YARA rules for Dtrack
YARA rules whose family, name, or description matches this tool or its tooling. Use them for binary-pattern hunts over files and memory dumps. Note that the rules below differ in author, date, score and construction — two are string-based rules for the 2024 Andariel variant, one is a machine-generated opcode-sequence rule, and one is a 2019 string rule with a data-block pattern — so their false-positive profiles differ; validate each against a clean corpus before using it for anything beyond hunting.
rule MAL_APT_NK_Andariel_NoPineapple_Dtrack_Unpacked {
    meta:
        author = "CISA.gov"
        description = "Detects the Dtrack variant used by Andariel"
        reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
        date = "2024-07-25"
        score = 80
        id = "6ccaf24b-c110-5788-a792-fa7f39fb18f7"
    strings:
        // Marker string that gives this variant its name.
        $banner = "< No Pineapple! >"
        // Qt runtime version string. Present in any binary built against
        // Qt 5.12.10, so it only adds confidence together with the other two.
        $qt_ver = "Qt 5.12.10"
        // mov edx,[eax] / xor esi,imm8 / cmp edx,1 / ja rel8 — a short fragment
        // of an XOR routine (named $str_xor in the CISA original); the XOR
        // immediate is wildcarded so key changes do not break the match.
        $xor_frag = { 8B 10 83 F6 ?? 83 FA 01 77 }
    condition:
        // PE header plus every string. "Unpacked" in the rule name signals that
        // the strings are expected in the clear (unpacked sample or memory dump).
        uint16(0) == 0x5A4D
        and $banner and $qt_ver and $xor_frag
}
rule MAL_APT_NK_Andariel_DTrack_Unpacked {
    meta:
        author = "CISA.gov (modified by Florian Roth, Nextron Systems)"
        description = "Detects DTrack variant used by Andariel"
        reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
        date = "2024-07-25"
        modified = "2024-07-26"
        score = 75
        id = "0c161275-2b2e-51a4-9e08-c118fb4c8671"
    strings:
        // Two highly specific command lines; either one is sufficient on its own
        // (they carry the $x prefix that the condition selects on).
        $x_str_cmd_4 = "/c systeminfo > \"%s\" & tasklist > \"%s\" & netstat -naop tcp > \"%s\"" wide
        // NOTE(review): "127.0.01" and "% echo" read like typos for "127.0.0.1"
        // and "& echo" (compare the ping/echo line in the 2019 DTrack rule below),
        // but a pattern must match the bytes in the sample, not valid cmd syntax.
        // Verify against the sample before "correcting" it; if the sample really
        // contains this spelling, it is what makes the string unique.
        $x_str_cmd_2 = "/c ping -n 3 127.0.01 > NUL % echo EEE > \"%s\"" wide
        // Weaker supporting strings: a short mutex name and two generic
        // "/c net use" / "/c move /y" fragments. They only count towards the
        // three-of-anything clause.
        $mutex = "MTX_Global"
        $cmd_net_use = "/c net use \\\\" wide
        $cmd_move = "/c move /y %s \\\\" wide
    condition:
        // Condition changed from the CISA version because two of the strings
        // are highly specific and unique (F.R.): PE header, then either one of
        // the $x strings alone, or any three of the five.
        uint16(0) == 0x5A4D
        and ( any of ($x*) or 3 of them )
}
rule MAL_APT_NK_WIN_DTrack_Auto {
meta:
author = "CISA.gov"
description = "Detects DTrack variant used by Andariel"
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 75
id = "1b40c685-beba-50fa-b484-c1526577cb23"
strings:
// Opcode-sequence rule ("Auto" in the name). The per-sequence "n = …, score = …"
// lines and the disassembly listings look like generator output rather than
// hand-written: "n" equals the number of disassembled instructions listed under
// each sequence, while "score" is the generator's own ranking (400/300/200), not a
// YARA construct, and its scale is not documented here. Wildcards (??) sit on
// call/jump targets and absolute addresses, so the patterns survive relinking.
// All listings are 32-bit x86 (ebp-relative frames, 4-byte pushes).
$sequence_0 = { 52 8b 45 08 50 e8 ?? ?? ?? ?? 83 c4 14 8b 4d 10 51 }
// n = 7, score = 400
// 52 | push edx
// 8b4508 | mov eax, dword ptr [ebp + 8]
// 50 | push eax
// e8???????? |
// 83c414 | add esp, 0x14
// 8b4d10 | mov ecx, dword ptr [ebp + 0x10]
// 51 | push ecx
$sequence_1 = { 3a 41 01 75 23 83 85 4c f6 ff ff 02 83 85 50 f6 ff ff 02 80 bd 4a f6 ff ff 00 75 ae c7 85 44 f6 ff ff 00 00 00 00 }
// n = 7, score = 300
// 3a4101 | cmp al, byte ptr [ecx + 1]
// 7523 | jne 0x25
// 83854cf6ffff02 | add dword ptr [ebp - 0x9b4], 2
// 838550f6ffff02 | add dword ptr [ebp - 0x9b0], 2
// 80bd4af6ffff00 | cmp byte ptr [ebp - 0x9b6], 0
// 75ae | jne 0xffffffb0
// c78544f6ffff00000000 | mov dword ptr [ebp - 0x9bc], 0
$sequence_2 = { 50 ff 15 ?? ?? ?? ?? a3 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 04 50 }
// n = 7, score = 300
// 50 | push eax
// ff15???????? |
// a3???????? |
// 68???????? |
// e8???????? |
// 83c404 | add esp, 4
// 50 | push eax
$sequence_3 = { 8d 8d d4 fa ff ff 51 e8 ?? ?? ?? ?? 83 c4 08 8b 15 ?? ?? ?? ?? }
// n = 5, score = 300
// 8d8dd4faffff | lea ecx, [ebp - 0x52c]
// 51 | push ecx
// e8???????? |
// 83c408 | add esp, 8
// 8b15???????? |
$sequence_4 = { 88 55 f5 6a 5c 8b 45 0c 50 e8 ?? ?? ?? ?? }
// n = 5, score = 300
// 8855f5 | mov byte ptr [ebp - 0xb], dl
// 6a5c | push 0x5c
// 8b450c | mov eax, dword ptr [ebp + 0xc]
// 50 | push eax
// e8???????? |
$sequence_5 = { 51 e8 ?? ?? ?? ?? 83 c4 10 8b 55 8c 52 }
// n = 5, score = 300
// 51 | push ecx
// e8???????? |
// 83c410 | add esp, 0x10
// 8b558c | mov edx, dword ptr [ebp - 0x74]
// 52 | push edx
$sequence_6 = { 8b 4d 0c 51 68 ?? ?? ?? ?? 8d 95 60 ea ff ff 52 e8 ?? ?? ?? ?? }
// n = 6, score = 300
// 8b4d0c | mov ecx, dword ptr [ebp + 0xc]
// 51 | push ecx
// 68???????? |
// 8d9560eaffff | lea edx, [ebp - 0x15a0]
// 52 | push edx
// e8???????? |
$sequence_7 = { 83 c0 01 89 45 f4 83 7d f4 20 7d 2c 8b 4d f8 }
// n = 5, score = 300
// 83c001 | add eax, 1
// 8945f4 | mov dword ptr [ebp - 0xc], eax
// 837df420 | cmp dword ptr [ebp - 0xc], 0x20
// 7d2c | jge 0x2e
// 8b4df8 | mov ecx, dword ptr [ebp - 8]
$sequence_8 = { 83 c0 01 89 85 6c f6 ff ff 8b 8d 70 f6 ff ff 8a 11 }
// n = 4, score = 300
// 83c001 | add eax, 1
// 89856cf6ffff | mov dword ptr [ebp - 0x994], eax
// 8b8d70f6ffff | mov ecx, dword ptr [ebp - 0x990]
// 8a11 | mov dl, byte ptr [ecx]
// Sequences 9-14 (score 200) carry no wildcards except the jmp in sequence_14.
// sequence_9/11 XOR a loaded byte with two stack-held key bytes and
// sequence_12/13 combine shl 0x18 / shr 8 / or — this looks like a byte-wise
// decoding loop, but that is an inference from the listing, not confirmed here.
$sequence_9 = { 03 55 f0 0f b6 02 0f b6 4d f7 33 c1 0f b6 55 fc 33 c2 }
// n = 6, score = 200
// 0355f0 | add edx, dword ptr [ebp - 0x10]
// 0fb602 | movzx eax, byte ptr [edx]
// 0fb64df7 | movzx ecx, byte ptr [ebp - 9]
// 33c1 | xor eax, ecx
// 0fb655fc | movzx edx, byte ptr [ebp - 4]
// 33c2 | xor eax, edx
$sequence_10 = { d1 e9 89 4d f8 8b 55 18 89 55 fc c7 45 f0 00 00 00 00 }
// n = 5, score = 200
// d1e9 | shr ecx, 1
// 894df8 | mov dword ptr [ebp - 8], ecx
// 8b5518 | mov edx, dword ptr [ebp + 0x18]
// 8955fc | mov dword ptr [ebp - 4], edx
// c745f000000000 | mov dword ptr [ebp - 0x10], 0
$sequence_11 = { 8b 4d f0 3b 4d 10 0f 8d 90 00 00 00 8b 55 08 03 55 f0 0f b6 02 }
// n = 6, score = 200
// 8b4df0 | mov ecx, dword ptr [ebp - 0x10]
// 3b4d10 | cmp ecx, dword ptr [ebp + 0x10]
// 0f8d90000000 | jge 0x96
// 8b5508 | mov edx, dword ptr [ebp + 8]
// 0355f0 | add edx, dword ptr [ebp - 0x10]
// 0fb602 | movzx eax, byte ptr [edx]
$sequence_12 = { 89 4d 14 8b 45 f8 c1 e0 18 8b 4d fc c1 e9 08 0b c1 }
// n = 6, score = 200
// 894d14 | mov dword ptr [ebp + 0x14], ecx
// 8b45f8 | mov eax, dword ptr [ebp - 8]
// c1e018 | shl eax, 0x18
// 8b4dfc | mov ecx, dword ptr [ebp - 4]
// c1e908 | shr ecx, 8
// 0bc1 | or eax, ecx
$sequence_13 = { 0b c1 89 45 18 8b 55 14 89 55 f8 }
// n = 4, score = 200
// 0bc1 | or eax, ecx
// 894518 | mov dword ptr [ebp + 0x18], eax
// 8b5514 | mov edx, dword ptr [ebp + 0x14]
// 8955f8 | mov dword ptr [ebp - 8], edx
$sequence_14 = { 8b 55 14 89 55 f8 8b 45 18 89 45 fc e9 ?? ?? ?? ?? 8b e5 }
// n = 6, score = 200
// 8b5514 | mov edx, dword ptr [ebp + 0x14]
// 8955f8 | mov dword ptr [ebp - 8], edx
// 8b4518 | mov eax, dword ptr [ebp + 0x18]
// 8945fc | mov dword ptr [ebp - 4], eax
// e9???????? |
// 8be5 | mov esp, ebp
condition:
// 7 of the 15 sequences must match inside an input under 1700KB.
// NOTE(review): unlike the two Andariel string rules above, there is no
// uint16(0) == 0x5A4D guard, so the rule also evaluates non-PE inputs (carved
// code, dumps); confirm that is intended rather than an omission. The size
// bound means larger inputs are never considered, whatever they contain.
filesize < 1700KB and 7 of them
}
rule APT_MAL_DTRACK_Oct19_1 {
meta:
description = "Detects DTRACK malware"
author = "Florian Roth (Nextron Systems)"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
// NOTE(review): the account handle in this URL looks like a placeholder, so the
// original tweet cannot be located from it; the sha256 hashes below are the
// usable provenance for this rule.
reference = "https://twitter.com/a_tweeter_user/status/1188811977851887616?s=21"
date = "2019-10-28"
hash1 = "c5c1ca4382f397481174914b1931e851a9c61f029e6b3eb8a65c9e92ddf7aa4c"
hash2 = "a0664ac662802905329ec6ab3b3ae843f191e6555b707f305f8f5a0599ca3f68"
hash3 = "93a01fbbdd63943c151679d037d32b1d82a55d66c6cb93c40ff63f2b770e5ca9"
hash4 = "3cc9d9a12f3b884582e5c4daf7d83c4a510172a836de90b87439388e3cde3682"
hash5 = "bfb39f486372a509f307cde3361795a2f9f759cbeb4cac07562dcbaebc070364"
hash6 = "58fef66f346fe3ed320e22640ab997055e54c8704fc272392d71e367e2d1c2bb"
hash7 = "9d9571b93218f9a635cfeb67b3b31e211be062fd0593c0756eb06a1f58e187fd"
id = "802135bd-234d-574d-b111-fcc9eaa000f8"
strings:
// Raw data-section layout, NUL-padded, decoding to: "%s*.*", "\", "%s~", "\",
// "wb", "dat", "dkwero38oerA^t@#", "c:\", "%s\%c.tmp". It pins both the
// distinctive token and the strings' relative placement, so on its own it is
// enough to match (first clause of the condition).
$xc1 = { 25 73 2A 2E 2A 00 00 00 5C 00 00 00 25 73 7E 00
5C 00 00 00 77 62 00 00 64 61 74 00 64 6B 77 65
72 6F 33 38 6F 65 72 41 5E 74 40 23 00 00 00 00
63 3A 5C 00 25 73 5C 25 63 2E 74 6D 70 }
// "Specific" strings, two of which suffice.
// NOTE(review): $sx1 is a timestamp format and $sx2 a temp-file name format;
// as a pair they are fairly generic, and "2 of ($sx*)" is satisfied by those
// two alone. $sx3/$sx4 are the distinctive tokens — consider whether that
// clause should require one of them. Behaviour is left unchanged here.
$sx1 = "%02d.%02d.%04d - %02d:%02d:%02d:%03d : " fullword ascii
$sx2 = "%s\\%c.tmp" fullword ascii
// Also embedded in $xc1 as "dkwero38oerA^t@#"; fullword still matches there
// because '^' is a non-alphanumeric boundary.
$sx3 = "dkwero38oerA" fullword ascii
$sx4 = "awz2qr21yfbj" fullword ascii
// Supporting strings: log/file names, browser-profile path, a UA prefix, a UNC
// drop path, the ping-then-echo cmd line, command-handler messages. Compare
// $s5 with the similar cmd line in the 2024 Andariel rule above, which reads
// "127.0.01 > NUL % echo EEE" — the two variants differ here.
$s1 = "Execute_%s.log" ascii
$s2 = "%s\\%s\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" fullword ascii
$s3 = "CCS_Mozilla/5.0" fullword ascii
$s4 = "\\C$\\Windows\\Temp\\MpLogs\\" ascii
$s5 = "127.0.0.1 >NUL & echo EEEE > \"%s\"" fullword ascii
$s6 = "[+] DownloadCommand" fullword ascii
$s7 = "DC-Error: Too long cmd length" fullword ascii
$s8 = "%s\\~%d.tmp" fullword ascii
// MAC-address format string; generic on its own, only counts in the
// "N of them" clauses.
$s9 = "%02X:%02X:%02X:%02X:%02X:%02X" ascii fullword
// Short 32-bit x86 code fragments (ebp-relative frame accesses); no wildcards.
$op1 = { 0f b6 8d a3 fc ff ff 85 c9 74 09 8b 55 f4 83 c2 }
$op2 = { 6a 00 8d 85 28 fc ff ff 50 6a 04 8d 4d f8 51 8b }
$op3 = { 8b 85 c8 fd ff ff 03 85 a4 fc ff ff 89 85 b4 fc }
condition:
// Any one of: the data-block layout; two of the $sx strings; four of any
// strings; or, for a PE no larger than 3000KB, two of any strings. Only the
// last clause checks the MZ header, so the first three also apply to
// non-PE inputs such as memory dumps.
$xc1 or 2 of ($sx*) or 4 of them or
( uint16(0) == 0x5a4d and filesize <= 3000KB and 2 of them )
}