Sofacy IOCs and YARA signature

This commit is contained in:
Florian Roth 2018-03-01 09:29:57 +01:00
parent c6807a024d
commit 4bdcf3c64b
4 changed files with 33 additions and 0 deletions


@ -121,3 +121,5 @@ controleng.com;US-CERT TA17-293A https://www.us-cert.gov/ncas/alerts/TA17-293A
203.113.4.230;US-CERT TA17-293A https://www.us-cert.gov/ncas/alerts/TA17-293A
149.210.156.198;US-CERT TA17-293A https://www.us-cert.gov/ncas/alerts/TA17-293A
151.80.163.14;US-CERT TA17-293A https://www.us-cert.gov/ncas/alerts/TA17-293A
cdnverify.net;Sofacy activity https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/


@ -2810,4 +2810,8 @@ AppData\\Local\\cdnver\.dll;90
AppData\\Local\\kb6867\.bin;80
AppData\\Roaming\\kb6867\.bin;80
# Sofacy Activity https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
\\AppData\\Local\\cdnver\.dll;100
\\AppData\\Local\\cdnver\.bat;100
# End
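Review bot: The added `\\AppData\\Local\\cdnver\.dll;100` overlaps with the entry `AppData\\Local\\cdnver\.dll;90` quoted in the hunk heading; a hunk heading is taken from a line preceding the hunk, so that older pattern is still in the file and the diffstat reports 0 deletions. The same path would then be matched by two patterns with different scores, which makes the effective score depend on how the consumer resolves duplicates. If the new line is meant to supersede the old one, the commit should remove the `;90` entry; if both are intentional, a comment explaining why the unanchored variant is kept would help. The exact placement of the older line relative to the hunk cannot be confirmed from this view.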


@ -8152,3 +8152,8 @@ ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790;Dark Caracal -
ed25b0c20b1c1b271a511a1266fe3967ab851aaa9f793bdf4f3d19de1dcf6532;Dark Caracal - PE32 executable (GUI) Intel 80386
f581a75a0f8f8eb200a283437bed48f30ae9d5616e94f64acfd93c12fcef987a;Dark Caracal - PE32 executable (GUI) Intel 80386
d57701321f2f13585a02fc8ba6cbf1f2f094764bfa067eb73c0101060289b0ba;Dark Caracal - PE32 executable (GUI) Intel 80386
ff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8;Sofacy Activity https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
12e6642cf6413bdf5388bee663080fa299591b2ba023d069286f3be9647547c8;Sofacy Activity https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
cb85072e6ca66a29cb0b73659a0fe5ba2456d9ba0b52e3a4c89e86549bc6e2c7;Sofacy Activity https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
23411bb30042c9357ac4928dc6fca6955390361e660fec7ac238bbdcc8b83701;Sofacy Activity https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
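Review bot: The four new hash lines describe the sample only as `Sofacy Activity <URL>`, while the neighbouring Dark Caracal entries carry a file-type descriptor (`Dark Caracal - PE32 executable (GUI) Intel 80386`), so the description column is now inconsistent within the same file. For a triager reading a match, a form such as `Sofacy Activity - <FILE TYPE PLACEHOLDER> <URL>` would keep the existing convention; the file type is not stated in the commit, so the value has to come from the source report. The hunk header announces 5 additions but only four hash lines are visible here, so one added line may not be rendered.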

22
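--- /dev/null
+++ b/yara/apt_sofacy.yar
@@ -0,0 +1,22 @@
+rule Sofacy_Campaign_Mal_Feb18_cdnver {
+meta:
+description = "Detects Sofacy malware"
+author = "Florian Roth"
+reference = "https://twitter.com/ClearskySec/status/960924755355369472"
+date = "2018-02-07"
+hash1 = "12e6642cf6413bdf5388bee663080fa299591b2ba023d069286f3be9647547c8"
+strings:
+$x1 = "cdnver.dll" fullword wide
+$x2 = { 25 73 0A 00 00 00 00 00 30 00 00 00 20 00 2D 00
+20 00 00 00 0A 00 00 00 25 00 73 00 00 00 00 00
+69 00 6D 00 61 00 67 00 65 00 2F 00 6A 00 70 00
+65 00 67 }
+$s1 = "S7%s - %lu" fullword ascii
+$s2 = "SNFIRNW" fullword ascii
+condition:
+uint16(0) == 0x5a4d and filesize < 90KB and (
+pe.imphash() == "01f3d0fe6fb9d9df24620e67afc143c7" or
+1 of ($x*) or
+2 of them
+)
+}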
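Review bot: The condition calls `pe.imphash()` but the new file, which the hunk header shows starting at line 1 with `rule Sofacy_Campaign_Mal_Feb18_cdnver {`, contains no `import "pe"` statement, so YARA will refuse to compile it with an undefined identifier error for `pe`. Add `import "pe"` as the first line of the file, before the rule. If the import is present in the repository and was merely dropped by this rendering, this can be disregarded. The description `Detects Sofacy malware` could also name the cdnver.dll component the strings target, e.g. `description = "Detects Sofacy malware (cdnver.dll dropper component, Feb 2018)"`, so that a match is easier to interpret.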