/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2018-02-26
   Identifier: IceFog
   Reference: https://twitter.com/ClearskySec/status/968104465818669057
*/

/* Rule Set ----------------------------------------------------------------- */
rule IceFog_Malware_Feb18_1 {
    meta:
        description = "Detects IceFog malware"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://twitter.com/ClearskySec/status/968104465818669057"
        date = "2018-02-26"
        modified = "2023-01-06"
        hash1 = "480373cffc4e60aa5be2954a156e37d689b92e6e33969958230f2ce59d30b9ec"
        id = "ce8e3a9b-9f4b-534c-983d-bb5490da5768"
    strings:
        // Campaign-specific indicators: C2 host, tasking URI, staging directory.
        $c2_domain = "kastygost.compress.to" fullword wide
        $c2_uri    = "/getorder.aspx?hostname=" fullword wide
        $drop_dir  = "c:\\windows\\debug\\wia\\help" fullword wide
        // File names the sample references on disk.
        $cfg_file  = "\\filecfg_temp.dat" wide
        $key_file  = "\\key.dat" wide
        $bat_name  = "temp.bat" fullword ascii
        // Generic strings that also occur in benign software; only meaningful in combination.
        $cmd_fmt   = "cmd /c %c%s%c" fullword ascii
        $os_err    = "Unknown operating system " fullword wide
        $dl_path   = "/downloads/" wide
    condition:
        // PE (MZ) header, size cap, then any four of the nine strings above.
        // NOTE(review): four hits can be satisfied entirely by the generic group
        // ($cmd_fmt, $bat_name, $os_err, $dl_path, $key_file); triage matches that
        // lack $c2_domain / $c2_uri / $drop_dir before attributing them to IceFog.
        filesize < 2000KB
        and uint16(0) == 0x5a4d
        and 4 of ($*)
}