valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-06 18:15:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
8f48aa959b
signature-base/yara/apt_ghostdragon_gh0st_rat.yar
Florian Roth ece1450481 Gh0st Dragon RAT
2016-04-27 13:36:53 +02:00

88 lines
3.0 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*
Yara Rule Set
Author: Florian Roth
Date: 2016-04-23
Identifier: Ghost Dragon Gh0st RAT
*/
rule GhostDragon_Gh0stRAT {
meta:
description = "Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report"
author = "Florian Roth"
reference = "https://blog.cylance.com/the-ghost-dragon"
date = "2016-04-23"
hash1 = "f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197"
hash2 = "99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2"
hash3 = "6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df"
hash4 = "b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5"
strings:
$x1 = "REG ADD HKEY_LOCAL_MACHINE\\%s /v ServiceDll /t REG_EXPAND_SZ /d \"%s\"" fullword ascii
$x2 = "Global\\REALCHEL_GLOBAL_SUBMIT_20031020_" fullword ascii
$x3 = "\\xclolg2.tmp" fullword ascii
$x4 = "Http/1.1 403 Forbidden" fullword ascii
$x5 = "%sxsd%d.pif" fullword ascii
$x6 = "%s\\%s32.dl_" fullword ascii
$x7 = "%-23s %-16s 0x%x(%02d)" fullword ascii
$x8 = "RegSetValueEx(start)" fullword ascii
$x9 = "%s\\%s64.dl_" fullword ascii
$x10 = "$#REGMASTERKEY$WebCat was successfully started" fullword wide
$s1 = "viewsc.dll" fullword ascii
$s2 = "Proxy-Connection: Keep-Alive" fullword ascii
$s3 = "\\sfc_os.dll" fullword ascii
$s4 = "Mozilla/4.0 (compatible)" fullword ascii
$s5 = "Http/1.1 403 Forbidden" fullword ascii
$s6 = "CONNECT %s:%d HTTP/1.1" fullword ascii
$s7 = "WindowsUpperVersion" fullword ascii
$s8 = "[%d-%d-%d %d:%d:%d] (%s)" fullword ascii
$s9 = "SOFTWARE\\Microsoft\\DataAccess\\%s" fullword ascii
$s10 = "%s sp%d(%d)" fullword ascii
$s11 = "OpenSC ERROR " fullword ascii
$s12 = "get rgspath error " fullword ascii
$s13 = "Global\\GLOBAL_SUBMIT_0234_" fullword ascii
$s14 = "Global\\_vc_ck_ %d" fullword ascii
condition:
(
uint16(0) == 0x5a4d and filesize < 500KB
and (
1 of ($x*) or 4 of ($s*)
)
) or ( 6 of them )
}
rule GhostDragon_Gh0stRAT_Sample2 {
meta:
description = "Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report"
author = "Florian Roth"
reference = "https://blog.cylance.com/the-ghost-dragon"
date = "2016-04-23"
hash1 = "71a52058f6b5cef66302c19169f67cf304507b4454cca83e2c36151da8da1d97"
strings:
$x1 = "AdobeWpk" fullword ascii
$x2 = "seekin.dll" fullword ascii
$c1 = "Windows NT 6.1; Trident/6.0)" fullword ascii
$c2 = "Mozilla/5.0 (compatible; MSIE 10.0; " fullword ascii
condition:
(
uint16(0) == 0x5a4d and filesize < 80KB and (
all of ($x*) or all of ($c*)
)
) or ( all of them )
}
rule GhostDragon_Gh0stRAT_Sample3 {
meta:
description = "Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report"
author = "Florian Roth"
reference = "https://blog.cylance.com/the-ghost-dragon"
date = "2016-04-23"
hash1 = "1be9c68b31247357328596a388010c9cfffadcb6e9841fb22de8b0dc2d161c42"
strings:
$op1 = { 44 24 15 65 88 54 24 16 c6 44 24 }
$op2 = { 44 24 1b 43 c6 44 24 1c 75 88 54 24 1e }
$op3 = { 1e 79 c6 44 24 1f 43 c6 44 24 20 75 88 54 24 22 }
condition:
all of them
}
Reference in New Issue View Git Blame Copy Permalink