Commit 1b1c9665 by Marc Rivero López Committed by GitHub

Update APT_Hellsing.yar

Fixed style rule
parent b047b622
...@@ -4,155 +4,153 @@ ...@@ -4,155 +4,153 @@
import "pe" import "pe"
rule apt_hellsing_implantstrings
rule apt_hellsing_implantstrings : PE
{ {
meta:
Author = "Costin Raiu, Kaspersky Lab" meta:
Date = "2015-04-07" Author = "Costin Raiu, Kaspersky Lab"
Description = "detection for Hellsing implants" Date = "2015-04-07"
Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back" Description = "detection for Hellsing implants"
Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
strings:
$mz="MZ" strings:
$mz="MZ"
$a1="the file uploaded failed !" $a1="the file uploaded failed !"
$a2="ping 127.0.0.1" $a2="ping 127.0.0.1"
$b1="the file downloaded failed !"
$b1="the file downloaded failed !" $b2="common.asp"
$b2="common.asp" $c="xweber_server.exe"
$d="action="
$c="xweber_server.exe" $debugpath1="d:\\Hellsing\\release\\msger\\" nocase
$d="action=" $debugpath2="d:\\hellsing\\sys\\xrat\\" nocase
$debugpath3="D:\\Hellsing\\release\\exe\\" nocase
$debugpath1="d:\\Hellsing\\release\\msger\\" nocase $debugpath4="d:\\hellsing\\sys\\xkat\\" nocase
$debugpath2="d:\\hellsing\\sys\\xrat\\" nocase $debugpath5="e:\\Hellsing\\release\\clare" nocase
$debugpath3="D:\\Hellsing\\release\\exe\\" nocase $debugpath6="e:\\Hellsing\\release\\irene\\" nocase
$debugpath4="d:\\hellsing\\sys\\xkat\\" nocase $debugpath7="d:\\hellsing\\sys\\irene\\" nocase
$debugpath5="e:\\Hellsing\\release\\clare" nocase $e="msger_server.dll"
$debugpath6="e:\\Hellsing\\release\\irene\\" nocase $f="ServiceMain"
$debugpath7="d:\\hellsing\\sys\\irene\\" nocase
condition:
$e="msger_server.dll" ($mz at 0) and (all of ($a*)) or (all of ($b*)) or ($c and $d) or (any of ($debugpath*)) or ($e and $f) and filesize < 500000
$f="ServiceMain"
condition:
($mz at 0) and (all of ($a*)) or (all of ($b*)) or ($c and $d) or (any of ($debugpath*)) or ($e and $f) and filesize < 500000
} }
rule apt_hellsing_installer : PE rule apt_hellsing_installer
{ {
meta:
Author = "Costin Raiu, Kaspersky Lab" meta:
Date = "2015-04-07" Author = "Costin Raiu, Kaspersky Lab"
Description = "detection for Hellsing xweber/msger installers" Date = "2015-04-07"
Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back" Description = "detection for Hellsing xweber/msger installers"
Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
strings:
$mz="MZ" strings:
$mz="MZ"
$cmd="cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \"%s\"" $cmd="cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \"%s\""
$a1="xweber_install_uac.exe"
$a1="xweber_install_uac.exe" $a2="system32\\cmd.exe" wide
$a2="system32\\cmd.exe" wide $a4="S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y="
$a4="S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y=" $a5="S11SWFOrVwR9dnFTUgRUVlNHWVdXBFpTVgRdUlpWRVZZWARdUqhZVlpFR1kEUVNSXahTVgRaU1YEUVNSXahTVl1SWwRZValdVFFZUqgQBF1SWlZFVllYBFRTVqg=" $a6="7dqm2ODf5N/Y2N/m6+br3dnZpunl44g="
$a5="S11SWFOrVwR9dnFTUgRUVlNHWVdXBFpTVgRdUlpWRVZZWARdUqhZVlpFR1kEUVNSXahTVgRaU1YEUVNSXahTVl1SWwRZValdVFFZUqgQBF1SWlZFVllYBFRTVqg=" $a6="7dqm2ODf5N/Y2N/m6+br3dnZpunl44g=" $a7="vd/m7OXd2ai/5u7a59rr7Ki45drcqMPl5t/c5dqIZw=="
$a7="vd/m7OXd2ai/5u7a59rr7Ki45drcqMPl5t/c5dqIZw==" $a8="vd/m7OXd2ai/usPl5qjY2uXp69nZqO7l2qjf5u7a59rr7Kjf5tzr2u7n6euo4+Xm39zl2qju5dqo4+Xm39zl2t/m7ajr19vf2OPr39rj5eaZmqbs5OSI Njl2tyI" $a9="C:\\Windows\\System32\\sysprep\\sysprep.exe" wide
$a8="vd/m7OXd2ai/usPl5qjY2uXp69nZqO7l2qjf5u7a59rr7Kjf5tzr2u7n6euo4+Xm39zl2qju5dqo4+Xm39zl2t/m7ajr19vf2OPr39rj5eaZmqbs5OSI Njl2tyI" $a9="C:\\Windows\\System32\\sysprep\\sysprep.exe" wide $a10="%SystemRoot%\\system32\\cmd.exe" wide
$a10="%SystemRoot%\\system32\\cmd.exe" wide $a11="msger_install.dll"
$a11="msger_install.dll" $a12={00 65 78 2E 64 6C 6C 00}
$a12={00 65 78 2E 64 6C 6C 00}
condition:
condition: ($mz at 0) and ($cmd and (2 of ($a*))) and filesize < 500000
($mz at 0) and ($cmd and (2 of ($a*))) and filesize < 500000
} }
rule apt_hellsing_proxytool : PE rule apt_hellsing_proxytool
{ {
meta:
Author = "Costin Raiu, Kaspersky Lab" meta:
Date = "2015-04-07" Author = "Costin Raiu, Kaspersky Lab"
Description = "detection for Hellsing proxy testing tool" Date = "2015-04-07"
Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back" Description = "detection for Hellsing proxy testing tool"
Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
strings:
$mz="MZ" strings:
$a1="PROXY_INFO: automatic proxy url => %s " $mz="MZ"
$a2="PROXY_INFO: connection type => %d " $a1="PROXY_INFO: automatic proxy url => %s "
$a3="PROXY_INFO: proxy server => %s " $a2="PROXY_INFO: connection type => %d "
$a4="PROXY_INFO: bypass list => %s " $a3="PROXY_INFO: proxy server => %s "
$a5="InternetQueryOption failed with GetLastError() %d" $a4="PROXY_INFO: bypass list => %s "
$a6="D:\\Hellsing\\release\\exe\\exe\\" nocase $a5="InternetQueryOption failed with GetLastError() %d"
$a6="D:\\Hellsing\\release\\exe\\exe\\" nocase
condition:
($mz at 0) and (2 of ($a*)) and filesize < 300000 condition:
($mz at 0) and (2 of ($a*)) and filesize < 300000
} }
rule apt_hellsing_xkat : PE rule apt_hellsing_xkat
{ {
meta:
Author = "Costin Raiu, Kaspersky Lab" meta:
Date = "2015-04-07" Author = "Costin Raiu, Kaspersky Lab"
Description = "detection for Hellsing xKat tool" Date = "2015-04-07"
Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back" Description = "detection for Hellsing xKat tool"
Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
strings:
$mz="MZ" strings:
$a1="\\Dbgv.sys" $mz="MZ"
$a2="XKAT_BIN" $a1="\\Dbgv.sys"
$a3="release sys file error." $a2="XKAT_BIN"
$a4="driver_load error. " $a3="release sys file error."
$a5="driver_create error." $a4="driver_load error. "
$a6="delete file:%s error." $a5="driver_create error."
$a7="delete file:%s ok." $a6="delete file:%s error."
$a8="kill pid:%d error." $a7="delete file:%s ok."
$a9="kill pid:%d ok." $a8="kill pid:%d error."
$a10="-pid-delete" $a9="kill pid:%d ok."
$a11="kill and delete pid:%d error." $a10="-pid-delete"
$a12="kill and delete pid:%d ok." $a11="kill and delete pid:%d error."
$a12="kill and delete pid:%d ok."
condition:
($mz at 0) and (6 of ($a*)) and filesize < 300000 condition:
($mz at 0) and (6 of ($a*)) and filesize < 300000
} }
rule apt_hellsing_msgertype2 : PE rule apt_hellsing_msgertype2
{ {
meta:
Author = "Costin Raiu, Kaspersky Lab" meta:
Date = "2015-04-07" Author = "Costin Raiu, Kaspersky Lab"
Description = "detection for Hellsing msger type 2 implants" Date = "2015-04-07"
Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back" Description = "detection for Hellsing msger type 2 implants"
Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
strings:
$mz="MZ" strings:
$a1="%s\\system\\%d.txt" $mz="MZ"
$a2="_msger" $a1="%s\\system\\%d.txt"
$a3="http://%s/lib/common.asp?action=user_login&uid=%s&lan=%s&host=%s&os=%s&proxy=%s" $a2="_msger"
$a4="http://%s/data/%s.1000001000" $a3="http://%s/lib/common.asp?action=user_login&uid=%s&lan=%s&host=%s&os=%s&proxy=%s"
$a5="/lib/common.asp?action=user_upload&file=" $a4="http://%s/data/%s.1000001000"
$a6="%02X-%02X-%02X-%02X-%02X-%02X" $a5="/lib/common.asp?action=user_upload&file="
$a6="%02X-%02X-%02X-%02X-%02X-%02X"
condition:
($mz at 0) and (4 of ($a*)) and filesize < 500000 condition:
($mz at 0) and (4 of ($a*)) and filesize < 500000
} }
rule apt_hellsing_irene : PE rule apt_hellsing_irene
{ {
meta:
Author = "Costin Raiu, Kaspersky Lab" meta:
Date = "2015-04-07" Author = "Costin Raiu, Kaspersky Lab"
Description = "detection for Hellsing msger irene installer" Date = "2015-04-07"
Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back" Description = "detection for Hellsing msger irene installer"
Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
strings:
$mz="MZ" strings:
$a1="\\Drivers\\usbmgr.tmp" wide $mz="MZ"
$a2="\\Drivers\\usbmgr.sys" wide $a1="\\Drivers\\usbmgr.tmp" wide
$a3="common_loadDriver CreateFile error! " $a2="\\Drivers\\usbmgr.sys" wide
$a4="common_loadDriver StartService error && GetLastError():%d! " $a3="common_loadDriver CreateFile error! "
$a5="irene" wide $a4="common_loadDriver StartService error && GetLastError():%d! "
$a6="aPLib v0.43 - the smaller the better" $a5="irene" wide
$a6="aPLib v0.43 - the smaller the better"
condition:
($mz at 0) and (4 of ($a*)) and filesize < 500000 condition:
($mz at 0) and (4 of ($a*)) and filesize < 500000
} }
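Review bot: The condition of apt_hellsing_implantstrings (the line beginning `($mz at 0) and (all of ($a*)) or (all of ($b*)) ...`) mixes `and` and `or` with no grouping, and YARA binds `and` tighter than `or`, so `$mz at 0` only guards the `$a*` alternative and `filesize < 500000` only guards `$e and $f`; a non-PE file of any size containing just `common.asp` and `the file downloaded failed !`, or `xweber_server.exe` and `action=`, will fire this rule. Since the commit reflows the rule but keeps this condition, it seems worth fixing in the same pass: `($mz at 0) and filesize < 500000 and ((all of ($a*)) or (all of ($b*)) or ($c and $d) or (any of ($debugpath*)) or ($e and $f))`, which is how the other five rules in this file already apply both guards to the whole expression. Separately, with `pe` imported, `uint16(0) == 0x5A4D` (or `pe.is_pe`) is the usual replacement for the two-byte `$mz="MZ"` string, which is a slow atom for the scanner. The `$a8` literal in apt_hellsing_installer also contains an embedded space inside what looks like a base64 blob (`...5OSI Njl2tyI`); if that is a paste artifact rather than the string as it appears in the sample, the atom can never match and should be checked against the original.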