Commit
30e8c152
authored
Jan 23, 2017
by
Marc Rivero López
Committed by
GitHub
Jan 23, 2017
Update APT_OPCleaver.yar
parent
d910faf2
Showing
1 changed file
with
127 additions
and
9 deletions
+127
-9
APT_OPCleaver.yar
malware/APT_OPCleaver.yar
+127
-9
malware/APT_OPCleaver.yar
...
@@ -7,394 +7,472 @@ import "pe"
...
@@ -7,394 +7,472 @@ import "pe"
rule ZhoupinExploitCrew
rule ZhoupinExploitCrew
{
{
meta:
meta:
author = "Cylance"
author = "Cylance"
date = "2014-12-02"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
description = "http://cylance.com/opcleaver"
strings:
strings:
$s1 = "zhoupin exploit crew" nocase
$s1 = "zhoupin exploit crew" nocase
$s2 = "zhopin exploit crew" nocase
$s2 = "zhopin exploit crew" nocase
condition:
condition:
1 of them
1 of them
}
}
rule BackDoorLogger
: Backdoor APT
rule BackDoorLogger
{
{
meta:
meta:
author = "Cylance"
author = "Cylance"
date = "2014-12-02"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
description = "http://cylance.com/opcleaver"
strings:
strings:
$s1 = "BackDoorLogger"
$s1 = "BackDoorLogger"
$s2 = "zhuAddress"
$s2 = "zhuAddress"
condition:
condition:
all of them
all of them
}
}
rule Jasus
: APT
rule Jasus
{
{
meta:
meta:
author = "Cylance"
author = "Cylance"
date = "2014-12-02"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
description = "http://cylance.com/opcleaver"
strings:
strings:
$s1 = "pcap_dump_open"
$s1 = "pcap_dump_open"
$s2 = "Resolving IPs to poison..."
$s2 = "Resolving IPs to poison..."
$s3 = "WARNNING: Gateway IP can not be found"
$s3 = "WARNNING: Gateway IP can not be found"
condition:
condition:
all of them
all of them
}
}
rule LoggerModule
rule LoggerModule
{
{
meta:
meta:
author = "Cylance"
author = "Cylance"
date = "2014-12-02"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
description = "http://cylance.com/opcleaver"
strings:
strings:
$s1 = "%s-%02d%02d%02d%02d%02d.r"
$s1 = "%s-%02d%02d%02d%02d%02d.r"
$s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
$s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
condition:
condition:
all of them
all of them
}
}
rule NetC
rule NetC
{
{
meta:
meta:
author = "Cylance"
author = "Cylance"
date = "2014-12-02"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
description = "http://cylance.com/opcleaver"
strings:
strings:
$s1 = "NetC.exe" wide
$s1 = "NetC.exe" wide
$s2 = "Net Service"
$s2 = "Net Service"
condition:
condition:
all of them
all of them
}
}
rule ShellCreator2
rule ShellCreator2
{
{
meta:
meta:
author = "Cylance"
author = "Cylance"
date = "2014-12-02"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
description = "http://cylance.com/opcleaver"
strings:
strings:
$s1 = "ShellCreator2.Properties"
$s1 = "ShellCreator2.Properties"
$s2 = "set_IV"
$s2 = "set_IV"
condition:
condition:
all of them
all of them
}
}
rule SmartCopy2
rule SmartCopy2
{
{
meta:
meta:
author = "Cylance"
author = "Cylance"
date = "2014-12-02"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
description = "http://cylance.com/opcleaver"
strings:
strings:
$s1 = "SmartCopy2.Properties"
$s1 = "SmartCopy2.Properties"
$s2 = "ZhuFrameWork"
$s2 = "ZhuFrameWork"
condition:
condition:
all of them
all of them
}
}
rule SynFlooder
rule SynFlooder
{
{
meta:
meta:
author = "Cylance"
author = "Cylance"
date = "2014-12-02"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
description = "http://cylance.com/opcleaver"
strings:
strings:
$s1 = "Unable to resolve [ %s ]. ErrorCode %d"
$s1 = "Unable to resolve [ %s ]. ErrorCode %d"
$s2 = "your target's IP is : %s"
$s2 = "your target's IP is : %s"
$s3 = "Raw TCP Socket Created successfully."
$s3 = "Raw TCP Socket Created successfully."
condition:
condition:
all of them
all of them
}
}
rule TinyZBot
rule TinyZBot
{
{
meta:
meta:
author = "Cylance"
author = "Cylance"
date = "2014-12-02"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
description = "http://cylance.com/opcleaver"
strings:
strings:
$s1 = "NetScp" wide
$s1 = "NetScp" wide
$s2 = "TinyZBot.Properties.Resources.resources"
$s2 = "TinyZBot.Properties.Resources.resources"
$s3 = "Aoao WaterMark"
$s3 = "Aoao WaterMark"
$s4 = "Run_a_exe"
$s4 = "Run_a_exe"
$s5 = "netscp.exe"
$s5 = "netscp.exe"
$s6 = "get_MainModule_WebReference_DefaultWS"
$s6 = "get_MainModule_WebReference_DefaultWS"
$s7 = "remove_CheckFileMD5Completed"
$s7 = "remove_CheckFileMD5Completed"
$s8 = "http://tempuri.org/"
$s8 = "http://tempuri.org/"
$s9 = "Zhoupin_Cleaver"
$s9 = "Zhoupin_Cleaver"
condition:
condition:
($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or ($s9)
($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or ($s9)
}
}
rule antivirusdetector
: antivirus
rule antivirusdetector
{
{
meta:
meta:
author = "Cylance"
author = "Cylance"
date = "2014-12-02"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
description = "http://cylance.com/opcleaver"
strings:
strings:
$s1 = "getShadyProcess"
$s1 = "getShadyProcess"
$s2 = "getSystemAntiviruses"
$s2 = "getSystemAntiviruses"
$s3 = "AntiVirusDetector"
$s3 = "AntiVirusDetector"
condition:
condition:
all of them
all of them
}
}
rule csext
rule csext
{
{
meta:
meta:
author = "Cylance"
author = "Cylance"
date = "2014-12-02"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
description = "http://cylance.com/opcleaver"
strings:
strings:
$s1 = "COM+ System Extentions"
$s1 = "COM+ System Extentions"
$s2 = "csext.exe"
$s2 = "csext.exe"
$s3 = "COM_Extentions_bin"
$s3 = "COM_Extentions_bin"
condition:
condition:
all of them
all of them
}
}
rule kagent
rule kagent
{
{
meta:
meta:
author = "Cylance"
author = "Cylance"
date = "2014-12-02"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
description = "http://cylance.com/opcleaver"
strings:
strings:
$s1 = "kill command is in last machine, going back"
$s1 = "kill command is in last machine, going back"
$s2 = "message data length in B64: %d Bytes"
$s2 = "message data length in B64: %d Bytes"
condition:
condition:
all of them
all of them
}
}
rule mimikatzWrapper : Toolkit
rule mimikatzWrapper : Toolkit
{
{
meta:
meta:
author = "Cylance"
author = "Cylance"
date = "2014-12-02"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
description = "http://cylance.com/opcleaver"
strings:
strings:
$s1 = "mimikatzWrapper"
$s1 = "mimikatzWrapper"
$s2 = "get_mimikatz"
$s2 = "get_mimikatz"
condition:
condition:
all of them
all of them
}
}
rule pvz_in
rule pvz_in
{
{
meta:
meta:
author = "Cylance"
author = "Cylance"
date = "2014-12-02"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
description = "http://cylance.com/opcleaver"
strings:
strings:
$s1 = "LAST_TIME=00/00/0000:00:00PM$"
$s1 = "LAST_TIME=00/00/0000:00:00PM$"
$s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
$s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
condition:
condition:
all of them
all of them
}
}
rule pvz_out
rule pvz_out
{
{
meta:
meta:
author = "Cylance"
author = "Cylance"
date = "2014-12-02"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
description = "http://cylance.com/opcleaver"
strings:
strings:
$s1 = "Network Connectivity Module" wide
$s1 = "Network Connectivity Module" wide
$s2 = "OSPPSVC" wide
$s2 = "OSPPSVC" wide
condition:
condition:
all of them
all of them
}
}
rule wndTest
rule wndTest
{
{
meta:
meta:
author = "Cylance"
author = "Cylance"
date = "2014-12-02"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
description = "http://cylance.com/opcleaver"
strings:
strings:
$s1 = "[Alt]" wide
$s1 = "[Alt]" wide
$s2 = "<< %s >>:" wide
$s2 = "<< %s >>:" wide
$s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
$s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
condition:
condition:
all of them
all of them
}
}
rule zhCat
rule zhCat
{
{
meta:
meta:
author = "Cylance"
author = "Cylance"
date = "2014-12-02"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
description = "http://cylance.com/opcleaver"
strings:
strings:
$s1 = "zhCat -l -h -tp 1234"
$s1 = "zhCat -l -h -tp 1234"
$s2 = "ABC ( A Big Company )" wide
$s2 = "ABC ( A Big Company )" wide
condition:
condition:
all of them
all of them
}
}
rule zhLookUp
rule zhLookUp
{
{
meta:
meta:
author = "Cylance"
author = "Cylance"
date = "2014-12-02"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
description = "http://cylance.com/opcleaver"
strings:
strings:
$s1 = "zhLookUp.Properties"
$s1 = "zhLookUp.Properties"
condition:
condition:
all of them
all of them
}
}
rule zhmimikatz
: Toolkit
rule zhmimikatz
{
{
meta:
meta:
author = "Cylance"
author = "Cylance"
date = "2014-12-02"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
description = "http://cylance.com/opcleaver"
strings:
strings:
$s1 = "MimikatzRunner"
$s1 = "MimikatzRunner"
$s2 = "zhmimikatz"
$s2 = "zhmimikatz"
condition:
condition:
all of them
all of them
}
}
rule Zh0uSh311
rule Zh0uSh311
{
{
meta:
meta:
author = "Cylance"
author = "Cylance"
date = "2014-12-02"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
description = "http://cylance.com/opcleaver"
strings:
strings:
$s1 = "Zh0uSh311"
$s1 = "Zh0uSh311"
condition:
condition:
all of them
all of them
}
}
import "pe"
rule OPCLEAVER_BackDoorLogger
rule OPCLEAVER_BackDoorLogger
{
{
meta:
meta:
description = "Keylogger used by attackers in Operation Cleaver"
description = "Keylogger used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
date = "2014/12/02"
author = "Cylance Inc."
author = "Cylance Inc."
score = "70"
score = "70"
strings:
strings:
$s1 = "BackDoorLogger"
$s1 = "BackDoorLogger"
$s2 = "zhuAddress"
$s2 = "zhuAddress"
condition:
condition:
all of them
all of them
}
}
rule OPCLEAVER_Jasus
rule OPCLEAVER_Jasus
{
{
meta:
meta:
description = "ARP cache poisoner used by attackers in Operation Cleaver"
description = "ARP cache poisoner used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
date = "2014/12/02"
author = "Cylance Inc."
author = "Cylance Inc."
score = "70"
score = "70"
strings:
strings:
$s1 = "pcap_dump_open"
$s1 = "pcap_dump_open"
$s2 = "Resolving IPs to poison..."
$s2 = "Resolving IPs to poison..."
$s3 = "WARNNING: Gateway IP can not be found"
$s3 = "WARNNING: Gateway IP can not be found"
condition:
condition:
all of them
all of them
}
}
rule OPCLEAVER_LoggerModule
rule OPCLEAVER_LoggerModule
{
{
meta:
meta:
description = "Keylogger used by attackers in Operation Cleaver"
description = "Keylogger used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
date = "2014/12/02"
author = "Cylance Inc."
author = "Cylance Inc."
score = "70"
score = "70"
strings:
strings:
$s1 = "%s-%02d%02d%02d%02d%02d.r"
$s1 = "%s-%02d%02d%02d%02d%02d.r"
$s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
$s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
condition:
condition:
all of them
all of them
}
}
rule OPCLEAVER_NetC
rule OPCLEAVER_NetC
{
{
meta:
meta:
description = "Net Crawler used by attackers in Operation Cleaver"
description = "Net Crawler used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
date = "2014/12/02"
author = "Cylance Inc."
author = "Cylance Inc."
score = "70"
score = "70"
strings:
strings:
$s1 = "NetC.exe" wide
$s1 = "NetC.exe" wide
$s2 = "Net Service"
$s2 = "Net Service"
condition:
condition:
all of them
all of them
}
}
rule OPCLEAVER_ShellCreator2
rule OPCLEAVER_ShellCreator2
{
{
meta:
meta:
description = "Shell Creator used by attackers in Operation Cleaver to create ASPX web shells"
description = "Shell Creator used by attackers in Operation Cleaver to create ASPX web shells"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
date = "2014/12/02"
author = "Cylance Inc."
author = "Cylance Inc."
score = "70"
score = "70"
strings:
strings:
$s1 = "ShellCreator2.Properties"
$s1 = "ShellCreator2.Properties"
$s2 = "set_IV"
$s2 = "set_IV"
condition:
condition:
all of them
all of them
}
}
rule OPCLEAVER_SmartCopy2
rule OPCLEAVER_SmartCopy2
{
{
meta:
meta:
description = "Malware or hack tool used by attackers in Operation Cleaver"
description = "Malware or hack tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
date = "2014/12/02"
author = "Cylance Inc."
author = "Cylance Inc."
score = "70"
score = "70"
strings:
strings:
$s1 = "SmartCopy2.Properties"
$s1 = "SmartCopy2.Properties"
$s2 = "ZhuFrameWork"
$s2 = "ZhuFrameWork"
condition:
condition:
all of them
all of them
}
}
rule OPCLEAVER_SynFlooder
rule OPCLEAVER_SynFlooder
{
{
meta:
meta:
description = "Malware or hack tool used by attackers in Operation Cleaver"
description = "Malware or hack tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
date = "2014/12/02"
author = "Cylance Inc."
author = "Cylance Inc."
score = "70"
score = "70"
strings:
strings:
$s1 = "Unable to resolve [ %s ]. ErrorCode %d"
$s1 = "Unable to resolve [ %s ]. ErrorCode %d"
$s2 = "your target’s IP is : %s"
$s2 = "your target’s IP is : %s"
$s3 = "Raw TCP Socket Created successfully."
$s3 = "Raw TCP Socket Created successfully."
condition:
condition:
all of them
all of them
}
}
rule OPCLEAVER_TinyZBot
rule OPCLEAVER_TinyZBot
{
{
meta:
meta:
description = "Tiny Bot used by attackers in Operation Cleaver"
description = "Tiny Bot used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
date = "2014/12/02"
author = "Cylance Inc."
author = "Cylance Inc."
score = "70"
score = "70"
strings:
strings:
$s1 = "NetScp" wide
$s1 = "NetScp" wide
$s2 = "TinyZBot.Properties.Resources.resources"
$s2 = "TinyZBot.Properties.Resources.resources"
...
@@ -405,205 +483,245 @@ rule OPCLEAVER_TinyZBot
...
@@ -405,205 +483,245 @@ rule OPCLEAVER_TinyZBot
$s7 = "remove_CheckFileMD5Completed"
$s7 = "remove_CheckFileMD5Completed"
$s8 = "http://tempuri.org/"
$s8 = "http://tempuri.org/"
$s9 = "Zhoupin_Cleaver"
$s9 = "Zhoupin_Cleaver"
condition:
condition:
(($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or $s9)
(($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or $s9)
}
}
rule OPCLEAVER_ZhoupinExploitCrew
rule OPCLEAVER_ZhoupinExploitCrew
{
{
meta:
meta:
description = "Keywords used by attackers in Operation Cleaver"
description = "Keywords used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
date = "2014/12/02"
author = "Cylance Inc."
author = "Cylance Inc."
score = "70"
score = "70"
strings:
strings:
$s1 = "zhoupin exploit crew" nocase
$s1 = "zhoupin exploit crew" nocase
$s2 = "zhopin exploit crew" nocase
$s2 = "zhopin exploit crew" nocase
condition:
condition:
1 of them
1 of them
}
}
rule OPCLEAVER_antivirusdetector
rule OPCLEAVER_antivirusdetector
{
{
meta:
meta:
description = "Hack tool used by attackers in Operation Cleaver"
description = "Hack tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
date = "2014/12/02"
author = "Cylance Inc."
author = "Cylance Inc."
score = "70"
score = "70"
strings:
strings:
$s1 = "getShadyProcess"
$s1 = "getShadyProcess"
$s2 = "getSystemAntiviruses"
$s2 = "getSystemAntiviruses"
$s3 = "AntiVirusDetector"
$s3 = "AntiVirusDetector"
condition:
condition:
all of them
all of them
}
}
rule OPCLEAVER_csext
rule OPCLEAVER_csext
{
{
meta:
meta:
description = "Backdoor used by attackers in Operation Cleaver"
description = "Backdoor used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
date = "2014/12/02"
author = "Cylance Inc."
author = "Cylance Inc."
score = "70"
score = "70"
strings:
strings:
$s1 = "COM+ System Extentions"
$s1 = "COM+ System Extentions"
$s2 = "csext.exe"
$s2 = "csext.exe"
$s3 = "COM_Extentions_bin"
$s3 = "COM_Extentions_bin"
condition:
condition:
all of them
all of them
}
}
rule OPCLEAVER_kagent
rule OPCLEAVER_kagent
{
{
meta:
meta:
description = "Backdoor used by attackers in Operation Cleaver"
description = "Backdoor used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
date = "2014/12/02"
author = "Cylance Inc."
author = "Cylance Inc."
score = "70"
score = "70"
strings:
strings:
$s1 = "kill command is in last machine, going back"
$s1 = "kill command is in last machine, going back"
$s2 = "message data length in B64: %d Bytes"
$s2 = "message data length in B64: %d Bytes"
condition:
condition:
all of them
all of them
}
}
rule OPCLEAVER_mimikatzWrapper
rule OPCLEAVER_mimikatzWrapper
{
{
meta:
meta:
description = "Mimikatz Wrapper used by attackers in Operation Cleaver"
description = "Mimikatz Wrapper used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
date = "2014/12/02"
author = "Cylance Inc."
author = "Cylance Inc."
score = "70"
score = "70"
strings:
strings:
$s1 = "mimikatzWrapper"
$s1 = "mimikatzWrapper"
$s2 = "get_mimikatz"
$s2 = "get_mimikatz"
condition:
condition:
all of them
all of them
}
}
rule OPCLEAVER_pvz_in
rule OPCLEAVER_pvz_in
{
{
meta:
meta:
description = "Parviz tool used by attackers in Operation Cleaver"
description = "Parviz tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
date = "2014/12/02"
author = "Cylance Inc."
author = "Cylance Inc."
score = "70"
score = "70"
strings:
strings:
$s1 = "LAST_TIME=00/00/0000:00:00PM$"
$s1 = "LAST_TIME=00/00/0000:00:00PM$"
$s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
$s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
condition:
condition:
all of them
all of them
}
}
rule OPCLEAVER_pvz_out
rule OPCLEAVER_pvz_out
{
{
meta:
meta:
description = "Parviz tool used by attackers in Operation Cleaver"
description = "Parviz tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
date = "2014/12/02"
author = "Cylance Inc."
author = "Cylance Inc."
score = "70"
score = "70"
strings:
strings:
$s1 = "Network Connectivity Module" wide
$s1 = "Network Connectivity Module" wide
$s2 = "OSPPSVC" wide
$s2 = "OSPPSVC" wide
condition:
condition:
all of them
all of them
}
}
rule OPCLEAVER_wndTest
rule OPCLEAVER_wndTest
{
{
meta:
meta:
description = "Backdoor used by attackers in Operation Cleaver"
description = "Backdoor used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
date = "2014/12/02"
author = "Cylance Inc."
author = "Cylance Inc."
score = "70"
score = "70"
strings:
strings:
$s1 = "[Alt]" wide
$s1 = "[Alt]" wide
$s2 = "<< %s >>:" wide
$s2 = "<< %s >>:" wide
$s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
$s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
condition:
condition:
all of them
all of them
}
}
rule OPCLEAVER_zhCat
rule OPCLEAVER_zhCat
{
{
meta:
meta:
description = "Network tool used by Iranian hackers and used by attackers in Operation Cleaver"
description = "Network tool used by Iranian hackers and used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
date = "2014/12/02"
author = "Cylance Inc."
author = "Cylance Inc."
score = "70"
score = "70"
strings:
strings:
$s1 = "Mozilla/4.0 ( compatible; MSIE 7.0; AOL 8.0 )" ascii fullword
$s1 = "Mozilla/4.0 ( compatible; MSIE 7.0; AOL 8.0 )" ascii fullword
$s2 = "ABC ( A Big Company )" wide fullword
$s2 = "ABC ( A Big Company )" wide fullword
condition:
condition:
all of them
all of them
}
}
rule OPCLEAVER_zhLookUp
rule OPCLEAVER_zhLookUp
{
{
meta:
meta:
description = "Hack tool used by attackers in Operation Cleaver"
description = "Hack tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
date = "2014/12/02"
author = "Cylance Inc."
author = "Cylance Inc."
score = "70"
score = "70"
strings:
strings:
$s1 = "zhLookUp.Properties"
$s1 = "zhLookUp.Properties"
condition:
condition:
all of them
all of them
}
}
rule OPCLEAVER_zhmimikatz
rule OPCLEAVER_zhmimikatz
{
{
meta:
meta:
description = "Mimikatz wrapper used by attackers in Operation Cleaver"
description = "Mimikatz wrapper used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
date = "2014/12/02"
author = "Cylance Inc."
author = "Cylance Inc."
score = "70"
score = "70"
strings:
strings:
$s1 = "MimikatzRunner"
$s1 = "MimikatzRunner"
$s2 = "zhmimikatz"
$s2 = "zhmimikatz"
condition:
condition:
all of them
all of them
}
}
rule OPCLEAVER_Parviz_Developer
rule OPCLEAVER_Parviz_Developer
{
{
meta:
meta:
description = "Parviz developer known from Operation Cleaver"
description = "Parviz developer known from Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
date = "2014/12/02"
author = "Florian Roth"
author = "Florian Roth"
score = "70"
score = "70"
strings:
strings:
$s1 = "Users\\parviz\\documents\\" nocase
$s1 = "Users\\parviz\\documents\\" nocase
condition:
condition:
$s1
$s1
}
}
rule OPCLEAVER_CCProxy_Config
rule OPCLEAVER_CCProxy_Config
{
{
meta:
meta:
description = "CCProxy config known from Operation Cleaver"
description = "CCProxy config known from Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
date = "2014/12/02"
author = "Florian Roth"
author = "Florian Roth"
score = "70"
score = "70"
strings:
strings:
$s1 = "UserName=User-001" fullword ascii
$s1 = "UserName=User-001" fullword ascii
$s2 = "Web=1" fullword ascii
$s2 = "Web=1" fullword ascii
$s3 = "Mail=1" fullword ascii
$s3 = "Mail=1" fullword ascii
$s4 = "FTP=0" fullword ascii
$s4 = "FTP=0" fullword ascii
$x1 = "IPAddressLow=78.109.194.114" fullword ascii
$x1 = "IPAddressLow=78.109.194.114" fullword ascii
condition:
condition:
all of ($s*) or $x1
all of ($s*) or $x1
}
}
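Review bot: `OPCLEAVER_SynFlooder`'s `$s2` in the new rule set uses a typographic right single quote (`’`) in "your target’s IP is : %s", while the pre-existing `SynFlooder` rule matches the same string with an ASCII apostrophe; because the new rule's condition is `all of them`, a sample carrying the ASCII form will never trigger it and the miss is silent until the rule is tested against a known sample, so the line should read `$s2 = "your target's IP is : %s"`. The file now also appears to carry every Cylance signature twice (for example `BackDoorLogger` and `OPCLEAVER_BackDoorLogger` with identical strings and conditions), which produces two hits per sample and means any future string correction has to be applied in both places; consider keeping one set or turning the unprefixed names into aliases of the `OPCLEAVER_*` rules. A second `import "pe"` sits between the two sets even though the hunk header shows the module already imported at line 7, and no visible rule references `pe.*`; the duplicate is presumably tolerated by current YARA but is worth removing. Both hunks omit lines (the `...` markers), so rules outside the visible range were not checked for the same apostrophe issue.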