YARA rules for APT37
98 rules · scoped to actor · back to APT37
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.
rule Batch_Script_To_Run_PsExec {
meta:
author = "NCSC"
description = "Detects malicious batch file from NCSC report"
reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
date = "2018/04/06"
hash = "b7d7c4bc8f9fd0e461425747122a431f93062358ed36ce281147998575ee1a18"
id = "1fbeeec8-a5bd-569e-b435-c7d82d32e47b"
strings:
$ = "Tokens=1 delims=" ascii
$ = "SET ws=%1" ascii
$ = "Checking %ws%" ascii
$ = "%TEMP%\\%ws%ns.txt" ascii
$ = "ps.exe -accepteula" ascii
condition:
3 of them
}
rule Casper_SystemInformation_Output {
meta:
description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://goo.gl/VRJNLo"
date = "2015/03/06"
score = 70
id = "aaae200c-7ef1-52eb-be5b-36e0ad29ecef"
strings:
$a0 = "***** SYSTEM INFORMATION ******"
$a1 = "***** SECURITY INFORMATION ******"
$a2 = "Antivirus: "
$a3 = "Firewall: "
$a4 = "***** EXECUTION CONTEXT ******"
$a5 = "Identity: "
$a6 = "<CONFIG TIMESTAMP="
condition:
all of them
}
rule Certutil_Decode_OR_Download {
meta:
description = "Certutil Decode"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
score = 40
date = "2017-08-29"
modified = "2026-04-01"
id = "63bdefd2-225a-56d5-b615-5e236c97f050"
strings:
$a1 = "certutil -decode " ascii wide
$a2 = "certutil -decode " ascii wide
$a3 = "certutil.exe -decode " ascii wide
$a4 = "certutil.exe -decode " ascii wide
$a5 = "certutil -urlcache -split -f http" ascii wide
$a6 = "certutil.exe -urlcache -split -f http" ascii wide
$fp_msi = { 52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79 }
$fp_doc = "https://docs.aws.amazon.com" ascii
condition:
filesize < 700KB
and 1 of ($a*)
and not 1 of ($fp*)
}
rule APT_Cloaked_CERTUTIL {
meta:
description = "Detects a renamed certutil.exe utility that is often used to decode encoded payloads"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2018-09-14"
modified = "2022-06-27"
id = "13943cda-6bb1-5c6c-8e55-e8d4bba1ffef"
strings:
$s1 = "-------- CERT_CHAIN_CONTEXT --------" fullword ascii
$s5 = "certutil.pdb" fullword ascii
$s3 = "Password Token" fullword ascii
condition:
uint16(0) == 0x5a4d and all of them
and not filename contains "certutil"
and not filename contains "CertUtil"
and not filename contains "Certutil"
and not filepath contains "\\Bromium\\"
}
rule Binary_Drop_Certutil {
meta:
description = "Drop binary as base64 encoded cert trick"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/9DNn8q"
date = "2015-07-15"
score = 70
id = "19791e51-d041-524d-80fa-9f3ec54eb084"
strings:
$s0 = "echo -----BEGIN CERTIFICATE----- >" ascii
$s1 = "echo -----END CERTIFICATE----- >>" ascii
$s2 = "certutil -decode " ascii
condition:
filesize < 10KB and all of them
}
rule Lazagne_PW_Dumper {
meta:
description = "Detects Lazagne PW Dumper"
author = "Markus Neis / Florian Roth"
reference = "https://github.com/AlessandroZ/LaZagne/releases/"
date = "2018-03-22"
score = 70
id = "1904029e-9336-5278-ae2e-4bc853316600"
strings:
$s1 = "Crypto.Hash" fullword ascii
$s2 = "laZagne" fullword ascii
$s3 = "impacket.winregistry" fullword ascii
condition:
3 of them
}
rule HKTL_Lazagne_PasswordDumper_Dec18_1 {
meta:
description = "Detects password dumper Lazagne often used by middle eastern threat groups"
author = "Florian Roth (Nextron Systems)"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
reference = "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group"
date = "2018-12-11"
score = 85
hash1 = "1205f5845035e3ee30f5a1ced5500d8345246ef4900bcb4ba67ef72c0f79966c"
hash2 = "884e991d2066163e02472ea82d89b64e252537b28c58ad57d9d648b969de6a63"
hash3 = "bf8f30031769aa880cdbe22bc0be32691d9f7913af75a5b68f8426d4f0c7be50"
id = "bae48a4d-33b6-55b9-abf5-daf87e5da9e9"
strings:
$s1 = "softwares.opera(" ascii
$s2 = "softwares.mozilla(" ascii
$s3 = "config.dico(" ascii
$s4 = "softwares.chrome(" ascii
$s5 = "softwares.outlook(" ascii
condition:
uint16(0) == 0x5a4d and filesize < 17000KB and 1 of them
}
rule HKTL_Lazagne_Gen_18 {
meta:
description = "Detects Lazagne password extractor hacktool"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/AlessandroZ/LaZagne"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
date = "2018-12-11"
score = 80
hash1 = "51121dd5fbdfe8db7d3a5311e3e9c904d644ff7221b60284c03347938577eecf"
id = "034ea6d8-f5cf-5664-9ff9-24d19403093d"
strings:
$x1 = "lazagne.config.powershell_execute(" ascii
$x2 = "creddump7.win32." ascii
$x3 = "lazagne.softwares.windows.hashdump" ascii
$x4 = ".softwares.memory.libkeepass.common(" ascii
condition:
2 of them
}
rule Impacket_Keyword {
meta:
description = "Detects Impacket Keyword in Executable"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-08-04"
score = 60
hash1 = "9388c78ea6a78dbea307470c94848ae2481481f593d878da7763e649eaab4068"
hash2 = "2f6d95e0e15174cfe8e30aaa2c53c74fdd13f9231406b7103da1e099c08be409"
id = "a92962e6-1b05-583b-8b06-f226bdea88e2"
strings:
$s1 = "impacket.smb(" ascii
$s2 = "impacket.ntlm(" ascii
$s3 = "impacket.nmb(" ascii
condition:
(uint16(0) == 0x5a4d and filesize < 14000KB and 1 of them)
}
rule Impacket_Tools_tracer {
meta:
description = "Compiled Impacket Tools"
author = "Florian Roth"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
modified = "2021-07-15"
hash1 = "e300339058a885475f5952fb4e9faaa09bb6eac26757443017b281c46b03108b"
strings:
$s1 = "btk85.dll" fullword ascii
$s2 = "btcl85.dll" fullword ascii
$s3 = "xtk\\unsupported.tcl" fullword ascii
$fp1 = "Linden Research Inc" wide
condition:
( uint16(0) == 0x5a4d and filesize < 21000KB and all of ($s*) )
and not 1 of ($fp*)
}
rule Impacket_Tools_wmiexec {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "19544863758341fe7276c59d85f4aa17094045621ca9c98f8a9e7307c290bad4"
id = "3c2c7edf-da71-53dc-9ddf-dfbf10838a27"
strings:
$s1 = "bwmiexec.exe.manifest" fullword ascii
$s2 = "swmiexec" fullword ascii
$s3 = "\\yzHPlU=QA" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and 2 of them )
}
rule Impacket_Tools_sniffer {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "efff15e1815fb3c156678417d6037ddf4b711a3122c9b5bc2ca8dc97165d3769"
id = "07051edc-91a8-59d6-87bf-dba98ef28588"
strings:
$s1 = "ssniffer" fullword ascii
$s2 = "impacket.dhcp(" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 15000KB and all of them )
}
rule Impacket_Tools_mmcexec {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "263a1655a94b7920531e123a8c9737428f2988bf58156c62408e192d4b2a63fc"
id = "cca2082f-72a4-50c8-80b8-a9bed430dc4e"
strings:
$s1 = "smmcexec" fullword ascii
$s2 = "\\yzHPlU=QA" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 16000KB and all of them )
}
rule Impacket_Tools_ifmap {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "20a1f11788e6cc98a76dca2db4691963c054fc12a4d608ac41739b98f84b3613"
id = "e5461916-ec2b-5f65-b938-267483f50bb2"
strings:
$s1 = "bifmap.exe.manifest" fullword ascii
$s2 = "impacket.dcerpc.v5.epm(" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 15000KB and all of them )
}
rule karmaSMB {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "d256d1e05695d62a86d9e76830fcbb856ba7bd578165a561edd43b9f7fdb18a3"
id = "32c810c7-02e7-5203-b2ed-4e930b318cc0"
strings:
$s1 = "bkarmaSMB.exe.manifest" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule samrdump {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "4c2921702d18e0874b57638433474e54719ee6dfa39d323839d216952c5c834a"
id = "cd274719-c8cc-5882-8d75-192ad822c6b3"
strings:
$s2 = "bsamrdump.exe.manifest" fullword ascii
$s3 = "ssamrdump" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_rpcdump {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "21d85b36197db47b94b0f4995d07b040a0455ebbe6d413bc33d926ee4e0315d9"
id = "3f998aa6-c260-5fef-99ef-e8b4770c68c6"
strings:
$s1 = "srpcdump" fullword ascii
$s2 = "impacket.dcerpc.v5.epm(" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_secretsdump {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "47afa5fd954190df825924c55112e65fd8ed0f7e1d6fd403ede5209623534d7d"
id = "c944d051-ea24-5595-abef-59e326ad56de"
strings:
$s1 = "ssecretsdump" fullword ascii
$s2 = "impacket.ese(" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_esentutl {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "70d854953d3ebb2c252783a4a103ba0e596d6ab447f238af777fb37d2b64c0cd"
id = "1965e2b3-54be-553a-83d6-a0d4919414dd"
strings:
$s1 = "impacket.ese(" ascii
$s2 = "sesentutl" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 11000KB and all of them )
}
rule Impacket_Tools_opdump {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "e2205539f29972d4e2a83eabf92af18dd406c9be97f70661c336ddf5eb496742"
id = "1bb0e747-e9b7-5a54-8052-428351be8d0d"
strings:
$s2 = "bopdump.exe.manifest" fullword ascii
$s3 = "sopdump" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_sniff {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "8ab2b60aadf97e921e3a9df5cf1c135fbc851cb66d09b1043eaaa1dc01b9a699"
id = "07051edc-91a8-59d6-87bf-dba98ef28588"
strings:
$s1 = "ssniff" fullword ascii
$s2 = "impacket.eap(" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 15000KB and all of them )
}
rule Impacket_Tools_smbexec {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "7d715217e23a471d42d95c624179fe7de085af5670171d212b7b798ed9bf07c2"
id = "02208817-2eab-54e2-90cf-44dbf5474607"
strings:
$s1 = "logging.config(" ascii
$s2 = "ssmbexec" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_goldenPac {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "4f7fad0676d3c3d2d89e8d4e74b6ec40af731b1ddf5499a0b81fc3b1cd797ee3"
id = "9894d16c-83fa-5e1d-9ca6-572deeec006a"
strings:
$s1 = "impacket.examples.serviceinstall(" ascii
$s2 = "bgoldenPac.exe" fullword ascii
$s3 = "json.scanner(" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_netview {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "ab909f8082c2d04f73d8be8f4c2640a5582294306dffdcc85e83a39d20c49ed6"
id = "1b9238d2-b9b1-5633-8481-05a3a97af5a6"
strings:
$s1 = "impacket.dcerpc.v5.wkst(" ascii
$s2 = "dummy_threading(" ascii
$s3 = "snetview" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_smbtorture {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "d2856e98011541883e5b335cb46b713b1a6b2c414966a9de122ee7fb226aa7f7"
id = "4f9b55e2-93ce-5d08-a228-73233fb0a2c6"
strings:
$s1 = "impacket" fullword ascii
$s2 = "ssmbtorture" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_smbrelayx {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "9706eb99e48e445ac4240b5acb2efd49468a800913e70e40b25c2bf80d6be35f"
id = "84abf3cf-841c-592d-a9d1-71d5e76eb43f"
strings:
$s1 = "impacket.examples.secretsdump" fullword ascii
$s2 = "impacket.examples.serviceinstall" fullword ascii
$s3 = "impacket.smbserver(" ascii
$s4 = "SimpleHTTPServer(" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 18000KB and 3 of them )
}
rule Impacket_Tools_wmipersist {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "2527fff1a3c780f6a757f13a8912278a417aea84295af1abfa4666572bbbf086"
id = "29bda652-28f0-5ab6-9bc2-411f20ab0dda"
strings:
$s1 = "swmipersist" fullword ascii
$s2 = "\\yzHPlU=QA" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_lookupsid {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "47756725d7a752d3d3cfccfb02e7df4fa0769b72e008ae5c85c018be4cf35cc1"
id = "27f13397-b044-54b4-b5e8-c5f7ed374f59"
strings:
$s1 = "slookupsid" fullword ascii
$s2 = "impacket.dcerpc" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 15000KB and all of them )
}
rule Impacket_Tools_wmiquery {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "202a1d149be35d96e491b0b65516f631f3486215f78526160cf262d8ae179094"
id = "e8bdf27a-9763-5947-854f-162f74ff53be"
strings:
$s1 = "swmiquery" fullword ascii
$s2 = "\\yzHPlU=QA" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_atexec {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "337bd5858aba0380e16ee9a9d8f0b3f5bfc10056ced4e75901207166689fbedc"
id = "4f02e304-69d4-5952-80be-793379bccac0"
strings:
$s1 = "batexec.exe.manifest" fullword ascii
$s2 = "satexec" fullword ascii
$s3 = "impacket.dcerpc" fullword ascii
$s4 = "# CSZq" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 15000KB and 3 of them )
}
rule Impacket_Tools_Generic_1 {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
super_rule = 1
hash1 = "4f7fad0676d3c3d2d89e8d4e74b6ec40af731b1ddf5499a0b81fc3b1cd797ee3"
hash2 = "d256d1e05695d62a86d9e76830fcbb856ba7bd578165a561edd43b9f7fdb18a3"
hash3 = "2d8d500bcb3ffd22ddd8bd68b5b2ce935c958304f03729442a20a28b2c0328c1"
hash4 = "ab909f8082c2d04f73d8be8f4c2640a5582294306dffdcc85e83a39d20c49ed6"
hash5 = "e2205539f29972d4e2a83eabf92af18dd406c9be97f70661c336ddf5eb496742"
hash6 = "27bb10569a872367ba1cfca3cf1c9b428422c82af7ab4c2728f501406461c364"
hash7 = "dc85a3944fcb8cc0991be100859c4e1bf84062f7428c4dc27c71e08d88383c98"
hash8 = "0f7f0d8afb230c31fe6cf349c4012b430fc3d6722289938f7e33ea15b2996e1b"
hash9 = "21d85b36197db47b94b0f4995d07b040a0455ebbe6d413bc33d926ee4e0315d9"
hash10 = "4c2921702d18e0874b57638433474e54719ee6dfa39d323839d216952c5c834a"
hash11 = "47afa5fd954190df825924c55112e65fd8ed0f7e1d6fd403ede5209623534d7d"
hash12 = "7d715217e23a471d42d95c624179fe7de085af5670171d212b7b798ed9bf07c2"
hash13 = "9706eb99e48e445ac4240b5acb2efd49468a800913e70e40b25c2bf80d6be35f"
hash14 = "d2856e98011541883e5b335cb46b713b1a6b2c414966a9de122ee7fb226aa7f7"
hash15 = "8ab2b60aadf97e921e3a9df5cf1c135fbc851cb66d09b1043eaaa1dc01b9a699"
hash16 = "efff15e1815fb3c156678417d6037ddf4b711a3122c9b5bc2ca8dc97165d3769"
hash17 = "e300339058a885475f5952fb4e9faaa09bb6eac26757443017b281c46b03108b"
hash18 = "19544863758341fe7276c59d85f4aa17094045621ca9c98f8a9e7307c290bad4"
hash19 = "2527fff1a3c780f6a757f13a8912278a417aea84295af1abfa4666572bbbf086"
hash20 = "202a1d149be35d96e491b0b65516f631f3486215f78526160cf262d8ae179094"
id = "d2ce6426-d165-5569-a992-268f05622653"
strings:
$s1 = "bpywintypes27.dll" fullword ascii
$s2 = "hZFtPC" fullword ascii
$s3 = "impacket" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 21000KB and all of ($s*) ) or ( all of them )
}
rule Impacket_Lateral_Movement {
meta:
description = "Detects Impacket Network Aktivity for Lateral Movement"
author = "Markus Neis"
reference = "https://github.com/CoreSecurity/impacket"
date = "2018-03-22"
score = 60
id = "44db234c-ac81-5d21-bc2a-8cfd88807c0d"
strings:
$s1 = "impacket.dcerpc.v5.transport(" ascii
$s2 = "impacket.smbconnection(" ascii
$s3 = "impacket.dcerpc.v5.ndr(" ascii
$s4 = "impacket.spnego(" ascii
$s5 = "impacket.smb(" ascii
$s6 = "impacket.ntlm(" ascii
$s7 = "impacket.nmb(" ascii
condition:
uint16(0) == 0x5a4d and filesize < 14000KB and 2 of them
}
rule HackTool_PY_ImpacketObfuscation_1
{
meta:
date = "2020-12-01"
modified = "2020-12-01"
description = "smbexec"
md5 = "0b1e512afe24c31531d6db6b47bac8ee"
reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
author = "FireEye"
id = "992d1132-3136-5e1b-a1ef-dcdf36ebf0f5"
strings:
$s1 = "class CMDEXEC" nocase
$s2 = "class RemoteShell" nocase
$s3 = "self.services_names"
$s4 = "import random"
$s6 = /self\.__shell[\x09\x20]{0,32}=[\x09\x20]{0,32}[\x22\x27]%CoMSpEC%[\x09\x20]{1,32}\/q[\x09\x20]{1,32}\/K [\x22\x27]/ nocase
$s7 = /self\.__serviceName[\x09\x20]{0,32}=[\x09\x20]{0,32}self\.services_names\[random\.randint\([\x09\x20]{0,32}0[\x09\x20]{0,32},[\x09\x20]{0,32}len\(self\.services_names\)[\x09\x20]{0,32}-[\x09\x20]{0,32}1\)\]/
condition:
all of them
}
rule HackTool_PY_ImpacketObfuscation_2
{
meta:
description = "Detects FireEye's wmiexec impacket obfuscation"
date = "2020-12-01"
modified = "2020-12-01"
md5 = "f3dd8aa567a01098a8a610529d892485"
reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
author = "FireEye"
id = "f1059f66-eaff-5866-bafb-c94236cf96a0"
strings:
$s1 = "import random"
$s2 = "class WMIEXEC" nocase
$s3 = "class RemoteShell" nocase
$s4 = /=[\x09\x20]{0,32}str\(int\(time\.time\(\)\)[\x09\x20]{0,32}-[\x09\x20]{0,32}random\.randint\(\d{1,10}[\x09\x20]{0,32},[\x09\x20]{0,32}\d{1,10}\)\)[\x09\x20]{0,32}\+[\x09\x20]{0,32}str\(uuid\.uuid4\(\)\)\.split\([\x22\x27]\-[\x22\x27]\)\[0\]/
$s5 = /self\.__shell[\x09\x20]{0,32}=[\x09\x20]{0,32}[\x22\x27]cmd.exe[\x09\x20]{1,32}\/q[\x09\x20]{1,32}\/K [\x22\x27]/ nocase
condition:
all of them
}
rule APT_NK_Methodology_Artificial_UserAgent_IE_Win7 {
meta:
author = "Steve Miller aka @stvemillertime"
description = "Detects hard-coded User-Agent string that has been present in several APT37 malware families."
hash1 = "e63efbf8624a531bb435b7446dbbfc25"
score = 45
id = "a747c908-7af7-5c29-8386-a71db7648061"
strings:
$a1 = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
$a2 = {4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 57 4f 57 36 34 3b 20 54 72 69 64 65 6e 74 2f 37 2e 30 3b 20 72 76 3a 31 31 2e 30 29 20 6c 69 6b 65 20 47 65 63 6b 6f 00 00 00 00}
$fp1 = "Esumsoft" wide
$fp2 = "Acunetix" wide ascii
$fp3 = "TASER SYNC" ascii
condition:
uint16(0) == 0x5A4D and all of ($a*) and not 1 of ($fp*)
}
rule HvS_APT37_smb_scanner {
meta:
description = "Unknown smb login scanner used by APT37"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Marc Stroebel"
date = "2020-12-15"
reference1 = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
reference2 = "https://www.hybrid-analysis.com/sample/d16163526242508d6961f061aaffe3ae5321bd64d8ceb6b2788f1570757595fc?environmentId=2"
id = "89a5cc32-f151-583d-823d-692de2c2b084"
strings:
$s1 = "Scan.exe StartIP EndIP ThreadCount logfilePath [Username Password Deep]" fullword ascii
$s2 = "%s - %s:(Username - %s / Password - %s" fullword ascii
$s3 = "Load mpr.dll Error " fullword ascii
$s4 = "Load Netapi32.dll Error " fullword ascii
$s5 = "%s U/P not Correct! - %d" fullword ascii
$s6 = "GetNetWorkInfo Version 1.0" fullword wide
$s7 = "Hello World!" fullword wide
$s8 = "%s Error: %ld" fullword ascii
$s9 = "%s U/P Correct!" fullword ascii
$s10 = "%s --------" fullword ascii
$s11 = "%s%-30s%I64d" fullword ascii
$s12 = "%s%-30s(DIR)" fullword ascii
$s13 = "%04d-%02d-%02d %02d:%02d" fullword ascii
$s14 = "Share: Local Path: Uses: Descriptor:" fullword ascii
$s15 = "Share: Type: Remark:" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 200KB and (10 of them)
}
rule HvS_APT37_cred_tool {
meta:
description = "Unknown cred tool used by APT37"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Markus Poelloth"
date = "2020-12-15"
reference = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
id = "e830025a-f2ac-55b1-aca3-ded9dba83a67"
strings:
$s1 = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>" fullword ascii
$s2 = "Domain Login" fullword ascii
$s3 = "IEShims_GetOriginatingThreadContext" fullword ascii
$s4 = " Type Descriptor'" fullword ascii
$s5 = "User: %s" fullword ascii
$s6 = "Pass: %s" fullword ascii
$s7 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">" fullword ascii
$s8 = "E@c:\\u" fullword ascii
condition:
filesize < 500KB and 7 of them
}
rule HvS_APT37_RAT_loader {
meta:
description = "BLINDINGCAN RAT loader named iconcash.db used by APT37"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Marc Stroebel"
date = "2020-12-15"
hash = "b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9"
reference1 = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
reference2 = "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a"
id = "6c3e8465-d607-59bf-85fc-5abbef71fb1c"
condition:
(pe.version_info["OriginalFilename"] contains "MFC_DLL.dll") and
(pe.exports("SMain") and pe.exports("SMainW") )
}
rule HvS_APT37_webshell_img_thumbs_asp {
meta:
description = "Webshell named img.asp, thumbs.asp or thumb.asp used by APT37"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Moritz Oettle"
date = "2020-12-15"
reference = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
hash = "94d2448d3794ae3f29678a7337473d259b5cfd1c7f703fe53ee6c84dd10a48ef"
id = "e45d4507-81de-5f72-9ce2-4f0e3e5c62b1"
strings:
$s1 = "strMsg = \"E : F\"" fullword ascii
$s2 = "strMsg = \"S : \" & Len(fileData)" fullword ascii
$s3 = "Left(workDir, InStrRev(workDir, \"/\")) & \"video\""
$a1 = "Server.CreateObject(\"Scripting.FileSystemObject\")" fullword ascii
$a2 = "Dim tmpPath, workDir" fullword ascii
$a3 = "Dim objFSO, objTextStream" fullword ascii
$a4 = "workDir = Request.ServerVariables(\"URL\")" fullword ascii
$a5 = "InStrRev(workDir, \"/\")" ascii
$g1 = "WriteFile = 0" fullword ascii
$g2 = "fileData = Request.Form(\"fp\")" fullword ascii
$g3 = "fileName = Request.Form(\"fr\")" fullword ascii
$g4 = "Err.Clear()" fullword ascii
$g5 = "Option Explicit" fullword ascii
condition:
filesize < 2KB and (( 1 of ($s*) ) or (3 of ($a*)) or (5 of ($g*)))
}
rule HvS_APT37_webshell_template_query_asp {
meta:
description = "Webshell named template-query.aspimg.asp used by APT37"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Moritz Oettle"
date = "2020-12-15"
reference = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
hash = "961a66d01c86fa5982e0538215b17fb9fae2991331dfea812b8c031e2ceb0d90"
id = "dc006b46-4c51-59cd-8b7d-adbfec86cd2e"
strings:
$g1 = "server.scripttimeout=600" fullword ascii
$g2 = "response.buffer=true" fullword ascii
$g3 = "response.expires=-1" fullword ascii
$g4 = "session.timeout=600" fullword ascii
$a1 = "redhat hacker" ascii
$a2 = "want_pre.asp" ascii
$a3 = "vgo=\"admin\"" ascii
$a4 = "ywc=false" ascii
$s1 = "public br,ygv,gbc,ydo,yka,wzd,sod,vmd" fullword ascii
condition:
filesize > 70KB and filesize < 200KB and (( 1 of ($s*) ) or (2 of ($a*)) or (3 of ($g*)))
}
rule HvS_APT37_webshell_controllers_asp {
meta:
description = "Webshell named controllers.asp or inc-basket-offer.asp used by APT37"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Moritz Oettle"
date = "2020-12-15"
reference = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
hash = "829462fc6d84aae04a962dfc919d0a392265fbf255eab399980d2b021e385517"
id = "82370415-30f4-514d-8806-e2daced96f07"
strings:
$s0 = "<%@Language=VBScript.Encode" ascii
// Case permutations of the word SeRvEr encoded with the Microsoft Script Encoder followed by .scriptrimeOut
$x1 = { 64 7F 44 2D 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x2 = { 64 7F 49 2D 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x3 = { 64 7F 49 2D 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x4 = { 64 7F 49 23 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x5 = { 64 7F 49 23 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x6 = { 64 7F 49 23 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x7 = { 64 7F 49 23 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x8 = { 64 41 44 2D 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x9 = { 64 41 44 2D 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x10 = { 64 41 44 2D 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x11 = { 64 41 44 2D 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x12 = { 64 7F 44 2D 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x13 = { 64 41 44 23 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x14 = { 64 41 44 23 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x15 = { 64 41 44 23 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x16 = { 64 41 44 23 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x17 = { 64 41 49 2D 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x18 = { 64 41 49 2D 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x19 = { 64 41 49 2D 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x20 = { 64 41 49 2D 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x21 = { 64 41 49 23 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x22 = { 64 41 49 23 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x23 = { 64 7F 44 2D 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x24 = { 64 41 49 23 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x25 = { 64 41 49 23 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x26 = { 6A 7F 44 2D 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x27 = { 6A 7F 44 2D 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x28 = { 6A 7F 44 2D 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x29 = { 6A 7F 44 2D 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x30 = { 6A 7F 44 23 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x31 = { 6A 7F 44 23 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x32 = { 6A 7F 44 23 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x33 = { 6A 7F 44 23 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x34 = { 64 7F 44 2D 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x35 = { 6A 7F 49 2D 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x36 = { 6A 7F 49 2D 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x37 = { 6A 7F 49 2D 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x38 = { 6A 7F 49 2D 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x39 = { 6A 7F 49 23 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x40 = { 6A 7F 49 23 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x41 = { 6A 7F 49 23 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x42 = { 6A 7F 49 23 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x43 = { 6A 41 44 2D 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x44 = { 6A 41 44 2D 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x45 = { 64 7F 44 23 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x46 = { 6A 41 44 2D 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x47 = { 6A 41 44 2D 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x48 = { 6A 41 44 23 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x49 = { 6A 41 44 23 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x50 = { 6A 41 44 23 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x51 = { 6A 41 44 23 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x52 = { 6A 41 49 2D 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x53 = { 6A 41 49 2D 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x54 = { 6A 41 49 2D 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x55 = { 6A 41 49 2D 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x56 = { 64 7F 44 23 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x57 = { 6A 41 49 23 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x58 = { 6A 41 49 23 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x59 = { 6A 41 49 23 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x60 = { 6A 41 49 23 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x61 = { 64 7F 44 23 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x62 = { 64 7F 44 23 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x63 = { 64 7F 49 2D 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x64 = { 64 7F 49 2D 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
condition:
filesize > 50KB and filesize < 200KB and ( $s0 and 1 of ($x*) )
}
rule Scarcruft_malware_Feb18_1 {
meta:
description = "Detects Scarcruft malware - February 2018"
author = "Florian rootpath"
reference = "https://twitter.com/craiu/status/959477129795731458"
date = "2018-02-03"
score = 90
id = "43a87f2a-cf60-5035-8d40-c360a789a1ac"
strings:
$x1 = "d:\\HighSchool\\version 13\\2ndBD\\T+M\\" ascii
$x2 = "cmd.exe /C ping 0.1.1.2" wide
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them
}
rule APT_NK_Scarcruft_RUBY_Shellcode_XOR_Routine {
meta:
author = "S2WLAB_TALON_JACK2"
description = "Detects Ruby ShellCode XOR routine used by ScarCruft APT group"
type = "APT"
version = "0.1"
date = "2021-05-20"
reference = "https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48"
id = "c393f2db-8ade-5083-9cec-f62f23056f8b"
strings:
/*
8B 4C 18 08 mov ecx, [eax+ebx+8]
C1 C7 0D rol edi, 0Dh
40 inc eax
F6 C7 01 test bh, 1
74 06 jz short loc_D0
81 F7 97 EA AE 78 xor edi, 78AEEA97h
*/
$hex1 = {C1 C7 0D 40 F6 C7 01 74 ?? 81 F7}
/*
41 C1 C2 0D rol r10d, 0Dh
41 8B C2 mov eax, r10d
44 8B CA mov r9d, edx
41 8B CA mov ecx, r10d
41 81 F2 97 EA AE 78 xor r10d, 78AEEA97h
*/
$hex2 = {41 C1 C2 0D 41 8B C2 44 8B CA 41 8B CA 41 81 F2}
condition:
1 of them
}
rule APT_NK_Scarcruft_evolved_ROKRAT {
meta:
author = "S2WLAB_TALON_JACK2"
description = "Detects RokRAT malware used by ScarCruft APT group"
type = "APT"
version = "0.1"
date = "2021-07-09"
reference = "https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48"
id = "53cabf41-0154-5372-b667-60d8a7cb9806"
strings:
/*
0x140130f25 C744242032311223 mov dword ptr [rsp + 0x20], 0x23123132
0x140130f2d C744242434455667 mov dword ptr [rsp + 0x24], 0x67564534
0x140130f35 C744242878899AAB mov dword ptr [rsp + 0x28], 0xab9a8978
0x140130f3d C744242C0CBDCEDF mov dword ptr [rsp + 0x2c], 0xdfcebd0c
0x140130f45 C745F02B7EA516 mov dword ptr [rbp - 0x10], 0x16a57e2b
0x140130f4c C745F428AED2A6 mov dword ptr [rbp - 0xc], 0xa6d2ae28
0x140130f53 C745F8ABF71588 mov dword ptr [rbp - 8], 0x8815f7ab
0x140130f5a C745FC09CF4F3C mov dword ptr [rbp - 4], 0x3c4fcf09
*/
$AES_IV_KEY = {
C7 44 24 ?? 32 31 12 23
C7 44 24 ?? 34 45 56 67
C7 44 24 ?? 78 89 9A AB
C7 44 24 ?? 0C BD CE DF
C7 45 ?? 2B 7E A5 16
C7 45 ?? 28 AE D2 A6
C7 45 ?? AB F7 15 88
C7 45 ?? 09 CF 4F 3C
}
/*
0x14012b637 80E90F sub cl, 0xf
0x14012b63a 80F1C8 xor cl, 0xc8
0x14012b63d 8848FF mov byte ptr [rax - 1], cl
0x14012b640 4883EA01 sub rdx, 1
*/
$url_deocde = {
80 E9 0F
80 F1 C8
88 48 ??
48 83 EA 01 }
condition:
uint16(0) == 0x5A4D and
any of them
}
rule FreeMilk_APT_Mal_1 {
meta:
description = "Detects malware from FreeMilk campaign"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
date = "2017-10-05"
hash1 = "34478d6692f8c28332751b31fd695b799d4ab36a8c12f7b728e2cb99ae2efcd9"
hash2 = "35273d6c25665a19ac14d469e1436223202be655ee19b5b247cb1afef626c9f2"
hash3 = "0f82ea2f92c7e906ee9ffbbd8212be6a8545b9bb0200eda09cce0ba9d7cb1313"
id = "eff37dba-d4a9-5e3d-9452-49f04ddcbe0b"
strings:
$x1 = "\\milk\\Release\\milk.pdb" ascii
$x2 = "E:\\BIG_POOH\\Project\\" ascii
$x3 = "Windows-KB271854-x86.exe" fullword wide
$s1 = "Windows-KB275122-x86.exe" fullword wide
$s2 = "\\wsatra.tmp" wide
$s3 = "%s\\Rar0tmpExtra%d.rtf" fullword wide
$s4 = "\"%s\" help" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 300KB and (
pe.imphash() == "108aa007b3d1b4817ff4c04d9b254b39" or
1 of ($x*) or
4 of them
)
}
rule FreeMilk_APT_Mal_2 {
meta:
description = "Detects malware from FreeMilk campaign"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
date = "2017-10-05"
hash1 = "7f35521cdbaa4e86143656ff9c52cef8d1e5e5f8245860c205364138f82c54df"
id = "ef5f400c-16f8-5374-af16-c8530ddb87ee"
strings:
$s1 = "failed to take the screenshot. err: %d" fullword ascii
$s2 = "runsample" fullword wide
$s3 = "%s%02X%02X%02X%02X%02X%02X:" fullword wide
$s4 = "win-%d.%d.%d-%d" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 400KB and (
pe.imphash() == "b86f7d2c1c182ec4c074ae1e16b7a3f5" or
all of them
)
}
rule FreeMilk_APT_Mal_3 {
meta:
description = "Detects malware from FreeMilk campaign"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
date = "2017-10-05"
hash1 = "ef40f7ddff404d1193e025081780e32f88883fa4dd496f4189084d772a435cb2"
id = "152781f0-756b-50ab-b588-4af5fa4ce419"
strings:
$s1 = "CMD.EXE /C \"%s\"" fullword wide
$s2 = "\\command\\start.exe" wide
$s3 = ".bat;.com;.cmd;.exe" fullword wide
$s4 = "Unexpected failure opening HKCR key: %d" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 900KB and all of them )
}
rule FreeMilk_APT_Mal_4 {
meta:
description = "Detects malware from FreeMilk campaign"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
date = "2017-10-05"
hash1 = "99c1b4887d96cb94f32b280c1039b3a7e39ad996859ffa6dd011cf3cca4f1ba5"
id = "44f919f7-8eda-5e70-88d5-9e81a761192c"
strings:
$x1 = "base64Encoded=\"TVqQAAMAAAAE" ascii
$s1 = "SOFTWARE\\Clients\\StartMenuInternet\\firefox.exe\\shell\\open\\command" fullword wide
$s2 = "'Wscript.echo \"Base64 encoded: \" + base64Encoded" fullword ascii
$s3 = "\\Google\\Chrome\\User Data\\Default\\Login Data" ascii
$s4 = "outFile=sysDir&\"\\rundll32.exe\"" fullword ascii
$s5 = "set shell = WScript.CreateObject(\"WScript.Shell\")" fullword ascii
$s6 = "command =outFile &\" sysupdate\"" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 3000KB and (
( pe.exports("getUpdate") and pe.number_of_exports == 1 ) or
1 of ($x*) or
3 of them
)
}