From c5bee404a6a4e0513b83ffdd569055396cfa06c2 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 16 Apr 2021 10:32:09 +0200
Subject: [PATCH] BKA Emotet rules
---
 yara/crime_emotet.yar | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
diff --git a/yara/crime_emotet.yar b/yara/crime_emotet.yar
index ea28e12..0cd7f6f 100644
--- a/yara/crime_emotet.yar
+++ b/yara/crime_emotet.yar
@@ -33,3 +33,35 @@ rule MAL_Emotet_Jan20_1 {
 1 of them
 )
 }
+
+rule MAL_Emotet_BKA_Quarantine_Apr21 {
+ meta:
+ author = "press inquiries , technical contact "
+ reference = "https://www.bka.de/DE/IhreSicherheit/RichtigesVerhalten/StraftatenImInternet/FAQ/FAQ_node.html"
+ descripton = "The modified emotet binary replaces the original emotet on the system of the victim. The original emotet is copied to a quarantine for evidence-preservation."
+ note = "The quarantine folder depends on the scope of the initial emotet infection (user or administrator). It is the temporary folder as returned by GetTempPathW under a filename starting with UDP as returned by GetTempFileNameW. To prevent accidental reinfection by a user, the quarantined emotet is encrypted using RC4 and a 0x20 bytes long key found at the start of the quarantined file (see $key)."
+ sharing = "TLP:WHITE"
+ date = "2021-03-23"
+ strings:
+ $key = { c3 da da 19 63 45 2c 86 77 3b e9 fd 24 64 fb b8 07 fe 12 d0 2a 48 13 38 48 68 e8 ae 91 3c ed 82 }
+ condition:
+ $key at 0
+}
+
+rule MAL_Emotet_BKA_Cleanup_Apr21 {
+ meta:
+ author = "press inquiries , technical contact "
+ reference = "https://www.bka.de/DE/IhreSicherheit/RichtigesVerhalten/StraftatenImInternet/FAQ/FAQ_node.html"
+ descripton = "This rule targets a modified emotet binary deployed by the Bundeskriminalamt on the 26th of January 2021."
+ note = "The binary will replace the original emotet by copying it to a quarantine. It also contains a routine to perform a self-deinstallation on the 25th of April 2021. The three-month timeframe between rollout and self-deinstallation was chosen primarily for evidence purposes as well as to allow remediation."
+ sharing = "TLP:WHITE"
+ date = "2021-03-23"
+ strings:
+ $key = { c3 da da 19 63 45 2c 86 77 3b e9 fd 24 64 fb b8 07 fe 12 d0 2a 48 13 38 48 68 e8 ae 91 3c ed 82 }
+ condition:
+ filesize > 300KB and
+ filesize < 700KB and
+ uint16(0) == 0x5A4D and
+ $key
+}
+
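Review bot: Both new rules spell the meta key as `descripton` (the lines `descripton = "The modified emotet binary…"` in MAL_Emotet_BKA_Quarantine_Apr21 and `descripton = "This rule targets…"` in MAL_Emotet_BKA_Cleanup_Apr21), so any tooling that reads the conventional `description` key will list these rules without a description; rename both to `description = …`. The `author` values read `"press inquiries , technical contact "` with the actual contacts missing — presumably angle-bracketed addresses were lost on the way in — so the rules currently carry no usable point of contact; restore them or replace the field with a plain reference. For the quarantine rule it would help responders to extend the `note` with a sentence such as "A match identifies the RC4-encrypted quarantined copy of the original sample (the key is its first 0x20 bytes), i.e. evidence of a prior infection rather than a live payload", since the condition `$key at 0` has no filesize or magic bound and any file beginning with those 32 bytes will match, which is consistent with the described quarantine format but worth stating explicitly.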