valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-06 10:05:18 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

BKA Emotet rules

Browse Source
This commit is contained in:
Florian Roth 2021-04-16 10:32:09 +02:00
parent a020ac46a7
commit c5bee404a6
1 changed files with 32 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
yara/crime_emotet.yar
View File

@ -33,3 +33,35 @@ rule MAL_Emotet_Jan20_1 {
1 of them
)
}
rule MAL_Emotet_BKA_Quarantine_Apr21 {
meta:
author = "press inquiries <info@bka.de>, technical contact <info@mha.bka.de>"
reference = "https://www.bka.de/DE/IhreSicherheit/RichtigesVerhalten/StraftatenImInternet/FAQ/FAQ_node.html"
descripton = "The modified emotet binary replaces the original emotet on the system of the victim. The original emotet is copied to a quarantine for evidence-preservation."
note = "The quarantine folder depends on the scope of the initial emotet infection (user or administrator). It is the temporary folder as returned by GetTempPathW under a filename starting with UDP as returned by GetTempFileNameW. To prevent accidental reinfection by a user, the quarantined emotet is encrypted using RC4 and a 0x20 bytes long key found at the start of the quarantined file (see $key)."
sharing = "TLP:WHITE"
date = "2021-03-23"
strings:
$key = { c3 da da 19 63 45 2c 86 77 3b e9 fd 24 64 fb b8 07 fe 12 d0 2a 48 13 38 48 68 e8 ae 91 3c ed 82 }
condition:
$key at 0
}
rule MAL_Emotet_BKA_Cleanup_Apr21 {
meta:
author = "press inquiries <info@bka.de>, technical contact <info@mha.bka.de>"
reference = "https://www.bka.de/DE/IhreSicherheit/RichtigesVerhalten/StraftatenImInternet/FAQ/FAQ_node.html"
descripton = "This rule targets a modified emotet binary deployed by the Bundeskriminalamt on the 26th of January 2021."
note = "The binary will replace the original emotet by copying it to a quarantine. It also contains a routine to perform a self-deinstallation on the 25th of April 2021. The three-month timeframe between rollout and self-deinstallation was chosen primarily for evidence purposes as well as to allow remediation."
sharing = "TLP:WHITE"
date = "2021-03-23"
strings:
$key = { c3 da da 19 63 45 2c 86 77 3b e9 fd 24 64 fb b8 07 fe 12 d0 2a 48 13 38 48 68 e8 ae 91 3c ed 82 }
condition:
filesize > 300KB and
filesize < 700KB and
uint16(0) == 0x5A4D and
$key
}