Merge pull request #332 from techhelplist/master

add sig for Hancitor botnet malware

Merge pull request #332 from techhelplist/master
add sig for Hancitor botnet malware
15ac9816 · Marc Rivero López · GitHub · 29738546 · d13afa94 · 15ac9816
Unverified Commit 15ac9816 authored Oct 07, 2018 by Marc Rivero López Committed by GitHub Oct 07, 2018
Show whitespace changes
Inline Side-by-side

Showing with 74 additions and 0 deletions

MALW_Yordanyan_ActiveAgent.yar malware/MALW_Yordanyan_ActiveAgent.yar +47 -0

MALW_hancitor.yar malware/MALW_hancitor.yar +27 -0

No files found.
--- a/malware/MALW_Yordanyan_ActiveAgent.yar
+++ b/malware/MALW_Yordanyan_ActiveAgent.yar
+
+rule yordanyan_activeagent {
+	meta:
+		description = "Memory string yara for Yordanyan ActiveAgent"
+		author = "J from THL <j@techhelplist.com>"
+		reference1 = "https://www.virustotal.com/#/file/a2e34bfd5a9789837bc2d580e87ec11b9f29c4a50296ef45b06e3895ff399746/detection"
+		reference2 = "ETPRO TROJAN Win32.ActiveAgent CnC Create"
+		date = "2018-10-04"
+		maltype = "Botnet"
+		filetype = "memory"
+
+	strings:
+		// the wide strings are 16bit bigendian strings in memory. strings -e b memdump.file
+		$s01 = "I'm KeepRunner!" wide
+		$s02 = "I'm Updater!" wide
+		$s03 = "Starting Download..." wide
+		$s04 = "Download Complete!" wide
+		$s05 = "Running New Agent and terminating updater!" wide
+		$s06 = "Can't Run downloaded file!" wide
+		$s07 = "Retrying download and run!" wide
+		$s08 = "Can't init Client." wide
+		$s09 = "Client initialised -" wide
+		$s10 = "Client not found!" wide
+		$s11 = "Client signed." wide
+		$s12 = "GetClientData" wide
+		$s13 = "&counter=" wide
+		$s14 = "&agent_file_version=" wide
+		$s15 = "&agent_id=" wide
+		$s16 = "mac_address=" wide
+		$s17 = "Getting Attachments" wide
+		$s18 = "public_name" wide
+		$s19 = "Yor agent id =" wide
+		$s20 = "Yor agent version =" wide
+		$s21 = "Last agent version =" wide
+		$s22 = "Agent is last version." wide
+		$s23 = "Updating Agent" wide
+		$s24 = "Terminating RunKeeper" wide
+		$s25 = "Terminating RunKeeper: Done" wide
+		$s26 = "ActiveAgent" ascii
+		$s27 = "public_name" ascii
+
+	condition:
+		15 of them
+
+}
+
+
--- a/malware/MALW_hancitor.yar
+++ b/malware/MALW_hancitor.yar
+
+
+rule hancitor {
+	meta:
+		description = "Memory string yara for Hancitor"
+		author = "J from THL <j@techhelplist.com>"
+		reference1 = "https://researchcenter.paloaltonetworks.com/2018/02/threat-brief-hancitor-actors/"
+		reference2 = "https://www.virustotal.com/#/file/43e17f30b78c085e9bda8cadf5063cd5cec9edaa7441594ba1fe51391cc1c486/"
+		reference3 = "https://www.virustotal.com/#/file/d135f03b9fdc709651ac9d0264e155c5580b072577a8ff24c90183b126b5e12a/"
+		date = "2018-09-18"
+		maltype1 = "Botnet"
+		filetype = "memory"
+
+	strings:
+		$a = "GUID="	ascii
+                $b = "&BUILD="	ascii
+                $c = "&INFO="	ascii
+                $d = "&IP="	ascii
+                $e = "&TYPE=" 	ascii
+                $f = "php|http"	ascii
+		$g = "GUID=%I64u&BUILD=%s&INFO=%s&IP=%s&TYPE=1&WIN=%d.%d" ascii fullword
+
+
+	condition:
+		5 of ($a,$b,$c,$d,$e,$f) or $g
+
+}