Malware Unspecified

2024-11-06 18:15:20 +00:00 · 2017-08-01 14:01:53 +02:00 · 2017-08-01 14:01:53 +02:00 · ba25f2e452
commit ba25f2e452
parent 6f7c4d9459
1 changed files with 49 additions and 5 deletions
--- a/yara/crime_malware_generic.yar
+++ b/yara/crime_malware_generic.yar
@ -12,18 +12,18 @@ rule TrojanDownloader {
 	strings:
 		$x1 = "Hello World!" fullword ascii
 		$x2 = "CONIN$" fullword ascii
-			
+
 		$s6 = "GetCommandLineA" fullword ascii
 		$s7 = "ExitProcess" fullword ascii
-		$s8 = "CreateFileA" fullword ascii						
+		$s8 = "CreateFileA" fullword ascii

-		$s5 = "SetConsoleMode" fullword ascii		
-		$s9 = "TerminateProcess" fullword ascii	
+		$s5 = "SetConsoleMode" fullword ascii
+		$s9 = "TerminateProcess" fullword ascii
 		$s10 = "GetCurrentProcess" fullword ascii
 		$s11 = "UnhandledExceptionFilter" fullword ascii
 		$s3 = "user32.dll" fullword ascii
 		$s16 = "GetEnvironmentStrings" fullword ascii
-		$s2 = "GetLastActivePopup" fullword ascii		
+		$s2 = "GetLastActivePopup" fullword ascii
 		$s17 = "GetFileType" fullword ascii
 		$s19 = "HeapCreate" fullword ascii
 		$s20 = "VirtualFree" fullword ascii
@ -37,3 +37,47 @@ rule TrojanDownloader {
 	condition:
 		$x1 and $x2 and ( all of ($s*) ) and filesize < 35000
 }
+
+/*
+   Yara Rule Set
+   Author: Florian Roth
+   Date: 2017-08-01
+   Identifier: IsmDoor
+   Reference: https://twitter.com/Voulnet/status/892104753295110145
+   License: http://creativecommons.org/licenses/by-nc-sa/4.0/
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule IsmDoor_Jul17_A2 {
+   meta:
+      description = "Detects IsmDoor Malware"
+      author = "Florian Roth"
+      reference = "https://twitter.com/Voulnet/status/892104753295110145"
+      date = "2017-08-01"
+      hash1 = "be72c89efef5e59c4f815d2fce0da5a6fac8c90b86ee0e424868d4ae5e550a59"
+      hash2 = "ea1be14eb474c9f70e498c764aaafc8b34173c80cac9a8b89156e9390bd87ba8"
+   strings:
+      $s1 = "powershell -exec bypass -file \"" fullword ascii
+      $s2 = "PAQlFcaWUaFkVICEx2CkNCUUpGcA" ascii
+      $s3 = "\\Documents" fullword ascii
+      $s4 = "\\Libraries" fullword ascii
+   condition:
+      ( uint16(0) == 0x5a4d and filesize < 300KB and 3 of them )
+}
+
+rule Unknown_Malware_Sample_Jul17_2 {
+   meta:
+      description = "Detects unknown malware sample with pastebin RAW URL"
+      author = "Florian Roth"
+      reference = "https://goo.gl/iqH8CK"
+      date = "2017-08-01"
+      hash1 = "3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52"
+   strings:
+      $s1 = "4System.Web.Services.Protocols.SoapHttpClientProtocol" fullword ascii
+      $s2 = "https://pastebin.com/raw/" wide
+      $s3 = "My.Computer" fullword ascii
+      $s4 = "MyTemplate" fullword ascii
+   condition:
+      ( uint16(0) == 0x5a4d and filesize < 200KB and all of them )
+}