mirror of
https://github.com/valitydev/signature-base.git
synced 2024-11-06 10:05:18 +00:00
89 lines
3.3 KiB
Plaintext
89 lines
3.3 KiB
Plaintext
/*
|
|
Yara Rule Set
|
|
Author: Florian Roth
|
|
Date: 2017-08-01
|
|
Identifier: Foudre
|
|
Reference: https://goo.gl/Nbqbt6
|
|
*/
|
|
|
|
/* Rule Set ----------------------------------------------------------------- */
|
|
|
|
import "pe"
|
|
|
|
rule Foudre_Backdoor_1 {
|
|
meta:
|
|
description = "Detects Foudre Backdoor"
|
|
license = "https://creativecommons.org/licenses/by-nc/4.0/"
|
|
author = "Florian Roth"
|
|
reference = "https://goo.gl/Nbqbt6"
|
|
date = "2017-08-01"
|
|
hash1 = "7e73a727dc8f3c48e58468c3fd0a193a027d085f25fa274a6e187cf503f01f74"
|
|
hash2 = "7ce2c5111e3560aa6036f98b48ceafe83aa1ac3d3b33392835316c859970f8bc"
|
|
strings:
|
|
$s1 = "initialization failed: Reinstall the program" fullword wide
|
|
$s2 = "SnailDriver V1" fullword wide
|
|
$s3 = "lp.ini" fullword wide
|
|
condition:
|
|
( uint16(0) == 0x5a4d and filesize < 100KB and 2 of them )
|
|
}
|
|
|
|
rule Foudre_Backdoor_Dropper_1 {
|
|
meta:
|
|
description = "Detects Foudre Backdoor"
|
|
license = "https://creativecommons.org/licenses/by-nc/4.0/"
|
|
author = "Florian Roth"
|
|
reference = "https://goo.gl/Nbqbt6"
|
|
date = "2017-08-01"
|
|
hash1 = "6bc9f6ac2f6688ed63baa29913eaf8c64738cf19933d974d25a0c26b7d01b9ac"
|
|
hash2 = "da228831089c56743d1fbc8ef156c672017cdf46a322d847a270b9907def53a5"
|
|
strings:
|
|
$x1 = "536F594A96C5496CB3949A4DA4775B576E049C57696E646F77735C43757272656E7456657273696F6E5C5C52756E" fullword wide
|
|
$x2 = "2220263024C380B3278695851482EC32" fullword wide
|
|
|
|
$s1 = "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\\\Startup\\" fullword wide
|
|
$s2 = "C:\\Documents and Settings\\All Users\\" fullword wide
|
|
$s3 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\\\Shell Folders" fullword wide
|
|
$s4 = "ShellExecuteW" fullword wide
|
|
condition:
|
|
( uint16(0) == 0x5a4d and filesize < 100KB and ( 1 of ($x*) or 4 of them ) )
|
|
}
|
|
|
|
rule Foudre_Backdoor_Component_1 {
|
|
meta:
|
|
description = "Detects Foudre Backdoor"
|
|
license = "https://creativecommons.org/licenses/by-nc/4.0/"
|
|
author = "Florian Roth"
|
|
reference = "https://goo.gl/Nbqbt6"
|
|
date = "2017-08-01"
|
|
hash1 = "7c6206eaf0c5c9c6c8d8586a626b49575942572c51458575e51cba72ba2096a4"
|
|
hash2 = "db605d501d3a5ca2b0e3d8296d552fbbf048ee831be21efca407c45bf794b109"
|
|
strings:
|
|
/* $s1 = "Project1.dll" fullword ascii */
|
|
/* Better: Project1.dll\x00D1 */
|
|
$s1 = { 50 72 6F 6A 65 63 74 31 2E 64 6C 6C 00 44 31 }
|
|
$s2 = "winmgmts:\\\\localhost\\root\\SecurityCenter2" fullword wide
|
|
$s3 = "C:\\Documents and Settings\\All Users\\" fullword wide
|
|
condition:
|
|
( uint16(0) == 0x5a4d and filesize < 2000KB and
|
|
( 3 of them ) or
|
|
( 2 of them and pe.exports("D1") )
|
|
)
|
|
}
|
|
|
|
rule Foudre_Backdoor_SFX {
|
|
meta:
|
|
description = "Detects Foudre Backdoor SFX"
|
|
license = "https://creativecommons.org/licenses/by-nc/4.0/"
|
|
author = "Florian Roth"
|
|
reference = "https://goo.gl/Nbqbt6"
|
|
date = "2017-08-01"
|
|
hash1 = "2b37ce9e31625d8b9e51b88418d4bf38ed28c77d98ca59a09daab01be36d405a"
|
|
hash2 = "4d51a0ea4ecc62456295873ff135e4d94d5899c4de749621bafcedbf4417c472"
|
|
strings:
|
|
$s1 = "main.exe" fullword ascii
|
|
$s2 = "pub.key" fullword ascii
|
|
$s3 = "WinRAR self-extracting archive" fullword wide
|
|
condition:
|
|
( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )
|
|
}
|