Reworked many rules based on YARA performance guidelines

https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7
This commit is contained in:
Florian Roth 2019-03-02 16:02:11 +01:00
parent f3371f2cfd
commit 78706dbe46
36 changed files with 119 additions and 174 deletions

View File

@ -37,11 +37,11 @@ meta:
$sc_1 = "config.xml" $sc_1 = "config.xml"
$sc_2 = "options" $sc_2 = "options"
$sc_3 = "plugins" $sc_3 = "plugins"
$sc_4 = "util" /* $sc_4 = "util" */
$sc_5 = "util/OSHelper" $sc_5 = "util/OSHelper"
$sc_6 = "Start.class" $sc_6 = "Start.class"
$sc_7 = "AlienSpy" $sc_7 = "AlienSpy"
$sc_8 = "PK" /* $sc_8 = "PK" */ /* too short atom - disabled for performance reasons */
condition: condition:

View File

@ -62,6 +62,7 @@ rule PAS_TOOL_PHP_WEB_KIT_mod {
$cookie = "_COOKIE" $cookie = "_COOKIE"
$isset = "isset" $isset = "isset"
condition: condition:
uint32(0) == 0x68703f3c and
$php at 0 and $php at 0 and
(filesize > 10KB and filesize < 30KB) and (filesize > 10KB and filesize < 30KB) and
#cookie == 2 and #cookie == 2 and
@ -84,7 +85,7 @@ rule WebShell_PHP_Web_Kit_v3 {
$s2 = "(strrev($" ascii $s2 = "(strrev($" ascii
$s3 = "de'.'code';" ascii $s3 = "de'.'code';" ascii
condition: condition:
( $php at 0 or $php2 ) and ( ( uint32(0) == 0x68703f3c and $php at 0 ) or $php2 ) and
filesize > 8KB and filesize < 100KB and filesize > 8KB and filesize < 100KB and
all of ($s*) all of ($s*)
} }
@ -103,6 +104,7 @@ rule WebShell_PHP_Web_Kit_v4 {
$s2 = ";if(PHP_VERSION<'5'){" ascii $s2 = ";if(PHP_VERSION<'5'){" ascii
$s3 = "=SuBstr_rePlACe(" ascii $s3 = "=SuBstr_rePlACe(" ascii
condition: condition:
uint32(0) == 0x68703f3c and
$php at 0 and $php at 0 and
filesize > 8KB and filesize < 100KB and filesize > 8KB and filesize < 100KB and
2 of ($s*) 2 of ($s*)

View File

@ -341,7 +341,6 @@ rule APT30_Sample_14 {
hash = "b0740175d20eab79a5d62cdbe0ee1a89212a8472" hash = "b0740175d20eab79a5d62cdbe0ee1a89212a8472"
strings: strings:
$s0 = "AdobeReader.exe" fullword wide $s0 = "AdobeReader.exe" fullword wide
$s1 = "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" fullword ascii
$s4 = "10.1.7.27" fullword wide $s4 = "10.1.7.27" fullword wide
$s5 = "Copyright 1984-2012 Adobe Systems Incorporated and its licensors. All ri" wide $s5 = "Copyright 1984-2012 Adobe Systems Incorporated and its licensors. All ri" wide
$s8 = "Adobe Reader" fullword wide $s8 = "Adobe Reader" fullword wide

View File

@ -14,17 +14,17 @@ rule Casper_Backdoor_x86 {
$s1 = "\"svchost.exe\"" fullword wide $s1 = "\"svchost.exe\"" fullword wide
$s2 = "firefox.exe" fullword ascii $s2 = "firefox.exe" fullword ascii
$s3 = "\"Host Process for Windows Services\"" fullword wide $s3 = "\"Host Process for Windows Services\"" fullword wide
$x1 = "\\Users\\*" fullword ascii $x1 = "\\Users\\*" fullword ascii
$x2 = "\\Roaming\\Mozilla\\Firefox\\Profiles\\*" fullword ascii $x2 = "\\Roaming\\Mozilla\\Firefox\\Profiles\\*" fullword ascii
$x3 = "\\Mozilla\\Firefox\\Profiles\\*" fullword ascii $x3 = "\\Mozilla\\Firefox\\Profiles\\*" fullword ascii
$x4 = "\\Documents and Settings\\*" fullword ascii $x4 = "\\Documents and Settings\\*" fullword ascii
$y1 = "%s; %S=%S" fullword wide $y1 = "%s; %S=%S" fullword wide
$y2 = "%s; %s=%s" fullword ascii $y2 = "%s; %s=%s" fullword ascii
$y3 = "Cookie: %s=%s" fullword ascii $y3 = "Cookie: %s=%s" fullword ascii
$y4 = "http://%S:%d" fullword wide $y4 = "http://%S:%d" fullword wide
$z1 = "http://google.com/" fullword ascii $z1 = "http://google.com/" fullword ascii
$z2 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)" fullword ascii $z2 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)" fullword ascii
$z3 = "Operating System\"" fullword wide $z3 = "Operating System\"" fullword wide
@ -66,18 +66,17 @@ rule Casper_Included_Strings {
strings: strings:
$a0 = "cmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST" $a0 = "cmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST"
$a1 = "& SYSTEMINFO) ELSE EXIT" $a1 = "& SYSTEMINFO) ELSE EXIT"
$mz = { 4d 5a }
$c1 = "domcommon.exe" wide fullword // File Name $c1 = "domcommon.exe" wide fullword // File Name
$c2 = "jpic.gov.sy" fullword // C2 Server $c2 = "jpic.gov.sy" fullword // C2 Server
$c3 = "aiomgr.exe" wide fullword // File Name $c3 = "aiomgr.exe" wide fullword // File Name
$c4 = "perfaudio.dat" fullword // Temp File Name $c4 = "perfaudio.dat" fullword // Temp File Name
$c5 = "Casper_DLL.dll" fullword // Name $c5 = "Casper_DLL.dll" fullword // Name
$c6 = { 7B 4B 59 DE 37 4A 42 26 59 98 63 C6 2D 0F 57 40 } // Decryption Key $c6 = { 7B 4B 59 DE 37 4A 42 26 59 98 63 C6 2D 0F 57 40 } // Decryption Key
$c7 = "{4216567A-4512-9825-7745F856}" fullword // Mutex $c7 = "{4216567A-4512-9825-7745F856}" fullword // Mutex
condition: condition:
all of ($a*) or all of ($a*) or
( $mz at 0 ) and ( 1 of ($c*) ) uint16(0) == 0x5a4d and ( 1 of ($c*) )
} }
rule Casper_SystemInformation_Output { rule Casper_SystemInformation_Output {
@ -87,7 +86,7 @@ rule Casper_SystemInformation_Output {
author = "Florian Roth" author = "Florian Roth"
reference = "http://goo.gl/VRJNLo" reference = "http://goo.gl/VRJNLo"
date = "2015/03/06" date = "2015/03/06"
score = 70 score = 70
strings: strings:
$a0 = "***** SYSTEM INFORMATION ******" $a0 = "***** SYSTEM INFORMATION ******"
$a1 = "***** SECURITY INFORMATION ******" $a1 = "***** SECURITY INFORMATION ******"
@ -98,4 +97,4 @@ rule Casper_SystemInformation_Output {
$a6 = "<CONFIG TIMESTAMP=" $a6 = "<CONFIG TIMESTAMP="
condition: condition:
all of them all of them
} }

View File

@ -36,15 +36,13 @@ rule APT_DarkHydrus_Jul18_2 {
date = "2018-07-28" date = "2018-07-28"
hash1 = "b2571e3b4afbce56da8faa726b726eb465f2e5e5ed74cf3b172b5dd80460ad81" hash1 = "b2571e3b4afbce56da8faa726b726eb465f2e5e5ed74cf3b172b5dd80460ad81"
strings: strings:
$s1 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ascii
$s2 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ascii
$s4 = "windir" fullword ascii /* Goodware String - occured 47 times */ $s4 = "windir" fullword ascii /* Goodware String - occured 47 times */
$s6 = "temp.dll" fullword ascii /* Goodware String - occured 3 times */ $s6 = "temp.dll" fullword ascii /* Goodware String - occured 3 times */
$s7 = "libgcj-12.dll" fullword ascii /* Goodware String - occured 3 times */ $s7 = "libgcj-12.dll" fullword ascii /* Goodware String - occured 3 times */
$s8 = "%s\\System32\\%s" fullword ascii /* Goodware String - occured 4 times */ $s8 = "%s\\System32\\%s" fullword ascii /* Goodware String - occured 4 times */
$s9 = "StartW" fullword ascii /* Goodware String - occured 5 times */ $s9 = "StartW" fullword ascii /* Goodware String - occured 5 times */
condition: condition:
uint16(0) == 0x5a4d and filesize < 40KB and 6 of them uint16(0) == 0x5a4d and filesize < 40KB and all of them
} }
rule APT_DarkHydrus_Jul18_3 { rule APT_DarkHydrus_Jul18_3 {
@ -56,14 +54,12 @@ rule APT_DarkHydrus_Jul18_3 {
date = "2018-07-28" date = "2018-07-28"
hash1 = "c8b3d4b6acce6b6655e17255ef7a214651b7fc4e43f9964df24556343393a1a3" hash1 = "c8b3d4b6acce6b6655e17255ef7a214651b7fc4e43f9964df24556343393a1a3"
strings: strings:
$s1 = "msdncss.com" fullword ascii
$s2 = "Ws2_32.dll" fullword ascii $s2 = "Ws2_32.dll" fullword ascii
$s3 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)" fullword ascii $s3 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)" fullword ascii
$s4 = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" fullword ascii
condition: condition:
uint16(0) == 0x5a4d and filesize < 100KB and ( uint16(0) == 0x5a4d and filesize < 100KB and (
pe.imphash() == "478eacfbe2b201dabe63be53f34148a5" or pe.imphash() == "478eacfbe2b201dabe63be53f34148a5" or
3 of them all of them
) )
} }

View File

@ -15,10 +15,9 @@ rule derusbi_kernel
strings: strings:
$token1 = "$$$--Hello" $token1 = "$$$--Hello"
$token2 = "Wrod--$$$" $token2 = "Wrod--$$$"
$cfg = "XXXXXXXXXXXXXXX"
$class = ".?AVPCC_BASEMOD@@" $class = ".?AVPCC_BASEMOD@@"
condition: condition:
uint16(0) == 0x5A4D and $token1 and $token2 and $cfg and $class uint16(0) == 0x5A4D and $token1 and $token2 and $class
} }
rule derusbi_linux rule derusbi_linux

View File

@ -158,7 +158,6 @@ rule APT_FIN7_EXE_Sample_Aug18_5 {
hash1 = "7789a3d7d05c30b4efaf3f2f5811804daa56d78a9a660968a4f1f9a78a9108a0" hash1 = "7789a3d7d05c30b4efaf3f2f5811804daa56d78a9a660968a4f1f9a78a9108a0"
strings: strings:
$s1 = "x0=%d, y0=%d, x1=%d, y1=%d" fullword ascii $s1 = "x0=%d, y0=%d, x1=%d, y1=%d" fullword ascii
$s2 = "........................................................................................................" fullword ascii
$s3 = "sdfkjdfjfhgurgvncmnvmfdjdkfjdkfjdf" fullword wide $s3 = "sdfkjdfjfhgurgvncmnvmfdjdkfjdkfjdf" fullword wide
condition: condition:
uint16(0) == 0x5a4d and filesize < 400KB and all of them uint16(0) == 0x5a4d and filesize < 400KB and all of them

View File

@ -1419,7 +1419,7 @@ rule IMPLANT_8_v1
author = "US CERT" author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10" date = "2017-02-10"
score = 85 score = 65
strings: strings:
$DOTNET = "mscorlib" ascii $DOTNET = "mscorlib" ascii
$REF_URL = "https://www.google.com/url?sa=" wide $REF_URL = "https://www.google.com/url?sa=" wide
@ -1432,11 +1432,13 @@ rule IMPLANT_8_v1
$REF_var_7 = "&ei=" wide $REF_var_7 = "&ei=" wide
$REF_var_8 = "&usg=" wide $REF_var_8 = "&usg=" wide
$REF_var_9 = "&bvm=" wide $REF_var_9 = "&bvm=" wide
/*
$REF_value_1 = "QFj" wide $REF_value_1 = "QFj" wide
$REF_value_2 = "bv.81" wide $REF_value_2 = "bv.81" wide
*/ /* disabled due to performance reasons */
condition: condition:
(uint16(0) == 0x5A4D) and ($DOTNET) and ($REF_URL) and (uint16(0) == 0x5A4D) and ($DOTNET) and ($REF_URL) and
(3 of ($REF_var*)) and (1 of ($REF_value*)) (3 of ($REF_var*)) /* and (1 of ($REF_value*)) */
} }
/* TOO MANY FALSE POSITIVES /* TOO MANY FALSE POSITIVES

View File

@ -207,12 +207,10 @@ meta:
description = "Rule to detect Moonlight Maze encrypted keylogger logs" description = "Rule to detect Moonlight Maze encrypted keylogger logs"
strings: strings:
$a1={47 01 22 2A 6D 3E 39 2C} $a1={47 01 22 2A 6D 3E 39 2C}
condition: condition:
uint32(0) == 0x2a220147 and ($a1 at 0)
($a1 at 0)
} }

View File

@ -33,8 +33,6 @@
private rule PrikormkaDropper private rule PrikormkaDropper
{ {
strings: strings:
$mz = { 4D 5A }
$kd1 = "KDSTORAGE" wide $kd1 = "KDSTORAGE" wide
$kd2 = "KDSTORAGE_64" wide $kd2 = "KDSTORAGE_64" wide
$kd3 = "KDRUNDRV32" wide $kd3 = "KDRUNDRV32" wide
@ -47,14 +45,12 @@ private rule PrikormkaDropper
$inj1 = "?AVCinj2008Dlg@@" ascii $inj1 = "?AVCinj2008Dlg@@" ascii
$inj2 = "?AVCinj2008App@@" ascii $inj2 = "?AVCinj2008App@@" ascii
condition: condition:
($mz at 0) and ((any of ($bin*)) or (3 of ($kd*)) or (all of ($inj*))) uint16(0) == 0x5a4d and ((any of ($bin*)) or (3 of ($kd*)) or (all of ($inj*)))
} }
private rule PrikormkaModule private rule PrikormkaModule
{ {
strings: strings:
$mz = { 4D 5A }
// binary // binary
$str1 = {6D 70 2E 64 6C 6C 00 53 74 61 72 74 69 6E 67 00} $str1 = {6D 70 2E 64 6C 6C 00 53 74 61 72 74 69 6E 67 00}
$str2 = {68 6C 70 75 63 74 66 2E 64 6C 6C 00 43 79 63 6C 65} $str2 = {68 6C 70 75 63 74 66 2E 64 6C 6C 00 43 79 63 6C 65}
@ -106,14 +102,12 @@ private rule PrikormkaModule
$str34 = "\\TOOLS PZZ\\Bezzahod\\" ascii $str34 = "\\TOOLS PZZ\\Bezzahod\\" ascii
condition: condition:
($mz at 0) and (any of ($str*)) uint16(0) == 0x5a4d and (any of ($str*))
} }
private rule PrikormkaEarlyVersion private rule PrikormkaEarlyVersion
{ {
strings: strings:
$mz = { 4D 5A }
$str1 = "IntelRestore" ascii fullword $str1 = "IntelRestore" ascii fullword
$str2 = "Resent" wide fullword $str2 = "Resent" wide fullword
$str3 = "ocp8.1" wide fullword $str3 = "ocp8.1" wide fullword
@ -124,7 +118,7 @@ private rule PrikormkaEarlyVersion
$str8 = "KDLLCFX" wide fullword $str8 = "KDLLCFX" wide fullword
$str9 = "KDLLRUNDRV" wide fullword $str9 = "KDLLRUNDRV" wide fullword
condition: condition:
($mz at 0) and (2 of ($str*)) uint16(0) == 0x5a4d and (2 of ($str*))
} }
rule Prikormka rule Prikormka

View File

@ -3,7 +3,7 @@
Author: Florian Roth Author: Florian Roth
Date: 2016-05-23 Date: 2016-05-23
Identifier: Swiss RUAG APT Case Identifier: Swiss RUAG APT Case
Reference: https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case Reference: https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
*/ */
rule RUAG_Tavdig_Malformed_Executable { rule RUAG_Tavdig_Malformed_Executable {
@ -28,7 +28,7 @@ rule RUAG_Bot_Config_File {
$s2 = "name = " ascii $s2 = "name = " ascii
$s3 = "exe = cmd.exe" ascii $s3 = "exe = cmd.exe" ascii
condition: condition:
$s1 at 0 and $s2 and $s3 and filesize < 160 uint32(0) == 0x4e4f435b and $s1 at 0 and $s2 and $s3 and filesize < 160
} }
rule RUAG_Cobra_Malware { rule RUAG_Cobra_Malware {
@ -54,16 +54,16 @@ rule RUAG_Cobra_Config_File {
$s1 = "object_id=" ascii $s1 = "object_id=" ascii
$s2 = "[TIME]" ascii fullword $s2 = "[TIME]" ascii fullword
$s3 = "lastconnect" ascii $s3 = "lastconnect" ascii
$s4 = "[CW_LOCAL]" ascii fullword $s4 = "[CW_LOCAL]" ascii fullword
$s5 = "system_pipe" ascii $s5 = "system_pipe" ascii
$s6 = "user_pipe" ascii $s6 = "user_pipe" ascii
$s7 = "[TRANSPORT]" ascii $s7 = "[TRANSPORT]" ascii
$s8 = "run_task_system" ascii $s8 = "run_task_system" ascii
$s9 = "[WORKDATA]" ascii $s9 = "[WORKDATA]" ascii
$s10 = "address1" ascii $s10 = "address1" ascii
condition: condition:
$h1 at 0 and 8 of ($s*) and filesize < 5KB uint32(0) == 0x4d414e5b and $h1 at 0 and 8 of ($s*) and filesize < 5KB
} }
rule RUAG_Exfil_Config_File { rule RUAG_Exfil_Config_File {
@ -77,9 +77,9 @@ rule RUAG_Exfil_Config_File {
$s1 = "system_pipe" ascii $s1 = "system_pipe" ascii
$s2 = "spstatus" ascii $s2 = "spstatus" ascii
$s3 = "adaptable" ascii $s3 = "adaptable" ascii
$s4 = "post_frag" ascii $s4 = "post_frag" ascii
$s5 = "pfsgrowperiod" ascii $s5 = "pfsgrowperiod" ascii
condition: condition:
$h1 at 0 and all of ($s*) and filesize < 1KB uint32(0) == 0x4152545b and $h1 at 0 and all of ($s*) and filesize < 1KB
} }

View File

@ -11,7 +11,6 @@ rule SNOWGLOBE_Babar_Malware {
hash = "27a0a98053f3eed82a51cdefbdfec7bb948e1f36" hash = "27a0a98053f3eed82a51cdefbdfec7bb948e1f36"
score = 80 score = 80
strings: strings:
$mz = { 4d 5a }
$z0 = "admin\\Desktop\\Babar64\\Babar64\\obj\\DllWrapper" ascii fullword $z0 = "admin\\Desktop\\Babar64\\Babar64\\obj\\DllWrapper" ascii fullword
$z1 = "User-Agent: Mozilla/4.0 (compatible; MSI 6.0;" ascii fullword $z1 = "User-Agent: Mozilla/4.0 (compatible; MSI 6.0;" ascii fullword
$z2 = "ExecQueryFailled!" fullword ascii $z2 = "ExecQueryFailled!" fullword ascii
@ -29,7 +28,7 @@ rule SNOWGLOBE_Babar_Malware {
$x5 = "cmd.exe" fullword ascii $x5 = "cmd.exe" fullword ascii
$x6 = "DLLPATH" fullword ascii $x6 = "DLLPATH" fullword ascii
condition: condition:
( $mz at 0 ) and filesize < 1MB and uint16(0) == 0x5a4d and filesize < 1MB and
( (
( 1 of ($z*) and 1 of ($x*) ) or ( 1 of ($z*) and 1 of ($x*) ) or
( 3 of ($s*) and 4 of ($x*) ) ( 3 of ($s*) and 4 of ($x*) )

View File

@ -128,23 +128,13 @@ rule apt_win_exe_trojan_derusbi {
date = "2016/02/29" date = "2016/02/29"
reference = "https://github.com/fideliscyber/indicators/tree/master/FTA-1021" reference = "https://github.com/fideliscyber/indicators/tree/master/FTA-1021"
strings: strings:
$sa_1 = "USB" wide ascii
$sa_2 = "RAM" wide ascii
$sa_3 = "SHARE" wide ascii
$sa_4 = "HOST: %s:%d" $sa_4 = "HOST: %s:%d"
$sa_5 = "POST"
$sa_6 = "User-Agent: Mozilla" $sa_6 = "User-Agent: Mozilla"
$sa_7 = "Proxy-Connection: Keep-Alive" $sa_7 = "Proxy-Connection: Keep-Alive"
$sa_8 = "Connection: Keep-Alive" $sa_8 = "Connection: Keep-Alive"
$sa_9 = "Server: Apache" $sa_9 = "Server: Apache"
$sa_10 = "HTTP/1.1"
$sa_11 = "ImagePath"
$sa_12 = "ZwUnloadDriver" $sa_12 = "ZwUnloadDriver"
$sa_13 = "ZwLoadDriver" $sa_13 = "ZwLoadDriver"
$sa_14 = "ServiceMain"
$sa_15 = "regsvr32.exe"
$sa_16 = "/s /u" wide ascii
$sa_17 = "rand"
$sa_18 = "_time64" $sa_18 = "_time64"
$sa_19 = "DllRegisterServer" $sa_19 = "DllRegisterServer"
$sa_20 = "DllUnregisterServer" $sa_20 = "DllUnregisterServer"
@ -164,7 +154,7 @@ rule apt_win_exe_trojan_derusbi {
$sc_3 = "_crt_debugger_hook" wide ascii $sc_3 = "_crt_debugger_hook" wide ascii
$sc_4 = "ue8G5" wide ascii $sc_4 = "ue8G5" wide ascii
$sd_1 = "NET" wide ascii /* $sd_1 = "NET" wide ascii */ /* disabled due to performance reasons */
$sd_2 = "\\\\.\\pipe\\%s" wide ascii $sd_2 = "\\\\.\\pipe\\%s" wide ascii
$sd_3 = ".dat" wide ascii $sd_3 = ".dat" wide ascii
$sd_4 = "CONNECT %s:%d" wide ascii $sd_4 = "CONNECT %s:%d" wide ascii
@ -172,16 +162,16 @@ rule apt_win_exe_trojan_derusbi {
$se_1 = "-%s-%04d" wide ascii $se_1 = "-%s-%04d" wide ascii
$se_2 = "-%04d" wide ascii $se_2 = "-%04d" wide ascii
$se_3 = "FAL" wide ascii /* $se_3 = "FAL" wide ascii */ /* disabled due to performance reasons */
$se_4 = "OK" wide ascii /* $se_4 = "OK" wide ascii */ /* disabled due to performance reasons */
$se_5 = "2.03" wide ascii $se_5 = "2.03" wide ascii
$se_6 = "XXXXXXXXXXXXXXX" wide ascii /* $se_6 = "XXXXXXXXXXXXXXX" wide ascii */ /* disabled due to memory usage reasons */
condition: condition:
uint16(0) == 0x5A4D and ( uint16(0) == 0x5A4D and (
all of ($sa_*) or all of ($sa_*) or
( (
(13 of ($sa_*)) and ( (8 of ($sa_*)) and (
(5 of ($sb_*)) or (5 of ($sb_*)) or
(3 of ($sc_*)) or (3 of ($sc_*)) or
(all of ($sd_*)) or (all of ($sd_*)) or

View File

@ -16,7 +16,7 @@ rule Neuron_common_strings {
strings: strings:
$strServiceName = "MSExchangeService" ascii $strServiceName = "MSExchangeService" ascii
$strReqParameter_1 = "cadataKey" wide $strReqParameter_1 = "cadataKey" wide
$strReqParameter_2 = "cid" wide /* $strReqParameter_2 = "cid" wide */ /* disabled due to performance reasons */
$strReqParameter_3 = "cadata" wide $strReqParameter_3 = "cadata" wide
$strReqParameter_4 = "cadataSig" wide $strReqParameter_4 = "cadataSig" wide
$strEmbeddedKey = "PFJTQUtleVZhbHVlPjxNb2R1bHVzPnZ3WXRKcnNRZjVTcCtWVG9Rb2xuaEVkMHVwWDFrVElFTUNTNEFnRkRCclNm clpKS0owN3BYYjh2b2FxdUtseXF2RzBJcHV0YXhDMVRYazRoeFNrdEpzbHljU3RFaHBUc1l4OVBEcURabVVZVklVb HlwSFN1K3ljWUJWVFdubTZmN0JTNW1pYnM0UWhMZElRbnl1ajFMQyt6TUhwZ0xmdEc2b1d5b0hyd1ZNaz08L01vZH VsdXM+PEV4cG9uZW50PkFRQUI8L0V4cG9uZW50PjwvUlNBS2V5VmFsdWU+" wide $strEmbeddedKey = "PFJTQUtleVZhbHVlPjxNb2R1bHVzPnZ3WXRKcnNRZjVTcCtWVG9Rb2xuaEVkMHVwWDFrVElFTUNTNEFnRkRCclNm clpKS0owN3BYYjh2b2FxdUtseXF2RzBJcHV0YXhDMVRYazRoeFNrdEpzbHljU3RFaHBUc1l4OVBEcURabVVZVklVb HlwSFN1K3ljWUJWVFdubTZmN0JTNW1pYnM0UWhMZElRbnl1ajFMQyt6TUhwZ0xmdEc2b1d5b0hyd1ZNaz08L01vZH VsdXM+PEV4cG9uZW50PkFRQUI8L0V4cG9uZW50PjwvUlNBS2V5VmFsdWU+" wide

View File

@ -43,7 +43,7 @@ rule turla_png_dropper {
} }
condition: condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and
all of ($api*) and all of ($api*) and
1 of ($code*) 1 of ($code*)
} }
@ -57,19 +57,19 @@ rule turla_png_reg_enum_payload {
strings: strings:
$crypt00 = "Microsoft Software Key Storage Provider" wide $crypt00 = "Microsoft Software Key Storage Provider" wide
$crypt01 = "ChainingModeCBC" wide $crypt01 = "ChainingModeCBC" wide
$crypt02 = "AES" wide /* $crypt02 = "AES" wide */ /* disabled due to performance reasons */
condition: condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and
pe.imports("advapi32.dll", "StartServiceCtrlDispatcherA") and pe.imports("advapi32.dll", "StartServiceCtrlDispatcherA") and
pe.imports("advapi32.dll", "RegEnumValueA") and pe.imports("advapi32.dll", "RegEnumValueA") and
pe.imports("advapi32.dll", "RegEnumKeyExA") and pe.imports("advapi32.dll", "RegEnumKeyExA") and
pe.imports("ncrypt.dll", "NCryptOpenStorageProvider") and pe.imports("ncrypt.dll", "NCryptOpenStorageProvider") and
pe.imports("ncrypt.dll", "NCryptEnumKeys") and pe.imports("ncrypt.dll", "NCryptEnumKeys") and
pe.imports("ncrypt.dll", "NCryptOpenKey") and pe.imports("ncrypt.dll", "NCryptOpenKey") and
pe.imports("ncrypt.dll", "NCryptDecrypt") and pe.imports("ncrypt.dll", "NCryptDecrypt") and
pe.imports("ncrypt.dll", "BCryptGenerateSymmetricKey") and pe.imports("ncrypt.dll", "BCryptGenerateSymmetricKey") and
pe.imports("ncrypt.dll", "BCryptGetProperty") and pe.imports("ncrypt.dll", "BCryptGetProperty") and
pe.imports("ncrypt.dll", "BCryptDecrypt") and pe.imports("ncrypt.dll", "BCryptDecrypt") and
pe.imports("ncrypt.dll", "BCryptEncrypt") and pe.imports("ncrypt.dll", "BCryptEncrypt") and
all of them all of them
} }

View File

@ -222,7 +222,6 @@ rule Waterbear_13_Jun17 {
$s3 = "ChangeServiceConfig failed (%d)" fullword ascii $s3 = "ChangeServiceConfig failed (%d)" fullword ascii
$s4 = "Proxy %d:%s %d" fullword ascii $s4 = "Proxy %d:%s %d" fullword ascii
$s5 = "win9807.tmp" fullword ascii $s5 = "win9807.tmp" fullword ascii
$s6 = "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" fullword ascii
$s7 = "Service stopped successfully" fullword ascii $s7 = "Service stopped successfully" fullword ascii
$s8 = "current dns:%s" fullword ascii $s8 = "current dns:%s" fullword ascii
$s9 = "%c%u|%u|%u|%u|%u|" fullword ascii $s9 = "%c%u|%u|%u|%u|%u|" fullword ascii

View File

@ -7,11 +7,10 @@ rule WaterBug_wipbot_2013_core_PDF {
date = "22.01.2015" date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl" reference = "http://t.co/rF35OaAXrl"
strings: strings:
$PDF = "%PDF-" $a = /\+[A-Za-z]{1}\. _ _ \$\+[A-Za-z]{1}\. _ \$ _ \+/
$a = /\+[A-Za-z]{1}\. _ _ \$\+[A-Za-z]{1}\. _ \$ _ \+/
$b = /\+[A-Za-z]{1}\.\$\$\$ _ \+/ $b = /\+[A-Za-z]{1}\.\$\$\$ _ \+/
condition: condition:
($PDF at 0) and #a > 150 and #b > 200 uint32(0) == 0x46445025 and #a > 150 and #b > 200
} }
rule WaterBug_wipbot_2013_dll { rule WaterBug_wipbot_2013_dll {
@ -19,7 +18,7 @@ rule WaterBug_wipbot_2013_dll {
description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component" description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component"
author = "Symantec Security Response" author = "Symantec Security Response"
date = "22.01.2015" date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl" reference = "http://t.co/rF35OaAXrl"
strings: strings:
$string1 = "/%s?rank=%s" $string1 = "/%s?rank=%s"
$string2 = "ModuleStart\x00ModuleStop\x00start" $string2 = "ModuleStart\x00ModuleStop\x00start"
@ -35,7 +34,7 @@ rule WaterBug_wipbot_2013_core {
description = "Symantec Waterbug Attack - Trojan.Wipbot core + core; garbage appended data (PDF Exploit leftovers) + wipbot dropper; fake AdobeRd32 Error" description = "Symantec Waterbug Attack - Trojan.Wipbot core + core; garbage appended data (PDF Exploit leftovers) + wipbot dropper; fake AdobeRd32 Error"
author = "Symantec Security Response" author = "Symantec Security Response"
date = "22.01.2015" date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl" reference = "http://t.co/rF35OaAXrl"
strings: strings:
$mz = "MZ" $mz = "MZ"
$code1 = { 89 47 0C C7 47 10 90 C2 04 00 C7 47 14 90 C2 10 00 C7 47 18 90 90 60 68 89 4F 1C C7 47 20 90 90 90 B8 89 4F 24 C7 47 28 90 FF D0 61 C7 47 2C 90 C2 04 00} $code1 = { 89 47 0C C7 47 10 90 C2 04 00 C7 47 14 90 C2 10 00 C7 47 18 90 90 60 68 89 4F 1C C7 47 20 90 90 90 B8 89 4F 24 C7 47 28 90 FF D0 61 C7 47 2C 90 C2 04 00}
@ -51,15 +50,15 @@ rule WaterBug_turla_dropper {
author = "Symantec Security Response" author = "Symantec Security Response"
date = "22.01.2015" date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl" reference = "http://t.co/rF35OaAXrl"
strings: strings:
$a = {0F 31 14 31 20 31 3C 31 85 31 8C 31 A8 31 B1 31 D1 31 8B 32 91 32 B6 32 C4 32 6C 33 AC 33 10 34} $a = {0F 31 14 31 20 31 3C 31 85 31 8C 31 A8 31 B1 31 D1 31 8B 32 91 32 B6 32 C4 32 6C 33 AC 33 10 34}
$b = {48 41 4C 2E 64 6C 6C 00 6E 74 64 6C 6C 00 00 00 57 8B F9 8B 0D ?? ?? ?? ?? ?? C9 75 26 56 0F 20 C6 8B C6 25 FF FF FE FF 0F 22 C0 E8} $b = {48 41 4C 2E 64 6C 6C 00 6E 74 64 6C 6C 00 00 00 57 8B F9 8B 0D ?? ?? ?? ?? ?? C9 75 26 56 0F 20 C6 8B C6 25 FF FF FE FF 0F 22 C0 E8}
condition: condition:
all of them all of them
} }
rule WaterBug_fa_malware { rule WaterBug_fa_malware {
meta: meta:
description = "Symantec Waterbug Attack - FA malware variant" description = "Symantec Waterbug Attack - FA malware variant"
author = "Symantec Security Response" author = "Symantec Security Response"
date = "22.01.2015" date = "22.01.2015"
@ -80,11 +79,11 @@ rule WaterBug_fa_malware {
rule WaterBug_turla_dll { rule WaterBug_turla_dll {
meta: meta:
description = "Symantec Waterbug Attack - Trojan Turla DLL" description = "Symantec Waterbug Attack - Trojan Turla DLL"
author = "Symantec Security Response" author = "Symantec Security Response"
date = "22.01.2015" date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl" reference = "http://t.co/rF35OaAXrl"
strings: strings:
$a = /([A-Za-z0-9]{2,10}_){,2}Win32\.dll\x00/ $a = /([A-Za-z0-9]{2,10}_){,2}Win32\.dll\x00/
condition: condition:
@ -92,26 +91,26 @@ rule WaterBug_turla_dll {
} }
rule WaterBug_sav_dropper { rule WaterBug_sav_dropper {
meta: meta:
description = "Symantec Waterbug Attack - SAV Dropper" description = "Symantec Waterbug Attack - SAV Dropper"
author = "Symantec Security Response" author = "Symantec Security Response"
date = "22.01.2015" date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl" reference = "http://t.co/rF35OaAXrl"
strings: strings:
$mz = "MZ" $mz = "MZ"
$a = /[a-z]{,10}_x64.sys\x00hMZ\x00/ $a = /[a-z]{,10}_x64.sys\x00hMZ\x00/
condition: condition:
($mz at 0) and uint32(0x400) == 0x000000c3 and pe.number_of_sections == 6 and $a ($mz at 0) and uint32(0x400) == 0x000000c3 and pe.number_of_sections == 6 and $a
} }
*/ */
rule WaterBug_sav { rule WaterBug_sav {
meta: meta:
description = "Symantec Waterbug Attack - SAV Malware" description = "Symantec Waterbug Attack - SAV Malware"
author = "Symantec Security Response" author = "Symantec Security Response"
date = "22.01.2015" date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl" reference = "http://t.co/rF35OaAXrl"
strings: strings:
$mz = "MZ" $mz = "MZ"
$code1a = { 8B 75 18 31 34 81 40 3B C2 72 F5 33 F6 39 7D 14 76 1B 8A 04 0E 88 04 0F 6A 0F 33 D2 8B C7 5B F7 F3 85 D2 75 01 } $code1a = { 8B 75 18 31 34 81 40 3B C2 72 F5 33 F6 39 7D 14 76 1B 8A 04 0E 88 04 0F 6A 0F 33 D2 8B C7 5B F7 F3 85 D2 75 01 }
@ -119,5 +118,5 @@ rule WaterBug_sav {
$code1c = { 8A 04 0F 88 04 0E 6A 0F 33 D2 8B C6 5B F7 F3 85 D2 75 01 47 8B 45 14 46 47 3B F8 72 E3 EB 04 C6 04 08 00 48 3B C6 73 F7 33 C0 C1 EE 02 74 0B 8B 55 18 31 14 81 40 3B C6 72 F5 } $code1c = { 8A 04 0F 88 04 0E 6A 0F 33 D2 8B C6 5B F7 F3 85 D2 75 01 47 8B 45 14 46 47 3B F8 72 E3 EB 04 C6 04 08 00 48 3B C6 73 F7 33 C0 C1 EE 02 74 0B 8B 55 18 31 14 81 40 3B C6 72 F5 }
$code2 = { 29 5D 0C 8B D1 C1 EA 05 2B CA 8B 55 F4 2B C3 3D 00 00 00 01 89 0F 8B 4D 10 8D 94 91 00 03 00 00 73 17 8B 7D F8 8B 4D 0C 0F B6 3F C1 E1 08 0B CF C1 E0 08 FF 45 F8 89 4D 0C 8B 0A 8B F8 C1 EF 0B} $code2 = { 29 5D 0C 8B D1 C1 EA 05 2B CA 8B 55 F4 2B C3 3D 00 00 00 01 89 0F 8B 4D 10 8D 94 91 00 03 00 00 73 17 8B 7D F8 8B 4D 0C 0F B6 3F C1 E1 08 0B CF C1 E0 08 FF 45 F8 89 4D 0C 8B 0A 8B F8 C1 EF 0B}
condition: condition:
($mz at 0) and (($code1a or $code1b or $code1c) and $code2) ($mz at 0) and (($code1a or $code1b or $code1c) and $code2)
} }

View File

@ -213,7 +213,6 @@ rule WildNeutron_Sample_9 {
hash = "781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e" hash = "781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e"
strings: strings:
$s0 = "http://get.adobe.com/flashplayer/" fullword wide /* PEStudio Blacklist: strings */ /* score: '30.00' */ $s0 = "http://get.adobe.com/flashplayer/" fullword wide /* PEStudio Blacklist: strings */ /* score: '30.00' */
$s1 = "xxxxxxxxxxxxxxxxxxxx" fullword wide /* reversed goodware string 'xxxxxxxxxxxxxxxxxxxx' */ /* score: '19.00' */
$s4 = " Player Installer/Uninstaller" fullword wide /* PEStudio Blacklist: strings */ /* score: '11.42' */ $s4 = " Player Installer/Uninstaller" fullword wide /* PEStudio Blacklist: strings */ /* score: '11.42' */
$s5 = "Adobe Flash Plugin Updater" fullword wide /* PEStudio Blacklist: strings */ /* score: '11.00' */ $s5 = "Adobe Flash Plugin Updater" fullword wide /* PEStudio Blacklist: strings */ /* score: '11.00' */
$s6 = "uSOFTWARE\\Adobe" fullword wide /* PEStudio Blacklist: strings */ /* score: '10.42' */ $s6 = "uSOFTWARE\\Adobe" fullword wide /* PEStudio Blacklist: strings */ /* score: '10.42' */

View File

@ -365,7 +365,6 @@ rule MAL_BurningUmbrella_Sample_22 {
hash1 = "fa116cf9410f1613003ca423ad6ca92657a61b8e9eda1b05caf4f30ca650aee5" hash1 = "fa116cf9410f1613003ca423ad6ca92657a61b8e9eda1b05caf4f30ca650aee5"
strings: strings:
$s1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\" fullword ascii $s1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\" fullword ascii
$s2 = "========================================================================================================" fullword ascii
$s3 = "Content-Disposition: form-data; name=\"txt\"; filename=\"" fullword ascii $s3 = "Content-Disposition: form-data; name=\"txt\"; filename=\"" fullword ascii
$s4 = "Fail To Enum Service" fullword ascii $s4 = "Fail To Enum Service" fullword ascii
$s5 = "Host Power ON Time" fullword ascii $s5 = "Host Power ON Time" fullword ascii

View File

@ -39,7 +39,6 @@ rule CN_Honker_passwd_dict_3389 {
$s4 = "passwd" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 42 times */ $s4 = "passwd" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 42 times */
$s5 = "password" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 244 times */ $s5 = "password" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 244 times */
$s7 = "12345678" fullword ascii /* Goodware String - occured 29 times */ $s7 = "12345678" fullword ascii /* Goodware String - occured 29 times */
$s8 = "888888" fullword ascii /* Goodware String - occured 61 times */
condition: condition:
filesize < 1KB and all of them filesize < 1KB and all of them
} }
@ -354,4 +353,4 @@ rule CN_Honker_mssqlpw_scan {
$s1 = "response.Write \"Done!<br>Process \" & tTime & \" s\"" fullword ascii /* PEStudio Blacklist: strings */ $s1 = "response.Write \"Done!<br>Process \" & tTime & \" s\"" fullword ascii /* PEStudio Blacklist: strings */
condition: condition:
filesize < 6KB and all of them filesize < 6KB and all of them
} }

View File

@ -33,23 +33,21 @@ rule Enfal_Malware_Backdoor {
hash2 = "6c7c8b804cc76e2c208c6e3b6453cb134d01fa41" hash2 = "6c7c8b804cc76e2c208c6e3b6453cb134d01fa41"
score = 60 score = 60
strings: strings:
$mz = { 4d 5a }
$x1 = "Micorsoft Corportation" fullword wide $x1 = "Micorsoft Corportation" fullword wide
$x2 = "IM Monnitor Service" fullword wide $x2 = "IM Monnitor Service" fullword wide
$s1 = "imemonsvc.dll" fullword wide $s1 = "imemonsvc.dll" fullword wide
$s2 = "iphlpsvc.tmp" fullword $s2 = "iphlpsvc.tmp" fullword
$z1 = "urlmon" fullword $z1 = "urlmon" fullword
$z2 = "Registered trademarks and service marks are the property of their respec" wide $z2 = "Registered trademarks and service marks are the property of their respec" wide
$z3 = "XpsUnregisterServer" fullword $z3 = "XpsUnregisterServer" fullword
$z4 = "XpsRegisterServer" fullword $z4 = "XpsRegisterServer" fullword
$z5 = "{53A4988C-F91F-4054-9076-220AC5EC03F3}" fullword $z5 = "{53A4988C-F91F-4054-9076-220AC5EC03F3}" fullword
condition: condition:
( $mz at 0 ) and uint16(0) == 0x5a4d and
( (
1 of ($x*) or 1 of ($x*) or
( all of ($s*) and all of ($z*) ) ( all of ($s*) and all of ($z*) )
) )
} }

View File

@ -6,7 +6,6 @@ rule Hermes2_1 {
reference = "https://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html" reference = "https://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html"
hash = "b27881f59c8d8cc529fa80a58709db36" hash = "b27881f59c8d8cc529fa80a58709db36"
strings: strings:
$magic = { 4D 5A }
//in both version 2.1 and sample in Feb //in both version 2.1 and sample in Feb
$s1 = "SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\\" $s1 = "SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\\"
$s2 = "0419" $s2 = "0419"
@ -23,5 +22,5 @@ rule Hermes2_1 {
$u2 = "HERMES 2.1 TEST BUILD, press ok" $u2 = "HERMES 2.1 TEST BUILD, press ok"
$u3 = "hnKwtMcOadHwnXutKHqPvpgfysFXfAFTcaDHNdCnktA" //RSA Key part $u3 = "hnKwtMcOadHwnXutKHqPvpgfysFXfAFTcaDHNdCnktA" //RSA Key part
condition: condition:
$magic at 0 and all of ($s*) and 3 of ($S*) and 1 of ($u*) uint16(0) == 0x5a4d and all of ($s*) and 3 of ($S*) and 1 of ($u*)
} }

View File

@ -337,7 +337,7 @@ rule OtherTools_servu {
$s2 = "GetProcAddress" fullword ascii $s2 = "GetProcAddress" fullword ascii
$s3 = "WriteFile" fullword ascii $s3 = "WriteFile" fullword ascii
condition: condition:
$s0 at 0 and filesize < 50KB and all of them uint32(0) == 0x454b5a4d and $s0 at 0 and filesize < 50KB and all of them
} }
rule ustrrefadd { rule ustrrefadd {

View File

@ -15,5 +15,5 @@ rule mimikatz_kirbi_ticket
strings: strings:
$asn1 = { 76 82 ?? ?? 30 82 ?? ?? a0 03 02 01 05 a1 03 02 01 16 } $asn1 = { 76 82 ?? ?? 30 82 ?? ?? a0 03 02 01 05 a1 03 02 01 16 }
condition: condition:
$asn1 at 0 uint16(0) == 0x8276 and $asn1 at 0
} }

View File

@ -231,10 +231,10 @@ rule Msfpayloads_msf_9 {
$s3 = "[0] = \"chmod\";" ascii $s3 = "[0] = \"chmod\";" ascii
$s4 = "= Runtime.getRuntime().exec(" ascii $s4 = "= Runtime.getRuntime().exec(" ascii
$s5 = ", 16) & 0xff;" ascii $s5 = ", 16) & 0xff;" ascii
$x1 = "4d5a9000030000000" ascii
condition: condition:
4 of ($s*) or $x1 at 0 4 of ($s*) or (
uint32(0) == 0x00905a4d and uint32(4) == 0x00000003
)
} }
rule Msfpayloads_msf_10 { rule Msfpayloads_msf_10 {

View File

@ -1,3 +1,4 @@
rule OSX_backdoor_Bella { rule OSX_backdoor_Bella {
meta: meta:
description = "Bella MacOS/OSX backdoor" description = "Bella MacOS/OSX backdoor"
@ -7,7 +8,7 @@ rule OSX_backdoor_Bella {
hash = "4288a81779a492b5b02bad6e90b2fa6212fa5f8ee87cc5ec9286ab523fc02446 cec7be2126d388707907b4f9d681121fd1e3ca9f828c029b02340ab1331a5524 e1cf136be50c4486ae8f5e408af80b90229f3027511b4beed69495a042af95be" hash = "4288a81779a492b5b02bad6e90b2fa6212fa5f8ee87cc5ec9286ab523fc02446 cec7be2126d388707907b4f9d681121fd1e3ca9f828c029b02340ab1331a5524 e1cf136be50c4486ae8f5e408af80b90229f3027511b4beed69495a042af95be"
strings: strings:
$h1 = /#!\/usr\/bin\/env\s+python/ $h1 = "#!/usr/bin/env"
//prereqs //prereqs
$s0 = "subprocess" fullword ascii $s0 = "subprocess" fullword ascii
@ -27,7 +28,8 @@ rule OSX_backdoor_Bella {
$subpart2_b = "appleIDPhish" fullword ascii $subpart2_b = "appleIDPhish" fullword ascii
$subpart2_c = "iTunes" fullword ascii $subpart2_c = "iTunes" fullword ascii
condition: condition:
$h1 at 0 uint32(0) == 0x752f2123
and $h1 at 0
and filesize < 120KB and filesize < 120KB
and @s0[1] < 100 and @s0[1] < 100
and @s1[1] < 100 and @s1[1] < 100

View File

@ -7,7 +7,7 @@ rule OSX_backdoor_EvilOSX {
hash = "89e5b8208daf85f549d9b7df8e2a062e47f15a5b08462a4224f73c0a6223972a" hash = "89e5b8208daf85f549d9b7df8e2a062e47f15a5b08462a4224f73c0a6223972a"
strings: strings:
$h1 = /#!\/usr\/bin\/env\s+python/ $h1 = "#!/usr/bin/env"
$s0 = "import base64" fullword ascii $s0 = "import base64" fullword ascii
$s1 = "b64decode" fullword ascii $s1 = "b64decode" fullword ascii
@ -23,7 +23,8 @@ rule OSX_backdoor_EvilOSX {
$enc_x1 = /(AGUAdABfAGwAYQB1AG4AYwBoAF8AYQBnAGUAbgB0AF8AZABpAHIAZQBjAHQAbwByAHkA|cAZQB0AF8AbABhAHUAbgBjAGgAXwBhAGcAZQBuAHQAXwBkAGkAcgBlAGMAdABvAHIAeQ|dldF9sYXVuY2hfYWdlbnRfZGlyZWN0b3J5|Z2V0X2xhdW5jaF9hZ2VudF9kaXJlY3Rvcn|ZwBlAHQAXwBsAGEAdQBuAGMAaABfAGEAZwBlAG4AdABfAGQAaQByAGUAYwB0AG8AcgB5A|ZXRfbGF1bmNoX2FnZW50X2RpcmVjdG9ye)/ ascii $enc_x1 = /(AGUAdABfAGwAYQB1AG4AYwBoAF8AYQBnAGUAbgB0AF8AZABpAHIAZQBjAHQAbwByAHkA|cAZQB0AF8AbABhAHUAbgBjAGgAXwBhAGcAZQBuAHQAXwBkAGkAcgBlAGMAdABvAHIAeQ|dldF9sYXVuY2hfYWdlbnRfZGlyZWN0b3J5|Z2V0X2xhdW5jaF9hZ2VudF9kaXJlY3Rvcn|ZwBlAHQAXwBsAGEAdQBuAGMAaABfAGEAZwBlAG4AdABfAGQAaQByAGUAYwB0AG8AcgB5A|ZXRfbGF1bmNoX2FnZW50X2RpcmVjdG9ye)/ ascii
condition: condition:
$h1 at 0 uint32(0) == 0x752f2123
and $h1 at 0
and filesize < 30KB and filesize < 30KB
and all of ($s*) and all of ($s*)
and and

View File

@ -26,7 +26,8 @@ rule Persistence_Agent_MacOS {
$einterval_b = /(AHUAbgBBAHQATABvAGEAZA|dW5BdExvYW|IAdQBuAEEAdABMAG8AYQBkA|J1bkF0TG9hZ|UgB1AG4AQQB0AEwAbwBhAGQA|UnVuQXRMb2Fk)/ ascii $einterval_b = /(AHUAbgBBAHQATABvAGEAZA|dW5BdExvYW|IAdQBuAEEAdABMAG8AYQBkA|J1bkF0TG9hZ|UgB1AG4AQQB0AEwAbwBhAGQA|UnVuQXRMb2Fk)/ ascii
condition: condition:
$h1 at 0 uint32(0) == 0x752f2123
and $h1 at 0
and filesize < 120KB and filesize < 120KB
and and
( (

View File

@ -15,7 +15,6 @@ rule RAT_AAR
$d = "testmemory.FRMMain.resources" $d = "testmemory.FRMMain.resources"
$e = "$this.Icon" wide $e = "$this.Icon" wide
$f = "{11111-22222-20001-00001}" wide $f = "{11111-22222-20001-00001}" wide
$g = "@@@@@"
condition: condition:
all of them all of them

View File

@ -76,8 +76,6 @@ rule Equation_Kaspersky_TripleFantasy_1 {
date = "2015/02/16" date = "2015/02/16"
hash = "b2b2cd9ca6f5864ef2ac6382b7b6374a9fb2cbe9" hash = "b2b2cd9ca6f5864ef2ac6382b7b6374a9fb2cbe9"
strings: strings:
$mz = { 4d 5a }
$s0 = "%SystemRoot%\\system32\\hnetcfg.dll" fullword wide $s0 = "%SystemRoot%\\system32\\hnetcfg.dll" fullword wide
$s1 = "%WINDIR%\\System32\\ahlhcib.dll" fullword wide $s1 = "%WINDIR%\\System32\\ahlhcib.dll" fullword wide
$s2 = "%WINDIR%\\sjyntmv.dat" fullword wide $s2 = "%WINDIR%\\sjyntmv.dat" fullword wide
@ -95,7 +93,7 @@ rule Equation_Kaspersky_TripleFantasy_1 {
$z2 = "www.google.com@80" fullword wide $z2 = "www.google.com@80" fullword wide
$z3 = "127.0.0.1:3128" fullword wide $z3 = "127.0.0.1:3128" fullword wide
condition: condition:
( $mz at 0 ) and filesize < 300000 and uint16(0) == 0x5a4d and filesize < 300000 and
( (
( all of ($s*) and all of ($z*) ) or ( all of ($s*) and all of ($z*) ) or
( all of ($s*) and 1 of ($x*) ) ( all of ($s*) and 1 of ($x*) )
@ -111,8 +109,6 @@ rule Equation_Kaspersky_DoubleFantasy_1 {
date = "2015/02/16" date = "2015/02/16"
hash = "d09b4b6d3244ac382049736ca98d7de0c6787fa2" hash = "d09b4b6d3244ac382049736ca98d7de0c6787fa2"
strings: strings:
$mz = { 4d 5a }
$z1 = "msvcp5%d.dll" fullword ascii $z1 = "msvcp5%d.dll" fullword ascii
$s0 = "actxprxy.GetProxyDllInfo" fullword ascii $s0 = "actxprxy.GetProxyDllInfo" fullword ascii
@ -120,7 +116,6 @@ rule Equation_Kaspersky_DoubleFantasy_1 {
$s5 = "actxprxy.DllRegisterServer" fullword ascii $s5 = "actxprxy.DllRegisterServer" fullword ascii
$s6 = "actxprxy.DllUnregisterServer" fullword ascii $s6 = "actxprxy.DllUnregisterServer" fullword ascii
$x1 = "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" ascii
$x2 = "191H1a1" fullword ascii $x2 = "191H1a1" fullword ascii
$x3 = "November " fullword ascii $x3 = "November " fullword ascii
$x4 = "abababababab" fullword ascii $x4 = "abababababab" fullword ascii
@ -128,7 +123,7 @@ rule Equation_Kaspersky_DoubleFantasy_1 {
$x6 = "October " fullword ascii $x6 = "October " fullword ascii
$x7 = "September " fullword ascii $x7 = "September " fullword ascii
condition: condition:
( $mz at 0 ) and filesize < 350000 and uint16(0) == 0x5a4d and filesize < 350000 and
( (
( $z1 ) or ( $z1 ) or
( all of ($s*) and 6 of ($x*) ) ( all of ($s*) and 6 of ($x*) )
@ -144,7 +139,6 @@ rule Equation_Kaspersky_GROK_Keylogger {
date = "2015/02/16" date = "2015/02/16"
hash = "50b8f125ed33233a545a1aac3c9d4bb6aa34b48f" hash = "50b8f125ed33233a545a1aac3c9d4bb6aa34b48f"
strings: strings:
$mz = { 4d 5a }
$s0 = "c:\\users\\rmgree5\\" ascii $s0 = "c:\\users\\rmgree5\\" ascii
$s1 = "msrtdv.sys" fullword wide $s1 = "msrtdv.sys" fullword wide
@ -161,7 +155,7 @@ rule Equation_Kaspersky_GROK_Keylogger {
$z2 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" fullword wide $z2 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
$z4 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Environment" wide fullword $z4 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Environment" wide fullword
condition: condition:
( $mz at 0 ) and filesize < 250000 and uint16(0) == 0x5a4d and filesize < 250000 and
( (
$s0 or $s0 or
( $s1 and 6 of ($x*) ) or ( $s1 and 6 of ($x*) ) or
@ -194,8 +188,6 @@ rule Equation_Kaspersky_EquationDrugInstaller {
date = "2015/02/16" date = "2015/02/16"
hash = "61fab1b8451275c7fd580895d9c68e152ff46417" hash = "61fab1b8451275c7fd580895d9c68e152ff46417"
strings: strings:
$mz = { 4d 5a }
$s0 = "\\system32\\win32k.sys" fullword wide $s0 = "\\system32\\win32k.sys" fullword wide
$s1 = "ALL_FIREWALLS" fullword ascii $s1 = "ALL_FIREWALLS" fullword ascii
@ -207,7 +199,7 @@ rule Equation_Kaspersky_EquationDrugInstaller {
$x6 = "WinStaObj" fullword wide $x6 = "WinStaObj" fullword wide
$x7 = "BINRES" fullword wide $x7 = "BINRES" fullword wide
condition: condition:
( $mz at 0 ) and filesize < 500000 and all of ($s*) and 5 of ($x*) uint16(0) == 0x5a4d and filesize < 500000 and all of ($s*) and 5 of ($x*)
} }
rule Equation_Kaspersky_EquationLaserInstaller { rule Equation_Kaspersky_EquationLaserInstaller {
@ -219,7 +211,6 @@ rule Equation_Kaspersky_EquationLaserInstaller {
date = "2015/02/16" date = "2015/02/16"
hash = "5e1f56c1e57fbff96d4999db1fd6dd0f7d8221df" hash = "5e1f56c1e57fbff96d4999db1fd6dd0f7d8221df"
strings: strings:
$mz = { 4d 5a }
$s0 = "Failed to get Windows version" fullword ascii $s0 = "Failed to get Windows version" fullword ascii
$s1 = "lsasrv32.dll and lsass.exe" fullword wide $s1 = "lsasrv32.dll and lsass.exe" fullword wide
$s2 = "\\\\%s\\mailslot\\%s" fullword ascii $s2 = "\\\\%s\\mailslot\\%s" fullword ascii
@ -230,7 +221,7 @@ rule Equation_Kaspersky_EquationLaserInstaller {
$s7 = "VIEWERS" fullword ascii $s7 = "VIEWERS" fullword ascii
$s8 = "5.2.3790.220 (srv03_gdr.040918-1552)" fullword wide $s8 = "5.2.3790.220 (srv03_gdr.040918-1552)" fullword wide
condition: condition:
( $mz at 0 ) and filesize < 250000 and 6 of ($s*) uint16(0) == 0x5a4d and filesize < 250000 and 6 of ($s*)
} }
rule Equation_Kaspersky_FannyWorm { rule Equation_Kaspersky_FannyWorm {
@ -242,8 +233,6 @@ rule Equation_Kaspersky_FannyWorm {
date = "2015/02/16" date = "2015/02/16"
hash = "1f0ae54ac3f10d533013f74f48849de4e65817a7" hash = "1f0ae54ac3f10d533013f74f48849de4e65817a7"
strings: strings:
$mz = { 4d 5a }
$s1 = "x:\\fanny.bmp" fullword ascii $s1 = "x:\\fanny.bmp" fullword ascii
$s2 = "32.exe" fullword ascii $s2 = "32.exe" fullword ascii
$s3 = "d:\\fanny.bmp" fullword ascii $s3 = "d:\\fanny.bmp" fullword ascii
@ -265,7 +254,7 @@ rule Equation_Kaspersky_FannyWorm {
$x15 = "Global\\RPCMutex" fullword ascii $x15 = "Global\\RPCMutex" fullword ascii
$x16 = "Global\\DirectMarketing" fullword ascii $x16 = "Global\\DirectMarketing" fullword ascii
condition: condition:
( $mz at 0 ) and filesize < 300000 and uint16(0) == 0x5a4d and filesize < 300000 and
( (
( 2 of ($s*) ) or ( 2 of ($s*) ) or
( 1 of ($s*) and 6 of ($x*) ) or ( 1 of ($s*) and 6 of ($x*) ) or
@ -282,7 +271,6 @@ rule Equation_Kaspersky_HDD_reprogramming_module {
date = "2015/02/16" date = "2015/02/16"
hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500" hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500"
strings: strings:
$mz = { 4d 5a }
$s0 = "nls_933w.dll" fullword ascii $s0 = "nls_933w.dll" fullword ascii
$s1 = "BINARY" fullword wide $s1 = "BINARY" fullword wide
@ -290,7 +278,7 @@ rule Equation_Kaspersky_HDD_reprogramming_module {
$s3 = "HAL.dll" fullword ascii $s3 = "HAL.dll" fullword ascii
$s4 = "READ_REGISTER_UCHAR" fullword ascii $s4 = "READ_REGISTER_UCHAR" fullword ascii
condition: condition:
( $mz at 0 ) and filesize < 300000 and all of ($s*) uint16(0) == 0x5a4d and filesize < 300000 and all of ($s*)
} }
rule Equation_Kaspersky_EOP_Package { rule Equation_Kaspersky_EOP_Package {
@ -302,7 +290,6 @@ rule Equation_Kaspersky_EOP_Package {
date = "2015/02/16" date = "2015/02/16"
hash = "2bd1b1f5b4384ce802d5d32d8c8fd3d1dc04b962" hash = "2bd1b1f5b4384ce802d5d32d8c8fd3d1dc04b962"
strings: strings:
$mz = { 4d 5a }
$s0 = "abababababab" fullword ascii $s0 = "abababababab" fullword ascii
$s1 = "abcdefghijklmnopq" fullword ascii $s1 = "abcdefghijklmnopq" fullword ascii
$s2 = "@STATIC" fullword wide $s2 = "@STATIC" fullword wide
@ -311,7 +298,7 @@ rule Equation_Kaspersky_EOP_Package {
$s5 = "prkMtx" fullword wide $s5 = "prkMtx" fullword wide
$s6 = "cnFormVoidFBC" fullword wide $s6 = "cnFormVoidFBC" fullword wide
condition: condition:
( $mz at 0 ) and filesize < 100000 and all of ($s*) uint16(0) == 0x5a4d and filesize < 100000 and all of ($s*)
} }
rule Equation_Kaspersky_TripleFantasy_Loader { rule Equation_Kaspersky_TripleFantasy_Loader {
@ -323,8 +310,6 @@ rule Equation_Kaspersky_TripleFantasy_Loader {
date = "2015/02/16" date = "2015/02/16"
hash = "4ce6e77a11b443cc7cbe439b71bf39a39d3d7fa3" hash = "4ce6e77a11b443cc7cbe439b71bf39a39d3d7fa3"
strings: strings:
$mz = { 4d 5a }
$x1 = "Original Innovations, LLC" fullword wide $x1 = "Original Innovations, LLC" fullword wide
$x2 = "Moniter Resource Protocol" fullword wide $x2 = "Moniter Resource Protocol" fullword wide
$x3 = "ahlhcib.dll" fullword wide $x3 = "ahlhcib.dll" fullword wide
@ -336,7 +321,7 @@ rule Equation_Kaspersky_TripleFantasy_Loader {
$s4 = "hnetcfg.HNetGetShareAndBridgeSettings" fullword ascii $s4 = "hnetcfg.HNetGetShareAndBridgeSettings" fullword ascii
$s5 = "hnetcfg.HNetGetFirewallSettingsPage" fullword ascii $s5 = "hnetcfg.HNetGetFirewallSettingsPage" fullword ascii
condition: condition:
( $mz at 0 ) and filesize < 50000 and ( all of ($x*) and all of ($s*) ) uint16(0) == 0x5a4d and filesize < 50000 and ( all of ($x*) and all of ($s*) )
} }
/* Rule generated from the mentioned keywords */ /* Rule generated from the mentioned keywords */
@ -350,8 +335,6 @@ rule Equation_Kaspersky_SuspiciousString {
date = "2015/02/17" date = "2015/02/17"
score = 60 score = 60
strings: strings:
$mz = { 4d 5a }
$s1 = "i386\\DesertWinterDriver.pdb" fullword $s1 = "i386\\DesertWinterDriver.pdb" fullword
$s2 = "Performing UR-specific post-install..." $s2 = "Performing UR-specific post-install..."
$s3 = "Timeout waiting for the \"canInstallNow\" event from the implant-specific EXE!" $s3 = "Timeout waiting for the \"canInstallNow\" event from the implant-specific EXE!"
@ -359,7 +342,7 @@ rule Equation_Kaspersky_SuspiciousString {
$s5 = "standalonegrok_2.1.1.1" $s5 = "standalonegrok_2.1.1.1"
$s6 = "c:\\users\\rmgree5\\" $s6 = "c:\\users\\rmgree5\\"
condition: condition:
( $mz at 0 ) and filesize < 500000 and all of ($s*) uint16(0) == 0x5a4d and filesize < 500000 and all of ($s*)
} }
/* EquationDrug Update 11.03.2015 - http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ */ /* EquationDrug Update 11.03.2015 - http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ */
@ -392,10 +375,9 @@ rule EquationDrug_CompatLayer_UnilayDLL {
date = "2015/03/11" date = "2015/03/11"
hash = "a3a31937956f161beba8acac35b96cb74241cd0f" hash = "a3a31937956f161beba8acac35b96cb74241cd0f"
strings: strings:
$mz = { 4d 5a }
$s0 = "unilay.dll" fullword ascii $s0 = "unilay.dll" fullword ascii
condition: condition:
( $mz at 0 ) and $s0 uint16(0) == 0x5a4d and $s0
} }
rule EquationDrug_HDDSSD_Op { rule EquationDrug_HDDSSD_Op {

View File

@ -35,7 +35,7 @@ rule Regin_APT_KernelDriver_Generic_A {
$x1 = "LRich6" fullword ascii $x1 = "LRich6" fullword ascii
$x2 = "KeServiceDescriptorTable" fullword ascii $x2 = "KeServiceDescriptorTable" fullword ascii
condition: condition:
$m0 at 0 and $m1 and uint16(0) == 0x5a4d and $m0 at 0 and $m1 and
all of ($s*) and 1 of ($x*) all of ($s*) and 1 of ($x*)
} }
@ -85,6 +85,7 @@ rule Regin_APT_KernelDriver_Generic_B {
$z4 = "wcslen" fullword ascii $z4 = "wcslen" fullword ascii
$z5 = "atoi" fullword ascii $z5 = "atoi" fullword ascii
condition: condition:
uint16(0) == 0x5a4d and
$m0 at 0 and all of ($s*) and $m0 at 0 and all of ($s*) and
( all of ($v*) or all of ($w*) or all of ($x*) or all of ($y*) or all of ($z*) ) ( all of ($v*) or all of ($w*) or all of ($x*) or all of ($y*) or all of ($z*) )
and filesize < 20KB and filesize < 20KB
@ -111,6 +112,7 @@ rule Regin_APT_KernelDriver_Generic_C {
$y1 = "LSA Shell" fullword wide $y1 = "LSA Shell" fullword wide
$y2 = "0Richw" fullword ascii $y2 = "0Richw" fullword ascii
condition: condition:
uint16(0) == 0x5a4d and
$m0 at 0 and all of ($s*) and $m0 at 0 and all of ($s*) and
( all of ($x*) or all of ($y*) ) ( all of ($x*) or all of ($y*) )
and filesize < 20KB and filesize < 20KB
@ -198,8 +200,6 @@ rule Regin_Sample_3 {
date = "27.11.14" date = "27.11.14"
hash = "fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129" hash = "fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"
strings: strings:
$hd = { fe ba dc fe }
$s0 = "Service Pack x" fullword wide $s0 = "Service Pack x" fullword wide
$s1 = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" fullword wide $s1 = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
$s2 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HotFix" fullword wide $s2 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HotFix" fullword wide
@ -216,7 +216,7 @@ rule Regin_Sample_3 {
$s13 = "RtlGetVersion" fullword wide $s13 = "RtlGetVersion" fullword wide
$s14 = "ntkrnlpa.exe" fullword ascii $s14 = "ntkrnlpa.exe" fullword ascii
condition: condition:
( $hd at 0 ) and all of ($s*) and filesize > 160KB and filesize < 200KB uint32(0) == 0xfedcbafe and all of ($s*) and filesize > 160KB and filesize < 200KB
} }
rule Regin_Sample_Set_1 { rule Regin_Sample_Set_1 {
@ -249,7 +249,7 @@ rule Regin_Sample_Set_1 {
$s19 = "IoCreateDevice" fullword ascii $s19 = "IoCreateDevice" fullword ascii
$s20 = "KefReleaseSpinLockFromDpcLevel" fullword ascii $s20 = "KefReleaseSpinLockFromDpcLevel" fullword ascii
condition: condition:
all of them and filesize < 40KB and filesize > 30KB filesize < 40KB and filesize > 30KB and all of them
} }
rule Regin_Sample_Set_2 { rule Regin_Sample_Set_2 {

View File

@ -487,8 +487,6 @@ rule Tiny_Network_Tool_Generic {
hash1 = "cafc31d39c1e4721af3ba519759884b9" hash1 = "cafc31d39c1e4721af3ba519759884b9"
hash2 = "8e635b9a1e5aa5ef84bfa619bd2a1f92" hash2 = "8e635b9a1e5aa5ef84bfa619bd2a1f92"
strings: strings:
$magic = { 4d 5a }
$s0 = "KERNEL32.DLL" fullword ascii $s0 = "KERNEL32.DLL" fullword ascii
$s1 = "CRTDLL.DLL" fullword ascii $s1 = "CRTDLL.DLL" fullword ascii
$s3 = "LoadLibraryA" fullword ascii $s3 = "LoadLibraryA" fullword ascii
@ -509,7 +507,7 @@ rule Tiny_Network_Tool_Generic {
$z4 = "ToAscii" fullword ascii $z4 = "ToAscii" fullword ascii
condition: condition:
( $magic at 0 ) and all of ($s*) and ( all of ($y*) or all of ($x*) or all of ($z*) ) and filesize < 15KB uint16(0) == 0x5a4d and all of ($s*) and ( all of ($y*) or all of ($x*) or all of ($z*) ) and filesize < 15KB
} }
rule Beastdoor_Backdoor { rule Beastdoor_Backdoor {
@ -667,7 +665,6 @@ rule CN_Hacktool_1433_Scanner {
score = 40 score = 40
date = "12.10.2014" date = "12.10.2014"
strings: strings:
$magic = { 4d 5a }
$s0 = "1433" wide fullword $s0 = "1433" wide fullword
$s1 = "1433V" wide $s1 = "1433V" wide
$s2 = "del Weak1.txt" ascii fullword $s2 = "del Weak1.txt" ascii fullword
@ -675,7 +672,7 @@ rule CN_Hacktool_1433_Scanner {
$s4 = "del /s /Q C:\\Windows\\system32\\doors\\" fullword ascii $s4 = "del /s /Q C:\\Windows\\system32\\doors\\" fullword ascii
$s5 = "!&start iexplore http://www.crsky.com/soft/4818.html)" fullword ascii $s5 = "!&start iexplore http://www.crsky.com/soft/4818.html)" fullword ascii
condition: condition:
( $magic at 0 ) and all of ($s*) uint16(0) == 0x5a4d and all of ($s*)
} }
rule CN_Hacktool_1433_Scanner_Comp2 { rule CN_Hacktool_1433_Scanner_Comp2 {
@ -686,12 +683,11 @@ rule CN_Hacktool_1433_Scanner_Comp2 {
score = 40 score = 40
date = "12.10.2014" date = "12.10.2014"
strings: strings:
$magic = { 4d 5a }
$s0 = "1433" wide fullword $s0 = "1433" wide fullword
$s1 = "1433V" wide $s1 = "1433V" wide
$s2 = "UUUMUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUMUUU" ascii fullword $s2 = "UUUMUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUMUUU" ascii fullword
condition: condition:
( $magic at 0 ) and all of ($s*) uint16(0) == 0x5a4d and all of ($s*)
} }
rule WCE_Modified_1_1014 { rule WCE_Modified_1_1014 {
@ -1175,7 +1171,7 @@ rule Hacktools_CN_445_cmd {
$s0 = "cs.exe %1" fullword ascii $s0 = "cs.exe %1" fullword ascii
$s2 = "nc %1 4444" fullword ascii $s2 = "nc %1 4444" fullword ascii
condition: condition:
$bat at 0 and all of ($s*) uint32(0) == 0x68636540 and $bat at 0 and all of ($s*)
} }
rule Hacktools_CN_GOGOGO_Bat { rule Hacktools_CN_GOGOGO_Bat {

View File

@ -23,13 +23,12 @@ rule Weevely_Webshell {
date = "2014/12/14" date = "2014/12/14"
score = 60 score = 60
strings: strings:
$php = "<?php" ascii
$s0 = /\$[a-z]{4} = \$[a-z]{4}\("[a-z][a-z]?",[\s]?"",[\s]?"/ ascii $s0 = /\$[a-z]{4} = \$[a-z]{4}\("[a-z][a-z]?",[\s]?"",[\s]?"/ ascii
$s1 = /\$[a-z]{4} = str_replace\("[a-z][a-z]?","","/ ascii $s1 = /\$[a-z]{4} = str_replace\("[a-z][a-z]?","","/ ascii
$s2 = /\$[a-z]{4}\.\$[a-z]{4}\.\$[a-z]{4}\.\$[a-z]{4}\)\)\); \$[a-z]{4}\(\);/ ascii $s2 = /\$[a-z]{4}\.\$[a-z]{4}\.\$[a-z]{4}\.\$[a-z]{4}\)\)\); \$[a-z]{4}\(\);/ ascii
$s4 = /\$[a-z]{4}="[a-zA-Z0-9]{70}/ ascii $s4 = /\$[a-z]{4}="[a-zA-Z0-9]{70}/ ascii
condition: condition:
$php at 0 and all of ($s*) and filesize > 570 and filesize < 800 uint32(0) == 0x68703f3c and all of ($s*) and filesize > 570 and filesize < 800
} }
rule webshell_h4ntu_shell_powered_by_tsoi_ { rule webshell_h4ntu_shell_powered_by_tsoi_ {
@ -9135,7 +9134,7 @@ rule PHP_Webshell_1_Feb17 {
$s1 = "$i=Array(\"pv\"=>@phpversion(),\"sv\"" ascii $s1 = "$i=Array(\"pv\"=>@phpversion(),\"sv\"" ascii
$s3 = "$data = @unserialize(sh_decrypt(@base64_decode($data),$data_key));" ascii $s3 = "$data = @unserialize(sh_decrypt(@base64_decode($data),$data_key));" ascii
condition: condition:
( $h1 at 0 and 1 of them ) or 2 of them uint32(0) == 0x68703f3c and ( $h1 at 0 and 1 of them ) or 2 of them
} }
rule Webshell_Tiny_JSP_2 { rule Webshell_Tiny_JSP_2 {

View File

@ -334,11 +334,10 @@ rule APT_Cloaked_SuperScan
author = "Florian Roth" author = "Florian Roth"
score = 50 score = 50
strings: strings:
$magic = { 4d 5a }
$s0 = "SuperScan4.exe" wide fullword $s0 = "SuperScan4.exe" wide fullword
$s1 = "Foundstone Inc." wide fullword $s1 = "Foundstone Inc." wide fullword
condition: condition:
( $magic at 0 ) and $s0 and $s1 and not filename contains "superscan" uint16(0) == 0x5a4d and $s0 and $s1 and not filename contains "superscan"
} }
rule APT_Cloaked_ScanLine rule APT_Cloaked_ScanLine
@ -350,12 +349,11 @@ rule APT_Cloaked_ScanLine
author = "Florian Roth" author = "Florian Roth"
score = 50 score = 50
strings: strings:
$magic = { 4d 5a }
$s0 = "ScanLine" wide fullword $s0 = "ScanLine" wide fullword
$s1 = "Command line port scanner" wide fullword $s1 = "Command line port scanner" wide fullword
$s2 = "sl.exe" wide fullword $s2 = "sl.exe" wide fullword
condition: condition:
( $magic at 0 ) and $s0 and $s1 and $s2 and not filename == "sl.exe" uint16(0) == 0x5a4d and $s0 and $s1 and $s2 and not filename == "sl.exe"
} }
rule SAM_Hive_Backup rule SAM_Hive_Backup

View File

@ -12,12 +12,11 @@ rule VisualDiscovery_Lonovo_Superfish_SSL_Hijack {
hash3 = "f12edf2598d8f0732009c5cd1df5d2c559455a0b" hash3 = "f12edf2598d8f0732009c5cd1df5d2c559455a0b"
hash4 = "343af97d47582c8150d63cbced601113b14fcca6" hash4 = "343af97d47582c8150d63cbced601113b14fcca6"
strings: strings:
$mz = { 4d 5a }
//$s1 = "VisualDiscovery.exe" fullword wide //$s1 = "VisualDiscovery.exe" fullword wide
$s2 = "Invalid key length used to initialize BlowFish." fullword ascii $s2 = "Invalid key length used to initialize BlowFish." fullword ascii
$s3 = "GetPCProxyHandler" fullword ascii $s3 = "GetPCProxyHandler" fullword ascii
$s4 = "StartPCProxy" fullword ascii $s4 = "StartPCProxy" fullword ascii
$s5 = "SetPCProxyHandler" fullword ascii $s5 = "SetPCProxyHandler" fullword ascii
condition: condition:
( $mz at 0 ) and filesize < 2MB and all of ($s*) uint16(0) == 0x5a4d and filesize < 2MB and all of ($s*)
} }

View File

@ -173,7 +173,6 @@ rule GIFCloaked_Webshell_A {
hash = "f1c95b13a71ca3629a0bb79601fcacf57cdfcf768806a71b26f2448f8c1d5d24" hash = "f1c95b13a71ca3629a0bb79601fcacf57cdfcf768806a71b26f2448f8c1d5d24"
score = 60 score = 60
strings: strings:
$magic = { 47 49 46 38 } /* GIF8 ... */
$s0 = "input type" $s0 = "input type"
$s1 = "<%eval request" $s1 = "<%eval request"
$s2 = "<%eval(Request.Item[" $s2 = "<%eval(Request.Item["
@ -184,7 +183,7 @@ rule GIFCloaked_Webshell_A {
$fp1 = "<form name=\"social_form\"" $fp1 = "<form name=\"social_form\""
condition: condition:
( $magic at 0 ) and ( 1 of ($s*) ) uint32(0) == 0x38464947 and ( 1 of ($s*) )
and not 1 of ($fp*) and not 1 of ($fp*)
} }