/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
// Shared UTF-16LE (wide) string artifacts common to both Surtr stage-2 variants.
// This rule is a building block: the composite rules GmRemote and Remote below
// combine it with the variant-specific string sets.
// NOTE(review): "soul" and the "%sBurn%s" format string are short/generic; with
// `any of them` this rule can fire on benign binaries when used on its own.
// Prefer the composite rules for alerting, or consider tightening to `2 of them`.
// NOTE(review): the `pe` module imported at the top of the file is not referenced
// by any rule in this ruleset.
rule RSharedStrings : Surtr Family {
meta:
description = "identifiers for remote and gmremote"
author = "Katie Kleemola"
last_updated = "07-21-2014"
strings:
$ = "nView_DiskLoydb" wide
$ = "nView_KeyLoydb" wide
$ = "nView_skins" wide
$ = "UsbLoydb" wide
$ = "%sBurn%s" wide
// generic token -- see the note above
$ = "soul" wide
condition:
any of them
}
// Strings specific to the "Remote" stage-2 variant (remote.dll).
// The ASCII patterns are bracketed with \x00 so they only match as whole,
// NUL-terminated tokens rather than as substrings of longer identifiers.
// The third pattern fuses "ServiceMain" with a "_K_H_K_UH" token; presumably
// adjacent entries in a name table -- matching is byte-exact on that sequence.
rule RemoteStrings : Remote Variant Surtr Family {
meta:
description = "indicators for remote.dll - surtr stage 2"
author = "Katie Kleemola"
last_updated = "07-21-2014"
strings:
$ = "\x00Remote.dll\x00"
// only the leading NUL is anchored: class-qualified name prefix
$ = "\x00CGm_PlugBase::"
$ = "\x00ServiceMain\x00_K_H_K_UH\x00"
$ = "\x00_Remote_\x00" wide
condition:
any of them
}
// Strings specific to the "GmRemote" stage-2 variant (x86_GmRemote.dll).
// NUL-bracketed ASCII tokens are whole-string matches; the wide strings are
// UTF-16LE. The D:\Project\... entry is a source-file path left in the binary,
// presumably a build artifact -- a strong indicator, but one a rebuilt sample
// could drop.
rule GmRemoteStrings : GmRemote Variant Family Surtr {
meta:
description = "identifiers for gmremote: surtr stage 2"
author = "Katie Kleemola"
last_updated = "07-21-2014"
strings:
$ = "\x00x86_GmRemote.dll\x00"
// embedded source path (backslashes are escaped for the YARA string)
$ = "\x00D:\\Project\\GTProject\\Public\\List\\ListManager.cpp\x00"
// Gm*Point tokens: plug-in entry-point style names
$ = "\x00GmShutPoint\x00"
$ = "\x00GmRecvPoint\x00"
$ = "\x00GmInitPoint\x00"
$ = "\x00GmVerPoint\x00"
$ = "\x00GmNumPoint\x00"
$ = "_Gt_Remote_" wide
// format string: directory prefix + "Burn\workdll.tmp"
$ = "%sBurn\\workdll.tmp" wide
condition:
any of them
}
// Composite identifier for the GmRemote stage-2 variant.
// Requires a hit from the shared string set AND the GmRemote-specific set, which
// offsets the weak standalone "soul" string in RSharedStrings.
// Both referenced rules are defined earlier in this file, as YARA requires.
rule GmRemote : Family Surtr Variant GmRemote {
meta:
description = "identifier for gmremote"
author = "Katie Kleemola"
last_updated = "07-25-2014"
condition:
RSharedStrings and GmRemoteStrings
}
// Composite identifier for the Remote stage-2 variant.
// Requires a hit from the shared string set AND the remote.dll-specific set;
// mirrors the GmRemote rule above.
rule Remote : Family Surtr Variant Remote {
meta:
description = "identifier for remote"
author = "Katie Kleemola"
last_updated = "07-25-2014"
condition:
RSharedStrings and RemoteStrings
}
// String artifacts for Surtr stage 1 (dropper/installer components).
// Mix of NUL-anchored whole tokens and unanchored ASCII substrings.
// NOTE(review): several entries are short unanchored substrings ("Prod.t",
// "Proe.t", "Burn\") and will match unrelated files under `any of them`;
// this rule feeds the Surtr rule below via `or`, so that rule inherits the
// same false-positive exposure.
rule SurtrStrings : Surtr Family {
meta:
author = "Katie Kleemola"
description = "Strings for Surtr"
last_updated = "2014-07-16"
strings:
// NUL-bracketed here (unlike the wide "soul" in RSharedStrings)
$ = "\x00soul\x00"
$ = "\x00InstallDll.dll\x00"
$ = "\x00_One.dll\x00"
$ = "_Fra.dll"
$ = "CrtRunTime.log"
$ = "Prod.t"
$ = "Proe.t"
// directory-name fragments, trailing backslash included
$ = "Burn\\"
$ = "LiveUpdata_Mem\\"
condition:
any of them
}
// Code-level (hex) signatures for Surtr stage 1. These cover samples where the
// plaintext strings of SurtrStrings are absent because the strings are built
// byte-by-byte at runtime. `??` is a one-byte wildcard, `[3]` a three-byte jump.
rule SurtrCode : Surtr Family {
meta:
author = "Katie Kleemola"
description = "Code features for Surtr Stage1"
last_updated = "2014-07-16"
strings:
//decrypt config
// Reads as a byte-wise loop: mov r8,[..] / test / jz / cmp al,1 / jz /
// xor al,1 / mov [..],r8 / inc ecx / cmp / jb -- i.e. a single-byte
// XOR-with-1 decode that skips bytes equal to 1 (x86 opcode reading; confirm
// against a disassembly if the pattern is retuned).
$ = { 8A ?? ?? 84 ?? ?? 74 ?? 3C 01 74 ?? 34 01 88 41 3B ?? 72 ?? }
//if Burn folder name is not in strings
// C6 is x86 `mov r/m8, imm8`; the immediates 42 75 72 6E 5C spell "Burn\",
// so this catches the folder name assembled one character at a time.
$ = { C6 [3] 42 C6 [3] 75 C6 [3] 72 C6 [3] 6E C6 [3] 5C }
//mov char in _Fire
// Same construction: immediates 5F 46 69 72 65 2E 64 spell "_Fire.d".
$ = { C6 [3] 5F C6 [3] 46 C6 [3] 69 C6 [3] 72 C6 [3] 65 C6 [3] 2E C6 [3] 64 }
condition:
any of them
}
// Top-level identifier for Surtr stage 1: either the string set or the code
// patterns is sufficient.
// NOTE(review): because SurtrStrings matches on `any of` several short
// substrings, this rule's precision is bounded by that rule; the SurtrCode
// patterns are the higher-confidence half of the disjunction.
rule Surtr : Family {
meta:
author = "Katie Kleemola"
description = "Rule for Surtr Stage One"
last_updated = "2014-07-16"
condition:
SurtrStrings or SurtrCode
}