Update APT_Winnti.yar

058ef81b · Marc Rivero López · GitHub · ea3674fe · 058ef81b
Commit 058ef81b authored Jan 24, 2017 by Marc Rivero López Committed by GitHub Jan 24, 2017
Show whitespace changes
Inline Side-by-side

Showing with 31 additions and 13 deletions

APT_Winnti.yar malware/APT_Winnti.yar +31 -13

No files found.
--- a/malware/APT_Winnti.yar
+++ b/malware/APT_Winnti.yar
@@ -9,7 +9,9 @@
 	Identifier: Winnti Malware
 */

-rule Winnti_signing_cert {
+rule Winnti_signing_cert 
+{
+
    meta:
        description = "Detects a signing certificate used by the Winnti APT group"
        author = "Florian Roth"
@@ -18,15 +20,19 @@ rule Winnti_signing_cert {
        score = 75
        hash1 = "a9a8dc4ae77b1282f0c8bdebd2643458fc1ceb3145db4e30120dd81676ff9b61"
        hash2 = "9001572983d5b1f99787291edaadbb65eb2701722f52470e89db2c59def24672"
+
    strings:
        $s1 = "Guangzhou YuanLuo Technology Co." ascii
        $s2 = "Guangzhou YuanLuo Technology Co.,Ltd" ascii
        $s3 = "$Asahi Kasei Microdevices Corporation0" fullword ascii
+
    condition:
        uint16(0) == 0x5a4d and filesize < 700KB and 1 of them
 }

-rule Winnti_malware_Nsiproxy {
+rule Winnti_malware_Nsiproxy 
+{
+
    meta:
        description = "Detects a Winnti rootkit"
        author = "Florian Roth"
@@ -37,22 +43,24 @@ rule Winnti_malware_Nsiproxy {
        hash3 = "326e2cabddb641777d489a9e7a39d52c0dc2dcb1fde1762554ea162792056b6e"
        hash4 = "aff7c7478fe33c57954b6fec2095efe8f9edf5cdb48a680de9439ba62a77945f"
        hash5 = "ba7ccd027fd2c826bbe8f2145d5131eff906150bd98fe25a10fbee2c984df1b8"
+   
    strings:
        $x1 = "\\Driver\\nsiproxy" fullword wide
-
        $a1 = "\\Device\\StreamPortal" fullword wide
        $a2 = "\\Device\\PNTFILTER" fullword wide
-
        $s1 = "Cookie: SN=" fullword ascii
        $s2 = "\\BaseNamedObjects\\_transmition_synchronization_" fullword wide
        $s3 = "Winqual.sys" fullword wide
        $s4 = "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}" fullword wide
        $s5 = "http://www.wasabii.com.tw 0" fullword ascii
+    
    condition:
        uint16(0) == 0x5a4d and $x1 and 1 of ($a*) and 2 of ($s*)
 }

-rule Winnti_malware_UpdateDLL {
+rule Winnti_malware_UpdateDLL 
+{
+
    meta:
        description = "Detects a Winnti malware - Update.dll"
        author = "Florian Roth"
@@ -63,12 +71,12 @@ rule Winnti_malware_UpdateDLL {
        hash2 = "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a"
        hash3 = "6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58"
        hash4 = "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a"
+   
    strings:
        $c1 = "'Wymajtec$Tima Stempijg Sarviges GA -$G2" fullword ascii
        $c2 = "AHDNEAFE1.sys" fullword ascii
        $c3 = "SOTEFEHJ3.sys" fullword ascii
        $c4 = "MainSYS64.sys" fullword ascii
-
        $s1 = "\\Registry\\User\\%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" fullword wide
        $s2 = "Update.dll" fullword ascii
        $s3 = "\\\\.\\pipe\\usbpcex%d" fullword wide
@@ -78,13 +86,14 @@ rule Winnti_malware_UpdateDLL {
        $s7 = "\\??\\pipe\\usbpcex%d" fullword wide
        $s8 = "HOST: %s" fullword ascii
        $s9 = "$$$--Hello" fullword ascii
+    
    condition:
-		uint16(0) == 0x5a4d and filesize < 1000KB and
-		(
-			( 1 of ($c*) and 3 of ($s*) ) or all of ($s*)
-		)
+        uint16(0) == 0x5a4d and filesize < 1000KB and ( ( 1 of ($c*) and 3 of ($s*) ) or all of ($s*) )
 }
-rule Winnti_malware_FWPK {
+
+rule Winnti_malware_FWPK 
+{
+
    meta:
        description = "Detects a Winnti malware - FWPKCLNT.SYS"
        author = "Florian Roth"
@@ -94,6 +103,7 @@ rule Winnti_malware_FWPK {
        hash1 = "1098518786c84b0d31f215122275582bdcd1666653ebc25d50a142b4f5dabf2c"
        hash2 = "9a684ffad0e1c6a22db1bef2399f839d8eff53d7024fb014b9a5f714d11febd7"
        hash3 = "a836397817071c35e24e94b2be3c2fa4ffa2eb1675d3db3b4456122ff4a71368"
+  
    strings:
        $s0 = "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\" fullword wide
        $s1 = "%x:%d->%x:%d, Flag %s%s%s%s%s, seq %u, ackseq %u, datalen %u" fullword ascii
@@ -107,11 +117,14 @@ rule Winnti_malware_FWPK {
        $s9 = "\\BaseNamedObjects\\EKV0000000000" fullword wide
        $s10 = "%x->%x" fullword ascii
        $s11 = "IPInjectPkt" fullword ascii /* Goodware String - occured 6 times */
+ 
    condition:
        uint16(0) == 0x5a4d and filesize < 642KB and all of them
 }

-rule Winnti_malware_StreamPortal_Gen {
+rule Winnti_malware_StreamPortal_Gen 
+{
+
    meta:
        description = "Detects a Winnti malware - Streamportal"
        author = "Florian Roth"
@@ -121,6 +134,7 @@ rule Winnti_malware_StreamPortal_Gen {
        hash1 = "326e2cabddb641777d489a9e7a39d52c0dc2dcb1fde1762554ea162792056b6e"
        hash2 = "9001572983d5b1f99787291edaadbb65eb2701722f52470e89db2c59def24672"
        hash3 = "aff7c7478fe33c57954b6fec2095efe8f9edf5cdb48a680de9439ba62a77945f"
+  
    strings:
        $s0 = "Proxies destination address/port for TCP" fullword wide
        $s3 = "\\Device\\StreamPortal" fullword wide
@@ -129,11 +143,14 @@ rule Winnti_malware_StreamPortal_Gen {
        $s6 = "\\BaseNamedObjects\\_transmition_synchronization_" fullword wide
        $s17 = "NTOSKRNL.EXE" fullword wide /* Goodware String - occured 4 times */
        $s19 = "FwpsReferenceNetBufferList0" fullword ascii /* Goodware String - occured 5 times */
+  
    condition:
        uint16(0) == 0x5a4d and filesize < 275KB and all of them
 }
-rule WinntiPharma : Backdoor 
+
+rule WinntiPharma 
 {
+
 meta:
    author = "Jose Ramon Palanco"
    copyright = "Drainware, Inc."
@@ -147,6 +164,7 @@ strings:
    $s2 = "{4D36E972-E325-11CE-BFC1-08002BE10318}"
    $s3 = "master secret"
    $s4 = "MyEngineNetEvent"
+
 condition:
    all of ($s*)
 }