Skip to content

R
rules
Commit 058ef81b by Marc Rivero López Committed by GitHub
Options

Update APT_Winnti.yar

parent ea3674fe
Showing with 31 additions and 13 deletions
malware/APT_Winnti.yar
...@@ -9,7 +9,9 @@ ...@@ -9,7 +9,9 @@
Identifier: Winnti Malware Identifier: Winnti Malware
*/ */
rule Winnti_signing_cert { rule Winnti_signing_cert
{
meta: meta:
description = "Detects a signing certificate used by the Winnti APT group" description = "Detects a signing certificate used by the Winnti APT group"
author = "Florian Roth" author = "Florian Roth"
...@@ -18,15 +20,19 @@ rule Winnti_signing_cert { ...@@ -18,15 +20,19 @@ rule Winnti_signing_cert {
score = 75 score = 75
hash1 = "a9a8dc4ae77b1282f0c8bdebd2643458fc1ceb3145db4e30120dd81676ff9b61" hash1 = "a9a8dc4ae77b1282f0c8bdebd2643458fc1ceb3145db4e30120dd81676ff9b61"
hash2 = "9001572983d5b1f99787291edaadbb65eb2701722f52470e89db2c59def24672" hash2 = "9001572983d5b1f99787291edaadbb65eb2701722f52470e89db2c59def24672"
strings: strings:
$s1 = "Guangzhou YuanLuo Technology Co." ascii $s1 = "Guangzhou YuanLuo Technology Co." ascii
$s2 = "Guangzhou YuanLuo Technology Co.,Ltd" ascii $s2 = "Guangzhou YuanLuo Technology Co.,Ltd" ascii
$s3 = "$Asahi Kasei Microdevices Corporation0" fullword ascii $s3 = "$Asahi Kasei Microdevices Corporation0" fullword ascii
condition: condition:
uint16(0) == 0x5a4d and filesize < 700KB and 1 of them uint16(0) == 0x5a4d and filesize < 700KB and 1 of them
} }
rule Winnti_malware_Nsiproxy { rule Winnti_malware_Nsiproxy
{
meta: meta:
description = "Detects a Winnti rootkit" description = "Detects a Winnti rootkit"
author = "Florian Roth" author = "Florian Roth"
...@@ -37,22 +43,24 @@ rule Winnti_malware_Nsiproxy { ...@@ -37,22 +43,24 @@ rule Winnti_malware_Nsiproxy {
hash3 = "326e2cabddb641777d489a9e7a39d52c0dc2dcb1fde1762554ea162792056b6e" hash3 = "326e2cabddb641777d489a9e7a39d52c0dc2dcb1fde1762554ea162792056b6e"
hash4 = "aff7c7478fe33c57954b6fec2095efe8f9edf5cdb48a680de9439ba62a77945f" hash4 = "aff7c7478fe33c57954b6fec2095efe8f9edf5cdb48a680de9439ba62a77945f"
hash5 = "ba7ccd027fd2c826bbe8f2145d5131eff906150bd98fe25a10fbee2c984df1b8" hash5 = "ba7ccd027fd2c826bbe8f2145d5131eff906150bd98fe25a10fbee2c984df1b8"
strings: strings:
$x1 = "\\Driver\\nsiproxy" fullword wide $x1 = "\\Driver\\nsiproxy" fullword wide
$a1 = "\\Device\\StreamPortal" fullword wide $a1 = "\\Device\\StreamPortal" fullword wide
$a2 = "\\Device\\PNTFILTER" fullword wide $a2 = "\\Device\\PNTFILTER" fullword wide
$s1 = "Cookie: SN=" fullword ascii $s1 = "Cookie: SN=" fullword ascii
$s2 = "\\BaseNamedObjects\\_transmition_synchronization_" fullword wide $s2 = "\\BaseNamedObjects\\_transmition_synchronization_" fullword wide
$s3 = "Winqual.sys" fullword wide $s3 = "Winqual.sys" fullword wide
$s4 = "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}" fullword wide $s4 = "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}" fullword wide
$s5 = "http://www.wasabii.com.tw 0" fullword ascii $s5 = "http://www.wasabii.com.tw 0" fullword ascii
condition: condition:
uint16(0) == 0x5a4d and $x1 and 1 of ($a*) and 2 of ($s*) uint16(0) == 0x5a4d and $x1 and 1 of ($a*) and 2 of ($s*)
} }
rule Winnti_malware_UpdateDLL { rule Winnti_malware_UpdateDLL
{
meta: meta:
description = "Detects a Winnti malware - Update.dll" description = "Detects a Winnti malware - Update.dll"
author = "Florian Roth" author = "Florian Roth"
...@@ -63,12 +71,12 @@ rule Winnti_malware_UpdateDLL { ...@@ -63,12 +71,12 @@ rule Winnti_malware_UpdateDLL {
hash2 = "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a" hash2 = "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a"
hash3 = "6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58" hash3 = "6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58"
hash4 = "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a" hash4 = "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a"
strings: strings:
$c1 = "'Wymajtec$Tima Stempijg Sarviges GA -$G2" fullword ascii $c1 = "'Wymajtec$Tima Stempijg Sarviges GA -$G2" fullword ascii
$c2 = "AHDNEAFE1.sys" fullword ascii $c2 = "AHDNEAFE1.sys" fullword ascii
$c3 = "SOTEFEHJ3.sys" fullword ascii $c3 = "SOTEFEHJ3.sys" fullword ascii
$c4 = "MainSYS64.sys" fullword ascii $c4 = "MainSYS64.sys" fullword ascii
$s1 = "\\Registry\\User\\%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" fullword wide $s1 = "\\Registry\\User\\%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" fullword wide
$s2 = "Update.dll" fullword ascii $s2 = "Update.dll" fullword ascii
$s3 = "\\\\.\\pipe\\usbpcex%d" fullword wide $s3 = "\\\\.\\pipe\\usbpcex%d" fullword wide
...@@ -78,13 +86,14 @@ rule Winnti_malware_UpdateDLL { ...@@ -78,13 +86,14 @@ rule Winnti_malware_UpdateDLL {
$s7 = "\\??\\pipe\\usbpcex%d" fullword wide $s7 = "\\??\\pipe\\usbpcex%d" fullword wide
$s8 = "HOST: %s" fullword ascii $s8 = "HOST: %s" fullword ascii
$s9 = "$$$--Hello" fullword ascii $s9 = "$$$--Hello" fullword ascii
condition: condition:
uint16(0) == 0x5a4d and filesize < 1000KB and uint16(0) == 0x5a4d and filesize < 1000KB and ( ( 1 of ($c*) and 3 of ($s*) ) or all of ($s*) )
(
( 1 of ($c*) and 3 of ($s*) ) or all of ($s*)
)
} }
rule Winnti_malware_FWPK {
rule Winnti_malware_FWPK
{
meta: meta:
description = "Detects a Winnti malware - FWPKCLNT.SYS" description = "Detects a Winnti malware - FWPKCLNT.SYS"
author = "Florian Roth" author = "Florian Roth"
...@@ -94,6 +103,7 @@ rule Winnti_malware_FWPK { ...@@ -94,6 +103,7 @@ rule Winnti_malware_FWPK {
hash1 = "1098518786c84b0d31f215122275582bdcd1666653ebc25d50a142b4f5dabf2c" hash1 = "1098518786c84b0d31f215122275582bdcd1666653ebc25d50a142b4f5dabf2c"
hash2 = "9a684ffad0e1c6a22db1bef2399f839d8eff53d7024fb014b9a5f714d11febd7" hash2 = "9a684ffad0e1c6a22db1bef2399f839d8eff53d7024fb014b9a5f714d11febd7"
hash3 = "a836397817071c35e24e94b2be3c2fa4ffa2eb1675d3db3b4456122ff4a71368" hash3 = "a836397817071c35e24e94b2be3c2fa4ffa2eb1675d3db3b4456122ff4a71368"
strings: strings:
$s0 = "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\" fullword wide $s0 = "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\" fullword wide
$s1 = "%x:%d->%x:%d, Flag %s%s%s%s%s, seq %u, ackseq %u, datalen %u" fullword ascii $s1 = "%x:%d->%x:%d, Flag %s%s%s%s%s, seq %u, ackseq %u, datalen %u" fullword ascii
...@@ -107,11 +117,14 @@ rule Winnti_malware_FWPK { ...@@ -107,11 +117,14 @@ rule Winnti_malware_FWPK {
$s9 = "\\BaseNamedObjects\\EKV0000000000" fullword wide $s9 = "\\BaseNamedObjects\\EKV0000000000" fullword wide
$s10 = "%x->%x" fullword ascii $s10 = "%x->%x" fullword ascii
$s11 = "IPInjectPkt" fullword ascii /* Goodware String - occured 6 times */ $s11 = "IPInjectPkt" fullword ascii /* Goodware String - occured 6 times */
condition: condition:
uint16(0) == 0x5a4d and filesize < 642KB and all of them uint16(0) == 0x5a4d and filesize < 642KB and all of them
} }
rule Winnti_malware_StreamPortal_Gen { rule Winnti_malware_StreamPortal_Gen
{
meta: meta:
description = "Detects a Winnti malware - Streamportal" description = "Detects a Winnti malware - Streamportal"
author = "Florian Roth" author = "Florian Roth"
...@@ -121,6 +134,7 @@ rule Winnti_malware_StreamPortal_Gen { ...@@ -121,6 +134,7 @@ rule Winnti_malware_StreamPortal_Gen {
hash1 = "326e2cabddb641777d489a9e7a39d52c0dc2dcb1fde1762554ea162792056b6e" hash1 = "326e2cabddb641777d489a9e7a39d52c0dc2dcb1fde1762554ea162792056b6e"
hash2 = "9001572983d5b1f99787291edaadbb65eb2701722f52470e89db2c59def24672" hash2 = "9001572983d5b1f99787291edaadbb65eb2701722f52470e89db2c59def24672"
hash3 = "aff7c7478fe33c57954b6fec2095efe8f9edf5cdb48a680de9439ba62a77945f" hash3 = "aff7c7478fe33c57954b6fec2095efe8f9edf5cdb48a680de9439ba62a77945f"
strings: strings:
$s0 = "Proxies destination address/port for TCP" fullword wide $s0 = "Proxies destination address/port for TCP" fullword wide
$s3 = "\\Device\\StreamPortal" fullword wide $s3 = "\\Device\\StreamPortal" fullword wide
...@@ -129,11 +143,14 @@ rule Winnti_malware_StreamPortal_Gen { ...@@ -129,11 +143,14 @@ rule Winnti_malware_StreamPortal_Gen {
$s6 = "\\BaseNamedObjects\\_transmition_synchronization_" fullword wide $s6 = "\\BaseNamedObjects\\_transmition_synchronization_" fullword wide
$s17 = "NTOSKRNL.EXE" fullword wide /* Goodware String - occured 4 times */ $s17 = "NTOSKRNL.EXE" fullword wide /* Goodware String - occured 4 times */
$s19 = "FwpsReferenceNetBufferList0" fullword ascii /* Goodware String - occured 5 times */ $s19 = "FwpsReferenceNetBufferList0" fullword ascii /* Goodware String - occured 5 times */
condition: condition:
uint16(0) == 0x5a4d and filesize < 275KB and all of them uint16(0) == 0x5a4d and filesize < 275KB and all of them
} }
rule WinntiPharma : Backdoor
rule WinntiPharma
{ {
meta: meta:
author = "Jose Ramon Palanco" author = "Jose Ramon Palanco"
copyright = "Drainware, Inc." copyright = "Drainware, Inc."
...@@ -147,6 +164,7 @@ strings: ...@@ -147,6 +164,7 @@ strings:
$s2 = "{4D36E972-E325-11CE-BFC1-08002BE10318}" $s2 = "{4D36E972-E325-11CE-BFC1-08002BE10318}"
$s3 = "master secret" $s3 = "master secret"
$s4 = "MyEngineNetEvent" $s4 = "MyEngineNetEvent"
condition: condition:
all of ($s*) all of ($s*)
} }
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment