Skip to content

R
rules
Switch branch/tag
Find file
BlameHistoryPermalink
APT_Grasshopper.yar 2.97 KB
Edit
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 
/*
Set of rules for Grasshopper APT.
Infected DLL hashes of Stolen Goods 2.1.
Ref: https://wikileaks.org/vault7/document/StolenGoods-2_1-UserGuide/StolenGoods-2_1-UserGuide.pdf

Author: Jaume Martin
Date: 07-04-2017
*/

import "hash"

rule Control32 {
    meta:
        author = "Jaume Martin"
    condition:
        hash.md5(0, filesize) == "b3dc808fc7cb4492669ec019911ef22a"
}

rule Control64 {
    meta:
        author = "Jaume Martin"
    condition:
        hash.md5(0, filesize) == "bec30379078d5c5c7845d3be33707b89"
}

rule GH_PM32 {
    meta:
        author = "Jaume Martin"
    condition:
        hash.md5(0, filesize) == "2f2c5b3f3b1f97908074f526ac90a28d"
}

rule GH_PM64 {
    meta:
        author = "Jaume Martin"
    condition:
        hash.md5(0, filesize) == "fe6c0097412b2c7b7f4b8a489004dd14"
}

rule MemStub32_GH1 {
    meta:
        author = "Jaume Martin"
    condition:
        hash.md5(0, filesize) == "0a579ad25fdd4db8110aac4dbb7d2da3"
}

rule MemStub32 {
    meta:
        author = "Jaume Martin"
    condition:
        hash.md5(0, filesize) == "8987652f26732607b769247adb4e9cce"
}

rule MemStub64_GH1 {
    meta:
        author = "Jaume Martin"
    condition:
        hash.md5(0, filesize) == "2350403a09e6928f0a7ba5d74da58cb9"
}

rule MemStub64 {
    meta:
        author = "Jaume Martin"
    condition:
        hash.md5(0, filesize) == "6b5b46d3212fc3fc5b455d9efd8d3ffa"
}

rule msvcrt_Win7AMD64 {
    meta:
        author = "Jaume Martin"
    condition:
        hash.md5(0, filesize) == "c8fc794cc5a22b5a1e0803b0b8acce77"
}

rule msvcrt_Win7x86 {
    meta:
        author = "Jaume Martin"
    condition:
        hash.md5(0, filesize) == "7713e5c5a48b020c9575b1b50f2e5e9e"
}

rule msvcrt_WIN8AMD64 {
    meta:
        author = "Jaume Martin"
    condition:
        hash.md5(0, filesize) == "33c59fcdf027470e0ab1d366f54a6ebf"
}

rule msvcrt_WIN8x86 {
    meta:
        author = "Jaume Martin"
    condition:
        hash.md5(0, filesize) == "95490c2b284a9bb63f0ee49254ab727e"
}

rule msvcrt_WinXPx86 {
    meta:
        author = "Jaume Martin"
    condition:
        hash.md5(0, filesize) == "b68f72d77754f8b76168ced0924a4174"
}

rule Network_Win7AMD64 {
    meta:
        author = "Jaume Martin"
    condition:
        hash.md5(0, filesize) == "eb92031a38f17d0e63285b5142b31966"
}

rule Network_Win7x86 {
    meta:
        author = "Jaume Martin"
    condition:
        hash.md5(0, filesize) == "548889baed7768b828d9c2f373abd225"
}

rule Network_WinXPx86 {
    meta:
        author = "Jaume Martin"
    condition:
        hash.md5(0, filesize) == "877341a16d5d223435c43a9db7f721bc"
}

rule RabbitStew32 {
    meta:
        author = "Jaume Martin"
    condition:
        hash.md5(0, filesize) == "a9d2e8ae5ddbf8f2842d96f7de2faef8"
}

rule RabbitStew64 {
    meta:
        author = "Jaume Martin"
    condition:
        hash.md5(0, filesize) == "fa415b6280104e813770df520b303897"
}

rule Vbr {
    meta:
        author = "Jaume Martin"
    condition:
        hash.md5(0, filesize) == "961d2fd68fde2ae0b7c52e0c90767d0d"
}