YARA rules for Naikon
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.
rule APT30_Sample_14 {
    // Single-sample rule from the FireEye APT30 report: a PE (MZ header)
    // under 100KB that contains every listed string.
    // NOTE: the id value is also used by other APT30_Sample_* rules on this
    // page; assign a unique UUID (placeholder: <NEW-UUID>) if ids must be unique.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash = "b0740175d20eab79a5d62cdbe0ee1a89212a8472"
        id = "e5dd6bc9-9383-5d48-92df-709996373655"
    strings:
        // Adobe Reader-themed version-info strings; $s5 is deliberately not fullword
        $s0 = "AdobeReader.exe" fullword wide
        $s4 = "10.1.7.27" fullword wide
        $s5 = "Copyright 1984-2012 Adobe Systems Incorporated and its licensors. All ri" wide
        $s8 = "Adobe Reader" fullword wide
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
rule APT30_Sample_15 {
    // Single-sample rule: PE under 100KB containing every listed fragment.
    // NOTE: id is shared with other APT30_Sample_* rules here; use a unique
    // UUID (placeholder: <NEW-UUID>) if ids must be unique.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash = "7a8576804a2bbe4e5d05d1718f90b6a4332df027"
        id = "e5dd6bc9-9383-5d48-92df-709996373655"
    strings:
        // Partial API / registry-path fragments exactly as they occur in the sample;
        // do not "repair" them, the odd trailing bytes are part of the signature.
        $s0 = "\\Windo" ascii
        $s2 = "HHOSTR" ascii
        $s3 = "Softwa]\\Mic" ascii
        $s4 = "Startup'T" fullword ascii
        $s17 = "help32Snapshot0L" fullword ascii
        $s18 = "TimUmoveH" ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
rule APT30_Sample_16 {
    // Single-sample rule: PE under 100KB containing every listed string.
    // NOTE: id is shared with other APT30_Sample_* rules here; use a unique
    // UUID (placeholder: <NEW-UUID>) if ids must be unique.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash = "066d06ac08b48d3382d46bbeda6ad411b6d6130e"
        id = "e5dd6bc9-9383-5d48-92df-709996373655"
    strings:
        // $s2/$s4/$s5/$s7 are short opcode-like byte runs rendered as text;
        // they carry little meaning on their own, hence "all of them".
        $s0 = "\\Temp1020.txt" ascii
        $s1 = "cmcbqyjs" fullword ascii
        $s2 = "SPVSWh\\" fullword ascii
        $s4 = "PSShxw@" fullword ascii
        $s5 = "VWhHw@" fullword ascii
        $s7 = "SVWhHw@" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
rule APT30_Generic_A {
    // Generic rule built from five APT30 samples (hash1..hash5): PE under
    // 100KB containing all four byte-run strings.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash1 = "9f49aa1090fa478b9857e15695be4a89f8f3e594"
        hash2 = "396116cfb51cee090822913942f6ccf81856c2fb"
        hash3 = "fef9c3b4b35c226501f7d60816bb00331a904d5b"
        hash4 = "7c9a13f1fdd6452fb6d62067f958bfc5fec1d24e"
        hash5 = "5257ba027abe3a2cf397bfcae87b13ab9c1e9019"
        id = "6b851d94-d3bd-5c76-8fd0-adb42b3fab73"
    strings:
        // Opcode-like text runs shared across the samples; all must be present.
        $s5 = "WPVWhhiA" fullword ascii
        $s6 = "VPWVhhiA" fullword ascii
        $s11 = "VPhhiA" fullword ascii
        $s12 = "uUhXiA" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
rule APT30_Sample_17 {
    // Single-sample rule: PE under 100KB containing both strings.
    // NOTE: id is shared with other APT30_Sample_* rules here; use a unique
    // UUID (placeholder: <NEW-UUID>) if ids must be unique.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash = "c3aa52ff1d19e8fc6704777caf7c5bd120056845"
        id = "e5dd6bc9-9383-5d48-92df-709996373655"
    strings:
        // $s1 is an encoded/obfuscated run; $s4 is "IEXPLORE" with a zero for the O
        $s1 = "Nkfvtyvn}]ty}ztU" fullword ascii
        $s4 = "IEXPL0RE" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
rule APT30_Sample_18 {
    // Single-sample rule: PE under 100KB containing every listed string.
    // NOTE: id is shared with other APT30_Sample_* rules here; use a unique
    // UUID (placeholder: <NEW-UUID>) if ids must be unique.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash = "355436a16d7a2eba8a284b63bb252a8bb1644751"
        id = "e5dd6bc9-9383-5d48-92df-709996373655"
    strings:
        // Host name, dropped-file name and URI fragments from the sample
        $s0 = "w.km-nyc.com" fullword ascii
        $s1 = "tscv.exe" fullword ascii
        $s2 = "Exit/app.htm" ascii
        $s3 = "UBD:\\D" ascii
        $s4 = "LastError" ascii
        $s5 = "MicrosoftHaveAck" ascii
        $s7 = "HHOSTR" ascii
        $s20 = "XPL0RE." ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
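rule APT30_Generic_G {
    // Generic rule covering four APT30 samples: PE under 100KB containing
    // every listed format/status string.
    // Fix: the four sample hashes were all stored under the same meta key
    // "hash"; consumers that expose meta as a key/value map keep only the
    // last one. They are now numbered hash1..hash4, matching the other
    // APT30_Generic_* rules on this page. Matching logic is unchanged.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash1 = "1612b392d6145bfb0c43f8a48d78c75f"
        hash2 = "53f1358cbc298da96ec56e9a08851b4b"
        hash3 = "c2acc9fc9b0f050ec2103d3ba9cb11c0"
        hash4 = "f18be055fae2490221c926e2ad55ab11"
        id = "34269de3-4559-58a5-a621-0ad72857dc9e"
    strings:
        // printf-style format strings and operator messages used by the tool
        $s0 = "%s\\%s\\%s=%s" fullword ascii
        $s1 = "Copy File %s OK!" fullword ascii
        $s2 = "%s Space:%uM,FreeSpace:%uM" fullword ascii
        $s4 = "open=%s" fullword ascii
        $s5 = "Maybe a Encrypted Flash Disk" fullword ascii
        $s12 = "%04u-%02u-%02u %02u:%02u:%02u" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}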
rule APT30_Sample_19 {
    // Single-sample rule: PE under 100KB containing at least 8 of the 13
    // listed strings (a threshold, not "all", so minor variants still hit).
    // NOTE: id is shared with other APT30_Sample_* rules here; use a unique
    // UUID (placeholder: <NEW-UUID>) if ids must be unique.
    meta:
        description = "FireEye APT30 Report Sample"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/03"
        modified = "2023-01-06"
        score = 75
        hash = "cfa438449715b61bffa20130df8af778ef011e15"
        id = "e5dd6bc9-9383-5d48-92df-709996373655"
    strings:
        // Profile paths, drive-enumeration format strings and "%-32s" field layouts
        $s0 = "C:\\Program Files\\Common Files\\System\\wab32" fullword ascii
        $s1 = "%s,Volume:%s,Type:%s,TotalSize:%uMB,FreeSize:%uMB" fullword ascii
        $s2 = "\\TEMP\\" ascii
        $s3 = "\\Temporary Internet Files\\" ascii
        $s5 = "%s TotalSize:%u Bytes" fullword ascii
        $s6 = "This Disk Maybe a Encrypted Flash Disk!" fullword ascii
        $s7 = "User:%-32s" fullword ascii
        $s8 = "\\Desktop\\" ascii
        $s9 = "%s.%u_%u" fullword ascii
        $s10 = "Nick:%-32s" fullword ascii
        $s11 = "E-mail:%-32s" fullword ascii
        $s13 = "%04u-%02u-%02u %02u:%02u:%02u" fullword ascii
        $s14 = "Type:%-8s" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and 8 of them
}
rule APT30_Generic_E_v2 {
    // PE under 100KB containing all four encoded runs that share the
    // "Nkfvtyvn}" prefix (also seen in APT30_Sample_17).
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash = "eca53a9f6251ddf438508b28d8a483f91b99a3fd"
        id = "40897687-fb17-568e-9907-e9588a53bbe0"
    strings:
        $s0 = "Nkfvtyvn}duf_Z}{Ys" fullword ascii
        $s1 = "Nkfvtyvn}*Zrswru1i" fullword ascii
        $s2 = "Nkfvtyvn}duf_Z}{V" fullword ascii
        $s3 = "Nkfvtyvn}*ZrswrumT\\b" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
rule APT30_Sample_20 {
    // Single-sample rule: PE under 100KB containing every listed string.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash = "b1c37632e604a5d1f430c9351f87eb9e8ea911c0"
        id = "91246101-246b-5da9-9e55-7f361d1f6437"
    strings:
        // "dizhi.gif" and "flyeagles" recur across several APT30 samples on this page
        $s0 = "dizhi.gif" fullword ascii
        $s2 = "Mozilla/u" ascii
        $s3 = "XicrosoftHaveAck" ascii
        $s4 = "flyeagles" ascii
        $s10 = "iexplore." ascii
        $s13 = "WindowsGV" fullword ascii
        $s16 = "CatePipe" fullword ascii
        $s17 = "'QWERTY:/webpage3" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
rule APT30_Sample_21 {
    // Single-sample rule: PE under 100KB containing all four strings.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash = "d315daa61126616a79a8582145777d8a1565c615"
        id = "72005b40-91f7-5661-9478-8680f999b245"
    strings:
        // Generic-looking format strings; only the combination is specific
        $s0 = "Service.dll" fullword ascii
        $s1 = "(%s:%s %s)" fullword ascii
        $s2 = "%s \"%s\",%s %s" fullword ascii
        $s5 = "Proxy-%s:%u" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
rule APT30_Sample_22 {
    // Single-sample rule: PE under 100KB containing every listed fragment.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash = "0d17a58c24753e5f8fd5276f62c8c7394d8e1481"
        id = "6c1b3dd2-4383-51a2-9185-2365a4d1e784"
    strings:
        // Truncated path fragments; "LSSAS.exeJ" (note the extra byte) also
        // appears as "LSSAS.exe" in APT30_Sample_29
        $s1 = "(\\TEMP" fullword ascii
        $s2 = "Windows\\Cur" fullword ascii
        $s3 = "LSSAS.exeJ" fullword ascii
        $s4 = "QC:\\WINDOWS" fullword ascii
        $s5 = "System Volume" fullword ascii
        $s8 = "PROGRAM FILE" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
rule APT30_Generic_F {
    // Generic rule over four samples (hash1..hash4): PE under 100KB with all
    // three strings present.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash1 = "09010917cd00dc8ddd21aeb066877aa2"
        hash2 = "4c10a1efed25b828e4785d9526507fbc"
        hash3 = "b7b282c9e3eca888cbdb5a856e07e8bd"
        hash4 = "df1799845b51300b03072c6569ab96d5"
        id = "cff8b921-9afc-5a52-84cb-825de33fc86e"
    strings:
        // "Internet Exp1orer" uses a digit one in place of the l
        $s0 = "\\~zlzl.exe" ascii
        $s2 = "\\Internet Exp1orer" ascii
        $s3 = "NodAndKabIsExcellent" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
rule APT30_Sample_23 {
    // Single-sample rule: PE under 100KB containing every listed fragment.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash = "9865e24aadb4480bd3c182e50e0e53316546fc01"
        id = "9366dd34-9967-5b40-935e-4b0d8f2f5e9e"
    strings:
        // Partially corrupted API / User-Agent fragments as found in the sample
        $s0 = "hostid" ascii
        $s1 = "\\Window" ascii
        $s2 = "%u:%u%s" fullword ascii
        $s5 = "S2tware\\Mic" ascii
        $s6 = "la/4.0 (compa" ascii
        $s7 = "NameACKernel" fullword ascii
        $s12 = "ToWideChc[lo" fullword ascii
        $s14 = "help32SnapshotfL" ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
rule APT30_Sample_24 {
    // Single-sample rule: PE under 100KB containing every listed string.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash = "572caa09f2b600daa941c60db1fc410bef8d1771"
        id = "aed2201d-b557-56ec-aa53-fff5b1e17dbd"
    strings:
        // Same "dizhi.gif" / "flyeagles" / "MicrosoftHaveAck" family as other APT30 samples
        $s1 = "dizhi.gif" fullword ascii
        $s3 = "Mozilla/4.0" fullword ascii
        $s4 = "lyeagles" fullword ascii
        $s6 = "HHOSTR" ascii
        $s7 = "#MicrosoftHaveAck7" ascii
        $s8 = "iexplore." fullword ascii
        $s17 = "ModuleH" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
rule APT30_Sample_25 {
    // Single-sample rule: PE under 100KB containing every listed fragment.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash = "44a21c8b3147fabc668fee968b62783aa9d90351"
        id = "8b2f2ba2-e9cc-5b3c-8af9-4217d662bc3f"
    strings:
        // Truncated path / volume-name fragments as found in the sample
        $s1 = "C:\\WINDOWS" fullword ascii
        $s2 = "aragua" fullword ascii
        $s4 = "\\driver32\\7$" ascii
        $s8 = "System V" fullword ascii
        $s9 = "Compu~r" fullword ascii
        $s10 = "PROGRAM L" fullword ascii
        $s18 = "GPRTMAX" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
rule APT30_Sample_26 {
    // Single-sample rule: PE under 100KB containing every listed fragment.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash = "e26588113417bf68cb0c479638c9cd99a48e846d"
        id = "aa80a142-c8fc-504e-b475-e9838607bec6"
    strings:
        // "forcegue" is a truncation of "forceguest" (full form in APT30_Sample_31)
        $s1 = "forcegue" fullword ascii
        $s3 = "Windows\\Cur" fullword ascii
        $s4 = "System Id" fullword ascii
        $s5 = "Software\\Mic" fullword ascii
        $s6 = "utiBy0ToWideCh&$a" fullword ascii
        $s10 = "ModuleH" fullword ascii
        $s15 = "PeekNamed6G" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
rule APT30_Generic_D {
    // Generic rule over six samples (hash1..hash6): PE under 100KB with all
    // listed strings present.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash1 = "35dfb55f419f476a54241f46e624a1a4"
        hash2 = "4fffcbdd4804f6952e0daf2d67507946"
        hash3 = "597805832d45d522c4882f21db800ecf"
        hash4 = "6bd422d56e85024e67cc12207e330984"
        hash5 = "82e13f3031130bd9d567c46a9c71ef2b"
        hash6 = "b79d87ff6de654130da95c73f66c15fa"
        id = "9b8d8a60-a357-5cfd-8ff1-6264144ad7be"
    strings:
        // Version-info strings themed as a Windows security service, plus
        // the "rb.htm" URI and a version number "5, 4, 2600, 0"
        $s0 = "Windows Security Service Feedback" fullword wide
        $s1 = "wssfmgr.exe" fullword wide
        $s2 = "\\rb.htm" ascii
        $s3 = "rb.htm" fullword ascii
        $s4 = "cook5" ascii
        $s5 = "5, 4, 2600, 0" fullword wide
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
rule APT30_Sample_27 {
    // Single-sample rule: PE under 100KB containing every listed string.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash = "959573261ca1d7e5ddcd19447475b2139ca24fe1"
        id = "22815745-086f-59ee-aac1-f35e49aa5835"
    strings:
        $s0 = "Mozilla/4.0" fullword ascii
        $s1 = "dizhi.gif" fullword ascii
        $s5 = "oftHaveAck+" ascii
        $s10 = "HlobalAl" fullword ascii
        $s13 = "$NtRND1$" fullword ascii
        $s14 = "_NStartup" ascii
        $s16 = "GXSYSTEM" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
rule APT30_Sample_28 {
    // Two-sample rule (hash1, hash2): PE under 100KB containing at least 7
    // of the 15 listed strings.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash1 = "e62a63307deead5c9fcca6b9a2d51fb0"
        hash2 = "5b590798da581c894d8a87964763aa8b"
        id = "1bc8c68f-ebbb-58b1-92aa-5954318096a0"
    strings:
        // Domains, URI paths, dropped-file names and a registry key; this is
        // the unobfuscated form of strings seen truncated in sibling rules
        $s0 = "www.flyeagles.com" fullword ascii
        $s1 = "iexplore.exe" fullword ascii
        $s2 = "www.km-nyc.com" fullword ascii
        $s3 = "cmdLine.exe" fullword ascii
        $s4 = "Software\\Microsoft\\CurrentNetInf" fullword ascii
        $s5 = "/dizhi.gif" ascii
        $s6 = "/connect.gif" ascii
        $s7 = "USBTest.sys" fullword ascii
        $s8 = "/ver.htm" fullword ascii
        $s11 = "\\netscv.exe" ascii
        $s12 = "/app.htm" fullword ascii
        $s13 = "\\netsvc.exe" ascii
        $s14 = "/exe.htm" fullword ascii
        $s18 = "MicrosoftHaveAck" fullword ascii
        $s19 = "MicrosoftHaveExit" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and 7 of them
}
rule APT30_Sample_29 {
    // Single-sample rule: PE under 100KB containing every listed string.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash = "44492c53715d7c79895904543843a321491cb23a"
        id = "24334885-fcb4-5a13-82e8-c8465f97361e"
    strings:
        // "MicrosoftFlash*" marker strings and a registry key; ".petite" is a
        // section name of the Petite packer
        $s0 = "LSSAS.exe" fullword ascii
        $s1 = "Software\\Microsoft\\FlashDiskInf" fullword ascii
        $s2 = ".petite" fullword ascii
        $s3 = "MicrosoftFlashExit" fullword ascii
        $s4 = "MicrosoftFlashHaveExit" fullword ascii
        $s5 = "MicrosoftFlashHaveAck" fullword ascii
        $s6 = "\\driver32" ascii
        $s7 = "MicrosoftFlashZJ" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
rule APT30_Sample_30 {
    // Single-sample rule: PE under 100KB containing every listed string.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash = "3b684fa40b4f096e99fbf535962c7da5cf0b4528"
        id = "787b288a-6fb4-5483-af76-933651ec6d58"
    strings:
        // XP SP2 version-info strings (wide) plus encoded runs and an API name
        $s0 = "5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" fullword wide
        $s3 = "RnhwtxtkyLRRMf{jJ}ny" fullword ascii
        $s4 = "RnhwtxtkyLRRJ}ny" fullword ascii
        $s5 = "ZRLDownloadToFileA" fullword ascii
        $s9 = "5.1.2600.2180" fullword wide
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
rule APT30_Sample_31 {
    // Single-sample rule: PE under 100KB containing every listed string.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash = "8b4271167655787be1988574446125eae5043aca"
        id = "9333870b-7eaa-54dd-a801-7292708fb592"
    strings:
        // Temp-file name, a fake KB uninstall folder, and operator-facing messages
        $s0 = "\\ZJRsv.tem" ascii
        $s1 = "forceguest" fullword ascii
        $s4 = "\\$NtUninstallKB570317$" ascii
        $s8 = "[Can'tGetIP]" fullword ascii
        $s14 = "QWERTY:,`/" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
rule APT30_Generic_J {
    // Generic rule: PE under 100KB carrying every listed Symantec/Norton-
    // themed version-info and path string.
    // NOTE: hash6 repeats the value of hash4; probably a copy error, but the
    // sixth sample's real hash is not on record here, so it is left as-is.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash1 = "49aca228674651cba776be727bdb7e60"
        hash2 = "5c7a6b3d1b85fad17333e02608844703"
        hash3 = "649fa64127fef1305ba141dd58fb83a5"
        hash4 = "9982fd829c0048c8f89620691316763a"
        hash5 = "baff5262ae01a9217b10fcd5dad9d1d5"
        hash6 = "9982fd829c0048c8f89620691316763a"
        id = "64a5106e-d7f3-5c68-a14e-410149a1bb9e"
    strings:
        $s0 = "Launcher.EXE" fullword wide
        $s1 = "Symantec Security Technologies" fullword wide
        $s2 = "\\Symantec LiveUpdate.lnk" ascii
        $s3 = "Symantec Service Framework" fullword wide
        $s4 = "\\ccSvcHst.exe" ascii
        $s5 = "\\wssfmgr.exe" ascii
        $s6 = "Symantec Corporation" fullword wide
        $s7 = "\\5.1.0.29" ascii
        $s8 = "\\Engine" ascii
        $s9 = "Copyright (C) 2000-2010 Symantec Corporation. All rights reserved." fullword wide
        $s10 = "Symantec LiveUpdate" fullword ascii
        $s11 = "\\Norton360" ascii
        $s15 = "BinRes" fullword ascii
        $s16 = "\\readme.lz" ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
rule APT30_Microfost {
    // PE under 100KB whose version info carries the misspelling "Microfost"
    // (both strings are wide and fullword).
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash = "57169cb4b8ef7a0d7ebd7aa039d1a1efd6eb639e"
        id = "19231001-1da3-5be6-8275-03c9fc7c6377"
    strings:
        $s1 = "Copyright (c) 2007 Microfost All Rights Reserved" fullword wide
        $s2 = "Microfost" fullword wide
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
rule APT30_Generic_K {
    // PE under 100KB that has the $x1 marker plus at least three $s strings.
    // NOTE: $s12 is byte-identical to $x1 and $s21 is a prefix of $s0 (both
    // plain ascii), so they match wherever their twin does; in practice the
    // "3 of ($s*)" threshold is met with two independent $s hits once $x1 is
    // present. Left unchanged to preserve the published matching behaviour.
    meta:
        description = "FireEye APT30 Report Sample"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/03"
        modified = "2023-01-06"
        score = 75
        hash = "142bc01ad412799a7f9ffed994069fecbd5a2f93"
        id = "49629825-4233-5d74-b763-b2500536eb90"
    strings:
        $x1 = "Maybe a Encrypted Flash" fullword ascii
        $s0 = "C:\\Program Files\\Common Files\\System\\wab32" fullword ascii
        $s1 = "\\TEMP\\" ascii
        $s2 = "\\Temporary Internet Files\\" ascii
        $s5 = "%s Size:%u Bytes" fullword ascii
        $s7 = "$.DATA$" fullword ascii
        $s10 = "? Size:%u By s" fullword ascii
        $s12 = "Maybe a Encrypted Flash" fullword ascii
        $s14 = "Name:%-32s" fullword ascii
        $s15 = "NickName:%-32s" fullword ascii
        $s19 = "Email:%-32s" fullword ascii
        $s21 = "C:\\Prog" ascii
        $s22 = "$LDDATA$" ascii
        $s31 = "Copy File %s OK!" fullword ascii
        $s32 = "%s Space:%uM,FreeSpace:%uM" fullword ascii
        $s34 = "open=%s" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB
        and all of ($x*)
        and 3 of ($s*)
}
rule APT30_Sample_33 {
    // Single-sample rule: PE under 100KB containing at least 6 of the 8
    // listed strings.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash = "72c568ee2dd75406858c0294ccfcf86ad0e390e4"
        id = "be6afc4a-97fe-56ba-b057-e21415f9833d"
    strings:
        // MSN Messenger-themed version info plus "MY*" renamed import DLL names
        $s0 = "Version 4.7.3001" fullword wide
        $s1 = "msmsgr.exe" fullword wide
        $s2 = "MYUSER32.dll" fullword ascii
        $s3 = "MYADVAPI32.dll" fullword ascii
        $s4 = "CeleWare.NET1" fullword ascii
        $s6 = "MYMSVCRT.dll" fullword ascii
        $s7 = "Microsoft(R) is a registered trademark of Microsoft Corporation in the" wide
        $s8 = "WWW.CeleWare.NET1" ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and 6 of them
}
rule APT30_Sample_34 {
    // Single-sample rule: PE under 100KB containing every listed fragment.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash = "216868edbcdd067bd2a9cce4f132d33ba9c0d818"
        id = "a4802e13-4151-5f17-ba91-dcf9ef6b52bb"
    strings:
        // None of these are fullword; they are partial fragments from the sample
        $s0 = "dizhi.gif" ascii
        $s1 = "eagles.vip.nse" ascii
        $s4 = "o%S:S0" ascii
        $s5 = "la/4.0" ascii
        $s6 = "s#!<4!2>s02==<'s1" ascii
        $s7 = "HlobalAl" ascii
        $s9 = "vcMicrosoftHaveAck7" ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
rule APT30_Sample_35 {
    // Single-sample rule: PE under 100KB containing all three strings.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash = "df48a7cd6c4a8f78f5847bad3776abc0458499a6"
        id = "8a30720b-06da-5a82-8bab-bf06121afd68"
    strings:
        $s0 = "WhBoyIEXPLORE.EXE.exe" fullword ascii
        $s5 = "Startup>A" fullword ascii
        $s18 = "olhelp32Snapshot" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
rule APT30_Sample_1 {
    // Single-sample rule: PE under 100KB containing every listed fragment.
    // NOTE: id is shared with other APT30_Sample_* rules here; use a unique
    // UUID (placeholder: <NEW-UUID>) if ids must be unique.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        hash = "8cea83299af8f5ec6c278247e649c9d91d4cf3bc"
        id = "e5dd6bc9-9383-5d48-92df-709996373655"
    strings:
        // "Moziea/4.0" is a damaged User-Agent prefix as found in the sample
        $s0 = "#hostid" fullword ascii
        $s1 = "\\Windows\\C" ascii
        $s5 = "TimUmove" fullword ascii
        $s6 = "Moziea/4.0 (c" fullword ascii
        $s7 = "StartupNA" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
rule APT30_Generic_1 {
    // Super rule over seven samples (hash0..hash6): PE under 250KB containing
    // every listed string. Strings carry no ascii/wide modifier, so YARA's
    // default (ascii) applies.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        super_rule = 1
        hash0 = "aaa5c64200ff0818c56ebe4c88bcc1143216c536"
        hash1 = "cb4263cab467845dae9fae427e3bbeb31c6a14c2"
        hash2 = "b69b95db8a55a050d6d6c0cba13d73975b8219ca"
        hash3 = "5c29e21bbe8873778f9363258f5e570dddcadeb9"
        hash4 = "d5cb07d178963f2dea2c754d261185ecc94e09d6"
        hash5 = "626dcdd7357e1f8329e9137d0f9883f57ec5c163"
        hash6 = "843997b36ed80d3aeea3c822cb5dc446b6bfa7b9"
        id = "4d21f402-24da-5e38-9225-a1461e61802f"
    strings:
        // Host-survey output: log file name, timestamp formats, and
        // locale/edition labels the tool prints
        $s0 = "%s\\%s.txt" fullword
        $s1 = "\\ldsysinfo.txt"
        $s4 = "(Extended Wansung)" fullword
        $s6 = "Computer Name:" fullword
        $s7 = "%s %uKB %04u-%02u-%02u %02u:%02u" fullword
        $s8 = "ASSAMESE" fullword
        $s9 = "BELARUSIAN" fullword
        $s10 = "(PR China)" fullword
        $s14 = "(French)" fullword
        $s15 = "AdvancedServer" fullword
        $s16 = "DataCenterServer" fullword
        $s18 = "(Finland)" fullword
        $s19 = "%s %04u-%02u-%02u %02u:%02u" fullword
        $s20 = "(Chile)" fullword
    condition:
        uint16(0) == 0x5A4D and filesize < 250KB and all of them
}
rule APT30_Generic_2 {
    // Super rule over thirty samples (hash0..hash29): PE under 100KB
    // containing every listed string. Mixes Opera-themed version info (wide)
    // with the tool's own status messages (default ascii).
    meta:
        description = "FireEye APT30 Report Sample - from many files"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        super_rule = 1
        hash0 = "aba8b9fa213e5e2f1f0404d13fecc20ea8651b57"
        hash1 = "7f11f5c9475240e5dd2eea7726c9229972cffc1f"
        hash2 = "94d3f91d1e50ecea729617729013c3d143bf2c3e"
        hash3 = "7e516ec04f28c76d67b8111ddfe58bbd628362cc"
        hash4 = "6b27bc0b0460b0a25b45d897ed4f399106c284d9"
        hash5 = "6df5b4b3da0964153bad22fb1f69483ae8316655"
        hash6 = "b68bce61dfd8763c3003480ba4066b3cb1ef126e"
        hash7 = "cc124682246d098740cfa7d20aede850d49b6597"
        hash8 = "1ef415bca310575944934fc97b0aa720943ba512"
        hash9 = "0559ab9356dcc869da18b2c96f48b76478c472b3"
        hash10 = "f15272042a4f9324ad5de884bd50f4072f4bdde3"
        hash11 = "1d93d5f5463cdf85e3c22c56ed1381957f4efaac"
        hash12 = "b6f1fb0f8a2fb92a3c60e154f24cfbca1984529f"
        hash13 = "9967a99a1b627ddb6899919e32a0f544ea498b48"
        hash14 = "95a3c812ca0ad104f045b26c483495129bcf37ca"
        hash15 = "bde9a72b2113d18b4fa537cc080d8d8ba1a231e8"
        hash16 = "ce1f53e06feab1e92f07ed544c288bf39c6fce19"
        hash17 = "72dae031d885dbf492c0232dd1c792ab4785a2dc"
        hash18 = "a2ccba46e40d0fb0dd3e1dba160ecbb5440862ec"
        hash19 = "c8007b59b2d495029cdf5b7b8fc8a5a1f7aa7611"
        hash20 = "9c6f470e2f326a055065b2501077c89f748db763"
        hash21 = "af3e232559ef69bdf2ee9cd96434dcec58afbe5a"
        hash22 = "e72e67ba32946c2702b7662c510cc1242cffe802"
        hash23 = "8fc0b1618b61dce5f18eba01809301cb7f021b35"
        hash24 = "6a8159da055dac928ba7c98ea1cdbe6dfb4a3c22"
        hash25 = "47463412daf0b0a410d3ccbb7ea294db5ff42311"
        hash26 = "e6efa0ccfddda7d7d689efeb28894c04ebc72be2"
        hash27 = "43a3fc9a4fee43252e9a570492e4efe33043e710"
        hash28 = "7406ebef11ca9f97c101b37f417901c70ab514b1"
        hash29 = "53ed9b22084f89b4b595938e320f20efe65e0409"
        id = "60d7d661-50e8-5a9b-8366-eda8ff8ad9d4"
    strings:
        // Fake KB log paths
        $s0 = "%s\\%s\\KB985109.log" fullword
        $s1 = "%s\\%s\\KB989109.log" fullword
        // Opera-themed version info
        $s2 = "Opera.exe" fullword wide
        $s6 = "Copyright Opera Software 1995-" wide
        $s9 = "Opera Internet Browser" fullword wide
        $s12 = "Opera Software" fullword wide
        // LAN-scan status messages
        $s3 = "%s:All online success on %u!" fullword
        $s4 = "%s:list online success on %u!" fullword
        $s5 = "%s:All online fail!" fullword
        $s7 = "%s:list online fail!" fullword
        $s8 = "OnlineTmp.txt" fullword
        $s15 = "Check lan have done!!!" fullword
        $s16 = "List End." fullword
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
rule APT30_Generic_3 {
    // Super rule over three samples (hash0..hash2): PE under 100KB with all
    // three strings. $s14/$s16 are filler patterns; $s0 is the Acrobat-themed
    // file name in version info.
    // NOTE: unlike the other rules on this page this one carries no id meta;
    // add one (placeholder: <NEW-UUID>) if ids are required.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        super_rule = 1
        hash0 = "b90ac3e58ed472829e2562023e6e892d2d61ac44"
        hash1 = "342036ace2e9e6d504b0dec6399e4fa92de46c12"
        hash2 = "5cdf397dfd9eb66ff5ff636777f6982c1254a37a"
    strings:
        $s0 = "Acrobat.exe" fullword wide
        $s14 = "********************************" fullword
        $s16 = "FFFF:>>>>>>>>>>>>>>>>>@" fullword
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and all of them
}
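rule apt_hellsing_implantstrings {
    // Hellsing implant strings: any one of the five string groups inside a
    // PE under 500000 bytes.
    // Fix: in the original condition "and" bound tighter than "or", so the
    // MZ-header check applied only to the ($a*) alternative and the filesize
    // check only to the ($e and $f) alternative; the ($b*), ($c,$d) and
    // $debugpath alternatives matched any file of any size. The gates are now
    // applied to every alternative, as the meta filetype = "PE" intends.
    // This narrows matching relative to the published rule.
    meta:
        version = "1.0"
        filetype = "PE"
        author = "Costin Raiu, Kaspersky Lab"
        copyright = "Kaspersky Lab"
        date = "2015-04-07"
        description = "detection for Hellsing implants"
        id = "00aa5885-ae79-5d68-8587-13d3e8965630"
    strings:
        // group a: upload status + ping used as a delay
        $a1 = "the file uploaded failed !"
        $a2 = "ping 127.0.0.1"
        // group b: download status + C2 script name
        $b1 = "the file downloaded failed !"
        $b2 = "common.asp"
        // group c/d: server binary name + request parameter
        $c = "xweber_server.exe"
        $d = "action="
        // PDB/build paths left in the binaries (case-insensitive)
        $debugpath1 = "d:\\Hellsing\\release\\msger\\" nocase
        $debugpath2 = "d:\\hellsing\\sys\\xrat\\" nocase
        $debugpath3 = "D:\\Hellsing\\release\\exe\\" nocase
        $debugpath4 = "d:\\hellsing\\sys\\xkat\\" nocase
        $debugpath5 = "e:\\Hellsing\\release\\clare" nocase
        $debugpath6 = "e:\\Hellsing\\release\\irene\\" nocase
        $debugpath7 = "d:\\hellsing\\sys\\irene\\" nocase
        // group e/f: service DLL name + service entry point
        $e = "msger_server.dll"
        $f = "ServiceMain"
    condition:
        uint16(0) == 0x5a4d and filesize < 500000 and (
            all of ($a*)
            or all of ($b*)
            or ($c and $d)
            or any of ($debugpath*)
            or ($e and $f)
        )
}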
rule apt_hellsing_installer {
    // Hellsing xweber/msger installers: PE under 500000 bytes that contains
    // the self-delete command line ($cmd) plus any two of the $a* strings.
    meta:
        version = "1.0"
        filetype = "PE"
        author = "Costin Raiu, Kaspersky Lab"
        copyright = "Kaspersky Lab"
        date = "2015-04-07"
        description = "detection for Hellsing xweber/msger installers"
        id = "0aca838e-813a-59ee-8a04-7d2f4e854075"
    strings:
        // ping-then-delete self-removal command
        $cmd = "cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \"%s\""
        $a1 = "xweber_install_uac.exe"
        $a2 = "system32\\cmd.exe" wide
        // $a4..$a8 are base64-looking blobs embedded in the installers
        $a4 = "S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y="
        $a5 = "S11SWFOrVwR9dnFTUgRUVlNHWVdXBFpTVgRdUlpWRVZZWARdUqhZVlpFR1kEUVNSXahTVgRaU1YEUVNSXahTVl1SWwRZValdVFFZUqgQBF1SWlZFVllYBFRTVqg="
        $a6 = "7dqm2ODf5N/Y2N/m6+br3dnZpunl44g="
        $a7 = "vd/m7OXd2ai/5u7a59rr7Ki45drcqMPl5t/c5dqIZw=="
        $a8 = "vd/m7OXd2ai/usPl5qjY2uXp69nZqO7l2qjf5u7a59rr7Kjf5tzr2u7n6euo4+Xm39zl2qju5dqo4+Xm39zl2t/m7ajr19vf2OPr39rj5eaZmqbs5OSINjl2tyI"
        $a9 = "C:\\Windows\\System32\\sysprep\\sysprep.exe" wide
        $a10 = "%SystemRoot%\\system32\\cmd.exe" wide
        $a11 = "msger_install.dll"
        // NUL-delimited "ex.dll"
        $a12 = {00 65 78 2E 64 6C 6C 00}
    condition:
        uint16(0) == 0x5a4d and filesize < 500000 and $cmd and 2 of ($a*)
}
rule apt_hellsing_proxytool {
    // Hellsing proxy testing tool: PE under 300000 bytes with any two of the
    // PROXY_INFO log lines, the WinINet error line or the build path.
    meta:
        version = "1.0"
        filetype = "PE"
        author = "Costin Raiu, Kaspersky Lab"
        copyright = "Kaspersky Lab"
        date = "2015-04-07"
        description = "detection for Hellsing proxy testing tool"
        id = "54454f07-11a9-5456-b489-9a9610e53123"
    strings:
        $a1 = "PROXY_INFO: automatic proxy url => %s"
        $a2 = "PROXY_INFO: connection type => %d"
        $a3 = "PROXY_INFO: proxy server => %s"
        $a4 = "PROXY_INFO: bypass list => %s"
        $a5 = "InternetQueryOption failed with GetLastError() %d"
        $a6 = "D:\\Hellsing\\release\\exe\\exe\\" nocase
    condition:
        uint16(0) == 0x5a4d and filesize < 300000 and 2 of ($a*)
}
rule apt_hellsing_xkat {
    // Hellsing xKat tool: PE under 300000 bytes with at least six of the
    // driver-load / kill / delete status messages.
    // (The source had several declarations folded onto single lines; YARA
    // accepts that, they are just split out here for readability.)
    meta:
        version = "1.0"
        filetype = "PE"
        author = "Costin Raiu, Kaspersky Lab"
        copyright = "Kaspersky Lab"
        date = "2015-04-07"
        description = "detection for Hellsing xKat tool"
        id = "c831ce04-8fb2-5790-8aaf-c88b370835ac"
    strings:
        $a1 = "\\Dbgv.sys"
        $a2 = "XKAT_BIN"
        $a3 = "release sys file error."
        $a4 = "driver_load error. "
        $a5 = "driver_create error."
        $a6 = "delete file:%s error."
        $a7 = "delete file:%s ok."
        $a8 = "kill pid:%d error."
        $a9 = "kill pid:%d ok."
        $a10 = "-pid-delete"
        $a11 = "kill and delete pid:%d error."
        $a12 = "kill and delete pid:%d ok."
    condition:
        uint16(0) == 0x5a4d and filesize < 300000 and 6 of ($a*)
}
rule apt_hellsing_msgertype2 {
    // Hellsing msger type-2 implants: PE under 500000 bytes with at least
    // four of the C2 URL templates, file-path formats and MAC format string.
    meta:
        version = "1.0"
        filetype = "PE"
        author = "Costin Raiu, Kaspersky Lab"
        copyright = "Kaspersky Lab"
        date = "2015-04-07"
        description = "detection for Hellsing msger type 2 implants"
        id = "98f151de-c1c2-56c1-8c64-5d1f437e0742"
    strings:
        $a1 = "%s\\system\\%d.txt"
        $a2 = "_msger"
        $a3 = "http://%s/lib/common.asp?action=user_login&uid=%s&lan=%s&host=%s&os=%s&proxy=%s"
        $a4 = "http://%s/data/%s.1000001000"
        $a5 = "/lib/common.asp?action=user_upload&file="
        // MAC-address style format
        $a6 = "%02X-%02X-%02X-%02X-%02X-%02X"
    condition:
        uint16(0) == 0x5a4d and filesize < 500000 and 4 of ($a*)
}
rule apt_hellsing_irene {
    // Hellsing msger "irene" installer: PE under 500000 bytes with at least
    // four of the driver paths, loader error messages, component name and
    // the aPLib banner.
    meta:
        version = "1.0"
        filetype = "PE"
        author = "Costin Raiu, Kaspersky Lab"
        copyright = "Kaspersky Lab"
        date = "2015-04-07"
        description = "detection for Hellsing msger irene installer"
        id = "b57d1a10-4e5c-511f-b98c-8ce7d766c227"
    strings:
        $a1 = "\\Drivers\\usbmgr.tmp" wide
        $a2 = "\\Drivers\\usbmgr.sys" wide
        $a3 = "common_loadDriver CreateFile error!"
        $a4 = "common_loadDriver StartService error && GetLastError():%d!"
        $a5 = "irene" wide
        // aPLib is a common packer library; this string alone is not specific
        $a6 = "aPLib v0.43 - the smaller the better"
    condition:
        uint16(0) == 0x5a4d and filesize < 500000 and 4 of ($a*)
}
rule Unit78020_Malware_1 {
    // Specific rule for the msictl.exe sample: PE under 160KB with at least
    // four of the six strings.
    meta:
        description = "Detects malware by Chinese APT PLA Unit 78020 - Specific Rule - msictl.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://threatconnect.com/camerashy/?utm_campaign=CameraShy"
        date = "2015-09-24"
        hash = "a93d01f1cc2d18ced2f3b2b78319aadc112f611ab8911ae9e55e13557c1c791a"
        id = "0374de68-98cb-5cb8-a936-fe7845de9330"
    strings:
        // $s1/$s3 (IE path, localhost:8080) are common on their own; the
        // "4 of them" threshold is what makes the rule specific
        $s1 = "%ProgramFiles%\\Internet Explorer\\iexplore.exe" fullword ascii
        $s2 = "msictl.exe" fullword ascii
        $s3 = "127.0.0.1:8080" fullword ascii
        $s4 = "mshtml.dat" fullword ascii
        $s5 = "msisvc" fullword ascii
        $s6 = "NOKIAN95/WEB" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 160KB and 4 of them
}
rule Unit78020_Malware_Gen2 {
    // Generic rule over three samples (hash1..hash3): PE under 1000KB with
    // all six strings present.
    meta:
        description = "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://threatconnect.com/camerashy/?utm_campaign=CameraShy"
        date = "2015-09-24"
        super_rule = 1
        hash1 = "76c586e89c30a97e583c40ebe3f4ba75d5e02e52959184c4ce0a46b3aac54edd"
        hash2 = "7b73bf2d80a03eb477242967628da79924fbe06cc67c4dcdd2bdefccd6e0e1af"
        hash3 = "981e2fa1ae4145359036b46e8b53cc5da37dd2311204859761bd91572f025e8a"
        id = "9492b1f8-c2a9-5e3b-ad62-fbc3d99392b3"
    strings:
        // Note the leading punctuation in $s0/$s2/$s5 (-, :, *); it is part
        // of the match and is what separates these from the plain API names
        $s0 = "-GetModuleFileNameExW" fullword ascii
        $s1 = "\\MSN Talk Start.lnk" wide
        $s2 = ":SeDebugPrivilege" fullword wide
        $s3 = "WinMM Version 1.0" fullword wide
        $s4 = "dwError1 = %d" fullword ascii
        $s5 = "*Can't Get" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}
rule Unit78020_Malware_Gen3 {
    // Generic "Chong" rule over two samples (hash1, hash2). Two independent
    // alternatives: (1) a PE under 300KB with any one high-confidence $x
    // string, or (2) any four $s strings regardless of file type or size.
    // Alternative (2) is not gated by the MZ/size check as written by the
    // author; it is kept that way here, so expect it to also fire on memory
    // dumps and non-PE carriers.
    meta:
        description = "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://threatconnect.com/camerashy/?utm_campaign=CameraShy"
        date = "2015-09-24"
        super_rule = 1
        hash1 = "2625a0d91d3cdbbc7c4a450c91e028e3609ff96c4f2a5a310ae20f73e1bc32ac"
        hash2 = "5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2"
        id = "e26f386e-e98c-5005-9343-1873d2e35a1f"
    strings:
        // high-confidence: malformed HTTP request templates and the build path
        $x1 = "GET http://%ws:%d/%d%s%dHTTP/1.1" fullword ascii
        $x2 = "POST http://%ws:%d/%d%s%dHTTP/1.1" fullword ascii
        $x3 = "J:\\chong\\" ascii
        // supporting strings
        $s1 = "User-Agent: Netscape" fullword ascii
        $s2 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7" fullword ascii
        $s3 = "Software\\Microsoft\\Windows\\CurrentVersion\\explorer\\User Shell Folders" fullword wide
        $s4 = "J:\\chong\\nod\\Release\\SslMM.exe" fullword ascii
        $s5 = "MM.exe" fullword ascii
        $s6 = "network.proxy.ssl" fullword wide
        $s7 = "PeekNamePipe" fullword ascii
        $s8 = "Host: %ws:%d" fullword ascii
        $s9 = "GET %dHTTP/1.1" fullword ascii
        $s10 = "SCHANNEL.DLL" fullword ascii /* Goodware String - occurred 6 times */
    condition:
        (
            uint16(0) == 0x5a4d and filesize < 300KB and 1 of ($x*)
        )
        or (
            4 of ($s*)
        )
}