Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
R
rules
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
fact-depend
rules
Commits
1b00995e
Commit
1b00995e
authored
Jan 23, 2017
by
Marc Rivero López
Committed by
GitHub
Jan 23, 2017
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Update APT_Unit78020.yar
parent
b246887b
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
22 additions
and
12 deletions
+22
-12
APT_Unit78020.yar
malware/APT_Unit78020.yar
+22
-12
No files found.
malware/APT_Unit78020.yar
View file @
1b00995e
...
@@ -9,7 +9,9 @@
...
@@ -9,7 +9,9 @@
Identifier: Unit 78020 Malware
Identifier: Unit 78020 Malware
*/
*/
rule Unit78020_Malware_Gen1 {
rule Unit78020_Malware_Gen1
{
meta:
meta:
description = "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule"
description = "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule"
author = "Florian Roth"
author = "Florian Roth"
...
@@ -21,6 +23,7 @@ rule Unit78020_Malware_Gen1 {
...
@@ -21,6 +23,7 @@ rule Unit78020_Malware_Gen1 {
hash4 = "5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2"
hash4 = "5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2"
hash5 = "7b73bf2d80a03eb477242967628da79924fbe06cc67c4dcdd2bdefccd6e0e1af"
hash5 = "7b73bf2d80a03eb477242967628da79924fbe06cc67c4dcdd2bdefccd6e0e1af"
hash6 = "88c5be84afe20c91e4024160303bafb044f98aa5fbf8c9f9997758a014238790"
hash6 = "88c5be84afe20c91e4024160303bafb044f98aa5fbf8c9f9997758a014238790"
strings:
strings:
$x1 = "greensky27.vicp.net" fullword wide
$x1 = "greensky27.vicp.net" fullword wide
$x2 = "POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1" fullword ascii
$x2 = "POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1" fullword ascii
...
@@ -33,13 +36,11 @@ rule Unit78020_Malware_Gen1 {
...
@@ -33,13 +36,11 @@ rule Unit78020_Malware_Gen1 {
$x8 = "pnoc-ec.vicp.net" fullword wide
$x8 = "pnoc-ec.vicp.net" fullword wide
$x9 = "aseanph.vicp.net" fullword wide
$x9 = "aseanph.vicp.net" fullword wide
$x10 = "pnoc.vicp.net" fullword wide
$x10 = "pnoc.vicp.net" fullword wide
$a1 = "dMozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.0; .NET CLR 1.1.4322)" fullword wide /* typo */
$a1 = "dMozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.0; .NET CLR 1.1.4322)" fullword wide /* typo */
$a2 = "User-Agent: Netscape" fullword ascii /* ;) */
$a2 = "User-Agent: Netscape" fullword ascii /* ;) */
$a3 = "Accept-Language:En-us/r/n" fullword wide /* typo */
$a3 = "Accept-Language:En-us/r/n" fullword wide /* typo */
$a4 = "\\Office Start.lnk" fullword wide
$a4 = "\\Office Start.lnk" fullword wide
$a5 = "\\MSN Talk Start.lnk" fullword wide
$a5 = "\\MSN Talk Start.lnk" fullword wide
$s1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" fullword wide
$s1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" fullword wide
$s2 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7" fullword ascii
$s2 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7" fullword ascii
$s3 = "%USERPROFILE%\\Application Data\\Mozilla\\Firefox\\Profiles" fullword wide
$s3 = "%USERPROFILE%\\Application Data\\Mozilla\\Firefox\\Profiles" fullword wide
...
@@ -57,20 +58,22 @@ rule Unit78020_Malware_Gen1 {
...
@@ -57,20 +58,22 @@ rule Unit78020_Malware_Gen1 {
$s15 = "R_eOR_eOR_eO)CiOS_eO" fullword ascii
$s15 = "R_eOR_eOR_eO)CiOS_eO" fullword ascii
$s16 = "DRIVE_RAMDISK" fullword wide
$s16 = "DRIVE_RAMDISK" fullword wide
$s17 = "%s %s %s %s %d %d %d %d " fullword ascii
$s17 = "%s %s %s %s %d %d %d %d " fullword ascii
condition:
condition:
( uint16(0) == 0x5a4d and filesize < 250KB and 1 of ($x*) ) or
( uint16(0) == 0x5a4d and filesize < 250KB and 1 of ($x*) ) or 2 of ($a*) or 6 of ($s*)
2 of ($a*) or
6 of ($s*)
}
}
rule Unit78020_Malware_1 : APT {
rule Unit78020_Malware_1
{
meta:
meta:
description = "Detects malware by Chinese APT PLA Unit 78020 - Specific Rule - msictl.exe"
description = "Detects malware by Chinese APT PLA Unit 78020 - Specific Rule - msictl.exe"
author = "Florian Roth"
author = "Florian Roth"
reference = "http://threatconnect.com/camerashy/?utm_campaign=CameraShy"
reference = "http://threatconnect.com/camerashy/?utm_campaign=CameraShy"
date = "2015-09-24"
date = "2015-09-24"
hash = "a93d01f1cc2d18ced2f3b2b78319aadc112f611ab8911ae9e55e13557c1c791a"
hash = "a93d01f1cc2d18ced2f3b2b78319aadc112f611ab8911ae9e55e13557c1c791a"
strings:
strings:
$s1 = "%ProgramFiles%\\Internet Explorer\\iexplore.exe" fullword ascii
$s1 = "%ProgramFiles%\\Internet Explorer\\iexplore.exe" fullword ascii
$s2 = "msictl.exe" fullword ascii
$s2 = "msictl.exe" fullword ascii
...
@@ -78,11 +81,14 @@ rule Unit78020_Malware_1 : APT {
...
@@ -78,11 +81,14 @@ rule Unit78020_Malware_1 : APT {
$s4 = "mshtml.dat" fullword ascii
$s4 = "mshtml.dat" fullword ascii
$s5 = "msisvc" fullword ascii
$s5 = "msisvc" fullword ascii
$s6 = "NOKIAN95/WEB" fullword ascii
$s6 = "NOKIAN95/WEB" fullword ascii
condition:
condition:
uint16(0) == 0x5a4d and filesize < 160KB and 4 of them
uint16(0) == 0x5a4d and filesize < 160KB and 4 of them
}
}
rule Unit78020_Malware_Gen2 {
rule Unit78020_Malware_Gen2
{
meta:
meta:
description = "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule"
description = "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule"
author = "Florian Roth"
author = "Florian Roth"
...
@@ -92,6 +98,7 @@ rule Unit78020_Malware_Gen2 {
...
@@ -92,6 +98,7 @@ rule Unit78020_Malware_Gen2 {
hash1 = "76c586e89c30a97e583c40ebe3f4ba75d5e02e52959184c4ce0a46b3aac54edd"
hash1 = "76c586e89c30a97e583c40ebe3f4ba75d5e02e52959184c4ce0a46b3aac54edd"
hash2 = "7b73bf2d80a03eb477242967628da79924fbe06cc67c4dcdd2bdefccd6e0e1af"
hash2 = "7b73bf2d80a03eb477242967628da79924fbe06cc67c4dcdd2bdefccd6e0e1af"
hash3 = "981e2fa1ae4145359036b46e8b53cc5da37dd2311204859761bd91572f025e8a"
hash3 = "981e2fa1ae4145359036b46e8b53cc5da37dd2311204859761bd91572f025e8a"
strings:
strings:
$s0 = "-GetModuleFileNameExW" fullword ascii
$s0 = "-GetModuleFileNameExW" fullword ascii
$s1 = "\\MSN Talk Start.lnk" fullword wide
$s1 = "\\MSN Talk Start.lnk" fullword wide
...
@@ -99,11 +106,14 @@ rule Unit78020_Malware_Gen2 {
...
@@ -99,11 +106,14 @@ rule Unit78020_Malware_Gen2 {
$s3 = "WinMM Version 1.0" fullword wide
$s3 = "WinMM Version 1.0" fullword wide
$s4 = "dwError1 = %d" fullword ascii
$s4 = "dwError1 = %d" fullword ascii
$s5 = "*Can't Get" fullword wide
$s5 = "*Can't Get" fullword wide
condition:
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and all of them
uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}
}
rule Unit78020_Malware_Gen3 {
rule Unit78020_Malware_Gen3
{
meta:
meta:
description = "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong"
description = "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong"
author = "Florian Roth"
author = "Florian Roth"
...
@@ -112,11 +122,11 @@ rule Unit78020_Malware_Gen3 {
...
@@ -112,11 +122,11 @@ rule Unit78020_Malware_Gen3 {
super_rule = 1
super_rule = 1
hash1 = "2625a0d91d3cdbbc7c4a450c91e028e3609ff96c4f2a5a310ae20f73e1bc32ac"
hash1 = "2625a0d91d3cdbbc7c4a450c91e028e3609ff96c4f2a5a310ae20f73e1bc32ac"
hash2 = "5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2"
hash2 = "5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2"
strings:
strings:
$x1 = "GET http://%ws:%d/%d%s%dHTTP/1.1" fullword ascii
$x1 = "GET http://%ws:%d/%d%s%dHTTP/1.1" fullword ascii
$x2 = "POST http://%ws:%d/%d%s%dHTTP/1.1" fullword ascii
$x2 = "POST http://%ws:%d/%d%s%dHTTP/1.1" fullword ascii
$x3 = "J:\\chong\\" ascii
$x3 = "J:\\chong\\" ascii
$s1 = "User-Agent: Netscape" fullword ascii
$s1 = "User-Agent: Netscape" fullword ascii
$s2 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7" fullword ascii
$s2 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7" fullword ascii
$s3 = "Software\\Microsoft\\Windows\\CurrentVersion\\explorer\\User Shell Folders" fullword wide
$s3 = "Software\\Microsoft\\Windows\\CurrentVersion\\explorer\\User Shell Folders" fullword wide
...
@@ -127,7 +137,7 @@ rule Unit78020_Malware_Gen3 {
...
@@ -127,7 +137,7 @@ rule Unit78020_Malware_Gen3 {
$s8 = "Host: %ws:%d" fullword ascii
$s8 = "Host: %ws:%d" fullword ascii
$s9 = "GET %dHTTP/1.1" fullword ascii
$s9 = "GET %dHTTP/1.1" fullword ascii
$s10 = "SCHANNEL.DLL" fullword ascii /* Goodware String - occured 6 times */
$s10 = "SCHANNEL.DLL" fullword ascii /* Goodware String - occured 6 times */
condition:
condition:
( uint16(0) == 0x5a4d and filesize < 300KB and 1 of ($x*) ) or
( uint16(0) == 0x5a4d and filesize < 300KB and 1 of ($x*) ) or 4 of ($s*)
4 of ($s*)
}
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
