mirror of
https://github.com/valitydev/signature-base.git
synced 2024-11-07 02:25:19 +00:00
befb06c4a1
https://www.alienvault.com/blogs/labs-research/a-north-korean-monero-cryptocurrency-miner
39 lines
1.6 KiB
Plaintext
39 lines
1.6 KiB
Plaintext
/*
|
|
Yara Rule Set
|
|
Author: Florian Roth
|
|
Date: 2018-01-09
|
|
Identifier: NK Miner Malware
|
|
Reference: https://goo.gl/PChE1z
|
|
*/
|
|
|
|
/* Rule Set ----------------------------------------------------------------- */
|
|
|
|
rule NK_Miner_Malware_Jan18_1 {
|
|
meta:
|
|
description = "Detects Noth Korean Monero Miner mentioned in AlienVault report"
|
|
author = "Florian Roth (original rule by Chris Doman)"
|
|
reference = "https://goo.gl/PChE1z"
|
|
date = "2018-01-09"
|
|
hash1 = "0024e32c0199ded445c0b968601f21cc92fc0c534d2642f2dd64c1c978ff01f3"
|
|
hash2 = "42300b6a09f183ae167d7a11d9c6df21d022a5f02df346350d3d875d557d3b76"
|
|
strings:
|
|
$x0 = "c:\\users\\jawhar\\documents\\" ascii
|
|
$x1 = "C:\\Users\\Jawhar\\documents\\" ascii
|
|
$x2 = "The number of processors on this computer is {0}." fullword wide
|
|
$x3 = { 00 00 1F 43 00 3A 00 5C 00 4E 00 65 00 77 00 44
|
|
00 69 00 72 00 65 00 63 00 74 00 6F 00 72 00 79
|
|
00 00 }
|
|
$x4 = "Le fichier Hello txt n'existe pas" fullword wide
|
|
$x5 = "C:\\NewDirectory2\\info2" fullword wide
|
|
|
|
/* Incorported from Chris Doman's rule - https://goo.gl/PChE1z*/
|
|
$a = "82e999fb-a6e0-4094-aa1f-1a306069d1a5" ascii
|
|
$b = "4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS" ascii
|
|
$c = "barjuok.ryongnamsan.edu.kp" wide ascii
|
|
$d = "C:\\SoftwaresInstall\\soft" wide ascii
|
|
$e = "C:\\Windows\\Sys64\\intelservice.exe" wide ascii
|
|
$f = "C:\\Windows\\Sys64\\updater.exe" wide ascii
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 30KB and 1 of them
|
|
}
|