YARA rules for Royal
YARA rules whose family, name, or description matches this tool or its tooling. Because the grouping is by name match, unrelated families that share the word "Royal" (here: Royal ransomware, APT15's RoyalCli/RoyalDNS backdoors, and RoyalRoad weaponized RTF documents) appear together; check each rule's description before using it for a binary-pattern hunt.
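rule MAL_EXE_RoyalRansomware {
    // Royal ransomware (samples seen Dec 2022): PE files carrying the ".royal_"
    // extension, the royal_dll.dll file name, the ransom-note text or the .onion URL.
    meta:
        author = "Silas Cutler, modified by Florian Roth"
        description = "Detection for Royal Ransomware seen Dec 2022"
        date = "2023-01-03"
        version = "1.0"
        hash = "a8384c9e3689eb72fa737b570dbb53b2c3d103c62d46747a96e1e1becf14dfea"
        DaysofYARA = "3/100"
        id = "f83316f7-b8c4-5907-a38e-80535215e7ef"
    strings:
        // $x_*: high-confidence indicators; any two are sufficient on their own.
        $x_ext = ".royal_" wide
        $x_fname = "royal_dll.dll"
        $x_ransom_msg01 = "If you are reading this, it means that your system were hit by Royal ransomware."
        $x_ransom_msg02 = "Try Royal today and enter the new era of data security!"
        $x_onion_site = "http://royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion/"
        // $s_*: supporting strings. "README.TXT" is generic on its own and only
        // contributes to the "5 of them" branch together with the CLI flags.
        $s_readme = "README.TXT" wide
        $s_cli_flag01 = "-networkonly" wide
        $s_cli_flag02 = "-localonly" wide
    condition:
        // MZ header (0x5A4D) first, then either two strong indicators or five of the eight strings.
        uint16(0) == 0x5A4D and
        (
            2 of ($x*) or
            5 of them
        )
}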
rule APT15_Malware_Mar18_RoyalCli {
    // RoyalCli backdoor from the NCC Group APT15 report: a small PE that carries the
    // RoyalCli PDB path and the format strings of its command-execution helper.
    // NOTE(review): goo.gl short links have been retired by Google; if the reference
    // no longer resolves, the underlying source is the NCC Group APT15 report named above.
    meta:
        description = "Detects malware from APT 15 report by NCC Group"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/HZ5XMN"
        date = "2018-03-10"
        hash1 = "6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785"
        id = "165bfa6c-1a8d-5628-8c35-da4e4a2ae04f"
    strings:
        $s_pdb      = "\\Release\\RoyalCli.pdb" ascii
        $s_newcmd   = "%snewcmd.exe" fullword ascii
        $s_cmd_err  = "Run cmd error %d" fullword ascii
        $s_tmp_ini  = "%s~clitemp%08x.ini" fullword ascii
        $s_file_err = "run file failed" fullword ascii
        $s_timeout  = "Cmd timeout %d" fullword ascii
        $s_status   = "2 %s %d 0 %d" fullword ascii
    condition:
        // MZ header, size cap, and any two of the seven strings.
        uint16(0) == 0x5a4d
        and filesize < 200KB
        and 2 of them
}
rule APT15_Malware_Mar18_RoyalDNS {
    // RoyalDNS backdoor from the NCC Group APT15 report.
    // This rule calls pe.exports(), so the file holding it needs `import "pe"` at
    // file scope; that import line is not shown on this page.
    meta:
        description = "Detects malware from APT 15 report by NCC Group"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/HZ5XMN"
        date = "2018-03-10"
        hash1 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
        id = "c2f519db-2750-53ce-ae18-697ea041faaf"
    strings:
        // $x_*: sample-specific cleanup command and path; a single hit is enough.
        $x_del_cmd  = "del c:\\windows\\temp\\r.exe /f /q" fullword ascii
        $x_r_exe    = "%s\\r.exe" fullword ascii
        // $s_*: supporting strings; two are required when no $x_* string matches.
        $s_dll      = "rights.dll" fullword ascii
        $s_redirect = "\"%s\">>\"%s\"\\s.txt" fullword ascii
        $s_agent    = "Nwsapagent" fullword ascii
        $s_r_bat    = "%s\\r.bat" fullword ascii
        $s_s_txt    = "%s\\s.txt" fullword ascii
        $s_runexe   = "runexe" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 200KB and (
            // export pair alone is decisive; otherwise fall back to string counts
            ( pe.exports("RunInstallA") and pe.exports("RunUninstallA") )
            or 1 of ($x*)
            or 2 of them
        )
}
rule malware_apt15_royalcli_1 {
    // Generic RoyalCli strings (APT15): temp-file and helper-binary format strings,
    // the two named objects and the status-line formats. Five of ten must match.
    meta:
        description = "Generic strings found in the Royal CLI tool"
        author = "David Cannings"
        sha256 = "6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785"
        id = "432c09bf-3c44-5a2c-ba69-7b4fe7eb43cc"
    strings:
        $tmp_file   = "%s~clitemp%08x.tmp" fullword
        $cmd_fmt    = "%s /c %s>%s" fullword
        $newcmd     = "%snewcmd.exe" fullword
        $hkcmd      = "%shkcmd.exe" fullword
        $ini_file   = "%s~clitemp%08x.ini" fullword
        $robject    = "myRObject" fullword
        $wobject    = "myWObject" fullword
        // the two status lines end in CRLF (\x0D\x0A) and are not fullword
        $status0    = "2 %s %d 0 %d\x0D\x0A"
        $status1    = "2 %s %d 1 %d\x0D\x0A"
        $not_exist  = "%s file not exist" fullword
    condition:
        uint16(0) == 0x5A4D and 5 of them
}
rule malware_apt15_royalcli_2 {
    // APT15 RoyalCli backdoor: any two of five strings in a PE file.
    // These five overlap with malware_apt15_royalcli_1; this rule fires on fewer hits.
    meta:
        author = "Nikolaos Pantazopoulos"
        description = "APT15 RoyalCli backdoor"
        id = "d4acfd2d-385d-5063-898e-d339b50733eb"
    strings:
        $s1 = "%shkcmd.exe" fullword
        $s2 = "myRObject" fullword
        $s3 = "%snewcmd.exe" fullword
        $s4 = "%s~clitemp%08x.tmp" fullword
        $s5 = "myWObject" fullword
    condition:
        uint16(0) == 0x5A4D
        and 2 of ($s*)
}
rule malware_apt15_royaldll_2 {
    // APT15 DNS backdoor packaged as a svchost-hosted service DLL.
    // Calls pe.exports(), so the enclosing file needs `import "pe"` at file scope
    // (not shown on this page).
    meta:
        author = "Ahmed Zaki"
        sha256 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
        description = "DNS backdoor used by APT15"
        id = "3bc546a5-38b9-5504-b09e-305ba7bbd6bc"
    strings:
        // The first four strings are common to any netsvcs service DLL; the specificity
        // presumably comes from myWObject, the ServiceMain export and the size window.
        $svchost_key  = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost" wide ascii
        $netsvcs      = "netsvcs" wide ascii fullword
        $svchost_cmd  = "%SystemRoot%\\System32\\svchost.exe -k netsvcs" wide ascii fullword
        $services_key = "SYSTEM\\CurrentControlSet\\Services\\" wide ascii
        $wobject      = "myWObject" wide ascii
    condition:
        uint16(0) == 0x5A4D
        and all of them
        and pe.exports("ServiceMain")
        and filesize > 50KB
        and filesize < 600KB
}
rule RoyalRoad_code_pattern1 {
    // RoyalRoad weaponized RTF, code pattern 1. The file must begin with the RTF
    // group opener "{\rt" and contain the hex-text run below (RTF stores embedded
    // object data as ASCII hex, so the pattern is matched as text, not raw bytes).
    meta:
        description = "Detects RoyalRoad weaponized RTF documents"
        reference = "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf"
        date = "2020/01/15"
        author = "nao_sec"
        score = 80
        id = "db2fb24c-df99-5622-ac3d-d31c34481984"
    strings:
        $rtf_hdr = "{\\rt"
        $hex_run = "48905d006c9c5b0000000000030101030a0a01085a5ab844eb7112ba7856341231"
    condition:
        $hex_run and $rtf_hdr at 0
}
rule RoyalRoad_code_pattern2 {
    // RoyalRoad weaponized RTF, code pattern 2: RTF opener at offset 0 plus a
    // fixed hex-text run from the embedded object data. Case-sensitive as written.
    meta:
        description = "Detects RoyalRoad weaponized RTF documents"
        reference = "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf"
        date = "2020/01/15"
        author = "nao_sec"
        score = 80
        id = "135024ae-9ecf-5691-95ca-96002e500fd5"
    strings:
        $rtf_hdr = "{\\rt"
        $hex_run = "653037396132353234666136336135356662636665" ascii
    condition:
        $hex_run and $rtf_hdr at 0
}
rule RoyalRoad_code_pattern3 {
    // RoyalRoad weaponized RTF, code pattern 3 (lower-case hex variant; pattern4ab
    // covers the same run with upper-case hex). RTF opener must be at offset 0.
    meta:
        description = "Detects RoyalRoad weaponized RTF documents"
        reference = "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf"
        date = "2020/01/15"
        author = "nao_sec"
        score = 80
        id = "7bce2fe6-a921-51ec-8b5f-5d7f55ab3864"
    strings:
        $rtf_hdr = "{\\rt"
        $hex_run = "4746424151515151505050500000000000584242eb0642424235353336204460606060606060606061616161616161616161616161616161"
    condition:
        $hex_run and $rtf_hdr at 0
}
rule RoyalRoad_code_pattern4ab {
    // RoyalRoad weaponized RTF, code pattern 4a/4b. The "}" inside the hex run is
    // part of the published pattern (presumably a group delimiter the builder inserts
    // into the hex stream as a variant marker) - do not "correct" it.
    meta:
        description = "Detects RoyalRoad weaponized RTF documents"
        reference = "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf"
        date = "2020/01/15"
        author = "nao_sec"
        score = 80
        id = "b4926888-b576-59f7-932a-03b9326845da"
    strings:
        $rtf_hdr = "{\\rt"
        $hex_run = "4746424151515151505050500000000000584242EB064242423535333620446060606060606060606161616161616}1616161616161616161" ascii
    condition:
        $hex_run and $rtf_hdr at 0
}
rule RoyalRoad_code_pattern4ce {
    // RoyalRoad weaponized RTF, code pattern 4c/4e: a shorter tail of the pattern-4
    // hex run with the "}" at a different position. The brace is deliberate.
    meta:
        description = "Detects RoyalRoad weaponized RTF documents"
        reference = "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf"
        date = "2020/01/15"
        author = "nao_sec"
        score = 80
        id = "c6e8a072-23cd-5f6a-9b4f-57d3e4500d13"
    strings:
        $rtf_hdr = "{\\rt"
        $hex_run = "584242eb064242423535333620446060606060606060606161616161616161616161616}1616161" ascii
    condition:
        $hex_run and $rtf_hdr at 0
}
rule RoyalRoad_code_pattern4d {
    // RoyalRoad weaponized RTF, code pattern 4d: same pattern-4 tail as 4ce, with
    // the embedded "}" shifted again. The brace is deliberate.
    meta:
        description = "Detects RoyalRoad weaponized RTF documents"
        reference = "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf"
        date = "2020/01/15"
        author = "nao_sec"
        score = 80
        id = "1677dfb4-7611-5bef-87d1-4cec6285791f"
    strings:
        $rtf_hdr = "{\\rt"
        $hex_run = "584242eb06424242353533362044606060606060606060616161616161616161616}16161616161" ascii
    condition:
        $hex_run and $rtf_hdr at 0
}
rule RoyalRoad_RTF {
    // RoyalRoad weaponized RTF: RTF opener at offset 0 plus the fixed object
    // dimensions "\objw2180\objh300" (the YARA literal escapes the backslash).
    meta:
        description = "Detects RoyalRoad weaponized RTF documents"
        reference = "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf"
        date = "2020/01/15"
        author = "nao_sec"
        score = 80
        id = "366ec9c3-e6ad-5198-88d5-15aa84a8358f"
    strings:
        $rtf_hdr  = "{\\rt"
        $obj_dims = "objw2180\\objh300" ascii
    condition:
        $obj_dims and $rtf_hdr at 0
}
rule RoyalRoad_RTF_v7 {
    // RoyalRoad v7 RTF: both v7 markers (the object/objdata group opener and the
    // "ods0000" token) must be present, with the RTF opener at offset 0.
    // Lower score (60) than the code-pattern rules, as these markers are less specific.
    meta:
        description = "Detects RoyalRoad weaponized RTF documents"
        reference = "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf"
        date = "2020/01/15"
        author = "nao_sec"
        score = 60
        id = "9d2af980-a851-533a-b25d-ee52277e319c"
    strings:
        $rtf_hdr = "{\\rt"
        $v7_objdata = "{\\object\\objocx{\\objdata" ascii
        $v7_ods     = "ods0000" ascii
    condition:
        $rtf_hdr at 0
        and all of ($v7_*)
}
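rule RoyalRoad_encode_in_RTF {
    // RoyalRoad encoded-payload marker inside an RTF: any one of four 4-byte
    // sequences written as hex text, in upper-case ($enc_hex_N) or lower-case
    // ($enc_hex_Nl) form. Fix: $enc_hex_2l was "b2a66Dff" (mixed case), which
    // does not match the lower-case form of B2A66DFF; it is now "b2a66dff".
    // Score is 60 because a single 8-character hex run is a weak indicator on its own.
    meta:
        description = "Detects RoyalRoad weaponized RTF documents"
        reference = "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf"
        date = "2020/01/15"
        author = "nao_sec"
        score = 60
        id = "66614152-8f9b-5e62-b6bd-ba0286e66d4d"
    strings:
        // upper-case hex text
        $enc_hex_1 = "B0747746"
        $enc_hex_2 = "B2A66DFF"
        $enc_hex_3 = "F2A32072"
        $enc_hex_4 = "B2A46EFF"
        // lower-case hex text of the same four sequences
        $enc_hex_1l = "b0747746"
        $enc_hex_2l = "b2a66dff"
        $enc_hex_3l = "f2a32072"
        $enc_hex_4l = "b2a46eff"
        $RTF = "{\\rt"
    condition:
        // RTF opener at offset 0 and at least one encoded marker in either case
        $RTF at 0 and 1 of ($enc_hex*)
}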