YARA rules

5,941 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. The rules below come from multiple open repositories; each entry is followed by its raw signature.

Rules

APT_MAL_RU_Snake_Indicators_May23_1
Detects indicators found in Snake malware samples
Source: signature-base · Author: Florian Roth
rule APT_MAL_RU_Snake_Indicators_May23_1 {
   meta:
      description = "Detects indicators found in Snake malware samples"
      author = "Florian Roth"
      reference = "https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"
      date = "2023-05-10"
      score = 85
      hash1 = "10b854d66240d9ee1ce4296d2f7857d2b1c6f062ca836d13d777930d678b3ca6"
      hash2 = "15ac5a61fb3e751045de2d7f5ff26c673f3883e326cd1b3a63889984a4fb2a8f"
      hash3 = "315ec991709eb45eccf724dfe31bccb7affcac7f8e8007e688ba8d02827205e0"
      hash4 = "417eb4fb9ada270af35562ff317807ac5ca9ee26181fe89990858f0944d3a6a7"
      hash5 = "48112970de6ea0f925f0657b30adcd0723df94afc98cfafdc991d70ad3602119"
      hash6 = "55ea557bcf4c143f20c616abe9075f7faafbf825aeef9ddb4f2b201acc44414b"
      hash7 = "6568bbeeb417e1111bf284e73152d90fe17e5497da7630ccddcbc666730dccef"
      hash8 = "81d620cb645006ffc9ac1b9d98a53aa286ae92b025bda075962079633f020482"
      hash9 = "888a3029b1b8b664eb1fc77dd511c4088a1e28ae5535a8683642bb3dca011d00"
      hash10 = "9027b4fef50b36289d630059425dc1137c88328329c3ea9dbc348dccd001adc0"
      hash11 = "9ac199572cab67433726976a0e9ba39d6feed1d567d6d230ebe3133df8dcb7fa"
      hash12 = "a64e5d872421991226ee040b4cd49a89ca681bdef4c10c4798b6c7b5c832c6df"
      hash13 = "b5d2da5eb57b5ab26edb927469552629f3cf43bbce2b1a128f6daac7cf57f6f7"
      hash14 = "bc15de1d1c6c62c0bf856e0368adabc4941e7b687a969912494c173233e6d28d"
      hash15 = "bdf94311313c39a3413464f623bd75a3db2eb05cc01090acd6dcd462a605eb4a"
      hash16 = "e4311892ae00bf8148a94fa900fc8e2c279a2acd3b4b4b4c3d0c99dd1d32353c"
      hash17 = "ed74288b367a93c6b47343bc696e751b9c465761ce9c4208901726baa758b234"
      hash18 = "ef1f1c7692b92a730f76b6227643b2d02a6e353af6e930166e3b48e3903e4ffd"
      hash19 = "f5e982b76af7f447742753f0b57eec3d7dd2e3c8e5506c35d4cf6c860b829f45"
      id = "0d4fa8a7-447c-5905-bab9-b63de6209036"
   strings:
      $s1 = "\\\\.\\%s\\\\" ascii fullword
      $s2 = "read_peer_nfo" ascii fullword
      $s3 = "rcv_buf=%d%c" ascii fullword
      $s4 = "%s: (0x%08x)" ascii fullword
      $s5 = "no_impersonate" ascii fullword
   condition:
      all of them
}
APT_MAL_RU_Snake_Malware_Queue_File_May23_1
Detects Queue files used by Snake malware
Source: signature-base · Author: Florian Roth
import "math"

rule APT_MAL_RU_Snake_Malware_Queue_File_May23_1 {
   meta:
      description = "Detects Queue files used by Snake malware"
      author = "Florian Roth"
      reference = "https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"
      date = "2023-05-10"
      score = 80
      id = "c7ed554e-b55e-5c3f-aa8b-231cb1073f34"
   condition:
      // "filename" is an external variable supplied by the scanner (e.g. yara -d filename=...)
      filename matches /(\{[0-9A-Fa-f]{8}\-([0-9A-Fa-f]{4}\-){3}[0-9A-Fa-f]{12}\}\.){2}crmlog/
      /* and filepath contains "\\Registration\\" // not needed - already specific enough */
      // we reduce the range for the entropy calculation to the first 1024 bytes for performance
      // reasons. In a fully encrypted file - as used by Snake - this should already be specific enough
      //and math.entropy(0, filesize) >= 7.0
      and math.entropy(0, 1024) >= 7.0
}
APT_MAL_RU_Turla_Kazuar_May20_1
Detects Turla Kazuar malware
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule APT_MAL_RU_Turla_Kazuar_May20_1 {
   meta:
      description = "Detects Turla Kazuar malware"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.epicturla.com/blog/sysinturla"
      date = "2020-05-28"
      hash1 = "1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c"
      hash2 = "1fca5f41211c800830c5f5c3e355d31a05e4c702401a61f11e25387e25eeb7fa"
      hash3 = "2d8151dabf891cf743e67c6f9765ee79884d024b10d265119873b0967a09b20f"
      hash4 = "44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac"
      id = "cd0d1fa2-5303-55f8-90a7-4a699ec79230"
   strings:
      $s1 = "Sysinternals" ascii fullword
      $s2 = "Test Copyright" wide fullword

      $op1 = { 0d 01 00 08 34 2e 38 30 2e 30 2e 30 00 00 13 01 }
   condition:
      uint16(0) == 0x5a4d and
      filesize < 2000KB and
      all of them
}
APT_MAL_RU_WIN_Snake_Malware_May23_1
Hunting Russian Intelligence Snake Malware
Source: signature-base · Author: Matt Suiche (Magnet Forensics)
rule APT_MAL_RU_WIN_Snake_Malware_May23_1 {
    meta:
        author = "Matt Suiche (Magnet Forensics)"
        description = "Hunting Russian Intelligence Snake Malware"
        date = "2023-05-10"
        modified = "2025-03-21"
        threat_name = "Windows.Malware.Snake"
        reference = "https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"
        score = 70
        scan_context = "memory"
        license = "MIT"

        /* The original search only queried those bytes in PAGE_EXECUTE_WRITECOPY VADs */
        id = "53d2de3c-350c-5090-84bb-b6cde16a80ad"
    strings:
        $a = { 25 73 23 31 }
        $b = { 25 73 23 32 }
        $c = { 25 73 23 33 }
        $d = { 25 73 23 34 }
        $e = { 2e 74 6d 70 }
        /* $f = { 2e 74 6d 70 } */
        $g = { 2e 73 61 76 }
        $h = { 2e 75 70 64 }
    condition:
        all of them
}
APT_MAL_RU_WIN_Snake_Malware_PeIconSizes_May23_1
Detects Comadmin file that houses Snake's kernel driver and the driver's loader
Source: signature-base · Author: CSA
import "pe"

rule APT_MAL_RU_WIN_Snake_Malware_PeIconSizes_May23_1 {
   meta:
      description = "Detects Comadmin file that houses Snake's kernel driver and the driver's loader"
      author = "CSA"
      reference = "https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"
      date = "2023-05-10"
      score = 75
   condition:
      uint16(0) == 0x5a4d
      // "filename" and "filepath" are external variables supplied by the scanner
      and (
         filename == "WerFault.exe"
         or filename == "werfault.exe"
      )
      and filepath contains "\\WinSxS\\"
      // three icon resources with the exact byte lengths documented in the CSA
      and for any rsrc in pe.resources: (
         rsrc.type == pe.RESOURCE_TYPE_ICON and rsrc.length == 3240
      )
      and for any rsrc in pe.resources: (
         rsrc.type == pe.RESOURCE_TYPE_ICON and rsrc.length == 1384
      )
      and for any rsrc in pe.resources: (
         rsrc.type == pe.RESOURCE_TYPE_ICON and rsrc.length == 7336
      )
}
APT_MAL_Win_BlueLight
The BLUELIGHT malware family. Leverages Microsoft OneDrive for network communications.
Source: signature-base · Author: threatintel@volexity.com
rule APT_MAL_Win_BlueLight : InkySquid {
    meta:
        author = "threatintel@volexity.com"
        date = "2021-04-23"
        description = "The BLUELIGHT malware family. Leverages Microsoft OneDrive for network communications."
        hash1 = "7c40019c1d4cef2ffdd1dd8f388aaba537440b1bffee41789c900122d075a86d"
        hash2 = "94b71ee0861cc7cfbbae53ad2e411a76f296fd5684edf6b25ebe79bf6a2a600a"
        license = "See license at https://github.com/volexity/threat-intel/LICENSE.txt"
        reference = "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/"
        id = "3ec2d44c-4c08-514d-a839-acef3f53f7dc"
    strings:
        $pdb1 = "\\Development\\BACKDOOR\\ncov\\"
        $pdb2 = "Release\\bluelight.pdb"

        $msg0 = "https://ipinfo.io" fullword
        $msg1 = "country" fullword
        $msg5 = "\"UserName\":\"" fullword
        $msg7 = "\"ComName\":\"" fullword
        $msg8 = "\"OS\":\"" fullword
        $msg9 = "\"OnlineIP\":\"" fullword
        $msg10 = "\"LocalIP\":\"" fullword
        $msg11 = "\"Time\":\"" fullword
        $msg12 = "\"Compiled\":\"" fullword
        $msg13 = "\"Process Level\":\"" fullword
        $msg14 = "\"AntiVirus\":\"" fullword
        $msg15 = "\"VM\":\"" fullword

    condition:
        any of ($pdb*) or 
        all of ($msg*) 
}
APT_MAL_Win_BlueLight_B
North Korean origin malware which uses a custom Google App for c2 communications.
Source: signature-base · Author: threatintel@volexity.com
rule APT_MAL_Win_BlueLight_B : InkySquid
{
    meta:
        author = "threatintel@volexity.com"
        description = "North Korean origin malware which uses a custom Google App for c2 communications."
        date = "2021-06-21"
        hash1 = "837eaf7b736583497afb8bbdb527f70577901eff04cc69d807983b233524bfed"
        license = "See license at https://github.com/volexity/threat-intel/LICENSE.txt"
        reference = "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/"
        id = "3ec2d44c-4c08-514d-a839-acef3f53f7dc"
    strings:
        $magic = "host_name: %ls, cookie_name: %s, cookie: %s, CT: %llu, ET: %llu, value: %s, path: %ls, secu: %d, http: %d, last: %llu, has: %d"
        
        $f1 = "%ls.INTEG.RAW" wide
        $f2 = "edb.chk" ascii
        $f3 = "edb.log" ascii
        $f4 = "edbres00001.jrs" ascii
        $f5 = "edbres00002.jrs" ascii
        $f6 = "edbtmp.log" ascii
        $f7 = "cheV01.dat" ascii
        
        $chrome1 = "Failed to get chrome cookie"
        $chrome2 = "mail.google.com, cookie_name: OSID"
        $chrome3 = ".google.com, cookie_name: SID,"
        $chrome4 = ".google.com, cookie_name: __Secure-3PSID,"
        $chrome5 = "Failed to get Edge cookie"
        $chrome6 = "google.com, cookie_name: SID,"
        $chrome7 = "google.com, cookie_name: __Secure-3PSID,"
        $chrome8 = "Failed to get New Edge cookie"
        $chrome9 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"
        $chrome10 = "Content-Type: application/x-www-form-urlencoded;charset=utf-8"
        $chrome11 = "Cookie: SID=%s; OSID=%s; __Secure-3PSID=%s"
        $chrome12 = "https://mail.google.com"
        $chrome13 = "result.html"
        $chrome14 = "GM_ACTION_TOKEN"
        $chrome15 = "GM_ID_KEY="
        $chrome16 = "/mail/u/0/?ik=%s&at=%s&view=up&act=prefs"
        $chrome17 = "p_bx_ie=1"
        $chrome18 = "myaccount.google.com, cookie_name: OSID"
        $chrome19 = "Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3"
        $chrome20 = "Content-Type: application/x-www-form-urlencoded;charset=utf-8"
        $chrome21 = "Cookie: SID=%s; OSID=%s; __Secure-3PSID=%s"
        $chrome22 = "https://myaccount.google.com"
        $chrome23 = "result.html"
        $chrome24 = "myaccount.google.com"
        $chrome25 = "/_/AccountSettingsUi/data/batchexecute"
        $chrome26 = "f.req=%5B%5B%5B%22BqLdsd%22%2C%22%5Btrue%5D%22%2Cnull%2C%22generic%22%5D%5D%5D&at="
        $chrome27 = "response.html"
        
        $msg1 = "https_status is %s"
        $msg2 = "Success to find GM_ACTION_TOKEN and GM_ID_KEY"
        $msg3 = "Failed to find GM_ACTION_TOKEN and GM_ID_KEY"
        $msg4 = "Failed HttpSendRequest to mail.google.com"
        $msg5 = "Success to enable imap"
        $msg6 = "Failed to enable imap"
        $msg7 = "Success to find SNlM0e"
        $msg8 = "Failed to find SNlM0e"
        $msg9 = "Failed HttpSendRequest to myaccount.google.com"
        $msg10 = "Success to enable thunder access"
        $msg11 = "Failed to enable thunder access"

        $keylogger_component1 = "[TAB]"
        $keylogger_component2 = "[RETURN]"
        $keylogger_component3 = "PAUSE"
        $keylogger_component4 = "[ESC]"
        $keylogger_component5 = "[PAGE UP]"
        $keylogger_component6 = "[PAGE DOWN]"
        $keylogger_component7 = "[END]"
        $keylogger_component8 = "[HOME]"
        $keylogger_component9 = "[ARROW LEFT]"
        $keylogger_component10 = "[ARROW UP]"
        $keylogger_component11 = "[ARROW RIGHT]"
        $keylogger_component12 = "[ARROW DOWN]"
        $keylogger_component13 = "[INS]"
        $keylogger_component14 = "[DEL]"
        $keylogger_component15 = "[WIN]"
        $keylogger_component16 = "[NUM *]"
        $keylogger_component17 = "[NUM +]"
        $keylogger_component18 = "[NUM ,]"
        $keylogger_component19 = "[NUM -]"
        $keylogger_component20 = "[NUM .]"
        $keylogger_component21 = "NUM /]"
        $keylogger_component22 = "[NUMLOCK]"
        $keylogger_component23 = "[SCROLLLOCK]"
        $keylogger_component24 = "Time: "
        $keylogger_component25 = "Window: "
        $keylogger_component26 = "CAPSLOCK+"
        $keylogger_component27 = "SHIFT+"
        $keylogger_component28 = "CTRL+"
        $keylogger_component29 = "ALT+"

    condition:
        $magic or 
        (
            all of ($f*) and 
            5 of ($keylogger_component*)
        ) or 
        24 of ($chrome*) or 
        4 of ($msg*) or 
        27 of ($keylogger_component*)
}
APT_MAL_Win_DecRok
The DECROK malware family, which uses the victim's hostname to decrypt and execute an embedded payload.
Source: signature-base · Author: threatintel@volexity.com
rule APT_MAL_Win_DecRok : InkySquid
{
    meta:
        author = "threatintel@volexity.com"
        date = "2021-06-23"
        description = "The DECROK malware family, which uses the victim's hostname to decrypt and execute an embedded payload."
        hash = "6a452d088d60113f623b852f33f8f9acf0d4197af29781f889613fed38f57855"
        license = "See license at https://github.com/volexity/threat-intel/LICENSE.txt"
        reference = "https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/"
        id = "dc83843d-fd2a-52f1-82e8-8e36b135a0c5"
    strings:
        $v1 = {C7 ?? ?? ?? 01 23 45 67 [2-20] C7 ?? ?? ?? 89 AB CD EF C7 ?? ?? ?? FE DC BA 98}

        $av1 = "Select * From AntiVirusProduct" wide
        $av2 = "root\\SecurityCenter2" wide

        /* CreateThread..%02x */
        $funcformat = { 25 30 32 78 [0-10] 43 72 65 61 74 65 54 68 72 65 61 64 }

    condition:
        all of them
}
APT_MAL_Win_RokLoad_Loader
A shellcode loader used to decrypt and run an embedded executable.
Source: signature-base · Author: threatintel@volexity.com
rule APT_MAL_Win_RokLoad_Loader : InkySquid
{
    meta:
        author = "threatintel@volexity.com"
        date = "2021-06-23"
        description = "A shellcode loader used to decrypt and run an embedded executable."
        hash = "85cd5c3bb028fe6931130ccd5d0b0c535c01ce2bcda660a3b72581a1a5382904"
        license = "See license at https://github.com/volexity/threat-intel/LICENSE.txt"
        reference = "https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/"
        id = "229dbf3c-1538-5ecd-b5f8-8c9a9c81c515"
    strings:
        $bytes00 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 57 41 54 41 55 41 56 41 57 48 ?? ?? ?? b9 ?? ?? ?? ?? 33 ff e8 ?? ?? ?? ?? b9 ?? ?? ?? ?? 4c 8b e8 e8 ?? ?? ?? ?? 4c 8b f0 41 ff d6 b9 ?? ?? ?? ?? 44 8b f8 e8 ?? ?? ?? ?? 4c 8b e0 e8 ?? ?? ?? ?? 48 }
    
    condition:
        $bytes00 at 0
}
APT_ME_BigBang_Gen_Jul18_1
Detects malware from Big Bang campaign against Palestinian authorities
Source: signature-base · Author: Florian Roth (Nextron Systems)
import "pe"

rule APT_ME_BigBang_Gen_Jul18_1 {
   meta:
      description = "Detects malware from Big Bang campaign against Palestinian authorities"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://research.checkpoint.com/apt-attack-middle-east-big-bang/"
      date = "2018-07-09"
      hash1 = "4db68522600f2d8aabd255e2da999a9d9c9f1f18491cfce9dadf2296269a172b"
      hash2 = "ac6462e9e26362f711783b9874d46fefce198c4c3ca947a5d4df7842a6c51224"
      hash3 = "e1f52ea30d25289f7a4a5c9d15be97c8a4dfe10eb68ac9d031edcc7275c23dbc"
      id = "f1097998-9414-511c-b177-ff09154964a8"
   strings:
      $x2 = "%@W@%S@c@ri%@p@%t.S@%he@%l%@l" ascii
      $x3 = "S%@h%@e%l%@l." ascii
      $x4 = "(\"S@%t@%a%@rt%@up\")" ascii
      $x5 = "aW5zdGFsbCBwcm9nOiBwcm9nIHdpbGwgZGVsZXRlIG9sZCB0bXAgZmlsZQ==" fullword ascii /* base64 encoded string 'install prog: prog will delete old tmp file' */
      $x6 = "aW5zdGFsbCBwcm9nOiBUaGVyZSBpcyBubyBvbGQgZmlsZSBpbiB0ZW1wLg==" fullword ascii /* base64 encoded string 'install prog: There is no old file in temp.' */
      $x7 = "VXBkYXRlIHByb2c6IFRoZXJlIGlzIG5vIG9sZCBmaWxlIGluIHRlbXAu" fullword ascii /* base64 encoded string 'Update prog: There is no old file in temp.' */
      $x8 = "aW5zdGFsbCBwcm9nOiBDcmVhdGUgVGFzayBhZnRlciA1IG1pbiB0byBydW4gRmlsZSBmcm9tIHRtcA==" fullword ascii /* base64 encoded string 'install prog: Create Task after 5 min to run File from tmp' */
      $x9 = "UnVuIEZpbGU6IE15IHByb2cgaXMgRXhpdC4=" fullword ascii /* base64 encoded string 'Run File: My prog is Exit.' */
      $x10 = "li%@%@nk.W%@%@indo@%%@%@%wS%@%@tyle = 3" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 3000KB and (
         1 of them or
         // import hash match requires the "pe" module imported above
         pe.imphash() == "0f09ea2a68d04f331df9a5d0f8641332"
      )
}
APT_ME_BigBang_Mal_Jul18_1
Detects malware from Big Bang report
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule APT_ME_BigBang_Mal_Jul18_1 {
   meta:
      description = "Detects malware from Big Bang report"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://research.checkpoint.com/apt-attack-middle-east-big-bang/"
      date = "2018-07-09"
      hash1 = "ac6462e9e26362f711783b9874d46fefce198c4c3ca947a5d4df7842a6c51224"
      hash2 = "e1f52ea30d25289f7a4a5c9d15be97c8a4dfe10eb68ac9d031edcc7275c23dbc"
      id = "f30b2e11-f90a-5068-8eaa-25f11218ec6c"
   strings:
      $s1 = "%Y%m%d-%I-%M-%S" fullword ascii
      $s2 = "/api/serv/requests/%s/runfile/delete" fullword ascii
      $s3 = "\\part.txt" ascii
      $s4 = "\\ALL.txt" ascii
      $s5 = "\\sat.txt" ascii
      $s6 = "runfile.proccess_name" fullword ascii
      $s7 = "%s%s%p%s%zd%s%d%s%s%s%s%s" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 3000KB and 4 of them
}
APT_NK_AR18_165A_1
Detects APT malware from AR18-165A report by US CERT
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule APT_NK_AR18_165A_1 {
   meta:
      description = "Detects APT malware from AR18-165A report by US CERT"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
      date = "2018-06-15"
      hash1 = "089e49de61701004a5eff6de65476ed9c7632b6020c2c0f38bb5761bca897359"
      id = "45f5205d-7f69-5646-aef8-f95d139f9720"
   strings:
      $s1 = "netsh.exe advfirewall firewall add rule name=\"PortOpenning\" dir=in protocol=tcp localport=%d action=allow enable=yes" fullword wide
      $s2 = "netsh.exe firewall add portopening TCP %d \"PortOpenning\" enable" fullword wide
   condition:
      uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them
}
APT_NK_AR18_165A_HiddenCobra_import_deob
Hidden Cobra - Detects installed proxy module as a service
Source: signature-base · Author: NCCIC trusted 3rd party - Edit: Tobias Michalski
rule APT_NK_AR18_165A_HiddenCobra_import_deob {
   meta:
      author = "NCCIC trusted 3rd party - Edit: Tobias Michalski"
      incident = "10135536"
      date = "2018-04-12"
      category = "hidden_cobra"
      family = "TYPEFRAME"
      md5 = "ae769e62fef4a1709c12c9046301aa5d"
      md5 = "e48fe20eblf5a5887f2ac631fed9ed63"
      reference = "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
      description = "Hidden Cobra - Detects installed proxy module as a service"
      id = "f403d589-be35-57a7-9675-f92657c11acc"
   strings:
      $ = { 8a 01 3c 62 7c 0a 3c 79 7f 06 b2 db 2a d0 88 11 8a 41 01 41 84 c0 75 e8}
      $ = { 8A 08 80 F9 62 7C 0B 80 F9 79 7F 06 82 DB 2A D1 88 10 8A 48 01 40 84 C9 75 E6}
   condition:
      (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
}
APT_NK_BabyShark_KimJoingRAT_Apr19_1
Detects BabyShark KimJongRAT
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule APT_NK_BabyShark_KimJoingRAT_Apr19_1 {
   meta:
      description = "Detects BabyShark KimJongRAT"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/"
      date = "2019-04-27"
      hash1 = "d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712"
      id = "c6bd1e1a-68f2-5a2d-a159-b16ea0d33987"
   strings:
      $x1 = "%s\\Microsoft\\ttmp.log" fullword wide

      $a1 = "logins.json" fullword ascii

      $s1 = "https://www.google.com/accounts/servicelogin" fullword ascii
      $s2 = "https://login.yahoo.com/config/login" fullword ascii
      $s3 = "SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login" ascii
      $s4 = "\\mozsqlite3.dll" ascii
      $s5 = "SMTP Password" fullword ascii
      $s6 = "Yandex\\YandexBrowser\\User Data\\Default\\Login Data" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 2000KB and (
         1 of ($x*) or
         ( $a1 and 3 of ($s*) )
      )
}
APT_NK_Lazarus_Network_Backdoor_Unpacked
Detects unpacked variant of Lazarus Group network backdoor
Source: signature-base · Author: f-secure
rule APT_NK_Lazarus_Network_Backdoor_Unpacked {
   meta:
      author = "f-secure"
      description = "Detects unpacked variant of Lazarus Group network backdoor" 
      date = "2020-06-10"      
      reference = "https://labs.f-secure.com/publications/ti-report-lazarus-group-cryptocurrency-vertical"
      id = "8eda9e74-1a19-5510-82d8-cd2eb324629c"
   strings:
      $str_netsh_1 = "netsh firewall add portopening TCP %d" ascii wide nocase 
      $str_netsh_2 = "netsh firewall delete portopening TCP %d" ascii wide nocase 
      $str_mask_1 = "cmd.exe /c \"%s >> %s 2>&1\"" ascii wide
      $str_mask_2 = "cmd.exe /c \"%s 2>> %s\"" ascii wide 
      $str_mask_3 = "%s\\%s\\%s" ascii wide
      $str_other_1 = "perflog.dat" ascii wide nocase 
      $str_other_2 = "perflog.evt" ascii wide nocase 
      $str_other_3 = "cbstc.log" ascii wide nocase 
      $str_other_4 = "LdrGetProcedureAddress" ascii 
      $str_other_5 = "NtProtectVirtualMemory" ascii
   condition:
      int16(0) == 0x5a4d
      and filesize < 3000KB
      and 1 of ($str_netsh*)
      and 1 of ($str_mask*)
      and 1 of ($str_other*)
}
APT_NK_Lazarus_RC4_Loop
Detects RC4 loop in Lazarus Group implant
Source: signature-base · Author: f-secure
rule APT_NK_Lazarus_RC4_Loop {
   meta: 
      author = "f-secure "
      description = "Detects RC4 loop in Lazarus Group implant" 
      date = "2020-06-10"
      reference = "https://labs.f-secure.com/publications/ti-report-lazarus-group-cryptocurrency-vertical"
      id = "a9503795-b4b8-505e-a1bf-df64ec8c1c32"
   strings:
      $str_rc4_loop = { 41 FE 8? 00 01 00 00 45 0F B6 ?? 00 01 00 00 48 
                        FF C? 43 0F B6 0? ?? 41 00 8? 01 01 00 00 41 0F 
                        B6 ?? 01 01 00 00 }
   condition:
      int16(0) == 0x5a4d and filesize < 3000KB and $str_rc4_loop
}
APT_NK_MAL_DLL_Apr23_1
Detects DLLs loaded by shellcode loader (6ce5b6b4cdd6290d396465a1624d489c7afd2259a4d69b73c6b0ba0e5ad4e4ad) (relation to Lazarus group)
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule APT_NK_MAL_DLL_Apr23_1 {
   meta:
      description = "Detects DLLs loaded by shellcode loader (6ce5b6b4cdd6290d396465a1624d489c7afd2259a4d69b73c6b0ba0e5ad4e4ad) (relation to Lazarus group)"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/"
      date = "2023-04-03"
      score = 75
      hash1 = "69dd140f45c3fa3aaa64c69f860cd3c74379dec37c46319d7805a29b637d4dbf"
      hash3 = "bb1066c1ca53139dc5a2c1743339f4e6360d6fe4f2f3261d24fc28a12f3e2ab9"
      hash4 = "dca33d6dacac0859ec2f3104485720fe2451e21eb06e676f4860ecc73a41e6f9"
      hash5 = "fe948451df90df80c8028b969bf89ecbf501401e7879805667c134080976ce2e"
      id = "c2abe266-0c21-51aa-9426-46a4f59df937"
   strings:
      $x1 = "vG2eZ1KOeGd2n5fr" ascii fullword

      $s1 = "Windows %d(%d)-%s" ascii fullword
      $s2 = "auth_timestamp: " ascii fullword
      $s3 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" wide fullword

      $op1 = { b8 c8 00 00 00 83 fb 01 44 0f 47 e8 41 8b c5 48 8b b4 24 e0 18 00 00 4c 8b a4 24 e8 18 00 00 48 8b 8d a0 17 00 00 48 33 cc }
      $op2 = { 33 d2 46 8d 04 b5 00 00 00 00 66 0f 1f 44 00 00 49 63 c0 41 ff c0 8b 4c 84 70 31 4c 94 40 48 ff c2 }
      $op3 = { 89 5c 24 50 0f 57 c0 c7 44 24 4c 04 00 00 00 c7 44 24 48 40 00 00 00 0f 11 44 24 60 0f 11 44 24 70 0f 11 45 80 0f 11 45 90 }
   condition:
      uint16(0) == 0x5a4d and
      filesize < 500KB and (
         1 of ($x*)
         or 2 of them
      )
      or (
         $x1 and 1 of ($s*)
         or 3 of them
      )
}
APT_NK_MAL_Keylogger_Unknown_Nov19_1
Detects unknown keylogger reported by CNMF in November 2019
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule APT_NK_MAL_Keylogger_Unknown_Nov19_1 {
   meta:
      description = "Detects unknown keylogger reported by CNMF in November 2019"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/CNMF_VirusAlert/status/1192131508007505921"
      date = "2019-11-06"
      hash1 = "04d70bb249206a006f83db39bbe49ff6e520ea329e5fbb9c758d426b1c8dec30"
      hash2 = "618a67048d0a9217317c1d1790ad5f6b044eaa58a433bd46ec2fb9f9ff563dc6"
      id = "5311d883-52e0-5503-9494-c583fabbedfe"
   strings:
      $x1 = "CKeyLogDlg::Keylogger_WriteFile" ascii
      $x2 = "Keylog file is saved >>>>>> %s" fullword ascii
      $x3 = "MicCap file is saved >>>>>> %s" fullword ascii
      $x4 = "cr5cr33nc4p.dat" fullword ascii
      $xc1 = { 73 74 61 74 75 73 00 00 5C 4B 65 79 6C 6F 67 }
      $xc2 = { 5B 43 4D 69 63 43 61 70 44 6C 67 5D 2E 00 00 00
               25 30 34 64 25 30 32 64 25 30 32 64 25 30 32 64
               25 30 32 64 2E 77 61 76 }
      $xc3 = { 25 73 00 00 25 73 5C 2A 2E 2A 00 00 61 62 00 00
               5B 25 73 5D 20 75 70 6C 6F 61 64 20 66 61 69 6C
               65 64 2E 00 72 62 00 00 5B 25 73 5D 20 6F 70 65
               6E 20 66 61 69 6C 65 64 2E 00 00 00 2E 2E 00 00
               5B 25 73 20 2D 3E 20 25 73 5D 20 63 6F 70 79 20
               66 61 69 6C 65 64 }

      $s1 = "%s\\cmd.exe /c %s" fullword ascii
      $s2 = "File upload error occured in [CFSDlg::ProcessResultMessage]." fullword ascii
      $s3 = "\\SAM\\Domains\\Account\\Users\\Names" ascii
      $s4 = "%s_hist%d:%d:%s:%s:::" fullword ascii
      $s5 = "CARAT_Ws2_32.dll" fullword ascii
      $s6 = "PID [%s], open process failed." fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize <= 40000KB and ( 1 of ($x*) or 4 of them )
}
APT_NK_MAL_M_Hunting_VEILEDSIGNAL_1
Detects VEILEDSIGNAL malware
Source: signature-base · Author: Mandiant
rule APT_NK_MAL_M_Hunting_VEILEDSIGNAL_1 {
   meta:
      description = "Detects VEILEDSIGNAL malware"
      author = "Mandiant"
      score = 75
      disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
      hash1 = "404b09def6054a281b41d309d809a428"
      hash2 = "c6441c961dcad0fe127514a918eaabd4"
      reference = "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
      date = "2023-04-20"
      id = "3e7c92fe-a7bd-5180-9935-4f98f2b64e2b"
   strings:
      $rh1 = { 68 5D 7A D2 2C 3C 14 81 2C 3C 14 81 2C 3C 14 81 77 54 10 80 26 3C 14 81 77 54 17 80 29 3C 14 81 77 54 11 80 AB 3C 14 81 D4 4C 11 80 33 3C 14 81 D4 4C 10 80 22 3C 14 81 D4 4C 17 80 25 3C 14 81 77 54 15 80 27 3C 14 81 2C 3C 15 81 4B 3C 14 81 94 4D 1D 80 28 3C 14 81 94 4D 14 80 2D 3C 14 81 94 4D 16 80 2D 3C 14 81 }
      $rh2 = { 00 E5 A0 2B 44 84 CE 78 44 84 CE 78 44 84 CE 78 1F EC CA 79 49 84 CE 78 1F EC CD 79 41 84 CE 78 1F EC CB 79 C8 84 CE 78 BC F4 CA 79 4A 84 CE 78 BC F4 CD 79 4D 84 CE 78 BC F4 CB 79 65 84 CE 78 1F EC CF 79 43 84 CE 78 44 84 CF 78 22 84 CE 78 FC F5 C7 79 42 84 CE 78 FC F5 CE 79 45 84 CE 78 FC F5 CC 79 45 84 CE 78}
      $rh3 = { DA D2 21 22 9E B3 4F 71 9E B3 4F 71 9E B3 4F 71 C5 DB 4C 70 94 B3 4F 71 C5 DB 4A 70 15 B3 4F 71 C5 DB 4B 70 8C B3 4F 71 66 C3 4B 70 8C B3 4F 71 66 C3 4C 70 8F B3 4F 71 C5 DB 49 70 9F B3 4F 71 66 C3 4A 70 B0 B3 4F 71 C5 DB 4E 70 97 B3 4F 71 9E B3 4E 71 F9 B3 4F 71 26 C2 46 70 9F B3 4F 71 26 C2 B0 71 9F B3 4F 71 9E B3 D8 71 9F B3 4F 71 26 C2 4D 70 9F B3 4F 71 }
      $rh4 = { CB 8A 35 66 8F EB 5B 35 8F EB 5B 35 8F EB 5B 35 D4 83 5F 34 85 EB 5B 35 D4 83 58 34 8A EB 5B 35 D4 83 5E 34 09 EB 5B 35 77 9B 5E 34 92 EB 5B 35 77 9B 5F 34 81 EB 5B 35 77 9B 58 34 86 EB 5B 35 D4 83 5A 34 8C EB 5B 35 8F EB 5A 35 D3 EB 5B 35 37 9A 52 34 8C EB 5B 35 37 9A 58 34 8E EB 5B 35 37 9A 5B 34 8E EB 5B 35 37 9A 59 34 8E EB 5B 35 }
   condition:
      uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 1 of ($rh*)
}
APT_NK_MAL_M_Hunting_VEILEDSIGNAL_2
Detects VEILEDSIGNAL malware
Source: signature-base · Author: Mandiant
rule APT_NK_MAL_M_Hunting_VEILEDSIGNAL_2 {
   meta:
      description = "Detects VEILEDSIGNAL malware"
      author = "Mandiant"
      score = 75
      disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
      hash1 = "404b09def6054a281b41d309d809a428"
      reference = "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
      date = "2023-04-20"
      id = "1b96c2f0-1c57-593e-9630-a72d43eb857e"
   strings:
      $sb1 = { C1 E0 05 4D 8? [2] 33 D0 45 69 C0 7D 50 BF 12 8B C2 41 FF C2 C1 E8 07 33 D0 8B C2 C1 E0 16 41 81 C0 87 D6 12 00 }
      $si1 = "CryptBinaryToStringA" fullword
      $si2 = "BCryptGenerateSymmetricKey" fullword
      $si3 = "CreateThread" fullword
      $ss1 = "ChainingModeGCM" wide
      $ss2 = "__tutma" fullword
   condition:
      (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them
}
APT_NK_MAL_M_Hunting_VEILEDSIGNAL_3
Detects VEILEDSIGNAL malware
Source: signature-base · Author: Mandiant
rule APT_NK_MAL_M_Hunting_VEILEDSIGNAL_3 {
   meta:
      description = "Detects VEILEDSIGNAL malware"
      author = "Mandiant"
      score = 75
      disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
      md5 = "c6441c961dcad0fe127514a918eaabd4"
      reference = "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
      date = "2023-04-20"
      id = "82790c65-1d93-509b-95df-841543943c30"
   strings:
      $ss1 = { 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6A 73 6F 6E 2C 20 74 65 78 74 2F 6A 61 76 61 73 63 72 69 70 74 2C 20 2A 2F 2A 3B 20 71 3D 30 2E 30 31 00 00 61 63 63 65 70 74 00 00 65 6E 2D 55 53 2C 65 6E 3B 71 3D 30 2E 39 00 00 61 63 63 65 70 74 2D 6C 61 6E 67 75 61 67 65 00 63 6F 6F 6B 69 65 00 00 }
      $si1 = "HttpSendRequestW" fullword
      $si2 = "CreateNamedPipeW" fullword
      $si3 = "CreateThread" fullword
      $se1 = "DllGetClassObject" fullword
   condition:
      (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them
}
APT_NK_MAL_M_Hunting_VEILEDSIGNAL_4
Detects VEILEDSIGNAL malware
source signature-base author Mandiant
rule APT_NK_MAL_M_Hunting_VEILEDSIGNAL_4 {
   meta:
      description = "Detects VEILEDSIGNAL malware"
      author = "Mandiant"
      score = 75
      disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
      hash1 = "404b09def6054a281b41d309d809a428" 
      hash2 = "c6441c961dcad0fe127514a918eaabd4"
      reference = "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
      date = "2023-04-20"
      id = "379e6471-3c4f-5c72-b8fd-17f481e89ac6"
   strings:
      $sb1 = { FF 15 FC 76 01 00 8B F0 85 C0 74 ?? 8D 50 01 [6-16] FF 15 [4] 48 8B D8 48 85 C0 74 ?? 89 ?? 24 28 44 8B CD 4C 8B C? 48 89 44 24 20 }
      $sb2 = { 33 D2 33 C9 FF 15 [4] 4C 8B CB 4C 89 74 24 28 4C 8D 05 [2] FF FF 44 89 74 24 20 33 D2 33 C9 FF 15 }
      $si1 = "CreateThread" fullword
      $si2 = "MultiByteToWideChar" fullword
      $si3 = "LocalAlloc" fullword
      $se1 = "DllGetClassObject" fullword
   condition:
      (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them
}
APT_NK_MAL_M_Hunting_VEILEDSIGNAL_5
Detects VEILEDSIGNAL malware
source signature-base author Mandiant
rule APT_NK_MAL_M_Hunting_VEILEDSIGNAL_5 {
   meta:
      description = "Detects VEILEDSIGNAL malware"
      author = "Mandiant"
      score = 75
      disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
      hash1 = "6727284586ecf528240be21bb6e97f88"
      reference = "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
      date = "2023-04-20"
      id = "7d0718fc-4f1c-5293-8dc4-81a5783fbfb2"
   strings:
      $sb1 = { 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D [3] 48 8B CB FF 15 [4] EB }
      $ss1 = "chrome.exe" wide fullword
      $ss2 = "firefox.exe" wide fullword
      $ss3 = "msedge.exe" wide fullword
      $ss4 = "\\\\.\\pipe\\*" ascii fullword
      $ss5 = "FindFirstFileA" ascii fullword
      $ss6 = "Process32FirstW" ascii fullword
      $ss7 = "RtlAdjustPrivilege" ascii fullword
      $ss8 = "GetCurrentProcess" ascii fullword
      $ss9 = "NtWaitForSingleObject" ascii fullword
   condition:
      (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them
}
APT_NK_MAL_M_Hunting_VEILEDSIGNAL_6
Detects VEILEDSIGNAL malware
source signature-base author Mandiant
rule APT_NK_MAL_M_Hunting_VEILEDSIGNAL_6 {
   meta:
      description = "Detects VEILEDSIGNAL malware"
      author = "Mandiant"
      score = 75
      disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
      hash1 = "00a43d64f9b5187a1e1f922b99b09b77"
      reference = "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
      date = "2023-04-20"
      id = "2cbedbc0-d465-5674-bf9c-9362003eb8d2"
   strings:
      $ss1 = "C:\\Programdata\\" wide
      $ss2 = "devobj.dll" wide fullword
      $ss3 = "msvcr100.dll" wide fullword
      $ss4 = "TpmVscMgrSvr.exe" wide fullword
      $ss5 = "\\Microsoft\\Windows\\TPM" wide fullword
      $ss6 = "CreateFileW" ascii fullword
   condition:
      (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B) and all of them
}
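The VEILEDSIGNAL hunting rules above all gate on the same three PE header reads and differ only in the optional-header magic: 0x020B (PE32+, 64-bit) in _3, _4 and _5, 0x010B (PE32, 32-bit) in _6, so _6 can only fire on a 32-bit image. The Python below re-implements that condition, including YARA's behaviour that an out-of-bounds read is undefined and makes the whole conjunction false, and runs it against two constructed header-only samples carrying the _6 atoms. It is an added example, not Mandiant's or signature-base's code; the samples, the atom list and the function names are this example's own.

```python
import struct

MZ_MAGIC = 0x5A4D          # "MZ" read as little-endian uint16(0)
PE_SIGNATURE = 0x00004550  # "PE\0\0" read as little-endian uint32(e_lfanew)
PE32_MAGIC = 0x010B        # optional-header Magic of a 32-bit image
PE32PLUS_MAGIC = 0x020B    # optional-header Magic of a 64-bit image


def uint16(data, offset):
    """YARA uint16(): little-endian read; None stands for YARA's 'undefined'."""
    if offset < 0 or offset + 2 > len(data):
        return None
    return struct.unpack_from("<H", data, offset)[0]


def uint32(data, offset):
    """YARA uint32(): little-endian read; None when the read runs past EOF."""
    if offset < 0 or offset + 4 > len(data):
        return None
    return struct.unpack_from("<I", data, offset)[0]


def pe_header_condition(data, magic):
    """The rules' header test:
         uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
         and uint16(uint32(0x3C)+0x18) == magic
    Offset 0x3C holds e_lfanew; the optional header starts 0x18 bytes after the
    PE signature (4-byte signature + 20-byte COFF header). As in YARA, an
    undefined read (e.g. e_lfanew past EOF) makes the conjunction false."""
    if uint16(data, 0) != MZ_MAGIC:
        return False
    e_lfanew = uint32(data, 0x3C)
    if e_lfanew is None or uint32(data, e_lfanew) != PE_SIGNATURE:
        return False
    return uint16(data, e_lfanew + 0x18) == magic


def all_of(data, needles):
    """'all of them' over plain byte atoms ('fullword' is not modelled here)."""
    return all(n in data for n in needles)


def build_minimal_pe(magic, tail=b"", e_lfanew=0x80):
    """Constructed sample: just enough DOS/COFF/optional header for the
    condition above, not a loadable image. Machine is AMD64 for PE32+, i386
    otherwise; SizeOfOptionalHeader is 0xF0 with only Magic filled in."""
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    machine = 0x8664 if magic == PE32PLUS_MAGIC else 0x014C
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, 0x22)
    optional = struct.pack("<H", magic) + bytes(0xF0 - 2)
    return bytes(dos) + b"PE\0\0" + coff + optional + tail


# The $ss* atoms of APT_NK_MAL_M_Hunting_VEILEDSIGNAL_6: five 'wide' strings
# (UTF-16LE in the binary) and one ascii import name.
VEILEDSIGNAL_6_ATOMS = [s.encode("utf-16-le") for s in (
    "C:\\Programdata\\", "devobj.dll", "msvcr100.dll",
    "TpmVscMgrSvr.exe", "\\Microsoft\\Windows\\TPM")] + [b"CreateFileW"]

# Constructed samples carrying all six atoms: one 32-bit, one 64-bit image.
SAMPLE_PE32 = build_minimal_pe(PE32_MAGIC, tail=b"\0\0".join(VEILEDSIGNAL_6_ATOMS))
SAMPLE_PE32PLUS = build_minimal_pe(PE32PLUS_MAGIC, tail=b"\0\0".join(VEILEDSIGNAL_6_ATOMS))


def veiledsignal_6_condition(data):
    """Header test with the PE32 magic, then 'all of them'."""
    return pe_header_condition(data, PE32_MAGIC) and all_of(data, VEILEDSIGNAL_6_ATOMS)


if __name__ == "__main__":
    for name, sample in (("PE32", SAMPLE_PE32), ("PE32+", SAMPLE_PE32PLUS)):
        print(name, "VEILEDSIGNAL_6 matches:", veiledsignal_6_condition(sample))
```

The 64-bit sample carries every string atom yet does not match _6, which is the practical point when triaging: a hit on _3/_4/_5 and a miss on _6 for the same file is expected, not a broken rule.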
APT_NK_Methodology_Artificial_UserAgent_IE_Win7
Detects hard-coded User-Agent string that has been present in several APT37 malware families.
source signature-base author Steve Miller aka @stvemillertime
rule APT_NK_Methodology_Artificial_UserAgent_IE_Win7 {
    meta:
        author = "Steve Miller aka @stvemillertime"
        description = "Detects hard-coded User-Agent string that has been present in several APT37 malware families."
        hash1 = "e63efbf8624a531bb435b7446dbbfc25"
        score = 45
        id = "a747c908-7af7-5c29-8386-a71db7648061"
    strings:
        $a1 = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
        $a2 = {4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 57 4f 57 36 34 3b 20 54 72 69 64 65 6e 74 2f 37 2e 30 3b 20 72 76 3a 31 31 2e 30 29 20 6c 69 6b 65 20 47 65 63 6b 6f 00 00 00 00}

        $fp1 = "Esumsoft" wide
        $fp2 = "Acunetix" wide ascii
        $fp3 = "TASER SYNC" ascii
    condition:
        uint16(0) == 0x5A4D and all of ($a*) and not 1 of ($fp*)
}
APT_NK_Scarcruft_RUBY_Shellcode_XOR_Routine
Detects Ruby ShellCode XOR routine used by ScarCruft APT group
source signature-base author S2WLAB_TALON_JACK2
rule APT_NK_Scarcruft_RUBY_Shellcode_XOR_Routine {
     meta:
       author        = "S2WLAB_TALON_JACK2"
       description   = "Detects Ruby ShellCode XOR routine used by ScarCruft APT group"
       type          = "APT"
       version       = "0.1"
       date          = "2021-05-20"
       reference = "https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48"
       id = "c393f2db-8ade-5083-9cec-f62f23056f8b"
     strings:
         /*
         8B 4C 18 08             mov     ecx, [eax+ebx+8]
         C1 C7 0D                rol     edi, 0Dh
         40                      inc     eax
         F6 C7 01                test    bh, 1
         74 06                   jz      short loc_D0
         81 F7 97 EA AE 78       xor     edi, 78AEEA97h
         */
         $hex1   = {C1 C7 0D 40 F6 C7 01 74 ?? 81 F7}
         /*
         41 C1 C2 0D             rol     r10d, 0Dh
         41 8B C2                mov     eax, r10d
         44 8B CA                mov     r9d, edx
         41 8B CA                mov     ecx, r10d
         41 81 F2 97 EA AE 78    xor     r10d, 78AEEA97h
         */
         $hex2   = {41 C1 C2 0D 41 8B C2 44 8B CA 41 8B CA 41 81 F2}
     condition:
         1 of them
 }
APT_NK_Scarcruft_evolved_ROKRAT
Detects RokRAT malware used by ScarCruft APT group
source signature-base author S2WLAB_TALON_JACK2
rule APT_NK_Scarcruft_evolved_ROKRAT {
    meta:
        author        = "S2WLAB_TALON_JACK2"
        description   = "Detects RokRAT malware used by ScarCruft APT group"
        type          = "APT"
        version       = "0.1"
        date          = "2021-07-09"
        reference = "https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48"
        id = "53cabf41-0154-5372-b667-60d8a7cb9806"
    strings:
/*
0x140130f25 C744242032311223              mov dword ptr [rsp + 0x20], 0x23123132
0x140130f2d C744242434455667              mov dword ptr [rsp + 0x24], 0x67564534
0x140130f35 C744242878899AAB              mov dword ptr [rsp + 0x28], 0xab9a8978
0x140130f3d C744242C0CBDCEDF              mov dword ptr [rsp + 0x2c], 0xdfcebd0c
0x140130f45 C745F02B7EA516                mov dword ptr [rbp - 0x10], 0x16a57e2b
0x140130f4c C745F428AED2A6                mov dword ptr [rbp - 0xc], 0xa6d2ae28
0x140130f53 C745F8ABF71588                mov dword ptr [rbp - 8], 0x8815f7ab
0x140130f5a C745FC09CF4F3C                mov dword ptr [rbp - 4], 0x3c4fcf09
*/
        $AES_IV_KEY = {
        C7 44 24 ?? 32 31 12 23
        C7 44 24 ?? 34 45 56 67
        C7 44 24 ?? 78 89 9A AB
        C7 44 24 ?? 0C BD CE DF
        C7 45 ?? 2B 7E A5 16
        C7 45 ?? 28 AE D2 A6
        C7 45 ?? AB F7 15 88
        C7 45 ?? 09 CF 4F 3C
        }
/*
0x14012b637 80E90F                        sub cl, 0xf
0x14012b63a 80F1C8                        xor cl, 0xc8
0x14012b63d 8848FF                        mov byte ptr [rax - 1], cl
0x14012b640 4883EA01                      sub rdx, 1
*/
        $url_decode = {
               80 E9 0F
               80 F1 C8
               88 48 ??
               48 83 EA 01  }
    condition:
        uint16(0) == 0x5A4D and
        any of them
}
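To show what the $AES_IV_KEY pattern in APT_NK_Scarcruft_evolved_ROKRAT actually pins down, the added Python below (not S2W's code) sweeps a byte buffer for the two store encodings the pattern keys on, C7 44 24 disp8 imm32 and C7 45 disp8 imm32, and reassembles each contiguous run of four dword stores into the 16-byte buffer it leaves on the stack. The code bytes are constructed by hand from the pattern with the displacements shown in the rule's disassembly comment; treating the [rsp+..] block as the IV and the [rbp-..] block as the key follows the string's name and is an assumption, as are the helper names.

```python
import struct

# Constructed code bytes, hand-assembled from the rule's $AES_IV_KEY pattern:
# four "mov dword ptr [rsp+disp8], imm32" (C7 44 24 disp8 imm32) followed by
# four "mov dword ptr [rbp+disp8], imm32" (C7 45 disp8 imm32). The displacements
# (0x20..0x2C, -0x10..-0x04) are the ones in the rule's disassembly comment.
SAMPLE_CODE = bytes.fromhex(
    "C7442420 32311223"
    "C7442424 34455667"
    "C7442428 78899AAB"
    "C744242C 0CBDCEDF"
    "C745F0 2B7EA516"
    "C745F4 28AED2A6"
    "C745F8 ABF71588"
    "C745FC 09CF4F3C"
)


def scan_dword_stack_stores(code):
    """Linear sweep for the two encodings the rule keys on:
         C7 44 24 disp8 imm32   mov dword ptr [rsp+disp8], imm32
         C7 45 disp8 imm32      mov dword ptr [rbp+disp8], imm32
    Yields (offset, base_register, signed_disp, imm32_bytes). imm32 is kept as
    the little-endian bytes from the instruction stream, which is exactly the
    byte order the value has once it sits in memory."""
    i = 0
    while i < len(code):
        if code[i] == 0xC7 and code[i + 1:i + 3] == b"\x44\x24" and i + 8 <= len(code):
            disp = struct.unpack_from("<b", code, i + 3)[0]
            yield i, "rsp", disp, code[i + 4:i + 8]
            i += 8
        elif code[i] == 0xC7 and code[i + 1:i + 2] == b"\x45" and i + 7 <= len(code):
            disp = struct.unpack_from("<b", code, i + 2)[0]
            yield i, "rbp", disp, code[i + 3:i + 7]
            i += 7
        else:
            i += 1


def recover_stack_constants(code, block_size=16):
    """Rebuild each contiguous run of dword stores (ascending displacement,
    4 bytes apart) into the buffer it leaves in memory. Returns
    {base_register: [bytes, ...]} with one entry per run of block_size bytes."""
    by_base = {}
    for _, base, disp, imm in scan_dword_stack_stores(code):
        by_base.setdefault(base, {})[disp] = imm
    found = {}
    for base, stores in by_base.items():
        run, prev = [], None
        for disp in sorted(stores):
            if prev is not None and disp != prev + 4:
                run = []                       # gap: start a new run
            run.append(stores[disp])
            prev = disp
            if len(run) * 4 == block_size:
                found.setdefault(base, []).append(b"".join(run))
                run = []
    return found


def rokrat_iv_and_key(code):
    """Assumption taken from the rule's identifier $AES_IV_KEY: the [rsp+..]
    block is the IV and the [rbp-..] block is the key. Returns (iv, key) as
    hex strings, or None if either 16-byte run is missing."""
    found = recover_stack_constants(code)
    if not found.get("rsp") or not found.get("rbp"):
        return None
    return found["rsp"][0].hex(), found["rbp"][0].hex()


if __name__ == "__main__":
    print(rokrat_iv_and_key(SAMPLE_CODE))
```

Because the rule wildcards the displacement byte, the same sweep works when the compiler picks different stack slots; what it does not survive is a build that loads the constants from .rdata instead of storing immediates, which is why the rule keeps $url_decode as a second, independent string.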
APT_NK_TradingTech_ForensicArtifacts_Apr23_1
Detects forensic artifacts, file names and keywords related to the Trading Technologies compromise UNC4736
source signature-base author Florian Roth
rule APT_NK_TradingTech_ForensicArtifacts_Apr23_1 {
   meta:
      description = "Detects forensic artifacts, file names and keywords related to the Trading Technologies compromise UNC4736"
      author = "Florian Roth"
      reference = "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
      date = "2023-04-20"
      modified = "2023-04-21"
      score = 60
      id = "f79a5321-4f22-52d9-aa83-4aa750ecc036"
   strings:
      $x1 = "www.tradingtechnologies.com/trading/order-management" ascii wide
      
      $xf1 = "X_TRADER_r7.17.90p608.exe" ascii wide
      $xf2 = "\\X_TRADER-ja.mst" ascii wide
      $xf3 = "C:\\Programdata\\TPM\\TpmVscMgrSvr.exe" ascii wide
      $xf4 = "C:\\Programdata\\TPM\\winscard.dll" ascii wide

      $fp1 = "<html"
   condition:
      not uint16(0) == 0x5025
      and 1 of ($x*) and not 1 of ($fp*)
}
APT_PY_BlueLight_Loader
Python Loader used to execute the BLUELIGHT malware family.
source signature-base author threatintel@volexity.com
rule APT_PY_BlueLight_Loader : InkySquid
{
    meta:
        author = "threatintel@volexity.com"
        description = "Python Loader used to execute the BLUELIGHT malware family."
        date = "2021-06-22"
        hash1 = "80269413be6ad51b8b19631b2f5559c9572842e789bbce031babe6e879d2e120"
        license = "See license at https://github.com/volexity/threat-intel/LICENSE.txt"
        reference = "https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/"
        id = "f8da3e40-c3b0-5b7f-8ece-81874993d8cd"
    strings:
        $s1 = "\"\".join(chr(ord(" ascii
        $s2 = "import ctypes " ascii
        $s3 = "ctypes.CFUNCTYPE(ctypes.c_int)" ascii
        $s4 = "ctypes.memmove" ascii
        $s5 = "python ended" ascii

    condition:
        all of them
}
APT_PY_ESXi_Backdoor_Dec22
Detects Python backdoor found on ESXi servers
source signature-base author Florian Roth
rule APT_PY_ESXi_Backdoor_Dec22 {
   meta:
      description = "Detects Python backdoor found on ESXi servers"
      author = "Florian Roth"
      reference = "https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers"
      date = "2022-12-14"
      score = 85
      id = "f0a3b9b9-0031-5d9f-97f8-70f83863ee63"
    strings:
      $x1 = "cmd = str(base64.b64decode(encoded_cmd), " ascii
      $x2 = "sh -i 2>&1 | nc %s %s > /tmp/" ascii
    condition:
      filesize < 10KB and 1 of them or all of them
}
APT_RU_APT27_HyperBro_Vftrace_Loader_Jan22_1
Yara rule to detect first Hyperbro Loader Stage, often called vftrace.dll. Detects decoding function.
source signature-base author Bundesamt fuer Verfassungsschutz (modified by Florian Roth)
import "pe"

rule APT_RU_APT27_HyperBro_Vftrace_Loader_Jan22_1 {
    meta:
        description = "Yara rule to detect first Hyperbro Loader Stage, often called vftrace.dll. Detects decoding function."
        author = "Bundesamt fuer Verfassungsschutz (modified by Florian Roth)"
        date = "2022-01-14"
        sharing = "TLP:WHITE"
        reference = "https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf"
        hash1 = "333B52C2CFAC56B86EE9D54AEF4F0FF4144528917BC1AA1FE1613EFC2318339A"
        id = "b049e163-2694-5fb9-a3a3-98cc77bcd0ca"
    strings:
        $decoder_routine = { 8A ?? 41 10 00 00 8B ?? 28 ?? ?? 4? 3B ?? 72 ?? }
    condition:
        uint16(0) == 0x5a4d and
        filesize < 5MB and
        $decoder_routine and 
        pe.exports("D_C_Support_SetD_File")
}
APT_RU_Sandworm_PY_May20_1
Detects Sandworm Python loader
source signature-base author Florian Roth (Nextron Systems)
rule APT_RU_Sandworm_PY_May20_1 {
   meta:
      description = "Detects Sandworm Python loader"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/billyleonard/status/1266054881225236482"
      date = "2020-05-28"
      hash1 = "c025008463fdbf44b2f845f2d82702805d931771aea4b506573b83c8f58bccca"
      id = "a392d800-1fe8-5ae9-b813-e1dfcedecda6"
   strings:
      $x1 = "o.addheaders=[('User-Agent','Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko')]" ascii fullword
      
      $s1 = "exec(o.open('http://" ascii
      $s2 = "__import__({2:'urllib2',3:'urllib.request'}"
   condition:
      uint16(0) == 0x6d69 and
      filesize < 1KB and
      1 of ($x*) or 2 of them
}
APT_RU_Sandworm_PY_May20_2
Detects Sandworm Python loader
source signature-base author Florian Roth (Nextron Systems)
rule APT_RU_Sandworm_PY_May20_2 {
   meta:
      description = "Detects Sandworm Python loader"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/billyleonard/status/1266054881225236482"
      date = "2020-05-28"
      hash1 = "abfa83cf54db8fa548942acd845b4f34acc94c46d4e1fb5ce7e97cc0c6596676"
      id = "5b32ad64-d959-5632-a03c-17aa055b213f"
   strings:
      $x1 = "import sys;import re, subprocess;cmd" ascii fullword
      $x2 = "UA='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';server='http"
      $x3 = "';t='/admin/get.php';req" ascii
      $x4 = "ps -ef | grep Little\\ Snitch | grep " ascii fullword
   condition:
      uint16(0) == 0x6d69 and
      filesize < 2KB and
      1 of them
}
APT_SH_CodeCov_Hack_Apr21_1
Detects the Codecov bash uploader tool as manipulated by an unknown actor during March / April 2021
source signature-base author Florian Roth (Nextron Systems)
rule APT_SH_CodeCov_Hack_Apr21_1 {
   meta:
      description = "Detects the Codecov bash uploader tool as manipulated by an unknown actor during March / April 2021"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://about.codecov.io/security-update/"
      date = "2021-04-16"
      id = "b5fb74c4-073e-53af-a207-1672e63c9a64"
   strings:
      $a1 = "Global report uploading tool for Codecov"

      $s1 = "curl -sm 0.5 -d"
   condition:
      uint16(0) == 0x2123 and
      filesize < 70KB and
      all of them
}
APT_SH_ESXi_Backdoor_Dec22
Detects malicious script found on ESXi servers
source signature-base author Florian Roth
rule APT_SH_ESXi_Backdoor_Dec22 {
   meta:
      description = "Detects malicious script found on ESXi servers"
      author = "Florian Roth"
      reference = "https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers"
      date = "2022-12-14"
      score = 75
      id = "983ac20c-2e61-5365-8849-b3aeb999f909"
    strings:
      $x1 = "mv /bin/hostd-probe.sh /bin/hostd-probe.sh.1" ascii fullword
      $x2 = "/bin/nohup /bin/python -u /store/packages/vmtools.py" ascii
      $x3 = "/bin/rm /bin/hostd-probe.sh.1"
    condition:
      filesize < 10KB and 1 of them
}
APT_SH_Sandworm_Shell_Script_May20_1
Detects shell script used by Sandworm in attack against Exim mail server
source signature-base author Florian Roth (Nextron Systems)
rule APT_SH_Sandworm_Shell_Script_May20_1 {
   meta:
      description = "Detects shell script used by Sandworm in attack against Exim mail server"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf"
      date = "2020-05-28"
      hash1 = "dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730"
      hash2 = "538d713cb47a6b5ec6a3416404e0fc1ebcbc219a127315529f519f936420c80e"
      id = "21cf2c89-5511-5eb6-a2dd-4ad54ebfa2d1"
   strings:     
      $x1 = "echo \"GRANT ALL PRIVILEGES ON * . * TO 'mysqldb'@'localhost';\" >> init-file.txt" ascii fullword
      $x2 = "import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version" ascii fullword
      $x3 = "sed -i -e '/PasswordAuthentication/s/no/yes/g; /PermitRootLogin/s/no/yes/g;" ascii fullword
      $x4 = "useradd -M -l -g root -G root -b /root -u 0 -o mysql_db" ascii fullword
      
      $s1 = "/ip.php?port=${PORT}\"" ascii fullword
      $s2 = "sed -i -e '/PasswordAuthentication" ascii fullword
      $s3 = "PATH_KEY=/root/.ssh/authorized_keys" ascii fullword
      $s4 = "CREATE USER" ascii fullword
      $s5 = "crontab -l | { cat; echo" ascii fullword
      $s6 = "mysqld --user=mysql --init-file=/etc/opt/init-file.txt --console" ascii fullword
      $s7 = "sshkey.php" ascii fullword
   condition:
      uint16(0) == 0x2123 and
      filesize < 20KB and
      1 of ($x*) or 4 of them
}
APT_SUSP_NK_3CX_Malicious_Samples_Mar23_1
Detects indicator (event name) found in samples related to 3CX compromise
source signature-base author Florian Roth (Nextron Systems)
rule APT_SUSP_NK_3CX_Malicious_Samples_Mar23_1 {
   meta:
      description = "Detects indicator (event name) found in samples related to 3CX compromise"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/"
      date = "2023-03-30"
      score = 70
      hash1 = "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896"
      hash2 = "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983"
      hash3 = "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868"
      hash4 = "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02"
      id = "b233846a-19df-579b-a674-233d66824008"
   strings:
      $a1 = "AVMonitorRefreshEvent" wide fullword
   condition:
      1 of them
}
APT_SUSP_NK_3CX_RC4_Key_Mar23_1
Detects RC4 key used in 3CX binaries known to be malicious
source signature-base author Florian Roth (Nextron Systems)
rule APT_SUSP_NK_3CX_RC4_Key_Mar23_1 {
   meta:
      description = "Detects RC4 key used in 3CX binaries known to be malicious"
      author = "Florian Roth (Nextron Systems)"
      date = "2023-03-29"
      reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
      score = 70
      hash1 = "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896"
      hash2 = "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983"
      hash3 = "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868"
      hash4 = "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02"
      id = "18ea2185-11a1-51ad-a51a-df9e6357bb58"
   strings:
      $x1 = "3jB(2bsG#@c7"
   condition:
      ( uint16(0) == 0xcfd0 or uint16(0) == 0x5a4d )
      and $x1
}
APT_UA_Hermetic_Wiper_Feb22_1
Detects Hermetic Wiper malware
source signature-base author Florian Roth (Nextron Systems)
rule APT_UA_Hermetic_Wiper_Feb22_1 {
   meta:
      description = "Detects Hermetic Wiper malware"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/"
      date = "2022-02-24"
      score = 75
      hash1 = "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da"
      hash2 = "3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767"
      hash3 = "2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf"
      hash4 = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
      id = "2cbe4a69-e31a-5f5f-ab1a-9d71d16fb30f"
   strings:
      $xc1 = { 00 5C 00 5C 00 2E 00 5C 00 50 00 68 00 79 00 73
               00 69 00 63 00 61 00 6C 00 44 00 72 00 69 00 76
               00 65 00 25 00 75 00 00 00 5C 00 5C 00 2E 00 5C
               00 45 00 50 00 4D 00 4E 00 54 00 44 00 52 00 56
               00 5C 00 25 00 75 00 00 00 5C 00 5C 00 2E 00 5C
               00 00 00 00 00 25 00 73 00 25 00 2E 00 32 00 73
               00 00 00 00 00 24 00 42 00 69 00 74 00 6D 00 61
               00 70 00 00 00 24 00 4C 00 6F 00 67 00 46 00 69
               00 6C 00 65 }
      $sc1 = { 00 44 00 72 00 69 00 76 00 65 00 72 00 73 00 00
               00 64 00 72 00 76 00 00 00 53 00 79 00 73 00 74
               00 65 00 6D 00 33 00 32 }

      $s1 = "\\\\?\\C:\\Windows\\System32\\winevt\\Logs" wide fullword
      $s2 = "\\\\.\\EPMNTDRV\\%u" wide fullword
      $s3 = "DRV_XP_X64" wide fullword
      $s4 = "%ws%.2ws" wide fullword

      $op1 = { 8b 7e 08 0f 57 c0 8b 46 0c 83 ef 01 66 0f 13 44 24 20 83 d8 00 89 44 24 18 0f 88 3b 01 00 00 }
      $op2 = { 13 fa 8b 55 f4 4e 3b f3 7f e6 8a 45 0f 01 4d f0 0f 57 c0 }
   condition:
      ( uint16(0) == 0x5a53 or uint16(0) == 0x5a4d ) and
      filesize < 400KB and ( 1 of ($x*) or 3 of them )
}
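Two of the rules above match raw byte runs rather than readable strings: $ss1 in APT_NK_MAL_M_Hunting_VEILEDSIGNAL_3 is an ASCII run and $xc1 in APT_UA_Hermetic_Wiper_Feb22_1 is UTF-16LE. Such patterns are more specific than the individual wide/ascii atoms because they also fix the order, terminators and padding between neighbouring strings in the data section. The added Python below (not signature-base code) decodes a fixed YARA hex string back into the strings it encodes, handling the mid-character start and end that hexdump-lifted patterns often have; the two patterns are copied from the rules, the helper names and the wide/ascii heuristic are this example's own.

```python
import re

# Hex strings copied verbatim from the two rules: $ss1 of
# APT_NK_MAL_M_Hunting_VEILEDSIGNAL_3 (ascii) and $xc1 of
# APT_UA_Hermetic_Wiper_Feb22_1 (UTF-16LE). $xc1 begins with the high byte of
# the previous terminator and ends with only the low byte of its last 'e'.
VEILEDSIGNAL_3_SS1 = """{ 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6A 73 6F 6E 2C 20 74 65 78 74 2F 6A 61 76 61 73 63 72 69 70 74 2C 20 2A 2F 2A 3B 20 71 3D 30 2E 30 31 00 00 61 63 63 65 70 74 00 00 65 6E 2D 55 53 2C 65 6E 3B 71 3D 30 2E 39 00 00 61 63 63 65 70 74 2D 6C 61 6E 67 75 61 67 65 00 63 6F 6F 6B 69 65 00 00 }"""

HERMETIC_XC1 = """{ 00 5C 00 5C 00 2E 00 5C 00 50 00 68 00 79 00 73
                  00 69 00 63 00 61 00 6C 00 44 00 72 00 69 00 76
                  00 65 00 25 00 75 00 00 00 5C 00 5C 00 2E 00 5C
                  00 45 00 50 00 4D 00 4E 00 54 00 44 00 52 00 56
                  00 5C 00 25 00 75 00 00 00 5C 00 5C 00 2E 00 5C
                  00 00 00 00 00 25 00 73 00 25 00 2E 00 32 00 73
                  00 00 00 00 00 24 00 42 00 69 00 74 00 6D 00 61
                  00 70 00 00 00 24 00 4C 00 6F 00 67 00 46 00 69
                  00 6C 00 65 }"""

HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")


def yara_hex_to_bytes(pattern):
    """Turn a plain YARA hex string ('{ 61 70 ... }', whitespace and line breaks
    allowed) into bytes. Wildcards (??, 4?), jumps ([4-6]) and alternatives are
    rejected: they do not decode to a single byte sequence."""
    body = pattern.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    tokens = body.split()
    bad = [t for t in tokens if not HEX_BYTE.fullmatch(t)]
    if bad:
        raise ValueError(f"not a fixed byte sequence, found {bad[:3]}")
    return bytes(int(t, 16) for t in tokens)


def split_ascii_strings(blob):
    """NUL-separated ascii strings; empty pieces (padding) are dropped."""
    return [s.decode("ascii", "replace") for s in blob.split(b"\x00") if s]


def _ascii_score(chunk):
    """Number of UTF-16LE code units that are NUL or printable ASCII."""
    units = [int.from_bytes(chunk[i:i + 2], "little") for i in range(0, len(chunk), 2)]
    return sum(1 for u in units if u == 0 or 0x20 <= u <= 0x7E)


def split_wide_strings(blob):
    """NUL-separated UTF-16LE strings. Try both byte alignments, completing a
    dangling final code unit with 00, and keep the alignment that decodes to
    more ASCII-range units; the wrong alignment reads as CJK-range garbage."""
    candidates = []
    for start in (0, 1):
        chunk = blob[start:]
        if len(chunk) % 2:
            chunk += b"\x00"
        candidates.append((_ascii_score(chunk), chunk))
    chunk = max(candidates, key=lambda c: c[0])[1]
    return [s for s in chunk.decode("utf-16-le", "replace").split("\x00") if s]


def looks_wide(blob):
    """Heuristic: UTF-16LE text of ASCII characters has a NUL in every other byte."""
    return blob.count(0) >= len(blob) // 3


def strings_in_pattern(pattern):
    """Decode a fixed YARA hex string to the ascii or wide strings it contains."""
    blob = yara_hex_to_bytes(pattern)
    return split_wide_strings(blob) if looks_wide(blob) else split_ascii_strings(blob)


if __name__ == "__main__":
    for name, pat in (("VEILEDSIGNAL_3 $ss1", VEILEDSIGNAL_3_SS1), ("Hermetic $xc1", HERMETIC_XC1)):
        print(name, strings_in_pattern(pat))
```

Reading $xc1 this way also explains why the rule keeps $s2 ("\\\\.\\EPMNTDRV\\%u", wide) as a separate atom: it is one of the six strings inside $xc1, and on its own it survives a recompile that reorders the data section while $xc1 does not.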
APT_UA_Hermetic_Wiper_Scheduled_Task_Feb22_1
Detects scheduled task pattern found in Hermetic Wiper malware related intrusions
source signature-base author Florian Roth (Nextron Systems)
rule APT_UA_Hermetic_Wiper_Scheduled_Task_Feb22_1 {
   meta:
      description = "Detects scheduled task pattern found in Hermetic Wiper malware related intrusions"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia"
      date = "2022-02-25"
      score = 85
      id = "a628f773-9c71-5979-a4db-37b6b6bd6a56"
   strings:
      $a0 = "<Task version=" ascii wide

      $sa1 = "CSIDL_SYSTEM_DRIVE\\temp" ascii wide
      $sa2 = "postgresql.exe 1> \\\\127.0.0.1\\ADMIN$" ascii wide
      $sa3 = "cmd.exe /Q /c move CSIDL_SYSTEM_DRIVE" ascii wide
   condition:
      $a0 and 1 of ($s*)
}
CN_APT_ZeroT_extracted_Go
Chinese APT by Proofpoint ZeroT RAT - file Go.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_APT_ZeroT_extracted_Go {
   meta:
      description = "Chinese APT by Proofpoint ZeroT RAT - file Go.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
      date = "2017-02-04"
      modified = "2023-01-06"
      hash1 = "83ddc69fe0d3f3d2f46df7e72995d59511c1bfcca1a4e14c330cb71860b4806b"
      id = "ba929e6d-4162-58e7-b8a8-bcb066b64522"
   strings:
      $x1 = "%s\\cmd.exe /c %s\\Zlh.exe" fullword ascii
      $x2 = "\\BypassUAC.VS2010\\Release\\" ascii

      $s1 = "Zjdsf.exe" fullword ascii
      $s2 = "SS32prep.exe" fullword ascii
      $s3 = "windowsgrep.exe" fullword ascii
      $s4 = "Sysdug.exe" fullword ascii
      $s5 = "Proessz.exe" fullword ascii
      $s6 = "%s\\Zlh.exe" fullword ascii
      $s7 = "/C %s\\%s" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 100KB and ( 1 of ($x*) or 3 of ($s*) ) ) or ( 7 of them )
}
CN_APT_ZeroT_extracted_Mcutil
Chinese APT by Proofpoint ZeroT RAT - file Mcutil.dll
source signature-base author Florian Roth (Nextron Systems)
rule CN_APT_ZeroT_extracted_Mcutil {
   meta:
      description = "Chinese APT by Proofpoint ZeroT RAT - file Mcutil.dll"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
      date = "2017-02-04"
      hash1 = "266c06b06abbed846ebabfc0e683f5d20dadab52241bc166b9d60e9b8493b500"
      id = "c887d36b-8aeb-54f1-a683-727561723238"
   strings:
      $s1 = "LoaderDll.dll" fullword ascii
      $s2 = "QageBox1USER" fullword ascii
      $s3 = "xhmowl" fullword ascii
      $s4 = "?KEYKY" fullword ascii
      $s5 = "HH:mm:_s" fullword ascii
      $s6 = "=licni] has maX0t" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 90KB and 3 of them ) or ( all of them )
}
CN_APT_ZeroT_extracted_Zlh
Chinese APT by Proofpoint ZeroT RAT - file Zlh.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_APT_ZeroT_extracted_Zlh {
   meta:
      description = "Chinese APT by Proofpoint ZeroT RAT - file Zlh.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
      date = "2017-02-04"
      hash1 = "711f0a635bbd6bf1a2890855d0bd51dff79021db45673541972fe6e1288f5705"
      id = "4c8b9a90-6cb3-5aba-a993-f73207341d0e"
   strings:
      $s1 = "nflogger.dll" fullword wide
      $s2 = "%s %d: CreateProcess('%s', '%s') failed. Windows error code is 0x%08x" fullword ascii
      $s3 = "_StartZlhh(): Executed \"%s\"" ascii
      $s4 = "Executable: '%s' (%s) %i" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 300KB and 3 of them )
}
CN_APT_ZeroT_nflogger
Chinese APT by Proofpoint ZeroT RAT - file nflogger.dll
source signature-base author Florian Roth (Nextron Systems)
rule CN_APT_ZeroT_nflogger {
   meta:
      description = "Chinese APT by Proofpoint ZeroT RAT - file nflogger.dll"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
      date = "2017-02-04"
      hash1 = "946adbeb017616d56193a6d43fe9c583be6ad1c7f6a22bab7df9db42e6e8ab10"
      id = "0d23f312-e3b6-5c23-855b-25ae54265512"
   strings:
      $x1 = "\\LoaderDll.VS2010\\Release\\" ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 200KB and all of them )
}
CN_Actor_AmmyyAdmin
Detects Ammyy Admin Downloader
source signature-base author Florian Roth (Nextron Systems)
rule CN_Actor_AmmyyAdmin {
   meta:
      description = "Detects Ammyy Admin Downloader"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research - CN Actor"
      date = "2017-06-22"
      score = 60
      hash1 = "1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed"
      id = "08ffb61a-e2de-538e-9d9f-040276324af9"
   strings:
      $x2 = "\\Ammyy\\sources\\main\\Downloader.cpp" ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )
}
CN_Actor_RA_Tool_Ammyy_mscorsvw
Detects Ammyy remote access tool
source signature-base author Florian Roth (Nextron Systems)
rule CN_Actor_RA_Tool_Ammyy_mscorsvw {
   meta:
      description = "Detects Ammyy remote access tool"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research - CN Actor"
      date = "2017-06-22"
      hash1 = "1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed"
      hash2 = "d9ec0a1be7cd218042c54bfbc12000662b85349a6b78731a09ed336e5d3cf0b4"
      id = "71a0c5a9-b4dc-508d-a6b7-4b85b75bc34b"
   strings:
      $s1 = "Please enter password for accessing remote computer" fullword ascii
      $s2 = "Die Zugriffsanforderung wurde vom Remotecomputer abgelehnt" fullword ascii
      $s3 = "It will automatically be run the next time this computer is restart or you can start it manually" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 4000KB and 3 of them )
}
CN_GUI_Scanner
Detects an unknown GUI scanner tool - CN background
source signature-base author Florian Roth (Nextron Systems)
rule CN_GUI_Scanner {
   meta:
      description = "Detects an unknown GUI scanner tool - CN background"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      hash = "3c67bbb1911cdaef5e675c56145e1112"
      score = 65
      date = "04.10.2014"
      id = "ca88d4d3-5d18-5856-874f-e50deceef54f"
   strings:
      $s1 = "good.txt" fullword ascii
      $s2 = "IP.txt" fullword ascii
      $s3 = "xiaoyuer" fullword ascii
      $s0w = "ssh(" wide
      $s1w = ").exe" fullword wide
   condition:
      all of them
}
CN_Hacktool_1433_Scanner
Detects a Chinese MSSQL scanner
source signature-base author Florian Roth (Nextron Systems)
rule CN_Hacktool_1433_Scanner {
   meta:
      description = "Detects a Chinese MSSQL scanner"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      score = 40
      date = "12.10.2014"
      id = "77712d29-1a32-59e7-999a-a2ef02212886"
   strings:
      $s0 = "1433" wide fullword
      $s1 = "1433V" wide
      $s2 = "del Weak1.txt" ascii fullword
      $s3 = "del Attack.txt" ascii fullword
      $s4 = "del /s /Q C:\\Windows\\system32\\doors\\" ascii
      $s5 = "!&start iexplore http://www.crsky.com/soft/4818.html)" fullword ascii
   condition:
      uint16(0) == 0x5a4d and all of ($s*)
}
CN_Hacktool_1433_Scanner_Comp2
Detects a Chinese MSSQL scanner - component 2
source signature-base author Florian Roth (Nextron Systems)
rule CN_Hacktool_1433_Scanner_Comp2 {
   meta:
      description = "Detects a Chinese MSSQL scanner - component 2"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      score = 40
      date = "12.10.2014"
      id = "7d707be5-dad0-5d91-965b-908a8603b6c0"
   strings:
      $s0 = "1433" wide fullword
      $s1 = "1433V" wide
      $s2 = "UUUMUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUMUUU" ascii fullword
   condition:
      uint16(0) == 0x5a4d and all of ($s*)
}
CN_Hacktool_BAT_PortsOpen
Detects a Chinese BAT hacktool for local port evaluation
source signature-base author Florian Roth (Nextron Systems)
rule CN_Hacktool_BAT_PortsOpen {
   meta:
      description = "Detects a Chinese BAT hacktool for local port evaluation"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      score = 60
      date = "12.10.2014"
      id = "55c3f678-ba70-5a4a-b288-9d0953eff968"
   strings:
      $s0 = "for /f \"skip=4 tokens=2,5\" %%a in ('netstat -ano -p TCP') do (" ascii
      $s1 = "in ('tasklist /fi \"PID eq %%b\" /FO CSV') do " ascii
      $s2 = "@echo off" ascii
   condition:
      all of them
}
Showing 51-100 of 5,941