a011275002aec4b930c722e6a7ef52ad"
strings:
$s1 = "%s%duserid=%dthreadid=%dgroupid=%d" fullword ascii /* PEStudio Blacklist: strings */ /* score: '22.02' */
$s2 = "ssdpsvc.dll" fullword ascii /* score: '11.00' */
$s3 = "Fail %s " fullword ascii /* score: '10.04' */
$s4 = "%s%dpara1=%dpara2=%dpara3=%d" fullword ascii /* score: '10.01' */
$s5 = "LsaServiceInit" fullword ascii /* score: '7.03' */
$s6 = "%-8d Fs %-12s Bs " fullword ascii /* score: '5.04' */
$s7 = "Microsoft DH SChannel Cryptographic Provider" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5.00' */ /* Goodware String - occured 5 times */
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and 5 of them
}
rule Malware_MsUpdater_String_in_EXE {
meta:
description = "MSUpdater String in Executable"
author = "Florian Roth"
score = 50
reference = "VT Analysis"
date = "2015-06-03"
hash = "b1a2043b7658af4d4c9395fa77fde18ccaf549bb"
strings:
$x1 = "msupdate.exe" fullword wide /* PEStudio Blacklist: strings */ /* score: '20.01' */
// $x2 = "msupdate" fullword wide /* PEStudio Blacklist: strings */ /* score: '13.01' */
$x3 = "msupdater.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '20.02' */
$x4 = "msupdater32.exe" fullword ascii
$x5 = "msupdater32.exe" fullword wide
$x6 = "msupdate.pif" fullword ascii
$fp1 = "_msupdate_" wide /* False Positive */
$fp2 = "_msupdate_" ascii /* False Positive */
$fp3 = "/kies" wide
condition:
uint16(0) == 0x5a4d and filesize < 500KB and ( 1 of ($x*) ) and not ( 1 of ($fp*) )
}
rule APT_Malware_PutterPanda_MsUpdater_3 {
meta:
description = "Detects Malware related to PutterPanda - MSUpdater"
author = "Florian Roth"
score = 70
reference = "VT Analysis"
date = "2015-06-03"
hash = "464149ff23f9c7f4ab2f5cadb76a4f41f969bed0"
strings:
$s0 = "msupdater.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '20.02' */
$s1 = "Explorer.exe \"" fullword ascii /* PEStudio Blacklist: strings */ /* score: '16.05' */
$s2 = "FAVORITES.DAT" fullword ascii /* score: '11.02' */
$s4 = "COMSPEC" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.82' */ /* Goodware String - occured 178 times */
condition:
uint16(0) == 0x5a4d and 3 of them
}
rule APT_Malware_PutterPanda_MsUpdater_1 {
meta:
description = "Detects Malware related to PutterPanda - MSUpdater"
author = "Florian Roth"
score = 70
reference = "VT Analysis"
date = "2015-06-03"
hash = "b55072b67543f58c096571c841a560c53d72f01a"
strings:
$x0 = "msupdate.exe" fullword wide /* PEStudio Blacklist: strings */ /* score: '20.01' */
$x1 = "msupdate" fullword wide /* PEStudio Blacklist: strings */ /* score: '13.01' */
$s1 = "Microsoft Corporation. All rights reserved." fullword wide /* score: '8.04' */
$s2 = "Automatic Updates" fullword wide /* PEStudio Blacklist: strings */ /* score: '4.98' */ /* Goodware String - occured 22 times */
$s3 = "VirtualProtectEx" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.93' */ /* Goodware String - occured 68 times */
$s4 = "Invalid parameter" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.93' */ /* Goodware String - occured 69 times */
$s5 = "VirtualAllocEx" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.91' */ /* Goodware String - occured 95 times */
$s6 = "WriteProcessMemory" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.87' */ /* Goodware String - occured 131 times */
condition:
( uint16(0) == 0x5a4d and 1 of ($x*) and 4 of ($s*) ) or
( 1 of ($x*) and all of ($s*) )
}
rule APT_Malware_PutterPanda_MsUpdater_2 {
meta:
description = "Detects Malware related to PutterPanda - MSUpdater"
author = "Florian Roth"
score = 70
reference = "VT Analysis"
date = "2015-06-03"
hash = "365b5537e3495f8ecfabe2597399b1f1226879b1"
strings:
$s0 = "winsta0\\default" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.99' */ /* Goodware String - occured 6 times */
$s1 = "EXPLORER.EXE" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.98' */ /* Goodware String - occured 22 times */
$s2 = "WNetEnumResourceA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.97' */ /* Goodware String - occured 29 times */
$s3 = "explorer.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.97' */ /* Goodware String - occured 31 times */
$s4 = "CreateProcessAsUserA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.91' */ /* Goodware String - occured 86 times */
$s5 = "HttpSendRequestExA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.91' */ /* Goodware String - occured 87 times */
$s6 = "HttpEndRequestA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.91' */ /* Goodware String - occured 91 times */
$s7 = "GetModuleBaseNameA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.88' */ /* Goodware String - occured 121 times */
$s8 = "GetModuleFileNameExA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.86' */ /* Goodware String - occured 144 times */
$s9 = "HttpSendRequestA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.85' */ /* Goodware String - occured 154 times */
$s10 = "HttpOpenRequestA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.84' */ /* Goodware String - occured 159 times */
$s11 = "InternetConnectA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.82' */ /* Goodware String - occured 183 times */
$s12 = "Process32Next" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.80' */ /* Goodware String - occured 204 times */
$s13 = "Process32First" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.79' */ /* Goodware String - occured 210 times */
$s14 = "CreatePipe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.78' */ /* Goodware String - occured 222 times */
$s15 = "EnumProcesses" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.73' */ /* Goodware String - occured 273 times */
$s16 = "LookupPrivilegeValueA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.66' */ /* Goodware String - occured 336 times */
$s17 = "PeekNamedPipe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.65' */ /* Goodware String - occured 347 times */
$s18 = "EnumProcessModules" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.59' */ /* Goodware String - occured 410 times */
$s19 = "PSAPI.DLL" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.58' */ /* Goodware String - occured 420 times */
$s20 = "SPSSSQ" fullword ascii /* score: '4.51' */
condition:
uint16(0) == 0x5a4d and filesize < 220KB and all of them
}
rule APT_Malware_PutterPanda_Gen4 {
meta:
description = "Detects Malware related to PutterPanda"
author = "Florian Roth"
score = 70
reference = "VT Analysis"
date = "2015-06-03"
super_rule = 1
hash0 = "71a8378fa8e06bcf8ee9f019c807c6bfc58dca0c"
hash1 = "8fdd6e5ed9d69d560b6fdd5910f80e0914893552"
hash2 = "3c4a762175326b37035a9192a981f7f4cc2aa5f0"
hash3 = "598430b3a9b5576f03cc4aed6dc2cd8a43324e1e"
hash4 = "6522b81b38747f4aa09c98fdaedaed4b00b21689"
strings:
$x1 = "rz.dat" fullword ascii /* score: '10.00' */
$s0 = "Mozilla/4.0 (Compatible; MSIE 6.0;)" fullword ascii /* PEStudio Blacklist: agent */ /* score: '20.03' */
$s1 = "Internet connect error:%d" fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.04' */
$s2 = "Proxy-Authorization:Basic " fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.02' */
$s5 = "Invalid url" fullword ascii /* PEStudio Blacklist: strings */ /* score: '9.03' */
$s6 = "Create file failed" fullword ascii /* score: '8.04' */
$s7 = "myAgent" fullword ascii /* score: '8.03' */
$z1 = "%s%s%d%d" fullword ascii /* score: '8.00' */
$z2 = "HttpQueryInfo failed:%d" fullword ascii /* PEStudio Blacklist: strings */ /* score: '13.02' */
$z3 = "read file error:%d" fullword ascii /* score: '11.04' */
$z4 = "down file success" fullword ascii /* score: '7.04' */
$z5 = "kPStoreCreateInstance" fullword ascii /* score: '5.03' */
$z6 = "Avaliable data:%u bytes" fullword ascii /* score: '5.03' */
$z7 = "abe2869f-9b47-4cd9-a358-c22904dba7f7" fullword ascii /* PEStudio Blacklist: guid */ /* score: '5.00' */ /* Goodware String - occured 2 times */
condition:
filesize < 300KB and
(
( uint16(0) == 0x5a4d and $x1 and 3 of ($s*) ) or
( 3 of ($s*) and 4 of ($z*) )
)
}