Commit 13af57f8 by Marc Rivero López Committed by GitHub

Update APT_APT29_Grizzly_Steppe.yar

Rules indented correctly
parent fe775b56
...@@ -8,13 +8,17 @@ ...@@ -8,13 +8,17 @@
Date: 2016-12-29 Date: 2016-12-29
Identifier: GRIZZLY STEPPE Identifier: GRIZZLY STEPPE
*/ */
rule GRIZZLY_STEPPE_Malware_1 {
rule GRIZZLY_STEPPE_Malware_1
{
meta: meta:
description = "Auto-generated rule - file HRDG022184_certclint.dll" description = "Auto-generated rule - file HRDG022184_certclint.dll"
author = "Florian Roth" author = "Florian Roth"
reference = "https://goo.gl/WVflzO" reference = "https://goo.gl/WVflzO"
date = "2016-12-29" date = "2016-12-29"
hash1 = "9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5" hash1 = "9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5"
strings: strings:
$s1 = "S:\\Lidstone\\renewing\\HA\\disable\\In.pdb" fullword ascii $s1 = "S:\\Lidstone\\renewing\\HA\\disable\\In.pdb" fullword ascii
$s2 = "Repeat last find command)Replace specific text with different text" fullword wide $s2 = "Repeat last find command)Replace specific text with different text" fullword wide
...@@ -22,11 +26,14 @@ rule GRIZZLY_STEPPE_Malware_1 { ...@@ -22,11 +26,14 @@ rule GRIZZLY_STEPPE_Malware_1 {
$s6 = "Self Process" fullword wide $s6 = "Self Process" fullword wide
$s7 = "Default Process" fullword wide $s7 = "Default Process" fullword wide
$s8 = "Star Polk.exe" fullword wide $s8 = "Star Polk.exe" fullword wide
condition: condition:
( uint16(0) == 0x5a4d and filesize < 300KB and 4 of them ) ( uint16(0) == 0x5a4d and filesize < 300KB and 4 of them )
} }
rule GRIZZLY_STEPPE_Malware_2 { rule GRIZZLY_STEPPE_Malware_2
{
meta: meta:
description = "Auto-generated rule - file 9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0" description = "Auto-generated rule - file 9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0"
author = "Florian Roth" author = "Florian Roth"
...@@ -34,24 +41,28 @@ rule GRIZZLY_STEPPE_Malware_2 { ...@@ -34,24 +41,28 @@ rule GRIZZLY_STEPPE_Malware_2 {
date = "2016-12-29" date = "2016-12-29"
hash1 = "9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0" hash1 = "9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0"
hash2 = "55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641" hash2 = "55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641"
strings: strings:
$x1 = "GoogleCrashReport.dll" fullword ascii $x1 = "GoogleCrashReport.dll" fullword ascii
$s1 = "CrashErrors" fullword ascii $s1 = "CrashErrors" fullword ascii
$s2 = "CrashSend" fullword ascii $s2 = "CrashSend" fullword ascii
$s3 = "CrashAddData" fullword ascii $s3 = "CrashAddData" fullword ascii
$s4 = "CrashCleanup" fullword ascii $s4 = "CrashCleanup" fullword ascii
$s5 = "CrashInit" fullword ascii $s5 = "CrashInit" fullword ascii
condition: condition:
( uint16(0) == 0x5a4d and filesize < 1000KB and $x1 ) or ( all of them ) ( uint16(0) == 0x5a4d and filesize < 1000KB and $x1 ) or ( all of them )
} }
rule PAS_TOOL_PHP_WEB_KIT_mod { rule PAS_TOOL_PHP_WEB_KIT_mod
{
meta: meta:
description = "Detects PAS Tool PHP Web Kit" description = "Detects PAS Tool PHP Web Kit"
reference = "https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity" reference = "https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity"
author = "US CERT - modified by Florian Roth due to performance reasons" author = "US CERT - modified by Florian Roth due to performance reasons"
date = "2016/12/29" date = "2016/12/29"
strings: strings:
$php = "<?php" $php = "<?php"
$base64decode1 = "='base'.(" $base64decode1 = "='base'.("
...@@ -60,47 +71,47 @@ rule PAS_TOOL_PHP_WEB_KIT_mod { ...@@ -60,47 +71,47 @@ rule PAS_TOOL_PHP_WEB_KIT_mod {
$gzinflate = "gzinflate" $gzinflate = "gzinflate"
$cookie = "_COOKIE" $cookie = "_COOKIE"
$isset = "isset" $isset = "isset"
condition: condition:
$php at 0 and $php at 0 and (filesize > 10KB and filesize < 30KB) and #cookie == 2 and #isset == 3 and all of them
(filesize > 10KB and filesize < 30KB) and
#cookie == 2 and
#isset == 3 and
all of them
} }
rule WebShell_PHP_Web_Kit_v3 { rule WebShell_PHP_Web_Kit_v3
{
meta: meta:
description = "Detects PAS Tool PHP Web Kit" description = "Detects PAS Tool PHP Web Kit"
reference = "https://github.com/wordfence/grizzly" reference = "https://github.com/wordfence/grizzly"
author = "Florian Roth" author = "Florian Roth"
date = "2016/01/01" date = "2016/01/01"
strings: strings:
$php = "<?php $" $php = "<?php $"
$php2 = "@assert(base64_decode($_REQUEST[" $php2 = "@assert(base64_decode($_REQUEST["
$s1 = "(str_replace(\"\\n\", '', '" $s1 = "(str_replace(\"\\n\", '', '"
$s2 = "(strrev($" ascii $s2 = "(strrev($" ascii
$s3 = "de'.'code';" ascii $s3 = "de'.'code';" ascii
condition: condition:
( $php at 0 or $php2 ) and ( $php at 0 or $php2 ) and filesize > 8KB and filesize < 100KB and all of ($s*)
filesize > 8KB and filesize < 100KB and
all of ($s*)
} }
rule WebShell_PHP_Web_Kit_v4 { rule WebShell_PHP_Web_Kit_v4
{
meta: meta:
description = "Detects PAS Tool PHP Web Kit" description = "Detects PAS Tool PHP Web Kit"
reference = "https://github.com/wordfence/grizzly" reference = "https://github.com/wordfence/grizzly"
author = "Florian Roth" author = "Florian Roth"
date = "2016/01/01" date = "2016/01/01"
strings: strings:
$php = "<?php $" $php = "<?php $"
$s1 = "(StR_ReplAcE(\"\\n\",''," $s1 = "(StR_ReplAcE(\"\\n\",'',"
$s2 = ";if(PHP_VERSION<'5'){" ascii $s2 = ";if(PHP_VERSION<'5'){" ascii
$s3 = "=SuBstr_rePlACe(" ascii $s3 = "=SuBstr_rePlACe(" ascii
condition: condition:
$php at 0 and $php at 0 and filesize > 8KB and filesize < 100KB and 2 of ($s*)
filesize > 8KB and filesize < 100KB and
2 of ($s*)
} }