Skip to content

R
rules
Commit 74844809 by Marc Rivero López Committed by GitHub
Options

Update MALW_Andromeda.yar

parent 838ba051
Showing with 30 additions and 21 deletions
malware/MALW_Andromeda.yar
...@@ -2,41 +2,50 @@ ...@@ -2,41 +2,50 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
long as you use it under this license. long as you use it under this license.
*/ */
rule andromeda : binary bot
rule andromeda
{ {
meta: meta:
author = "Brian Wallace @botnet_hunter" author = "Brian Wallace @botnet_hunter"
author_email = "bwall@ballastsecurity.net" author_email = "bwall@ballastsecurity.net"
date = "2014-03-13" date = "2014-03-13"
description = "Identify Andromeda" description = "Identify Andromeda"
strings: strings:
$config = {1c 1c 1d 03 49 47 46} $config = {1c 1c 1d 03 49 47 46}
$c1 = "hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst" $c1 = "hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst"
condition: condition:
all of them all of them
} }
rule Worm_Gamarue {
meta: rule Worm_Gamarue
author = "Centro Criptológico Nacional (CCN)" {
ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
description = "Gamarue_Andromeda" meta:
strings: author = "Centro Criptológico Nacional (CCN)"
$a = { 69 E1 2A B0 2D 80 44 E3 2D 80 44 E3 2D 80 44 E3 EE 8F 1B E3 2A 80 44 E3 EE 8F 19 E3 3A 80 44 E3 2D 80 45 E3 CD 81 44 E3 0A 46 39 E3 34 80 44 E3 0A 46 29 E3 A5 80 44 E3 0A 46 2A E3 5C 80 44 E3 0A 46 36 E3 2C 80 44 E3 0A 46 3C E3 2C 80 44 E3 } ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
condition: description = "Gamarue_Andromeda"
$a
strings:
$a = { 69 E1 2A B0 2D 80 44 E3 2D 80 44 E3 2D 80 44 E3 EE 8F 1B E3 2A 80 44 E3 EE 8F 19 E3 3A 80 44 E3 2D 80 45 E3 CD 81 44 E3 0A 46 39 E3 34 80 44 E3 0A 46 29 E3 A5 80 44 E3 0A 46 2A E3 5C 80 44 E3 0A 46 36 E3 2C 80 44 E3 0A 46 3C E3 2C 80 44 E3 }
condition:
$a
} }
rule andromeda_bot rule andromeda_bot
{ {
meta: meta:
maltype = "Andromeda bot" maltype = "Andromeda bot"
author = "https://github.com/reed1713" author = "https://github.com/reed1713"
description = "IOC looks for the creation or termination of a process associated with the Andromeda Trojan. The malware will execute the msiexec.exe within the suspicious directory. Shortly after, it creates and injects itself into the wuauctl.exe (windows update) process. It then attempts to beacon to its C2." description = "IOC looks for the creation or termination of a process associated with the Andromeda Trojan. The malware will execute the msiexec.exe within the suspicious directory. Shortly after, it creates and injects itself into the wuauctl.exe (windows update) process. It then attempts to beacon to its C2."
strings:
$type="Microsoft-Windows-Security-Auditing" strings:
$eventid="4688" $type="Microsoft-Windows-Security-Auditing"
$data="AppData\\Local\\Temp\\_.net_\\msiexec.exe" $eventid="4688"
$data="AppData\\Local\\Temp\\_.net_\\msiexec.exe"
condition: condition:
all of them all of them
} }
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment