YARA rules for Duqu / Duqu 2.0
12 rules · scoped to actor · back to Duqu / Duqu 2.0
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.
rule Duqu1_5_modules {
meta:
author = "Silas Cutler (havex@chronicle.security)"
desc = "Detection for Duqu 1.5 modules"
hash = "bb3961e2b473c22c3d5939adeb86819eb846ccd07f5736abb5e897918580aace"
reference = "https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0"
id = "7239f5e1-c08f-566c-8998-f7dacc2c4a29"
strings:
$c1 = "%s(%d)disk(%d)fdisk(%d)"
$c2 = "\\Device\\Floppy%d" wide
$c3 = "BrokenAudio" wide
$m1 = { 81 3F E9 18 4B 7E}
$m2 = { 81 BC 18 F8 04 00 00 B3 20 EA B4 }
condition:
all of them
}
rule APT_apt_duqu2_loaders {
meta:
copyright = "Kaspersky Lab"
description = "Rule to detect Duqu 2.0 samples"
last_modified = "2015-06-09"
version = "1.0"
id = "22db52c2-18e7-537e-a9c5-38ccfd3a0d30"
strings:
$a1 = "{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}" wide
$a2 = "\\\\.\\pipe\\{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}" wide
$a4 = "\\\\.\\pipe\\{AB6172ED-8105-4996-9D2A-597B5F827501}" wide
$a5 = "Global\\{B54E3268-DE1E-4c1e-A667-2596751403AD}" wide
$a8 = "SELECT `Data` FROM `Binary` WHERE `Name`='%s%i'" wide
$a9 = "SELECT `Data` FROM `Binary` WHERE `Name`='CryptHash%i'" wide
$a7 = "SELECT `%s` FROM `%s` WHERE `%s`='CAData%i'" wide
$b1 = "MSI.dll"
$b2 = "msi.dll"
$b3 = "StartAction"
$c1 = "msisvc_32@" wide
$c2 = "PROP=" wide
$c3 = "-Embedding" wide
$c4 = "S:(ML;;NW;;;LW)" wide
$d1 = "NameTypeBinaryDataCustomActionActionSourceTargetInstallExecuteSequenceConditionSequencePropertyValueMicrosoftManufacturer" nocase
$d2 = {2E 3F 41 56 3F 24 5F 42 69 6E 64 40 24 30 30 58 55 3F 24 5F 50 6D 66 5F 77 72 61 70 40 50 38 43 4C 52 ?? 40 40 41 45 58 58 5A 58 56 31 40 24 24 24 56 40 73 74 64 40 40 51 41 56 43 4C 52 ?? 40 40 40 73 74 64 40 40}
condition:
( (uint16(0) == 0x5a4d) and ( (any of ($a*)) or (all of ($b*)) or (all of ($c*)) ) and filesize < 100000 )
or
( (uint32(0) == 0xe011cfd0) and ( (any of ($a*)) or (all of ($b*)) or (all of ($c*)) or (any of ($d*)) ) and filesize < 20000000 )
}
rule APT_apt_duqu2_drivers {
meta:
copyright = "Kaspersky Lab"
description = "Rule to detect Duqu 2.0 drivers"
last_modified = "2015-06-09"
version = "1.0"
id = "714d5151-9f80-582e-a628-1de9d83a072d"
strings:
$a1 = "\\DosDevices\\port_optimizer" wide nocase
$a2 = "romanian.antihacker"
$a3 = "PortOptimizerTermSrv" wide
$a4 = "ugly.gorilla1"
$b1 = "NdisIMCopySendCompletePerPacketInfo"
$b2 = "NdisReEnumerateProtocolBindings"
$b3 = "NdisOpenProtocolConfiguration"
condition:
uint16(0) == 0x5A4D and (any of ($a*) ) and (2 of ($b*)) and filesize < 100000
}
rule Duqu2_Generic1 {
meta:
description = "Kaspersky APT Report - Duqu2 Sample - Generic Rule"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/7yKyOj"
date = "2015-06-10"
super_rule = 1
hash0 = "3f9168facb13429105a749d35569d1e91465d313"
hash1 = "0a574234615fb2382d85cd6d1a250d6c437afecc"
hash2 = "38447ed1d5e3454fe17699f86c0039f30cc64cde"
hash3 = "5282d073ee1b3f6ce32222ccc2f6066e2ca9c172"
hash4 = "edfca3f0196788f7fde22bd92a8817a957c10c52"
hash5 = "6a4ffa6ca4d6fde8a30b6c8739785f4bd2b5c415"
hash6 = "00170bf9983e70e8dd4f7afe3a92ce1d12664467"
hash7 = "32f8689fd18c723339414618817edec6239b18f3"
hash8 = "f860acec9920bc009a1ad5991f3d5871c2613672"
hash9 = "413ba509e41c526373f991d1244bc7c7637d3e13"
hash10 = "29cd99a9b6d11a09615b3f9ef63f1f3cffe7ead8"
hash11 = "dfe1cb775719b529138e054e7246717304db00b1"
id = "0e03eda5-d65b-5400-aceb-bc37559d9a6e"
strings:
$s0 = "Global\\{B54E3268-DE1E-4c1e-A667-2596751403AD}" fullword wide
$s1 = "SetSecurityDescriptorSacl" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 189 times */
$s2 = "msisvc_32@" fullword wide
$s3 = "CompareStringA" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 1392 times */
$s4 = "GetCommandLineW" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 1680 times */
condition:
uint16(0) == 0x5a4d and filesize < 150KB and all of them
}
rule APT_Kaspersky_Duqu2_procexp {
meta:
description = "Kaspersky APT Report - Duqu2 Sample - Malicious MSI"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/7yKyOj"
date = "2015-06-10"
hash1 = "2422835716066b6bcecb045ddd4f1fbc9486667a"
hash2 = "b120620b5d82b05fee2c2153ceaf305807fa9f79"
hash3 = "288ebfe21a71f83b5575dfcc92242579fb13910d"
id = "d7fd48d5-2416-5eff-a751-ece09ce27767"
strings:
$x1 = "svcmsi_32.dll" fullword wide
$x2 = "msi3_32.dll" fullword wide
$x3 = "msi4_32.dll" fullword wide
$x4 = "MSI.dll" fullword ascii
$s1 = "SELECT `Data` FROM `Binary` WHERE `Name`='%s%i'" fullword wide
$s2 = "Sysinternals installer" fullword wide /* PEStudio Blacklist: strings */
$s3 = "Process Explorer" fullword wide /* PEStudio Blacklist: strings */ /* Goodware String - occured 5 times */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and ( 1 of ($x*) ) and ( all of ($s*) )
}
rule APT_Kaspersky_Duqu2_SamsungPrint {
meta:
description = "Kaspersky APT Report - Duqu2 Sample"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/7yKyOj"
date = "2015-06-10"
hash = "ce39f41eb4506805efca7993d3b0b506ab6776ca"
id = "cc4bc00e-f38b-577f-8f00-637c0549894c"
strings:
$s0 = "Installer for printer drivers and applications" fullword wide /* PEStudio Blacklist: strings */
$s1 = "msi4_32.dll" fullword wide
$s2 = "HASHVAL" fullword wide
$s3 = "SELECT `%s` FROM `%s` WHERE `%s`='CAData%i'" fullword wide
$s4 = "ca.dll" fullword ascii
$s5 = "Samsung Electronics Co., Ltd." fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 82KB and all of them
}
rule APT_Kaspersky_Duqu2_msi3_32 {
meta:
description = "Kaspersky APT Report - Duqu2 Sample"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/7yKyOj"
date = "2015-06-10"
hash = "53d9ef9e0267f10cc10f78331a9e491b3211046b"
id = "6cbea2e7-f406-57cf-b9c8-9d84b1480035"
strings:
$s0 = "ProcessUserAccounts" fullword ascii /* PEStudio Blacklist: strings */
$s1 = "SELECT `UserName`, `Password`, `Attributes` FROM `CustomUserAccounts`" fullword wide /* PEStudio Blacklist: strings */
$s2 = "SELECT `UserName` FROM `CustomUserAccounts`" fullword wide /* PEStudio Blacklist: strings */
$s3 = "SELECT `Data` FROM `Binary` WHERE `Name`='CryptHash%i'" fullword wide
$s4 = "msi3_32.dll" fullword wide
$s5 = "RunDLL" fullword ascii
$s6 = "MSI Custom Action v3" fullword wide
$s7 = "msi3_32" fullword wide
$s8 = "Operating System" fullword wide /* PEStudio Blacklist: strings */ /* Goodware String - occured 9203 times */
condition:
uint16(0) == 0x5a4d and filesize < 72KB and all of them
}
rule Duqu2_Sample1 {
meta:
description = "Detects malware - Duqu2 (cross-matches with IronTiger malware and Derusbi)"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"
date = "2016-07-02"
score = 80
hash1 = "6b146e3a59025d7085127b552494e8aaf76450a19c249bfed0b4c09f328e564f"
hash2 = "8e97c371633d285cd8fc842f4582705052a9409149ee67d97de545030787a192"
hash3 = "2796a119171328e91648a73d95eb297edc220e8768f4bbba5fb7237122a988fc"
hash4 = "5559fcc93eef38a1c22db66a3e0f9e9f026c99e741cc8b1a4980d166f2696188"
id = "39ba04f1-df45-5513-ab8f-12097a79cdc7"
strings:
$x1 = "SELECT `Data` FROM `Binary` WHERE `Name`='%s%i'" fullword wide
$s2 = "MSI.dll" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 40KB and $x1 ) or ( all of them )
}
rule Duqu2_Sample2 {
meta:
description = "Detects Duqu2 Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"
date = "2016-07-02"
score = 80
hash1 = "d12cd9490fd75e192ea053a05e869ed2f3f9748bf1563e6e496e7153fb4e6c98"
hash2 = "5ba187106567e8d036edd5ddb6763f89774c158d2a571e15d76572d8604c22a0"
hash3 = "6e09e1a4f56ea736ff21ad5e188845615b57e1a5168f4bdaebe7ddc634912de9"
hash4 = "c16410c49dc40a371be22773f420b7dd3cfd4d8205cf39909ad9a6f26f55718e"
hash5 = "2ecb26021d21fcef3d8bba63de0c888499110a2b78e4caa6fa07a2b27d87f71b"
hash6 = "2c9c3ddd4d93e687eb095444cef7668b21636b364bff55de953bdd1df40071da"
id = "a32f54a3-8656-5592-ac40-17330bfca319"
strings:
$s1 = "=<=Q=W=a=g=p=v=|=" fullword ascii
$s2 = ">#>(>.>3>=>]>d>p>" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 50KB and all of ($s*)
}
rule Duqu2_Sample3 {
meta:
description = "Detects Duqu2 Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"
date = "2016-07-02"
score = 80
hash1 = "2a9a5afc342cde12c6eb9a91ad29f7afdfd8f0fb17b983dcfddceccfbc17af69"
id = "c558445f-fbe3-57db-80f7-09a87b097921"
strings:
$s1 = "SELECT `%s` FROM `%s` WHERE `%s`='CAData%i'" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 50KB and $s1 )
}
rule Duqu2_Sample4 {
meta:
description = "Detects Duqu2 Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"
date = "2016-07-02"
score = 80
hash1 = "3536df7379660d931256b3cf49be810c0d931c3957c464d75e4cba78ba3b92e3"
id = "8c5ca68d-762c-5d2e-8d37-f58dc66bcae2"
strings:
$x1 = "SELECT `Data` FROM `Binary` WHERE `Name`='CryptHash%i'" fullword wide
$s2 = "SELECT `UserName`, `Password`, `Attributes` FROM `CustomUserAccounts`" fullword wide
$s3 = "SELECT `UserName` FROM `CustomUserAccounts`" fullword wide
$s4 = "ProcessUserAccounts" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 30KB and 1 of ($x*) ) or ( all of them )
}
rule Duqu2_UAs {
meta:
description = "Detects Duqu2 Executable based on the specific UAs in the file"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"
date = "2016-07-02"
score = 80
hash1 = "52fe506928b0262f10de31e783af8540b6a0b232b15749d647847488acd0e17a"
hash2 = "81cdbe905392155a1ba8b687a02e65d611b60aac938e470a76ef518e8cffd74d"
id = "d82f6351-fab0-5324-850f-dd40a172fceb"
strings:
$x1 = "Mozilla/5.0 (Windows NT 6.1; U; ru; rv:5.0.1.6) Gecko/20110501 Firefox/5.0.1 Firefox/5.0.1" fullword wide
$x2 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7xs5D9rRDFpg2g" fullword wide
$x3 = "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; FDM; .NET CLR 1.1.4322)" fullword wide
$x4 = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110612 Firefox/6.0a2" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 800KB and all of them )
}