37 lines
1.6 KiB
Text
37 lines
1.6 KiB
Text
import "pe"
|
|
|
|
rule Mal_Infostealer_Win32_Jupyter_InfoStealer_Module
|
|
{
|
|
meta:
|
|
description = "Detects Jupter infostealer module"
|
|
reference = "https://blogs.blackberry.com/en/2022/01/threat-thursday-jupyter-infostealer-is-a-master-of-disguise"
|
|
author = "BlackBerry Threat Research Team"
|
|
date = "2021-11-08"
|
|
license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
|
|
|
|
strings:
|
|
$d1 = "WebRequest" nocase
|
|
$d2 = "HttpWebRequest" nocase
|
|
$d3 = "WebResponse" nocase
|
|
$d4 = "GetResponseStream" nocase
|
|
$d5 = "GetResponse" nocase
|
|
$d6 = "IsInRole" nocase
|
|
$d7 = "get_UTF8" nocase
|
|
$d8 = "FromBase64String" nocase
|
|
$d9 = "get_OSVersion" nocase
|
|
$d10 = "GetFiles" nocase
|
|
$d11 = "GetExtension" nocase
|
|
$d12 = "get_Current" nocase
|
|
$d13 = "GetEnumerator" nocase
|
|
|
|
$j1 = { 6C 6F 67 69 6E 73 } // logins
|
|
$j2 = { 43 00 6F 00 6F 00 6B 00 69 00 65 00 73 } // C.o.o.k.i.e.s
|
|
$j3 = { 00 6C 00 6F 00 67 00 69 00 6E 00 73 00 2E 00 6A 00 73 00 6F 00 6E 00 } // .l.o.g.i.n.s...j.s.o.n.
|
|
$j4 = { 00 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 } // .c.o.o.k.i.e.s...s.q.l.i.t.e.
|
|
|
|
condition:
|
|
// DotNet
|
|
pe.imports("mscoree.dll", "_CorDllMain") and
|
|
12 of ($d*) and
|
|
2 of ($j*)
|
|
}
|