YARA

YARA rules for ROKRAT

5 rules · scoped to tool · back to ROKRAT
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.

YARA rules

direct ROKRAT
ROKRAT_Malware
Detects ROKRAT Malware
author Florian Roth (Nextron Systems) license see source repo
// Flags ROKRAT PE samples by embedded artifact strings: one high-confidence
// ($x*) hit is sufficient on its own; otherwise any five of the ten declared
// strings must co-occur in the same file.
rule ROKRAT_Malware {
   meta:
      description = "Detects ROKRAT Malware"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://blog.talosintelligence.com/2017/04/introducing-rokrat.html"
      date = "2017-04-03"
      modified = "2021-09-14"
      hash1 = "051463a14767c6477b6dacd639f30a8a5b9e126ff31532b58fc29c8364604d00"
      hash2 = "cd166565ce09ef410c5bba40bad0b49441af6cfb48772e7e4a9de3d646b4851c"
      id = "52e7e144-b704-5254-9a0f-928fbc96f877"
   strings:
      // High-confidence artifacts: hard-coded staging/drop paths and a marker string.
      // `fullword` requires the match to be delimited by non-alphanumeric bytes.
      $x1 = "c:\\users\\appdata\\local\\svchost.exe" fullword ascii
      $x2 = "c:\\temp\\episode3.mp4" fullword ascii
      $x3 = "MAC-SIL-TED-FOO-YIM-LAN-WAN-SEC-BIL-TAB" ascii
      $x4 = "c:\\temp\\%d.tmp" ascii fullword

      // Supporting artifacts: a timestamp-formatted .jar filename template and a
      // %c-templated executable name under an "Aboard" directory.
      $s1 = "%s%s%04d%02d%02d%02d%02d%02d.jar" fullword ascii
      $s2 = "\\Aboard\\Acm%c%c%c.exe" ascii

      // Fragments of analysis-tool names (presumably Python, Fiddler, Regmon,
      // Wireshark with characters stripped). Because of `fullword`, the complete
      // tool names do NOT match these; the sample is assumed to store the
      // fragments this way — TODO confirm against a sample.
      // Identifiers skip $a4/$a5 upstream; `them` counts only declared strings.
      $a1 = "ython" ascii fullword
      $a2 = "iddler" ascii fullword
      $a3 = "egmon" ascii fullword
      $a6 = "iresha" ascii fullword
   condition:
      // MZ header and size cap, then either a single $x* string or any five of
      // all ten declared strings (the $a* fragments alone are not enough: 4 < 5).
      uint16(0) == 0x5a4d and filesize < 25000KB and ( 1 of ($x*) or ( 5 of them ) )
}
direct ROKRAT
ROKRAT_Dropper_Nov17
Detects dropper for ROKRAT malware
author Florian Roth (Nextron Systems) license see source repo
// Import-hash-only rule: matches any PE under 2500KB whose import table hashes
// to the listed value. It declares no strings, so there is no content check
// beyond the MZ header and the imphash.
// NOTE(review): `pe.imphash()` needs `import "pe"` at the top of the file
// (omitted in this listing) and a YARA build with hash support; without the
// import the rule fails to compile.
rule ROKRAT_Dropper_Nov17 {
   meta:
      description = "Detects dropper for ROKRAT malware"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html"
      date = "2017-11-28"
      hash1 = "eb6d25e08b2b32a736b57f8df22db6d03dc82f16da554f4e8bb67120eacb1d14"
      hash2 = "a29b07a6fe5d7ce3147dd7ef1d7d18df16e347f37282c43139d53cce25ae7037"
      id = "4f3156a2-6b1b-5c65-b8fa-84c0b739d703"
   condition:
      // MZ header, size cap, exact import-hash match.
      uint16(0) == 0x5a4d and filesize < 2500KB and
      pe.imphash() == "c6187b1b5f4433318748457719dd6f39"
}
direct ROKRAT
ROKRAT_Nov17_1
Detects ROKRAT malware
author Florian Roth (Nextron Systems) license see source repo
// Flags ROKRAT PE samples by leftover build paths and staging artifacts. A
// single matching string is enough (`1 of them`), so each string is treated
// as a standalone indicator.
rule ROKRAT_Nov17_1 {
   meta:
      description = "Detects ROKRAT malware"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research"
      date = "2017-11-28"
      id = "6bf3653b-1f96-5060-b6fd-82ccc83fad77"
   strings:
      // Developer-environment artifacts: a PDB path and two source/build directories.
      $s1 = "\\T+M\\Result\\DocPrint.pdb" ascii
      $s2 = "d:\\HighSchool\\version 13\\2ndBD" ascii
      $s3 = "e:\\Happy\\Work\\Source\\version" ascii

      // Runtime artifacts: drop path fragment and a temp-file name.
      // $x1 is not `fullword`, so it also matches longer paths containing it.
      $x1 = "\\appdata\\local\\svchost.exe" ascii
      $x2 = "c:\\temp\\esoftscrap.jpg" fullword ascii
   condition:
      // MZ header, size cap, any one of the five strings.
      ( uint16(0) == 0x5a4d and filesize < 15000KB and 1 of them )
}
direct RUBY
APT_RUBY_RokRat_Loader
Ruby loader seen loading the ROKRAT malware family.
author threatintel@volexity.com license see source repo
// Flags the Ruby loader script used to stage ROKRAT. Any single string from
// either group is enough to match, so each is treated as a standalone indicator.
rule APT_RUBY_RokRat_Loader : InkySquid
{
    meta:
        author = "threatintel@volexity.com"
        description = "Ruby loader seen loading the ROKRAT malware family."
        date = "2021-06-22"
        hash1 = "5bc52f6c1c0d0131cee30b4f192ce738ad70bcb56e84180f464a5125d1a784b2"
        license = "See license at https://github.com/volexity/threat-intel/LICENSE.txt"
        reference = "https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/"
        id = "69d09560-a769-55d3-a442-e37f10453cde"
    strings:
        // Script-level artifacts, matched in both ASCII and UTF-16: a quoted
        // update-URL prefix, a literal fragment ending a string assignment, a
        // range expression, and (regex, ASCII only) what appears to be a Ruby
        // `alias` that renames `eval` — TODO confirm against the sample.
        $magic1 = "'https://update.microsoft.com/driverupdate?id=" ascii wide
        $magic2 = "sVHZv1mCNYDO0AzI';" ascii wide
        $magic3 = "firoffset..scupd.size" ascii wide
        $magic4 = /alias UrlFilter[0-9]{2,5} eval;"/
        
        // Original: 'Fiddle::Pointer' (Reversed)
        // $s2 is plain base64 of "Fiddle::Pointer"; $s1/$s3/$s4 look like the
        // same text base64-encoded at other alignments and/or reversed — TODO
        // confirm. No modifiers are given, so these match ASCII only.
        $s1 = "clRnbp9GU6oTZsRGZpZ"
        $s2 = "RmlkZGxlOjpQb2ludGVy"
        $s3 = "yVGdul2bQpjOlxGZklmR"
        $s4 = "XZ05WavBlO6UGbkRWaG"

    condition:
        // Equivalent to `any of them`: one hit from either group suffices.
        any of ($magic*) or
        any of ($s*)
}

// Flags the Python loader that executes BLUELIGHT. All five strings are
// required (`all of them`), which keeps generic ctypes-using scripts from
// matching on one or two of them alone.
rule APT_PY_BlueLight_Loader : InkySquid
{
    meta:
        author = "threatintel@volexity.com"
        description = "Python Loader used to execute the BLUELIGHT malware family."
        date = "2021-06-22"
        hash1 = "80269413be6ad51b8b19631b2f5559c9572842e789bbce031babe6e879d2e120"
        license = "See license at https://github.com/volexity/threat-intel/LICENSE.txt"
        reference = "https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/"
        id = "f8da3e40-c3b0-5b7f-8ece-81874993d8cd"
    strings:
        // Byte-wise decode idiom (`"".join(chr(ord(`) — the literal contains
        // escaped double quotes.
        $s1 = "\"\".join(chr(ord(" ascii
        // Trailing space after `ctypes` is part of the string; keep it when editing.
        $s2 = "import ctypes " ascii
        // In-memory execution via a ctypes function pointer and memmove.
        $s3 = "ctypes.CFUNCTYPE(ctypes.c_int)" ascii
        $s4 = "ctypes.memmove" ascii
        // Status message emitted by the loader.
        $s5 = "python ended" ascii

    condition:
        // No header or size check: scripts have no magic, so all five strings
        // must be present.
        all of them
}
direct
APT_NK_Scarcruft_evolved_ROKRAT
Detects RokRAT malware used by ScarCruft APT group
author S2WLAB_TALON_JACK2 license see source repo
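// Flags the "evolved" ROKRAT variant by two code patterns: the instruction
// sequence that materialises its AES IV/key on the stack, and the per-byte
// URL-decoding arithmetic. Either pattern alone triggers the rule.
rule APT_NK_Scarcruft_evolved_ROKRAT {
    meta:
        author        = "S2WLAB_TALON_JACK2"
        description   = "Detects RokRAT malware used by ScarCruft APT group"
        type          = "APT"
        version       = "0.1"
        date          = "2021-07-09"
        reference = "https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48"
        id = "53cabf41-0154-5372-b667-60d8a7cb9806"
    strings:
/*
0x140130f25 C744242032311223              mov dword ptr [rsp + 0x20], 0x23123132
0x140130f2d C744242434455667              mov dword ptr [rsp + 0x24], 0x67564534
0x140130f35 C744242878899AAB              mov dword ptr [rsp + 0x28], 0xab9a8978
0x140130f3d C744242C0CBDCEDF              mov dword ptr [rsp + 0x2c], 0xdfcebd0c
0x140130f45 C745F02B7EA516                mov dword ptr [rbp - 0x10], 0x16a57e2b
0x140130f4c C745F428AED2A6                mov dword ptr [rbp - 0xc], 0xa6d2ae28
0x140130f53 C745F8ABF71588                mov dword ptr [rbp - 8], 0x8815f7ab
0x140130f5a C745FC09CF4F3C                mov dword ptr [rbp - 4], 0x3c4fcf09
*/
        // Eight immediate-store instructions writing two 16-byte constants to
        // the stack; the displacement bytes are wildcarded so a different stack
        // layout still matches. The second group (2B 7E 15 16 28 AE D2 A6 AB F7
        // 15 88 09 CF 4F 3C) is the AES-128 example key from FIPS-197 Appendix A,
        // which suggests the first group is the IV — TODO confirm. Any binary
        // embedding that public test key via the same instruction form would
        // also hit this pattern, so triage $AES_IV_KEY-only matches.
        $AES_IV_KEY = {
        C7 44 24 ?? 32 31 12 23
        C7 44 24 ?? 34 45 56 67
        C7 44 24 ?? 78 89 9A AB
        C7 44 24 ?? 0C BD CE DF
        C7 45 ?? 2B 7E A5 16
        C7 45 ?? 28 AE D2 A6
        C7 45 ?? AB F7 15 88
        C7 45 ?? 09 CF 4F 3C
        }
/*
0x14012b637 80E90F                        sub cl, 0xf
0x14012b63a 80F1C8                        xor cl, 0xc8
0x14012b63d 8848FF                        mov byte ptr [rax - 1], cl
0x14012b640 4883EA01                      sub rdx, 1
*/
        // Per-byte decode loop body: subtract 0xf, xor 0xc8, store the byte
        // (displacement wildcarded), decrement the counter.
        // Renamed from upstream `$url_deocde` (typo); the condition uses
        // `any of them`, so no reference needed changing.
        $url_decode = {
                80 E9 0F
                80 F1 C8
                88 48 ??
                48 83 EA 01  }
    condition:
        // MZ header plus either hex pattern. There is no filesize cap, so large
        // PE files are scanned in full.
        uint16(0) == 0x5A4D and
        any of them
}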