1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
import "pe"
rule IndiaBravo_PapaAlfa
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
strings:
$ = "pmsconfig.msi" wide
$ = "scvrit001.bat"
condition:
all of them
}
rule IndiaBravo_RomeoCharlie
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "58ad28ac4fb911abb6a20382456c4ad6fe5c8ee5.ex_"
Status = "Signature is too loose to be useful."
strings:
/*
50 push eax ; argp
68 7E 66 04 80 push 8004667Eh ; cmd
8B 8D DC FE FF FF mov ecx, [ebp+skt]
51 push ecx ; s
FF 15 58 31 41 00 call ioctlsocket
83 F8 FF cmp eax, 0FFFFFFFFh
75 08 jnz short loc_4043F0
*/
$a = {50 68 7E 66 04 80 8B 8D [4] 51 FF 15 [4] 83 F8 FF 75}
$b1 = "xc123465-efff-87cc-37abcdef9"
$b2 = "[Check] - PORT ERROR..." wide
$b3 = "%sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d"
condition:
2 of ($b*) or
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
rule IndiaBravo_RomeoBravo
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "6e3db4da27f12eaba005217eba7cd9133bc258c97fe44605d12e20a556775009"
strings:
/*
E8 C3 FE FF FF call generate64ByteRandomNumber
68 C8 01 00 00 push 1C8h ; dwLength
68 D8 E8 40 00 push offset g_Config ; pvBuffer
A3 80 EA 40 00 mov dword ptr g_Config.qwIdentifier, eax
89 15 84 EA 40 00 mov dword ptr g_Config.qwIdentifier+4, edx
E8 F9 E9 FF FF call DNSCALCDecode
83 C4 08 add esp, 8
8D 4C 24 08 lea ecx, [esp+214h+var_20C]
6A 00 push 0
51 push ecx
68 C8 01 00 00 push 1C8h
68 D8 E8 40 00 push offset g_Config
56 push esi
FF 15 74 E7 40 00 call WriteFile_9
56 push esi
FF 15 6C E7 40 00 call CloseHandle_9
*/
$a = {E8 [4] 68 [2] 00 00 68 [4] A3 [4] 89 15 [4] E8 [4] 83 C4 08 8D [3] 6A 00 5? 68 [2] 00 00 68 [4] 5? FF 15 [4] 5? FF 15}
$b1 = "tmscompg.msi" wide
$b2 = "cvrit000.bat"
condition:
2 of ($b*) or
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
rule IndiaBravo_generic
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
strings:
$extractDll = "[2] - Extract Dll..." wide
$createSvc = "[3] - CreateSVC..." wide
condition:
all of them
}