Additional rules #145

Additional rules #145

malware/APT_Stuxnet.yar

+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule StuxNet_Malware_1 {
+	meta:
+		description = "Stuxnet Sample - file malware.exe"
+		author = "Florian Roth"
+		reference = "Internal Research"
+		date = "2016-07-09"
+		hash1 = "9c891edb5da763398969b6aaa86a5d46971bd28a455b20c2067cb512c9f9a0f8"
+	strings:
+		 // 0x10001778 8b 45 08  mov     eax, dword ptr [ebp + 8]
+		 // 0x1000177b 35 dd 79 19 ae    xor     eax, 0xae1979dd
+		 // 0x10001780 33 c9     xor     ecx, ecx
+		 // 0x10001782 8b 55 08  mov     edx, dword ptr [ebp + 8]
+		 // 0x10001785 89 02     mov     dword ptr [edx], eax
+		 // 0x10001787 89 ?? ??  mov     dword ptr [edx + 4], ecx
+		 $op1 = { 8b 45 08 35 dd 79 19 ae 33 c9 8b 55 08 89 02 89 }
+		 // 0x10002045 74 36     je      0x1000207d
+		 // 0x10002047 8b 7f 08  mov     edi, dword ptr [edi + 8]
+		 // 0x1000204a 83 ff 00  cmp     edi, 0
+		 // 0x1000204d 74 2e     je      0x1000207d
+		 // 0x1000204f 0f b7 1f  movzx   ebx, word ptr [edi]
+		 // 0x10002052 8b 7f 04  mov     edi, dword ptr [edi + 4]
+		 $op2 = { 74 36 8b 7f 08 83 ff 00 74 2e 0f b7 1f 8b 7f 04 }
+		 // 0x100020cf 74 70     je      0x10002141
+		 // 0x100020d1 81 78 05 8d 54 24 04      cmp     dword ptr [eax + 5], 0x424548d
+		 // 0x100020d8 75 1b     jne     0x100020f5
+		 // 0x100020da 81 78 08 04 cd ?? ??      cmp     dword ptr [eax + 8], 0xc22ecd04
+		 $op3 = { 74 70 81 78 05 8d 54 24 04 75 1b 81 78 08 04 cd }
+	condition:
+		all of them
+}
+
+rule Stuxnet_Malware_2 {
+	meta:
+		description = "Stuxnet Sample - file 63e6b8136058d7a06dfff4034b4ab17a261cdf398e63868a601f77ddd1b32802"
+		author = "Florian Roth"
+		reference = "Internal Research"
+		date = "2016-07-09"
+		hash1 = "63e6b8136058d7a06dfff4034b4ab17a261cdf398e63868a601f77ddd1b32802"
+	strings:
+		$s1 = "\\SystemRoot\\System32\\hal.dll" fullword wide
+		$s2 = "http://www.jmicron.co.tw0" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 70KB and all of them
+}
+
+rule StuxNet_dll {
+	meta:
+		description = "Stuxnet Sample - file dll.dll"
+		author = "Florian Roth"
+		reference = "Internal Research"
+		date = "2016-07-09"
+		hash1 = "9e392277f62206098cf794ddebafd2817483cfd57ec03c2e05e7c3c81e72f562"
+	strings:
+		$s1 = "SUCKM3 FROM EXPLORER.EXE MOTH4FUCKA #@!" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 100KB and $s1
+}
+
+rule Stuxnet_Shortcut_to {
+	meta:
+		description = "Stuxnet Sample - file Copy of Shortcut to.lnk"
+		author = "Florian Roth"
+		reference = "Internal Research"
+		date = "2016-07-09"
+		hash1 = "801e3b6d84862163a735502f93b9663be53ccbdd7f12b0707336fecba3a829a2"
+	strings:
+		$x1 = "\\\\.\\STORAGE#Volume#_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP#5B6B098B97BE&0#{53f56307-b6bf-11d0-94f2-00a0c" wide
+	condition:
+		uint16(0) == 0x004c and filesize < 10KB and $x1
+}
+
+rule Stuxnet_Malware_3 {
+	meta:
+		description = "Stuxnet Sample - file ~WTR4141.tmp"
+		author = "Florian Roth"
+		reference = "Internal Research"
+		date = "2016-07-09"
+		hash1 = "6bcf88251c876ef00b2f32cf97456a3e306c2a263d487b0a50216c6e3cc07c6a"
+		hash2 = "70f8789b03e38d07584f57581363afa848dd5c3a197f2483c6dfa4f3e7f78b9b"
+	strings:
+		$x1 = "SHELL32.DLL.ASLR." fullword wide
+
+		$s1 = "~WTR4141.tmp" fullword wide
+		$s2 = "~WTR4132.tmp" fullword wide
+		$s3 = "totalcmd.exe" fullword wide
+		$s4 = "wincmd.exe" fullword wide
+		$s5 = "http://www.realtek.com0" fullword ascii
+		$s6 = "{%08x-%08x-%08x-%08x}" fullword wide
+	condition:
+		( uint16(0) == 0x5a4d and filesize < 150KB and ( $x1 or 3 of ($s*) ) ) or ( 5 of them )
+}
+
+rule Stuxnet_Malware_4 {
+	meta:
+		description = "Stuxnet Sample - file 0d8c2bcb575378f6a88d17b5f6ce70e794a264cdc8556c8e812f0b5f9c709198"
+		author = "Florian Roth"
+		reference = "Internal Research"
+		date = "2016-07-09"
+		hash1 = "0d8c2bcb575378f6a88d17b5f6ce70e794a264cdc8556c8e812f0b5f9c709198"
+		hash2 = "1635ec04f069ccc8331d01fdf31132a4bc8f6fd3830ac94739df95ee093c555c"
+	strings:
+		$x1 = "\\objfre_w2k_x86\\i386\\guava.pdb" ascii
+		$x2 = "MRxCls.sys" fullword wide
+		$x3 = "MRXNET.Sys" fullword wide
+	condition:
+		( uint16(0) == 0x5a4d and filesize < 80KB and 1 of them ) or ( all of them )
+}
+
+rule Stuxnet_maindll_decrypted_unpacked {
+	meta:
+		description = "Stuxnet Sample - file maindll.decrypted.unpacked.dll_"
+		author = "Florian Roth"
+		reference = "Internal Research"
+		date = "2016-07-09"
+		hash1 = "4c3d7b38339d7b8adf73eaf85f0eb9fab4420585c6ab6950ebd360428af11712"
+	strings:
+		$s1 = "%SystemRoot%\\system32\\Drivers\\mrxsmb.sys;%SystemRoot%\\system32\\Drivers\\*.sys" fullword wide
+		$s2 = "<Actions Context=\"%s\"><Exec><Command>%s</Command><Arguments>%s,#%u</Arguments></Exec></Actions>" fullword wide
+		$s3 = "%SystemRoot%\\inf\\oem7A.PNF" fullword wide
+		$s4 = "%SystemRoot%\\inf\\mdmcpq3.PNF" fullword wide
+		$s5 = "%SystemRoot%\\inf\\oem6C.PNF" fullword wide
+		$s6 = "@abf varbinary(4096) EXEC @hr = sp_OACreate 'ADODB.Stream', @aods OUT IF @hr <> 0 GOTO endq EXEC @hr = sp_OASetProperty @" wide
+		$s7 = "STORAGE#Volume#1&19f7e59c&0&" fullword wide
+		$s8 = "view MCPVREADVARPERCON as select VARIABLEID,VARIABLETYPEID,FORMATFITTING,SCALEID,VARIABLENAME,ADDRESSPARAMETER,PROTOKOLL,MAXLIMI" ascii
+	condition:
+		 6 of them
+}
+
+rule Stuxnet_s7hkimdb {
+	meta:
+		description = "Stuxnet Sample - file s7hkimdb.dll"
+		author = "Florian Roth"
+		reference = "Internal Research"
+		date = "2016-07-09"
+		hash1 = "4071ec265a44d1f0d42ff92b2fa0b30aafa7f6bb2160ed1d0d5372d70ac654bd"
+	strings:
+		$x1 = "S7HKIMDX.DLL" fullword wide
+
+		/* Opcodes by Binar.ly */
+
+		// 0x10001778 8b 45 08  mov     eax, dword ptr [ebp + 8]
+		// 0x1000177b 35 dd 79 19 ae    xor     eax, 0xae1979dd
+		// 0x10001780 33 c9     xor     ecx, ecx
+		// 0x10001782 8b 55 08  mov     edx, dword ptr [ebp + 8]
+		// 0x10001785 89 02     mov     dword ptr [edx], eax
+		// 0x10001787 89 ?? ??  mov     dword ptr [edx + 4], ecx
+		$op1 = { 8b 45 08 35 dd 79 19 ae 33 c9 8b 55 08 89 02 89 }
+		// 0x10002045 74 36     je      0x1000207d
+		// 0x10002047 8b 7f 08  mov     edi, dword ptr [edi + 8]
+		// 0x1000204a 83 ff 00  cmp     edi, 0
+		// 0x1000204d 74 2e     je      0x1000207d
+		// 0x1000204f 0f b7 1f  movzx   ebx, word ptr [edi]
+		// 0x10002052 8b 7f 04  mov     edi, dword ptr [edi + 4]
+		$op2 = { 74 36 8b 7f 08 83 ff 00 74 2e 0f b7 1f 8b 7f 04 }
+		// 0x100020cf 74 70     je      0x10002141
+		// 0x100020d1 81 78 05 8d 54 24 04      cmp     dword ptr [eax + 5], 0x424548d
+		// 0x100020d8 75 1b     jne     0x100020f5
+		// 0x100020da 81 78 08 04 cd ?? ??      cmp     dword ptr [eax + 8], 0xc22ecd04
+		$op3 = { 74 70 81 78 05 8d 54 24 04 75 1b 81 78 08 04 cd }
+
+	condition:
+		( uint16(0) == 0x5a4d and filesize < 40KB and $x1 and all of ($op*) )
+}

malware/APT_fancybear_dnc.yar

+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule COZY_FANCY_BEAR_Hunt {
+	meta:
+		description = "Detects Cozy Bear / Fancy Bear C2 Server IPs"
+		author = "Florian Roth"
+		reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
+		date = "2016-06-14"
+	strings:
+		$s1 = "185.100.84.134" ascii wide fullword
+		$s2 = "58.49.58.58" ascii wide fullword
+		$s3 = "218.1.98.203" ascii wide fullword
+		$s4 = "187.33.33.8" ascii wide fullword
+		$s5 = "185.86.148.227" ascii wide fullword
+		$s6 = "45.32.129.185" ascii wide fullword
+		$s7 = "23.227.196.217" ascii wide fullword
+	condition:
+		uint16(0) == 0x5a4d and 1 of them
+}
+
+rule COZY_FANCY_BEAR_pagemgr_Hunt {
+	meta:
+		description = "Detects a pagemgr.exe as mentioned in the CrowdStrike report"
+		author = "Florian Roth"
+		reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
+		date = "2016-06-14"
+	strings:
+		$s1 = "pagemgr.exe" wide fullword
+	condition:
+		uint16(0) == 0x5a4d and 1 of them
+}
+
+rule COZY_FANCY_BEAR_modified_VmUpgradeHelper {
+	meta:
+		description = "Detects a malicious VmUpgradeHelper.exe as mentioned in the CrowdStrike report"
+		author = "Florian Roth"
+		reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
+		date = "2016-06-14"
+	strings:
+		$s1 = "VMware, Inc." wide fullword
+		$s2 = "Virtual hardware upgrade helper service" fullword wide
+		$s3 = "vmUpgradeHelper\\vmUpgradeHelper.pdb" ascii
+	condition:
+		uint16(0) == 0x5a4d and
+		filename == "VmUpgradeHelper.exe" and
+		not all of ($s*)
+}

malware/APT_furtim.yar

+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule Furtim_nativeDLL {
+	meta:
+		description = "Detects Furtim malware - file native.dll"
+		author = "Florian Roth"
+		reference = "MISP 3971"
+		date = "2016-06-13"
+		hash1 = "4f39d3e70ed1278d5fa83ed9f148ca92383ec662ac34635f7e56cc42eeaee948"
+	strings:
+		$s1 = "FqkVpTvBwTrhPFjfFF6ZQRK44hHl26" fullword ascii
+
+		$op0 = { e0 b3 42 00 c7 84 24 ac } /* Opcode */
+		$op1 = { a1 e0 79 44 00 56 ff 90 10 01 00 00 a1 e0 79 44 } /* Opcode */
+		$op2 = { bf d0 25 44 00 57 89 4d f0 ff 90 d4 02 00 00 59 } /* Opcode */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 900KB and $s1 or all of ($op*)
+}
+
+rule Furtim_Parent_1 {
+	meta:
+		description = "Detects Furtim Parent Malware"
+		author = "Florian Roth"
+		reference = "https://sentinelone.com/blogs/sfg-furtims-parent/"
+		date = "2016-07-16"
+		hash1 = "766e49811c0bb7cce217e72e73a6aa866c15de0ba11d7dda3bd7e9ec33ed6963"
+	strings:
+		/* RC4 encryption password */
+		$x1 = "dqrChZonUF" fullword ascii
+		/* Other strings */
+		$s1 = "Egistec" fullword wide
+		$s2 = "Copyright (C) 2016" fullword wide
+		/* Op Code */
+		$op1 = { c0 ea 02 88 55 f8 8a d1 80 e2 03 }
+		$op2 = { 5d fe 88 55 f9 8a d0 80 e2 0f c0 }
+		$op3 = { c4 0c 8a d9 c0 eb 02 80 e1 03 88 5d f8 8a d8 c0 }
+	condition:
+		( uint16(0) == 0x5a4d and filesize < 900KB and
+		( $x1 or ( all of ($s*) and all of ($op*) ) ) ) or
+		all of them
+}

malware/MALW_Miscelanea.yar

@@ -638,3 +638,49 @@ $my_hex_string2 = {89 45 E8 3B 7D E8 7C 0F 8B 45 E8 05 FF 00 00 00 2B C7 89 45 E
  condition:
 $my_hex_string and $my_hex_string2
 }
+
+
+rule Typical_Malware_String_Transforms {
+	meta:
+		description = "Detects typical strings in a reversed or otherwise modified form"
+		author = "Florian Roth"
+		reference = "Internal Research"
+		date = "2016-07-31"
+		score = 60
+	strings:
+		/* Executables */
+		$e1 = "exe.tsohcvs" fullword ascii
+		$e2 = "exe.ssasl" fullword ascii
+		$e3 = "exe.rerolpxe" fullword ascii
+		$e4 = "exe.erolpxei" fullword ascii
+		$e5 = "exe.23lldnur" fullword ascii
+		$e6 = "exe.dmc" fullword ascii
+		$e7 = "exe.llikksat" fullword ascii
+
+		/* Libraries */
+		$l1 = "lld.23lenreK" fullword ascii
+		$l2 = "lld.ESABLENREK" fullword ascii
+		$l3 = "lld.esabtpyrc" fullword ascii
+		$l4 = "lld.trcvsm" fullword ascii
+		$l5 = "LLD.LLDTN" fullword ascii
+
+		/* Imports */
+		$i1 = "paeHssecorPteG" fullword ascii
+		$i2 = "sserddAcorPteG" fullword ascii
+		$i3 = "AyrarbiLdaoL" fullword ascii
+
+		/* Registry */
+		$r1 = "teSlortnoCtnerruC" fullword ascii
+		$r2 = "nuR\\noisreVtnerruC" fullword ascii
+
+		/* Folders */
+		$f1 = "\\23metsys\\" ascii
+		$f2 = "\\23metsyS\\" ascii
+		$f3 = "niB.elcyceR$" fullword ascii
+		$f4 = "%tooRmetsyS%" fullword ascii
+
+		/* False Positives */
+		$fp1 = "Application Impact Telemetry Static Analyzer" fullword wide
+	condition:
+		( uint16(0) == 0x5a4d and 1 of them and not 1 of ($fp*) )
+}