Commit 7de08342 by Marc Rivero López Committed by GitHub

Update APT1 rules

Rules indented correctly
parent 79102bd9
......@@ -5,7 +5,9 @@
import "pe"
rule LIGHTDART_APT1 {
rule LIGHTDART_APT1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -16,11 +18,14 @@ rule LIGHTDART_APT1 {
$s3 = "szURL Fail" wide ascii
$s4 = "szURL Successfully" wide ascii
$s5 = "%s&sdate=%04ld-%02ld-%02ld" wide ascii
condition:
all of them
}
rule AURIGA_APT1 {
rule AURIGA_APT1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -33,11 +38,14 @@ rule AURIGA_APT1 {
$s5 = "[End]" wide ascii
$s6 = "!(*@)(!@KEY" wide ascii
$s7 = "!(*@)(!@SID=" wide ascii
condition:
all of them
}
rule AURIGA_driver_APT1 {
rule AURIGA_driver_APT1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -54,7 +62,9 @@ rule AURIGA_driver_APT1 {
all of ($s*) or $pdb
}
rule BANGAT_APT1 {
rule BANGAT_APT1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -76,7 +86,9 @@ rule BANGAT_APT1 {
all of them
}
rule BISCUIT_GREENCAT_APT1 {
rule BISCUIT_GREENCAT_APT1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -93,7 +105,9 @@ rule BISCUIT_GREENCAT_APT1 {
all of them
}
rule BOUNCER_APT1 {
rule BOUNCER_APT1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -101,16 +115,16 @@ rule BOUNCER_APT1 {
strings:
$s1 = "*Qd9kdgba33*%Wkda0Qd3kvn$*&><(*&%$E#%$#1234asdgKNAg@!gy565dtfbasdg" wide ascii
$s2 = "IDR_DATA%d" wide ascii
$s3 = "asdfqwe123cxz" wide ascii
$s4 = "Mode must be 0(encrypt) or 1(decrypt)." wide ascii
condition:
($s1 and $s2) or ($s3 and $s4)
}
rule BOUNCER_DLL_APT1 {
rule BOUNCER_DLL_APT1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -123,7 +137,9 @@ rule BOUNCER_DLL_APT1 {
all of them
}
rule CALENDAR_APT1 {
rule CALENDAR_APT1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -136,7 +152,6 @@ rule CALENDAR_APT1 {
$s5 = "DownRun success" wide ascii
$s6 = "%s@gmail.com" wide ascii
$s7 = "<!--%s-->" wide ascii
$b8 = "W4qKihsb+So=" wide ascii
$b9 = "PoqKigY7ggH+VcnqnTcmhFCo9w==" wide ascii
$b10 = "8oqKiqb5880/uJLzAsY=" wide ascii
......@@ -145,12 +160,15 @@ rule CALENDAR_APT1 {
all of ($s*) or all of ($b*)
}
rule COMBOS_APT1 {
rule COMBOS_APT1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "Mozilla4.0 (compatible; MSIE 7.0; Win32)" wide ascii
$s2 = "Mozilla5.1 (compatible; MSIE 8.0; Win32)" wide ascii
$s3 = "Delay" wide ascii
......@@ -159,12 +177,13 @@ rule COMBOS_APT1 {
$s6 = "---[ Virtual Shell]---" wide ascii
$s7 = "Not Comming From Our Server %s." wide ascii
condition:
all of them
}
rule DAIRY_APT1 {
rule DAIRY_APT1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -176,12 +195,13 @@ rule DAIRY_APT1 {
$s4 = "pkkill" wide ascii
$s5 = "pklist" wide ascii
condition:
all of them
}
rule GLOOXMAIL_APT1 {
rule GLOOXMAIL_APT1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -191,14 +211,15 @@ rule GLOOXMAIL_APT1 {
$s2 = "Kill process failed!" wide ascii
$s3 = "Sleep success!" wide ascii
$s4 = "based on gloox" wide ascii
$pdb = "glooxtest.pdb" wide ascii
condition:
all of ($s*) or $pdb
}
rule GOGGLES_APT1 {
rule GOGGLES_APT1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -208,14 +229,14 @@ rule GOGGLES_APT1 {
$s2 = "Kill process failed!" wide ascii
$s3 = "Sleep success!" wide ascii
$s4 = "based on gloox" wide ascii
$pdb = "glooxtest.pdb" wide ascii
condition:
all of ($s*) or $pdb
}
rule HACKSFASE1_APT1 {
rule HACKSFASE1_APT1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -227,7 +248,9 @@ rule HACKSFASE1_APT1 {
all of them
}
rule HACKSFASE2_APT1 {
rule HACKSFASE2_APT1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -241,7 +264,9 @@ rule HACKSFASE2_APT1 {
all of them
}
rule KURTON_APT1 {
rule KURTON_APT1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -256,7 +281,9 @@ rule KURTON_APT1 {
all of them
}
rule LONGRUN_APT1 {
rule LONGRUN_APT1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -271,7 +298,9 @@ rule LONGRUN_APT1 {
all of them
}
rule MACROMAIL_APT1 {
rule MACROMAIL_APT1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -286,7 +315,9 @@ rule MACROMAIL_APT1 {
all of them
}
rule MANITSME_APT1 {
rule MANITSME_APT1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -296,12 +327,10 @@ rule MANITSME_APT1 {
$s2 = "The Dll file that to be released." wide ascii
$s3 = "SYSTEM\\CurrentControlSet\\Services\\" wide ascii
$s4 = "svchost.exe" wide ascii
$e1 = "Man,it's me" wide ascii
$e2 = "Oh,shit" wide ascii
$e3 = "Hallelujah" wide ascii
$e4 = "nRet == SOCKET_ERROR" wide ascii
$pdb1 = "rouji\\release\\Install.pdb" wide ascii
$pdb2 = "rouji\\SvcMain.pdb" wide ascii
......@@ -309,7 +338,9 @@ rule MANITSME_APT1 {
(all of ($s*)) or (all of ($e*)) or $pdb1 or $pdb2
}
rule MINIASP_APT1 {
rule MINIASP_APT1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -321,12 +352,13 @@ rule MINIASP_APT1 {
$s4 = "command is null!" wide ascii
$s5 = "device_input.asp?device_t=" wide ascii
condition:
all of them
}
rule NEWSREELS_APT1 {
rule NEWSREELS_APT1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -341,12 +373,13 @@ rule NEWSREELS_APT1 {
$s7 = "active" wide ascii
$s8 = "hello" wide ascii
condition:
all of them
}
rule SEASALT_APT1 {
rule SEASALT_APT1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -358,13 +391,13 @@ rule SEASALT_APT1 {
$s4 = "upfileer" wide ascii
$s5 = "fxftest" wide ascii
condition:
all of them
}
rule STARSYPOUND_APT1
{
rule STARSYPOUND_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -375,12 +408,13 @@ rule STARSYPOUND_APT1 {
$s3 = "cmd.exe" wide ascii
$s4 = "*(SY)#" wide ascii
condition:
all of them
}
rule SWORD_APT1 {
rule SWORD_APT1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -391,13 +425,13 @@ rule SWORD_APT1 {
$s3 = "down:" wide ascii
$s4 = "*========== Bye Bye ! ==========*" wide ascii
condition:
all of them
}
rule thequickbrow_APT1
{
rule thequickbrow_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -405,13 +439,13 @@ rule thequickbrow_APT1 {
strings:
$s1 = "thequickbrownfxjmpsvalzydg" wide ascii
condition:
all of them
}
rule TABMSGSQL_APT1
{
rule TABMSGSQL_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -429,6 +463,7 @@ rule TABMSGSQL_APT1 {
rule CCREWBACK1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -452,6 +487,7 @@ rule CCREWBACK1
rule TrojanCookies_CCREW
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -463,13 +499,13 @@ rule TrojanCookies_CCREW
$d = "savepath=" wide ascii
$e = "command=" wide ascii
condition:
4 of ($a,$b,$c,$d,$e)
}
rule GEN_CCREW1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -484,6 +520,7 @@ rule GEN_CCREW1
rule Elise
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -497,6 +534,7 @@ rule Elise
rule EclipseSunCloudRAT
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -515,6 +553,7 @@ rule EclipseSunCloudRAT
rule MoonProject
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -531,6 +570,7 @@ rule MoonProject
rule ccrewDownloader1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -544,6 +584,7 @@ rule ccrewDownloader1
rule ccrewDownloader2
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -557,13 +598,14 @@ rule ccrewDownloader2
any of them
}
rule ccrewMiniasp
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$a = "MiniAsp.pdb" wide ascii
$b = "device_t=" wide ascii
......@@ -572,7 +614,6 @@ rule ccrewMiniasp
any of them
}
rule ccrewSSLBack2
{
meta:
......@@ -588,6 +629,7 @@ rule ccrewSSLBack2
rule ccrewSSLBack3
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -599,9 +641,9 @@ rule ccrewSSLBack3
any of them
}
rule ccrewSSLBack1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -616,6 +658,7 @@ rule ccrewSSLBack1
rule ccrewDownloader3
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -628,13 +671,14 @@ rule ccrewDownloader3
$e = "Ljpltmivvdcbb" wide ascii
$f = "frfogjviirr" wide ascii
$g = "ximhttoskop" wide ascii
condition:
4 of them
}
rule ccrewQAZ
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -648,6 +692,7 @@ rule ccrewQAZ
rule metaxcd
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -661,20 +706,22 @@ rule metaxcd
rule MiniASP
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
strings:
$KEY = { 71 30 6E 63 39 77 38 65 64 61 6F 69 75 6B 32 6D 7A 72 66 79 33 78 74 31 70 35 6C 73 36 37 67 34 62 76 68 6A }
$PDB = "MiniAsp.pdb" nocase wide ascii
condition:
condition:
any of them
}
rule DownloaderPossibleCCrew
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -692,6 +739,7 @@ rule DownloaderPossibleCCrew
rule APT1_MAPIGET
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -709,6 +757,7 @@ rule APT1_MAPIGET
rule APT1_LIGHTBOLT
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -718,12 +767,14 @@ rule APT1_LIGHTBOLT
$str2 = "PDFBROW" wide ascii
$str3 = "Browser.exe" wide ascii
$str4 = "Protect!" wide ascii
condition:
2 of them
}
rule APT1_GETMAIL
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -732,16 +783,17 @@ rule APT1_GETMAIL
$stra1 = "pls give the FULL path" wide ascii
$stra2 = "mapi32.dll" wide ascii
$stra3 = "doCompress" wide ascii
$strb1 = "getmail.dll" wide ascii
$strb2 = "doCompress" wide ascii
$strb3 = "love" wide ascii
condition:
all of ($stra*) or all of ($strb*)
}
rule APT1_GDOCUPLOAD
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -751,12 +803,14 @@ rule APT1_GDOCUPLOAD
$str2 = "User-Agent: Shockwave Flash" wide ascii
$str3 = "add cookie failed..." wide ascii
$str4 = ",speed=%f" wide ascii
condition:
3 of them
}
rule APT1_WEBC2_Y21K
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -767,12 +821,14 @@ rule APT1_WEBC2_Y21K
$3 = "cXVpdA" wide ascii // quit
$4 = "Y21k" wide ascii // cmd
$5 = "dW5zdXBwb3J0" wide ascii // unsupport
condition:
4 of them
}
rule APT1_WEBC2_YAHOO
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -781,12 +837,14 @@ rule APT1_WEBC2_YAHOO
$http1 = "HTTP/1.0" wide ascii
$http2 = "Content-Type:" wide ascii
$uagent = "IPHONE8.5(host:%s,ip:%s)" wide ascii
condition:
all of them
}
rule APT1_WEBC2_UGX
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -798,12 +856,14 @@ rule APT1_WEBC2_UGX
$cmd1 = "!@#tiuq#@!" wide ascii
$cmd2 = "!@#dmc#@!" wide ascii
$cmd3 = "!@#troppusnu#@!" wide ascii
condition:
3 of them
}
rule APT1_WEBC2_TOCK
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -812,12 +872,14 @@ rule APT1_WEBC2_TOCK
$1 = "InprocServer32" wide ascii
$2 = "HKEY_PERFORMANCE_DATA" wide ascii
$3 = "<!---[<if IE 5>]id=" wide ascii
condition:
all of them
}
rule APT1_WEBC2_TABLE
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -829,12 +891,14 @@ rule APT1_WEBC2_TABLE
$gif1 = /\w+\.gif/
*/
$gif2 = "GIF89" wide ascii
condition:
3 of them
}
rule APT1_WEBC2_RAVE
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -844,12 +908,14 @@ rule APT1_WEBC2_RAVE
$2 = "cmd.exe" wide ascii
$3 = "SYSTEM\\CurrentControlSet\\Services\\DEVFS" wide ascii
$4 = "Device File System" wide ascii
condition:
3 of them
}
rule APT1_WEBC2_QBP
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -860,12 +926,14 @@ rule APT1_WEBC2_QBP
$3 = "URLDownloadToCacheFile" wide ascii
$4 = "dnsapi.dll" wide ascii
$5 = "urlmon.dll" wide ascii
condition:
4 of them
}
rule APT1_WEBC2_HEAD
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -875,12 +943,14 @@ rule APT1_WEBC2_HEAD
$2 = "connect ok" wide ascii
$3 = "WinHTTP 1.0" wide ascii
$4 = "<head>" wide ascii
condition:
all of them
}
rule APT1_WEBC2_GREENCAT
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -890,12 +960,14 @@ rule APT1_WEBC2_GREENCAT
$2 = "MS80547.bat" wide ascii
$3 = "ADR32" wide ascii
$4 = "ControlService failed!" wide ascii
condition:
3 of them
}
rule APT1_WEBC2_DIV
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -905,12 +977,14 @@ rule APT1_WEBC2_DIV
$2 = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide ascii
$3 = "Hello from MFC!" wide ascii
$4 = "Microsoft Internet Explorer" wide ascii
condition:
3 of them
}
rule APT1_WEBC2_CSON
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -922,12 +996,14 @@ rule APT1_WEBC2_CSON
$httpb2 = "Accept: text*/*" wide ascii
$exe1 = "xcmd.exe" wide ascii
$exe2 = "Google.exe" wide ascii
condition:
1 of ($exe*) and 1 of ($httpa*) and all of ($httpb*)
}
rule APT1_WEBC2_CLOVER
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -940,6 +1016,7 @@ rule APT1_WEBC2_CLOVER
$msg5 = "insufficient lookahead" wide ascii
$ua1 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT 5.1; SV1)" wide ascii
$ua2 = "Mozilla/5.0 (Windows; Windows NT 5.1; en-US; rv:1.8.0.12) Firefox/1.5.0.12" wide ascii
condition:
2 of ($msg*) and 1 of ($ua*)
}
......@@ -953,12 +1030,14 @@ rule APT1_WEBC2_BOLID
strings:
$vm = "VMProtect" wide ascii
$http = "http://[c2_location]/[page].html" wide ascii
condition:
all of them
}
rule APT1_WEBC2_ADSPACE
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -966,12 +1045,14 @@ rule APT1_WEBC2_ADSPACE
strings:
$1 = "<!---HEADER ADSPACE style=" wide ascii
$2 = "ERSVC.DLL" wide ascii
condition:
all of them
}
rule APT1_WEBC2_AUSOV
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -982,12 +1063,14 @@ rule APT1_WEBC2_AUSOV
$3 = "<!--DOCHTML" wide ascii
$4 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" wide ascii
$5 = "Ausov" wide ascii
condition:
4 of them
}
rule APT1_WARP
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -998,12 +1081,14 @@ rule APT1_WARP
$err3 = "opened..." wide ascii
$exe1 = "cmd.exe" wide ascii
$exe2 = "ISUN32.EXE" wide ascii
condition:
2 of ($err*) and all of ($exe*)
}
rule APT1_TARSIP_ECLIPSE
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -1013,12 +1098,14 @@ rule APT1_TARSIP_ECLIPSE
$2 = "toobu.ini" wide ascii
$3 = "Serverfile is not bigger than Clientfile" wide ascii
$4 = "URL download success" wide ascii
condition:
3 of them
}
rule APT1_TARSIP_MOON
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -1033,14 +1120,15 @@ rule APT1_TARSIP_MOON
$msg4 = "Runas success!" wide ascii
$onec1 = "onec.php" wide ascii
$onec2 = "/bin/onec" wide ascii
condition:
1 of ($s*) and 1 of ($msg*) and 1 of ($onec*)
}
// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule APT1_payloads
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -1080,6 +1168,7 @@ rule APT1_payloads
$pay32 = "ISUN32.EXE" wide ascii
$pay33 = "AcroRD32.EXE" wide ascii
$pay34 = "INETINFO.EXE" wide ascii
condition:
1 of them
}
......@@ -1087,26 +1176,22 @@ rule APT1_payloads
rule APT1_RARSilent_EXE_PDF
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$winrar1 = "WINRAR.SFX" wide ascii
/*
$winrar2 = ";The comment below contains SFX script commands" wide ascii
$winrar3 = "Silent=1" wide ascii
*/
$str2 = "Steup=" wide ascii
/*$str1 = /Setup=[\s\w\"]+\.(exe|pdf|doc)/
*/
$str2 = "Steup=\"" wide ascii
condition:
all of ($winrar*) and 1 of ($str*)
all of them
}
rule APT1_aspnetreport
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -1148,12 +1233,14 @@ rule APT1_aspnetreport
$pay32 = "ISUN32.EXE" wide ascii
$pay33 = "AcroRD32.EXE" wide ascii
$pay34 = "INETINFO.EXE" wide ascii
condition:
$url and $param and 1 of ($pay*)
}
rule APT1_Revird_svc
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -1168,12 +1255,14 @@ rule APT1_Revird_svc
$svc3 = "RundllUninstallA" wide ascii
$svc4 = "ServiceMain" wide ascii
$svc5 = "UninstallService" wide ascii
condition:
1 of ($dll*) and 2 of ($svc*)
}
rule APT1_dbg_mess
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
......@@ -1220,23 +1309,24 @@ rule APT1_dbg_mess
$pay32 = "ISUN32.EXE" wide ascii
$pay33 = "AcroRD32.EXE" wide ascii
$pay34 = "INETINFO.EXE" wide ascii
condition:
4 of ($dbg*) and 1 of ($pay*)
}
rule APT1_known_malicious_RARSilent
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$str1 = "Analysis And Outlook.doc\"" wide ascii
$str2 = "North Korean launch.pdf\"" wide ascii
$str3 = "Dollar General.doc\"" wide ascii
$str4 = "Dow Corning Corp.pdf\"" wide ascii
$str1 = "Analysis And Outlook.doc" wide ascii
$str2 = "North Korean launch.pdf" wide ascii
$str3 = "Dollar General.doc" wide ascii
$str4 = "Dow Corning Corp.pdf" wide ascii
condition:
1 of them and APT1_RARSilent_EXE_PDF
}
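Review bot: The hunks at `@@ -1087,26 +1176,22 @@` (APT1_RARSilent_EXE_PDF) and `@@ -1220,23 +1309,24 @@` (APT1_known_malicious_RARSilent) change detection logic, not only indentation, which the description "Rules indented correctly" does not mention: `$str2` appears both as `"Steup="` and `"Steup=\""`, the condition appears both as `all of ($winrar*) and 1 of ($str*)` and `all of them`, and the four `$str*` document-name literals appear with and without a trailing `\"`. This rendering does not show which side is old, but a literal ending in `\"` only matches when the SFX script quotes the path, so the two variants have different coverage and the commit message should state which one was intended. `"Steup="` also reads as a misspelling of `Setup=`; if it deliberately matches a typo seen in samples, a `// sic: matches the misspelling in the SFX comment` note beside it would stop the next maintainer from "correcting" it. Since `APT1_known_malicious_RARSilent` references `APT1_RARSilent_EXE_PDF` in its condition, a comment such as `// depends on APT1_RARSilent_EXE_PDF defined above in this file` above that condition would make the ordering constraint explicit.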