Commit 7adbb738 by Marc Rivero López Committed by GitHub

Update APT_Poseidon_Group.yar

parent 9a7f130f
...@@ -10,7 +10,9 @@ ...@@ -10,7 +10,9 @@
Identifier: Poseidon Group APT Identifier: Poseidon Group APT
*/ */
rule PoseidonGroup_Malware { rule PoseidonGroup_Malware
{
meta: meta:
description = "Detects Poseidon Group Malware" description = "Detects Poseidon Group Malware"
author = "Florian Roth" author = "Florian Roth"
...@@ -24,6 +26,7 @@ rule PoseidonGroup_Malware { ...@@ -24,6 +26,7 @@ rule PoseidonGroup_Malware {
hash5 = "d090b1d77e91848b1e2f5690b54360bbbd7ef808d017304389b90a0f8423367f" hash5 = "d090b1d77e91848b1e2f5690b54360bbbd7ef808d017304389b90a0f8423367f"
hash6 = "d7c8b47a0d0a9181fb993f17e165d75a6be8cf11812d3baf7cf11d085e21d4fb" hash6 = "d7c8b47a0d0a9181fb993f17e165d75a6be8cf11812d3baf7cf11d085e21d4fb"
hash7 = "ded0ee29af97496f27d810f6c16d78a3031d8c2193d5d2a87355f3e3ca58f9b3" hash7 = "ded0ee29af97496f27d810f6c16d78a3031d8c2193d5d2a87355f3e3ca58f9b3"
strings: strings:
$s1 = "c:\\winnt\\system32\\cmd.exe" fullword ascii $s1 = "c:\\winnt\\system32\\cmd.exe" fullword ascii
$s2 = "c:\\windows\\system32\\cmd.exe" fullword ascii $s2 = "c:\\windows\\system32\\cmd.exe" fullword ascii
...@@ -36,7 +39,6 @@ rule PoseidonGroup_Malware { ...@@ -36,7 +39,6 @@ rule PoseidonGroup_Malware {
$s9 = "Server 2012" fullword ascii /* Goodware String - occured 1 times */ $s9 = "Server 2012" fullword ascii /* Goodware String - occured 1 times */
$s10 = "Server 2008" fullword ascii /* Goodware String - occured 1 times */ $s10 = "Server 2008" fullword ascii /* Goodware String - occured 1 times */
$s11 = "Server 2003" fullword ascii /* Goodware String - occured 1 times */ $s11 = "Server 2003" fullword ascii /* Goodware String - occured 1 times */
$a1 = "net.exe group \"Domain Admins\" /domain" fullword ascii $a1 = "net.exe group \"Domain Admins\" /domain" fullword ascii
$a2 = "net.exe group \"Admins. do Dom" fullword ascii $a2 = "net.exe group \"Admins. do Dom" fullword ascii
$a3 = "(SVRID=%d)" fullword ascii $a3 = "(SVRID=%d)" fullword ascii
...@@ -44,12 +46,15 @@ rule PoseidonGroup_Malware { ...@@ -44,12 +46,15 @@ rule PoseidonGroup_Malware {
$a5 = "(SVR=%s)" fullword ascii $a5 = "(SVR=%s)" fullword ascii
$a6 = "Set-Cookie:\\b*{.+?}\\n" fullword wide $a6 = "Set-Cookie:\\b*{.+?}\\n" fullword wide
$a7 = "net.exe localgroup Administradores" fullword ascii $a7 = "net.exe localgroup Administradores" fullword ascii
condition: condition:
( uint16(0) == 0x5a4d and filesize < 650KB and 6 of ($s*) ) or ( uint16(0) == 0x5a4d and filesize < 650KB and 6 of ($s*) ) or
( 4 of ($s*) and 1 of ($a*) ) ( 4 of ($s*) and 1 of ($a*) )
} }
rule PoseidonGroup_MalDoc_1 { rule PoseidonGroup_MalDoc_1
{
meta: meta:
description = "Detects Poseidon Group - Malicious Word Document" description = "Detects Poseidon Group - Malicious Word Document"
author = "Florian Roth" author = "Florian Roth"
...@@ -57,13 +62,17 @@ rule PoseidonGroup_MalDoc_1 { ...@@ -57,13 +62,17 @@ rule PoseidonGroup_MalDoc_1 {
date = "2016-02-09" date = "2016-02-09"
score = 80 score = 80
hash = "0983526d7f0640e5765ded6be6c9e64869172a02c20023f8a006396ff358999b" hash = "0983526d7f0640e5765ded6be6c9e64869172a02c20023f8a006396ff358999b"
strings: strings:
$s1 = "c:\\cmd32dll.exe" fullword ascii $s1 = "c:\\cmd32dll.exe" fullword ascii
condition: condition:
uint16(0) == 0xcfd0 and filesize < 500KB and all of them uint16(0) == 0xcfd0 and filesize < 500KB and all of them
} }
rule PoseidonGroup_MalDoc_2 { rule PoseidonGroup_MalDoc_2
{
meta: meta:
description = "Detects Poseidon Group - Malicious Word Document" description = "Detects Poseidon Group - Malicious Word Document"
author = "Florian Roth" author = "Florian Roth"
...@@ -76,12 +85,14 @@ rule PoseidonGroup_MalDoc_2 { ...@@ -76,12 +85,14 @@ rule PoseidonGroup_MalDoc_2 {
hash4 = "ec309300c950936a1b9f900aa30630b33723c42240ca4db978f2ca5e0f97afed" hash4 = "ec309300c950936a1b9f900aa30630b33723c42240ca4db978f2ca5e0f97afed"
hash5 = "27449198542fed64c23f583617908c8648fa4b4633bacd224f97e7f5d8b18778" hash5 = "27449198542fed64c23f583617908c8648fa4b4633bacd224f97e7f5d8b18778"
hash6 = "1e62629dae05bf7ee3fe1346faa60e6791c61f92dd921daa5ce2bdce2e9d4216" hash6 = "1e62629dae05bf7ee3fe1346faa60e6791c61f92dd921daa5ce2bdce2e9d4216"
strings: strings:
$s0 = "{\\*\\generator Msftedit 5.41." ascii $s0 = "{\\*\\generator Msftedit 5.41." ascii
$s1 = "Attachment 1: Complete Professional Background" ascii $s1 = "Attachment 1: Complete Professional Background" ascii
$s2 = "E-mail: \\cf1\\ul\\f1" $s2 = "E-mail: \\cf1\\ul\\f1"
$s3 = "Education:\\par" ascii $s3 = "Education:\\par" ascii
$s5 = "@gmail.com" ascii $s5 = "@gmail.com" ascii
condition: condition:
uint32(0) == 0x74725c7b and filesize < 500KB and 3 of them uint32(0) == 0x74725c7b and filesize < 500KB and 3 of them
} }