08e8d462fe
RED PILL 🔴 💊
230 lines
12 KiB
Text
230 lines
12 KiB
Text
|
|
rule PoisonIvy_Sample_APT {
|
|
meta:
|
|
description = "Detects a PoisonIvy APT malware group"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
score = 70
|
|
reference = "VT Analysis"
|
|
date = "2015-06-03"
|
|
hash = "b874b76ff7b281c8baa80e4a71fc9be514093c70"
|
|
id = "8d3b8222-8949-57dc-99b7-092189416efd"
|
|
strings:
|
|
$s0 = "pidll.dll" fullword ascii /* score: '11.02' */
|
|
$s1 = "sens32.dll" fullword wide /* score: '11.015' */
|
|
$s3 = "FileDescription" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 19311 times */
|
|
$s4 = "OriginalFilename" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 19040 times */
|
|
$s5 = "ZwSetInformationProcess" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 31 times */
|
|
$s9 = "Microsoft Media Device Service Provider" fullword wide /* score: '-3' */ /* Goodware String - occured 8 times */
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 47KB and all of them
|
|
}
|
|
|
|
|
|
rule PoisonIvy_Sample_APT_2 {
|
|
meta:
|
|
description = "Detects a PoisonIvy Malware"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
score = 70
|
|
reference = "VT Analysis"
|
|
date = "2015-06-03"
|
|
hash = "333f956bf3d5fc9b32183e8939d135bc0fcc5770"
|
|
id = "4d64ccd2-add8-5749-8178-f2c5336e1495"
|
|
strings:
|
|
$s0 = "pidll.dll" fullword ascii /* score: '11.02' */
|
|
$s1 = "sens32.dll" fullword wide /* score: '11.015' */
|
|
$s2 = "9.0.1.56" fullword wide /* score: '9.5' */
|
|
$s3 = "FileDescription" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 19311 times */
|
|
$s4 = "OriginalFilename" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 19040 times */
|
|
$s5 = "ZwSetInformationProcess" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 31 times */
|
|
$s6 = "\"%=%14=" fullword ascii /* score: '4.5' */
|
|
$s7 = "091A1G1R1_1g1u1z1" fullword ascii /* score: '4' */ /* Goodware String - occured 1 times */
|
|
$s8 = "gHsMZz" fullword ascii /* score: '3.005' */
|
|
$s9 = "Microsoft Media Device Service Provider" fullword wide /* score: '-3' */ /* Goodware String - occured 8 times */
|
|
$s10 = "Copyright (C) Microsoft Corp." fullword wide /* score: '-7' */ /* Goodware String - occured 12 times */
|
|
$s11 = "MFC42.DLL" fullword ascii /* score: '-31' */ /* Goodware String - occured 36 times */
|
|
$s12 = "MSVCRT.dll" fullword ascii /* score: '-235' */ /* Goodware String - occured 240 times */
|
|
$s13 = "SpecialBuild" fullword wide /* score: '-1561' */ /* Goodware String - occured 1566 times */
|
|
$s14 = "PrivateBuild" fullword wide /* score: '-1585' */ /* Goodware String - occured 1590 times */
|
|
$s15 = "Comments" fullword wide /* score: '-2149' */ /* Goodware String - occured 2154 times */
|
|
$s16 = "040904b0" fullword wide /* score: '-2365' */ /* Goodware String - occured 2370 times */
|
|
$s17 = "LegalTrademarks" fullword wide /* score: '-3518' */ /* Goodware String - occured 3523 times */
|
|
$s18 = "CreateThread" fullword ascii /* score: '-3909' */ /* Goodware String - occured 3914 times */
|
|
$s19 = "ntdll.dll" fullword ascii /* score: '-4675' */ /* Goodware String - occured 4680 times */
|
|
$s20 = "_adjust_fdiv" ascii /* score: '-5450' */ /* Goodware String - occured 5455 times */
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 47KB and all of them
|
|
}
|
|
|
|
rule PoisonIvy_Sample_APT_3 {
|
|
meta:
|
|
description = "Detects a PoisonIvy Malware"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
score = 70
|
|
reference = "VT Analysis"
|
|
date = "2015-06-03"
|
|
hash = "df3e1668ac20edecc12f2c1a873667ea1a6c3d6a"
|
|
id = "e2e0bf75-7704-585f-b2b3-727d14946c76"
|
|
strings:
|
|
$s0 = "\\notepad.exe" ascii /* score: '11.025' */
|
|
$s1 = "\\RasAuto.dll" ascii /* score: '11.025' */
|
|
$s3 = "winlogon.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 13 times */
|
|
condition:
|
|
uint16(0) == 0x5a4d and all of them
|
|
}
|
|
|
|
|
|
rule PoisonIvy_Sample_APT_4 {
|
|
meta:
|
|
description = "Detects a PoisonIvy Sample APT"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
score = 70
|
|
reference = "VT Analysis"
|
|
date = "2015-06-03"
|
|
hash = "558f0f0b728b6da537e2666fbf32f3c9c7bd4c0c"
|
|
id = "02bf546b-99a2-5ffb-8ee7-7bb005ef953b"
|
|
strings:
|
|
$s0 = "Microsoft Software installation Service" fullword wide /* PEStudio Blacklist: strings */ /* score: '15.04' */
|
|
$s1 = "idll.dll" fullword ascii /* score: '11.02' */
|
|
$s2 = "mgmts.dll" fullword wide /* score: '11.0' */
|
|
$s3 = "Microsoft(R) Windows(R)" fullword wide /* score: '6.025' */
|
|
$s4 = "ServiceMain" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 322 times */
|
|
$s5 = "Software installation Service" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 3 times */
|
|
$s6 = "SetServiceStatus" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 741 times */
|
|
$s7 = "OriginalFilename" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 19040 times */
|
|
$s8 = "ZwSetInformationProcess" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 31 times */
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 100KB and 7 of them
|
|
}
|
|
|
|
rule PoisonIvy_Sample_5 {
|
|
meta:
|
|
description = "Detects PoisonIvy RAT sample set"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
score = 70
|
|
reference = "VT Analysis"
|
|
date = "2015-06-03"
|
|
hash = "545e261b3b00d116a1d69201ece8ca78d9704eb2"
|
|
id = "61f7efd4-745a-5f06-a66d-b4b2a2ecc614"
|
|
strings:
|
|
$s0 = "Microsoft Software installation Service" fullword wide /* PEStudio Blacklist: strings */ /* score: '15.04' */
|
|
$s2 = "pidll.dll" fullword ascii /* score: '11.02' */
|
|
$s3 = "\\mspmsnsv.dll" ascii /* score: '11.005' */
|
|
$s4 = "\\sfc.exe" ascii /* score: '11.005' */
|
|
$s13 = "ServiceMain" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 322 times */
|
|
$s15 = "ZwSetInformationProcess" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 31 times */
|
|
$s17 = "LookupPrivilegeValueA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 336 times */
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
|
}
|
|
|
|
|
|
rule PoisonIvy_Sample_6 {
|
|
meta:
|
|
description = "Detects PoisonIvy RAT sample set"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
score = 70
|
|
reference = "VT Analysis"
|
|
date = "2015-06-03"
|
|
hash1 = "8c2630ab9b56c00fd748a631098fa4339f46d42b"
|
|
hash2 = "36b4cbc834b2f93a8856ff0e03b7a6897fb59bd3"
|
|
id = "f364fad0-3684-5500-b21b-396f1e259217"
|
|
strings:
|
|
$x1 = "124.133.252.150" fullword ascii /* score: '9.5' */
|
|
$x3 = "http://124.133.254.171/up/up.asp?id=%08x&pcname=%s" fullword ascii /* score: '24.01' */
|
|
|
|
$z1 = "\\temp\\si.txt" ascii /* PEStudio Blacklist: strings */ /* score: '27.01' */
|
|
$z2 = "Daemon Dynamic Link Library" fullword wide /* PEStudio Blacklist: strings */ /* score: '11.02' */
|
|
$z3 = "Microsoft Windows CTF Loader" fullword wide /* PEStudio Blacklist: strings */ /* score: '11.03' */
|
|
$z4 = "\\tappmgmts.dll" ascii /* score: '11.005' */
|
|
$z5 = "\\appmgmts.dll" ascii /* score: '11.0' */
|
|
|
|
$s0 = "%USERPROFILE%\\AppData\\Local\\Temp\\Low\\ctfmon.log" fullword ascii /* PEStudio Blacklist: strings */ /* score: '43.015' */
|
|
$s1 = "%USERPROFILE%\\AppData\\Local\\Temp\\ctfmon.tmp" fullword ascii /* PEStudio Blacklist: strings */ /* score: '37.015' */
|
|
$s2 = "\\temp\\ctfmon.tmp" ascii /* PEStudio Blacklist: strings */ /* score: '28.01' */
|
|
$s3 = "SOFTWARE\\Classes\\http\\shell\\open\\commandV" fullword ascii /* PEStudio Blacklist: strings */ /* score: '27.025' */
|
|
$s4 = "CONNECT %s:%i HTTP/1.0" fullword ascii /* PEStudio Blacklist: strings */ /* score: '19.02' */
|
|
$s5 = "start read histry key" fullword ascii /* PEStudio Blacklist: strings */ /* score: '18.04' */
|
|
$s6 = "Content-Disposition: form-data; name=\"%s\"; filename=\"%s\"" fullword ascii /* score: '18.03' */
|
|
$s7 = "[password]%s" fullword ascii /* PEStudio Blacklist: strings */ /* score: '17.025' */
|
|
$s8 = "Daemon.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '16.02' */
|
|
$s9 = "[username]%s" fullword ascii /* PEStudio Blacklist: strings */ /* score: '12.035' */
|
|
$s10 = "advpack" fullword ascii /* score: '7.005' */
|
|
$s11 = "%s%2.2X" fullword ascii /* score: '7.0' */
|
|
$s12 = "advAPI32" fullword ascii /* score: '6.015' */
|
|
condition:
|
|
( uint16(0) == 0x5a4d and 1 of ($x*) ) or
|
|
( 8 of ($s*) ) or
|
|
( 1 of ($z*) and 3 of ($s*) )
|
|
}
|
|
|
|
rule PoisonIvy_Sample_7 {
|
|
meta:
|
|
description = "Detects PoisonIvy RAT sample set"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
score = 70
|
|
reference = "VT Analysis"
|
|
date = "2015-06-03"
|
|
hash = "9480cf544beeeb63ffd07442233eb5c5f0cf03b3"
|
|
id = "01224053-d95e-5144-981b-76cd7e57e1c3"
|
|
strings:
|
|
$s0 = "Microsoft Software installation Service" fullword wide /* PEStudio Blacklist: strings */ /* score: '15.04' */
|
|
$s2 = "pidll.dll" fullword ascii /* score: '11.02' */
|
|
$s10 = "ServiceMain" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 322 times */
|
|
$s11 = "ZwSetInformationProcess" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 31 times */
|
|
$s12 = "Software installation Service" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 3 times */
|
|
$s13 = "Microsoft(R) Windows(R) Operating System" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 128 times */
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
|
}
|
|
|
|
/*
|
|
Yara Rule Set
|
|
Author: Florian Roth
|
|
Date: 2016-04-22
|
|
Identifier:
|
|
*/
|
|
|
|
/* Rule Set ----------------------------------------------------------------- */
|
|
|
|
rule PoisonIvy_RAT_ssMUIDLL {
|
|
meta:
|
|
description = "Detects PoisonIvy RAT DLL mentioned in Palo Alto Blog in April 2016"
|
|
author = "Florian Roth (Nextron Systems) (with the help of yarGen and Binarly)"
|
|
reference = "http://goo.gl/WiwtYT"
|
|
date = "2016-04-22"
|
|
hash1 = "7a424ad3f3106b87e8e82c7125834d7d8af8730a2a97485a639928f66d5f6bf4"
|
|
hash2 = "6eb7657603edb2b75ed01c004d88087abe24df9527b272605b8517a423557fe6"
|
|
hash3 = "2a6ef9dde178c4afe32fe676ff864162f104d85fac2439986de32366625dc083"
|
|
hash4 = "8b805f508879ecdc9bba711cfbdd570740c4825b969c1b4db980c134ac8fef1c"
|
|
hash5 = "ac99d4197e41802ff9f8852577955950332947534d8e2a0e3b6c1dd1715490d4"
|
|
id = "f2535b70-cf17-5435-9fc8-2dfdf70d95ac"
|
|
strings:
|
|
$s1 = "ssMUIDLL.dll" fullword ascii
|
|
|
|
// 0x10001f81 6a 00 push 0
|
|
// 0x10001f83 c6 07 e9 mov byte ptr [edi], 0xe9
|
|
// 0x10001f86 ff d6 call esi
|
|
$op1 = { 6a 00 c6 07 e9 ff d6 } // sample=e9ccf4e139bbbd114b67cc3cee260d1cb638c9d0 address=0x10001f81
|
|
// 0x100012a9 02 cb add cl, bl
|
|
// 0x100012ab 6a 00 push 0
|
|
// 0x100012ad 88 0f mov byte ptr [edi], cl
|
|
// 0x100012af ff d6 call esi
|
|
// 0x100012b1 47 inc edi
|
|
// 0x100012b2 ff 4d fc dec dword ptr [ebp - 4]
|
|
// 0x100012b5 75 ?? jne 0x10001290
|
|
$op2 = { 02 cb 6a 00 88 0f ff d6 47 ff 4d fc 75 } // sample=e9ccf4e139bbbd114b67cc3cee260d1cb638c9d0 address=0x100012a9
|
|
// 0x10001f93 6a 00 push 0
|
|
// 0x10001f95 88 7f 02 mov byte ptr [edi + 2], bh
|
|
// 0x10001f98 ff d6 call esi
|
|
$op3 = { 6a 00 88 7f 02 ff d6 } // sample=e9ccf4e139bbbd114b67cc3cee260d1cb638c9d0 address=0x10001f93
|
|
|
|
condition:
|
|
( uint16(0) == 0x5a4d and filesize < 20KB and ( all of ($op*) ) ) or ( all of them )
|
|
}
|