/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-05-25
Identifier: Kaspersky Report on threats involving CVE-2015-2545
*/
/* Rule Set ----------------------------------------------------------------- */
rule Mal_Dropper_httpEXE_from_CAB : Dropper {
    /* PE dropper extracted from the CAB referenced in the report; both
       strings are required, so it is a fairly narrow signature. */
    meta:
        description = "Detects a dropper from a CAB file mentioned in the article"
        author = "Florian Roth"
        reference = "https://goo.gl/13Wgy1"
        date = "2016-05-25"
        score = 60
        hash1 = "9e7e5f70c4b32a4d5e8c798c26671843e76bb4bd5967056a822e982ed36e047b"
    strings:
        $s1 = "029.Hdl" fullword ascii
        $s2 = "http.exe" fullword ascii
    condition:
        /* MZ header and size bound gate every match; both strings must be present */
        uint16(0) == 0x5a4d
        and filesize < 1000KB
        and $s1 and $s2
}
rule Mal_http_EXE : Trojan {
    /* Trojan from the report ("http.exe"). Two match paths: a strong path that
       needs three $x indicators regardless of header/size, and a gated path
       (PE header + size bound) that needs one $x plus two generic $s strings. */
    meta:
        description = "Detects trojan from APT report named http.exe"
        author = "Florian Roth"
        reference = "https://goo.gl/13Wgy1"
        date = "2016-05-25"
        score = 80
        hash1 = "ad191d1d18841f0c5e48a5a1c9072709e2dd6359a6f6d427e0de59cfcd1d9666"
    strings:
        /* high-confidence indicators: upload form field, drop paths, log line formats */
        $x1 = "Content-Disposition: form-data; name=\"file1\"; filename=\"%s\"" fullword ascii
        $x2 = "%ALLUSERSPROFILE%\\Accessories\\wordpade.exe" fullword ascii
        $x3 = "\\dumps.dat" fullword ascii
        $x4 = "\\wordpade.exe" fullword ascii
        $x5 = "\\%s|%s|4|%d|%4d-%02d-%02d %02d:%02d:%02d|" fullword ascii
        $x6 = "\\%s|%s|5|%d|%4d-%02d-%02d %02d:%02d:%02d|" fullword ascii
        $x7 = "cKaNBh9fnmXgJcSBxx5nFS+8s7abcQ==" fullword ascii /* base64-looking token */
        $x8 = "cKaNBhFLn1nXMcCR0RlbMQ==" fullword ascii /* base64-looking token */
        /* supporting strings: Firefox credential-store access and SQLite/OS strings,
           generic on their own, hence only counted alongside an $x hit */
        $s1 = "SELECT * FROM moz_logins;" fullword ascii
        $s2 = "makescr.dat" fullword ascii
        $s3 = "%s\\Mozilla\\Firefox\\profiles.ini" fullword ascii
        $s4 = "?moz-proxy://" fullword ascii
        $s5 = "[%s-%s] Title: %s" fullword ascii
        $s6 = "Cforeign key mismatch - \"%w\" referencing \"%w\"" fullword ascii
        $s7 = "Windows 95 SR2" fullword ascii
        $s8 = "\\|%s|0|0|" fullword ascii
    condition:
        /* strong path: three $x strings are enough on their own */
        3 of ($x*)
        or
        /* gated path: PE header, size bound, one $x and two $s */
        (
            uint16(0) == 0x5a4d
            and filesize < 2000KB
            and 1 of ($x*)
            and 2 of ($s*)
        )
}
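rule Mal_PotPlayer_DLL : dll {
    /* Malicious PotPlayer.dll from the report. Matches either the PDB path
       ($x1) or both generic strings ($s3, $s4); every path is gated by the
       PE header and size bound. */
    meta:
        description = "Detects a malicious PotPlayer.dll"
        author = "Florian Roth"
        reference = "https://goo.gl/13Wgy1"
        date = "2016-05-25"
        score = 70
        hash1 = "705409bc11fb45fa3c4e2fa9dd35af7d4613e52a713d9c6ea6bc4baff49aa74a"
    strings:
        /* build-path artefact, specific enough to stand alone */
        $x1 = "C:\\Users\\john\\Desktop\\PotPlayer\\Release\\PotPlayer.pdb" fullword ascii
        /* generic strings; a legitimate player or any text file can carry them */
        $s3 = "PotPlayer.dll" fullword ascii
        $s4 = "\\update.dat" fullword ascii
    condition:
        /* The original condition was "A and B and $x1 or all of ($s*)"; YARA binds
           "and" tighter than "or", so the $s branch was not gated by the PE header
           or size check and could fire on any file containing the two generic
           strings. The parentheses apply the gate to both branches. */
        uint16(0) == 0x5a4d
        and filesize < 200KB
        and ( $x1 or all of ($s*) )
}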