
/*
Yara Rule Set
Author: Florian Roth
Date: 2018-03-09
Identifier: Slingshot APT
Reference: https://securelist.com/apt-slingshot/84312/
*/
import "pe"
rule Slingshot_APT_Spork_Downloader {
    // Slingshot APT "spork" component, keyed on its command-line usage text.
    meta:
        description = "Detects malware from Slingshot APT"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://securelist.com/apt-slingshot/84312/"
        date = "2018-03-09"
        id = "21e02f78-40d8-5b56-b747-3f2a7a692259"
    strings:
        // Usage banner, matched both as ASCII and as UTF-16LE (wide).
        $spork_usage = "Usage: spork -c IP:PORT" fullword ascii wide
        // Help text; no modifier is given, so only YARA's default ASCII
        // encoding is searched (a wide-only copy of this text would not hit).
        $spork_help  = "connect-back IP address and port number"
    condition:
        // MZ header, size cap, then either of the two strings.
        uint16(0) == 0x5a4d and filesize < 3000KB and any of them
}
rule Slingshot_APT_Minisling {
    // Slingshot APT "Minisling" component, keyed on a single GUID-shaped string.
    meta:
        description = "Detects malware from Slingshot APT"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://securelist.com/apt-slingshot/84312/"
        date = "2018-03-09"
        id = "99f9d5a1-b29f-52f7-9aec-02df4a51a756"
    strings:
        // GUID literal, ASCII or UTF-16LE, on a word boundary.
        $guid = "{6D29520B-F138-442e-B29F-A4E7140F33DE}" fullword ascii wide
    condition:
        // With a single string, "1 of them" is just that string.
        uint16(0) == 0x5a4d and filesize < 3000KB and $guid
}
rule Slingshot_APT_Ring0_Loader {
    // Slingshot APT ring-0 loader, keyed on its log/error messages and the
    // device paths it opens.
    meta:
        description = "Detects malware from Slingshot APT"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://securelist.com/apt-slingshot/84312/"
        date = "2018-03-09"
        id = "b5301a45-a4ec-5e56-a990-bc6300ee6365"
    strings:
        // Installer error messages (ASCII, substring match).
        $err_datadir     = " -> Missing element in DataDir -- cannot install" ascii
        $err_loader      = " -> Primary loader not present in the DataDir" ascii
        // Device paths: \\.\amxpci and \\.\Sandra.
        // NOTE(review): these are bare device names; if the corresponding
        // legitimate driver packages embed the same path, either one alone
        // could match benign software under "any of them" — confirm against
        // a clean corpus before relying on it as a single-hit rule.
        $dev_amxpci      = "\\\\.\\amxpci" fullword ascii
        $goad_error      = " -> [Goad] ERROR in CreateFile:" fullword ascii
        $dev_sandra      = "\\\\.\\Sandra" fullword ascii
        $sandra_ring0    = " -> [Sandra] RingZeroCode" fullword ascii
        $sandra_rdmsr    = " -> [Sandra] Value from IOCTL_RDMSR:" fullword ascii
    condition:
        // MZ header, size cap, and any single string.
        uint16(0) == 0x5a4d and filesize < 3000KB and any of them
}
rule Slingshot_APT_Malware_1 {
    // Slingshot APT sample (see hash1): import hash, an export name, or
    // any one of three embedded strings.
    meta:
        description = "Detects malware from Slingshot APT"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://securelist.com/apt-slingshot/84312/"
        date = "2018-03-09"
        hash1 = "4b250304e28648574b441831bf579b844e8e1fda941fb7f86a7ea7c4291bbca6"
        id = "72f4a52b-c70b-511f-acf5-6d680a95c7d6"
    strings:
        $dll_name = "SlingDll.dll" fullword ascii
        $bogus    = "BogusDll." ascii
        // printf-style fragment, UTF-16LE only.
        $smsvcrt  = "smsvcrt -h 0x%p" fullword wide
    condition:
        // Requires the pe module (imported at the top of the file).
        uint16(0) == 0x5a4d and filesize < 700KB and (
            pe.imphash() == "7ead4bb0d752003ce7c062adb7ffc51a" or
            pe.exports("WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW0000") or
            any of them
        )
}
rule Slingshot_APT_Malware_2 {
    // Slingshot APT sample (see hash1): one high-confidence ($x*) indicator,
    // or four of the supporting strings.
    meta:
        description = "Detects malware from Slingshot APT"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://securelist.com/apt-slingshot/84312/"
        date = "2018-03-09"
        hash1 = "2a51ef6d115daa648ddd57d1e4480f5a18daf40986bfde32aab19349aa010e67"
        id = "b85d3d81-0148-5ea0-9eff-d9bb63e3e75b"
    strings:
        // High-confidence: a full RECYCLER path with an embedded SID, wide.
        $x_recycler  = "\\\\?\\c:\\RECYCLER\\S-1-5-21-2225084468-623340172-1005306204-500\\INFO5" fullword wide
        // High-confidence: 9-byte sequence.
        $x_slingshot = {09 46 BE 57 42 DD 70 35 5E }
        // Supporting strings.
        $s_svc_stop  = "Opening service %s for stop access failed.#" fullword wide
        $s_lanman    = "LanMan setting <%s> is ignored because system has a higher value already." fullword wide
        $s_amxpci    = "\\DosDevices\\amxpci" wide
        $s_token     = "lNTLMqSpPD" fullword ascii
    condition:
        // "them" covers all six strings, $x* included.
        uint16(0) == 0x5a4d and filesize < 900KB and ( any of ($x*) or 4 of them )
}
rule Slingshot_APT_Malware_3 {
    // Slingshot APT sample (see hash1): import hash, a "dll_u" export, or the
    // DLL name together with two of the format strings.
    meta:
        description = "Detects malware from Slingshot APT"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://securelist.com/apt-slingshot/84312/"
        date = "2018-03-09"
        hash1 = "fa513c65cded25a7992e2b0ab03c5dd5c6d0fc2282cd64a1e11a387a3341ce18"
        id = "4ef1f9a6-3d80-545e-8ac3-c6d46c71fca1"
    strings:
        // Anchor: must be present in the string-based branch.
        $a1   = "chmhlpr.dll" fullword ascii
        // Four/three/two-char format strings with trailing '=' padding
        // (presumably base64-style output; not confirmed from the sample).
        $s_f4 = "%hc%hc%hc%hc" fullword ascii
        $s_f3 = "%hc%hc%hc=" fullword ascii
        $s_f2 = "%hc%hc==" fullword ascii
    condition:
        // Requires the pe module (imported at the top of the file).
        uint16(0) == 0x5a4d and filesize < 100KB and (
            pe.imphash() == "2f3b3df466e24e0792e0e90d668856bc" or
            pe.exports("dll_u") or
            ( $a1 and 2 of ($s*) )
        )
}
rule Slingshot_APT_Malware_4 {
    // Slingshot APT sample (see hash1): a single hard-coded command line, or
    // two of any strings.
    meta:
        description = "Detects malware from Slingshot APT"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://securelist.com/apt-slingshot/84312/"
        date = "2018-03-09"
        hash1 = "38c4f5320b03cbaf5c14997ea321507730a8c16906e5906cbf458139c91d5945"
        id = "0f957330-1834-550f-ba5d-fb2bf0dfba7f"
    strings:
        // High-confidence: fixed argument string, UTF-16LE.
        $x_cmdline  = "Ss -a 4104 -s 257092 -o 8 -l 406016 -r 4096 -z 315440" fullword wide
        // Supporting strings.
        $s_name     = "Slingshot" fullword ascii
        $s_recycle  = "\\\\?\\e:\\$Recycle.Bin\\" wide
        $s_reloc    = "LineRecs.reloc" fullword ascii
        $s_exit     = "EXITGNG" fullword ascii
    condition:
        // "them" includes $x_cmdline, so the or-branch only matters when it
        // pairs with one other string.
        uint16(0) == 0x5a4d and filesize < 1000KB and (
            $x_cmdline or 2 of them
        )
}