YARA rules for Naikon
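YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts. Because the rules are selected by keyword, several of them detect shared or dual-use tools (for example PsExec, certutil, HTran and LaZagne) rather than Naikon-specific malware, so a match on its own is not attribution to this actor.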
// Flags PE files that contain any one of six status/usage/path strings
// attributed by the author to the Iron Tiger "PlugX FastProxy" tool.
rule IronTiger_PlugX_FastProxy
{
    meta:
        author = "Cyber Safety Solutions, Trend Micro"
        description = "Iron Tiger Malware - PlugX FastProxy"
        reference = "http://goo.gl/T5fSJC"
        id = "14e05823-6288-5f02-8060-add51084c446"
    strings:
        // "wide ascii" matches both the UTF-16LE and the single-byte encoding.
        // Misspellings ("Useage", "fligth") are part of the signature and must stay.
        $str1 = "SAFEPROXY HTServerTimer Quit!" wide ascii
        $str2 = "Useage: %s pid" wide ascii
        $str3 = "%s PORT[%d] TO PORT[%d] SUCCESS!" wide ascii
        $str4 = "p0: port for listener" wide ascii
        // Build-path fragment rather than a message string.
        $str5 = "\\users\\whg\\desktop\\plug\\" wide ascii
        $str6 = "[+Y] cwnd : %3d, fligth:" wide ascii
    condition:
        // 0x5a4d read little-endian at offset 0 is "MZ" (DOS/PE header).
        // A single string is enough to fire, and there is no filesize bound,
        // so short strings such as $str2 carry the whole verdict - triage hits.
        uint16(0) == 0x5a4d and (any of ($str*))
}
// Flags PE files containing at least two of ten strings attributed by the
// author to the Iron Tiger "PlugX Server" (controller-side) component.
rule IronTiger_PlugX_Server
{
    meta:
        author = "Cyber Safety Solutions, Trend Micro"
        description = "Iron Tiger Malware - PlugX Server"
        reference = "http://goo.gl/T5fSJC"
        id = "38011a23-3ed7-5f58-a814-2551526b27f3"
    strings:
        // $str1/$str2/$str6 are ".pas" source-file names
        // (presumably Delphi units left in the binary - confirm against a sample).
        $str1 = "\\UnitFrmManagerKeyLog.pas" wide ascii
        $str2 = "\\UnitFrmManagerRegister.pas" wide ascii
        // Generic UI captions; weak on their own, hence the 2-string threshold.
        $str3 = "Input Name..." wide ascii
        $str4 = "New Value#" wide ascii
        $str5 = "TThreadRControl.Execute SEH!!!" wide ascii
        $str6 = "\\UnitFrmRControl.pas" wide ascii
        $str7 = "OnSocket(event is error)!" wide ascii
        $str8 = "Make 3F Version Ok!!!" wide ascii
        // Misspellings are literal signature content; do not "correct" them.
        $str9 = "PELEASE DO NOT CHANGE THE DOCAMENT" wide ascii
        $str10 = "Press [Ok] Continue Run, Press [Cancel] Exit" wide ascii
    condition:
        // "MZ" header plus any two strings; no filesize limit is applied.
        uint16(0) == 0x5a4d and (2 of ($str*))
}
// Code-pattern rule: fires when three of six x86 byte sequences are present.
// All strings are hex patterns; "??" is a full-byte wildcard and "0?" a
// nibble wildcard.
rule APT_Area1_SSF_PlugX {
    meta:
        description = "Detects send tool used in phishing campaign reported by Area 1 in December 2018"
        reference = "https://cdn.area1security.com/reports/Area-1-Security-PhishingDiplomacy.pdf"
        date = "2018-12-19"
        author = "Area 1"
        id = "a5b4e781-f0d1-55df-926c-2d321aa48139"
    strings:
        // The 32-bit immediates of the three pushes are wildcarded.
        $feature_call = { 8b 0? 56 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ??
            6a 07 6a ff ff d0 8b f0 85 f6 74 14 }
        $keylogger_reg = { 8b 4d 08 6a 0c 6a 01 8d 55 f4 52 c7 45 f4 01 00 06 00
            c7 45 f8 00 01 00 00 89 4d fc ff d0 85 c0 75 1d }
        // NOTE(review): ends in "ff 15 1c 43 02 10", an indirect call through a
        // fixed absolute address, so this pattern is tied to one image layout.
        $file_op = { 55 8b ec 83 ec 20 0f b7 56 18 8b 46 10 66 8b 4e 14 89 45 e4
            8d 44 32 10 66 89 4d f0 0f b7 4e 1a 57 89 45 e8 33 ff 8d 45 e0 8d 54
            31 10 50 89 7d e0 89 55 ec c7 45 fa ?? ?? ?? ?? 89 7d f2 89 7d f6 ff
            15 1c 43 02 10 }
        $ver_cmp = { 0f b6 8d b0 fe ff ff 0f b6 95 b4 fe ff ff 66 c1 e1 08 0f b7
            c1 0b c2 3d 02 05 00 00 7f 2c }
        // NOTE(review): "e8 51 fb ff ff" is a relative call with a fixed
        // displacement; a rebuilt binary would likely not match this string.
        $regedit = { c7 06 23 01 12 20 c7 46 04 01 90 00 00 89 5e 0c 89 5e 08 e8
            51 fb ff ff 8b 4d 08 8b 50 38 68 30 75 00 00 56 51 ff d2 }
        // The 32-bit operand of the leading "8b 1d" load is wildcarded.
        $get_device_caps = { 8b 1d ?? ?? ?? ?? 6a 08 50 ff d3 0f b7 56 12 8b c8 0f af ca
            b8 1f 85 eb 51 f7 e9 c1 fa 05 8b c2 c1 e8 1f 03 c2 89 45 f8 8b 45 f0 6a 0a 50 ff d3
            0f b7 56 14 8b c8 0f af ca b8 1f 85 eb 51 }
    condition:
        // No file-header or size guard: the rule also applies to memory
        // regions and dumps when those are scanned.
        3 of them
}
// Flags small PE files (< 1200KB) that contain all four strings: two WinRAR
// self-extractor messages and two embedded file names.
rule Codoso_PlugX_3 {
    meta:
        description = "Detects Codoso APT PlugX Malware"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        hash = "74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3"
        id = "55066812-3a8e-5099-afb4-ff7a59f1ccb2"
    strings:
        // $s1 and $s4 identify the container as a WinRAR SFX; on their own
        // they would match any such archive.
        $s1 = "Cannot create folder %sDCRC failed in the encrypted file %s. Corrupt file or wrong password." fullword wide
        // File names carried inside the archive
        // (presumably the executable/DLL pair that gets dropped - confirm
        // against the referenced report).
        $s2 = "mcs.exe" fullword ascii
        $s3 = "McAltLib.dll" fullword ascii
        $s4 = "WinRAR self-extracting archive" fullword wide
    condition:
        // "MZ" header, size cap, and every string required.
        uint16(0) == 0x5a4d and filesize < 1200KB and all of them
}
// Matches on wide-character path templates that reference hid.dll,
// HID.dllx and SOUNDMAN.exe.
rule Codoso_PlugX_2 {
    meta:
        description = "Detects Codoso APT PlugX Malware"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        hash = "b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb"
        id = "0402a0ff-5664-52db-a739-51c5181853f8"
    strings:
        $s1 = "%TEMP%\\HID" fullword wide
        $s2 = "%s\\hid.dll" fullword wide
        $s3 = "%s\\SOUNDMAN.exe" fullword wide
        // Command-line template: quoted SOUNDMAN.exe path plus two integers.
        $s4 = "\"%s\\SOUNDMAN.exe\" %d %d" fullword wide
        $s5 = "%s\\HID.dllx" fullword wide
    condition:
        // Two branches: (a) PE under 400KB with any three strings, or
        // (b) all five strings with no header or size check, which also
        // covers non-PE data such as memory dumps.
        ( uint16(0) == 0x5a4d and filesize < 400KB and 3 of them ) or all of them
}
// Super rule (one signature derived from the five listed samples): PE under
// 900KB with two "dropper" resource strings and two of the generic strings.
rule Codoso_PGV_PVID_4 {
    meta:
        description = "Detects Codoso APT PlugX Malware"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        super_rule = 1
        hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
        hash2 = "8a56b476d792983aea0199ee3226f0d04792b70a1c1f05f399cb6e4ce8a38761"
        hash3 = "b2950f2e09f5356e985c38b284ea52175d21feee12e582d674c0da2233b1feb1"
        hash4 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
        hash5 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
        id = "c1c753a6-77b6-5bfb-89f9-16127c264fd0"
    strings:
        // NOTE(review): $x1 and $x4 each contain "dropper" as a delimited
        // word, so wherever either matches, $x2 matches inside it as well.
        // "2 of ($x*)" is therefore satisfied by a single resource string.
        $x1 = "dropper, Version 1.0" fullword wide
        $x2 = "dropper" fullword wide
        $x3 = "DROPPER" fullword wide
        $x4 = "About dropper" fullword wide
        $s1 = "Microsoft Windows Manager Utility" fullword wide
        // $s2-$s5 are marked by the author as also occurring in goodware;
        // they add context but carry little weight individually.
        $s2 = "SYSTEM\\CurrentControlSet\\Services\\" ascii /* Goodware String - occurred 9 times */
        $s3 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify" fullword ascii /* Goodware String - occurred 10 times */
        $s4 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3" ascii /* Goodware String - occurred 46 times */
        $s5 = "<supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"></supportedOS>" fullword ascii /* Goodware String - occurred 65 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 900KB and 2 of ($x*) and 2 of ($s*)
}
// Super rule derived from the three listed samples: PE under 800KB that
// contains all three ASCII strings.
rule Codoso_PlugX_1 {
    meta:
        description = "Detects Codoso APT PlugX Malware"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        super_rule = 1
        hash1 = "0b8cbc9b4761ab35acce2aa12ba2c0a283afd596b565705514fd802c8b1e144b"
        hash2 = "448711bd3f689ceebb736d25253233ac244d48cb766834b8f974c2e9d4b462e8"
        hash3 = "fd22547497ce52049083092429eeff0599d0b11fe61186e91c91e1f76b518fe2"
        id = "af777818-5cff-5571-b5e9-0f5a4c8b08ff"
    strings:
        // $s1 and $s3 are upper-case identifiers
        // (presumably resource/dialog names - confirm against a sample).
        $s1 = "GETPASSWORD1" fullword ascii
        // DLL name embedded in the file.
        $s2 = "NvSmartMax.dll" fullword ascii
        $s3 = "LICENSEDLG" fullword ascii
    condition:
        // Each string is generic in isolation; the rule relies on all three
        // co-occurring inside a small PE.
        uint16(0) == 0x5a4d and filesize < 800KB and all of them
}
// Two independent byte patterns for a side-loading dropper; either one alone
// triggers the rule.
rule Dropper_DeploysMalwareViaSideLoading {
    meta:
        description = "Detects a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX"
        author = "USG"
        reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
        // Two known-good detections, each given as "<sha256>: <payload dropped>".
        true_positive = "5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx. "
        id = "2e7cdedd-2358-5d71-a3ec-73dec442d840"
    strings:
        // ASCII ".lnk", then 0-14 arbitrary bytes, then ASCII "avpui.exe".
        $UniqueString = {2e 6c 6e 6b [0-14] 61 76 70 75 69 2e 65 78 65} // ".lnk" near "avpui.exe"
        // "[0-6]" is a variable-length jump inside the code pattern.
        $PsuedoRandomStringGenerator = {b9 1a [0-6] f7 f9 46 80 c2 41 88 54 35 8b 83 fe 64} // Unique function that generates a 100 character pseudo random string.
    condition:
        // No header or size guard, so the patterns are evaluated against any
        // scanned content, including non-executable files.
        any of them
}
// Matches specific RedLeaves / PlugX binaries on byte sequences, build paths
// and a mutex name. Any single indicator fires, except $s2/$s3 (see condition).
rule PLUGX_RedLeaves {
    meta:
        author = "US-CERT Code Analysis Team"
        // "date" is present twice (here and below) in two different formats.
        date = "03.04.2017"
        reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
        incident = "10118538"
        date = "2017-04-03"
        MD5_1 = "598FF82EA4FB52717ACAFB227C83D474"
        MD5_2 = "7D10708A518B26CC8C3CBFBAA224E032"
        MD5_3 = "AF406D35C77B1E0DF17F839E36BCE630"
        MD5_4 = "6EB9E889B091A5647F6095DCD4DE7C83"
        // NOTE(review): this value is 40 hex characters, the length of a
        // SHA-1 digest, although the key says MD5. Tooling that validates
        // hash length per key will reject it.
        MD5_5 = "566291B277534B63EAFC938CDAAB8A399E41AF7D"
        description = "Detects specific RedLeaves and PlugX binaries"
        id = "ede8ad8f-31cf-5314-9777-bddd60e499f2"
    strings:
        $s0 = { 80343057403D2FD0010072F433C08BFF80343024403D2FD0010072F4 }
        // No modifier given, so the text strings default to ASCII, case-sensitive.
        // $s1-$s3 are build/source paths.
        $s1 = "C:\\Users\\user\\Desktop\\my_OK_2014\\bit9\\runsna\\Release\\runsna.pdb"
        $s2 = "d:\\work\\plug4.0(shellcode)"
        $s3 = "\\shellcode\\shellcode\\XSetting.h"
        $s4 = { 42AFF4276A45AA58474D4C4BE03D5B395566BEBCBDEDE9972872C5C4C5498228 }
        $s5 = { 8AD32AD002D180C23830140E413BCB7CEF6A006A006A00566A006A00 }
        $s6 = { EB055F8BC7EB05E8F6FFFFFF558BEC81ECC8040000535657 }
        $s7 = { 8A043233C932043983C10288043283F90A7CF242890D18AA00103BD37CE2891514AA00106A006A006A0056 }
        $s8 = { 293537675A402A333557B05E04D09CB05EB3ADA4A4A40ED0B7DAB7935F5B5B08 }
        $s9 = "RedLeavesCMDSimulatorMutex"
    condition:
        // "and" binds tighter than "or" in YARA, so this evaluates as
        //   $s0 or $s1 or ($s2 and $s3) or $s4 or ... or $s9
        // i.e. $s2 and $s3 must both be present, every other string suffices
        // alone. There is no header or size guard.
        $s0 or $s1 or $s2 and $s3 or $s4 or $s5 or $s6 or $s7 or $s8 or $s9
}
// Generic PlugX rule with two tiers of strings: $x* are treated as strong
// indicators (one is enough), $s* as supporting indicators (four needed).
rule PlugX_J16_Gen {
    meta:
        description = "Detects PlugX Malware samples from June 2016"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "VT Research"
        date = "2016-06-08"
        id = "13ef1e80-7090-5a1e-bca7-8d3de0dc2247"
    strings:
        $x1 = "%WINDIR%\\SYSTEM32\\SERVICES.EXE" fullword wide
        // Named-pipe template.
        $x2 = "\\\\.\\PIPE\\RUN_AS_USER(%d)" fullword wide
        $x3 = "LdrLoadShellcode" fullword ascii
        // Format string printing protocol, host and proxy settings.
        $x4 = "Protocol:[%4s], Host: [%s:%d], Proxy: [%d:%s:%d:%s:%s]" fullword ascii
        $s1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\User Agent\\Post Platform" fullword wide
        $s2 = "%s\\msiexec.exe %d %d" fullword wide
        // The leading "l" is part of the literal, not a typo introduced here.
        $s3 = "l%s\\sysprep\\CRYPTBASE.DLL" fullword wide
        $s4 = "%s\\msiexec.exe UAC" fullword wide
        $s5 = "CRYPTBASE.DLL" fullword wide
        $s6 = "%ALLUSERSPROFILE%\\SxS" fullword wide
        $s7 = "%s\\sysprep\\sysprep.exe" fullword wide
        $s8 = "\\\\.\\pipe\\a%d" fullword wide
        $s9 = "\\\\.\\pipe\\b%d" fullword wide
        // Exception-report format string listing the x86 registers.
        $s10 = "EName:%s,EAddr:0x%p,ECode:0x%p,EAX:%p,EBX:%p,ECX:%p,EDX:%p,ESI:%p,EDI:%p,EBP:%p,ESP:%p,EIP:%p" fullword ascii
        // $s11-$s13 are generic user-agent / registry strings.
        $s11 = "Mozilla/4.0 (compatible; MSIE " fullword wide
        $s12 = "; Windows NT %d.%d" fullword wide
        $s13 = "SOFTWARE\\Microsoft\\Internet Explorer\\Version Vector" fullword wide
        $s14 = "\\bug.log" wide
    condition:
        // Branch 1: PE under 600KB with one $x or four $s strings.
        // Branch 2: eight strings of either tier, with no header or size
        // check, so it also applies to memory dumps and unpacked images.
        ( uint16(0) == 0x5a4d and filesize < 600KB and ( 1 of ($x*) or 4 of ($s*) ) ) or ( 8 of them )
}
// Matches PlugX samples that still contain the names of their C++ source
// files and an error-report format string.
rule PlugX_J16_Gen2 {
    meta:
        description = "Detects PlugX Malware Samples from June 2016"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "VT Research"
        date = "2016-06-08"
        id = "28e9cbb9-cd60-555d-b033-4e2bf293adf2"
    strings:
        // Identifier numbering has gaps ($s3, $s6, ... are absent); the
        // condition counts matches, so the gaps have no effect.
        $s1 = "XPlugKeyLogger.cpp" fullword ascii
        $s2 = "XPlugProcess.cpp" fullword ascii
        $s4 = "XPlgLoader.cpp" fullword ascii
        $s5 = "XPlugPortMap.cpp" fullword ascii
        $s8 = "XPlugShell.cpp" fullword ascii
        // The only non-file-name string; generic on its own.
        $s11 = "file: %s, line: %d, error: [%d]%s" fullword ascii
        $s12 = "XInstall.cpp" fullword ascii
        $s13 = "XPlugTelnet.cpp" fullword ascii
        $s14 = "XInstallUAC.cpp" fullword ascii
    condition:
        // Every string is in the $s group, so "2 of ($s*)" and "of them"
        // count the same set. PE under 600KB needs two; any other content
        // needs five.
        ( uint16(0) == 0x5a4d and filesize < 600KB and ( 2 of ($s*) ) ) or ( 5 of them )
}
// Identifies the PAExec remote-execution utility by its usage text, pipe
// names and ADMIN$ path template. This detects the tool itself, renamed or
// not; the low score reflects that PAExec also has legitimate admin use.
rule PAExec {
    meta:
        description = "Detects remote access tool PAEXec (like PsExec) - file PAExec.exe"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/"
        date = "2017-03-27"
        // Author-assigned severity weighting read by the scanner that consumes
        // the rule; YARA itself ignores it.
        score = 40
        hash1 = "01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc"
        id = "ee564534-b921-5639-a7ed-5da79d6bf86a"
    strings:
        $x1 = "Ex: -rlo C:\\Temp\\PAExec.log" fullword ascii
        $x2 = "Can't enumProcesses - Failed to get token for Local System." fullword wide
        $x3 = "PAExec %s - Execute Programs Remotely" fullword wide
        // Named-pipe templates (remote and local form).
        $x4 = "\\\\%s\\pipe\\PAExecIn%s%u" fullword wide
        $x5 = "\\\\.\\pipe\\PAExecIn%s%u" fullword wide
        // Generic template with no "PAExec" marker; the weakest string here.
        $x6 = "%%SystemRoot%%\\%s.exe" fullword wide
        $x7 = "in replacement for PsExec, so the command-line usage is identical, with " fullword ascii
        // Template for a file placed on the target's ADMIN$ share.
        $x8 = "\\\\%s\\ADMIN$\\PAExec_Move%u.dat" fullword wide
    condition:
        // PE under 600KB with one string, or three strings in any content.
        (uint16(0) == 0x5a4d and filesize < 600KB and 1 of ($x*)) or (3 of them)
}
// Flags a PE that carries PsExec's own strings but is not stored under one
// of the expected PsExec file names, i.e. a renamed copy.
//
// Depends on the external variables "filename" and "filepath". The rule does
// not compile unless the scanner defines them (e.g. via yara's -d option or a
// scanner that supplies them per file).
rule APT_Cloaked_PsExec
{
    meta:
        description = "Looks like a cloaked PsExec. This may be APT group activity."
        date = "2014-07-18"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        score = 60
        id = "e389bb76-0d1d-5e0e-9f79-a3117c919da3"
    strings:
        $s0 = "psexesvc.exe" wide fullword
        $s1 = "Sysinternals PsExec" wide fullword
    condition:
        uint16(0) == 0x5a4d and $s0 and $s1
        // /i makes the name check case-insensitive and "$" anchors it to the
        // end of the name. The dots are unescaped, so they match any
        // character; the exclusion is slightly wider than the literal names.
        and not filename matches /(psexec.exe|PSEXESVC.EXE|PsExec64.exe)$/is
        // Skip copies in the Recycle Bin (path segment followed by a SID).
        and not filepath matches /RECYCLE.BIN\\S-1/
}
// Flags a PE under 600KB that contains a PAExec string but is not stored
// under a PAExec file name, i.e. a renamed copy. The string set and hash1
// are the same as in the rule "PAExec" in this listing.
//
// Depends on the external variable "filename"; the rule does not compile
// unless the scanner defines it.
rule PAExec_Cloaked {
    meta:
        description = "Detects a renamed remote access tool PAEXec (like PsExec)"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/"
        date = "2017-03-27"
        score = 70
        hash1 = "01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc"
        id = "fad8417b-bbdb-5a4e-8324-660e27cb39f8"
    strings:
        $x1 = "Ex: -rlo C:\\Temp\\PAExec.log" fullword ascii
        $x2 = "Can't enumProcesses - Failed to get token for Local System." fullword wide
        $x3 = "PAExec %s - Execute Programs Remotely" fullword wide
        $x4 = "\\\\%s\\pipe\\PAExecIn%s%u" fullword wide
        $x5 = "\\\\.\\pipe\\PAExecIn%s%u" fullword wide
        $x6 = "%%SystemRoot%%\\%s.exe" fullword wide
        $x7 = "in replacement for PsExec, so the command-line usage is identical, with " fullword ascii
        $x8 = "\\\\%s\\ADMIN$\\PAExec_Move%u.dat" fullword wide
    condition:
        ( uint16(0) == 0x5a4d and filesize < 600KB and 1 of ($x*) )
        // "==" is an exact, case-sensitive comparison, so only these three
        // spellings are excluded; other casings (e.g. "PaExec.exe") still hit.
        and not filename == "paexec.exe"
        and not filename == "PAExec.exe"
        and not filename == "PAEXEC.EXE"
        // Case-sensitive substring exclusions for installer/uninstaller
        // binaries that bundle PAExec.
        and not filename matches /Install/
        and not filename matches /uninstall/
}
// Detects a compiled (standalone executable) build of Impacket's psexec
// example by module-name strings left in the binary.
rule Impacket_Tools_psexec {
    meta:
        description = "Compiled Impacket Tools"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/maaaaz/impacket-examples-windows"
        date = "2017-04-07"
        hash1 = "27bb10569a872367ba1cfca3cf1c9b428422c82af7ab4c2728f501406461c364"
        id = "5e8d0964-7e6a-5ff6-b9db-e37f997c3e05"
    strings:
        // The trailing "(" is part of each literal
        // (presumably how the bundler records module entries - confirm).
        $s1 = "impacket.examples.serviceinstall(" ascii
        // Short string; "fullword" keeps it from matching inside longer words.
        $s2 = "spsexec" fullword ascii
        $s3 = "impacket.examples.remcomsvc(" ascii
    condition:
        // The large size cap (17000KB) allows for executables that bundle an
        // interpreter; two of the three strings are required.
        ( uint16(0) == 0x5a4d and filesize < 17000KB and 2 of them )
}
// Detects the Empire PowerShell script Invoke-PsExec.ps1 by function name,
// a status message and a command-construction line.
rule Empire_Invoke_PsExec {
    meta:
        description = "Detects Empire component - file Invoke-PsExec.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "0218be4323959fc6379489a6a5e030bb9f1de672326e5e5b8844ab5cedfdcf88"
        id = "19aaec3e-3e8f-5d7d-9c70-a212756c0300"
    strings:
        $s1 = "Invoke-PsExecCmd" fullword ascii
        $s2 = "\"[*] Executing service .EXE" fullword ascii
        $s3 = "$cmd = \"%COMSPEC% /C echo $Command ^> %systemroot%\\Temp\\" ascii
    condition:
        // 0x7566 read little-endian is the two bytes "fu", i.e. a file that
        // begins with "fu..." (as in "function"). Strings are ASCII only, so
        // a UTF-16 encoded copy of the script is not covered.
        // Branch 2 ("all of them") has no header or size restriction and so
        // also catches the script embedded in other content.
        ( uint16(0) == 0x7566 and filesize < 50KB and 1 of them ) or all of them
}
// Detects a specific batch file described in the referenced NCSC alert by
// fragments of its script text.
rule Batch_Script_To_Run_PsExec {
    meta:
        author = "NCSC"
        description = "Detects malicious batch file from NCSC report"
        reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
        date = "2018/04/06"
        hash = "b7d7c4bc8f9fd0e461425747122a431f93062358ed36ce281147998575ee1a18"
        id = "1fbeeec8-a5bd-569e-b435-c7d82d32e47b"
    strings:
        // Anonymous strings ("$" with no name): they can only be referenced
        // collectively, as the condition does with "of them".
        $ = "Tokens=1 delims=" ascii
        $ = "SET ws=%1" ascii
        $ = "Checking %ws%" ascii
        $ = "%TEMP%\\%ws%ns.txt" ascii
        // "-accepteula" is passed to a binary named ps.exe
        // (presumably a renamed PsExec, per the rule name - confirm in the report).
        $ = "ps.exe -accepteula" ascii
    condition:
        // Three of five fragments. No header or size guard, and matching is
        // case-sensitive, so a re-cased copy of the script would be missed.
        3 of them
}
// Detects the ONHAT proxy tool by its error/usage messages, all of which
// contain the literal tool name.
rule ONHAT_Proxy_Hacktool {
    meta:
        description = "Detects ONHAT Proxy - Htran like SOCKS hack tool used by Chinese APT groups"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/p32Ozf"
        date = "2016-05-12"
        // Highest score value used among the rules in this listing.
        score = 100
        hash1 = "30b2de0a802a65b4db3a14593126301e6949c1249e68056158b2cc74798bac97"
        hash2 = "94bda24559713c7b8be91368c5016fc7679121fea5d565d3d11b2bb5d5529340"
        hash3 = "a26e75fec3b9f7d5a1c3d0ce1e89e4b0befb7a601da0c69a4cf96301921771dd"
        hash4 = "c202e9d5b99f6137c7c07305c7314e55f52bae832d460c44efc8f2a90ff03615"
        hash5 = "dded62ad85c0bdd68bcc96f88d8ba42d5ad0ef999911ebdea3f561a4491ebbc6"
        hash6 = "f0954774c91603fc2595f0ba0727b9af4e80f6f9be7bb629e7fb6ba4309ed4ea"
        hash7 = "f3906be01d51e2e1ae9b03cd09702b6e0794b9c9fd7dc04024f897e96bb13232"
        hash8 = "f65ae9ccf988a06a152f27a4c0d7992100a2d9d23d80efe8d8c2a5c9bd78a3a7"
        id = "cb18a5b0-dbbd-5dd3-af66-21b8302df6de"
    strings:
        $s1 = "INVALID PARAMETERS. TYPE ONHAT.EXE -h FOR HELP INFORMATION." fullword ascii
        $s2 = "[ONHAT] LISTENS (S, %d.%d.%d.%d, %d) ERROR." fullword ascii
        $s3 = "[ONHAT] CONNECTS (T, %d.%d.%d.%d, %d.%d.%d.%d, %d) ERROR." fullword ascii
    condition:
        // PE under 80KB with one message, or two messages in any content
        // (the second branch has no header or size check).
        ( uint16(0) == 0x5a4d and filesize < 80KB and ( 1 of ($s*) ) ) or ( 2 of them )
}
// Detects a Go-based HTran-style port forwarder by its project URL and two
// usage lines.
rule HKTL_htran_go {
    meta:
        author = "Jeff Beley"
        hash1 = "4acbefb9f7907c52438ebb3070888ddc8cddfe9e3849c9d0196173a422b9035f"
        description = "Detects go based htran variant"
        date = "2019-01-09"
        id = "bd9409e3-3d4c-57d6-af60-b6d6bd93d46b"
    strings:
        // Project URL embedded in the binary; the most specific string here.
        $s1 = "https://github.com/cw1997/NATBypass" fullword ascii
        // Usage text for the forwarding modes.
        $s2 = "-slave ip1:port1 ip2:port2" fullword ascii
        $s3 = "-tran port1 ip:port2" fullword ascii
    condition:
        // One string in a PE under 7000KB. The rule identifies the tool, not
        // who is running it; treat a hit as a lead to investigate.
        uint16(0) == 0x5a4d and filesize < 7000KB and 1 of them
}
// Detects the HTran port forwarder by its usage text, banner, PDB path and
// log messages.
rule DeepPanda_htran_exe {
    meta:
        description = "Hack Deep Panda - htran-exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        date = "2015/02/08"
        // 40 hex characters (SHA-1 length), unlike the SHA-256 values used by
        // most other rules in this listing.
        hash = "38e21f0b87b3052b536408fdf59185f8b3d210b9"
        id = "2a551e82-aff1-5a77-bc5e-d06e49dca8bc"
    strings:
        // Identifier numbering has gaps; "1 of them" only counts matches.
        $s0 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii
        $s2 = "\\Release\\htran.pdb" ascii
        $s3 = "[SERVER]connection to %s:%d error" fullword ascii
        $s4 = "-tran <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
        $s8 = "======================== htran V%s =======================" fullword ascii
        $s11 = "-slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
        $s15 = "[+] OK! I Closed The Two Socket." fullword ascii
        $s20 = "-listen <ConnectPort> <TransmitPort>" fullword ascii
    condition:
        // A single string suffices and there is no header or size guard, so
        // documentation, logs or reports quoting HTran output will also match.
        // The same messages appear in other HTran rules in this listing;
        // expect overlapping hits and do not read a hit as actor attribution.
        1 of them
}
// Detects lcx.exe (an HTran build from the CN Honker toolset) as a very
// small PE containing any one of its usage/banner strings.
rule CN_Honker_lcx_lcx {
    meta:
        description = "Sample from CN Honker Pentest Toolset - HTRAN - file lcx.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "0c8779849d53d0772bbaa1cedeca150c543ebf38"
        id = "6c2e1e85-6387-5be2-b7b2-5ae8a5cca6df"
    strings:
        // "PEStudio Blacklist" is the author's note that the string also
        // appears on PEStudio's list of suspicious strings.
        $s1 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii /* PEStudio Blacklist: strings */
        // Banner strings crediting the tool's authors/site.
        $s2 = "=========== Code by lion & bkbll" ascii
        $s3 = "Welcome to [url]http://www.cnhonker.com[/url] " ascii
        $s4 = "-tran <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii /* PEStudio Blacklist: strings */
        $s5 = "[+] Start Transmit (%s:%d <-> %s:%d) ......" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        // The tight 30KB cap compensates for the one-string threshold; larger
        // or packed builds of the same tool fall outside this rule.
        uint16(0) == 0x5a4d and filesize < 30KB and 1 of them
}
// Detects htran20.exe from the CN Honker toolset: PE under 200KB that
// contains all six usage, prompt and status messages.
rule CN_Honker_Htran_V2_40_htran20 {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file htran20.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "b992bf5b04d362ed3757e90e57bc5d6b2a04e65c"
        id = "9dd1ab4b-108e-55be-b94d-2868ce00855e"
    strings:
        // All strings carry the author's note that they are also on
        // PEStudio's list of suspicious strings.
        $s1 = "%s -slave ConnectHost ConnectPort TransmitHost TransmitPort" fullword ascii /* PEStudio Blacklist: strings */
        // Interactive prompt offering bind / connect-back / listen modes.
        $s2 = "Enter Your Socks Type No: [0.BindPort 1.ConnectBack 2.Listen]:" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "[SERVER]connection to %s:%d error" fullword ascii /* PEStudio Blacklist: strings */
        $s4 = "%s -connect ConnectHost [ConnectPort] Default:%d" fullword ascii /* PEStudio Blacklist: strings */
        $s5 = "[+] got, ip:%s, port:%d" fullword ascii /* PEStudio Blacklist: strings */
        $s6 = "[-] There is a error...Create a new connection." fullword ascii /* PEStudio Blacklist: strings */
    condition:
        // Requiring every string makes this specific to this build; a variant
        // with any one message changed will not match.
        uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
// Detects HTran2.4.exe from the CN Honker toolset: PE under 180KB containing
// both the mode prompt and the new-connection message.
rule CN_Honker_HTran2_4 {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file HTran2.4.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "524f986692f55620013ab5a06bf942382e64d38a"
        id = "21cb5ec5-900d-5092-8c2b-2d951289957c"
    strings:
        // $s1 is the same literal as $s2 of CN_Honker_Htran_V2_40_htran20 in
        // this listing, so the two rules can fire on the same file.
        $s1 = "Enter Your Socks Type No: [0.BindPort 1.ConnectBack 2.Listen]:" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "[+] New connection %s:%d !!" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 180KB and all of them
}
// Super rule: the three messages shared by lcx.exe, HTran2.4.exe and
// htran20.exe (hash0-hash2 are the same SHA-1 values used by the
// per-file CN_Honker rules in this listing).
rule CN_Honker__lcx_HTran2_4_htran20 {
    meta:
        description = "Sample from CN Honker Pentest Toolset - from files lcx.exe, HTran2.4.exe, htran20.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        super_rule = 1
        hash0 = "0c8779849d53d0772bbaa1cedeca150c543ebf38"
        hash1 = "524f986692f55620013ab5a06bf942382e64d38a"
        hash2 = "b992bf5b04d362ed3757e90e57bc5d6b2a04e65c"
        id = "c6851e7b-ab64-5578-896e-4d92fb3b2000"
    strings:
        $s1 = "[SERVER]connection to %s:%d error" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "[+] OK! I Closed The Two Socket." fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "[+] Start Transmit (%s:%d <-> %s:%d) ......" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        // All three messages in a PE under 440KB. Being the common core of
        // several builds, this rule will usually fire alongside the per-file
        // rules; de-duplicate hits when counting detections.
        uint16(0) == 0x5a4d and filesize < 440KB and all of them
}
// Detects an HTran build tied by the author to "Iron Panda", using HTran's
// usage/log messages plus two symbol-like strings.
rule IronPanda_Malware_Htran {
    meta:
        description = "Iron Panda Malware Htran"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/E4qia9"
        date = "2015-09-16"
        hash = "7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7"
        id = "7215f0da-9367-59b4-a78b-aeeebc4f2b69"
    strings:
        $s1 = "[-] Gethostbyname(%s) error:%s" fullword ascii
        $s2 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii
        $s3 = "-slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
        $s4 = "[-] ERROR: Must supply logfile name." fullword ascii
        $s5 = "[SERVER]connection to %s:%d error" fullword ascii
        // $s6 and $s9 differ only in the trailing dots/spacing.
        $s6 = "[+] Make a Connection to %s:%d...." fullword ascii
        $s7 = "[+] Waiting another Client on port:%d...." fullword ascii
        $s8 = "[+] Accept a Client on port %d from %s" fullword ascii
        $s9 = "[+] Make a Connection to %s:%d ......" fullword ascii
        // $s11 has no "fullword" and contains $s10, so it matches wherever the
        // underscore-prefixed form occurs
        // (presumably runtime-library symbols rather than HTran code - confirm).
        $s10 = "cmshared_get_ptr_from_atom" fullword ascii
        $s11 = "_cmshared_get_ptr_from_atom" ascii
        $s12 = "[+] OK! I Closed The Two Socket." fullword ascii
        $s13 = "[-] TransmitPort invalid." fullword ascii
        $s14 = "[+] Waiting for Client on port:%d ......" fullword ascii
    condition:
        // PE under 125KB with three strings, or five strings in any content.
        // Most strings are stock HTran messages, so this overlaps with the
        // other HTran rules in this listing.
        ( uint16(0) == 0x5a4d and filesize < 125KB and 3 of them )
        or
        5 of them
}
// Matches the system-information report text attributed to the Casper
// malware: section banners, field labels and an XML-style config tag.
rule Casper_SystemInformation_Output {
    meta:
        description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://goo.gl/VRJNLo"
        date = "2015/03/06"
        score = 70
        id = "aaae200c-7ef1-52eb-be5b-36e0ad29ecef"
    strings:
        // No modifiers: each string is matched as case-sensitive ASCII only,
        // so a UTF-16 encoded copy of the output is not covered.
        $a0 = "***** SYSTEM INFORMATION ******"
        $a1 = "***** SECURITY INFORMATION ******"
        $a2 = "Antivirus: "
        $a3 = "Firewall: "
        $a4 = "***** EXECUTION CONTEXT ******"
        $a5 = "Identity: "
        $a6 = "<CONFIG TIMESTAMP="
    condition:
        // All seven strings, with no header or size guard: the rule targets
        // the output text wherever it is found (files, captures, memory),
        // not only the binary that produces it.
        all of them
}
// Flags small files that contain a certutil decode or URL-cache download
// command line, in ASCII or UTF-16, unless a known false-positive marker is
// also present. certutil is a built-in Windows utility, so hits need context.
rule Certutil_Decode_OR_Download {
    meta:
        description = "Certutil Decode"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Internal Research"
        score = 40
        date = "2017-08-29"
        modified = "2026-04-01"
        id = "63bdefd2-225a-56d5-b615-5e236c97f050"
    strings:
        // NOTE(review): as shown here $a2 is identical to $a1 and $a4 to $a3.
        // Duplicate patterns add nothing; the originals presumably differed in
        // whitespace (e.g. a doubled space) that was lost when the page was
        // rendered - verify against the upstream rule before deploying.
        $a1 = "certutil -decode " ascii wide
        $a2 = "certutil -decode " ascii wide
        $a3 = "certutil.exe -decode " ascii wide
        $a4 = "certutil.exe -decode " ascii wide
        // Download form: only the exact option order "-urlcache -split -f"
        // followed by an http(s) URL is covered.
        $a5 = "certutil -urlcache -split -f http" ascii wide
        $a6 = "certutil.exe -urlcache -split -f http" ascii wide
        // UTF-16LE "Root Entry", the root storage name of OLE compound files
        // (the container format used by MSI packages).
        $fp_msi = { 52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79 }
        // Documentation URL used to exclude files that merely quote the command.
        $fp_doc = "https://docs.aws.amazon.com" ascii
    condition:
        // Matching is case-sensitive: "CertUtil" or "-Decode" is not caught.
        // Any file carrying one of the $fp markers is excluded outright, which
        // is also a way for a crafted file to avoid this rule.
        filesize < 700KB
        and 1 of ($a*)
        and not 1 of ($fp*)
}
// Flags a PE that contains certutil.exe's own strings but whose file name
// does not contain "certutil", i.e. a renamed copy of the utility.
//
// Depends on the external variables "filename" and "filepath"; the rule does
// not compile unless the scanner defines them.
rule APT_Cloaked_CERTUTIL {
    meta:
        description = "Detects a renamed certutil.exe utility that is often used to decode encoded payloads"
        author = "Florian Roth (Nextron Systems)"
        reference = "Internal Research"
        date = "2018-09-14"
        modified = "2022-06-27"
        id = "13943cda-6bb1-5c6c-8e55-e8d4bba1ffef"
    strings:
        $s1 = "-------- CERT_CHAIN_CONTEXT --------" fullword ascii
        // PDB name left in the binary; the strongest of the three strings.
        $s5 = "certutil.pdb" fullword ascii
        $s3 = "Password Token" fullword ascii
    condition:
        uint16(0) == 0x5a4d and all of them
        // "contains" is case-sensitive, hence three spellings. Other casings
        // (e.g. "CERTUTIL.EXE") are not excluded and will be reported.
        and not filename contains "certutil"
        and not filename contains "CertUtil"
        and not filename contains "Certutil"
        // Known benign location excluded by the author.
        and not filepath contains "\\Bromium\\"
}
// Detects a small script that writes PEM certificate markers with "echo" and
// then runs "certutil -decode", i.e. a binary carried as base64 text inside a
// fake certificate and decoded on the host.
rule Binary_Drop_Certutil {
    meta:
        description = "Drop binary as base64 encoded cert trick"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/9DNn8q"
        date = "2015-07-15"
        score = 70
        id = "19791e51-d041-524d-80fa-9f3ec54eb084"
    strings:
        // ">" creates the output file, ">>" appends the closing marker.
        $s0 = "echo -----BEGIN CERTIFICATE----- >" ascii
        $s1 = "echo -----END CERTIFICATE----- >>" ascii
        $s2 = "certutil -decode " ascii
    condition:
        // All three strings in a file under 10KB. The size cap means a script
        // that carries a large encoded payload inline is not covered; ASCII
        // and case-sensitive matching only.
        filesize < 10KB and all of them
}
// Detects the LaZagne credential-recovery tool by its name plus two Python
// module names found in the binary.
rule Lazagne_PW_Dumper {
    meta:
        description = "Detects Lazagne PW Dumper"
        author = "Markus Neis / Florian Roth"
        reference = "https://github.com/AlessandroZ/LaZagne/releases/"
        date = "2018-03-22"
        score = 70
        id = "1904029e-9336-5278-ae2e-4bc853316600"
    strings:
        // $s1 and $s3 are third-party module names and are not specific to
        // LaZagne; $s2 is the only string naming the tool.
        $s1 = "Crypto.Hash" fullword ascii
        $s2 = "laZagne" fullword ascii
        $s3 = "impacket.winregistry" fullword ascii
    condition:
        // Three strings are defined, so "3 of them" means all of them.
        // No header or size guard is applied.
        3 of them
}
// Detects packaged LaZagne executables by the names of its per-application
// credential modules.
rule HKTL_Lazagne_PasswordDumper_Dec18_1 {
    meta:
        description = "Detects password dumper Lazagne often used by middle eastern threat groups"
        author = "Florian Roth (Nextron Systems)"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        reference = "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group"
        date = "2018-12-11"
        score = 85
        hash1 = "1205f5845035e3ee30f5a1ced5500d8345246ef4900bcb4ba67ef72c0f79966c"
        hash2 = "884e991d2066163e02472ea82d89b64e252537b28c58ad57d9d648b969de6a63"
        hash3 = "bf8f30031769aa880cdbe22bc0be32691d9f7913af75a5b68f8426d4f0c7be50"
        id = "bae48a4d-33b6-55b9-abf5-daf87e5da9e9"
    strings:
        // The trailing "(" is part of each literal
        // (presumably how the bundler lists modules - confirm against a sample).
        $s1 = "softwares.opera(" ascii
        $s2 = "softwares.mozilla(" ascii
        $s3 = "config.dico(" ascii
        $s4 = "softwares.chrome(" ascii
        $s5 = "softwares.outlook(" ascii
    condition:
        // One module name in a PE under 17000KB is enough. The description
        // ties the tool to particular threat groups, but the rule only
        // identifies the tool; it is publicly available and widely reused.
        uint16(0) == 0x5a4d and filesize < 17000KB and 1 of them
}
// Generic LaZagne rule keyed on module paths for PowerShell execution,
// hash dumping, creddump7 and KeePass memory access.
rule HKTL_Lazagne_Gen_18 {
    meta:
        description = "Detects Lazagne password extractor hacktool"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/AlessandroZ/LaZagne"
        // Different licence from most rules in this listing (CC BY-NC 4.0);
        // check the non-commercial terms before redistributing.
        license = "https://creativecommons.org/licenses/by-nc/4.0/"
        date = "2018-12-11"
        score = 80
        hash1 = "51121dd5fbdfe8db7d3a5311e3e9c904d644ff7221b60284c03347938577eecf"
        id = "034ea6d8-f5cf-5664-9ff9-24d19403093d"
    strings:
        $x1 = "lazagne.config.powershell_execute(" ascii
        $x2 = "creddump7.win32." ascii
        $x3 = "lazagne.softwares.windows.hashdump" ascii
        $x4 = ".softwares.memory.libkeepass.common(" ascii
    condition:
        // Two of four strings, with no header or size guard, so the rule also
        // applies to non-PE packaging and to memory when that is scanned.
        2 of them
}
// Naikon backdoor rule. $x* are high-confidence indicators (request
// templates, hostnames, a DLL name): one is enough. $s* are weaker,
// individually generic strings: seven are needed.
rule MAL_Backdoor_Naikon_APT_Sample1 {
    meta:
        description = "Detects backdoors related to the Naikon APT"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/7vHyvh"
        date = "2015-05-14"
        modified = "2023-01-06"
        // Two sample hashes under the same key; YARA permits repeated meta keys.
        hash = "d5716c80cba8554eb79eecfb4aa3d99faf0435a1833ec5ef51f528146c758eba"
        hash = "f5ab8e49c0778fa208baad660fe4fa40fc8a114f5f71614afbd6dcc09625cb96"
        id = "ba79285b-7c7f-5b19-837e-6696e50a2866"
    strings:
        // HTTP request-line templates with distinctive page names.
        $x0 = "GET http://%s:%d/aspxabcdef.asp?%s HTTP/1.1" fullword ascii
        $x1 = "POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1" fullword ascii
        // Hostnames embedded in the samples
        // (presumably command-and-control names - confirm in the referenced
        // report); they can also be checked against DNS and proxy logs.
        $x2 = "greensky27.vicp.net" fullword ascii
        $x3 = "\\tempvxd.vxd.dll" wide
        $x5 = "otna.vicp.net" fullword ascii
        $s1 = "User-Agent: webclient" fullword ascii
        $s2 = "\\User.ini" ascii
        // User-agent prefix; the literal ends mid-token at "Gecko/200".
        $s3 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200" ascii
        $s4 = "\\UserProfile.dll" wide
        // Malformed header text is literal signature content.
        $s5 = "Connection:Keep-Alive: %d" fullword ascii
        $s6 = "Referer: http://%s:%d/" ascii
        $s7 = "%s %s %s %d %d %d " fullword ascii
        $s8 = "%s--%s" fullword wide
        $s9 = "Run File Success!" fullword wide
        // $s10-$s12 occur in plenty of benign software; they only count
        // toward the 7-string threshold.
        $s10 = "DRIVE_REMOTE" fullword wide
        $s11 = "ProxyEnable" fullword wide
        $s12 = "\\cmd.exe" wide
    condition:
        // PE under 1000KB with one $x string or seven of the twelve $s strings.
        uint16(0) == 0x5a4d and filesize < 1000KB and
        (
            1 of ($x*) or 7 of ($s*)
        )
}
// APT30 sample rule: PE under 100KB containing all three path/name strings.
rule APT30_Generic_H {
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        // 40 hex characters each (SHA-1 length).
        hash1 = "2a4c8752f3e7fde0139421b8d5713b29c720685d"
        hash2 = "4350e906d590dca5fcc90ed3215467524e0a4e3d"
        id = "1908e985-9634-51dc-8972-53afa13c26a3"
    strings:
        $s0 = "\\Temp1020.txt" ascii
        // "cmd.exe" with the first letter of each part changed; literal as found.
        $s1 = "Xmd.Txe" fullword ascii
        // Digit "1" in place of the letter "l" in "Explorer"; this look-alike
        // folder name is the signature and must not be "corrected".
        $s2 = "\\Internet Exp1orer" ascii
    condition:
        filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
// APT30 sample rule keyed on wide strings built around the name
// "ForZRLnkWordDlg" (presumably version-resource fields - confirm).
rule APT30_Sample_2 {
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash = "0359ffbef6a752ee1a54447b26e272f4a5a35167"
        id = "821a2de9-48c4-58d8-acc4-1e25025ab5cf"
    strings:
        // Trailing spaces inside the quotes are part of the literals.
        $s0 = "ForZRLnkWordDlg.EXE" fullword wide
        $s1 = "ForZRLnkWordDlg Microsoft " fullword wide
        $s9 = "ForZRLnkWordDlg 1.0 " fullword wide
        // Also matches inside $s0/$s1/$s9 wherever those occur.
        $s11 = "ForZRLnkWordDlg" fullword wide
        // Generic copyright fragment; only meaningful together with the rest.
        $s12 = " (C) 2011" fullword wide
    condition:
        // Effectively a single-sample signature: every string is required.
        filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
// APT30 sample rule built from short, partly truncated or altered string
// fragments; all five must be present in a PE under 100KB.
rule APT30_Sample_3 {
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash = "d0320144e65c9af0052f8dee0419e8deed91b61b"
        id = "62e81385-26f5-545d-92ff-6604ff4d0186"
    strings:
        // The fragments are literal bytes from the sample, not typos
        // (presumably an artefact of packing or compression in the file -
        // confirm against the sample). Do not normalise them.
        $s5 = "Software\\Mic" ascii
        $s6 = "HHOSTR" ascii
        $s9 = "ThEugh" fullword ascii
        $s10 = "Moziea/" ascii
        $s12 = "%s%s(X-" ascii
    condition:
        // Each fragment is weak alone; the conjunction plus the size cap is
        // what gives the rule its specificity.
        filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
// APT30 generic rule: PE under 100KB naming four DLLs that are the standard
// Windows library names prefixed with "MY".
rule APT30_Generic_C {
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        // Mixed digest types under the same key pattern: hash1 is 40 hex
        // characters (SHA-1 length), hash2-hash7 are 32 (MD5 length).
        hash1 = "8667f635fe089c5e2c666b3fe22eaf3ff8590a69"
        hash2 = "0c4fcef3b583d0ffffc2b14b9297d3a4"
        hash3 = "37aee58655f5859e60ece6b249107b87"
        hash4 = "4154548e1f8e9e7eb39d48a4cd75bcd1"
        hash5 = "a2e0203e665976a13cdffb4416917250"
        hash6 = "b4ae0004094b37a40978ef06f311a75e"
        hash7 = "e39756bc99ee1b05e5ee92a1cdd5faf4"
        id = "25ec8d54-9875-5bf5-abc9-296f18f3c5e5"
    strings:
        // "fullword" prevents a match inside a longer alphanumeric token.
        $s0 = "MYUSER32.dll" fullword ascii
        $s1 = "MYADVAPI32.dll" fullword ascii
        $s2 = "MYWSOCK32.dll" fullword ascii
        $s3 = "MYMSVCRT.dll" fullword ascii
    condition:
        filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
// APT30 sample rule built from six truncated or altered fragments of API
// names; all must be present in a PE under 100KB.
rule APT30_Sample_4 {
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash = "75367d8b506031df5923c2d8d7f1b9f643a123cd"
        id = "e5c6afde-0ab5-54ed-8d18-5ad477a527d7"
    strings:
        // The fragments are literal bytes from the sample
        // (presumably what remains of import names after packing or
        // compression - confirm against the sample). They must not be
        // "repaired" to the real API names.
        $s0 = "GetStartupIn" ascii
        $s1 = "enMutex" ascii
        $s2 = "tpsvimi" ascii
        $s3 = "reateProcesy" ascii
        $s5 = "FreeLibr1y*S" ascii
        $s6 = "foAModuleHand" ascii
    condition:
        // Signature of the file as stored on disk; an unpacked or in-memory
        // image may not contain these fragments.
        filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
// Sample-specific rule: fires on an MZ file under 100KB that carries
// Microsoft-branded wide strings together with an ASCII debug format string.
rule APT30_Sample_5 {
meta:
description = "FireEye APT30 Report Sample"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
// Informational only: not evaluated by the condition.
hash = "1a2dd2a0555dc746333e7c956c58f7c4cdbabd4b"
id = "bdbebe44-7423-5793-8a42-4f9b70de2231"
strings:
// $s0-$s7 are wide (UTF-16LE) strings of the kind found in a version
// resource. On their own they would also describe a genuine Microsoft
// binary; $s7 presumably imitates the Windows Messenger name - TODO confirm.
$s0 = "Version 4.7.3001" fullword wide
$s1 = "Copyright (c) Microsoft Corporation 2004" fullword wide
$s3 = "Microsoft(R) is a registered trademark of Microsoft Corporation in the U" wide
$s7 = "msmsgs" fullword wide
// The discriminating indicator: a window-enumeration debug format string.
// The same string is reused by APT30_Generic_E and APT30_Sample_12, so one
// file can raise several of these rules at once.
$s10 = "----------------g_nAV=%d,hWnd:0x%X,className:%s,Title:%s,(%d,%d,%d,%d),BOOL=%d" fullword ascii
condition:
// MZ magic only, file scans only (`filesize`), and every string required.
filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
// Sample-specific rule: fires on an MZ file under 100KB that contains both
// misspelled import names below as whole words.
rule APT30_Sample_6 {
meta:
description = "FireEye APT30 Report Sample"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
// Informational only: not evaluated by the condition.
hash = "00e69b059ad6b51b76bc476a115325449d10b4c0"
id = "2f19809c-09fc-51bf-9a20-6b95099a92dd"
strings:
// Each string differs by one character from CreateProcessA / Kernel32.dll.
// NOTE(review): presumably an artefact of how the sample stores or rebuilds
// its imports; confirm against the sample. With only two short strings the
// rule leans on `fullword` and the size cap to keep false positives down.
$s0 = "GreateProcessA" fullword ascii
$s1 = "Ternel32.dll" fullword ascii
condition:
// MZ magic only (not a PE validity check); `filesize` limits this to file
// scans, so a memory image of the same code is not covered.
filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
// Sample-specific rule: fires on an MZ file under 100KB that contains all six
// ASCII strings below.
rule APT30_Sample_7 {
meta:
description = "FireEye APT30 Report Sample"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
// Informational only: not evaluated by the condition.
hash = "868d1f4c106a08bd2e5af4f23139f0e0cd798fba"
id = "612732d9-8df5-5388-b299-2da4f8118435"
strings:
// $s0, $s4 and $s5 are the sample-specific indicators.
$s0 = "datain" fullword ascii
// Path prefix without `fullword`: matches any "C:\Prog..." string.
$s3 = "C:\\Prog" ascii
$s4 = "$LDDATA$" ascii
$s5 = "Maybe a Encrypted Flash" fullword ascii
// $s6/$s8 are part of the copyright banner that zlib 1.1.3 embeds, so they
// occur in any binary that statically links that library. They narrow the
// match to one build, but carry no signal if used alone.
$s6 = "Jean-loup Gailly" ascii
$s8 = "deflate 1.1.3 Copyright" ascii
condition:
// MZ magic only; `filesize` is only meaningful for file scans. A rebuild
// against another zlib version would break `all of them`.
filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
// Generic rule over five listed samples: fires on an MZ file under 100KB that
// contains both ASCII strings below.
rule APT30_Generic_E {
meta:
description = "FireEye APT30 Report Sample"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
// All five values are 32 hex characters (MD5 length); none is evaluated by
// the condition.
hash1 = "1dbb584e19499e26398fb0a7aa2a01b7"
hash2 = "572c9cd4388699347c0b2edb7c6f5e25"
hash3 = "8ff473bedbcc77df2c49a91167b1abeb"
hash4 = "a813eba27b2166620bd75029cc1f04b0"
hash5 = "b5546842e08950bc17a438d785b5a019"
id = "69e76a59-3529-541d-9017-07e6d67fbda4"
strings:
// Short opaque token, not `fullword`, so it matches anywhere in the file.
// NOTE(review): possibly an encoded value - meaning not established here.
$s0 = "Nkfvtyvn}" ascii
// Window-enumeration debug format string, also used by APT30_Sample_5 and
// APT30_Sample_12; overlapping hits across those rules are expected.
$s6 = "----------------g_nAV=%d,hWnd:0x%X,className:%s,Title:%s,(%d,%d,%d,%d),BOOL=%d" fullword ascii
condition:
// MZ magic only (no PE validation); `filesize` restricts this to file scans.
filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
// Sample-specific rule: fires on an MZ file under 100KB that contains all four
// ASCII strings below.
rule APT30_Sample_8 {
meta:
description = "FireEye APT30 Report Sample"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
// Informational only: not evaluated by the condition.
hash = "9531e21652143b8b129ab8c023dc05fef2a17cc3"
id = "5053c2db-32a9-58ae-9a72-eb16ef14168e"
strings:
// Fragments resembling altered or run-together import names.
// NOTE(review): likely the residue of a compressed import table, so the rule
// presumably matches the packed file only - confirm against the sample.
// $s0 has no `fullword` and therefore also matches inside "CreateProcessA".
$s0 = "ateProcessA" ascii
$s1 = "Ternel32.dllFQ" fullword ascii
$s2 = "StartupInfoAModuleHand" fullword ascii
// A legitimate API name; it adds little signal unless paired with $s1/$s2.
$s3 = "OpenMutex" fullword ascii
condition:
// MZ magic only; `filesize` limits the rule to file scans; all four required.
filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
// Generic rule over seven listed samples: fires on an MZ file under 100KB that
// contains the single ASCII string "Moziea/4.0".
rule APT30_Generic_B {
meta:
description = "FireEye APT30 Report Sample"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
// All seven values are 32 hex characters (MD5 length). They are not evaluated
// by the condition, but are the natural second check when triaging a hit.
hash1 = "0fcb4ffe2eb391421ec876286c9ddb6c"
hash2 = "29395c528693b69233c1c12bef8a64b3"
hash3 = "4c6b21e98ca03e0ef0910e07cef45dac"
hash4 = "550459b31d8dabaad1923565b7e50242"
hash5 = "65232a8d555d7c4f7bc0d7c5da08c593"
hash6 = "853a20f5fc6d16202828df132c41a061"
hash7 = "ed151602dea80f39173c2f7b1dd58e06"
id = "df3b8896-7229-5b3b-ad2f-774b0cea167c"
strings:
// Single-indicator rule: ten bytes, no `fullword`, ASCII only.
// NOTE(review): reads like an altered "Mozilla/4.0" user-agent prefix -
// presumably a storage artefact in the samples; confirm before relying on it
// for network-side hunting, where the string on the wire may differ.
$s2 = "Moziea/4.0" ascii
condition:
// With one string defined, `all of them` is equivalent to `$s2`. The size cap
// and MZ magic are the only other constraints, so treat hits as leads and
// confirm them against the hashes above. `filesize` limits this to file scans.
filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
// Generic rule over two listed samples: fires on an MZ file under 100KB that
// pairs Google-branded wide strings with an ASCII proxy format string.
rule APT30_Generic_I {
meta:
description = "FireEye APT30 Report Sample"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
// Both values are 32 hex characters (MD5 length); not evaluated by the condition.
hash1 = "fe211c7a081c1dac46e3935f7c614549"
hash2 = "8c9db773d387bf9b3f2b6a532e4c937c"
id = "55046e1a-731a-5418-9a7a-4fe1611c77d0"
strings:
// Wide (UTF-16LE) branding strings of the kind found in a version resource.
// On their own they also describe genuine Google binaries.
$s0 = "Copyright 2012 Google Inc. All rights reserved." fullword wide
// The discriminating indicator; also present in APT30_Sample_10.
$s1 = "(Prxy%c-%s:%u)" fullword ascii
// "Google Inc." occurs, space-delimited, inside $s0, so $s2 is satisfied
// wherever $s0 matches and appears to add no independent constraint.
$s2 = "Google Inc." fullword wide
condition:
// MZ magic only; `filesize` restricts the rule to file scans. In practice the
// verdict rests on $s0 + $s1 within a small executable.
filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
// Sample-specific rule: fires on an MZ file under 100KB that contains all nine
// ASCII fragments below.
rule APT30_Sample_9 {
meta:
description = "FireEye APT30 Report Sample"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
// Informational only: not evaluated by the condition.
hash = "442bf8690401a2087a340ce4a48151c39101652f"
id = "bf24bb57-aff9-579c-b8a2-265a6d2a06d0"
strings:
// Truncated or altered fragments, none `fullword`, so each matches anywhere.
// NOTE(review): several resemble damaged registry paths or API names
// ("Softwa]\Mic", "help32Snapshot0L"), which presumably reflects a packed
// file - if so, unpacked or memory-dumped copies will not match. Confirm
// against the sample.
// $s0 ("\Windo") is very common by itself; the rule's specificity comes from
// requiring all nine together.
$s0 = "\\Windo" ascii
$s2 = "oHHOSTR" ascii
$s3 = "Softwa]\\Mic" ascii
$s4 = "Startup'T" ascii
$s6 = "Ora\\%^" ascii
$s7 = "\\Ohttp=r" ascii
$s17 = "help32Snapshot0L" ascii
$s18 = "TimUmoveH" ascii
$s20 = "WideChc[lobalAl" ascii
condition:
// MZ magic only; `filesize` limits the rule to file scans; any one fragment
// changing (e.g. after repacking) causes a miss.
filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
// Sample-specific rule: fires on an MZ file under 100KB that carries
// Microsoft-branded wide strings together with ASCII proxy/connect messages.
rule APT30_Sample_10 {
meta:
description = "FireEye APT30 Report Sample"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
// Informational only: not evaluated by the condition.
hash = "eb518cda3c4f4e6938aaaee07f1f7db8ee91c901"
// NOTE(review): this exact id is also carried by APT30_Sample_11, _12 and _13
// in this listing. If the id is meant as a unique key, alert pipelines that
// key on it will merge these four rules; key on the rule name, or restore
// the ids from the upstream rule set.
id = "e5dd6bc9-9383-5d48-92df-709996373655"
strings:
// Wide version-resource style strings; the same set appears in
// APT30_Sample_5. They would also describe a genuine Microsoft binary.
$s0 = "Version 4.7.3001" fullword wide
$s1 = "Copyright (c) Microsoft Corporation 2004" fullword wide
$s2 = "Microsoft(R) is a registered trademark of Microsoft Corporation in the U" wide
// Discriminating ASCII indicators: status and proxy format strings.
$s3 = "!! Use Connect Method !!" fullword ascii
$s4 = "(Prxy%c-%s:%u)" fullword ascii
$s5 = "msmsgs" fullword wide
$s18 = "(Prxy-No)" fullword ascii
condition:
// MZ magic only (no PE validation); `filesize` restricts this to file scans;
// all seven strings are required.
filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
// Sample-specific rule: fires on an MZ file under 250KB that contains all
// fifteen strings below.
rule APT30_Sample_11 {
meta:
description = "FireEye APT30 Report Sample"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
// Informational only: not evaluated by the condition.
hash = "59066d5d1ee3ad918111ed6fcaf8513537ff49a6"
// NOTE(review): the same id value appears on APT30_Sample_10, _12 and _13 in
// this listing; do not use it as a unique key without restoring the ids from
// the upstream rule set.
id = "e5dd6bc9-9383-5d48-92df-709996373655"
strings:
// Most entries are generic: a registry path, a user-agent, and Windows
// edition names. The sample-specific indicators are $s9, $s17 and the
// "msofscan" names.
$s0 = "System\\CurrentControlSet\\control\\ComputerName\\ComputerName" fullword ascii
$s1 = "msofscan.exe" fullword wide
$s2 = "Mozilla/4.0 (compatible; MSIE 5.0; Win32)" fullword ascii
// NOTE(review): the "?" after "Microsoft" may stand for a character (such as
// a registered-trademark sign) lost when the string was extracted. As written
// the rule needs a literal "?"; if the binary holds a different code unit,
// this string - and therefore `all of them` - cannot match. Verify against
// the sample.
$s3 = "Microsoft? is a registered trademark of Microsoft Corporation." fullword wide
$s4 = "Windows XP Professional x64 Edition or Windows Server 2003" fullword ascii
$s9 = "NetEagle_Scout - " fullword ascii
$s10 = "Server 4.0, Enterprise Edition" fullword ascii
$s11 = "Windows 3.1(Win32s)" fullword ascii
$s12 = "%s%s%s %s" fullword ascii
// "Server 4.0" is a delimited prefix of $s10, and $s16 of $s1, so $s13 and
// $s16 are satisfied wherever $s10 and $s1 match.
$s13 = "Server 4.0" fullword ascii
$s15 = "Windows Millennium Edition" fullword ascii
$s16 = "msofscan" fullword wide
$s17 = "Eagle-Norton360-OfficeScan" fullword ascii
$s18 = "Workstation 4.0" fullword ascii
$s19 = "2003 Microsoft Office system" fullword wide
condition:
// Larger size cap (250KB) than most APT30 rules in this listing. MZ magic
// only; `filesize` limits the rule to file scans. Requiring fifteen strings
// keeps false positives low but makes the rule specific to this build.
filesize < 250KB and uint16(0) == 0x5A4D and all of them
}
// Sample-specific rule: fires on an MZ file under 250KB that contains all
// three ASCII strings below.
rule APT30_Sample_12 {
meta:
description = "FireEye APT30 Report Sample"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
// Informational only: not evaluated by the condition.
hash = "b02b5720ff0f73f01eb2ba029a58b645c987c4bc"
// NOTE(review): the same id value appears on APT30_Sample_10, _11 and _13 in
// this listing; do not use it as a unique key without restoring the ids from
// the upstream rule set.
id = "e5dd6bc9-9383-5d48-92df-709996373655"
strings:
// Short token; its meaning is not established by this listing.
$s0 = "Richic" fullword ascii
// Ordinary HTTP header text; generic if used alone.
$s1 = "Accept: image/gif, */*" fullword ascii
// Window-enumeration debug format string shared with APT30_Sample_5 and
// APT30_Generic_E; this is the distinctive indicator.
$s2 = "----------------g_nAV=%d,hWnd:0x%X,className:%s,Title:%s,(%d,%d,%d,%d),BOOL=%d" fullword ascii
condition:
// 250KB size cap; MZ magic only; `filesize` limits the rule to file scans.
filesize < 250KB and uint16(0) == 0x5A4D and all of them
}
// Sample-specific rule: fires on an MZ file under 100KB whose wide strings
// present it as a Microsoft Office component named "msofscan".
rule APT30_Sample_13 {
meta:
description = "FireEye APT30 Report Sample"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
// Informational only: not evaluated by the condition.
hash = "a359f705a833c4a4254443b87645fd579aa94bcf"
// NOTE(review): the same id value appears on APT30_Sample_10, _11 and _12 in
// this listing; do not use it as a unique key without restoring the ids from
// the upstream rule set.
id = "e5dd6bc9-9383-5d48-92df-709996373655"
strings:
// Every string is wide (UTF-16LE) and describes file metadata only; there is
// no code or behaviour indicator, so the rule identifies this branding on a
// small executable rather than a capability.
$s0 = "msofscan.exe" fullword wide
// NOTE(review): the "?" in $s1 and $s3 may stand for trademark/copyright
// signs lost during string extraction. The rule requires a literal "?"; if
// the binary holds other code units there, these strings - and `all of them`
// - cannot match. Verify against the sample.
$s1 = "Microsoft? is a registered trademark of Microsoft Corporation." fullword wide
$s2 = "Microsoft Office Word Plugin Scan" fullword wide
$s3 = "? 2006 Microsoft Corporation. All rights reserved." fullword wide
// Delimited prefix of $s0, so it is satisfied wherever $s0 matches.
$s4 = "msofscan" fullword wide
$s6 = "2003 Microsoft Office system" fullword wide
condition:
// MZ magic only (no PE validation); `filesize` restricts this to file scans.
filesize < 100KB and uint16(0) == 0x5A4D and all of them
}