From a7cbf7b9c7f5b230da9ce81dd7aff3046047759e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 28 Sep 2018 13:29:43 +0200
Subject: [PATCH] Suspicious SFX running wscript.exe

---
 yara/gen_susp_sfx.yar | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 yara/gen_susp_sfx.yar

diff --git a/yara/gen_susp_sfx.yar b/yara/gen_susp_sfx.yar
new file mode 100644
index 0000000..73afa27
--- /dev/null
+++ b/yara/gen_susp_sfx.yar
@@ -0,0 +1,18 @@
+
+rule SUSP_SFX_RunProgram_WScript {
+ meta:
+ description = "Detects suspicious SFX as used by Gamaredon group"
+ author = "Florian Roth"
+ reference = "Internal Research"
+ date = "2018-09-27"
+ hash1 = "e3bb02c5985fc64759b9c2d3c5474d46237ce472b4a0101c6313dafa939de5a9"
+ hash2 = "0ecf88d4b32895b4819dec3acb62eaaa7035aa6292499d903f76af60fcec0d6a"
+ hash3 = "a7a48f5220bd1ebe04de258d71fdd001711c165d162bd45e8cfbe8964eddf01c"
+ hash4 = "b6fa4889d8a87d45706d92714d716025bf223c01929755321faac1ab0db94a88"
+ hash5 = "7117b39890659c7dd11e15092c5e5ea9495bec0ff2b6e25254f6e343ed6ca33d"
+ hash6 = "ec2afb63555986fa55b7f98ae57c57e1138acb404a0dd2fe4f3d315730b9898e"
+ strings:
+ $x1 = "RunProgram=\"wscript.exe" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 10000KB and 1 of them
+}
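Review bot: The only string, `$x1`, is case-sensitive, so an SFX script that spells the program name as `WScript.exe` or `WSCRIPT.EXE` is not covered even though Windows resolves the executable name case-insensitively; adding the modifier makes the rule robust to that spelling variation, `$x1 = "RunProgram=\"wscript.exe" fullword ascii nocase`, and the six listed reference hashes would still match. With a single string defined, `1 of them` in the condition is equivalent to naming `$x1` directly; the `of them` form is reasonable only if further strings are intended to be added to this rule, otherwise the explicit reference reads clearer. The `filesize < 10000KB` bound is a sensible scan-cost limit, but self-extracting archives that bundle larger payloads will fall outside it, which is worth a short note in the `description` or a `score`/comment in `meta` so tuning decisions are visible to maintainers.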