YARA rules for Matryoshka
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.
// NOTE: the second branch of the condition uses the `pe` module, so the
// ruleset this rule lives in must carry `import "pe"` at the top.
rule WiltedTulip_matryoshka_Injector
{
    meta:
        description = "Detects hack tool used in Operation Wilted Tulip"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://www.clearskysec.com/tulip"
        date = "2017-07-23"
        hash1 = "c41e97b3b22a3f0264f10af2e71e3db44e53c6633d0d690ac4d2f8f5005708ed"
        hash2 = "b93b5d6716a4f8eee450d9f374d0294d1800784bc99c6934246570e4baffe509"
        id = "e4cf2a31-33c8-5db1-84ca-f63b65a0a0a3"

    strings:
        // Internal module name carried by the injector DLL.
        $name_dll = "Injector.dll" fullword ascii
        // Export name associated with reflective DLL loading.
        $name_refl = "ReflectiveLoader" fullword ascii

    condition:
        // Branch A: a small MZ image containing both name strings ...
        (
            uint16(0) == 0x5a4d and
            filesize < 1000KB and
            all of ($name_*)
        )
        or
        // ... or branch B: the characteristic export set, with no size bound.
        (
            pe.exports("__dec") and
            pe.exports("_check") and
            pe.exports("_dec") and
            pe.exports("start") and
            pe.exports("test")
        )
}
rule WiltedTulip_Matryoshka_RAT
{
    meta:
        description = "Detects Matryoshka RAT used in Operation Wilted Tulip"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://www.clearskysec.com/tulip"
        date = "2017-07-23"
        hash1 = "6f208473df0d31987a4999eeea04d24b069fdb6a8245150aa91dfdc063cd64ab"
        hash2 = "6cc1f4ecd28b833c978c8e21a20a002459b4a6c21a4fbaad637111aa9d5b1a32"
        id = "e851e212-bb71-55c9-9bc1-0041bb04bef5"

    strings:
        // Path template with a drive-letter format specifier (wide string).
        $path_public = "%S:\\Users\\public" fullword wide
        // File name resembling a swap file of the ntuser.dat registry hive.
        $file_swp = "ntuser.dat.swp" fullword wide
        // "Job" strings from the RAT's internal task naming.
        $job_cfg = "Job Save / Load Config" fullword wide
        $job_keylog = "Job Save KeyLogger" fullword wide
        // MSVC RTTI-style type descriptor for the same job class.
        $rtti_cfg = ".?AVPSCL_CLASS_JOB_SAVE_CONFIG@@" fullword ascii
        // Domain string embedded in the sample (see reference for its role).
        $domain = "winupdate64.com" fullword ascii

    condition:
        // MZ header, bounded size, and any three of the six markers.
        uint16(0) == 0x5a4d
        and filesize < 1000KB
        and 3 of ($*)
}
rule APT_Dropper_Win64_MATRYOSHKA_1
{
    meta:
        date = "2020-12-02"
        modified = "2020-12-02"
        description = "matryoshka_dropper.rs"
        md5 = "edcd58ba5b1b87705e95089002312281"
        reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
        author = "FireEye"
        id = "1406aafd-6217-51ef-b3af-107ee88f9c99"

    strings:
        // x64 opcode sequences from the dropper; displacements and
        // immediates are wildcarded ([n] / [n-m] jumps, ??) so the pattern
        // tolerates relinking. Both must be present.
        $code_a = { 8D 8D [4] E8 [4] 49 89 D0 C6 [2-6] 01 C6 [2-6] 01 [0-8] C7 44 24 ?? 0E 00 00 00 4C 8D 0D [4] 48 8D 8D [4] 48 89 C2 E8 [4] C6 [2-6] 01 C6 [2-6] 01 48 89 E9 48 8D 95 [4] E8 [4] 83 [2] 01 0F 8? [4] 48 01 F3 48 29 F7 48 [2] 08 48 89 85 [4] C6 [2-6] 01 C6 [2-6] 01 C6 [2-6] 01 48 8D 8D [4] 48 89 DA 49 89 F8 E8 }
        $code_b = { 0F 29 45 ?? 48 C7 45 ?? 00 00 00 00 0F 29 45 ?? 0F 29 45 ?? 0F 29 45 ?? 0F 29 45 ?? 0F 29 45 ?? 0F 29 45 ?? 48 C7 45 ?? 00 00 00 00 C7 45 ?? 68 00 00 00 48 8B [2] 48 8D [2] 48 89 [3] 48 89 [3] 0F 11 44 24 ?? C7 44 24 ?? 08 00 00 0C C7 44 24 ?? 00 00 00 00 31 ?? 48 89 ?? 31 ?? 45 31 ?? 45 31 ?? E8 [4] 83 F8 01 }

    condition:
        // "MZ" DOS magic
        uint16(0) == 0x5A4D
        // "PE\0\0" signature at e_lfanew
        and uint32(uint32(0x3C)) == 0x00004550
        // optional-header magic 0x020B => PE32+ (64-bit image)
        and uint16(uint32(0x3C) + 0x18) == 0x020B
        and all of ($code_*)
}
rule APT_Dropper_Win_MATRYOSHKA_1
{
    meta:
        date = "2020-12-02"
        modified = "2020-12-02"
        description = "matryoshka_dropper.rs"
        md5 = "edcd58ba5b1b87705e95089002312281"
        reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
        author = "FireEye"
        id = "7fd305c7-0b1b-5d91-b968-7f1fb0a8ae47"

    strings:
        // Literal strings from the dropper binary. The surrounding \x00
        // bytes are part of the pattern and presumably serve to anchor the
        // match so that partial-string hits elsewhere do not fire.
        $str_name = "\x00matryoshka.exe\x00"
        $str_write = "\x00Unable to write data\x00"
        $str_spawn = "\x00Error while spawning process. NTStatus: \x0a\x00"
        $str_exec = "\x00.execmdstart/Cfailed to execute process\x00"

    condition:
        // MZ magic and PE signature; no bitness check here, unlike the
        // Win64 variant of this rule.
        uint16(0) == 0x5A4D
        and uint32(uint32(0x3C)) == 0x00004550
        and all of ($str_*)
}
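rule APT_Loader_Win_MATRYOSHKA_1
{
    meta:
        date = "2020-12-02"
        modified = "2020-12-02"
        description = "matryoshka_process_hollow.rs"
        md5 = "44887551a47ae272d7873a354d24042d"
        reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
        author = "FireEye"
        id = "c07fb67e-ded5-593d-b5dc-d0e2c3b5a352"

    strings:
        // Imported API names. The upstream rule listed "WriteProcessMemory"
        // twice ($s2 and $s4); under `all of them` the duplicate was
        // redundant, so it is folded into a single string here.
        $api_query = "ZwQueryInformationProcess" fullword
        $api_write = "WriteProcessMemory" fullword
        $api_create = "CreateProcessW" fullword
        // Error/log strings from the loader; the leading \x00 is part of
        // the pattern and anchors the match.
        $err_sig = "\x00Invalid NT Signature!\x00"
        $err_section = "\x00Error while creating and mapping section. NTStatus: "
        $err_procinfo = "\x00Error no process information - NTSTATUS:"
        $err_erase = "\x00Error while erasing pe header. NTStatus: "

    condition:
        // MZ magic
        uint16(0) == 0x5A4D
        // "PE\0\0" signature at e_lfanew
        and uint32(uint32(0x3C)) == 0x00004550
        // NOTE: 0x020B is the PE32+ optional-header magic, so despite the
        // `_Win_` (not `_Win64_`) name this rule only fires on 64-bit images.
        and uint16(uint32(0x3C) + 0x18) == 0x020B
        and all of them
}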
rule APT_Loader_Win64_MATRYOSHKA_1
{
    meta:
        date = "2020-12-02"
        modified = "2020-12-02"
        description = "matryoshka_process_hollow.rs"
        md5 = "44887551a47ae272d7873a354d24042d"
        reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
        author = "FireEye"
        id = "69919a80-8ed1-5b8c-911a-ceb75570f11f"

    strings:
        // x64 code fragments with wildcarded operands; all three must match.
        $code_alloc = { 48 8B 45 ?? 48 89 85 [0-64] C7 45 ?? 00 00 00 00 31 ?? E8 [4-64] BA 00 10 00 00 [0-32] 41 B8 04 00 00 00 E8 [4] 83 F8 01 [2-32] BA [4] E8 }
        // Contains the literal "MZ" compare (3D 4D 5A 00 00) and "PE\0\0"
        // (50 45 00 00); looks like the loader's own header validation of
        // the payload it is about to map - confirm against the sample.
        $code_hdrchk = { E8 [4] 83 F8 01 [2-64] 41 B9 00 10 00 00 [0-32] E8 [4] 83 F8 01 [2-32] 3D 4D 5A 00 00 [0-32] 48 63 ?? 3C [0-32] 50 45 00 00 [4-64] 0F B7 [2] 18 81 ?? 0B 01 00 00 [2-32] 81 ?? 0B 02 00 00 [2-32] 8B [2] 28 }
        // Writes the bytes 48 B8 .. FF E0 to the stack, which reads as a
        // "mov rax, imm64; jmp rax" trampoline being built - presumably the
        // hollowed process's entry redirect; verify against the sample.
        $code_stub = { 66 C7 45 ?? 48 B8 48 C7 45 ?? 00 00 00 00 66 C7 45 ?? FF E0 [0-64] 41 B9 40 00 00 00 [0-32] E8 [4] 83 F8 01 }

    condition:
        // MZ magic, PE signature, PE32+ optional-header magic (64-bit).
        (uint16(0) == 0x5A4D)
        and (uint32(uint32(0x3C)) == 0x00004550)
        and (uint16(uint32(0x3C) + 0x18) == 0x020B)
        and all of ($code_*)
}
rule APT_Builder_Win64_MATRYOSHKA_1
{
    meta:
        date = "2020-12-02"
        modified = "2020-12-02"
        description = "Detects builder matryoshka_pe_to_shellcode.rs"
        md5 = "8d949c34def898f0f32544e43117c057"
        reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
        author = "FireEye"
        id = "0afcf13e-5cd3-5c1c-897e-b6d0c283ab0f"

    strings:
        // Starts with the MZ magic (4D 5A) followed by a call (E8) and a
        // pop rbx / sub rbx sequence: looks like the builder's embedded
        // stub whose DOS header doubles as executable code - confirm
        // against the sample.
        $stub = { 4D 5A 45 52 [0-32] E8 [0-32] 00 00 00 00 [0-32] 5B 48 83 EB 09 53 48 81 [0-32] C3 [0-32] FF D3 [0-32] C3 }
        // Builder console output (leading \x00 anchors each string).
        $msg_stub_size = "\x00Stub Size: "
        $msg_exe_size = "\x00Executable Size: "
        $msg_write = "\x00[+] Writing out to file"

    condition:
        // MZ magic, PE signature, PE32+ optional-header magic (64-bit),
        // plus the stub and all three messages.
        uint16(0) == 0x5A4D
        and uint32(uint32(0x3C)) == 0x00004550
        and uint16(uint32(0x3C) + 0x18) == 0x020B
        and all of them
}
rule APT_Builder_PY_MATRYOSHKA_1
{
    meta:
        description = "Detects FireEye's Python MATRYOSHKA tool"
        date = "2020-12-02"
        modified = "2020-12-02"
        md5 = "25a97f6dba87ef9906a62c1a305ee1dd"
        reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
        author = "FireEye"
        id = "0135f3bb-28b3-5fc4-85a2-b12c46c8bc45"

    strings:
        // Source-code fragments of the Python build script.
        $py_pop = ".pop(0)])"
        $py_replace = "[1].replace('unsigned char buf[] = \"'"
        $py_hexlify = "binascii.hexlify(f.read()).decode("
        // Invokes the Rust toolchain to build the loader binary.
        $py_cargo = "os.system(\"cargo build {0} --bin {1}\".format("
        $py_rustc = "shutil.which('rustc')"
        $py_cargo_bin = "~/.cargo/bin"
        // '\\x'.join([<name>[<name>:<name> + 2] ... i.e. the idiom that
        // re-encodes a hex string as a \x-escaped byte literal.
        $py_join = /[\x22\x27]\\\\x[\x22\x27]\.join\(\[\w{1,64}\[\w{1,64}:\w{1,64}[\x09\x20]{0,32}\+[\x09\x20]{0,32}2\]/

    condition:
        // NOTE(review): no magic or filesize gate, so every scanned file is
        // run through the regex above; acceptable for a source file hunt,
        // but worth knowing when this is deployed at scale.
        all of ($py_*)
}
rule APT_Loader_Win64_MATRYOSHKA_2
{
    meta:
        date = "2020-12-02"
        modified = "2020-12-02"
        description = "matryoshka.rs"
        md5 = "7f8102b789303b7861a03290c79feba0"
        reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
        author = "FireEye"
        id = "25f916bc-6ee1-5175-903c-4266b0a086e1"

    strings:
        // x64 code fragments with wildcarded registers/operands.
        $code_a = { 4D [2] 00 49 [2] 08 B? 02 00 00 00 31 ?? E8 [4] 48 89 ?? 48 89 ?? 4C 89 ?? 49 89 ?? E8 [4] 4C 89 ?? 48 89 ?? E8 [4] 83 [2] 01 0F 84 [4] 48 89 ?? 48 8B [2] 48 8B [2] 48 89 [5] 48 89 [5] 48 89 [5] 41 B? [4] 4C 89 ?? 31 ?? E8 [4] C7 45 [5] 48 89 ?? 4C 89 ?? E8 [4] 85 C0 }
        $code_b = { 4C [2] 0F 83 [4] 41 0F [3] 01 41 32 [2] 00 48 8B [5] 48 3B [5] 75 ?? 41 B? 01 00 00 00 4C 89 ?? E8 [4] E9 }
        // Import names used to enumerate running processes.
        $imp_snapshot = "CreateToolhelp32Snapshot" fullword
        $imp_next = "Process32Next" fullword

    condition:
        // MZ magic, PE signature, PE32+ optional-header magic (64-bit),
        // and every string above.
        uint16(0) == 0x5A4D
        and uint32(uint32(0x3C)) == 0x00004550
        and uint16(uint32(0x3C) + 0x18) == 0x020B
        and all of them
}