Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
R
rules
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
fact-depend
rules
Commits
608de9df
Unverified
Commit
608de9df
authored
Dec 28, 2020
by
Jaume Martin
Committed by
GitHub
Dec 28, 2020
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #388 from Xyl2k/patch-4
Create MALW_PurpleWave.yar
parents
f36eca9d
1ef31958
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
63 additions
and
0 deletions
+63
-0
MALW_PurpleWave.yar
malware/MALW_PurpleWave.yar
+63
-0
No files found.
malware/MALW_PurpleWave.yar
0 → 100644
View file @
608de9df
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or
organization, as long as you use it under this license.
*/
rule MALW_PurpleWave_v1
{
meta:
Description ="Generic rule to identify PurpleWave v1.0"
Author = "Xylitol <xylitol@temari.fr>"
date = "2020-08-01"
reference = "https://twitter.com/3xp0rtblog/status/1289125217751781376"
hash1 = "7de7b866c46f34be28f7085fb1a1727ab939d65abd3128871fb68c42371af2df"
hash2 = "76bffcf04104a1c4e6a5792d3795d1a03c7497a274042889b8f44c8f8facc304"
hash3 = "832d667b00c07424f050f84e717f8db22833b1e8e131aa7a33de739c4f4b4cdd"
hash4 = "917057a6a03252bc2525b326a63111fce050fc86e6e3b26fa9e452489f1358b9"
hash5 = "a8577e1ccad877ae5ff4bf89aa578989404643c6fdf10baafd4335a1766abb16"
hash6 = "d5ec98c98a8f56fdeb00cc2404c4527a39726bf43d8b9cf6c4c8c36364f94161"
hash7 = "d820ec7f9196a5cc3dbc2b5860334a2e174fede80efc3b8463756fb8767dddf9"
hash8 = "d4572e26b9e6ce963af590979afe3df6e1be78aa8ec0e926e77b0affb7ab1554"
hash9 = "4b3cb90581dcd77c9ceffbd662b8dac70b68de5a03cd56940434cc035209d61d"
strings:
$MZ = {4D 5A}
$decoderoutine = { 8B 45 E8 33 C9 8A 04 07 28 04 1A 42 83 FF 07 8D 47 01 0F 45 C8 8B F9 3B D6 7C E5 }
/*
generic routine used to decode strings (bot name, bot version, mutex, c2 url, etc..)
/8B45 E8 /MOV EAX,[LOCAL.6]
|33C9 |XOR ECX,ECX
|8A0407 |MOV AL,BYTE PTR DS:[EDI+EAX]
|28041A |SUB BYTE PTR DS:[EDX+EBX],AL
|42 |INC EDX
|83FF 07 |CMP EDI,7
|8D47 01 |LEA EAX,DWORD PTR DS:[EDI+1]
|0F45C8 |CMOVNE ECX,EAX
|8BF9 |MOV EDI,ECX
|3BD6 |CMP EDX,ESI
\7C E5 \JL SHORT 76bffcf0.0135B57F
*/
// Regular strings that can be found into purplewave 1.0 samples
$string1 = " at t.me/LuckyStoreSupport |" fullword wide
$string2 = "][aes_key]" wide ascii
$string3 = "][passwords][" wide ascii
$string4 = "][is_encrypted]" wide ascii
$string5 = "][cards][" wide ascii
$string6 = "][number]" wide ascii
$string7 = "][domain]" wide ascii
$string8 = "][cookies][" wide ascii
$string9 = "][flag]" wide ascii
$string10 = "][histories][" wide ascii
$string11 = "D877F783D5D3EF8C" wide ascii
$alphabet1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
$alphabet2 = "0123456789abcdefghijklmnopqrstuvwxyz"
condition:
($MZ at 0 and $decoderoutine) and
(
(5 of ($string*) and all of ($alphabet*))
)
and filesize < 700KB // Standard size when not packed should be arround ~598/600kb
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
