08e8d462fe
RED PILL 🔴 💊
100 lines
3.8 KiB
Text
100 lines
3.8 KiB
Text
/*
|
|
Yara Rule Set
|
|
Author: Florian Roth
|
|
Date: 2018-08-24
|
|
Identifier: Lazarus - Operation Applejeus
|
|
Reference: https://securelist.com/operation-applejeus/87553/
|
|
*/
|
|
|
|
/* Rule Set ----------------------------------------------------------------- */
|
|
|
|
import "pe"
|
|
|
|
rule APT_Lazarus_Aug18_Downloader_1 {
|
|
meta:
|
|
description = "Detects Lazarus Group Malware Downloadery"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://securelist.com/operation-applejeus/87553/"
|
|
date = "2018-08-24"
|
|
hash1 = "d555dcb6da4a6b87e256ef75c0150780b8a343c4a1e09935b0647f01d974d94d"
|
|
hash2 = "bdff852398f174e9eef1db1c2d3fefdda25fe0ea90a40a2e06e51b5c0ebd69eb"
|
|
hash3 = "e2199fc4e4b31f7e4c61f6d9038577633ed6ad787718ed7c39b36f316f38befd"
|
|
id = "f536db7b-b645-522f-b750-6431878d2e31"
|
|
strings:
|
|
$x1 = "H:\\DEV\\TManager\\" ascii
|
|
$x2 = "\\Release\\dloader.pdb" ascii
|
|
$x3 = "Z:\\jeus\\"
|
|
$x4 = "\\Debug\\dloader.pdb" ascii
|
|
$x5 = "Moz&Wie;#t/6T!2yW29ab@ad%Df324V$Yd" fullword ascii
|
|
|
|
$s1 = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)" fullword ascii
|
|
$s2 = "Error protecting memory page" fullword ascii
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 500KB and (
|
|
( 1 of ($x*) or 2 of them )
|
|
)
|
|
}
|
|
|
|
rule APT_Lazarus_Aug18_1 {
|
|
meta:
|
|
description = "Detects Lazarus Group Malware"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://securelist.com/operation-applejeus/87553/"
|
|
date = "2018-08-24"
|
|
hash1 = "ef400d73c6920ac811af401259e376458b498eb0084631386136747dfc3dcfa8"
|
|
hash2 = "1b8d3e69fc214cb7a08bef3c00124717f4b4d7fd6be65f2829e9fd337fc7c03c"
|
|
id = "fda4970a-2787-5e9c-9944-a6222145f4a7"
|
|
strings:
|
|
$s1 = "mws2_32.dll" fullword wide
|
|
$s2 = "%s.bat" fullword wide
|
|
$s3 = "%s%s%s \"%s > %s 2>&1\"" fullword wide
|
|
$s4 = "Microsoft Corporation. All rights reserved." fullword wide
|
|
$s5 = "ping 127.0.0.1 -n 3" fullword wide
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 500KB and (
|
|
pe.imphash() == "3af996e4f960108533e69b9033503f40" or
|
|
4 of them
|
|
)
|
|
}
|
|
|
|
rule APT_Lazarus_Aug18_2 {
|
|
meta:
|
|
description = "Detects Lazarus Group Malware"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://securelist.com/operation-applejeus/87553/"
|
|
date = "2018-08-24"
|
|
hash1 = "8ae766795cda6336fd5cad9e89199ea2a1939a35e03eb0e54c503b1029d870c4"
|
|
hash2 = "d3ef262bae0beb5d35841d131b3f89a9b71a941a86dab1913bda72b935744d2e"
|
|
id = "3c77d603-6443-5e78-8a8a-a89112619aa6"
|
|
strings:
|
|
$s1 = "vAdvapi32.dll" fullword wide
|
|
$s2 = "lws2_32.dll" fullword wide
|
|
$s3 = "%s %s > \"%s\" 2>&1" fullword wide
|
|
$s4 = "Not Service" fullword wide
|
|
$s5 = "ping 127.0.0.1 -n 3" fullword wide
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 600KB and (
|
|
4 of them
|
|
)
|
|
}
|
|
|
|
rule APT_FallChill_RC4_Keys {
|
|
meta:
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
description = "Detects FallChill RC4 keys"
|
|
reference = "https://securelist.com/operation-applejeus/87553/"
|
|
date = "2018-08-21"
|
|
id = "ead7d84c-91aa-58b0-af3b-1211b0bde864"
|
|
strings:
|
|
/* MOV POS 4BYTE-OF-KEY */
|
|
$cod0 = { c7 ?? ?? da e1 61 ff
|
|
c7 ?? ?? 0c 27 95 87
|
|
c7 ?? ?? 17 57 a4 d6
|
|
c7 ?? ?? ea e3 82 2b }
|
|
condition:
|
|
uint16(0) == 0x5a4d and 1 of them
|
|
}
|