/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2016-08-29
   Identifier: VT Research QA Malware
*/

/* Rule Set ----------------------------------------------------------------- */

/*
   This rule can only be used with THOR or LOKI due to the external variable
   'filename'. With plain yara it compiles only when that variable is supplied
   (e.g. `yara -d filename=<name>`); the comparison is an exact, case-sensitive
   string match.
   NOTE(review): the description names "update_.exe" while the condition tests
   for "update.exe" - confirm which name was intended.
*/
rule Malware_QA_update_test {
   meta:
      description = "VT Research QA uploaded malware - file update_.exe"
      author = "Florian Roth"
      reference = "VT Research QA"
      date = "2016-08-29"
      score = 80
      hash1 = "3b3392bc730ded1f97c51e23611740ff8b218abf0a1100903de07819eeb449aa"
   strings:
      $s1 = "test.exe" fullword ascii
      /* 64-byte filler block; weak on its own, hence required together with $s1 and the filename */
      $s2 = "PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGP" fullword ascii
   condition:
      /* uint16(0) is read little-endian: 0x5a4d == the bytes "MZ" (DOS/PE header) */
      uint16(0) == 0x5a4d
      and filesize < 1000KB
      and all of ($s*)
      and filename == "update.exe"
}

/* Rules that can be used in any tool with YARA support */

/* Sample "not copy.exe": .NET-style PDB path, a DDNS C2 host and self-delete /
   firewall-exception strings; the combination is consistent with a commodity RAT
   (family not asserted here). */
rule Malware_QA_not_copy {
   meta:
      description = "VT Research QA uploaded malware - file not copy.exe"
      author = "Florian Roth"
      reference = "VT Research QA"
      date = "2016-08-29"
      score = 80
      hash1 = "1410f38498567b64a4b984c69fe4f2859421e4ac598b9750d8f703f1d209f836"
   strings:
      /* high-confidence ($x) markers */
      $x1 = "U2VydmVyLmV4ZQ==" fullword wide /* base64 encoded string 'Server.exe' */
      $x2 = "\\not copy\\obj\\Debug\\not copy.pdb" ascii
      $x3 = "fuckyou888.ddns.net" fullword wide
      /* supporting ($s) markers */
      $s1 = "cmd.exe /c ping 0 -n 2 & del \"" fullword wide
      $s2 = "Server.exe" fullword wide
      $s3 = "Execute ERROR" fullword wide
      $s4 = "not copy.exe" fullword wide
      $s5 = "Non HosT" fullword wide
      $s6 = "netsh firewall delete allowedprogram" fullword wide
   condition:
      /* PE file: one strong marker or four weak ones; any file: five markers overall */
      (
         uint16(0) == 0x5a4d and filesize < 1000KB
         and ( any of ($x*) or 4 of ($s*) )
      )
      or 5 of them
}

/* Sample "update.exe" (two hashes): keylogger/download command strings, the
   "DarkCoderSc" user path and a "Celesty Binder" stub PDB. These look like
   DarkComet-family RAT artefacts wrapped by a binder - not verified here. */
rule Malware_QA_update {
   meta:
      description = "VT Research QA uploaded malware - file update.exe"
      author = "Florian Roth"
      reference = "VT Research QA"
      date = "2016-08-29"
      score = 80
      hash1 = "6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541"
      hash2 = "6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e"
   strings:
      $x1 = "UnActiveOfflineKeylogger" fullword ascii
      $x2 = "BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|" fullword ascii
      $x3 = "ActiveOnlineKeylogger" fullword ascii
      $x4 = "C:\\Users\\DarkCoderSc\\" ascii
      $x5 = "Celesty Binder\\Stub\\STATIC\\Stub.pdb" ascii
      $x6 = "BTRESULTUpdate from URL|Update : File Downloaded , Executing new one in temp dir...|" fullword ascii
      $s1 = "MSRSAAP.EXE" fullword wide
      $s2 = "Command successfully executed!|" fullword ascii
      /* typos ("Libary", "EntyPoint") are in the sample itself - do not "fix" them */
      $s3 = "BTMemoryLoadLibary: Get DLLEntyPoint failed" fullword ascii
      $s4 = "I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!" fullword ascii
      $s5 = "\\Internet Explorer\\iexplore.exe" fullword ascii
      $s6 = "ping 127.0.0.1 -n 4 > NUL && \"" fullword ascii
      $s7 = "BTMemoryGetProcAddress: DLL doesn't export anything" fullword ascii
      $s8 = "POST /index.php/1.0" fullword ascii
   condition:
      (
         uint16(0) == 0x5a4d and filesize < 3000KB
         and ( any of ($x*) or 3 of ($s*) )
      )
      or all of them
}

/* Sample "tls.exe": build-path and project-name strings of a payload template. */
rule Malware_QA_tls {
   meta:
      description = "VT Research QA uploaded malware - file tls.exe"
      author = "Florian Roth"
      reference = "VT Research QA"
      date = "2016-08-29"
      score = 80
      hash1 = "f06d1f2bee2eb6590afbfa7f011ceba9bd91ba31cdc721bc728e13b547ac9370"
   strings:
      $s1 = "\\funoverip\\ultimate-payload-template1\\" ascii
      $s2 = "ULTIMATEPAYLOADTEMPLATE1" fullword wide
      $s3 = "ultimate-payload-template1" fullword wide
   condition:
      ( uint16(0) == 0x5a4d and filesize < 300KB and any of them )
      or all of them
}

/* Sample "get The FucKinG IP.exe": developer user-profile path, project name and
   author tag. All strings are $x markers, so "1 of ($x*)" == "any of them". */
rule Malware_QA_get_The_FucKinG_IP {
   meta:
      description = "VT Research QA uploaded malware - file get The FucKinG IP.exe"
      author = "Florian Roth"
      reference = "VT Research QA"
      date = "2016-08-29"
      score = 80
      hash1 = "7b2c04e384919075be96e3412d92c14fc1165d1bc7556fd207488959c5c4d2f7"
   strings:
      /* no modifier given: YARA's default is ascii */
      $x1 = "C:\\Users\\Mdram ahmed\\AppData"
      $x2 = "\\Local\\Temporary Projects\\get The FucKinG IP\\" ascii
      $x3 = "get The FucKinG IP.exe" fullword wide
      $x4 = "get ip by mdr3m" fullword wide
      $x5 = "MDR3M kik: Mdr3mhm" fullword wide
   condition:
      ( uint16(0) == 0x5a4d and filesize < 1000KB and any of ($x*) )
      or 2 of them
}

/* Sample "vqgk.dll": "aggressor" build path, "beacon.pdb", named-pipe template,
   x86/x64 injection messages and PowerShell download cradle format strings.
   These are characteristic of a Cobalt Strike Beacon DLL (inferred from the
   strings, not verified against the sample). */
rule Malware_QA_vqgk {
   meta:
      description = "VT Research QA uploaded malware - file vqgk.dll"
      author = "Florian Roth"
      reference = "VT Research QA"
      date = "2016-08-29"
      score = 80
      hash1 = "99541ab28fc3328e25723607df4b0d9ea0a1af31b58e2da07eff9f15c4e6565c"
   strings:
      $x1 = "Z:\\devcenter\\aggressor\\external" ascii
      $x2 = "\\beacon\\Release\\beacon.pdb" fullword ascii
      $x3 = "%d is an x86 process (can't inject x64 content)" fullword ascii
      $x4 = "%d is an x64 process (can't inject x86 content)" fullword ascii
      $s1 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" fullword ascii
      $s2 = "Could not open process token: %d (%u)" fullword ascii
      /* printf-style template: "\\\\%s\\pipe\\msagent_%x" in YARA source is the
         literal text \\%s\pipe\msagent_%x, i.e. a named-pipe path */
      $s3 = "\\\\%s\\pipe\\msagent_%x" fullword ascii
      $s4 = "\\sysnative\\rundll32.exe" fullword ascii
      $s5 = "Failed to impersonate logged on user %d (%u)" fullword ascii
      $s6 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s" fullword ascii
      $s7 = "could not write to process memory: %d" fullword ascii
      $s8 = "beacon.dll" fullword ascii
      $s9 = "Failed to impersonate token from %d (%u)" fullword ascii
   condition:
      (
         uint16(0) == 0x5a4d and filesize < 600KB
         and ( any of ($x*) or 5 of ($s*) )
      )
      or 7 of them
}

/* Sample "1177.vbs": a VBScript dropper that writes a base64-embedded PE to the
   Startup folder. $s2 is the base64 prefix of a DOS header ("TVqQ" decodes to
   "MZ\x90"), which is how an encoded executable appears inside a text script. */
rule Malware_QA_1177 {
   meta:
      description = "VT Research QA uploaded malware - file 1177.vbs"
      author = "Florian Roth"
      reference = "VT Research QA"
      date = "2016-08-29"
      score = 80
      hash1 = "ff3a2740330a6cbae7888e7066942b53015728c367cf9725e840af5b2a3fa247"
   strings:
      $x1 = ".specialfolders (\"startup\") & \"\\ServerName.EXE\"" fullword ascii
      /* "%%" is literal in YARA text strings; the sample contains %%InsallDir%% (sic) */
      $x2 = "expandenvironmentstrings(\"%%InsallDir%%\") " ascii
      $s1 = "CreateObject(\"WScript.Shell\").Run(" ascii
      $s2 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAA" ascii
      $s3 = "cial Thank's to Dev-point.com" fullword ascii
      $s4 = ".createElement(\"tmp\")" fullword ascii
      $s5 = "'%CopyToStartUp%" fullword ascii
   condition:
      /* not a PE: uint16(0) == 0x4d27 is little-endian for the bytes 0x27 0x4d,
         i.e. the script starts with the VBScript comment marker "'M" */
      (
         uint16(0) == 0x4d27 and filesize < 100KB
         and ( any of ($x*) or 4 of ($s*) )
      )
      or 5 of them
}