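/* FIVE EYES ------------------------------------------------------------------------------- */

/*
  NOTE(review): this copy of the ruleset was flattened by extraction. Several string
  definitions read `$sN = ""` in this copy; an empty string is a YARA compile error and
  these values were clearly not empty in the source ruleset, so they are treated as lost.
  Lost definitions are listed as comments next to the surviving ones so they can be
  restored from the referenced source, and wherever an "N of them" threshold could no
  longer be met by the surviving strings the relaxation is recorded beside the condition.
  The 20123_cmdDef rule additionally declared $s6-$s11 twice (duplicate identifiers are
  also a compile error); the second, empty set is dropped.
*/

rule FiveEyes_QUERTY_Malwareqwerty_20121 {
    meta:
        description = "FiveEyes QUERTY Malware - file 20121.xml"
        author = "Florian Roth"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "8263fb58350f3b1d3c4220a602421232d5e40726"
    strings:
        // Plugin manifest naming its companion command-definition file and DLL.
        $s0 = "20121_cmdDef.xml" fullword ascii
        $s1 = "20121.dll" fullword ascii
        $s2 = "\"Reserved for future use.\"" fullword ascii
        // Lost in extraction (were "" in this copy): $s3, $s5, $s6, $s7, $s8, $s9, $s10.
        // There was no $s4 in the source either. Restore from the reference ruleset.
    condition:
        // Original condition was "9 of them" over 10 strings. Only 3 survive, so the
        // threshold is relaxed to all surviving strings; reinstate the original
        // threshold once the lost strings are restored.
        all of them
}

rule FiveEyes_QUERTY_Malwaresig_20123_sys {
    meta:
        description = "FiveEyes QUERTY Malware - file 20123.sys.bin"
        author = "Florian Roth"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "a0f0087bd1f8234d5e847363d7e15be8a3e6f099"
    strings:
        $s0 = "20123.dll" fullword ascii
        // Keyboard class driver name (UTF-16) plus kernel API names: consistent with the
        // "Kernel Mode driver for logging keys" description in the 20123_cmdDef rule below.
        $s1 = "kbdclass.sys" fullword wide
        $s2 = "IoFreeMdl" fullword ascii
        $s3 = "ntoskrnl.exe" fullword ascii
        $s4 = "KfReleaseSpinLock" fullword ascii
    condition:
        // $s1-$s4 may also occur in benign keyboard-related drivers; $s0 is the
        // discriminating artifact, hence every string is required.
        all of them
}

rule FiveEyes_QUERTY_Malwaresig_20123_cmdDef {
    meta:
        description = "FiveEyes QUERTY Malware - file 20123_cmdDef.xml"
        author = "Florian Roth"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "7b08fc77629f6caaf8cc4bb5f91be6b53e19a3cd"
    strings:
        // Descriptive text of the kernel-mode keystroke collector plugin.
        $s0 = "Keystroke Collector" fullword ascii
        $s1 = "This plugin is the E_Qwerty Kernel Mode driver for logging keys." fullword ascii
        // Lost in extraction (were "" in this copy): $s2, $s3.
        $s4 = "20121" fullword ascii
        // $s5/$s6 are deliberately truncated in the source (no fullword): prefix matches.
        $s5 = "System or Administrator (if Administrator, I think the DriverIns" ascii
        $s6 = "Windows NT, Windows 2000, Windows XP (32/64 bit), Windows 2003 (32/64" ascii
        $s7 = "plugin/Collection" fullword ascii
        // Generic values ("None", "0", "1") are weak on their own but count toward the threshold.
        $s8 = "None" fullword ascii
        $s9 = "0" fullword ascii
        $s10 = "E_QwertyKM" fullword ascii
        // Lost in extraction (were "" in this copy): $s11, $s12.
        $s13 = "1" fullword ascii
        $s14 = "None" fullword ascii
        $s15 = "Erebus" fullword ascii
        // Lost in extraction (was "" in this copy): $s16.
        $s17 = "None" fullword ascii
        // Lost in extraction (was "" in this copy): $s18.
        $s19 = "U_HookManager v1.0, Kernel Covert Store v1.0" fullword ascii
        // Lost in extraction (was "" in this copy): $s20, plus a second, empty $s6-$s11
        // set that duplicated existing identifiers and has been dropped.
    condition:
        // Threshold unchanged, but it now applies to 14 surviving strings instead of the
        // original set; four of the survivors are generic, so restore the lost strings
        // before relying on this rule at scale.
        9 of them
}

rule FiveEyes_QUERTY_Malwaresig_20120_dll {
    meta:
        description = "FiveEyes QUERTY Malware - file 20120.dll.bin"
        author = "Florian Roth"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "6811bfa3b8cda5147440918f83c40237183dbd25"
    strings:
        // Keystroke log file name templates (UTF-16), timestamped.
        $s0 = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.txt" fullword wide
        $s1 = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.xml" fullword wide
        // Operator-side status / error messages referring to the driver ("implant").
        $s2 = "Failed to send the EQwerty_driverStatusCommand to the implant." fullword ascii
        $s3 = "- Log Used (number of windows) - %d" fullword wide
        $s4 = "- Log Limit (number of windows) - %d" fullword wide
        // Locale description strings: these may also appear in benign Windows binaries,
        // so they carry little weight on their own.
        $s5 = "Process or User Default Language" fullword wide
        $s6 = "Windows 98/Me, Windows NT 4.0 and later: Vietnamese" fullword wide
        $s7 = "- Logging of keystrokes is switched ON" fullword wide
        $s8 = "- Logging of keystrokes is switched OFF" fullword wide
        // Truncated in the source (no fullword): prefix match.
        $s9 = "Qwerty is currently logging active windows with titles containing the fo" wide
        $s10 = "Windows 95, Windows NT 4.0 only: Korean (Johab)" fullword wide
        $s11 = "FAILED to get Qwerty Status" fullword wide
        $s12 = "- Successfully retrieved Log from Implant." fullword wide
        $s13 = "- Logging of all Windows is toggled ON" fullword wide
        $s14 = "- Logging of all Windows is toggled OFF" fullword wide
        $s15 = "Qwerty FAILED to retrieve window list." fullword wide
        $s16 = "- UNSUCCESSFUL Log Retrieval from Implant." fullword wide
        $s17 = "The implant failed to return a valid status" fullword ascii
        $s18 = "- Log files were NOT generated!" fullword wide
        $s19 = "Windows 2000/XP: Armenian. This is Unicode only." fullword wide
        $s20 = "- This machine is using a PS/2 Keyboard - Continue on using QWERTY" fullword wide
    condition:
        // All 21 strings are intact in this copy; 10 of 21 is the author's threshold.
        10 of them
}

rule FiveEyes_QUERTY_Malwaresig_20120_cmdDef {
    meta:
        description = "FiveEyes QUERTY Malware - file 20120_cmdDef.xml"
        author = "Florian Roth"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "cda9ceaf0a39d6b8211ce96307302a53dfbd71ea"
    strings:
        // Command help text of the user-mode keystroke-logger plugin. Spelling errors
        // ("taht", "whish") are verbatim from the sample and must not be corrected.
        $s0 = "This PPC gets the current keystroke log." fullword ascii
        // $s1-$s4, $s9, $s13 are deliberately truncated in the source (no fullword).
        $s1 = "This command will add the given WindowTitle to the list of Windows to log keys f" ascii
        $s2 = "This command will remove the WindowTitle corresponding to the given window title" ascii
        $s3 = "This command will return the current status of the Keyboard Logger (Whether it i" ascii
        $s4 = "This command Toggles logging of all Keys. If allkeys is toggled all keystrokes w" ascii
        $s5 = "Turn logging of all keys on|off" fullword ascii
        $s6 = "Get Keystroke Log" fullword ascii
        $s7 = "Keystroke Logger Lp Plugin" fullword ascii
        $s8 = "display help for this function" fullword ascii
        $s9 = "This command will switch ON Logging of keys. All keys taht are entered to a acti" ascii
        $s10 = "Set the log limit (in number of windows)" fullword ascii
        // $s11 and $s12 have identical values; both count toward the threshold, so one
        // occurrence of "qwgetlog" contributes two matches.
        $s11 = "qwgetlog" fullword ascii
        $s12 = "qwgetlog" fullword ascii
        $s13 = "The title of the Window whose keys you wish to Log once it becomes a" ascii
        $s14 = "This command will switch OFF Logging of keys. No keystrokes will be captured" fullword ascii
        $s15 = "The title of the Window whose keys you no longer whish to log" fullword ascii
        // There was no $s16 in the source. Lost in extraction (were "" in this copy):
        // $s17, $s18, $s19, $s20. Restore from the reference ruleset.
    condition:
        // Threshold unchanged; 16 strings survive, so it remains satisfiable.
        10 of them
}

rule FiveEyes_QUERTY_Malwareqwerty_20120 {
    meta:
        description = "FiveEyes QUERTY Malware - file 20120.xml"
        author = "Florian Roth"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "597082f05bfd3225587d480c30f54a7a1326a892"
    strings:
        // Plugin manifest naming its companion command-definition file and DLL.
        $s0 = "20120_cmdDef.xml" fullword ascii
        $s1 = "20120.dll" fullword ascii
        $s2 = "\"Reserved for future use.\"" fullword ascii
        // Lost in extraction (were "" in this copy): $s3, $s5, $s6, $s7, $s8, $s9, $s10.
        // There was no $s4 in the source either. Restore from the reference ruleset.
    condition:
        // Condition text unchanged, but it now covers 3 strings rather than 10; the rule
        // is correspondingly less specific until the lost strings are restored.
        all of them
}

rule FiveEyes_QUERTY_Malwaresig_20121_cmdDef {
    meta:
        description = "FiveEyes QUERTY Malware - file 20121_cmdDef.xml"
        author = "Florian Roth"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "64ac06aa4e8d93ea6063eade7ce9687b1d035907"
    strings:
        // $s0 and $s2 are identical in the source; each occurrence counts twice.
        $s0 = "Keystroke Logger Plugin." fullword ascii
        $s1 = "Failed to get File Time" fullword ascii
        $s2 = "Keystroke Logger Plugin." fullword ascii
        $s3 = "Failed to set File Time" fullword ascii
        // Lost in extraction (were "" in this copy): $s4, $s5, $s6.
        $s7 = "20120" fullword ascii
        $s8 = "No Comms. with Driver" fullword ascii
        // Lost in extraction (was "" in this copy): $s9.
        $s10 = "Invalid File Size" fullword ascii
        $s11 = "Windows (User/Win32)" fullword ascii
        $s12 = "File Size Mismatch" fullword ascii
        $s13 = "plugin/Utility" fullword ascii
        // Generic values ("None", "0") are weak on their own but count toward the threshold.
        $s14 = "None" fullword ascii
        $s15 = "None" fullword ascii
        $s16 = "E_QwertyIM" fullword ascii
        $s17 = "None" fullword ascii
        $s18 = "0" fullword ascii
        $s19 = "00001002" fullword ascii
        $s20 = "00001001" fullword ascii
    condition:
        // Threshold unchanged; 17 strings survive, so it remains satisfiable.
        12 of them
}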