Commit 190e4883 by Marc Rivero López Committed by GitHub

Update APT_WoolenGoldfish.yar

parent 058ef81b
...@@ -5,8 +5,9 @@ ...@@ -5,8 +5,9 @@
import "pe" import "pe"
rule WoolenGoldfish_Sample_1
{
rule WoolenGoldfish_Sample_1 : APT {
meta: meta:
description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ" description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
author = "Florian Roth" author = "Florian Roth"
...@@ -14,14 +15,18 @@ rule WoolenGoldfish_Sample_1 : APT { ...@@ -14,14 +15,18 @@ rule WoolenGoldfish_Sample_1 : APT {
date = "2015/03/25" date = "2015/03/25"
score = 60 score = 60
hash = "7ad0eb113bc575363a058f4bf21dbab8c8f7073a" hash = "7ad0eb113bc575363a058f4bf21dbab8c8f7073a"
strings: strings:
$s1 = "Cannot execute (%d)" fullword ascii $s1 = "Cannot execute (%d)" fullword ascii
$s16 = "SvcName" fullword ascii $s16 = "SvcName" fullword ascii
condition: condition:
all of them all of them
} }
rule WoolenGoldfish_Generic_1 { rule WoolenGoldfish_Generic_1
{
meta: meta:
description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ" description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
author = "Florian Roth" author = "Florian Roth"
...@@ -32,11 +37,11 @@ rule WoolenGoldfish_Generic_1 { ...@@ -32,11 +37,11 @@ rule WoolenGoldfish_Generic_1 {
hash0 = "5d334e0cb4ff58859e91f9e7f1c451ffdc7544c3" hash0 = "5d334e0cb4ff58859e91f9e7f1c451ffdc7544c3"
hash1 = "d5b2b30fe2d4759c199e3659d561a50f88a7fb2e" hash1 = "d5b2b30fe2d4759c199e3659d561a50f88a7fb2e"
hash2 = "a42f1ad2360833baedd2d5f59354c4fc3820c475" hash2 = "a42f1ad2360833baedd2d5f59354c4fc3820c475"
strings: strings:
$x0 = "Users\\Wool3n.H4t\\" $x0 = "Users\\Wool3n.H4t\\"
$x1 = "C-CPP\\CWoolger" $x1 = "C-CPP\\CWoolger"
$x2 = "NTSuser.exe" fullword wide $x2 = "NTSuser.exe" fullword wide
$s1 = "107.6.181.116" fullword wide $s1 = "107.6.181.116" fullword wide
$s2 = "oShellLink.Hotkey = \"CTRL+SHIFT+F\"" fullword $s2 = "oShellLink.Hotkey = \"CTRL+SHIFT+F\"" fullword
$s3 = "set WshShell = WScript.CreateObject(\"WScript.Shell\")" fullword $s3 = "set WshShell = WScript.CreateObject(\"WScript.Shell\")" fullword
...@@ -47,11 +52,12 @@ rule WoolenGoldfish_Generic_1 { ...@@ -47,11 +52,12 @@ rule WoolenGoldfish_Generic_1 {
$s8 = "[Enter]" fullword $s8 = "[Enter]" fullword
$s9 = "[Control]" fullword $s9 = "[Control]" fullword
condition: condition:
( 1 of ($x*) and 2 of ($s*) ) or ( 1 of ($x*) and 2 of ($s*) ) or ( 6 of ($s*) )
( 6 of ($s*) )
} }
rule WoolenGoldfish_Generic_2 { rule WoolenGoldfish_Generic_2
{
meta: meta:
description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ" description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
author = "Florian Roth" author = "Florian Roth"
...@@ -62,13 +68,17 @@ rule WoolenGoldfish_Generic_2 { ...@@ -62,13 +68,17 @@ rule WoolenGoldfish_Generic_2 {
hash2 = "62172eee1a4591bde2658175dd5b8652d5aead2a" hash2 = "62172eee1a4591bde2658175dd5b8652d5aead2a"
hash3 = "7fef48e1303e40110798dfec929ad88f1ad4fbd8" hash3 = "7fef48e1303e40110798dfec929ad88f1ad4fbd8"
hash4 = "c1edf6e3a271cf06030cc46cbd90074488c05564" hash4 = "c1edf6e3a271cf06030cc46cbd90074488c05564"
strings: strings:
$s0 = "modules\\exploits\\littletools\\agent_wrapper\\release" ascii $s0 = "modules\\exploits\\littletools\\agent_wrapper\\release" ascii
condition: condition:
all of them all of them
} }
rule WoolenGoldfish_Generic_3 { rule WoolenGoldfish_Generic_3
{
meta: meta:
description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ" description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
author = "Florian Roth" author = "Florian Roth"
...@@ -77,11 +87,11 @@ rule WoolenGoldfish_Generic_3 { ...@@ -77,11 +87,11 @@ rule WoolenGoldfish_Generic_3 {
score = 90 score = 90
hash1 = "86222ef166474e53f1eb6d7e6701713834e6fee7" hash1 = "86222ef166474e53f1eb6d7e6701713834e6fee7"
hash2 = "e8dbcde49c7f760165ebb0cb3452e4f1c24981f5" hash2 = "e8dbcde49c7f760165ebb0cb3452e4f1c24981f5"
strings: strings:
$x1 = "... get header FATAL ERROR !!! %d bytes read > header_size" fullword ascii $x1 = "... get header FATAL ERROR !!! %d bytes read > header_size" fullword ascii
$x2 = "index.php?c=%S&r=%x&u=1&t=%S" fullword wide $x2 = "index.php?c=%S&r=%x&u=1&t=%S" fullword wide
$x3 = "connect_back_tcp_channel#do_connect:: Error resolving connect back hostname" fullword ascii $x3 = "connect_back_tcp_channel#do_connect:: Error resolving connect back hostname" fullword ascii
$s0 = "kernel32.dll GetProcAddressLoadLibraryAws2_32.dll" fullword ascii $s0 = "kernel32.dll GetProcAddressLoadLibraryAws2_32.dll" fullword ascii
$s1 = "Content-Type: multipart/form-data; boundary=%S" fullword wide $s1 = "Content-Type: multipart/form-data; boundary=%S" fullword wide
$s2 = "Attempting to unlock uninitialized lock!" fullword ascii $s2 = "Attempting to unlock uninitialized lock!" fullword ascii
...@@ -93,7 +103,7 @@ rule WoolenGoldfish_Generic_3 { ...@@ -93,7 +103,7 @@ rule WoolenGoldfish_Generic_3 {
$s10 = "Error entering thread lock" fullword ascii $s10 = "Error entering thread lock" fullword ascii
$s11 = "Error exiting thread lock" fullword ascii $s11 = "Error exiting thread lock" fullword ascii
$s12 = "connect_back_tcp_channel_init:: socket() failed" fullword ascii $s12 = "connect_back_tcp_channel_init:: socket() failed" fullword ascii
condition: condition:
( 1 of ($x*) ) or ( 1 of ($x*) ) or ( 8 of ($s*) )
( 8 of ($s*) )
} }
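Review bot: WoolenGoldfish_Sample_1 appears to lose its `APT` rule tag in the first hunk: the hunk-header context shown above the second hunk still reads `rule WoolenGoldfish_Sample_1 : APT {`, while the reformatted header is plain `rule WoolenGoldfish_Sample_1` followed by `{` on its own line, which I take to be the new side. Rule tags are what `yara -t APT` and tag-filtered rulesets select on, so if this drop is unintended the rule silently falls out of any tag-based scan; if it is intentional normalization (the other three rules in the file carry no tag), a line in the commit description saying so would help. Keeping the tag costs nothing: `rule WoolenGoldfish_Sample_1 : APT` on the first line with `{` below it matches the brace style this commit introduces. While the meta blocks are being touched, the shared `description` text "Detects a operation Woolen-Goldfish sample" in all four rules should read "Detects an operation Woolen-Goldfish sample", and the reference is a goo.gl shortener whose target is not recoverable from the rule file alone, so the resolved report URL would be the more durable citation.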