Sneed-Reactivity/yara-Neo23x0/apt_olympic_destroyer.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

60 lines
2.7 KiB
Text

/*
Yara Rule Set
Author: Florian Roth
Date: 2018-02-12
Identifier: Olympic Destroyer
Reference: http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
*/
import "pe"
/* Rule Set ----------------------------------------------------------------- */
rule Destructive_Ransomware_Gen1 {
meta:
description = "Detects destructive malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html"
date = "2018-02-12"
hash1 = "ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85"
id = "3a7ce55e-fb28-577b-91bb-fe02d7b3d73c"
strings:
$x1 = "/set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no" fullword wide
$x2 = "delete shadows /all /quiet" fullword wide
$x3 = "delete catalog -quiet" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 100KB and 1 of them
}
rule OlympicDestroyer_Gen2 {
meta:
description = "Detects Olympic Destroyer malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html"
date = "2018-02-12"
hash1 = "d934cb8d0eadb93f8a57a9b8853c5db218d5db78c16a35f374e413884d915016"
hash2 = "3e27b6b287f0b9f7e85bfe18901d961110ae969d58b44af15b1d75be749022c2"
hash3 = "edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9"
hash4 = "28858cc6e05225f7d156d1c6a21ed11188777fa0a752cb7b56038d79a88627cc"
id = "8d0cbb7b-6650-53ed-8d58-176f8b4af880"
strings:
$x1 = "cmd.exe /c (ping 0.0.0.0 > nul) && if exist %programdata%\\evtchk.txt" fullword wide
$x2 = "cmd.exe /c (echo strPath = Wscript.ScriptFullName & echo.Set FSO = CreateObject^(\"Scripting.FileSystemObject\"^)" wide
$x3 = "del %programdata%\\evtchk.txt" fullword wide
$x4 = "Pyeongchang2018.com\\svc_all_swd_installc" fullword ascii
$s1 = "<STARTCRED>" fullword wide
$s2 = "SELECT ds_cn FROM ds_computer" fullword wide
$s3 = "\\system32\\notepad.exe" wide
$s4 = "%s \\\\%s -u \"%s\" -p \"%s\" -accepteula -d %s %s \"%s\"" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 5000KB and (
pe.imphash() == "fd7200dcd5c0d9d4d277a26d951210aa" or
pe.imphash() == "975087e9286238a80895b195efb3968d" or
pe.imphash() == "da1c2d7acfe54df797bfb1f470257bc3" or
1 of ($x*) or
3 of them
)
}