valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-06 18:15:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
cd83f5a2b8
signature-base/yara/apt_turla_neuron.yar
Florian Roth fd13d0ba7c changed Neuron2 loader rule
2019-10-21 16:48:14 +02:00

137 lines
5.8 KiB
Plaintext
Raw Blame History

/*
Yara Rule Set
Author: NCSC UK
Date: 2017-11-23
Identifier: Turla Neuron
Reference: https://www.ncsc.gov.uk/alerts/turla-group-malware
*/
rule Neuron_common_strings {
meta:
description = "Rule for detection of Neuron based on commonly used strings"
author = "NCSC UK"
hash = "d1d7a96fcadc137e80ad866c838502713db9cdfe59939342b8e3beacf9c7fe29"
date = "2017/11/23"
reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware"
strings:
$strServiceName = "MSExchangeService" ascii
$strReqParameter_1 = "cadataKey" wide
/* $strReqParameter_2 = "cid" wide */ /* disabled due to performance reasons */
$strReqParameter_3 = "cadata" wide
$strReqParameter_4 = "cadataSig" wide
$strEmbeddedKey = "PFJTQUtleVZhbHVlPjxNb2R1bHVzPnZ3WXRKcnNRZjVTcCtWVG9Rb2xuaEVkMHVwWDFrVElFTUNTNEFnRkRCclNm clpKS0owN3BYYjh2b2FxdUtseXF2RzBJcHV0YXhDMVRYazRoeFNrdEpzbHljU3RFaHBUc1l4OVBEcURabVVZVklVb HlwSFN1K3ljWUJWVFdubTZmN0JTNW1pYnM0UWhMZElRbnl1ajFMQyt6TUhwZ0xmdEc2b1d5b0hyd1ZNaz08L01vZH VsdXM+PEV4cG9uZW50PkFRQUI8L0V4cG9uZW50PjwvUlNBS2V5VmFsdWU+" wide
$strDefaultKey = "8d963325-01b8-4671-8e82-d0904275ab06" wide
$strIdentifier = "MSXEWS" wide
$strListenEndpoint = "443/ews/exchange/" wide
$strB64RegKeySubstring = "U09GVFdBUkVcTWljcm9zb2Z0XENyeXB0b2dyYXBo" wide
$strName = "neuron_service" ascii
$dotnetMagic = "BSJB" ascii
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $dotnetMagic and 6 of ($str*)
}
rule Neuron_standalone_signature {
meta:
description = "Rule for detection of Neuron based on a standalone signature from .NET metadata"
author = "NCSC UK"
hash = "d1d7a96fcadc137e80ad866c838502713db9cdfe59939342b8e3beacf9c7fe29"
date = "2017/11/23"
reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware"
strings:
$a = { eb073d151231011234080e12818d1d051281311d1281211d1281211d128121081d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281 }
$dotnetMagic = "BSJB" ascii
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
}
rule Nautilus_modified_rc4_loop {
meta:
description = "Rule for detection of Nautilus based on assembly code for a modified RC4 loop"
author = "NCSC UK"
hash = "a415ab193f6cd832a0de4fcc48d5f53d6f0b06d5e13b3c359878c6c31f3e7ec3"
date = "2017/11/23"
reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware"
strings:
$a = {42 0F B6 14 04 41 FF C0 03 D7 0F B6 CA 8A 14 0C 43 32 14 13 41 88 12 49 FF C2 49 FF C9}
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $a
}
rule Nautilus_rc4_key {
meta:
description = "Rule for detection of Nautilus based on a hardcoded RC4 key"
author = "NCSC UK"
hash = "a415ab193f6cd832a0de4fcc48d5f53d6f0b06d5e13b3c359878c6c31f3e7ec3"
date = "2017/11/23"
reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware"
strings:
$key = {31 42 31 34 34 30 44 39 30 46 43 39 42 43 42 34 36 41 39 41 43 39 36 34 33 38 46 45 45 41 38 42}
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $key
}
rule Nautilus_common_strings {
meta:
description = "Rule for detection of Nautilus based on common plaintext strings"
author = "NCSC UK"
hash = "a415ab193f6cd832a0de4fcc48d5f53d6f0b06d5e13b3c359878c6c31f3e7ec3"
date = "2017/11/23"
reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware"
strings:
$ = "nautilus-service.dll" ascii
$ = "oxygen.dll" ascii
$ = "config_listen.system" ascii
$ = "ctx.system" ascii
$ = "3FDA3998-BEF5-426D-82D8-1A71F29ADDC3" ascii
$ = "C:\\ProgramData\\Microsoft\\Windows\\Caches\\{%s}.2.ver0x0000000000000001.db" ascii
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and 3 of them
}
/* Forensic Artifacts */
rule Nautilus_forensic_artificats {
meta:
description = "Rule for detection of Nautilus related strings"
author = "NCSC UK / Florian Roth"
date = "2017/11/23"
score = 60
reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware"
strings:
$ = "App_Web_juvjerf3.dll" fullword ascii
$ = "App_Web_vcplrg8q.dll" fullword ascii
$ = "ar_all2.txt" fullword ascii
$ = "ar_sa.txt" fullword ascii
$ = "Convert.FromBase64String(temp[1])" fullword ascii
$ = "D68gq#5p0(3Ndsk!" fullword ascii
$ = "dcomnetsrv" fullword ascii
$ = "ERRORF~1.ASP" fullword ascii
$ = "intelliAdminRpc" fullword ascii
$ = "J8fs4F4rnP7nFl#f" fullword ascii
$ = "Msnb.exe" fullword ascii
$ = "nautilus-service.dll"
$ = "Neuron_service" fullword ascii
$ = "owa_ar2.bat" fullword ascii
$ = "payload.x64.dll.system" fullword ascii
$ = "service.x64.dll.system" fullword ascii
condition:
1 of them
}
rule APT_Neuron2_Loader_Strings {
meta:
description = "Rule for detection of Neuron2 based on strings within the loader"
author = "NCSC"
referer = "https://otx.alienvault.com/pulse/5dad718fa5ec6c21e85c1c66"
hash = "51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927"
strings:
$ = "dcom_api" ascii
$ = "http://*:80/OWA/OAB/" ascii
$ = "https://*:443/OWA/OAB/" ascii
$ = "dcomnetsrv.cpp" wide
$ = "dcomnet.dll" ascii
$ = "D:\\Develop\\sps\\neuron2\\x64\\Release\\dcomnet.pdb" ascii
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and 2 of them
}
Reference in New Issue View Git Blame Copy Permalink