Sneed-Reactivity/yara-mikesxrs/eset/SparklingGoblin.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

489 lines
13 KiB
Text

// For feedback or questions contact us at: github@eset.com
// https://github.com/eset/malware-ioc/
//
// These yara rules are provided to the community under the two-clause BSD
// license as follows:
//
// Copyright (c) 2021, ESET
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this
// list of conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice,
// this list of conditions and the following disclaimer in the documentation
// and/or other materials provided with the distribution.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
//
import "pe"
rule SparklingGoblin_ChaCha20Loader_RichHeader
{
meta:
author = "ESET Research"
copyright = "ESET Research"
description = "Rule matching ChaCha20 loaders rich header"
date = "2021-03-30"
reference = "http://welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
hash = "09FFE37A54BC4EBEBD8D56098E4C76232F35D821"
hash = "29B147B76BB0D9E09F7297487CB972E6A2905586"
hash = "33F2C3DE2457B758FC5824A2B253AD7C7C2E9E37"
hash = "45BEF297CE78521EAC6EE39E7603E18360E67C5A"
hash = "4CEC7CDC78D95C70555A153963064F216DAE8799"
hash = "4D4C1A062A0390B20732BA4D65317827F2339B80"
hash = "4F6949A4906B834E83FF951E135E0850FE49D5E4"
condition:
pe.rich_signature.length >= 104 and pe.rich_signature.length <= 112 and
pe.rich_signature.toolid(241, 40116) >= 5 and pe.rich_signature.toolid(241, 40116) <= 10 and
pe.rich_signature.toolid(147, 30729) == 11 and
pe.rich_signature.toolid(264, 24215) >= 15 and pe.rich_signature.toolid(264, 24215) <= 16
}
rule SparklingGoblin_ChaCha20
{
meta:
author = "ESET Research"
copyright = "ESET Research"
description = "SparklingGoblin ChaCha20 implementations"
date = "2021-05-20"
reference = "http://welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
hash = "2EDBEA43F5C40C867E5B6BBD93CC972525DF598B"
hash = "B6D245D3D49B06645C0578804064CE0C072CBE0F"
hash = "8BE6D5F040D0085C62B1459AFC627707B0DE89CF"
hash = "4668302969FE122874FB2447A80378DCB671C86B"
hash = "9BDECB08E16A23D271D0A3E836D9E7F83D7E2C3B"
hash = "9CE7650F2C08C391A35D69956E171932D116B8BD"
hash = "91B32E030A1F286E7D502CA17E107D4BFBD7394A"
strings:
// 32-bits version
$chunk_1 = {
8B 4D ??
56
8B 75 ??
57
8B 7D ??
8B 04 BB
01 04 93
8B 04 B3
33 04 93
C1 C0 10
89 04 B3
01 04 8B
8B 04 BB
33 04 8B
C1 C0 0C
89 04 BB
01 04 93
8B 04 B3
33 04 93
C1 C0 08
89 04 B3
01 04 8B
8B 04 BB
33 04 8B
C1 C0 07
89 04 BB
}
// 64-bits version
$chunk_2 = {
03 4D ??
44 03 C0
03 55 ??
33 F1
45 33 D8
C1 C6 10
44 33 F2
41 C1 C3 10
41 03 FB
41 C1 C6 10
45 03 E6
41 03 DA
44 33 CB
44 03 EE
41 C1 C1 10
8B C7
33 45 ??
45 03 F9
C1 C0 0C
44 03 C0
45 33 D8
44 89 45 ??
41 C1 C3 08
41 03 FB
44 8B C7
44 33 C0
41 8B C5
33 45 ??
C1 C0 0C
03 C8
41 C1 C0 07
33 F1
89 4D ??
C1 C6 08
44 03 EE
41 8B CD
33 C8
41 8B C4
33 45 ??
C1 C0 0C
03 D0
C1 C1 07
44 33 F2
89 55 ??
41 C1 C6 08
45 03 E6
41 8B D4
33 D0
41 8B C7
41 33 C2
C1 C2 07
C1 C0 0C
03 D8
44 33 CB
41 C1 C1 08
45 03 F9
45 8B D7
44 33 D0
8B 45 ??
03 C1
41 C1 C2 07
44 33 C8
89 45 ??
41 C1 C1 10
45 03 E1
41 8B C4
33 C1
8B 4D ??
C1 C0 0C
03 C8
44 33 C9
89 4D ??
89 4D ??
41 C1 C1 08
45 03 E1
41 8B CC
33 C8
8B 45 ??
C1 C1 07
89 4D ??
89 4D ??
03 C2
41 03 D8
89 45 ??
41 33 C3
C1 C0 10
44 03 F8
41 8B CF
33 CA
8B 55 ??
}
$chunk_3 = {
C7 45 ?? 65 78 70 61
4C 8D 45 ??
C7 45 ?? 6E 64 20 33
4D 8B F9
C7 45 ?? 32 2D 62 79
4C 2B C1
C7 45 ?? 74 65 20 6B
}
$chunk_4 = {
0F B6 02
0F B6 4A ??
C1 E1 08
0B C8
0F B6 42 ??
C1 E1 08
0B C8
0F B6 42 ??
C1 E1 08
0B C8
41 89 0C 10
48 8D 52 ??
49 83 E9 01
}
// 64-bits version
$chunk_5 = {
03 4D ??
44 03 C0
03 55 ??
33 F1
41 33 F8
C1 C6 10
44 33 F2
C1 C7 10
44 03 DF
41 C1 C6 10
45 03 E6
44 03 CB
45 33 D1
44 03 EE
41 C1 C2 10
41 8B C3
33 45 ??
45 03 FA
C1 C0 0C
44 03 C0
41 33 F8
44 89 45 ??
C1 C7 08
44 03 DF
45 8B C3
44 33 C0
41 8B C5
33 45 ??
C1 C0 0C
03 C8
41 C1 C0 07
33 F1
89 4D ??
C1 C6 08
44 03 EE
41 8B CD
33 C8
41 8B C4
33 45 ??
C1 C0 0C
03 D0
C1 C1 07
44 33 F2
89 55 ??
41 C1 C6 08
45 03 E6
41 8B D4
33 D0
41 8B C7
33 C3
C1 C2 07
C1 C0 0C
44 03 C8
45 33 D1
41 C1 C2 08
45 03 FA
41 8B DF
33 D8
8B 45 ??
03 C1
C1 C3 07
44 33 D0
89 45 ??
41 C1 C2 10
45 03 E2
41 8B C4
33 C1
8B 4D ??
C1 C0 0C
03 C8
44 33 D1
89 4D ??
89 4D ??
41 C1 C2 08
45 03 E2
41 8B CC
33 C8
8B 45 ??
C1 C1 07
89 4D ??
89 4D ??
03 C2
45 03 C8
89 45 ??
33 C7
C1 C0 10
44 03 F8
41 8B CF
33 CA
8B 55 ??
C1 C1 0C
03 D1
8B FA
89 55 ??
33 F8
89 55 ??
8B 55 ??
03 D3
C1 C7 08
44 03 FF
41 8B C7
33 C1
C1 C0 07
89 45 ??
89 45 ??
8B C2
33 C6
C1 C0 10
44 03 D8
41 33 DB
C1 C3 0C
03 D3
8B F2
89 55 ??
33 F0
41 8B C1
41 33 C6
C1 C6 08
C1 C0 10
44 03 DE
44 03 E8
41 33 DB
41 8B CD
C1 C3 07
41 33 C8
44 8B 45 ??
C1 C1 0C
44 03 C9
45 8B F1
44 33 F0
41 C1 C6 08
45 03 EE
41 8B C5
33 C1
8B 4D ??
C1 C0 07
}
condition:
any of them and filesize < 450KB
}
rule SparklingGoblin_EtwEventWrite
{
meta:
author = "ESET Research"
copyright = "ESET Research"
description = "SparklingGoblin EtwEventWrite patching"
date = "2021-05-20"
reference = "http://welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
hash = "2EDBEA43F5C40C867E5B6BBD93CC972525DF598B"
hash = "B6D245D3D49B06645C0578804064CE0C072CBE0F"
hash = "8BE6D5F040D0085C62B1459AFC627707B0DE89CF"
hash = "4668302969FE122874FB2447A80378DCB671C86B"
hash = "9BDECB08E16A23D271D0A3E836D9E7F83D7E2C3B"
hash = "9CE7650F2C08C391A35D69956E171932D116B8BD"
strings:
// 64-bits version
$chunk_1 = {
48 8D 0D ?? ?? ?? ??
C7 44 24 ?? 48 31 C0 C3
FF 15 ?? ?? ?? ??
48 8B C8
48 8D 15 ?? ?? ?? ??
FF 15 ?? ?? ?? ??
83 64 24 ?? 00
4C 8D 4C 24 ??
BF 04 00 00 00
48 8B C8
8B D7
48 8B D8
44 8D 47 ??
FF 15 ?? ?? ?? ??
44 8B C7
48 8D 54 24 ??
48 8B CB
E8 ?? ?? ?? ??
44 8B 44 24 ??
4C 8D 4C 24 ??
8B D7
48 8B CB
FF 15 ?? ?? ?? ??
48 8B 05 ?? ?? ?? ??
}
// 32-bits version
$chunk_2 = {
55
8B EC
51
51
57
68 08 1A 41 00
66 C7 45 ?? C2 14
C6 45 ?? 00
FF 15 ?? ?? ?? ??
68 10 1A 41 00
50
FF 15 ?? ?? ?? ??
83 65 ?? 00
8B F8
8D 45 ??
50
6A 40
6A 03
57
FF 15 ?? ?? ?? ??
6A 03
8D 45 ??
50
57
E8 ?? ?? ?? ??
83 C4 0C
8D 45 ??
50
FF 75 ??
6A 03
57
FF 15 ?? ?? ?? ??
}
// 64-bits version
$chunk_3 = {
48 8D 0D ?? ?? ?? ??
C7 44 24 ?? 48 31 C0 C3
FF 15 ?? ?? ?? ??
48 8B C8
48 8D 15 ?? ?? ?? ??
FF 15 ?? ?? ?? ??
}
condition:
any of them
}
rule SparklingGoblin_Mutex
{
meta:
author = "ESET Research"
copyright = "ESET Research"
description = "SparklingGoblin ChaCha20 loaders mutexes"
date = "2021-05-20"
reference = "http://welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
hash = "2EDBEA43F5C40C867E5B6BBD93CC972525DF598B"
hash = "B6D245D3D49B06645C0578804064CE0C072CBE0F"
hash = "8BE6D5F040D0085C62B1459AFC627707B0DE89CF"
hash = "4668302969FE122874FB2447A80378DCB671C86B"
hash = "9BDECB08E16A23D271D0A3E836D9E7F83D7E2C3B"
hash = "9CE7650F2C08C391A35D69956E171932D116B8BD"
strings:
$mutex_1 = "kREwdFrOlvASgP4zWZyV89m6T2K0bIno"
$mutex_2 = "v5EPQFOImpTLaGZes3Nl1JSKHku8AyCw"
condition:
any of them
}