From 085572e77f29459d62cc65285f58129f4d7b1461 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 9 Mar 2016 13:40:40 +0100
Subject: [PATCH] New Signatures

---
 yara/apt_irontiger_trendmicro.yar | 1 +
 yara/apt_keylogger_cn.yar | 33 ++++++++++++++++++++++++++
 yara/thor-hacktools.yar | 39 +++++++++++++++++++++++++++++++
 3 files changed, 73 insertions(+)
 create mode 100644 yara/apt_keylogger_cn.yar

diff --git a/yara/apt_irontiger_trendmicro.yar b/yara/apt_irontiger_trendmicro.yar
index be4d91e..668485b 100644
--- a/yara/apt_irontiger_trendmicro.yar
+++ b/yara/apt_irontiger_trendmicro.yar
@@ -124,6 +124,7 @@ rule IronTiger_Gh0stRAT_variant
 $str4 = "Winds Update" nocase wide ascii
 condition:
 uint16(0) == 0x5a4d and (any of ($str*))
+ and not filename == "UpdateSystemMib.exe"
 }
 
 rule IronTiger_GTalk_Trojan
diff --git a/yara/apt_keylogger_cn.yar b/yara/apt_keylogger_cn.yar
new file mode 100644
index 0000000..018b7a9
--- /dev/null
+++ b/yara/apt_keylogger_cn.yar
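Review bot: `filename` on the added condition line is not a YARA built-in but an external variable, so this file now fails to compile under stock yara unless the variable is supplied (`yara -d filename=x ...`); nothing else visible in the hunk declares it. If the exclusion is intended only for scanners that define `filename` (THOR/LOKI), state that in the rule, e.g. a comment above the condition `// NOTE: uses external variable 'filename'; stock yara needs -d filename=`. The exclusion also keys on the file name alone, so it suppresses matches on any other file carrying that name; excluding the specific false positive by hash would be tighter. rule IronTiger_Gh0stRAT_variant starts outside the hunk.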
@@ -0,0 +1,33 @@
+/*
+ Yara Rule Set
+ Author: Florian Roth
+ Date: 2016-03-07
+ Identifier: CN Keylogger APT
+*/
+
+rule Keylogger_CN_APT {
+ meta:
+ description = "Keylogger - generic rule for a Chinese variant"
+ author = "Florian Roth"
+ date = "2016-03-07"
+ score = 75
+ hash = "3efb3b5be39489f19d83af869f11a8ef8e9a09c3c7c0ad84da31fc45afcf06e7"
+ strings:
+ $x1 = "Mozilla/4.0 (compatible; MSIE6.0;Windows NT 5.1)" fullword ascii
+ $x2 = "attrib -s -h -r c:\\ntldr" fullword ascii
+ $x3 = "%sWindows NT %d.%d" fullword ascii
+ $x4 = "Referer: http://%s/%s.aspx?n=" fullword ascii
+
+ $s1 = "\\cmd.exe /c \"systeminfo.exe >> " fullword ascii
+ $s2 = "%s\\cmd.exe /c %s >> \"%s\"" fullword ascii
+ $s3 = "shutdown.exe -r -t 0" fullword ascii
+ $s4 = "dir \"%SystemDrive%\\\" /s /a" fullword ascii
+ $s5 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;" fullword ascii
+ $s6 = "http_s.exe" fullword ascii
+ $s7 = "User Agent\\Post Platform\\" fullword ascii
+ $s8 = "desktop.tmp" fullword ascii
+ $s9 = "\\support.icw" fullword ascii
+ $s10 = "agc.tmp" fullword ascii
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 100KB and 1 of ($x*) ) or 3 of them
+}
diff --git a/yara/thor-hacktools.yar b/yara/thor-hacktools.yar
index af6cb67..ec653e3 100644
--- a/yara/thor-hacktools.yar
+++ b/yara/thor-hacktools.yar
@@ -2935,6 +2935,7 @@ rule mimikatz
 author = "Benjamin DELPY (gentilkiwi)"
 tool_author = "Benjamin DELPY (gentilkiwi)"
 score = 80
+ type = "file"
 strings:
 $exe_x86_1 = { 89 71 04 89 [0-3] 30 8d 04 bd }
 $exe_x86_2 = { 89 79 04 89 [0-3] 38 8d 04 b5 }
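Review bot: `$x3 = "%sWindows NT %d.%d"` is a generic user-agent format fragment, and under `1 of ($x*)` it alone satisfies the first branch for any PE under 100KB, which looks like a likely false-positive source; consider moving it to the `$s` group or requiring `2 of ($x*)`. `$x1` and `$s5` are near-duplicate user-agent strings, so a file containing both already counts two hits toward the unrestricted `3 of them` fallback, which has no PE or size check at all. The meta block also lacks a `reference` entry, unlike the Netview rules added in the same commit.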
@@ -3068,3 +3069,41 @@ rule VSSown_VBS {
 condition:
 all of them
 }
+
+rule Netview_Hacktool {
+ meta:
+ description = "Network domain enumeration tool - often used by attackers - file Nv.exe"
+ author = "Florian Roth"
+ reference = "https://github.com/mubix/netview"
+ date = "2016-03-07"
+ score = 60
+ hash = "52cec98839c3b7d9608c865cfebc904b4feae0bada058c2e8cdbd561cfa1420a"
+ strings:
+ $s1 = "[+] %ws - Target user found - %s\\%s" fullword wide
+ $s2 = "[*] -g used without group specified - using \"Domain Admins\"" fullword ascii
+ $s3 = "[*] -i used without interval specified - ignoring" fullword ascii
+ $s4 = "[+] %ws - Session - %s from %s - Active: %d - Idle: %d" fullword wide
+ $s5 = "[+] %ws - Backup Domain Controller" fullword wide
+ $s6 = "[-] %ls - Share - Error: %ld" fullword wide
+ $s7 = "[-] %ls - Session - Error: %ld" fullword wide
+ $s8 = "[+] %s - OS Version - %d.%d" fullword ascii
+ $s9 = "Enumerating Logged-on Users" fullword ascii
+ $s10 = ": Specifies a domain to pull a list of hosts from" fullword ascii
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 500KB and 2 of them ) or 3 of them
+}
+
+rule Netview_Hacktool_Output {
+ meta:
+ description = "Network domain enumeration tool output - often used by attackers - file filename.txt"
+ author = "Florian Roth"
+ reference = "https://github.com/mubix/netview"
+ date = "2016-03-07"
+ score = 60
+ strings:
+ $s1 = "[*] Using interval:" fullword
+ $s2 = "[*] Using jitter:" fullword
+ $s3 = "[+] Number of hosts:" fullword
+ condition:
+ 2 of them
+}
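Review bot: The three strings in `Netview_Hacktool_Output` are declared `fullword` only, i.e. ASCII, although the rule targets a text file produced by a Windows tool; if that output is ever captured as UTF-16 (for example through a shell redirection that writes Unicode) the rule misses it, so `fullword ascii wide` would be safer, e.g. `$s1 = "[*] Using interval:" fullword ascii wide`. The output rule also has no `filesize` bound and no `hash` in meta, unlike `Netview_Hacktool` just above; if that is deliberate for log files, a short comment saying so would help the next maintainer. rule VSSown_VBS closes at the top of the hunk and its body lies outside it.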