1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
rule shifu_shiz {
meta:
description = "Memory string yara for Shifu/Shiz"
author = "J from THL <j@techhelplist.com>"
reference1 = "https://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/"
reference2 = "https://beta.virusbay.io/sample/browse/24a6dfaa98012a839658c143475a1e46"
reference3 = "https://raw.githubusercontent.com/Neo23x0/signature-base/master/yara/crime_shifu_trojan.yar"
date = "2018-03-16"
maltype1 = "Banker"
maltype2 = "Keylogger"
maltype3 = "Stealer"
filetype = "memory"
strings:
$aa = "auth_loginByPassword" fullword ascii
$ab = "back_command" fullword ascii
$ac = "back_custom1" fullword ascii
$ad = "GetClipboardData" fullword ascii
$ae = "iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe" fullword ascii
$af = "mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe" fullword ascii
$ag = "svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe" fullword ascii
$ah = "!inject" fullword ascii
$ai = "!deactivebc" fullword ascii
$aj = "!kill_os" fullword ascii
$ak = "!load" fullword ascii
$al = "!new_config" fullword ascii
$am = "!activebc" fullword ascii
$an = "keylog.txt" fullword ascii
$ao = "keys_path.txt" fullword ascii
$ap = "pass.log" fullword ascii
$aq = "passwords.txt" fullword ascii
$ar = "Content-Disposition: form-data; name=\"file\"; filename=\"report\"" fullword ascii
$as = "Content-Disposition: form-data; name=\"pcname\"" fullword ascii
$at = "botid=%s&ver=" fullword ascii
$au = "action=auth&np=&login=" fullword ascii
$av = "&ctl00%24MainMenu%24Login1%24UserName=" fullword ascii
$aw = "&cvv=" fullword ascii
$ax = "&cvv2=" fullword ascii
$ay = "&domain=" fullword ascii
$az = "LOGIN_AUTHORIZATION_CODE=" fullword ascii
$ba = "name=%s&port=%u" fullword ascii
$bb = "PeekNamedPipe" fullword ascii
$bc = "[pst]" fullword ascii
$bd = "[ret]" fullword ascii
$be = "[tab]" fullword ascii
$bf = "[bks]" fullword ascii
$bg = "[del]" fullword ascii
$bh = "[ins]" fullword ascii
$bi = "&up=%u&os=%03u&rights=%s<ime=%s%d&token=%d&cn=" fullword ascii
condition:
18 of them
}