Sneed-Reactivity/yara-mikesxrs/NCCGroup/Sakula.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

121 lines
4.3 KiB
Text

rule malware_sakula_xorloop {
meta:
description = "XOR loops from Sakula malware"
author = "David Cannings/NCCGroup"
reference = "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula"
md5 = "fc6497fe708dbda9355139721b6181e7"
strings:
$mz = "MZ"
// XOR decode loop (non-null, non-key byte only)
$opcodes_decode_loop01 = { 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B }
// XOR decode
$opcodes_decode_loop02 = { 8B 45 08 8D 0C 02 8A 01 84 C0 74 08 3C ?? 74 04 34 ?? 88 01 }
condition:
$mz at 0 and any of ($opcodes*)
}
rule malware_sakula_memory {
meta:
description = "Sakula malware - strings after unpacking (memory rule)"
author = "David Cannings/NCCGroup"
reference = "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula"
md5 = "b3852b9e7f2b8954be447121bb6b65c3"
strings:
$str01 = "cmd.exe /c ping 127.0.0.1 & del \"%s\""
$str02 = "cmd.exe /c rundll32 \"%s\" Play \"%s\""
$str03 = "Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+SV1)"
$str04 = "cmd.exe /c cmd.exe /c cmd.exe /c cmd.exe /c cmd.exe /c cmd.exe /c \"%s\""
$str05 = "Self Process Id:%d"
$str06 = "%d_%d_%d_%s"
$str07 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
$str08 = "cmd.exe /c rundll32 \"%s\" ActiveQvaw \"%s\""
// Encode loop, operations: rol 1; xor ??;
$opcodes01 = { 83 F9 00 74 0E 31 C0 8A 03 D0 C0 34 ?? 88 03 49 43 EB ED }
// Encode loop, single byte XOR
$opcodes02 = { 31 C0 8A 04 13 32 01 83 F8 00 75 0E 83 FA 00 74 04 49 4A }
condition:
4 of them
}
rule malware_sakula_shellcode {
meta:
description = "Sakula shellcode - taken from decoded setup.msi but may not be unique enough to identify Sakula"
author = "David Cannings/NCCGroup"
reference = "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula"
strings:
/*
55 push ebp
89 E5 mov ebp, esp
E8 00 00 00 00 call $+5
58 pop eax
83 C0 06 add eax, 6
C9 leave
C3 retn
*/
// Get EIP technique (may not be unique enough to identify Sakula)
// Note this only appears in memory or decoded files
$opcodes01 = { 55 89 E5 E8 00 00 00 00 58 83 C0 06 C9 C3 }
/*
8B 5E 3C mov ebx, [esi+3Ch] ; Offset to PE header
8B 5C 1E 78 mov ebx, [esi+ebx+78h] ; Length of headers
8B 4C 1E 20 mov ecx, [esi+ebx+20h] ; Number of data directories
53 push ebx
8B 5C 1E 24 mov ebx, [esi+ebx+24h] ; Export table
01 F3 add ebx, esi
*/
// Export parser
$opcodes02 = { 8B 5E 3C 8B 5C 1E 78 8B 4C 1E 20 53 8B 5C 1E 24 01 F3 }
condition:
any of them
}
rule malware_sakula_loader {
meta:
description = "A small DLL loader (~6KiB) for Sakula malware"
author = "David Cannings/NCCGroup"
reference = "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula"
md5 = "58d56d6e2cafca33e5a9303a36228ef6"
strings:
/*
59 pop ecx
5B pop ebx
6A 69 push 'i'
68 70 2E 6D 73 push 'sm.p'
68 73 65 74 75 push 'utes'
54 push esp ; Source
FF 35 04 20 00 10 push ds:lpFileName ; Dest
E8 29 1F 00 00 call strcat
*/
// String stacking for 'setup.msi'
$opcodes_string_stack01 = { 6A 69 68 70 2E 6D 73 68 73 65 74 75 }
/*
48 dec eax
83 F8 00 cmp eax, 0
0F 84 B2 00 00 00 jz loc_10001171
8A 18 mov bl, [eax]
80 F3 5C xor bl, 5Ch
80 FB 00 cmp bl, 0
*/
$opcodes_decode_loop = { 48 83 F8 00 0F ?? ?? ?? ?? ?? 8A 18 80 F3 ?? 80 FB 00 }
// Generic toolmarks from the compiler
$str01 = "Win32 Program!"
$str02 = "GoLink, GoAsm www.GoDevTool.com"
condition:
1 of ($opcodes*) and 1 of ($str*)
}