signature-base/yara/apt_tophat.yar


/*
Yara Rule Set
Author: Florian Roth
Date: 2018-01-29
Identifier: TopHat
Reference: https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/#appendix
*/
/* Rule Set ----------------------------------------------------------------- */
import "pe"
/*
 * TopHat_Malware_Jan18_1
 *
 * Scope: PE files (MZ magic at offset 0) smaller than 400 KB.
 * Fires when EITHER the import hash of the known samples matches OR at least
 * six of the seven string markers are present, so a rebuilt binary with a
 * different import table can still be caught on strings alone.
 * pe.imphash() needs a YARA build with hash/crypto support; the MZ check in
 * front of it keeps the pe module from being evaluated on non-PE input.
 */
rule TopHat_Malware_Jan18_1 {
    meta:
        description = "Detects malware from TopHat campaign"
        license = "https://creativecommons.org/licenses/by-nc/4.0/"
        author = "Florian Roth"
        reference = "https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/#appendix"
        date = "2018-01-29"
        hash1 = "5c0b253966befd57f4d22548f01116ffa367d027f162514c1b043a747bead596"
        hash2 = "1f9bca1d5ce5d14d478d32f105b3ab5d15e1c520bde5dfca22324262e84d4eaf"

    strings:
        // WMI namespace path (ROOT\CIMV2); backslashes are doubled for YARA escaping
        $s1 = "WINMGMTS:\\\\.\\ROOT\\CIMV2" fullword ascii
        $s2 = "UENCRYPTION" fullword ascii
        $s3 = "TEXPORTAPIS" fullword ascii
        // Lowercase forms of what look like Delphi stream class names
        // (TCustomMemoryStream / TMemoryStream) -- presumably a Delphi build; confirm on the sample
        $s4 = "tcustommemorystream" fullword ascii
        $s5 = "tmemorystream" fullword ascii
        $s6 = "ExtrasNoteCONSOLEemb" fullword ascii
        $s7 = "DIALOG INCLUDE" fullword ascii

    condition:
        // MZ header and size gate first; the bracketed part is imphash OR 6-of-7 strings
        uint16(0) == 0x5a4d
        and filesize < 400KB
        and (
            pe.imphash() == "c221006b240b1c993217bd61e5ee31b6"
            or 6 of them
        )
}
/*
 * TopHat_Malware_Jan18_2
 *
 * Scope: PE files (MZ magic at offset 0) smaller than 1000 KB.
 * Unlike TopHat_Malware_Jan18_1 the import hash is REQUIRED (joined with
 * "and"), and five of the six strings must match on top of it, so this rule
 * is tied to samples sharing the import table of the referenced file e.exe.
 * Coverage of recompiled variants with a different imphash therefore depends
 * on the first rule, not on this one.
 */
rule TopHat_Malware_Jan18_2 {
    meta:
        description = "Auto-generated rule - file e.exe"
        license = "https://creativecommons.org/licenses/by-nc/4.0/"
        author = "Florian Roth"
        reference = "https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/#appendix"
        date = "2018-01-29"
        hash1 = "9580d15a06cd59c01c59bca81fa0ca8229f410b264a38538453f7d97bfb315e7"

    strings:
        // Registry paths read by the sample (font substitutes, keyboard layouts)
        $s1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes" fullword ascii
        $s2 = "\\SYSTEM\\CurrentControlSet\\Control\\Keyboard Layouts\\" fullword ascii
        // UTF-16 (wide) runtime message; the only wide string in this rule
        $s3 = "LError loading dock zone from the stream. Expecting version %d, but found %d." fullword wide
        // Markers shared with TopHat_Malware_Jan18_1
        $s4 = "WINMGMTS:\\\\.\\ROOT\\CIMV2" fullword ascii
        $s5 = "UENCRYPTION" fullword ascii
        $s6 = "TEXPORTAPIS" fullword ascii

    condition:
        // MZ header and size gate; then imphash AND 5-of-6 strings (both required)
        uint16(0) == 0x5a4d
        and filesize < 1000KB
        and (
            pe.imphash() == "f98cebcae832abc3c46e6e296aecfc03"
            and 5 of them
        )
}
/*
 * TopHat_BAT
 *
 * Scope: small script files (under 5 KB); there is deliberately no MZ check
 * because the target is a batch file (cgen.bat), not a PE.
 * All three strings are required: a PowerShell fragment that feeds a
 * base64-decoded blob into a MemoryStream, plus the batch label/goto pair.
 * Note that $s1 has no "fullword" modifier and so matches as a substring,
 * while $s2 and $s3 are whole-word matches.
 */
rule TopHat_BAT {
    meta:
        description = "Auto-generated rule - file cgen.bat"
        license = "https://creativecommons.org/licenses/by-nc/4.0/"
        author = "Florian Roth"
        reference = "https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/#appendix"
        date = "2018-01-29"
        hash1 = "f998271c4140caad13f0674a192093092e2a9f7794a7fbbdaa73ae8f2496c387"
        hash2 = "0fbc6fd653b971c8677aa17ecd2749200a4a563f9dd5409cfb26d320618db3e2"

    strings:
        // PowerShell: base64 payload wrapped in a MemoryStream (substring match, no fullword)
        $s1 = "= New-Object IO.MemoryStream(,[Convert]::FromBase64String(\"" ascii
        // Batch control flow around the launcher
        $s2 = "goto Start" fullword ascii
        $s3 = ":Start" fullword ascii

    condition:
        // Size gate plus every string present
        filesize < 5KB
        and all of them
}