08e8d462fe
RED PILL 🔴 💊
116 lines
No EOL
5.1 KiB
Text
116 lines
No EOL
5.1 KiB
Text
/*
|
|
Yara Rule Set
|
|
Author: Florian Roth
|
|
Date: 2017-10-18
|
|
Identifier: OilRig
|
|
Reference: https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/
|
|
*/
|
|
|
|
/* Rule Set ----------------------------------------------------------------- */
|
|
|
|
rule OilRig_Strings_Oct17 {
|
|
meta:
|
|
description = "Detects strings from OilRig malware and malicious scripts"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/"
|
|
date = "2017-10-18"
|
|
modified = "2022-12-21"
|
|
id = "edf7c7ca-0c58-5507-8d99-83078ff8947a"
|
|
strings:
|
|
$x1 = "%localappdata%\\srvHealth.exe" fullword wide ascii
|
|
$x2 = "%localappdata%\\srvBS.txt" fullword wide ascii
|
|
$x3 = "Agent Injector\\PolicyConverter\\Inner\\obj\\Release\\Inner.pdb" ascii
|
|
$x4 = "Agent Injector\\PolicyConverter\\Joiner\\obj\\Release\\Joiner.pdb" ascii
|
|
$s3 = ".LoadDll(\"Run\", arg, \"C:\\\\Windows\\\\" ascii
|
|
condition:
|
|
filesize < 800KB and 1 of them
|
|
}
|
|
|
|
/*
|
|
Yara Rule Set
|
|
Author: Florian Roth
|
|
Date: 2017-10-18
|
|
Identifier: OilRig
|
|
Reference: https://goo.gl/JQVfFP
|
|
*/
|
|
|
|
/* Rule Set ----------------------------------------------------------------- */
|
|
|
|
import "pe"
|
|
|
|
rule OilRig_ISMAgent_Campaign_Samples1 {
|
|
meta:
|
|
description = "Detects OilRig malware from Unit 42 report in October 2017"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://goo.gl/JQVfFP"
|
|
date = "2017-10-18"
|
|
hash1 = "119c64a8b35bd626b3ea5f630d533b2e0e7852a4c59694125ff08f9965b5f9cc"
|
|
hash2 = "0ccb2117c34e3045a4d2c0d193f1963c8c0e8566617ed0a561546c932d1a5c0c"
|
|
id = "237fe7af-a2ab-51ae-bc96-3af46b08622a"
|
|
strings:
|
|
$s1 = "###$$$TVqQAAMAAAAEAAAA" ascii
|
|
$s2 = "C:\\Users\\J-Win-7-32-Vm\\Desktop\\error.jpg" fullword wide
|
|
$s3 = "$DATA = [System.Convert]::FromBase64String([IO.File]::ReadAllText('%Base%'));[io.file]::WriteAllBytes(" ascii
|
|
$s4 = " /c echo powershell > " fullword wide ascii
|
|
$s5 = "\\Libraries\\servicereset.exe" wide
|
|
$s6 = "%DestFolder%" fullword wide ascii
|
|
condition:
|
|
uint16(0) == 0xcfd0 and filesize < 3000KB and 2 of them
|
|
}
|
|
|
|
rule OilRig_ISMAgent_Campaign_Samples2 {
|
|
meta:
|
|
description = "Detects OilRig malware from Unit 42 report in October 2017"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://goo.gl/JQVfFP"
|
|
date = "2017-10-18"
|
|
hash1 = "fcad263d0fe2b418db05f47d4036f0b42aaf201c9b91281dfdcb3201b298e4f4"
|
|
hash2 = "33c187cfd9e3b68c3089c27ac64a519ccc951ccb3c74d75179c520f54f11f647"
|
|
id = "08771b23-1d0e-5da7-b42c-005ed257e2d1"
|
|
strings:
|
|
$x1 = "PolicyConverter.exe" fullword wide
|
|
$x2 = "SrvHealth.exe" fullword wide
|
|
$x3 = "srvBS.txt" fullword wide
|
|
|
|
$s1 = "{a3538ba3-5cf7-43f0-bc0e-9b53a98e1643}, PublicKeyToken=3e56350693f7355e" fullword wide
|
|
$s2 = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe" fullword wide
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 700KB and ( 2 of ($x*) or 3 of them )
|
|
}
|
|
|
|
rule OilRig_ISMAgent_Campaign_Samples3 {
|
|
meta:
|
|
description = "Detects OilRig malware from Unit 42 report in October 2017"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://goo.gl/JQVfFP"
|
|
date = "2017-10-18"
|
|
hash1 = "a9f1375da973b229eb649dc3c07484ae7513032b79665efe78c0e55a6e716821"
|
|
id = "e26510bd-d183-566a-a185-ebed7a81401c"
|
|
strings:
|
|
$x1 = "cmd /c schtasks /query /tn TimeUpdate > NUL 2>&1" ascii
|
|
$x2 = "schtasks /create /sc minute /mo 0002 /tn TimeUpdate /tr" fullword ascii
|
|
$x3 = "-c SampleDomain.com -m scheduleminutes" fullword ascii
|
|
$x4 = ".ntpupdateserver.com" fullword ascii
|
|
$x5 = ".msoffice365update.com" fullword ascii
|
|
|
|
$s1 = "out.exe" fullword ascii
|
|
$s2 = "\\Win32Project1\\Release\\Win32Project1.pdb" ascii
|
|
$s3 = "C:\\windows\\system32\\cmd.exe /c (" ascii
|
|
$s4 = "Content-Disposition: form-data; name=\"file\"; filename=\"a.a\"" fullword ascii
|
|
$s5 = "Agent configured successfully" fullword ascii
|
|
$s6 = "\\runlog*" ascii
|
|
$s7 = "can not specify username!!" fullword ascii
|
|
$s8 = "Agent can not be configured" fullword ascii
|
|
$s9 = "%08lX%04hX%04hX%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX" fullword ascii
|
|
$s10 = "!!! can not create output file !!!" fullword ascii
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 400KB and (
|
|
pe.imphash() == "538805ecd776b9a42e71aebf94fde1b1" or
|
|
pe.imphash() == "861ac226fbe8c99a2c43ff451e95da97" or
|
|
( 1 of ($x*) or 3 of them )
|
|
)
|
|
} |