YARA rules for CloudDuke
3 rules · scoped to tool · back to CloudDuke
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.
rule CloudDuke_Malware {
meta:
description = "Detects CloudDuke Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.f-secure.com/weblog/archives/00002822.html"
date = "2015-07-22"
score = 60
hash1 = "97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7"
hash2 = "88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f"
hash3 = "1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7"
hash4 = "ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46"
hash5 = "ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145"
hash6 = "a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004"
hash7 = "56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e"
id = "902ef68b-7ed1-5622-b796-4e3bb2388124"
strings:
$s1 = "ProcDataWrap" fullword ascii
$s2 = "imagehlp.dll" fullword ascii
$s3 = "dnlibsh" fullword ascii
$s4 = "%ws_out%ws" fullword wide
$s5 = "Akernel32.dll" fullword wide
$op0 = { 0f b6 80 68 0e 41 00 0b c8 c1 e1 08 0f b6 c2 8b } /* Opcode */
$op1 = { 8b ce e8 f8 01 00 00 85 c0 74 41 83 7d f8 00 0f } /* Opcode */
$op2 = { e8 2f a2 ff ff 83 20 00 83 c8 ff 5f 5e 5d c3 55 } /* Opcode */
condition:
uint16(0) == 0x5a4d and filesize < 720KB and 4 of ($s*) and 1 of ($op*)
}
rule MiniDionis_readerView {
meta:
description = "MiniDionis Malware - file readerView.exe / adobe.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950"
date = "2015-07-20"
/* Original Hash */
hash1 = "ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145"
/* Derived Samples */
hash2 = "a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004"
hash3 = "88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f"
hash4 = "97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7"
hash5 = "ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46"
hash6 = "56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e"
id = "dc8d4311-2a87-5c9b-95ff-52708f293f01"
strings:
$s1 = "%ws_out%ws" fullword wide /* score: '8.00' */
$s2 = "dnlibsh" fullword ascii /* score: '7.00' */
$op0 = { 0f b6 80 68 0e 41 00 0b c8 c1 e1 08 0f b6 c2 8b } /* Opcode */
$op1 = { 8b ce e8 f8 01 00 00 85 c0 74 41 83 7d f8 00 0f } /* Opcode */
$op2 = { e8 2f a2 ff ff 83 20 00 83 c8 ff 5f 5e 5d c3 55 } /* Opcode */
condition:
uint16(0) == 0x5a4d and filesize < 500KB and all of ($s*) and 1 of ($op*)
}
rule MiniDionis_VBS_Dropped {
meta:
description = "Dropped File - 1.vbs"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://malwr.com/analysis/ZDc4ZmIyZDI4MTVjNGY5NWI0YzE3YjIzNGFjZTcyYTY/"
date = "2015-07-21"
hash = "97dd1ee3aca815eb655a5de9e9e8945e7ba57f458019be6e1b9acb5731fa6646"
id = "f0116861-4216-504a-a39b-463e7535a2b3"
strings:
$s1 = "Wscript.Sleep 5000" ascii
$s2 = "Set FSO = CreateObject(\"Scripting.FileSystemObject\")" ascii
$s3 = "Set WshShell = CreateObject(\"WScript.Shell\")" ascii
$s4 = "If(FSO.FileExists(\"" ascii
$s5 = "then FSO.DeleteFile(\".\\" ascii
condition:
filesize < 1KB and all of them and $s1 in (0..40)
}