Sneed-Reactivity/yara-Neo23x0/crime_kriskynote.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

64 lines
2.5 KiB
Text

/*
Yara Rule Set
Author: Florian Roth
Date: 2017-03-03
Identifier: Kriskynote 03 March
*/
/* Rule Set ----------------------------------------------------------------- */
rule Kriskynote_Mar17_1 {
meta:
description = "Detects Kriskynote Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-03-03"
hash1 = "a19c4b615aa54207604b181873e614d84126b639fee2cce3ca9d5bd863f6f577"
hash2 = "62b41db0bf63fa45a2c2b0f5df8c2209a5d96bf2bddf82749595c66d30b7ec61"
id = "b1e5df0c-0112-5fee-85e9-cb0ca31f5234"
strings:
$s1 = "gzwrite64" fullword ascii
$opa1 = { e8 6b fd ff ff 83 f8 ff 74 65 83 7b 28 00 74 42 } /* Opcode */
$opb1 = { 8a 04 08 8b 8e a4 16 00 00 88 44 24 0c 66 c7 04 } /* Opcode */
$opb2 = { 89 4e 6c 89 46 74 e9 ad fc ff ff 8b 46 68 85 c0 } /* Opcode */
condition:
uint16(0) == 0x5a4d and filesize < 400KB and $s1 and ($opa1 or all of ($opb*))
}
rule Kriskynote_Mar17_2 {
meta:
description = "Detects Kriskynote Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-03-03"
hash1 = "cb9a2f77868b28d98e4f9c1b27b7242fec2f2abbc91bfc21fe0573e472c5dfcb"
id = "704baf41-9718-537f-9456-381a9f42fb97"
strings:
$s1 = "fgjfcn8456fgjhfg89653wetwts" fullword ascii
$op0 = { 33 c0 80 34 30 03 40 3d e6 21 00 00 72 f4 b8 e6 } /* Opcode */
condition:
( uint16(0) == 0x5a4d and filesize < 600KB and 1 of them )
}
rule Kriskynote_Mar17_3 {
meta:
description = "Detects Kriskynote Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-03-03"
hash1 = "fc838e07834994f25b3b271611e1014b3593278f0703a4a985fb4234936df492"
id = "647fac4c-2326-5a68-9890-8236022c1548"
strings:
$s1 = "rundll32 %s Check" fullword ascii
$s2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs" fullword ascii
$s3 = "name=\"IsUserAdmin\"" fullword ascii
$s4 = "zok]\\\\\\ZZYYY666564444" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 2000KB and 2 of them )
}