08e8d462fe
RED PILL 🔴 💊
136 lines
5.3 KiB
Text
136 lines
5.3 KiB
Text
/*
|
|
YARA Rule Set
|
|
Author: Florian Roth
|
|
Date: 2019-05-31
|
|
Identifier: Nansh0u
|
|
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
|
|
License = CC BY-NC 4.0 https://creativecommons.org/licenses/by-nc/4.0/
|
|
*/
|
|
|
|
/* Rule Set ----------------------------------------------------------------- */
|
|
|
|
|
|
import "pe"
|
|
|
|
rule MAL_XMR_Miner_May19_1 : HIGHVOL {
|
|
meta:
|
|
description = "Detects Monero Crypto Coin Miner"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/"
|
|
date = "2019-05-31"
|
|
score = 85
|
|
hash1 = "d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc"
|
|
id = "233d1d47-de67-55a9-ae7e-46b5dd34e6ce"
|
|
strings:
|
|
$x1 = "donate.ssl.xmrig.com" fullword ascii
|
|
$x2 = "* COMMANDS 'h' hashrate, 'p' pause, 'r' resume" fullword ascii
|
|
|
|
$s1 = "[%s] login error code: %d" fullword ascii
|
|
$s2 = "\\\\?\\pipe\\uv\\%p-%lu" fullword ascii
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 14000KB and (
|
|
pe.imphash() == "25d9618d1e16608cd5d14d8ad6e1f98e" or
|
|
1 of ($x*) or
|
|
2 of them
|
|
)
|
|
}
|
|
|
|
rule HKTL_CN_ProcHook_May19_1 {
|
|
meta:
|
|
description = "Detects hacktool used by Chinese threat groups"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/"
|
|
date = "2019-05-31"
|
|
hash1 = "02ebdc1ff6075c15a44711ccd88be9d6d1b47607fea17bef7e5e17f8da35293e"
|
|
id = "ae4e2613-8254-5ea6-af88-2f08ebe4da33"
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 300KB and
|
|
pe.imphash() == "343d580dd50ee724746a5c28f752b709"
|
|
}
|
|
|
|
|
|
rule SUSP_PDB_CN_Threat_Actor_May19_1 {
|
|
meta:
|
|
description = "Detects PDB path user name used by Chinese threat actors"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/"
|
|
date = "2019-05-31"
|
|
score = 65
|
|
hash1 = "01c3882e8141a25abe37bb826ab115c52fd3d109c4a1b898c0c78cee8dac94b4"
|
|
id = "fc6969ed-5fc1-5b3b-9659-c6fc1c9e2f9c"
|
|
strings:
|
|
$x1 = "C:\\Users\\zcg\\Desktop\\" ascii
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 400KB and 1 of them
|
|
}
|
|
|
|
rule MAL_Ramnit_May19_1 {
|
|
meta:
|
|
description = "Detects Ramnit malware"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/"
|
|
date = "2019-05-31"
|
|
hash1 = "d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3"
|
|
id = "f8fa3557-556e-5680-9f1a-2ecf118ade75"
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 300KB
|
|
and pe.imphash() == "500cd02578808f964519eb2c85153046"
|
|
}
|
|
|
|
rule MAL_Parite_Malware_May19_1 {
|
|
meta:
|
|
description = "Detects Parite malware"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/"
|
|
date = "2019-05-31"
|
|
score = 80
|
|
hash1 = "c9d8852745e81f3bfc09c0a3570d018ae8298af675e3c6ee81ba5b594ff6abb8"
|
|
hash2 = "8d47b08504dcf694928e12a6aa372e7fa65d0d6744429e808ff8e225aefa5af2"
|
|
hash3 = "285e3f21dd1721af2352196628bada81050e4829fb1bb3f8757a45c221737319"
|
|
hash4 = "b987dcc752d9ceb3b0e6cd4370c28567be44b789e8ed8a90c41aa439437321c5"
|
|
id = "f4c9da17-9894-5243-828a-827accb0bac5"
|
|
strings:
|
|
$s1 = "taskkill /im cmd.exe /f" fullword ascii
|
|
$s2 = "LOADERX64.dll" fullword ascii
|
|
|
|
$x1 = "\\dllhot.exe" ascii
|
|
$x2 = "dllhot.exe --auto --any --forever --keepalive" fullword ascii
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 10000KB and ( 1 of ($x*) or 2 of them )
|
|
}
|
|
|
|
rule MAL_Parite_Malware_May19_2 {
|
|
meta:
|
|
description = "Detects Parite malware based on Imphash"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/"
|
|
date = "2019-05-31"
|
|
hash1 = "c9d8852745e81f3bfc09c0a3570d018ae8298af675e3c6ee81ba5b594ff6abb8"
|
|
hash2 = "8d47b08504dcf694928e12a6aa372e7fa65d0d6744429e808ff8e225aefa5af2"
|
|
hash3 = "285e3f21dd1721af2352196628bada81050e4829fb1bb3f8757a45c221737319"
|
|
hash4 = "b987dcc752d9ceb3b0e6cd4370c28567be44b789e8ed8a90c41aa439437321c5"
|
|
id = "33970268-610c-5abf-9e9e-83dae0c81064"
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 18000KB and (
|
|
pe.imphash() == "b132a2719be01a6ef87d9939d785e19e" or
|
|
pe.imphash() == "78f4f885323ffee9f8fa011455d0523d"
|
|
)
|
|
}
|
|
|
|
rule EXPL_Strings_CVE_POC_May19_1 {
|
|
meta:
|
|
description = "Detects strings used in CVE POC noticed in May 2019"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/"
|
|
date = "2019-05-31"
|
|
score = 80
|
|
hash1 = "01c3882e8141a25abe37bb826ab115c52fd3d109c4a1b898c0c78cee8dac94b4"
|
|
id = "df11e0b1-e907-5a24-a3e7-0e78acb379f7"
|
|
strings:
|
|
$x1 = "\\Debug\\poc_cve_20" ascii
|
|
$x2 = "\\Release\\poc_cve_20" ascii
|
|
$x3 = "alloc fake fail: %x!" fullword ascii
|
|
$x4 = "Allocate fake tagWnd fail!" fullword ascii
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 400KB and 1 of them
|
|
}
|