// ROKRAT_loader: detects the 32-bit loader/shellcode stub seen alongside ROKRAT.
// Three independent ways to fire (see condition):
//   1. generic loader traits: a script-host name ($n*), injection-related API
//      names ($s*) and the hand-written code fragments ($b*);
//   2. the complete set of plaintext API-name hash pushes ($hpt*);
//   3. the same hash pushes XOR-encoded with key 0x13 ($henc*).
rule ROKRAT_loader : TAU DPRK APT
{
meta:
author = "CarbonBlack Threat Research" //JMyers
date = "2018-Jan-11"
description = "Designed to catch loader observed used with ROKRAT malware"
reference = "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/"
rule_version = 1
yara_version = "3.7.0"
TLP = "White"
exemplar_hashes = "e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd"
strings:
// Process names the loader is observed to reference (ASCII only; no `wide`).
$n1 = "wscript.exe"
$n2 = "cmd.exe"
// Imported/resolved API names typical of resource-extract-and-inject loaders.
// These are common to many legitimate binaries, which is why the condition
// also requires the code fragments ($b*) before this branch fires.
$s1 = "CreateProcess"
$s2 = "VirtualAlloc"
$s3 = "WriteProcessMemory"
$s4 = "CreateRemoteThread"
$s5 = "LoadResource"
$s6 = "FindResource"
// Position-independent "get PC" idiom: xor ecx,ecx / xor eax,eax / call $+5 / pop esi.
$b1 = {33 C9 33 C0 E8 00 00 00 00 5E} //Clear Register, call+5, pop ESI
// mov ecx, imm32 followed by sub ecx, imm32 (0x81 0xE9 ...).
// NOTE(review): in regex syntax the trailing `?` makes the 0xE9 byte optional,
// so this also matches 0x81 followed by any three bytes then 0x00 — confirm that
// was intended and not a hex-string `??` wildcard carried into regex form.
$b2 = /\xB9.{3}\x00\x81\xE9?.{3}\x00/ //subtraction for encoded data offset
//the above regex could slow down scanning
$b3 = {03 F1 83 C6 02} //Fix up position
$b4 = {3E 8A 06 34 90 46} //XOR decode Key
$b5 = {3E 30 06 46 49 83 F9 00 75 F6} //XOR routine and jmp to code
//push api hash values plain text
// Each is `push imm32` (0x68) with a precomputed API-name hash; the loader
// resolves imports by hash rather than by name, so no import table is needed.
$hpt_1 = {68 EC 97 03 0C} //api name hash value – Global Alloc
$hpt_2 = {68 54 CA AF 91} //api name hash value – Virtual Alloc
$hpt_3 = {68 8E 4E 0E EC} //api name hash value – Load Library
$hpt_4 = {68 AA FC 0D 7C} //api name hash value – GetProc Addr
$hpt_5 = {68 1B C6 46 79} //api name hash value – Virtual Protect
$hpt_6 = {68 F6 22 B9 7C} //api name hash value – Global Free
//push api hash values encoded XOR 0x13
// Same pushes after a single-byte XOR with 0x13 (0x68 ^ 0x13 == 0x7B), covering
// samples where the stub is stored encoded and decoded by the routine in $b5.
$henc_1 = {7B FF 84 10 1F} //api name hash value – Global Alloc
$henc_2 = {7B 47 D9 BC 82} //api name hash value – Virtual Alloc
$henc_3 = {7B 9D 5D 1D EC} //api name hash value – Load Library
$henc_4 = {7B B9 EF 1E 6F} //api name hash value – GetProc Addr
$henc_5 = {7B 08 D5 55 6A} //api name hash value – Virtual Protect
$henc_6 = {7B E5 31 AA 6F} //api name hash value – Global Free
condition:
// Generic branch needs one process name, four of six API names and four of
// five code fragments; either full hash-push set is sufficient on its own.
(1 of ($n*) and 4 of ($s*) and 4 of ($b*)) or all of ($hpt*) or all of ($henc*)
}
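// ROKRAT_payload: detects the ROKRAT payload itself (not the loader) by the
// cloud-storage API endpoints, anti-analysis DLL names and format strings it
// carries. Most URL/format strings are UTF-16LE (`wide`); DLL names are ASCII.
rule ROKRAT_payload : TAU DPRK APT
{
meta:
author = "CarbonBlack Threat Research" //JMyers
date = "2018-Jan-11"
// Fixed: the description was copied from ROKRAT_loader and said "loader".
description = "Designed to catch payload observed used with ROKRAT malware"
reference = "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/"
rule_version = 1
yara_version = "3.7.0"
TLP = "White"
exemplar_hashes = "e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573"
strings:
// Cloud-storage endpoints used for C2 / exfiltration (box, pCloud, Yandex Disk).
$s1 = "api.box.com/oauth2/token" wide
$s2 = "upload.box.com/api/2.0/files/content" wide
$s3 = "api.pcloud.com/uploadfile?path=%s&filename=%s&nopartial=1" wide
$s4 = "cloud-api.yandex.net/v1/disk/resources/download?path=%s" wide
// DLL names checked by the sample; presumably sandbox/analysis-tool detection
// (SbieDll.dll belongs to Sandboxie; the others are consistent with monitoring
// hooks) — confirm against the reference write-up.
$s5 = "SbieDll.dll"
$s6 = "dbghelp.dll"
$s7 = "api_log.dll"
$s8 = "dir_watch.dll"
// Output file-name templates (e.g. captured images) and a credential POST body.
$s9 = "def_%s.jpg" wide
$s10 = "pho_%s_%d.jpg" wide
$s11 = "login=%s&password=%s&login_submit=Authorizing" wide
$s12 = "gdiplus.dll"
// Literal text strings, not YARA regexes: the sample embeds these patterns for
// its own header parsing. `\\` in YARA text syntax matches a single backslash.
$s13 = "Set-Cookie:\\b*{.+?}\\n" wide
$s14 = "charset={[A-Za-z0-9\\-_]+}" wide
condition:
// High threshold (12 of 14) keeps the rule specific despite several strings
// (dbghelp.dll, gdiplus.dll) being common in benign binaries.
12 of ($s*)
}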