YARA rules for BS2005
2 rules · scoped to tool · back to BS2005
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.
rule APT15_Malware_Mar18_BS2005 {
meta:
description = "Detects malware from APT 15 report by NCC Group"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/HZ5XMN"
date = "2018-03-10"
hash1 = "750d9eecd533f89b8aa13aeab173a1cf813b021b6824bc30e60f5db6fa7b950b"
id = "700bbe14-d79e-5a35-aab3-31eacd5bd950"
strings:
$x1 = "AAAAKQAASCMAABi+AABnhEBj8vep7VRoAEPRWLweGc0/eiDrXGajJXRxbXsTXAcZAABK4QAAPWwAACzWAAByrg==" fullword ascii
$x2 = "AAAAKQAASCMAABi+AABnhKv3kXJJousn5YzkjGF46eE3G8ZGse4B9uoqJo8Q2oF0AABK4QAAPWwAACzWAAByrg==" fullword ascii
$a1 = "http://%s/content.html?id=%s" fullword ascii
$a2 = "http://%s/main.php?ssid=%s" fullword ascii
$a3 = "http://%s/webmail.php?id=%s" fullword ascii
$a9 = "http://%s/error.html?tab=%s" fullword ascii
$s1 = "%s\\~tmp.txt" fullword ascii
$s2 = "%s /C %s >>\"%s\" 2>&1" fullword ascii
$s3 = "DisableFirstRunCustomize" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 200KB and (
1 of ($x*) or
2 of them
)
}
rule malware_apt15_bs2005{
meta:
author = "Ahmed Zaki"
md5 = "ed21ce2beee56f0a0b1c5a62a80c128b"
description = "APT15 bs2005"
strings:
$ = "%s&%s&%s&%s" wide ascii
$ = "%s\\%s" wide ascii fullword
$ = "WarOnPostRedirect" wide ascii fullword
$ = "WarnonZoneCrossing" wide ascii fullword
$ = "^^^^^" wide ascii fullword
$ = /"?%s\s*"?\s*\/C\s*"?%s\s*>\s*\\?"?%s\\(\w+\.\w+)?"\s*2>&1\s*"?/
$ ="IEharden" wide ascii fullword
$ ="DEPOff" wide ascii fullword
$ ="ShownVerifyBalloon" wide ascii fullword
$ ="IEHardenIENoWarn" wide ascii fullword
condition:
( uint16(0) == 0x5A4D and 5 of them ) or
( uint16(0) == 0x5A4D and 3 of them and
( pe.imports("advapi32.dll", "CryptDecrypt") and pe.imports("advapi32.dll", "CryptEncrypt") and
pe.imports("ole32.dll", "CoCreateInstance")
)
)
}