08e8d462fe
RED PILL 🔴 💊
255 lines
9.3 KiB
Text
255 lines
9.3 KiB
Text
// Stantinko yara rules
|
|
// https://github.com/eset/malware-ioc/
|
|
//
|
|
// These yara rules are provided to the community under the two-clause BSD
|
|
// license as follows:
|
|
//
|
|
// Copyright (c) 2017, ESET
|
|
// All rights reserved.
|
|
//
|
|
// Redistribution and use in source and binary forms, with or without
|
|
// modification, are permitted provided that the following conditions are met:
|
|
//
|
|
// 1. Redistributions of source code must retain the above copyright notice, this
|
|
// list of conditions and the following disclaimer.
|
|
//
|
|
// 2. Redistributions in binary form must reproduce the above copyright notice,
|
|
// this list of conditions and the following disclaimer in the documentation
|
|
// and/or other materials provided with the distribution.
|
|
//
|
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
|
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
|
|
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
|
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
|
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
//
|
|
|
|
import "pe"
|
|
|
|
rule beds_plugin {
|
|
|
|
meta:
|
|
Author = "Frédéric Vachon"
|
|
Date = "2017-07-17"
|
|
Description = "Stantinko BEDS' plugins"
|
|
Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
|
|
Source = "https://github.com/eset/malware-ioc/"
|
|
Contact = "github@eset.com"
|
|
License = "BSD 2-Clause"
|
|
|
|
condition:
|
|
pe.exports("CheckDLLStatus") and
|
|
pe.exports("GetPluginData") and
|
|
pe.exports("InitializePlugin") and
|
|
pe.exports("IsReleased") and
|
|
pe.exports("ReleaseDLL")
|
|
}
|
|
|
|
rule beds_dropper {
|
|
|
|
meta:
|
|
Author = "Frédéric Vachon"
|
|
Date = "2017-07-17"
|
|
Description = "BEDS dropper"
|
|
Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
|
|
Source = "https://github.com/eset/malware-ioc/"
|
|
Contact = "github@eset.com"
|
|
License = "BSD 2-Clause"
|
|
|
|
condition:
|
|
pe.imphash() == "a7ead4ef90d9981e25728e824a1ba3ef"
|
|
|
|
}
|
|
|
|
rule facebook_bot {
|
|
|
|
meta:
|
|
Author = "Frédéric Vachon"
|
|
Date = "2017-07-17"
|
|
Description = "Stantinko's Facebook bot"
|
|
Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
|
|
Source = "https://github.com/eset/malware-ioc/"
|
|
Contact = "github@eset.com"
|
|
License = "BSD 2-Clause"
|
|
|
|
strings:
|
|
$s1 = "m_upload_pic&return_uri=https%3A%2F%2Fm.facebook.com%2Fprofile.php" fullword ascii
|
|
$s2 = "D:\\work\\brut\\cms\\facebook\\facebookbot\\Release\\facebookbot.pdb" fullword ascii
|
|
$s3 = "https%3A%2F%2Fm.facebook.com%2Fcomment%2Freplies%2F%3Fctoken%3D" fullword ascii
|
|
$s4 = "reg_fb_gate=https%3A%2F%2Fm.facebook.com%2Freg" fullword ascii
|
|
$s5 = "reg_fb_ref=https%3A%2F%2Fm.facebook.com%2Freg%2F" fullword ascii
|
|
$s6 = "&return_uri_error=https%3A%2F%2Fm.facebook.com%2Fprofile.php" fullword ascii
|
|
|
|
$x1 = "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36" fullword ascii
|
|
$x2 = "registration@facebookmail.com" fullword ascii
|
|
$x3 = "https://m.facebook.com/profile.php?mds=" fullword ascii
|
|
$x4 = "https://upload.facebook.com/_mupload_/composer/?profile&domain=" fullword ascii
|
|
$x5 = "http://staticxx.facebook.com/connect/xd_arbiter.php?version=42#cb=ff43b202c" fullword ascii
|
|
$x6 = "https://upload.facebook.com/_mupload_/photo/x/saveunpublished/" fullword ascii
|
|
$x7 = "m.facebook.com&ref=m_upload_pic&waterfall_source=" fullword ascii
|
|
$x8 = "payload.commentID" fullword ascii
|
|
$x9 = "profile.login" fullword ascii
|
|
|
|
condition:
|
|
( uint16(0) == 0x5a4d and filesize < 1000KB and ( 1 of ($s*) or 3 of ($x*) ) ) or ( all of them )
|
|
}
|
|
|
|
rule pds_plugins {
|
|
|
|
meta:
|
|
Author = "Frédéric Vachon"
|
|
Date = "2017-07-17"
|
|
Description = "Stantinko PDS' plugins"
|
|
Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
|
|
Source = "https://github.com/eset/malware-ioc/"
|
|
Contact = "github@eset.com"
|
|
License = "BSD 2-Clause"
|
|
|
|
strings:
|
|
$s1 = "std::_Vector_val<CHTTPPostItem *,std::allocator<CHTTPPostItem *> >" fullword ascii
|
|
$s2 = "std::_Vector_val<CHTTPHeader *,std::allocator<CHTTPHeader *> >" fullword ascii
|
|
$s3 = "std::vector<CHTTPHeader *,std::allocator<CHTTPHeader *> >" fullword ascii
|
|
$s4 = "std::vector<CHTTPPostItem *,std::allocator<CHTTPPostItem *> >" fullword ascii
|
|
$s5 = "CHTTPHeaderManager" fullword ascii
|
|
$s6 = "CHTTPPostItemManager *" fullword ascii
|
|
$s7 = "CHTTPHeaderManager *" fullword ascii
|
|
$s8 = "CHTTPPostItemManager" fullword ascii
|
|
$s9 = "CHTTPHeader" fullword ascii
|
|
$s10 = "CHTTPPostItem" fullword ascii
|
|
$s11 = "std::vector<CCookie *,std::allocator<CCookie *> >" fullword ascii
|
|
$s12 = "std::_Vector_val<CCookie *,std::allocator<CCookie *> >" fullword ascii
|
|
$s13 = "CCookieManager *" fullword ascii
|
|
|
|
condition:
|
|
( uint16(0) == 0x5a4d and filesize < 1000KB and ( 2 of ($s*) ) )
|
|
}
|
|
|
|
rule stantinko_pdb {
|
|
|
|
meta:
|
|
Author = "Frédéric Vachon"
|
|
Date = "2017-07-17"
|
|
Description = "Stantinko malware family PDB path"
|
|
Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
|
|
Source = "https://github.com/eset/malware-ioc/"
|
|
Contact = "github@eset.com"
|
|
License = "BSD 2-Clause"
|
|
|
|
strings:
|
|
$s1 = "D:\\work\\service\\service\\" ascii
|
|
|
|
condition:
|
|
all of them
|
|
}
|
|
|
|
rule stantinko_droppers {
|
|
|
|
meta:
|
|
Author = "Marc-Etienne M.Léveillé"
|
|
Date = "2017-07-17"
|
|
Description = "Stantinko droppers"
|
|
Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
|
|
Source = "https://github.com/eset/malware-ioc/"
|
|
Contact = "github@eset.com"
|
|
License = "BSD 2-Clause"
|
|
|
|
strings:
|
|
// Bytes from the encrypted payload
|
|
$s1 = {55 8B EC 83 EC 08 53 56 BE 80 F4 45 00 57 81 EE 80 0E 41 00 56 E8 6D 23 00 00 56 8B D8 68 80 0E 41 00 53 89 5D F8 E8 65 73 00 00 8B 0D FC F5 45}
|
|
|
|
// Keys to decrypt payload
|
|
$s2 = {7E 5E 7F 8C 08 46 00 00 AB 57 1A BB 91 5C 00 00 FA CC FD 76 90 3A 00 00}
|
|
|
|
condition:
|
|
uint16(0) == 0x5A4D and 1 of them
|
|
}
|
|
|
|
rule stantinko_d3d {
|
|
|
|
meta:
|
|
Author = "Marc-Etienne M.Léveillé"
|
|
Date = "2017-07-17"
|
|
Description = "Stantinko d3dadapter component"
|
|
Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
|
|
Source = "https://github.com/eset/malware-ioc/"
|
|
Contact = "github@eset.com"
|
|
License = "BSD 2-Clause"
|
|
|
|
condition:
|
|
pe.exports("EntryPoint") and
|
|
pe.exports("ServiceMain") and
|
|
pe.imports("WININET.DLL", "HttpAddRequestHeadersA")
|
|
}
|
|
|
|
rule stantinko_ihctrl32 {
|
|
|
|
meta:
|
|
Author = "Marc-Etienne M.Léveillé"
|
|
Date = "2017-07-17"
|
|
Description = "Stantinko ihctrl32 component"
|
|
Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
|
|
Source = "https://github.com/eset/malware-ioc/"
|
|
Contact = "github@eset.com"
|
|
License = "BSD 2-Clause"
|
|
|
|
strings:
|
|
$s1 = "ihctrl32.dll"
|
|
$s2 = "win32_hlp"
|
|
$s3 = "Ihctrl32Main"
|
|
$s4 = "I%citi%c%size%s%c%ci%s"
|
|
$s5 = "Global\\Intel_hctrl32"
|
|
|
|
condition:
|
|
2 of them
|
|
}
|
|
|
|
rule stantinko_wsaudio {
|
|
|
|
meta:
|
|
Author = "Marc-Etienne M.Léveillé"
|
|
Date = "2017-07-17"
|
|
Description = "Stantinko wsaudio component"
|
|
Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
|
|
Source = "https://github.com/eset/malware-ioc/"
|
|
Contact = "github@eset.com"
|
|
License = "BSD 2-Clause"
|
|
|
|
strings:
|
|
// Export
|
|
$s1 = "GetInterface"
|
|
$s2 = "wsaudio.dll"
|
|
|
|
// Event name
|
|
$s3 = "Global\\Wsaudio_Initialize"
|
|
$s4 = "SOFTWARE\\Classes\\%s.FieldListCtrl.1\\"
|
|
|
|
condition:
|
|
2 of them
|
|
}
|
|
|
|
rule stantinko_ghstore {
|
|
|
|
meta:
|
|
Author = "Marc-Etienne M.Léveillé"
|
|
Date = "2017-07-17"
|
|
Description = "Stantinko ghstore component"
|
|
Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
|
|
Source = "https://github.com/eset/malware-ioc/"
|
|
Contact = "github@eset.com"
|
|
License = "BSD 2-Clause"
|
|
|
|
strings:
|
|
$s1 = "G%cost%sSt%c%s%s%ce%sr" wide
|
|
$s2 = "%cho%ct%sS%sa%c%s%crve%c" wide
|
|
$s3 = "Par%c%ce%c%c%s" wide
|
|
$s4 = "S%c%curity%c%s%c%s" wide
|
|
$s5 = "Sys%c%s%c%c%su%c%s%clS%c%s%serv%s%ces" wide
|
|
|
|
condition:
|
|
3 of them
|
|
}
|