Commit 093d7832 by Marc Rivero López Committed by GitHub

Update APT_DeepPanda_Anthem.yar

Fixed style rule
parent 4defb7e3
...@@ -4,16 +4,17 @@ ...@@ -4,16 +4,17 @@
import "pe" import "pe"
/* APTAnthemDeepPanda */
/* Anthem Deep Panda APT */ rule Anthem_DeepPanda_sl_txt_packed
rule Anthem_DeepPanda_sl_txt_packed : binary
{ {
meta: meta:
description = "Anthem Hack Deep Panda - ScanLine sl-txt-packed" description = "Anthem Hack Deep Panda - ScanLine sl-txt-packed"
author = "Florian Roth" author = "Florian Roth"
date = "2015/02/08" date = "2015/02/08"
hash = "ffb1d8ea3039d3d5eb7196d27f5450cac0ea4f34" hash = "ffb1d8ea3039d3d5eb7196d27f5450cac0ea4f34"
strings: strings:
$s0 = "Command line port scanner" fullword wide $s0 = "Command line port scanner" fullword wide
$s1 = "sl.exe" fullword wide $s1 = "sl.exe" fullword wide
...@@ -23,17 +24,20 @@ rule Anthem_DeepPanda_sl_txt_packed : binary ...@@ -23,17 +24,20 @@ rule Anthem_DeepPanda_sl_txt_packed : binary
$s9 = " 2002 Foundstone Inc." fullword wide $s9 = " 2002 Foundstone Inc." fullword wide
$s15 = ", Inc. 2002" fullword ascii $s15 = ", Inc. 2002" fullword ascii
$s20 = "ICMP Time" fullword ascii $s20 = "ICMP Time" fullword ascii
condition: condition:
all of them all of them
} }
rule Anthem_DeepPanda_lot1 : binary rule Anthem_DeepPanda_lot1
{ {
meta: meta:
description = "Anthem Hack Deep Panda - lot1.tmp-pwdump" description = "Anthem Hack Deep Panda - lot1.tmp-pwdump"
author = "Florian Roth" author = "Florian Roth"
date = "2015/02/08" date = "2015/02/08"
hash = "5d201a0fb0f4a96cefc5f73effb61acff9c818e1" hash = "5d201a0fb0f4a96cefc5f73effb61acff9c818e1"
strings: strings:
$s0 = "Unable to open target process: %d, pid %d" fullword ascii $s0 = "Unable to open target process: %d, pid %d" fullword ascii
$s1 = "Couldn't delete target executable from remote machine: %d" fullword ascii $s1 = "Couldn't delete target executable from remote machine: %d" fullword ascii
...@@ -49,17 +53,20 @@ rule Anthem_DeepPanda_lot1 : binary ...@@ -49,17 +53,20 @@ rule Anthem_DeepPanda_lot1 : binary
$s17 = "Timed out waiting to get our pipe back" fullword ascii $s17 = "Timed out waiting to get our pipe back" fullword ascii
$s19 = "SetNamedPipeHandleState failed, error %d" fullword ascii $s19 = "SetNamedPipeHandleState failed, error %d" fullword ascii
$s20 = "%s\\%s.exe" fullword ascii $s20 = "%s\\%s.exe" fullword ascii
condition: condition:
10 of them 10 of them
} }
rule Anthem_DeepPanda_htran_exe : binary rule Anthem_DeepPanda_htran_exe
{ {
meta: meta:
description = "Anthem Hack Deep Panda - htran-exe" description = "Anthem Hack Deep Panda - htran-exe"
author = "Florian Roth" author = "Florian Roth"
date = "2015/02/08" date = "2015/02/08"
hash = "38e21f0b87b3052b536408fdf59185f8b3d210b9" hash = "38e21f0b87b3052b536408fdf59185f8b3d210b9"
strings: strings:
$s0 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii $s0 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii
$s1 = "[-] Gethostbyname(%s) error:%s" fullword ascii $s1 = "[-] Gethostbyname(%s) error:%s" fullword ascii
...@@ -79,18 +86,21 @@ rule Anthem_DeepPanda_htran_exe : binary ...@@ -79,18 +86,21 @@ rule Anthem_DeepPanda_htran_exe : binary
$s16 = "[+] Waiting another Client on port:%d...." fullword ascii $s16 = "[+] Waiting another Client on port:%d...." fullword ascii
$s17 = "[+] Accept a Client on port %d from %s ......" fullword ascii $s17 = "[+] Accept a Client on port %d from %s ......" fullword ascii
$s20 = "-listen <ConnectPort> <TransmitPort>" fullword ascii $s20 = "-listen <ConnectPort> <TransmitPort>" fullword ascii
condition: condition:
10 of them 10 of them
} }
rule Anthem_DeepPanda_Trojan_Kakfum : binary rule Anthem_DeepPanda_Trojan_Kakfum
{ {
meta: meta:
description = "Anthem Hack Deep Panda - Trojan.Kakfum sqlsrv32.dll" description = "Anthem Hack Deep Panda - Trojan.Kakfum sqlsrv32.dll"
author = "Florian Roth" author = "Florian Roth"
date = "2015/02/08" date = "2015/02/08"
hash1 = "ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2" hash1 = "ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2"
hash2 = "c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f" hash2 = "c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f"
strings: strings:
$s0 = "%SystemRoot%\\System32\\svchost.exe -k sqlserver" fullword ascii $s0 = "%SystemRoot%\\System32\\svchost.exe -k sqlserver" fullword ascii
$s1 = "%s\\sqlsrv32.dll" fullword ascii $s1 = "%s\\sqlsrv32.dll" fullword ascii
...@@ -98,6 +108,7 @@ rule Anthem_DeepPanda_Trojan_Kakfum : binary ...@@ -98,6 +108,7 @@ rule Anthem_DeepPanda_Trojan_Kakfum : binary
$s3 = "%s\\%d.tmp" fullword ascii $s3 = "%s\\%d.tmp" fullword ascii
$s4 = "ServiceMaix" fullword ascii $s4 = "ServiceMaix" fullword ascii
$s15 = "sqlserver" fullword ascii $s15 = "sqlserver" fullword ascii
condition: condition:
all of them all of them
} }
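Review bot: Dropping the `: binary` tag from the four rule headers (`rule Anthem_DeepPanda_sl_txt_packed`, `rule Anthem_DeepPanda_lot1`, `rule Anthem_DeepPanda_htran_exe`, `rule Anthem_DeepPanda_Trojan_Kakfum`) is a behavioral change rather than a style fix: YARA tags are selectable at scan time (`yara -t binary ...`) and are exposed to callers that filter matches by tag, so any scanning pipeline keyed on that tag stops matching these rules with no error. If the removal is intentional, the commit message should state it; otherwise keep the tag, e.g. `rule Anthem_DeepPanda_lot1 : binary`. The rendered view also suggests only one of the two header comments (`/* APTAnthemDeepPanda */`, `/* Anthem Deep Panda APT */`) survives, and the new side gains lines not shown here, presumably blank lines between rules; confirm against the raw diff. The visible rules do not reference the `pe` module, so `import "pe"` may be unused unless a rule outside these hunks needs it; the rule bodies themselves continue outside the hunks.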