Commit
2cb9d752
authored
Jan 21, 2017
by
Marc Rivero López
Committed by
GitHub
Jan 21, 2017
Update APT_Codoso.yar
Fixed rule style
parent
40504207
Showing
1 changed file
with
371 additions
and
306 deletions
+371
-306
APT_Codoso.yar
malware/APT_Codoso.yar
+371
-306
malware/APT_Codoso.yar
@@ -13,328 +13,393 @@
@@ -13,328 +13,393 @@
/* Rule Set ----------------------------------------------------------------- */
/* Rule Set ----------------------------------------------------------------- */
rule Codoso_PlugX_3 {
rule Codoso_PlugX_3
meta:
{
description = "Detects Codoso APT PlugX Malware"
author = "Florian Roth"
meta:
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
description = "Detects Codoso APT PlugX Malware"
date = "2016-01-30"
author = "Florian Roth"
hash = "74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
strings:
date = "2016-01-30"
$s1 = "Cannot create folder %sDCRC failed in the encrypted file %s. Corrupt file or wrong password." fullword wide
hash = "74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3"
$s2 = "mcs.exe" fullword ascii
$s3 = "McAltLib.dll" fullword ascii
strings:
$s4 = "WinRAR self-extracting archive" fullword wide
$s1 = "Cannot create folder %sDCRC failed in the encrypted file %s. Corrupt file or wrong password." fullword wide
condition:
$s2 = "mcs.exe" fullword ascii
uint16(0) == 0x5a4d and filesize < 1200KB and all of them
$s3 = "McAltLib.dll" fullword ascii
$s4 = "WinRAR self-extracting archive" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 1200KB and all of them
}
}
rule Codoso_PlugX_2 {
meta:
rule Codoso_PlugX_2
description = "Detects Codoso APT PlugX Malware"
{
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
meta:
date = "2016-01-30"
description = "Detects Codoso APT PlugX Malware"
hash = "b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb"
author = "Florian Roth"
strings:
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
$s1 = "%TEMP%\\HID" fullword wide
date = "2016-01-30"
$s2 = "%s\\hid.dll" fullword wide
hash = "b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb"
$s3 = "%s\\SOUNDMAN.exe" fullword wide
$s4 = "\"%s\\SOUNDMAN.exe\" %d %d" fullword wide
strings:
$s5 = "%s\\HID.dllx" fullword wide
$s1 = "%TEMP%\\HID" fullword wide
condition:
$s2 = "%s\\hid.dll" fullword wide
( uint16(0) == 0x5a4d and filesize < 400KB and 3 of them ) or all of them
$s3 = "%s\\SOUNDMAN.exe" fullword wide
$s4 = "\"%s\\SOUNDMAN.exe\" %d %d" fullword wide
$s5 = "%s\\HID.dllx" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 400KB and 3 of them ) or all of them
}
}
rule Codoso_CustomTCP_4 {
meta:
rule Codoso_CustomTCP_4
description = "Detects Codoso APT CustomTCP Malware"
{
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
meta:
date = "2016-01-30"
description = "Detects Codoso APT CustomTCP Malware"
hash1 = "ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0"
author = "Florian Roth"
hash2 = "130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
hash3 = "3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa"
date = "2016-01-30"
hash4 = "02cf5c244aebaca6195f45029c1e37b22495609be7bdfcfcd79b0c91eac44a13"
hash1 = "ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0"
strings:
hash2 = "130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8"
$x1 = "varus_service_x86.dll" fullword ascii
hash3 = "3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa"
hash4 = "02cf5c244aebaca6195f45029c1e37b22495609be7bdfcfcd79b0c91eac44a13"
$s1 = "/s %s /p %d /st %d /rt %d" fullword ascii
$s2 = "net start %%1" fullword ascii
strings:
$s3 = "ping 127.1 > nul" fullword ascii
$x1 = "varus_service_x86.dll" fullword ascii
$s4 = "McInitMISPAlertEx" fullword ascii
$s1 = "/s %s /p %d /st %d /rt %d" fullword ascii
$s5 = "sc start %%1" fullword ascii
$s2 = "net start %%1" fullword ascii
$s6 = "net stop %%1" fullword ascii
$s3 = "ping 127.1 > nul" fullword ascii
$s7 = "WorkerRun" fullword ascii
$s4 = "McInitMISPAlertEx" fullword ascii
condition:
$s5 = "sc start %%1" fullword ascii
( uint16(0) == 0x5a4d and filesize < 400KB and 5 of them ) or
$s6 = "net stop %%1" fullword ascii
( $x1 and 2 of ($s*) )
$s7 = "WorkerRun" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 400KB and 5 of them ) or ( $x1 and 2 of ($s*) )
}
}
rule Codoso_CustomTCP_3 {
meta:
rule Codoso_CustomTCP_3
description = "Detects Codoso APT CustomTCP Malware"
{
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
meta:
date = "2016-01-30"
description = "Detects Codoso APT CustomTCP Malware"
hash = "d66106ec2e743dae1d71b60a602ca713b93077f56a47045f4fc9143aa3957090"
author = "Florian Roth"
strings:
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
$s1 = "DnsApi.dll" fullword ascii
date = "2016-01-30"
$s2 = "softWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\%s" ascii
hash = "d66106ec2e743dae1d71b60a602ca713b93077f56a47045f4fc9143aa3957090"
$s3 = "CONNECT %s:%d hTTP/1.1" ascii
$s4 = "CONNECT %s:%d HTTp/1.1" ascii
strings:
$s5 = "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0;)" ascii
$s1 = "DnsApi.dll" fullword ascii
$s6 = "iphlpapi.dll" ascii
$s2 = "softWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\%s" ascii
$s7 = "%systemroot%\\Web\\" ascii
$s3 = "CONNECT %s:%d hTTP/1.1" ascii
$s8 = "Proxy-Authorization: Negotiate %s" ascii
$s4 = "CONNECT %s:%d HTTp/1.1" ascii
$s9 = "CLSID\\{%s}\\InprocServer32" ascii
$s5 = "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0;)" ascii
condition:
$s6 = "iphlpapi.dll" ascii
( uint16(0) == 0x5a4d and filesize < 500KB and 5 of them ) or 7 of them
$s7 = "%systemroot%\\Web\\" ascii
$s8 = "Proxy-Authorization: Negotiate %s" ascii
$s9 = "CLSID\\{%s}\\InprocServer32" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 500KB and 5 of them ) or 7 of them
}
}
rule Codoso_CustomTCP_2 {
meta:
rule Codoso_CustomTCP_2
description = "Detects Codoso APT CustomTCP Malware"
{
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
meta:
date = "2016-01-30"
description = "Detects Codoso APT CustomTCP Malware"
hash = "3577845d71ae995762d4a8f43b21ada49d809f95c127b770aff00ae0b64264a3"
author = "Florian Roth"
strings:
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
$s1 = "varus_service_x86.dll" fullword ascii
date = "2016-01-30"
$s2 = "/s %s /p %d /st %d /rt %d" fullword ascii
hash = "3577845d71ae995762d4a8f43b21ada49d809f95c127b770aff00ae0b64264a3"
$s3 = "net start %%1" fullword ascii
$s4 = "ping 127.1 > nul" fullword ascii
strings:
$s5 = "McInitMISPAlertEx" fullword ascii
$s1 = "varus_service_x86.dll" fullword ascii
$s6 = "sc start %%1" fullword ascii
$s2 = "/s %s /p %d /st %d /rt %d" fullword ascii
$s7 = "B_WKNDNSK^" fullword ascii
$s3 = "net start %%1" fullword ascii
$s8 = "net stop %%1" fullword ascii
$s4 = "ping 127.1 > nul" fullword ascii
condition:
$s5 = "McInitMISPAlertEx" fullword ascii
uint16(0) == 0x5a4d and filesize < 406KB and all of them
$s6 = "sc start %%1" fullword ascii
$s7 = "B_WKNDNSK^" fullword ascii
$s8 = "net stop %%1" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 406KB and all of them
}
}
rule Codoso_PGV_PVID_6 {
meta:
rule Codoso_PGV_PVID_6
description = "Detects Codoso APT PGV_PVID Malware"
{
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
meta:
date = "2016-01-30"
description = "Detects Codoso APT PGV_PVID Malware"
hash = "4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f"
author = "Florian Roth"
strings:
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
$s0 = "rundll32 \"%s\",%s" fullword ascii
date = "2016-01-30"
$s1 = "/c ping 127.%d & del \"%s\"" fullword ascii
hash = "4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f"
condition:
uint16(0) == 0x5a4d and filesize < 6000KB and all of them
strings:
$s0 = "rundll32 \"%s\",%s" fullword ascii
$s1 = "/c ping 127.%d & del \"%s\"" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 6000KB and all of them
}
}
rule Codoso_Gh0st_3 {
meta:
rule Codoso_Gh0st_3
description = "Detects Codoso APT Gh0st Malware"
{
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
meta:
date = "2016-01-30"
description = "Detects Codoso APT Gh0st Malware"
hash = "bf52ca4d4077ae7e840cf6cd11fdec0bb5be890ddd5687af5cfa581c8c015fcd"
author = "Florian Roth"
strings:
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
$x1 = "RunMeByDLL32" fullword ascii
date = "2016-01-30"
hash = "bf52ca4d4077ae7e840cf6cd11fdec0bb5be890ddd5687af5cfa581c8c015fcd"
$s1 = "svchost.dll" fullword wide
$s2 = "server.dll" fullword ascii
strings:
$s3 = "Copyright ? 2008" fullword wide
$x1 = "RunMeByDLL32" fullword ascii
$s4 = "testsupdate33" fullword ascii
$s1 = "svchost.dll" fullword wide
$s5 = "Device Protect Application" fullword wide
$s2 = "server.dll" fullword ascii
$s6 = "MSVCP60.DLL" fullword ascii /* Goodware String - occured 1 times */
$s3 = "Copyright ? 2008" fullword wide
$s7 = "mail-news.eicp.net" fullword ascii
$s4 = "testsupdate33" fullword ascii
condition:
$s5 = "Device Protect Application" fullword wide
uint16(0) == 0x5a4d and filesize < 195KB and $x1 or 4 of them
$s6 = "MSVCP60.DLL" fullword ascii /* Goodware String - occured 1 times */
$s7 = "mail-news.eicp.net" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 195KB and $x1 or 4 of them
}
}
rule Codoso_Gh0st_2 {
meta:
rule Codoso_Gh0st_2
description = "Detects Codoso APT Gh0st Malware"
{
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
meta:
date = "2016-01-30"
description = "Detects Codoso APT Gh0st Malware"
hash = "5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841"
author = "Florian Roth"
strings:
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
$s0 = "cmd.exe /c ping 127.0.0.1 && ping 127.0.0.1 && sc start %s && ping 127.0.0.1 && sc start %s" fullword ascii
date = "2016-01-30"
$s1 = "rundll32.exe \"%s\", RunMeByDLL32" fullword ascii
hash = "5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841"
$s13 = "Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}" fullword wide
$s14 = "%s -r debug 1" fullword ascii
strings:
$s15 = "\\\\.\\keymmdrv1" fullword ascii
$s0 = "cmd.exe /c ping 127.0.0.1 && ping 127.0.0.1 && sc start %s && ping 127.0.0.1 && sc start %s" fullword ascii
$s17 = "RunMeByDLL32" fullword ascii
$s1 = "rundll32.exe \"%s\", RunMeByDLL32" fullword ascii
condition:
$s13 = "Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}" fullword wide
uint16(0) == 0x5a4d and filesize < 500KB and 1 of them
$s14 = "%s -r debug 1" fullword ascii
$s15 = "\\\\.\\keymmdrv1" fullword ascii
$s17 = "RunMeByDLL32" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 500KB and 1 of them
}
}
rule Codoso_CustomTCP {
meta:
rule Codoso_CustomTCP
description = "Codoso CustomTCP Malware"
{
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
meta:
date = "2016-01-30"
description = "Codoso CustomTCP Malware"
hash = "b95d7f56a686a05398198d317c805924c36f3abacbb1b9e3f590ec0d59f845d8"
author = "Florian Roth"
strings:
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
$s4 = "wnyglw" fullword ascii
date = "2016-01-30"
$s5 = "WorkerRun" fullword ascii
hash = "b95d7f56a686a05398198d317c805924c36f3abacbb1b9e3f590ec0d59f845d8"
$s7 = "boazdcd" fullword ascii
$s8 = "wayflw" fullword ascii
strings:
$s9 = "CODETABL" fullword ascii
$s4 = "wnyglw" fullword ascii
condition:
$s5 = "WorkerRun" fullword ascii
uint16(0) == 0x5a4d and filesize < 405KB and all of them
$s7 = "boazdcd" fullword ascii
$s8 = "wayflw" fullword ascii
$s9 = "CODETABL" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 405KB and all of them
}
}
/* Super Rules ------------------------------------------------------------- */
/* Super Rules ------------------------------------------------------------- */
rule Codoso_PGV_PVID_5 {
rule Codoso_PGV_PVID_5
meta:
{
description = "Detects Codoso APT PGV PVID Malware"
author = "Florian Roth"
meta:
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
description = "Detects Codoso APT PGV PVID Malware"
date = "2016-01-30"
author = "Florian Roth"
super_rule = 1
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
date = "2016-01-30"
hash2 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
super_rule = 1
strings:
hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
$s1 = "/c del %s >> NUL" fullword ascii
hash2 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
$s2 = "%s%s.manifest" fullword ascii
condition:
strings:
uint16(0) == 0x5a4d and filesize < 500KB and all of them
$s1 = "/c del %s >> NUL" fullword ascii
$s2 = "%s%s.manifest" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 500KB and all of them
}
}
rule Codoso_Gh0st_1
{
rule Codoso_Gh0st_1
meta:
{
description = "Detects Codoso APT Gh0st Malware"
author = "Florian Roth"
meta:
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
"
description = "Detects Codoso APT Gh0st Malware
"
date = "2016-01-30
"
author = "Florian Roth
"
super_rule = 1
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
hash1 = "5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
"
date = "2016-01-30
"
hash2 = "7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8"
super_rule = 1
hash3 = "d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297
"
hash1 = "5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
"
strings:
hash2 = "7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8"
$x1 = "cmd.exe /c ping 127.0.0.1 && ping 127.0.0.1 && sc start %s && ping 127.0.0.1 && sc start %s" fullword ascii
hash3 = "d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297"
$x2 = "rundll32.exe \"%s\", RunMeByDLL32" fullword ascii
$x3 = "Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}" fullword wide
strings:
$x4 = "\\\\.\\keymmdrv1
" fullword ascii
$x1 = "cmd.exe /c ping 127.0.0.1 && ping 127.0.0.1 && sc start %s && ping 127.0.0.1 && sc start %s
" fullword ascii
$x2 = "rundll32.exe \"%s\", RunMeByDLL32" fullword ascii
$s1 = "spideragent.exe" fullword ascii
$x3 = "Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}" fullword wide
$s2 = "AVGIDSAgent.exe
" fullword ascii
$x4 = "\\\\.\\keymmdrv1
" fullword ascii
$s3 = "kavsvc
.exe" fullword ascii
$s1 = "spideragent
.exe" fullword ascii
$s4 = "mspai
nt.exe" fullword ascii
$s2 = "AVGIDSAge
nt.exe" fullword ascii
$s5 = "kav
.exe" fullword ascii
$s3 = "kavsvc
.exe" fullword ascii
$s6 = "avp
.exe" fullword ascii
$s4 = "mspaint
.exe" fullword ascii
$s7 = "NAV
.exe" fullword ascii
$s5 = "kav
.exe" fullword ascii
$s6 = "avp.exe" fullword ascii
$c1 = "Elevation:Administrator!new:" wide
$s7 = "NAV.exe" fullword ascii
$c2 = "Global\\RUNDLL32EXITEVENT_NAME{12845-8654-543}" fullword ascii
$c1 = "Elevation:Administrator!new:" wide
$c3 = "\\sysprep\\sysprep.exe" fullword wide
$c2 = "Global\\RUNDLL32EXITEVENT_NAME{12845-8654-543}" fullword ascii
$c4 = "\\sysprep\\CRYPTBASE.dll
" fullword wide
$c3 = "\\sysprep\\sysprep.exe
" fullword wide
$c5 = "Global\\TERMINATEEVENT_NAME{12845-8654-542}" fullword ascii
$c4 = "\\sysprep\\CRYPTBASE.dll" fullword wide
$c6 = "ConsentPromptBehaviorAdmin
" fullword ascii
$c5 = "Global\\TERMINATEEVENT_NAME{12845-8654-542}
" fullword ascii
$c7 = "\\sysprep" fullword wide
$c6 = "ConsentPromptBehaviorAdmin" fullword ascii
$c8 = "Global\\UN{5FFC0C8B-8BE5-49d5-B9F2-BCDC8976EE10}" fullword ascii
$c7 = "\\sysprep" fullword wide
condition:
$c8 = "Global\\UN{5FFC0C8B-8BE5-49d5-B9F2-BCDC8976EE10}" fullword ascii
uint16(0) == 0x5a4d and filesize < 1000KB and ( 4 of ($s*) or 4 of ($c*) ) or
1 of ($x*) or
condition:
6 of ($c*)
uint16(0) == 0x5a4d and filesize < 1000KB and ( 4 of ($s*) or 4 of ($c*) ) or 1 of ($x*) or
6 of ($c*)
}
}
rule Codoso_PGV_PVID_4 {
meta:
rule Codoso_PGV_PVID_4
description = "Detects Codoso APT PlugX Malware"
{
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
meta:
date = "2016-01-30"
description = "Detects Codoso APT PlugX Malware"
super_rule = 1
author = "Florian Roth"
hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
hash2 = "8a56b476d792983aea0199ee3226f0d04792b70a1c1f05f399cb6e4ce8a38761"
date = "2016-01-30"
hash3 = "b2950f2e09f5356e985c38b284ea52175d21feee12e582d674c0da2233b1feb1"
super_rule = 1
hash4 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
hash5 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
hash2 = "8a56b476d792983aea0199ee3226f0d04792b70a1c1f05f399cb6e4ce8a38761"
strings:
hash3 = "b2950f2e09f5356e985c38b284ea52175d21feee12e582d674c0da2233b1feb1"
$x1 = "dropper, Version 1.0" fullword wide
hash4 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
$x2 = "dropper" fullword wide
hash5 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
$x3 = "DROPPER" fullword wide
$x4 = "About dropper" fullword wide
strings:
$x1 = "dropper, Version 1.0" fullword wide
$s1 = "Microsoft Windows Manager Utility" fullword wide
$x2 = "dropper" fullword wide
$s2 = "SYSTEM\\CurrentControlSet\\Services\\" fullword ascii /* Goodware String - occured 9 times */
$x3 = "DROPPER" fullword wide
$s3 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify" fullword ascii /* Goodware String - occured 10 times */
$x4 = "About dropper" fullword wide
$s4 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3" ascii /* Goodware String - occured 46 times */
$s1 = "Microsoft Windows Manager Utility" fullword wide
$s5 = "<supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"></supportedOS>" fullword ascii /* Goodware String - occured 65 times */
$s2 = "SYSTEM\\CurrentControlSet\\Services\\" fullword ascii /* Goodware String - occured 9 times */
condition:
$s3 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify" fullword ascii /* Goodware String - occured 10 times */
uint16(0) == 0x5a4d and filesize < 900KB and 1 of ($x*) and 2 of ($s*)
$s4 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3" ascii /* Goodware String - occured 46 times */
$s5 = "<supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"></supportedOS>" fullword ascii /* Goodware String - occured 65 times */
condition:
uint16(0) == 0x5a4d and filesize < 900KB and 1 of ($x*) and 2 of ($s*)
}
}
rule Codoso_PlugX_1 {
meta:
rule Codoso_PlugX_1
description = "Detects Codoso APT PlugX Malware"
{
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
meta:
date = "2016-01-30"
description = "Detects Codoso APT PlugX Malware"
super_rule = 1
author = "Florian Roth"
hash1 = "0b8cbc9b4761ab35acce2aa12ba2c0a283afd596b565705514fd802c8b1e144b"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
hash2 = "448711bd3f689ceebb736d25253233ac244d48cb766834b8f974c2e9d4b462e8"
date = "2016-01-30"
hash3 = "fd22547497ce52049083092429eeff0599d0b11fe61186e91c91e1f76b518fe2"
super_rule = 1
strings:
hash1 = "0b8cbc9b4761ab35acce2aa12ba2c0a283afd596b565705514fd802c8b1e144b"
$s1 = "GETPASSWORD1" fullword ascii
hash2 = "448711bd3f689ceebb736d25253233ac244d48cb766834b8f974c2e9d4b462e8"
$s2 = "NvSmartMax.dll" fullword ascii
hash3 = "fd22547497ce52049083092429eeff0599d0b11fe61186e91c91e1f76b518fe2"
$s3 = "LICENSEDLG" fullword ascii
condition:
strings:
uint16(0) == 0x5a4d and filesize < 800KB and all of them
$s1 = "GETPASSWORD1" fullword ascii
$s2 = "NvSmartMax.dll" fullword ascii
$s3 = "LICENSEDLG" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 800KB and all of them
}
}
rule Codoso_PGV_PVID_3 {
meta:
rule Codoso_PGV_PVID_3
description = "Detects Codoso APT PGV PVID Malware"
{
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
meta:
date = "2016-01-30"
description = "Detects Codoso APT PGV PVID Malware"
super_rule = 1
author = "Florian Roth"
hash1 = "126fbdcfed1dfb31865d4b18db2fb963f49df838bf66922fea0c37e06666aee1"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
hash2 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
date = "2016-01-30"
hash3 = "8a56b476d792983aea0199ee3226f0d04792b70a1c1f05f399cb6e4ce8a38761"
super_rule = 1
hash4 = "b2950f2e09f5356e985c38b284ea52175d21feee12e582d674c0da2233b1feb1"
hash1 = "126fbdcfed1dfb31865d4b18db2fb963f49df838bf66922fea0c37e06666aee1"
hash5 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
hash2 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
hash6 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
hash3 = "8a56b476d792983aea0199ee3226f0d04792b70a1c1f05f399cb6e4ce8a38761"
strings:
hash4 = "b2950f2e09f5356e985c38b284ea52175d21feee12e582d674c0da2233b1feb1"
$x1 = "Copyright (C) Microsoft Corporation. All rights reserved.(C) 2012" fullword wide
hash5 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
condition:
hash6 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
$x1
strings:
$x1 = "Copyright (C) Microsoft Corporation. All rights reserved.(C) 2012" fullword wide
condition:
$x1
}
}
rule Codoso_PGV_PVID_2 {
meta:
rule Codoso_PGV_PVID_2
description = "Detects Codoso APT PGV PVID Malware"
{
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
meta:
date = "2016-01-30"
description = "Detects Codoso APT PGV PVID Malware"
super_rule = 1
author = "Florian Roth"
hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
hash2 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
date = "2016-01-30"
hash3 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
super_rule = 1
strings:
hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
$s0 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost" fullword ascii
hash2 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
$s1 = "regsvr32.exe /s \"%s\"" fullword ascii
hash3 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
$s2 = "Help and Support" fullword ascii
$s3 = "netsvcs" fullword ascii
strings:
$s9 = "%SystemRoot%\\System32\\svchost.exe -k netsvcs" fullword ascii /* Goodware String - occured 4 times */
$s0 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost" fullword ascii
$s10 = "winlogon" fullword ascii /* Goodware String - occured 4 times */
$s1 = "regsvr32.exe /s \"%s\"" fullword ascii
$s11 = "System\\CurrentControlSet\\Services" fullword ascii /* Goodware String - occured 11 times */
$s2 = "Help and Support" fullword ascii
condition:
$s3 = "netsvcs" fullword ascii
uint16(0) == 0x5a4d and filesize < 907KB and all of them
$s9 = "%SystemRoot%\\System32\\svchost.exe -k netsvcs" fullword ascii /* Goodware String - occured 4 times */
$s10 = "winlogon" fullword ascii /* Goodware String - occured 4 times */
$s11 = "System\\CurrentControlSet\\Services" fullword ascii /* Goodware String - occured 11 times */
condition:
uint16(0) == 0x5a4d and filesize < 907KB and all of them
}
}
rule Codoso_PGV_PVID_1 {
meta:
rule Codoso_PGV_PVID_1
description = "Detects Codoso APT PGV PVID Malware"
{
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
meta:
date = "2016-01-30"
description = "Detects Codoso APT PGV PVID Malware"
super_rule = 1
author = "Florian Roth"
hash1 = "41a936b0d1fd90dffb2f6d0bcaf4ad0536f93ca7591f7b75b0cd1af8804d0824"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
hash2 = "58334eb7fed37e3104d8235d918aa5b7856f33ea52a74cf90a5ef5542a404ac3"
date = "2016-01-30"
hash3 = "934b87ddceabb2063b5e5bc4f964628fe0c63b63bb2346b105ece19915384fc7"
super_rule = 1
hash4 = "ce91ea20aa2e6af79508dd0a40ab0981f463b4d2714de55e66d228c579578266"
hash1 = "41a936b0d1fd90dffb2f6d0bcaf4ad0536f93ca7591f7b75b0cd1af8804d0824"
hash5 = "e770a298ae819bba1c70d0c9a2e02e4680d3cdba22d558d21caaa74e3970adf1"
hash2 = "58334eb7fed37e3104d8235d918aa5b7856f33ea52a74cf90a5ef5542a404ac3"
strings:
hash3 = "934b87ddceabb2063b5e5bc4f964628fe0c63b63bb2346b105ece19915384fc7"
$x1 = "Cookie: pgv_pvid=" ascii
hash4 = "ce91ea20aa2e6af79508dd0a40ab0981f463b4d2714de55e66d228c579578266"
$x2 = "DRIVERS\\ipinip.sys" fullword wide
hash5 = "e770a298ae819bba1c70d0c9a2e02e4680d3cdba22d558d21caaa74e3970adf1"
$s1 = "TsWorkSpaces.dll" fullword ascii
strings:
$s2 = "%SystemRoot%\\System32\\wiaservc.dll" fullword wide
$x1 = "Cookie: pgv_pvid=" ascii
$s3 = "/selfservice/microsites/search.php?%016I64d" fullword ascii
$x2 = "DRIVERS\\ipinip.sys" fullword wide
$s4 = "/solutions/company-size/smb/index.htm?%016I64d" fullword ascii
$s1 = "TsWorkSpaces.dll" fullword ascii
$s5 = "Microsoft Chart ActiveX Control" fullword wide
$s2 = "%SystemRoot%\\System32\\wiaservc.dll" fullword wide
$s6 = "MSChartCtrl.ocx" fullword wide
$s3 = "/selfservice/microsites/search.php?%016I64d" fullword ascii
$s7 = "{%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X}" fullword ascii
$s4 = "/solutions/company-size/smb/index.htm?%016I64d" fullword ascii
$s8 = "WUServiceMain" fullword ascii /* Goodware String - occured 2 times */
$s5 = "Microsoft Chart ActiveX Control" fullword wide
condition:
$s6 = "MSChartCtrl.ocx" fullword wide
( uint16(0) == 0x5a4d and ( 1 of ($x*) or 3 of them ) ) or
$s7 = "{%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X}" fullword ascii
5 of them
$s8 = "WUServiceMain" fullword ascii /* Goodware String - occured 2 times */
condition:
( uint16(0) == 0x5a4d and ( 1 of ($x*) or 3 of them ) ) or 5 of them
}
}
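Review bot: Several string literals in rule Codoso_Gh0st_1 are split across two lines in the shown text — for example `reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks` followed by a lone `"`, and `$s3 = "kavsvc` / `.exe" fullword ascii` — and because the `author` and `description` lines of that rule appear only once (as context would) they look like they are still present on the new side. YARA text strings cannot contain a raw newline, so if those breaks are in the file rather than an artifact of the rendered page, the whole ruleset fails to compile and none of the Codoso rules load. If that is the case, rejoining each literal onto a single line (`reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"`, `$s3 = "kavsvc.exe" fullword ascii`) would bring Codoso_Gh0st_1 in line with the rest of the file, which this commit otherwise normalises to the brace-on-its-own-line style. Unrelated to the restyle, the `description` of Codoso_PGV_PVID_4 still reads `Detects Codoso APT PlugX Malware` while the rule name and its hashes are the PGV_PVID family, which is worth correcting in the same pass.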