Skip to content

R
rules
Commit 02324cf4 by Marc Rivero López Committed by GitHub
Options

Update APT_Oilrig.yar

parent 30e8c152
Showing with 34 additions and 8 deletions
malware/APT_Oilrig.yar
......@@ -4,7 +4,9 @@
*/
/* Rule Set ----------------------------------------------------------------- */
rule OilRig_Malware_Campaign_Gen1 {
rule OilRig_Malware_Campaign_Gen1
{
meta:
description = "Detects malware from OilRig Campaign"
author = "Florian Roth"
......@@ -41,7 +43,6 @@ rule OilRig_Malware_Campaign_Gen1 {
$x2 = "wss.Run \"powershell.exe \" & Chr(34) & \"& {waitfor haha /T 2}\" & Chr(34), 0" fullword ascii
$x3 = "Call Extract(UpdateVbs, wss.ExpandEnvironmentStrings(\"%PUBLIC%\") & \"\\Libraries\\update.vbs\")" fullword ascii
$s4 = "CreateObject(\"WScript.Shell\").Run cmd, 0o" fullword ascii
/* Base64 encode config */
/* $global:myhost = */
$b1 = "JGdsb2JhbDpteWhvc3QgP" ascii
......@@ -55,28 +56,35 @@ rule OilRig_Malware_Campaign_Gen1 {
$b5 = "DQpTZXQgd3NzID0gQ3JlYXRlT2JqZWN" ascii
/* whoami & hostname */
$b6 = "d2hvYW1pICYgaG9zdG5hb" ascii
condition:
( uint16(0) == 0xcfd0 and filesize < 700KB and 1 of them )
}
rule OilRig_Malware_Campaign_Mal1 {
rule OilRig_Malware_Campaign_Mal1
{
meta:
description = "Detects malware from OilRig Campaign"
author = "Florian Roth"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
hash1 = "e17e1978563dc10b73fd54e7727cbbe95cc0b170a4e7bd0ab223e059f6c25fcc"
strings:
$x1 = "DownloadExecute=\"powershell \"\"&{$r=Get-Random;$wc=(new-object System.Net.WebClient);$wc.DownloadFile(" ascii
$x2 = "-ExecutionPolicy Bypass -File \"&HOME&\"dns.ps1\"" fullword ascii
$x3 = "CreateObject(\"WScript.Shell\").Run Replace(DownloadExecute,\"-_\",\"bat\")" fullword ascii
$x4 = "CreateObject(\"WScript.Shell\").Run DnsCmd,0" fullword ascii
$s1 = "http://winodwsupdates.me" ascii
condition:
( uint16(0) == 0x4f48 and filesize < 4KB and 1 of them ) or ( 2 of them )
}
rule OilRig_Malware_Campaign_Gen2 {
rule OilRig_Malware_Campaign_Gen2
{
meta:
description = "Detects malware from OilRig Campaign"
author = "Florian Roth"
......@@ -84,6 +92,7 @@ rule OilRig_Malware_Campaign_Gen2 {
date = "2016-10-12"
hash1 = "c6437f57a8f290b5ec46b0933bfa8a328b0cb2c0c7fbeea7f21b770ce0250d3d"
hash2 = "293522e83aeebf185e653ac279bba202024cedb07abc94683930b74df51ce5cb"
strings:
$s1 = "%userprofile%\\AppData\\Local\\Microsoft\\ " fullword ascii
$s2 = "$fdn=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('" fullword ascii
......@@ -94,11 +103,14 @@ rule OilRig_Malware_Campaign_Gen2 {
$s7 = "') -replace '__',('HTP'+$id) | " fullword ascii
$s8 = "&{$rn = Get-Random -minimum 1 -maximum 10000; $id = 'AZ" fullword ascii
$s9 = "http://www.israirairlines.com/?mode=page&page=14635&lang=eng<" fullword ascii
condition:
( uint16(0) == 0xcfd0 and filesize < 4000KB and 2 of ($s*) ) or ( 4 of them )
}
rule OilRig_Malware_Campaign_Gen3 {
rule OilRig_Malware_Campaign_Gen3
{
meta:
description = "Detects malware from OilRig Campaign"
author = "Florian Roth"
......@@ -107,21 +119,26 @@ rule OilRig_Malware_Campaign_Gen3 {
hash1 = "5e9ddb25bde3719c392d08c13a295db418d7accd25d82d020b425052e7ba6dc9"
hash2 = "bd0920c8836541f58e0778b4b64527e5a5f2084405f73ee33110f7bc189da7a9"
hash3 = "90639c7423a329e304087428a01662cc06e2e9153299e37b1b1c90f6d0a195ed"
strings:
$x1 = "source code from https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.htmlrrrr" fullword ascii
$x2 = "\\Libraries\\fireueye.vbs" fullword ascii
$x3 = "\\Libraries\\fireeye.vbs&" fullword wide
condition:
( uint16(0) == 0xcfd0 and filesize < 100KB and 1 of them )
}
rule OilRig_Malware_Campaign_Mal2 {
rule OilRig_Malware_Campaign_Mal2
{
meta:
description = "Detects malware from OilRig Campaign"
author = "Florian Roth"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
hash1 = "65920eaea00764a245acb58a3565941477b78a7bcc9efaec5bf811573084b6cf"
strings:
$x1 = "wss.Run \"powershell.exe \" & Chr(34) & \"& {(Get-Content $env:Public\\Libraries\\update.vbs) -replace '__',(Get-Random) | Set-C" ascii
$x2 = "Call Extract(UpdateVbs, wss.ExpandEnvironmentStrings(\"%PUBLIC%\") & \"\\Libraries\\update.vbs\")" fullword ascii
......@@ -129,36 +146,45 @@ rule OilRig_Malware_Campaign_Mal2 {
$x4 = "mailto:Tarik.Imam@gartner.com" fullword wide
$x5 = "Call Extract(DnsPs1, wss.ExpandEnvironmentStrings(\"%PUBLIC%\") & \"\\Libraries\\dns.ps1\")" fullword ascii
$x6 = "2dy53My5vcmcvMjAw" fullword wide /* base64 encoded string 'w.w3.org/200' */
condition:
( uint16(0) == 0xcfd0 and filesize < 200KB and 1 of them )
}
rule OilRig_Campaign_Reconnaissance {
rule OilRig_Campaign_Reconnaissance
{
meta:
description = "Detects Windows discovery commands - known from OilRig Campaign"
author = "Florian Roth"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
hash1 = "5893eae26df8e15c1e0fa763bf88a1ae79484cdb488ba2fc382700ff2cfab80c"
strings:
$s1 = "whoami & hostname & ipconfig /all" ascii
$s2 = "net user /domain 2>&1 & net group /domain 2>&1" ascii
$s3 = "net group \"domain admins\" /domain 2>&1 & " ascii
condition:
( filesize < 1KB and 1 of them )
}
rule OilRig_Malware_Campaign_Mal3 {
rule OilRig_Malware_Campaign_Mal3
{
meta:
description = "Detects malware from OilRig Campaign"
author = "Florian Roth"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
hash1 = "02226181f27dbf59af5377e39cf583db15200100eea712fcb6f55c0a2245a378"
strings:
$x1 = "(Get-Content $env:Public\\Libraries\\dns.ps1) -replace ('#'+'##'),$botid | Set-Content $env:Public\\Libraries\\dns.ps1" fullword ascii
$x2 = "Invoke-Expression ($global:myhome+'tp\\'+$global:filename+'.bat > '+$global:myhome+'tp\\'+$global:filename+'.txt')" fullword ascii
$x3 = "('00000000'+(convertTo-Base36(Get-Random -Maximum 46655)))" fullword ascii
condition:
( filesize < 10KB and 1 of them )
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment