YARA rules for BadPatch
2 rules · scoped to tool · back to BadPatch
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.
rule WinAgent_BadPatch_1 {
meta:
description = "Detects samples mentioned in BadPatch report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/RvDwwA"
date = "2017-10-20"
hash1 = "285998bce9692e46652529685775aa05e3a5cb93ee4e65d021d2231256e92813"
id = "732792ed-cb70-5b69-8457-f54177e4609e"
strings:
$x1 = "J:\\newPatch\\downloader\\" wide
$x2 = "L:\\rashed\\New code\\" wide
$x3 = ":\\newPatch\\last version\\" wide
$x4 = "\\Microsoft\\Microsoft\\Microsoft1.log" wide
$x5 = "\\Microsoft\\Microsoft\\Microsoft.log" wide
$x6 = "\\Microsoft\\newPP.exe" wide
$x7 = " (this is probably a proxy server error)." fullword wide
$x8 = " :Old - update patch and check anti-virus.. " fullword wide
$x9 = "PatchNotExit-- download now.. " fullword wide
$x10 = "PatchNotExit-- Check Version" fullword wide
$x11 = "PatchNotExit-- Version Patch" fullword wide
$s1 = "downloader " fullword wide
$s2 = "DelDownloadFile" fullword ascii
$s3 = "downloadFile" fullword ascii
$s4 = "downloadUpdate" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 600KB and ( 1 of ($x*) or 4 of them ) )
}
rule WinAgent_BadPatch_2 {
meta:
description = "Detects samples mentioned in BadPatch report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/RvDwwA"
date = "2017-10-20"
hash1 = "106deff16a93c4a4624fe96e3274e1432921c56d5a430834775e5b98861c00ea"
hash2 = "ece76fdf7e33d05a757ef5ed020140d9367c7319022a889923bbfacccb58f4d7"
hash3 = "cf53fc8c9ce4e5797cc5ac6f71d4cbc0f2b15f2ed43f38048a5273f40bc09876"
hash4 = "802a39b22dfacdc2325f8a839377c903b4a7957503106ce6f7aed67e824b82c2"
hash5 = "278dba3857367824fc2d693b7d96cef4f06cb7fdc52260b1c804b9c90d43646d"
hash6 = "2941f75da0574c21e4772f015ef38bb623dd4d0c81c263523d431b0114dd847e"
hash7 = "46f3afae22e83344e4311482a9987ed851b2de282e8127f64d5901ac945713c0"
hash8 = "27752bbb01abc6abf50e1da3a59fefcce59618016619d68690e71ad9d4a3c247"
hash9 = "050610cfb3d3100841685826273546c829335a5f4e2e4260461b88367ad9502c"
id = "648528f0-351c-527e-b516-2c8cae9fb4a3"
strings:
$s1 = "myAction=shell_result&serialNumber=" fullword wide
$s2 = "\\Appdata\\Local\\Google\\Chrome\\User Data\\Default\\Login Data.*" wide
$s3 = "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" wide
$s4 = "\\Appdata\\Local\\Google\\Chrome\\User Data\\Default\\Cookies.*" wide
$s5 = "newSHELL[" fullword wide
$s6 = "\\file1.txt" wide
$s7 = "myAction=newGIF&serialNumber=" fullword wide
$s8 = "\\Storege1" wide
$s9 = "\\Microsoft\\mac.txt" wide
$s10 = "spytube____:" fullword ascii
$s11 = "0D0700045F5C5B0312045A04041F40014B1D11004A1F19074A141100011200154B031C04" fullword wide
$s12 = "16161A1000012B162503151851065A1A0007" fullword wide
$s13 = "-- SysFile...." fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 700KB and 3 of them )
}