4d2b6850
Commit
4d2b6850
authored
8 years ago
by
Marc Rivero López
Committed by
GitHub
8 years ago
Update APT_OpPotao.yar
parent
454726b2
master
Showing
1 changed file
with
14 additions
and
5 deletions
+14
-5
APT_OpPotao.yar
malware/APT_OpPotao.yar
+14
-5
malware/APT_OpPotao.yar
@@ -33,32 +33,34 @@
@@ -33,32 +33,34 @@
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
//
//
private rule PotaoDecoy
private rule PotaoDecoy
{
{
strings:
strings:
$mz = { 4d 5a }
$mz = { 4d 5a }
$str1 = "eroqw11"
$str1 = "eroqw11"
$str2 = "2sfsdf"
$str2 = "2sfsdf"
$str3 = "RtlDecompressBuffer"
$str3 = "RtlDecompressBuffer"
$wiki_str = "spanned more than 100 years and ruined three consecutive" wide
$wiki_str = "spanned more than 100 years and ruined three consecutive" wide
$old_ver1 = {53 68 65 6C 6C 33 32 2E 64 6C 6C 00 64 61 66 73 72 00 00 00 64 61 66 73 72 00 00 00 64 6F 63 (00 | 78)}
$old_ver1 = {53 68 65 6C 6C 33 32 2E 64 6C 6C 00 64 61 66 73 72 00 00 00 64 61 66 73 72 00 00 00 64 6F 63 (00 | 78)}
$old_ver2 = {6F 70 65 6E 00 00 00 00 64 6F 63 00 64 61 66 73 72 00 00 00 53 68 65 6C 6C 33 32 2E 64 6C 6C 00}
$old_ver2 = {6F 70 65 6E 00 00 00 00 64 6F 63 00 64 61 66 73 72 00 00 00 53 68 65 6C 6C 33 32 2E 64 6C 6C 00}
condition:
condition:
($mz at 0) and ( (all of ($str*)) or any of ($old_ver*) or $wiki_str )
($mz at 0) and ( (all of ($str*)) or any of ($old_ver*) or $wiki_str )
}
}
private rule PotaoDll
private rule PotaoDll
{
{
strings:
strings:
$mz = { 4d 5a }
$mz = { 4d 5a }
$dllstr1 = "?AVCncBuffer@@"
$dllstr1 = "?AVCncBuffer@@"
$dllstr2 = "?AVCncRequest@@"
$dllstr2 = "?AVCncRequest@@"
$dllstr3 = "Petrozavodskaya, 11, 9"
$dllstr3 = "Petrozavodskaya, 11, 9"
$dllstr4 = "_Scan@0"
$dllstr4 = "_Scan@0"
$dllstr5 = "\x00/sync/document/"
$dllstr5 = "\x00/sync/document/"
$dllstr6 = "\\temp.temp"
$dllstr6 = "\\temp.temp"
$dllname1 = "node69MainModule.dll"
$dllname1 = "node69MainModule.dll"
$dllname2 = "node69-main.dll"
$dllname2 = "node69-main.dll"
$dllname3 = "node69MainModuleD.dll"
$dllname3 = "node69MainModuleD.dll"
@@ -69,21 +71,25 @@ private rule PotaoDll
@@ -69,21 +71,25 @@ private rule PotaoDll
$dllname8 = "KeyLog2Runner.dll"
$dllname8 = "KeyLog2Runner.dll"
$dllname9 = "GetAllSystemInfo.dll"
$dllname9 = "GetAllSystemInfo.dll"
$dllname10 = "FilePathStealer.dll"
$dllname10 = "FilePathStealer.dll"
condition:
condition:
($mz at 0) and (any of ($dllstr*) and any of ($dllname*))
($mz at 0) and (any of ($dllstr*) and any of ($dllname*))
}
}
private rule PotaoUSB
private rule PotaoUSB
{
{
strings:
strings:
$mz = { 4d 5a }
$mz = { 4d 5a }
$binary1 = { 33 C0 8B C8 83 E1 03 BA ?? ?? ?? 00 2B D1 8A 0A 32 88 ?? ?? ?? 00 2A C8 FE C9 88 88 ?? ?? ?? 00 40 3D ?? ?? 00 00 7C DA C3 }
$binary1 = { 33 C0 8B C8 83 E1 03 BA ?? ?? ?? 00 2B D1 8A 0A 32 88 ?? ?? ?? 00 2A C8 FE C9 88 88 ?? ?? ?? 00 40 3D ?? ?? 00 00 7C DA C3 }
$binary2 = { 55 8B EC 51 56 C7 45 FC 00 00 00 00 EB 09 8B 45 FC 83 C0 01 89 45 FC 81 7D FC ?? ?? 00 00 7D 3D 8B 4D FC 0F BE 89 ?? ?? ?? 00 8B 45 FC 33 D2 BE 04 00 00 00 F7 F6 B8 03 00 00 00 2B C2 0F BE 90 ?? ?? ?? 00 33 CA 2B 4D FC 83 E9 01 81 E1 FF 00 00 00 8B 45 FC 88 88 ?? ?? ?? 00 EB B1 5E 8B E5 5D C3}
$binary2 = { 55 8B EC 51 56 C7 45 FC 00 00 00 00 EB 09 8B 45 FC 83 C0 01 89 45 FC 81 7D FC ?? ?? 00 00 7D 3D 8B 4D FC 0F BE 89 ?? ?? ?? 00 8B 45 FC 33 D2 BE 04 00 00 00 F7 F6 B8 03 00 00 00 2B C2 0F BE 90 ?? ?? ?? 00 33 CA 2B 4D FC 83 E9 01 81 E1 FF 00 00 00 8B 45 FC 88 88 ?? ?? ?? 00 EB B1 5E 8B E5 5D C3}
condition:
condition:
($mz at 0) and any of ($binary*)
($mz at 0) and any of ($binary*)
}
}
private rule PotaoSecondStage
private rule PotaoSecondStage
{
{
strings:
strings:
$mz = { 4d 5a }
$mz = { 4d 5a }
// hash of CryptBinaryToStringA and CryptStringToBinaryA
// hash of CryptBinaryToStringA and CryptStringToBinaryA
@@ -91,14 +97,16 @@ private rule PotaoSecondStage
@@ -91,14 +97,16 @@ private rule PotaoSecondStage
// old hash of CryptBinaryToStringA and CryptStringToBinaryA
// old hash of CryptBinaryToStringA and CryptStringToBinaryA
$binary2 = {5F 21 63 DD [10-30] EC FD 33 02}
$binary2 = {5F 21 63 DD [10-30] EC FD 33 02}
$binary3 = {CA 77 67 57 [10-30] BA 08 20 7A}
$binary3 = {CA 77 67 57 [10-30] BA 08 20 7A}
$str1 = "?AVCrypt32Import@@"
$str1 = "?AVCrypt32Import@@"
$str2 = "%.5llx"
$str2 = "%.5llx"
condition:
condition:
($mz at 0) and any of ($binary*) and any of ($str*)
($mz at 0) and any of ($binary*) and any of ($str*)
}
}
rule Potao
rule Potao
{
{
meta:
meta:
Author = "Anton Cherepanov"
Author = "Anton Cherepanov"
Date = "2015/07/29"
Date = "2015/07/29"
@@ -107,6 +115,7 @@ rule Potao
@@ -107,6 +115,7 @@ rule Potao
Source = "https://github.com/eset/malware-ioc/"
Source = "https://github.com/eset/malware-ioc/"
Contact = "threatintel@eset.com"
Contact = "threatintel@eset.com"
License = "BSD 2-Clause"
License = "BSD 2-Clause"
condition:
condition:
PotaoDecoy or PotaoDll or PotaoUSB or PotaoSecondStage
PotaoDecoy or PotaoDll or PotaoUSB or PotaoSecondStage
}
}
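Review bot: Every private rule gates on `$mz at 0` with `$mz = { 4d 5a }`, which makes YARA scan the entire file for a two-byte atom only to check the first two bytes; the idiomatic and cheaper form is to drop the `$mz` string and test the header directly in the condition, e.g. for PotaoDecoy `uint16(0) == 0x5A4D and ( (all of ($str*)) or any of ($old_ver*) or $wiki_str )`, and likewise in PotaoDll, PotaoUSB and PotaoSecondStage. In PotaoDecoy, `all of ($str*)` does not cover `$wiki_str` because the wildcard is a prefix match, which looks intended since `$wiki_str` is OR'd separately, but a one-line comment such as `// $wiki_str is deliberately outside the $str* group` would stop a later rename from silently pulling it into the `all of` clause. Which of these lines the commit itself adds cannot be told apart from context in this rendering, so these points are raised against the new side as a whole.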