Commit 5da0f19b by Marc Rivero López Committed by GitHub

Update APT_PutterPanda.yar

parent 65201289
......@@ -2,7 +2,10 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule APT_Malware_PutterPanda_Rel {
rule APT_Malware_PutterPanda_Rel
{
meta:
description = "Detects an APT malware related to PutterPanda"
author = "Florian Roth"
......@@ -10,10 +13,10 @@ rule APT_Malware_PutterPanda_Rel {
reference = "VT Analysis"
date = "2015-06-03"
hash = "5367e183df155e3133d916f7080ef973f7741d34"
strings:
$x0 = "app.stream-media.net" fullword ascii /* score: '12.03' */
$x1 = "File %s does'nt exist or is forbidden to acess!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '16.035' */
$s6 = "GetProcessAddresss of pHttpQueryInfoA Failed!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '32.02' */
$s7 = "Connect %s error!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '16.04' */
$s9 = "Download file %s successfully!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.03' */
......@@ -24,12 +27,15 @@ rule APT_Malware_PutterPanda_Rel {
$s18 = "File %s a Non-Pe File" fullword ascii /* score: '8.04' */
$s19 = "SendRequset error!" fullword ascii /* score: '8.04' */
$s20 = "filelist[%d]=%s" fullword ascii /* score: '7.015' */
condition:
( uint16(0) == 0x5a4d and 1 of ($x*) ) or ( 4 of ($s*) )
}
rule APT_Malware_PutterPanda_Rel_2 {
rule APT_Malware_PutterPanda_Rel_2
{
meta:
description = "APT Malware related to PutterPanda Group"
author = "Florian Roth"
......@@ -37,6 +43,7 @@ rule APT_Malware_PutterPanda_Rel_2 {
reference = "VT Analysis"
date = "2015-06-03"
hash = "f97e01ee04970d1fc4d988a9e9f0f223ef2a6381"
strings:
$s0 = "http://update.konamidata.com/test/zl/sophos/td/result/rz.dat?" fullword ascii /* PEStudio Blacklist: strings */ /* score: '28.01' */
$s1 = "http://update.konamidata.com/test/zl/sophos/td/index.dat?" fullword ascii /* PEStudio Blacklist: strings */ /* score: '28.01' */
......@@ -54,11 +61,14 @@ rule APT_Malware_PutterPanda_Rel_2 {
$s13 = "down file success" fullword ascii /* score: '7.035' */
$s15 = "error!" fullword ascii /* score: '6.04' */
$s18 = "Avaliable data:%u bytes" fullword ascii /* score: '5.025' */
condition:
uint16(0) == 0x5a4d and 6 of them
}
rule APT_Malware_PutterPanda_PSAPI {
rule APT_Malware_PutterPanda_PSAPI
{
meta:
description = "Detects a malware related to Putter Panda"
author = "Florian Roth"
......@@ -66,17 +76,21 @@ rule APT_Malware_PutterPanda_PSAPI {
reference = "VT Analysis"
date = "2015-06-03"
hash = "f93a7945a33145bb6c106a51f08d8f44eab1cdf5"
strings:
$s0 = "LOADER ERROR" fullword ascii /* PEStudio Blacklist: strings */ /* score: '12.03' */
$s1 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii /* PEStudio Blacklist: strings */ /* score: '8.045' */
$s2 = "psapi.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 54 times */
$s3 = "urlmon.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 471 times */
$s4 = "WinHttpGetProxyForUrl" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 179 times */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
rule APT_Malware_PutterPanda_WUAUCLT {
rule APT_Malware_PutterPanda_WUAUCLT
{
meta:
description = "Detects a malware related to Putter Panda"
author = "Florian Roth"
......@@ -84,11 +98,11 @@ rule APT_Malware_PutterPanda_WUAUCLT {
reference = "VT Analysis"
date = "2015-06-03"
hash = "fd5ca5a2d444865fa8320337467313e4026b9f78"
strings:
$x0 = "WUAUCLT.EXE" fullword wide /* PEStudio Blacklist: strings */ /* score: '20.01' */
$x1 = "%s\\tmp%d.exe" fullword ascii /* score: '14.01' */
$x2 = "Microsoft Corporation. All rights reserved." fullword wide /* score: '8.04' */
$s1 = "Microsoft Windows Operating System" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 4 times */
$s2 = "InternetQueryOptionA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 166 times */
$s3 = "LookupPrivilegeValueA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 336 times */
......@@ -98,12 +112,14 @@ rule APT_Malware_PutterPanda_WUAUCLT {
$s7 = "Microsoft(R) Windows(R) Operating System" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 128 times */
$s8 = "CreatePipe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 222 times */
$s9 = "EnumProcessModules" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 410 times */
condition:
all of ($x*) or
(1 of ($x*) and all of ($s*) )
all of ($x*) or (1 of ($x*) and all of ($s*) )
}
rule APT_Malware_PutterPanda_Gen1 {
rule APT_Malware_PutterPanda_Gen1
{
meta:
description = "Detects a malware "
author = "YarGen Rule Generator"
......@@ -113,6 +129,7 @@ rule APT_Malware_PutterPanda_Gen1 {
hash0 = "bf1d385e637326a63c4d2f253dc211e6a5436b6a"
hash1 = "76459bcbe072f9c29bb9703bc72c7cd46a692796"
hash2 = "e105a7a3a011275002aec4b930c722e6a7ef52ad"
strings:
$s1 = "%s%duserid=%dthreadid=%dgroupid=%d" fullword ascii /* PEStudio Blacklist: strings */ /* score: '22.02' */
$s2 = "ssdpsvc.dll" fullword ascii /* score: '11.00' */
......@@ -121,11 +138,14 @@ rule APT_Malware_PutterPanda_Gen1 {
$s5 = "LsaServiceInit" fullword ascii /* score: '7.03' */
$s6 = "%-8d Fs %-12s Bs " fullword ascii /* score: '5.04' */
$s7 = "Microsoft DH SChannel Cryptographic Provider" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5.00' */ /* Goodware String - occured 5 times */
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and 5 of them
}
rule Malware_MsUpdater_String_in_EXE : PutterPanda {
rule Malware_MsUpdater_String_in_EXE
{
meta:
description = "MSUpdater String in Executable"
author = "Florian Roth"
......@@ -133,6 +153,7 @@ rule Malware_MsUpdater_String_in_EXE : PutterPanda {
reference = "VT Analysis"
date = "2015-06-03"
hash = "b1a2043b7658af4d4c9395fa77fde18ccaf549bb"
strings:
$x1 = "msupdate.exe" fullword wide /* PEStudio Blacklist: strings */ /* score: '20.01' */
// $x2 = "msupdate" fullword wide /* PEStudio Blacklist: strings */ /* score: '13.01' */
......@@ -140,15 +161,17 @@ rule Malware_MsUpdater_String_in_EXE : PutterPanda {
$x4 = "msupdater32.exe" fullword ascii
$x5 = "msupdater32.exe" fullword wide
$x6 = "msupdate.pif" fullword ascii
$fp1 = "_msupdate_" wide /* False Positive */
$fp2 = "_msupdate_" ascii /* False Positive */
$fp3 = "/kies" wide
condition:
uint16(0) == 0x5a4d and filesize < 500KB and ( 1 of ($x*) ) and not ( 1 of ($fp*) )
}
rule APT_Malware_PutterPanda_MsUpdater_3 {
rule APT_Malware_PutterPanda_MsUpdater_3
{
meta:
description = "Detects Malware related to PutterPanda - MSUpdater"
author = "Florian Roth"
......@@ -156,16 +179,20 @@ rule APT_Malware_PutterPanda_MsUpdater_3 {
reference = "VT Analysis"
date = "2015-06-03"
hash = "464149ff23f9c7f4ab2f5cadb76a4f41f969bed0"
strings:
$s0 = "msupdater.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '20.02' */
$s1 = "Explorer.exe \"" fullword ascii /* PEStudio Blacklist: strings */ /* score: '16.05' */
$s2 = "FAVORITES.DAT" fullword ascii /* score: '11.02' */
$s4 = "COMSPEC" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.82' */ /* Goodware String - occured 178 times */
condition:
uint16(0) == 0x5a4d and 3 of them
}
rule APT_Malware_PutterPanda_MsUpdater_1 {
rule APT_Malware_PutterPanda_MsUpdater_1
{
meta:
description = "Detects Malware related to PutterPanda - MSUpdater"
author = "Florian Roth"
......@@ -173,10 +200,10 @@ rule APT_Malware_PutterPanda_MsUpdater_1 {
reference = "VT Analysis"
date = "2015-06-03"
hash = "b55072b67543f58c096571c841a560c53d72f01a"
strings:
$x0 = "msupdate.exe" fullword wide /* PEStudio Blacklist: strings */ /* score: '20.01' */
$x1 = "msupdate" fullword wide /* PEStudio Blacklist: strings */ /* score: '13.01' */
$s1 = "Microsoft Corporation. All rights reserved." fullword wide /* score: '8.04' */
$s2 = "Automatic Updates" fullword wide /* PEStudio Blacklist: strings */ /* score: '4.98' */ /* Goodware String - occured 22 times */
$s3 = "VirtualProtectEx" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.93' */ /* Goodware String - occured 68 times */
......@@ -184,11 +211,12 @@ rule APT_Malware_PutterPanda_MsUpdater_1 {
$s5 = "VirtualAllocEx" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.91' */ /* Goodware String - occured 95 times */
$s6 = "WriteProcessMemory" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.87' */ /* Goodware String - occured 131 times */
condition:
( uint16(0) == 0x5a4d and 1 of ($x*) and 4 of ($s*) ) or
( 1 of ($x*) and all of ($s*) )
( uint16(0) == 0x5a4d and 1 of ($x*) and 4 of ($s*) ) or ( 1 of ($x*) and all of ($s*) )
}
rule APT_Malware_PutterPanda_MsUpdater_2 {
rule APT_Malware_PutterPanda_MsUpdater_2
{
meta:
description = "Detects Malware related to PutterPanda - MSUpdater"
author = "Florian Roth"
......@@ -196,6 +224,7 @@ rule APT_Malware_PutterPanda_MsUpdater_2 {
reference = "VT Analysis"
date = "2015-06-03"
hash = "365b5537e3495f8ecfabe2597399b1f1226879b1"
strings:
$s0 = "winsta0\\default" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.99' */ /* Goodware String - occured 6 times */
$s1 = "EXPLORER.EXE" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.98' */ /* Goodware String - occured 22 times */
......@@ -218,11 +247,14 @@ rule APT_Malware_PutterPanda_MsUpdater_2 {
$s18 = "EnumProcessModules" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.59' */ /* Goodware String - occured 410 times */
$s19 = "PSAPI.DLL" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.58' */ /* Goodware String - occured 420 times */
$s20 = "SPSSSQ" fullword ascii /* score: '4.51' */
condition:
uint16(0) == 0x5a4d and filesize < 220KB and all of them
}
rule APT_Malware_PutterPanda_Gen4 {
rule APT_Malware_PutterPanda_Gen4
{
meta:
description = "Detects Malware related to PutterPanda"
author = "Florian Roth"
......@@ -235,16 +267,15 @@ rule APT_Malware_PutterPanda_Gen4 {
hash2 = "3c4a762175326b37035a9192a981f7f4cc2aa5f0"
hash3 = "598430b3a9b5576f03cc4aed6dc2cd8a43324e1e"
hash4 = "6522b81b38747f4aa09c98fdaedaed4b00b21689"
strings:
$x1 = "rz.dat" fullword ascii /* score: '10.00' */
$s0 = "Mozilla/4.0 (Compatible; MSIE 6.0;)" fullword ascii /* PEStudio Blacklist: agent */ /* score: '20.03' */
$s1 = "Internet connect error:%d" fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.04' */
$s2 = "Proxy-Authorization:Basic " fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.02' */
$s5 = "Invalid url" fullword ascii /* PEStudio Blacklist: strings */ /* score: '9.03' */
$s6 = "Create file failed" fullword ascii /* score: '8.04' */
$s7 = "myAgent" fullword ascii /* score: '8.03' */
$z1 = "%s%s%d%d" fullword ascii /* score: '8.00' */
$z2 = "HttpQueryInfo failed:%d" fullword ascii /* PEStudio Blacklist: strings */ /* score: '13.02' */
$z3 = "read file error:%d" fullword ascii /* score: '11.04' */
......@@ -252,10 +283,7 @@ rule APT_Malware_PutterPanda_Gen4 {
$z5 = "kPStoreCreateInstance" fullword ascii /* score: '5.03' */
$z6 = "Avaliable data:%u bytes" fullword ascii /* score: '5.03' */
$z7 = "abe2869f-9b47-4cd9-a358-c22904dba7f7" fullword ascii /* PEStudio Blacklist: guid */ /* score: '5.00' */ /* Goodware String - occured 2 times */
condition:
filesize < 300KB and
(
( uint16(0) == 0x5a4d and $x1 and 3 of ($s*) ) or
( 3 of ($s*) and 4 of ($z*) )
)
filesize < 300KB and (( uint16(0) == 0x5a4d and $x1 and 3 of ($s*) ) or ( 3 of ($s*) and 4 of ($z*) ))
}
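Review bot: The new header for `Malware_MsUpdater_String_in_EXE` drops the rule tag — the old line reads `rule Malware_MsUpdater_String_in_EXE : PutterPanda {` while the new one is `rule Malware_MsUpdater_String_in_EXE` followed by `{` on its own line, whereas every other change in this section is brace placement or joining a multi-line condition onto one line. Tags are part of a rule's interface: anything that selects or groups rules by tag (for example `yara -t PutterPanda`) silently loses this rule once it is merged. If the drop is unintended the new header should be `rule Malware_MsUpdater_String_in_EXE : PutterPanda`; if it is intended, the commit message should say so, since "Update APT_PutterPanda.yar" reads as a formatting-only change. The collapsed conditions of `APT_Malware_PutterPanda_WUAUCLT`, `APT_Malware_PutterPanda_MsUpdater_1` and `APT_Malware_PutterPanda_Gen4` look equivalent to the old multi-line forms, and the `(( … ))` grouping in Gen4 preserves the original precedence.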