valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-06 10:05:18 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
master
signature-base/yara/apt_volatile_cedar.yar

121 lines
4.0 KiB
Plaintext
Raw Permalink Blame History

rule Explosive_EXE : APT {
meta:
description = "Explosion/Explosive Malware - Volatile Cedar APT"
author = "Check Point Software Technologies Inc."
strings:
$DLD_S = "DLD-S:"
$DLD_E = "DLD-E:"
condition:
all of them and
uint16(0) == 0x5A4D
}
rule Explosion_Sample_1 {
meta:
description = "Explosion/Explosive Malware - Volatile Cedar APT"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://goo.gl/5vYaNb"
date = "2015/04/03"
score = 70
hash = "c97693ecb36247bdb44ab3f12dfeae8be4d299bb"
strings:
$s5 = "REG ADD \"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii
$s9 = "WinAutologon From Winlogon Reg" fullword ascii
$s10 = "82BD0E67-9FEA-4748-8672-D5EFE5B779B0" fullword ascii
$s11 = "IE:Password-Protected sites" fullword ascii
$s12 = "\\his.sys" fullword ascii
$s13 = "HTTP Password" fullword ascii
$s14 = "\\data.sys" fullword ascii
$s15 = "EL$_RasDefaultCredentials#0" fullword wide
$s17 = "Office Outlook HTTP" fullword ascii
$s20 = "Hist :<b> %ws</b> :%s </br></br>" fullword ascii
condition:
all of them and
uint16(0) == 0x5A4D
}
rule Explosion_Sample_2 {
meta:
description = "Explosion/Explosive Malware - Volatile Cedar APT"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://goo.gl/5vYaNb"
date = "2015/04/03"
score = 70
hash = "62fe6e9e395f70dd632c70d5d154a16ff38dcd29"
strings:
$s0 = "serverhelp.dll" fullword wide
$s1 = "Windows Help DLL" fullword wide
$s5 = "SetWinHoK" fullword ascii
condition:
all of them and
uint16(0) == 0x5A4D
}
rule Explosion_Generic_1 {
meta:
description = "Generic Rule for Explosion/Explosive Malware - Volatile Cedar APT"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "not set"
date = "2015/04/03"
score = 70
super_rule = 1
hash0 = "d0f059ba21f06021579835a55220d1e822d1233f95879ea6f7cb9d301408c821"
hash1 = "1952fa94b582e9af9dca596b5e51c585a78b8b1610639e3b878bbfa365e8e908"
hash2 = "d8fdcdaad652c19f4f4676cd2f89ae834dbc19e2759a206044b18601875f2726"
hash3 = "e2e6ed82703de21eb4c5885730ba3db42f3ddda8b94beb2ee0c3af61bc435747"
hash4 = "03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0"
strings:
$s0 = "autorun.exe" fullword
$s1 = "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; MSIE 6.0; Windows NT 5.1; .NET CL"
$s2 = "%drp.exe" fullword
$s3 = "%s_%s%d.exe" fullword
$s4 = "open=autorun.exe" fullword
$s5 = "http://www.microsoft.com/en-us/default.aspx" fullword
$s10 = "error.renamefile" fullword
$s12 = "insufficient lookahead" fullword
$s13 = "%s %s|" fullword
$s16 = ":\\autorun.exe" fullword
condition:
7 of them and
uint16(0) == 0x5A4D
}
rule Explosive_UA {
meta:
description = "Explosive Malware Embedded User Agent - Volatile Cedar APT http://goo.gl/HQRCdw"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://goo.gl/HQRCdw"
date = "2015/04/03"
score = 60
strings:
$x1 = "Mozilla/4.0 (compatible; MSIE 7.0; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727)" fullword
condition:
$x1 and
uint16(0) == 0x5A4D
}
rule Webshell_Caterpillar_ASPX {
meta:
description = "Volatile Cedar Webshell - from file caterpillar.aspx"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://goo.gl/emons5"
date = "2015/04/03"
super_rule = 1
hash0 = "af4c99208fb92dc42bc98c4f96c3536ec8f3fe56"
strings:
$s0 = "Dim objNewRequest As WebRequest = HttpWebRequest.Create(sURL)" fullword
$s1 = "command = \"ipconfig /all\"" fullword
$s3 = "For Each xfile In mydir.GetFiles()" fullword
$s6 = "Dim oScriptNet = Server.CreateObject(\"WSCRIPT.NETWORK\")" fullword
$s10 = "recResult = adoConn.Execute(strQuery)" fullword
$s12 = "b = Request.QueryString(\"src\")" fullword
$s13 = "rw(\"<a href='\" + link + \"' target='\" + target + \"'>\" + title + \"</a>\")" fullword
condition:
all of them
}
Reference in New Issue View Git Blame Copy Permalink