valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-06 18:15:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
0d1648a850
signature-base/yara/apt_winnti_hdroot.yar

80 lines
3.2 KiB
Plaintext
Raw Blame History

/*
Yara Rule Set
Author: Florian Roth
Date: 2017-07-07
Identifier: HDRoot
Reference: Winnti HDRoot VT
*/
/* Rule Set ----------------------------------------------------------------- */
rule HDRoot_Sample_Jul17_1 {
meta:
description = "Detects HDRoot samples"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Winnti HDRoot VT"
date = "2017-07-07"
hash1 = "6d2ad82f455becc8c830d000633a370857928c584246a7f41fe722cc46c0d113"
strings:
$s1 = "gleupdate.dll" fullword ascii
$s2 = "\\DosDevices\\%ws\\system32\\%ws" fullword wide
$s3 = "l\\Driver\\nsiproxy" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 60KB and 3 of them )
}
rule HDRoot_Sample_Jul17_2 {
meta:
description = "Detects HDRoot samples"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Winnti HDRoot VT"
date = "2017-07-07"
super_rule = 1
hash1 = "1c302ed9786fc600073cc6f3ed2e50e7c23785c94a2908f74f92971d978b704b"
hash2 = "3b7cfa40e26fb6b079b55ec030aba244a6429e263a3d9832e32ab09e7a3c4a9c"
hash3 = "71eddf71a94c5fd04c9f3ff0ca1eb6b1770df1a3a8f29689fb8588427b5c9e8e"
hash4 = "80e088f2fd2dbde0f9bc21e056b6521991929c4e0ecd3eb5833edff6362283f4"
strings:
$x1 = "http://microsoftcompanywork.htm" fullword ascii
$x2 = "compose.aspx?s=%4X%4X%4X%4X%4X%4X" fullword ascii
$t1 = "http://babelfish.yahoo.com/translate_url?" fullword ascii
$t2 = "http://translate.google.com/translate?prev=hp&hl=en&js=n&u=%s?%d&sl=es&tl=en" fullword ascii
$u1 = "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.5." ascii
$u2 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)" fullword ascii
$u3 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; TERA:" fullword ascii
$s1 = "\\system32\\ntoskrnl.exe" fullword ascii
$s2 = "Schedsvc.dll" fullword wide
$s3 = "dllserver64.dll" fullword ascii
$s4 = "C:\\TERA_SR.txt" fullword ascii
$s5 = "updatevnsc.dat" fullword wide
$s6 = "tera dll service global event" fullword ascii
$s7 = "Referer: http://%s/%s" fullword ascii
$s8 = "tera replace dll config" fullword ascii
$s9 = "SetupDll64.dll" fullword ascii
$s10 = "copy %%ComSpec%% \"%s\"" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 300KB and ( 1 of ($x*) or all of ($u*) or 8 of them )
}
rule Unspecified_Malware_Jul17_1A {
meta:
description = "Detects samples of an unspecified malware - July 2017"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Winnti HDRoot VT"
date = "2017-07-07"
hash1 = "e1c38142b6194237a4cd4603829aa6edb6436e7bba15e3e6b0c9e8c6b629b42b"
strings:
$s1 = "%SystemRoot%\\System32\\wuauserv.dll" fullword ascii
$s2 = "systemroot%\\system32\\wuauserv.dll" fullword ascii
$s3 = "ocgen.logIN" fullword wide
$s4 = "ocmsn.logIN" fullword wide
$s5 = "Install.log" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 900KB and all of them )
}
Reference in New Issue View Git Blame Copy Permalink