1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule DarkComet_1 : RAT
{
meta:
description = "DarkComet RAT"
author = "botherder https://github.com/botherder"
strings:
$bot1 = /(#)BOT#OpenUrl/ wide ascii
$bot2 = /(#)BOT#Ping/ wide ascii
$bot3 = /(#)BOT#RunPrompt/ wide ascii
$bot4 = /(#)BOT#SvrUninstall/ wide ascii
$bot5 = /(#)BOT#URLDownload/ wide ascii
$bot6 = /(#)BOT#URLUpdate/ wide ascii
$bot7 = /(#)BOT#VisitUrl/ wide ascii
$bot8 = /(#)BOT#CloseServer/ wide ascii
$ddos1 = /(D)DOSHTTPFLOOD/ wide ascii
$ddos2 = /(D)DOSSYNFLOOD/ wide ascii
$ddos3 = /(D)DOSUDPFLOOD/ wide ascii
$keylogger1 = /(A)ctiveOnlineKeylogger/ wide ascii
$keylogger2 = /(U)nActiveOnlineKeylogger/ wide ascii
$keylogger3 = /(A)ctiveOfflineKeylogger/ wide ascii
$keylogger4 = /(U)nActiveOfflineKeylogger/ wide ascii
$shell1 = /(A)CTIVEREMOTESHELL/ wide ascii
$shell2 = /(S)UBMREMOTESHELL/ wide ascii
$shell3 = /(K)ILLREMOTESHELL/ wide ascii
condition:
4 of ($bot*) or all of ($ddos*) or all of ($keylogger*) or all of ($shell*)
}
rule DarkComet_2 : rat
{
meta:
description = "DarkComet"
author = "Jean-Philippe Teissier / @Jipe_"
date = "2013-01-12"
filetype = "memory"
version = "1.0"
strings:
$a = "#BEGIN DARKCOMET DATA --"
$b = "#EOF DARKCOMET DATA --"
$c = "DC_MUTEX-"
$k1 = "#KCMDDC5#-890"
$k2 = "#KCMDDC51#-890"
condition:
any of them
}
rule DarkComet_3 : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/DarkComet"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
// Versions 2x
$a1 = "#BOT#URLUpdate"
$a2 = "Command successfully executed!"
$a3 = "MUTEXNAME" wide
$a4 = "NETDATA" wide
// Versions 3x & 4x & 5x
$b1 = "FastMM Borland Edition"
$b2 = "%s, ClassID: %s"
$b3 = "I wasn't able to open the hosts file"
$b4 = "#BOT#VisitUrl"
$b5 = "#KCMDDC"
condition:
all of ($a*) or all of ($b*)
}
rule DarkComet_Keylogger_File : RAT
{
meta:
author = "Florian Roth"
description = "Looks like a keylogger file created by DarkComet Malware"
date = "25.07.14"
reference = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
score = 50
strings:
$magic = "::"
$entry = /\n:: [A-Z]/
$timestamp = /\([0-9]?[0-9]:[0-9][0-9]:[0-9][0-9] [AP]M\)/
condition:
($magic at 0) and #entry > 10 and #timestamp > 10
}
rule DarkComet_4 : RAT
{ meta:
reference = "https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara"
strings:
$a1 = "#BOT#"
$a2 = "WEBCAMSTOP"
$a3 = "UnActiveOnlineKeyStrokes"
$a4 = "#SendTaskMgr"
$a5 = "#RemoteScreenSize"
$a6 = "ping 127.0.0.1 -n 4 > NUL &&"
condition:
all of them
}
rule DarkComet_5
{
meta:
maltype = "DarkComet RAT"
author = "https://github.com/reed1713"
description = "Malware creates the MSDCSC directory, which is a common path utilized by DarkComet, as well as the mutex pattern."
strings:
$type="Microsoft-Windows-Security-Auditing"
$eventid="4688"
$data=/AppData\\Local\\Temp\\MSDCSC\\.+\.exe/
$type1="Microsoft-Windows-Security-Auditing"
$eventid1="4674"
$data1=/DC_MUTEX-[0-9A-Z]{7}/
condition:
($type and $eventid and $data) or ($type1 and $eventid1 and $data1)
}