08e8d462fe
RED PILL 🔴 💊
489 lines
13 KiB
Text
489 lines
13 KiB
Text
// For feedback or questions contact us at: github@eset.com
|
|
// https://github.com/eset/malware-ioc/
|
|
//
|
|
// These yara rules are provided to the community under the two-clause BSD
|
|
// license as follows:
|
|
//
|
|
// Copyright (c) 2021, ESET
|
|
// All rights reserved.
|
|
//
|
|
// Redistribution and use in source and binary forms, with or without
|
|
// modification, are permitted provided that the following conditions are met:
|
|
//
|
|
// 1. Redistributions of source code must retain the above copyright notice, this
|
|
// list of conditions and the following disclaimer.
|
|
//
|
|
// 2. Redistributions in binary form must reproduce the above copyright notice,
|
|
// this list of conditions and the following disclaimer in the documentation
|
|
// and/or other materials provided with the distribution.
|
|
//
|
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
|
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
|
|
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
|
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
|
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
//
|
|
|
|
import "pe"
|
|
rule SparklingGoblin_ChaCha20Loader_RichHeader
|
|
{
|
|
meta:
|
|
author = "ESET Research"
|
|
copyright = "ESET Research"
|
|
description = "Rule matching ChaCha20 loaders rich header"
|
|
date = "2021-03-30"
|
|
reference = "http://welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/"
|
|
source = "https://github.com/eset/malware-ioc/"
|
|
license = "BSD 2-Clause"
|
|
|
|
hash = "09FFE37A54BC4EBEBD8D56098E4C76232F35D821"
|
|
hash = "29B147B76BB0D9E09F7297487CB972E6A2905586"
|
|
hash = "33F2C3DE2457B758FC5824A2B253AD7C7C2E9E37"
|
|
hash = "45BEF297CE78521EAC6EE39E7603E18360E67C5A"
|
|
hash = "4CEC7CDC78D95C70555A153963064F216DAE8799"
|
|
hash = "4D4C1A062A0390B20732BA4D65317827F2339B80"
|
|
hash = "4F6949A4906B834E83FF951E135E0850FE49D5E4"
|
|
|
|
condition:
|
|
pe.rich_signature.length >= 104 and pe.rich_signature.length <= 112 and
|
|
pe.rich_signature.toolid(241, 40116) >= 5 and pe.rich_signature.toolid(241, 40116) <= 10 and
|
|
pe.rich_signature.toolid(147, 30729) == 11 and
|
|
pe.rich_signature.toolid(264, 24215) >= 15 and pe.rich_signature.toolid(264, 24215) <= 16
|
|
}
|
|
|
|
rule SparklingGoblin_ChaCha20
|
|
{
|
|
meta:
|
|
author = "ESET Research"
|
|
copyright = "ESET Research"
|
|
description = "SparklingGoblin ChaCha20 implementations"
|
|
date = "2021-05-20"
|
|
reference = "http://welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/"
|
|
source = "https://github.com/eset/malware-ioc/"
|
|
license = "BSD 2-Clause"
|
|
|
|
hash = "2EDBEA43F5C40C867E5B6BBD93CC972525DF598B"
|
|
hash = "B6D245D3D49B06645C0578804064CE0C072CBE0F"
|
|
hash = "8BE6D5F040D0085C62B1459AFC627707B0DE89CF"
|
|
hash = "4668302969FE122874FB2447A80378DCB671C86B"
|
|
hash = "9BDECB08E16A23D271D0A3E836D9E7F83D7E2C3B"
|
|
hash = "9CE7650F2C08C391A35D69956E171932D116B8BD"
|
|
hash = "91B32E030A1F286E7D502CA17E107D4BFBD7394A"
|
|
|
|
strings:
|
|
// 32-bits version
|
|
$chunk_1 = {
|
|
8B 4D ??
|
|
56
|
|
8B 75 ??
|
|
57
|
|
8B 7D ??
|
|
8B 04 BB
|
|
01 04 93
|
|
8B 04 B3
|
|
33 04 93
|
|
C1 C0 10
|
|
89 04 B3
|
|
01 04 8B
|
|
8B 04 BB
|
|
33 04 8B
|
|
C1 C0 0C
|
|
89 04 BB
|
|
01 04 93
|
|
8B 04 B3
|
|
33 04 93
|
|
C1 C0 08
|
|
89 04 B3
|
|
01 04 8B
|
|
8B 04 BB
|
|
33 04 8B
|
|
C1 C0 07
|
|
89 04 BB
|
|
}
|
|
// 64-bits version
|
|
$chunk_2 = {
|
|
03 4D ??
|
|
44 03 C0
|
|
03 55 ??
|
|
33 F1
|
|
45 33 D8
|
|
C1 C6 10
|
|
44 33 F2
|
|
41 C1 C3 10
|
|
41 03 FB
|
|
41 C1 C6 10
|
|
45 03 E6
|
|
41 03 DA
|
|
44 33 CB
|
|
44 03 EE
|
|
41 C1 C1 10
|
|
8B C7
|
|
33 45 ??
|
|
45 03 F9
|
|
C1 C0 0C
|
|
44 03 C0
|
|
45 33 D8
|
|
44 89 45 ??
|
|
41 C1 C3 08
|
|
41 03 FB
|
|
44 8B C7
|
|
44 33 C0
|
|
41 8B C5
|
|
33 45 ??
|
|
C1 C0 0C
|
|
03 C8
|
|
41 C1 C0 07
|
|
33 F1
|
|
89 4D ??
|
|
C1 C6 08
|
|
44 03 EE
|
|
41 8B CD
|
|
33 C8
|
|
41 8B C4
|
|
33 45 ??
|
|
C1 C0 0C
|
|
03 D0
|
|
C1 C1 07
|
|
44 33 F2
|
|
89 55 ??
|
|
41 C1 C6 08
|
|
45 03 E6
|
|
41 8B D4
|
|
33 D0
|
|
41 8B C7
|
|
41 33 C2
|
|
C1 C2 07
|
|
C1 C0 0C
|
|
03 D8
|
|
44 33 CB
|
|
41 C1 C1 08
|
|
45 03 F9
|
|
45 8B D7
|
|
44 33 D0
|
|
8B 45 ??
|
|
03 C1
|
|
41 C1 C2 07
|
|
44 33 C8
|
|
89 45 ??
|
|
41 C1 C1 10
|
|
45 03 E1
|
|
41 8B C4
|
|
33 C1
|
|
8B 4D ??
|
|
C1 C0 0C
|
|
03 C8
|
|
44 33 C9
|
|
89 4D ??
|
|
89 4D ??
|
|
41 C1 C1 08
|
|
45 03 E1
|
|
41 8B CC
|
|
33 C8
|
|
8B 45 ??
|
|
C1 C1 07
|
|
89 4D ??
|
|
89 4D ??
|
|
03 C2
|
|
41 03 D8
|
|
89 45 ??
|
|
41 33 C3
|
|
C1 C0 10
|
|
44 03 F8
|
|
41 8B CF
|
|
33 CA
|
|
8B 55 ??
|
|
}
|
|
$chunk_3 = {
|
|
C7 45 ?? 65 78 70 61
|
|
4C 8D 45 ??
|
|
C7 45 ?? 6E 64 20 33
|
|
4D 8B F9
|
|
C7 45 ?? 32 2D 62 79
|
|
4C 2B C1
|
|
C7 45 ?? 74 65 20 6B
|
|
}
|
|
$chunk_4 = {
|
|
0F B6 02
|
|
0F B6 4A ??
|
|
C1 E1 08
|
|
0B C8
|
|
0F B6 42 ??
|
|
C1 E1 08
|
|
0B C8
|
|
0F B6 42 ??
|
|
C1 E1 08
|
|
0B C8
|
|
41 89 0C 10
|
|
48 8D 52 ??
|
|
49 83 E9 01
|
|
}
|
|
// 64-bits version
|
|
$chunk_5 = {
|
|
03 4D ??
|
|
44 03 C0
|
|
03 55 ??
|
|
33 F1
|
|
41 33 F8
|
|
C1 C6 10
|
|
44 33 F2
|
|
C1 C7 10
|
|
44 03 DF
|
|
41 C1 C6 10
|
|
45 03 E6
|
|
44 03 CB
|
|
45 33 D1
|
|
44 03 EE
|
|
41 C1 C2 10
|
|
41 8B C3
|
|
33 45 ??
|
|
45 03 FA
|
|
C1 C0 0C
|
|
44 03 C0
|
|
41 33 F8
|
|
44 89 45 ??
|
|
C1 C7 08
|
|
44 03 DF
|
|
45 8B C3
|
|
44 33 C0
|
|
41 8B C5
|
|
33 45 ??
|
|
C1 C0 0C
|
|
03 C8
|
|
41 C1 C0 07
|
|
33 F1
|
|
89 4D ??
|
|
C1 C6 08
|
|
44 03 EE
|
|
41 8B CD
|
|
33 C8
|
|
41 8B C4
|
|
33 45 ??
|
|
C1 C0 0C
|
|
03 D0
|
|
C1 C1 07
|
|
44 33 F2
|
|
89 55 ??
|
|
41 C1 C6 08
|
|
45 03 E6
|
|
41 8B D4
|
|
33 D0
|
|
41 8B C7
|
|
33 C3
|
|
C1 C2 07
|
|
C1 C0 0C
|
|
44 03 C8
|
|
45 33 D1
|
|
41 C1 C2 08
|
|
45 03 FA
|
|
41 8B DF
|
|
33 D8
|
|
8B 45 ??
|
|
03 C1
|
|
C1 C3 07
|
|
44 33 D0
|
|
89 45 ??
|
|
41 C1 C2 10
|
|
45 03 E2
|
|
41 8B C4
|
|
33 C1
|
|
8B 4D ??
|
|
C1 C0 0C
|
|
03 C8
|
|
44 33 D1
|
|
89 4D ??
|
|
89 4D ??
|
|
41 C1 C2 08
|
|
45 03 E2
|
|
41 8B CC
|
|
33 C8
|
|
8B 45 ??
|
|
C1 C1 07
|
|
89 4D ??
|
|
89 4D ??
|
|
03 C2
|
|
45 03 C8
|
|
89 45 ??
|
|
33 C7
|
|
C1 C0 10
|
|
44 03 F8
|
|
41 8B CF
|
|
33 CA
|
|
8B 55 ??
|
|
C1 C1 0C
|
|
03 D1
|
|
8B FA
|
|
89 55 ??
|
|
33 F8
|
|
89 55 ??
|
|
8B 55 ??
|
|
03 D3
|
|
C1 C7 08
|
|
44 03 FF
|
|
41 8B C7
|
|
33 C1
|
|
C1 C0 07
|
|
89 45 ??
|
|
89 45 ??
|
|
8B C2
|
|
33 C6
|
|
C1 C0 10
|
|
44 03 D8
|
|
41 33 DB
|
|
C1 C3 0C
|
|
03 D3
|
|
8B F2
|
|
89 55 ??
|
|
33 F0
|
|
41 8B C1
|
|
41 33 C6
|
|
C1 C6 08
|
|
C1 C0 10
|
|
44 03 DE
|
|
44 03 E8
|
|
41 33 DB
|
|
41 8B CD
|
|
C1 C3 07
|
|
41 33 C8
|
|
44 8B 45 ??
|
|
C1 C1 0C
|
|
44 03 C9
|
|
45 8B F1
|
|
44 33 F0
|
|
41 C1 C6 08
|
|
45 03 EE
|
|
41 8B C5
|
|
33 C1
|
|
8B 4D ??
|
|
C1 C0 07
|
|
}
|
|
|
|
condition:
|
|
any of them and filesize < 450KB
|
|
|
|
}
|
|
|
|
rule SparklingGoblin_EtwEventWrite
|
|
{
|
|
meta:
|
|
author = "ESET Research"
|
|
copyright = "ESET Research"
|
|
description = "SparklingGoblin EtwEventWrite patching"
|
|
date = "2021-05-20"
|
|
reference = "http://welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/"
|
|
source = "https://github.com/eset/malware-ioc/"
|
|
license = "BSD 2-Clause"
|
|
|
|
hash = "2EDBEA43F5C40C867E5B6BBD93CC972525DF598B"
|
|
hash = "B6D245D3D49B06645C0578804064CE0C072CBE0F"
|
|
hash = "8BE6D5F040D0085C62B1459AFC627707B0DE89CF"
|
|
hash = "4668302969FE122874FB2447A80378DCB671C86B"
|
|
hash = "9BDECB08E16A23D271D0A3E836D9E7F83D7E2C3B"
|
|
hash = "9CE7650F2C08C391A35D69956E171932D116B8BD"
|
|
|
|
strings:
|
|
// 64-bits version
|
|
$chunk_1 = {
|
|
48 8D 0D ?? ?? ?? ??
|
|
C7 44 24 ?? 48 31 C0 C3
|
|
FF 15 ?? ?? ?? ??
|
|
48 8B C8
|
|
48 8D 15 ?? ?? ?? ??
|
|
FF 15 ?? ?? ?? ??
|
|
83 64 24 ?? 00
|
|
4C 8D 4C 24 ??
|
|
BF 04 00 00 00
|
|
48 8B C8
|
|
8B D7
|
|
48 8B D8
|
|
44 8D 47 ??
|
|
FF 15 ?? ?? ?? ??
|
|
44 8B C7
|
|
48 8D 54 24 ??
|
|
48 8B CB
|
|
E8 ?? ?? ?? ??
|
|
44 8B 44 24 ??
|
|
4C 8D 4C 24 ??
|
|
8B D7
|
|
48 8B CB
|
|
FF 15 ?? ?? ?? ??
|
|
48 8B 05 ?? ?? ?? ??
|
|
}
|
|
// 32-bits version
|
|
$chunk_2 = {
|
|
55
|
|
8B EC
|
|
51
|
|
51
|
|
57
|
|
68 08 1A 41 00
|
|
66 C7 45 ?? C2 14
|
|
C6 45 ?? 00
|
|
FF 15 ?? ?? ?? ??
|
|
68 10 1A 41 00
|
|
50
|
|
FF 15 ?? ?? ?? ??
|
|
83 65 ?? 00
|
|
8B F8
|
|
8D 45 ??
|
|
50
|
|
6A 40
|
|
6A 03
|
|
57
|
|
FF 15 ?? ?? ?? ??
|
|
6A 03
|
|
8D 45 ??
|
|
50
|
|
57
|
|
E8 ?? ?? ?? ??
|
|
83 C4 0C
|
|
8D 45 ??
|
|
50
|
|
FF 75 ??
|
|
6A 03
|
|
57
|
|
FF 15 ?? ?? ?? ??
|
|
}
|
|
// 64-bits version
|
|
$chunk_3 = {
|
|
48 8D 0D ?? ?? ?? ??
|
|
C7 44 24 ?? 48 31 C0 C3
|
|
FF 15 ?? ?? ?? ??
|
|
48 8B C8
|
|
48 8D 15 ?? ?? ?? ??
|
|
FF 15 ?? ?? ?? ??
|
|
}
|
|
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule SparklingGoblin_Mutex
|
|
{
|
|
meta:
|
|
author = "ESET Research"
|
|
copyright = "ESET Research"
|
|
description = "SparklingGoblin ChaCha20 loaders mutexes"
|
|
date = "2021-05-20"
|
|
reference = "http://welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/"
|
|
source = "https://github.com/eset/malware-ioc/"
|
|
license = "BSD 2-Clause"
|
|
|
|
hash = "2EDBEA43F5C40C867E5B6BBD93CC972525DF598B"
|
|
hash = "B6D245D3D49B06645C0578804064CE0C072CBE0F"
|
|
hash = "8BE6D5F040D0085C62B1459AFC627707B0DE89CF"
|
|
hash = "4668302969FE122874FB2447A80378DCB671C86B"
|
|
hash = "9BDECB08E16A23D271D0A3E836D9E7F83D7E2C3B"
|
|
hash = "9CE7650F2C08C391A35D69956E171932D116B8BD"
|
|
|
|
strings:
|
|
$mutex_1 = "kREwdFrOlvASgP4zWZyV89m6T2K0bIno"
|
|
$mutex_2 = "v5EPQFOImpTLaGZes3Nl1JSKHku8AyCw"
|
|
|
|
condition:
|
|
any of them
|
|
}
|