
YARA rules for RawDisk

YARA rules whose family, name, or description matches this tool or its tooling. Use them for binary-pattern hunts across file collections and memory dumps.

PUA_VULN_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_4744
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elrawdsk.sys
Author: Florian Roth · License: see source repository
rule PUA_VULN_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_4744 {
	/*
	 * Identifies the EldoS RawDisk kernel driver (elrawdsk.sys) purely from the
	 * string table of its VS_VERSIONINFO resource. Each hex string below is a
	 * VersionInfo key (FileDescription, CompanyName, ...) followed by a 1-8 byte
	 * jump and the expected value.
	 *
	 * Byte layout note: the patterns are UTF-16LE text shifted by one byte --
	 * "00 46 00 69 ..." is the null high byte of the preceding 16-bit unit,
	 * then "F\0i\0..." with the final null dropped. They therefore still match
	 * the normal little-endian resource encoding.
	 *
	 * The rule only reads version strings; it does not import the "pe" module
	 * and performs no Authenticode/signature check, so it identifies the stock
	 * build of the driver rather than its authenticity. Low score (40): the
	 * driver is a commercial product and its presence alone is not malicious.
	 */
	meta:
		description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elrawdsk.sys"
		author = "Florian Roth"
		reference = "https://github.com/magicsword-io/LOLDrivers"
		hash = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6"
		hash = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a"
		date = "2024-08-07"
		score = 40
		id = "13de286c-92f2-5677-86ee-99c70a338c8e"
	strings:
		// FileDescription = "RawDisk Driver. Allows write access to files and raw disk sectors for user mode applications in Windows 2000 and later."
		$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200610077004400690073006b0020004400720069007600650072002e00200041006c006c006f00770073002000770072006900740065002000610063006300650073007300200074006f002000660069006c0065007300200061006e006400200072006100770020006400690073006b00200073006500630074006f0072007300200066006f0072002000750073006500720020006d006f006400650020006100700070006c00690063006100740069006f006e007300200069006e002000570069006e0064006f007700730020003200300030003000200061006e00640020006c0061007400650072002e } /* FileDescription RawDiskDriverAllowswriteaccesstofilesandrawdisksectorsforusermodeapplicationsinWindowsandlater */
		// CompanyName = "EldoS Corporation"
		$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c0064006f005300200043006f00720070006f0072006100740069006f006e } /* CompanyName EldoSCorporation */
		// FileVersion = "2, 1, 27, 106" (decoded from the hex; the generator left this comment blank)
		$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200031002c002000320037002c0020003100300036 } /* FileVersion  */
		// ProductVersion = "2, 1, 27, 0"
		$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200031002c002000320037002c00200030 } /* ProductVersion  */
		// InternalName = "elrawdsk.sys"
		$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0065006c00720061007700640073006b002e007300790073 } /* InternalName elrawdsksys */
		// ProductName = "RawDisk"
		$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200610077004400690073006b } /* ProductName RawDisk */
		// OriginalFilename = "elrawdsk.sys"
		$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0065006c00720061007700640073006b002e007300790073 } /* OriginalFilename elrawdsksys */
		// LegalCopyright = "Copyright (C) 2007-2011, EldoS Corporation " (trailing space is part of the value)
		$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300037002d0032003000310031002c00200045006c0064006f005300200043006f00720070006f0072006100740069006f006e0020 } /* LegalCopyright CopyrightCEldoSCorporation */
	condition:
		// 0x5a4d = "MZ" DOS header magic; small-file bound; every one of the eight
		// VersionInfo strings must be present (a single edited field defeats the match).
		uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
MAL_ME_RawDisk_Agent_Jan20_1
Detects suspicious malware using ElRawDisk
Author: Florian Roth (Nextron Systems) · License: see source repository
rule MAL_ME_RawDisk_Agent_Jan20_1 {
   /*
    * Wiper component ("agent") from the DUSTMAN incident that drives the
    * ElRawDisk driver. Strings are tiered: $x* are high-confidence artefacts
    * (PDB path, embedded message), $s* are supporting strings, $op* are
    * code byte sequences from the referenced sample (hash1).
    */
   meta:
      description = "Detects suspicious malware using ElRawDisk"
      author = "Florian Roth (Nextron Systems)"
      reference = "Saudi National Cybersecurity Authority - Destructive Attack DUSTMAN"
      date = "2020-01-02"
      modified = "2022-12-21"
      hash1 = "44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2"
      id = "0efaae51-1407-5039-9e5a-9c2f13d6a971"
   strings:
      // Debug symbol path left in the build: \drv\agent.plain.pdb
      $x1 = "\\drv\\agent.plain.pdb" ascii
      // Embedded message string; fullword so partial substrings do not count
      $x2 = " ************** Down With Saudi Kingdom, Down With Bin Salman ************** " fullword ascii

      // RTTI type descriptor for a class named ERDError (MSVC decorated name)
      $s1 = ".?AVERDError@@" fullword ascii
      // Opaque 70-character hex constant stored as a wide string; its role is
      // not visible in the rule -- presumably a key/licence-style constant, verify
      $s2 = "b4b615c28ccd059cf8ed1abf1c71fe03c0354522990af63adf3c911e2287a4b906d47d" fullword wide
      // \\?\ElRawDisk -- Win32 device path of the ElRawDisk driver (wide)
      $s3 = "\\\\?\\ElRawDisk" fullword wide
      // \??\c: -- NT object-manager path prefix for the C: volume (not fullword)
      $s4 = "\\??\\c:" wide

      // Instruction byte sequences from the sample (REX.W "48" prefixes suggest x64 code)
      $op1 = { e9 3d ff ff ff 33 c0 48 89 05 0d ff 00 00 48 8b }
      $op2 = { 0f b6 0c 01 88 48 34 48 8b 8d a8 }
   condition:
      // "MZ" magic and size bound, then either a single high-confidence $x
      // string or any 4 of all 8 strings ("them" spans $x, $s and $op).
      uint16(0) == 0x5a4d and filesize <= 2000KB and ( 1 of ($x*) or 4 of them )
}
MAL_ME_RawDisk_Agent_Jan20_2
Detects suspicious malware using ElRawDisk
Author: Florian Roth (Nextron Systems) · License: see source repository
rule MAL_ME_RawDisk_Agent_Jan20_2 {
   /*
    * Second DUSTMAN rule, same sample hash as MAL_ME_RawDisk_Agent_Jan20_1 but
    * built on a different string set (Dustman.pdb, launcher command line,
    * driver file name). Tiering as before: $x* high confidence, $s*/$sc*
    * supporting, $op* code bytes.
    */
   meta:
      description = "Detects suspicious malware using ElRawDisk"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/jfslowik/status/1212501454549741568?s=09"
      date = "2020-01-02"
      modified = "2022-12-21"
      hash1 = "44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2"
      id = "9817fb22-7bed-5869-aa92-66c458b81c7f"
   strings:
      // Debug symbol path: \Release\Dustman.pdb
      $x1 = "\\Release\\Dustman.pdb" ascii
      // Command-line fragment; together with $s1 it looks like a cmd.exe /c
      // launch of agent.exe -- the actual invocation is not visible here
      $x2 = "/c agent.exe A" fullword ascii

      $s1 = "C:\\windows\\system32\\cmd.exe" fullword ascii
      $s2 = "The Magic Word!" fullword ascii
      // VirtualBox registry key (wide); how the sample uses it is not shown by the rule
      $s3 = "Software\\Oracle\\VirtualBox" fullword wide
      // Driver file name suffix (not fullword, so any directory prefix matches)
      $s4 = "\\assistant.sys" wide
      $s5 = "Down With Bin Salman" fullword wide

      // UTF-16LE "\\.\%s" shifted by one byte (leading null of the previous
      // unit, trailing null dropped): a device-path format string
      $sc1 = { 00 5C 00 5C 00 2E 00 5C 00 25 00 73 }

      // Instruction byte sequence from the sample (REX prefixes suggest x64 code)
      $op1 = { 49 81 c6 ff ff ff 7f 4c 89 b4 24 98 }
   condition:
      // "MZ" magic and size bound, then one high-confidence $x string or any
      // 3 of all 10 strings ("them" spans $x, $s, $sc and $op).
      uint16(0) == 0x5a4d and filesize <= 3000KB and ( 1 of ($x*) or 3 of them )
}
EldoS_RawDisk
EldoS Rawdisk Device Driver (Commercial raw disk access driver - used in Operation Shamoon 2.0)
Author: Florian Roth (Nextron Systems), with Binar.ly · License: see source repository
rule EldoS_RawDisk {
   /*
    * Matches the EldoS RawDisk driver build observed in Operation Shamoon 2.0
    * (hash1/hash2). Unlike the PUA_VULN_* rules on this page it does not use
    * VersionInfo; it relies on short string tokens and three code byte
    * sequences taken from the samples. Score 50: the driver is a commercial
    * product, so a match marks the abused build rather than proving misuse.
    */
   meta:
      description = "EldoS Rawdisk Device Driver (Commercial raw disk access driver - used in Operation Shamoon 2.0)"
      author = "Florian Roth (Nextron Systems) (with Binar.ly)"
      reference = "https://goo.gl/jKIfGB"
      date = "2016-12-01"
      modified = "2023-01-27"
      score = 50
      hash1 = "47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34"
      hash2 = "394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b"
      id = "8a43f425-86b7-5a05-b7c3-13c78aa905f8"
   strings:
      // Fragment "g\system32\" of a wide path string (not fullword: a tail of a longer path)
      $s1 = "g\\system32\\" wide
      // Six-letter tokens present in the samples; their meaning is not documented
      // in the rule (they read like generated/opaque names, not dictionary words)
      $s2 = "ztvttw" fullword wide
      $s3 = "lwizvm" fullword ascii
      $s4 = "FEJIKC" fullword ascii
      $s5 = "INZQND" fullword ascii
      $s6 = "IUTLOM" fullword wide
      $s7 = "DKFKCK" fullword ascii

      // Byte sequences from the referenced samples; $op2 and $op3 overlap on "74 0a 3d"
      $op1 = { 94 35 77 73 03 40 eb e9 }
      $op2 = { 80 7c 41 01 00 74 0a 3d }
      $op3 = { 74 0a 3d 00 94 35 77 }
   condition:
      // "MZ" magic, size bound, and any 4 of the 10 strings above.
      ( uint16(0) == 0x5a4d and filesize < 2000KB and 4 of them )
}
PUA_VULN_Renamed_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_4744
Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elrawdsk.sys
Author: Florian Roth · License: see source repository
rule PUA_VULN_Renamed_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_4744 {
	/*
	 * Same VersionInfo string set as PUA_VULN_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_4744,
	 * but fires only when the file on disk is NOT named elrawdsk.sys. A
	 * RawDisk driver whose internal name still says elrawdsk.sys but whose
	 * file name does not is more suspicious (BYOVD-style staging), hence the
	 * higher score (70 vs 40).
	 *
	 * Deployment note: "filename" in the condition is not a YARA builtin; it is
	 * an external variable that the scanner must supply (e.g. yara CLI
	 * "-d filename=<name>", or a scanner such as THOR/Loki that defines it).
	 * Without it, compilation fails on an undefined identifier. Only the base
	 * file name is compared, case-insensitively (regex flag /i).
	 *
	 * Byte layout of the hex strings: UTF-16LE text shifted by one byte (the
	 * leading "00" is the high byte of the preceding unit, the final null is
	 * dropped); see the non-renamed rule for the decoded values.
	 */
	meta:
		description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elrawdsk.sys"
		author = "Florian Roth"
		reference = "https://github.com/magicsword-io/LOLDrivers"
		hash = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6"
		hash = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a"
		date = "2024-08-07"
		score = 70
		id = "299e1312-e4ff-5152-a046-b020c825df5a"
	strings:
		// FileDescription = "RawDisk Driver. Allows write access to files and raw disk sectors for user mode applications in Windows 2000 and later."
		$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200610077004400690073006b0020004400720069007600650072002e00200041006c006c006f00770073002000770072006900740065002000610063006300650073007300200074006f002000660069006c0065007300200061006e006400200072006100770020006400690073006b00200073006500630074006f0072007300200066006f0072002000750073006500720020006d006f006400650020006100700070006c00690063006100740069006f006e007300200069006e002000570069006e0064006f007700730020003200300030003000200061006e00640020006c0061007400650072002e } /* FileDescription RawDiskDriverAllowswriteaccesstofilesandrawdisksectorsforusermodeapplicationsinWindowsandlater */
		// CompanyName = "EldoS Corporation"
		$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c0064006f005300200043006f00720070006f0072006100740069006f006e } /* CompanyName EldoSCorporation */
		// FileVersion = "2, 1, 27, 106"
		$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200031002c002000320037002c0020003100300036 } /* FileVersion  */
		// ProductVersion = "2, 1, 27, 0"
		$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200031002c002000320037002c00200030 } /* ProductVersion  */
		// InternalName = "elrawdsk.sys"
		$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0065006c00720061007700640073006b002e007300790073 } /* InternalName elrawdsksys */
		// ProductName = "RawDisk"
		$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200610077004400690073006b } /* ProductName RawDisk */
		// OriginalFilename = "elrawdsk.sys"
		$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0065006c00720061007700640073006b002e007300790073 } /* OriginalFilename elrawdsksys */
		// LegalCopyright = "Copyright (C) 2007-2011, EldoS Corporation " (trailing space is part of the value)
		$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300037002d0032003000310031002c00200045006c0064006f005300200043006f00720070006f0072006100740069006f006e0020 } /* LegalCopyright CopyrightCEldoSCorporation */
	condition:
		// "MZ" magic, size bound, all eight VersionInfo strings, and a file name
		// that does not contain "elrawdsk" (external variable, see header comment).
		uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elrawdsk/i
}