Commit 7de08342 by Marc Rivero López Committed by GitHub

Update APT1 rules

Rules indented correctly
parent 79102bd9
...@@ -5,7 +5,9 @@ ...@@ -5,7 +5,9 @@
import "pe" import "pe"
rule LIGHTDART_APT1 { rule LIGHTDART_APT1
{
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -16,11 +18,14 @@ rule LIGHTDART_APT1 { ...@@ -16,11 +18,14 @@ rule LIGHTDART_APT1 {
$s3 = "szURL Fail" wide ascii $s3 = "szURL Fail" wide ascii
$s4 = "szURL Successfully" wide ascii $s4 = "szURL Successfully" wide ascii
$s5 = "%s&sdate=%04ld-%02ld-%02ld" wide ascii $s5 = "%s&sdate=%04ld-%02ld-%02ld" wide ascii
condition: condition:
all of them all of them
} }
rule AURIGA_APT1 { rule AURIGA_APT1
{
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -33,11 +38,14 @@ rule AURIGA_APT1 { ...@@ -33,11 +38,14 @@ rule AURIGA_APT1 {
$s5 = "[End]" wide ascii $s5 = "[End]" wide ascii
$s6 = "!(*@)(!@KEY" wide ascii $s6 = "!(*@)(!@KEY" wide ascii
$s7 = "!(*@)(!@SID=" wide ascii $s7 = "!(*@)(!@SID=" wide ascii
condition: condition:
all of them all of them
} }
rule AURIGA_driver_APT1 { rule AURIGA_driver_APT1
{
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -54,7 +62,9 @@ rule AURIGA_driver_APT1 { ...@@ -54,7 +62,9 @@ rule AURIGA_driver_APT1 {
all of ($s*) or $pdb all of ($s*) or $pdb
} }
rule BANGAT_APT1 { rule BANGAT_APT1
{
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -76,7 +86,9 @@ rule BANGAT_APT1 { ...@@ -76,7 +86,9 @@ rule BANGAT_APT1 {
all of them all of them
} }
rule BISCUIT_GREENCAT_APT1 { rule BISCUIT_GREENCAT_APT1
{
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -93,7 +105,9 @@ rule BISCUIT_GREENCAT_APT1 { ...@@ -93,7 +105,9 @@ rule BISCUIT_GREENCAT_APT1 {
all of them all of them
} }
rule BOUNCER_APT1 { rule BOUNCER_APT1
{
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -101,16 +115,16 @@ rule BOUNCER_APT1 { ...@@ -101,16 +115,16 @@ rule BOUNCER_APT1 {
strings: strings:
$s1 = "*Qd9kdgba33*%Wkda0Qd3kvn$*&><(*&%$E#%$#1234asdgKNAg@!gy565dtfbasdg" wide ascii $s1 = "*Qd9kdgba33*%Wkda0Qd3kvn$*&><(*&%$E#%$#1234asdgKNAg@!gy565dtfbasdg" wide ascii
$s2 = "IDR_DATA%d" wide ascii $s2 = "IDR_DATA%d" wide ascii
$s3 = "asdfqwe123cxz" wide ascii $s3 = "asdfqwe123cxz" wide ascii
$s4 = "Mode must be 0(encrypt) or 1(decrypt)." wide ascii $s4 = "Mode must be 0(encrypt) or 1(decrypt)." wide ascii
condition: condition:
($s1 and $s2) or ($s3 and $s4) ($s1 and $s2) or ($s3 and $s4)
} }
rule BOUNCER_DLL_APT1 { rule BOUNCER_DLL_APT1
{
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -123,7 +137,9 @@ rule BOUNCER_DLL_APT1 { ...@@ -123,7 +137,9 @@ rule BOUNCER_DLL_APT1 {
all of them all of them
} }
rule CALENDAR_APT1 { rule CALENDAR_APT1
{
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -136,7 +152,6 @@ rule CALENDAR_APT1 { ...@@ -136,7 +152,6 @@ rule CALENDAR_APT1 {
$s5 = "DownRun success" wide ascii $s5 = "DownRun success" wide ascii
$s6 = "%s@gmail.com" wide ascii $s6 = "%s@gmail.com" wide ascii
$s7 = "<!--%s-->" wide ascii $s7 = "<!--%s-->" wide ascii
$b8 = "W4qKihsb+So=" wide ascii $b8 = "W4qKihsb+So=" wide ascii
$b9 = "PoqKigY7ggH+VcnqnTcmhFCo9w==" wide ascii $b9 = "PoqKigY7ggH+VcnqnTcmhFCo9w==" wide ascii
$b10 = "8oqKiqb5880/uJLzAsY=" wide ascii $b10 = "8oqKiqb5880/uJLzAsY=" wide ascii
...@@ -145,12 +160,15 @@ rule CALENDAR_APT1 { ...@@ -145,12 +160,15 @@ rule CALENDAR_APT1 {
all of ($s*) or all of ($b*) all of ($s*) or all of ($b*)
} }
rule COMBOS_APT1 { rule COMBOS_APT1
{
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
strings: strings:
$s1 = "Mozilla4.0 (compatible; MSIE 7.0; Win32)" wide ascii $s1 = "Mozilla4.0 (compatible; MSIE 7.0; Win32)" wide ascii
$s2 = "Mozilla5.1 (compatible; MSIE 8.0; Win32)" wide ascii $s2 = "Mozilla5.1 (compatible; MSIE 8.0; Win32)" wide ascii
$s3 = "Delay" wide ascii $s3 = "Delay" wide ascii
...@@ -159,12 +177,13 @@ rule COMBOS_APT1 { ...@@ -159,12 +177,13 @@ rule COMBOS_APT1 {
$s6 = "---[ Virtual Shell]---" wide ascii $s6 = "---[ Virtual Shell]---" wide ascii
$s7 = "Not Comming From Our Server %s." wide ascii $s7 = "Not Comming From Our Server %s." wide ascii
condition: condition:
all of them all of them
} }
rule DAIRY_APT1 { rule DAIRY_APT1
{
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -176,12 +195,13 @@ rule DAIRY_APT1 { ...@@ -176,12 +195,13 @@ rule DAIRY_APT1 {
$s4 = "pkkill" wide ascii $s4 = "pkkill" wide ascii
$s5 = "pklist" wide ascii $s5 = "pklist" wide ascii
condition: condition:
all of them all of them
} }
rule GLOOXMAIL_APT1 { rule GLOOXMAIL_APT1
{
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -191,14 +211,15 @@ rule GLOOXMAIL_APT1 { ...@@ -191,14 +211,15 @@ rule GLOOXMAIL_APT1 {
$s2 = "Kill process failed!" wide ascii $s2 = "Kill process failed!" wide ascii
$s3 = "Sleep success!" wide ascii $s3 = "Sleep success!" wide ascii
$s4 = "based on gloox" wide ascii $s4 = "based on gloox" wide ascii
$pdb = "glooxtest.pdb" wide ascii $pdb = "glooxtest.pdb" wide ascii
condition: condition:
all of ($s*) or $pdb all of ($s*) or $pdb
} }
rule GOGGLES_APT1 { rule GOGGLES_APT1
{
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -208,14 +229,14 @@ rule GOGGLES_APT1 { ...@@ -208,14 +229,14 @@ rule GOGGLES_APT1 {
$s2 = "Kill process failed!" wide ascii $s2 = "Kill process failed!" wide ascii
$s3 = "Sleep success!" wide ascii $s3 = "Sleep success!" wide ascii
$s4 = "based on gloox" wide ascii $s4 = "based on gloox" wide ascii
$pdb = "glooxtest.pdb" wide ascii $pdb = "glooxtest.pdb" wide ascii
condition: condition:
all of ($s*) or $pdb all of ($s*) or $pdb
} }
rule HACKSFASE1_APT1 { rule HACKSFASE1_APT1
{
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -227,7 +248,9 @@ rule HACKSFASE1_APT1 { ...@@ -227,7 +248,9 @@ rule HACKSFASE1_APT1 {
all of them all of them
} }
rule HACKSFASE2_APT1 { rule HACKSFASE2_APT1
{
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -241,7 +264,9 @@ rule HACKSFASE2_APT1 { ...@@ -241,7 +264,9 @@ rule HACKSFASE2_APT1 {
all of them all of them
} }
rule KURTON_APT1 { rule KURTON_APT1
{
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -256,7 +281,9 @@ rule KURTON_APT1 { ...@@ -256,7 +281,9 @@ rule KURTON_APT1 {
all of them all of them
} }
rule LONGRUN_APT1 { rule LONGRUN_APT1
{
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -271,7 +298,9 @@ rule LONGRUN_APT1 { ...@@ -271,7 +298,9 @@ rule LONGRUN_APT1 {
all of them all of them
} }
rule MACROMAIL_APT1 { rule MACROMAIL_APT1
{
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -286,7 +315,9 @@ rule MACROMAIL_APT1 { ...@@ -286,7 +315,9 @@ rule MACROMAIL_APT1 {
all of them all of them
} }
rule MANITSME_APT1 { rule MANITSME_APT1
{
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -296,12 +327,10 @@ rule MANITSME_APT1 { ...@@ -296,12 +327,10 @@ rule MANITSME_APT1 {
$s2 = "The Dll file that to be released." wide ascii $s2 = "The Dll file that to be released." wide ascii
$s3 = "SYSTEM\\CurrentControlSet\\Services\\" wide ascii $s3 = "SYSTEM\\CurrentControlSet\\Services\\" wide ascii
$s4 = "svchost.exe" wide ascii $s4 = "svchost.exe" wide ascii
$e1 = "Man,it's me" wide ascii $e1 = "Man,it's me" wide ascii
$e2 = "Oh,shit" wide ascii $e2 = "Oh,shit" wide ascii
$e3 = "Hallelujah" wide ascii $e3 = "Hallelujah" wide ascii
$e4 = "nRet == SOCKET_ERROR" wide ascii $e4 = "nRet == SOCKET_ERROR" wide ascii
$pdb1 = "rouji\\release\\Install.pdb" wide ascii $pdb1 = "rouji\\release\\Install.pdb" wide ascii
$pdb2 = "rouji\\SvcMain.pdb" wide ascii $pdb2 = "rouji\\SvcMain.pdb" wide ascii
...@@ -309,7 +338,9 @@ rule MANITSME_APT1 { ...@@ -309,7 +338,9 @@ rule MANITSME_APT1 {
(all of ($s*)) or (all of ($e*)) or $pdb1 or $pdb2 (all of ($s*)) or (all of ($e*)) or $pdb1 or $pdb2
} }
rule MINIASP_APT1 { rule MINIASP_APT1
{
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -321,12 +352,13 @@ rule MINIASP_APT1 { ...@@ -321,12 +352,13 @@ rule MINIASP_APT1 {
$s4 = "command is null!" wide ascii $s4 = "command is null!" wide ascii
$s5 = "device_input.asp?device_t=" wide ascii $s5 = "device_input.asp?device_t=" wide ascii
condition: condition:
all of them all of them
} }
rule NEWSREELS_APT1 { rule NEWSREELS_APT1
{
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -341,12 +373,13 @@ rule NEWSREELS_APT1 { ...@@ -341,12 +373,13 @@ rule NEWSREELS_APT1 {
$s7 = "active" wide ascii $s7 = "active" wide ascii
$s8 = "hello" wide ascii $s8 = "hello" wide ascii
condition: condition:
all of them all of them
} }
rule SEASALT_APT1 { rule SEASALT_APT1
{
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -358,13 +391,13 @@ rule SEASALT_APT1 { ...@@ -358,13 +391,13 @@ rule SEASALT_APT1 {
$s4 = "upfileer" wide ascii $s4 = "upfileer" wide ascii
$s5 = "fxftest" wide ascii $s5 = "fxftest" wide ascii
condition: condition:
all of them all of them
} }
rule STARSYPOUND_APT1
{
rule STARSYPOUND_APT1 {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -375,12 +408,13 @@ rule STARSYPOUND_APT1 { ...@@ -375,12 +408,13 @@ rule STARSYPOUND_APT1 {
$s3 = "cmd.exe" wide ascii $s3 = "cmd.exe" wide ascii
$s4 = "*(SY)#" wide ascii $s4 = "*(SY)#" wide ascii
condition: condition:
all of them all of them
} }
rule SWORD_APT1 { rule SWORD_APT1
{
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -391,13 +425,13 @@ rule SWORD_APT1 { ...@@ -391,13 +425,13 @@ rule SWORD_APT1 {
$s3 = "down:" wide ascii $s3 = "down:" wide ascii
$s4 = "*========== Bye Bye ! ==========*" wide ascii $s4 = "*========== Bye Bye ! ==========*" wide ascii
condition: condition:
all of them all of them
} }
rule thequickbrow_APT1
{
rule thequickbrow_APT1 {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -405,13 +439,13 @@ rule thequickbrow_APT1 { ...@@ -405,13 +439,13 @@ rule thequickbrow_APT1 {
strings: strings:
$s1 = "thequickbrownfxjmpsvalzydg" wide ascii $s1 = "thequickbrownfxjmpsvalzydg" wide ascii
condition: condition:
all of them all of them
} }
rule TABMSGSQL_APT1
{
rule TABMSGSQL_APT1 {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -429,6 +463,7 @@ rule TABMSGSQL_APT1 { ...@@ -429,6 +463,7 @@ rule TABMSGSQL_APT1 {
rule CCREWBACK1 rule CCREWBACK1
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -452,6 +487,7 @@ rule CCREWBACK1 ...@@ -452,6 +487,7 @@ rule CCREWBACK1
rule TrojanCookies_CCREW rule TrojanCookies_CCREW
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -463,13 +499,13 @@ rule TrojanCookies_CCREW ...@@ -463,13 +499,13 @@ rule TrojanCookies_CCREW
$d = "savepath=" wide ascii $d = "savepath=" wide ascii
$e = "command=" wide ascii $e = "command=" wide ascii
condition: condition:
4 of ($a,$b,$c,$d,$e) 4 of ($a,$b,$c,$d,$e)
} }
rule GEN_CCREW1 rule GEN_CCREW1
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -484,6 +520,7 @@ rule GEN_CCREW1 ...@@ -484,6 +520,7 @@ rule GEN_CCREW1
rule Elise rule Elise
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -497,6 +534,7 @@ rule Elise ...@@ -497,6 +534,7 @@ rule Elise
rule EclipseSunCloudRAT rule EclipseSunCloudRAT
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -515,6 +553,7 @@ rule EclipseSunCloudRAT ...@@ -515,6 +553,7 @@ rule EclipseSunCloudRAT
rule MoonProject rule MoonProject
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -531,6 +570,7 @@ rule MoonProject ...@@ -531,6 +570,7 @@ rule MoonProject
rule ccrewDownloader1 rule ccrewDownloader1
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -544,6 +584,7 @@ rule ccrewDownloader1 ...@@ -544,6 +584,7 @@ rule ccrewDownloader1
rule ccrewDownloader2 rule ccrewDownloader2
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -557,13 +598,14 @@ rule ccrewDownloader2 ...@@ -557,13 +598,14 @@ rule ccrewDownloader2
any of them any of them
} }
rule ccrewMiniasp rule ccrewMiniasp
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
strings: strings:
$a = "MiniAsp.pdb" wide ascii $a = "MiniAsp.pdb" wide ascii
$b = "device_t=" wide ascii $b = "device_t=" wide ascii
...@@ -572,7 +614,6 @@ rule ccrewMiniasp ...@@ -572,7 +614,6 @@ rule ccrewMiniasp
any of them any of them
} }
rule ccrewSSLBack2 rule ccrewSSLBack2
{ {
meta: meta:
...@@ -588,6 +629,7 @@ rule ccrewSSLBack2 ...@@ -588,6 +629,7 @@ rule ccrewSSLBack2
rule ccrewSSLBack3 rule ccrewSSLBack3
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -599,9 +641,9 @@ rule ccrewSSLBack3 ...@@ -599,9 +641,9 @@ rule ccrewSSLBack3
any of them any of them
} }
rule ccrewSSLBack1 rule ccrewSSLBack1
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -616,6 +658,7 @@ rule ccrewSSLBack1 ...@@ -616,6 +658,7 @@ rule ccrewSSLBack1
rule ccrewDownloader3 rule ccrewDownloader3
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -628,13 +671,14 @@ rule ccrewDownloader3 ...@@ -628,13 +671,14 @@ rule ccrewDownloader3
$e = "Ljpltmivvdcbb" wide ascii $e = "Ljpltmivvdcbb" wide ascii
$f = "frfogjviirr" wide ascii $f = "frfogjviirr" wide ascii
$g = "ximhttoskop" wide ascii $g = "ximhttoskop" wide ascii
condition: condition:
4 of them 4 of them
} }
rule ccrewQAZ rule ccrewQAZ
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -648,6 +692,7 @@ rule ccrewQAZ ...@@ -648,6 +692,7 @@ rule ccrewQAZ
rule metaxcd rule metaxcd
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -661,20 +706,22 @@ rule metaxcd ...@@ -661,20 +706,22 @@ rule metaxcd
rule MiniASP rule MiniASP
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
strings: strings:
$KEY = { 71 30 6E 63 39 77 38 65 64 61 6F 69 75 6B 32 6D 7A 72 66 79 33 78 74 31 70 35 6C 73 36 37 67 34 62 76 68 6A } $KEY = { 71 30 6E 63 39 77 38 65 64 61 6F 69 75 6B 32 6D 7A 72 66 79 33 78 74 31 70 35 6C 73 36 37 67 34 62 76 68 6A }
$PDB = "MiniAsp.pdb" nocase wide ascii $PDB = "MiniAsp.pdb" nocase wide ascii
condition: condition:
any of them any of them
} }
rule DownloaderPossibleCCrew rule DownloaderPossibleCCrew
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -692,6 +739,7 @@ rule DownloaderPossibleCCrew ...@@ -692,6 +739,7 @@ rule DownloaderPossibleCCrew
rule APT1_MAPIGET rule APT1_MAPIGET
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -709,6 +757,7 @@ rule APT1_MAPIGET ...@@ -709,6 +757,7 @@ rule APT1_MAPIGET
rule APT1_LIGHTBOLT rule APT1_LIGHTBOLT
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -718,12 +767,14 @@ rule APT1_LIGHTBOLT ...@@ -718,12 +767,14 @@ rule APT1_LIGHTBOLT
$str2 = "PDFBROW" wide ascii $str2 = "PDFBROW" wide ascii
$str3 = "Browser.exe" wide ascii $str3 = "Browser.exe" wide ascii
$str4 = "Protect!" wide ascii $str4 = "Protect!" wide ascii
condition: condition:
2 of them 2 of them
} }
rule APT1_GETMAIL rule APT1_GETMAIL
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -732,16 +783,17 @@ rule APT1_GETMAIL ...@@ -732,16 +783,17 @@ rule APT1_GETMAIL
$stra1 = "pls give the FULL path" wide ascii $stra1 = "pls give the FULL path" wide ascii
$stra2 = "mapi32.dll" wide ascii $stra2 = "mapi32.dll" wide ascii
$stra3 = "doCompress" wide ascii $stra3 = "doCompress" wide ascii
$strb1 = "getmail.dll" wide ascii $strb1 = "getmail.dll" wide ascii
$strb2 = "doCompress" wide ascii $strb2 = "doCompress" wide ascii
$strb3 = "love" wide ascii $strb3 = "love" wide ascii
condition: condition:
all of ($stra*) or all of ($strb*) all of ($stra*) or all of ($strb*)
} }
rule APT1_GDOCUPLOAD rule APT1_GDOCUPLOAD
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -751,12 +803,14 @@ rule APT1_GDOCUPLOAD ...@@ -751,12 +803,14 @@ rule APT1_GDOCUPLOAD
$str2 = "User-Agent: Shockwave Flash" wide ascii $str2 = "User-Agent: Shockwave Flash" wide ascii
$str3 = "add cookie failed..." wide ascii $str3 = "add cookie failed..." wide ascii
$str4 = ",speed=%f" wide ascii $str4 = ",speed=%f" wide ascii
condition: condition:
3 of them 3 of them
} }
rule APT1_WEBC2_Y21K rule APT1_WEBC2_Y21K
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -767,12 +821,14 @@ rule APT1_WEBC2_Y21K ...@@ -767,12 +821,14 @@ rule APT1_WEBC2_Y21K
$3 = "cXVpdA" wide ascii // quit $3 = "cXVpdA" wide ascii // quit
$4 = "Y21k" wide ascii // cmd $4 = "Y21k" wide ascii // cmd
$5 = "dW5zdXBwb3J0" wide ascii // unsupport $5 = "dW5zdXBwb3J0" wide ascii // unsupport
condition: condition:
4 of them 4 of them
} }
rule APT1_WEBC2_YAHOO rule APT1_WEBC2_YAHOO
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -781,12 +837,14 @@ rule APT1_WEBC2_YAHOO ...@@ -781,12 +837,14 @@ rule APT1_WEBC2_YAHOO
$http1 = "HTTP/1.0" wide ascii $http1 = "HTTP/1.0" wide ascii
$http2 = "Content-Type:" wide ascii $http2 = "Content-Type:" wide ascii
$uagent = "IPHONE8.5(host:%s,ip:%s)" wide ascii $uagent = "IPHONE8.5(host:%s,ip:%s)" wide ascii
condition: condition:
all of them all of them
} }
rule APT1_WEBC2_UGX rule APT1_WEBC2_UGX
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -798,12 +856,14 @@ rule APT1_WEBC2_UGX ...@@ -798,12 +856,14 @@ rule APT1_WEBC2_UGX
$cmd1 = "!@#tiuq#@!" wide ascii $cmd1 = "!@#tiuq#@!" wide ascii
$cmd2 = "!@#dmc#@!" wide ascii $cmd2 = "!@#dmc#@!" wide ascii
$cmd3 = "!@#troppusnu#@!" wide ascii $cmd3 = "!@#troppusnu#@!" wide ascii
condition: condition:
3 of them 3 of them
} }
rule APT1_WEBC2_TOCK rule APT1_WEBC2_TOCK
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -812,12 +872,14 @@ rule APT1_WEBC2_TOCK ...@@ -812,12 +872,14 @@ rule APT1_WEBC2_TOCK
$1 = "InprocServer32" wide ascii $1 = "InprocServer32" wide ascii
$2 = "HKEY_PERFORMANCE_DATA" wide ascii $2 = "HKEY_PERFORMANCE_DATA" wide ascii
$3 = "<!---[<if IE 5>]id=" wide ascii $3 = "<!---[<if IE 5>]id=" wide ascii
condition: condition:
all of them all of them
} }
rule APT1_WEBC2_TABLE rule APT1_WEBC2_TABLE
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -829,12 +891,14 @@ rule APT1_WEBC2_TABLE ...@@ -829,12 +891,14 @@ rule APT1_WEBC2_TABLE
$gif1 = /\w+\.gif/ $gif1 = /\w+\.gif/
*/ */
$gif2 = "GIF89" wide ascii $gif2 = "GIF89" wide ascii
condition: condition:
3 of them 3 of them
} }
rule APT1_WEBC2_RAVE rule APT1_WEBC2_RAVE
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -844,12 +908,14 @@ rule APT1_WEBC2_RAVE ...@@ -844,12 +908,14 @@ rule APT1_WEBC2_RAVE
$2 = "cmd.exe" wide ascii $2 = "cmd.exe" wide ascii
$3 = "SYSTEM\\CurrentControlSet\\Services\\DEVFS" wide ascii $3 = "SYSTEM\\CurrentControlSet\\Services\\DEVFS" wide ascii
$4 = "Device File System" wide ascii $4 = "Device File System" wide ascii
condition: condition:
3 of them 3 of them
} }
rule APT1_WEBC2_QBP rule APT1_WEBC2_QBP
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -860,12 +926,14 @@ rule APT1_WEBC2_QBP ...@@ -860,12 +926,14 @@ rule APT1_WEBC2_QBP
$3 = "URLDownloadToCacheFile" wide ascii $3 = "URLDownloadToCacheFile" wide ascii
$4 = "dnsapi.dll" wide ascii $4 = "dnsapi.dll" wide ascii
$5 = "urlmon.dll" wide ascii $5 = "urlmon.dll" wide ascii
condition: condition:
4 of them 4 of them
} }
rule APT1_WEBC2_HEAD rule APT1_WEBC2_HEAD
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -875,12 +943,14 @@ rule APT1_WEBC2_HEAD ...@@ -875,12 +943,14 @@ rule APT1_WEBC2_HEAD
$2 = "connect ok" wide ascii $2 = "connect ok" wide ascii
$3 = "WinHTTP 1.0" wide ascii $3 = "WinHTTP 1.0" wide ascii
$4 = "<head>" wide ascii $4 = "<head>" wide ascii
condition: condition:
all of them all of them
} }
rule APT1_WEBC2_GREENCAT rule APT1_WEBC2_GREENCAT
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -890,12 +960,14 @@ rule APT1_WEBC2_GREENCAT ...@@ -890,12 +960,14 @@ rule APT1_WEBC2_GREENCAT
$2 = "MS80547.bat" wide ascii $2 = "MS80547.bat" wide ascii
$3 = "ADR32" wide ascii $3 = "ADR32" wide ascii
$4 = "ControlService failed!" wide ascii $4 = "ControlService failed!" wide ascii
condition: condition:
3 of them 3 of them
} }
rule APT1_WEBC2_DIV rule APT1_WEBC2_DIV
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -905,12 +977,14 @@ rule APT1_WEBC2_DIV ...@@ -905,12 +977,14 @@ rule APT1_WEBC2_DIV
$2 = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide ascii $2 = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide ascii
$3 = "Hello from MFC!" wide ascii $3 = "Hello from MFC!" wide ascii
$4 = "Microsoft Internet Explorer" wide ascii $4 = "Microsoft Internet Explorer" wide ascii
condition: condition:
3 of them 3 of them
} }
rule APT1_WEBC2_CSON rule APT1_WEBC2_CSON
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -922,12 +996,14 @@ rule APT1_WEBC2_CSON ...@@ -922,12 +996,14 @@ rule APT1_WEBC2_CSON
$httpb2 = "Accept: text*/*" wide ascii $httpb2 = "Accept: text*/*" wide ascii
$exe1 = "xcmd.exe" wide ascii $exe1 = "xcmd.exe" wide ascii
$exe2 = "Google.exe" wide ascii $exe2 = "Google.exe" wide ascii
condition: condition:
1 of ($exe*) and 1 of ($httpa*) and all of ($httpb*) 1 of ($exe*) and 1 of ($httpa*) and all of ($httpb*)
} }
rule APT1_WEBC2_CLOVER rule APT1_WEBC2_CLOVER
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -940,6 +1016,7 @@ rule APT1_WEBC2_CLOVER ...@@ -940,6 +1016,7 @@ rule APT1_WEBC2_CLOVER
$msg5 = "insufficient lookahead" wide ascii $msg5 = "insufficient lookahead" wide ascii
$ua1 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT 5.1; SV1)" wide ascii $ua1 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT 5.1; SV1)" wide ascii
$ua2 = "Mozilla/5.0 (Windows; Windows NT 5.1; en-US; rv:1.8.0.12) Firefox/1.5.0.12" wide ascii $ua2 = "Mozilla/5.0 (Windows; Windows NT 5.1; en-US; rv:1.8.0.12) Firefox/1.5.0.12" wide ascii
condition: condition:
2 of ($msg*) and 1 of ($ua*) 2 of ($msg*) and 1 of ($ua*)
} }
...@@ -953,12 +1030,14 @@ rule APT1_WEBC2_BOLID ...@@ -953,12 +1030,14 @@ rule APT1_WEBC2_BOLID
strings: strings:
$vm = "VMProtect" wide ascii $vm = "VMProtect" wide ascii
$http = "http://[c2_location]/[page].html" wide ascii $http = "http://[c2_location]/[page].html" wide ascii
condition: condition:
all of them all of them
} }
rule APT1_WEBC2_ADSPACE rule APT1_WEBC2_ADSPACE
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -966,12 +1045,14 @@ rule APT1_WEBC2_ADSPACE ...@@ -966,12 +1045,14 @@ rule APT1_WEBC2_ADSPACE
strings: strings:
$1 = "<!---HEADER ADSPACE style=" wide ascii $1 = "<!---HEADER ADSPACE style=" wide ascii
$2 = "ERSVC.DLL" wide ascii $2 = "ERSVC.DLL" wide ascii
condition: condition:
all of them all of them
} }
rule APT1_WEBC2_AUSOV rule APT1_WEBC2_AUSOV
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -982,12 +1063,14 @@ rule APT1_WEBC2_AUSOV ...@@ -982,12 +1063,14 @@ rule APT1_WEBC2_AUSOV
$3 = "<!--DOCHTML" wide ascii $3 = "<!--DOCHTML" wide ascii
$4 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" wide ascii $4 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" wide ascii
$5 = "Ausov" wide ascii $5 = "Ausov" wide ascii
condition: condition:
4 of them 4 of them
} }
rule APT1_WARP rule APT1_WARP
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -998,12 +1081,14 @@ rule APT1_WARP ...@@ -998,12 +1081,14 @@ rule APT1_WARP
$err3 = "opened..." wide ascii $err3 = "opened..." wide ascii
$exe1 = "cmd.exe" wide ascii $exe1 = "cmd.exe" wide ascii
$exe2 = "ISUN32.EXE" wide ascii $exe2 = "ISUN32.EXE" wide ascii
condition: condition:
2 of ($err*) and all of ($exe*) 2 of ($err*) and all of ($exe*)
} }
rule APT1_TARSIP_ECLIPSE rule APT1_TARSIP_ECLIPSE
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -1013,12 +1098,14 @@ rule APT1_TARSIP_ECLIPSE ...@@ -1013,12 +1098,14 @@ rule APT1_TARSIP_ECLIPSE
$2 = "toobu.ini" wide ascii $2 = "toobu.ini" wide ascii
$3 = "Serverfile is not bigger than Clientfile" wide ascii $3 = "Serverfile is not bigger than Clientfile" wide ascii
$4 = "URL download success" wide ascii $4 = "URL download success" wide ascii
condition: condition:
3 of them 3 of them
} }
rule APT1_TARSIP_MOON rule APT1_TARSIP_MOON
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -1033,14 +1120,15 @@ rule APT1_TARSIP_MOON ...@@ -1033,14 +1120,15 @@ rule APT1_TARSIP_MOON
$msg4 = "Runas success!" wide ascii $msg4 = "Runas success!" wide ascii
$onec1 = "onec.php" wide ascii $onec1 = "onec.php" wide ascii
$onec2 = "/bin/onec" wide ascii $onec2 = "/bin/onec" wide ascii
condition: condition:
1 of ($s*) and 1 of ($msg*) and 1 of ($onec*) 1 of ($s*) and 1 of ($msg*) and 1 of ($onec*)
} }
// 20150909 - Issue #39 - Commented because of High FP rate
/* /*
rule APT1_payloads rule APT1_payloads
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -1080,6 +1168,7 @@ rule APT1_payloads ...@@ -1080,6 +1168,7 @@ rule APT1_payloads
$pay32 = "ISUN32.EXE" wide ascii $pay32 = "ISUN32.EXE" wide ascii
$pay33 = "AcroRD32.EXE" wide ascii $pay33 = "AcroRD32.EXE" wide ascii
$pay34 = "INETINFO.EXE" wide ascii $pay34 = "INETINFO.EXE" wide ascii
condition: condition:
1 of them 1 of them
} }
...@@ -1087,26 +1176,22 @@ rule APT1_payloads ...@@ -1087,26 +1176,22 @@ rule APT1_payloads
rule APT1_RARSilent_EXE_PDF rule APT1_RARSilent_EXE_PDF
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
strings: strings:
$winrar1 = "WINRAR.SFX" wide ascii $winrar1 = "WINRAR.SFX" wide ascii
/* $str2 = "Steup=" wide ascii
$winrar2 = ";The comment below contains SFX script commands" wide ascii
$winrar3 = "Silent=1" wide ascii
*/
/*$str1 = /Setup=[\s\w\"]+\.(exe|pdf|doc)/
*/
$str2 = "Steup=\"" wide ascii
condition: condition:
all of ($winrar*) and 1 of ($str*) all of them
} }
rule APT1_aspnetreport rule APT1_aspnetreport
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -1148,12 +1233,14 @@ rule APT1_aspnetreport ...@@ -1148,12 +1233,14 @@ rule APT1_aspnetreport
$pay32 = "ISUN32.EXE" wide ascii $pay32 = "ISUN32.EXE" wide ascii
$pay33 = "AcroRD32.EXE" wide ascii $pay33 = "AcroRD32.EXE" wide ascii
$pay34 = "INETINFO.EXE" wide ascii $pay34 = "INETINFO.EXE" wide ascii
condition: condition:
$url and $param and 1 of ($pay*) $url and $param and 1 of ($pay*)
} }
rule APT1_Revird_svc rule APT1_Revird_svc
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -1168,12 +1255,14 @@ rule APT1_Revird_svc ...@@ -1168,12 +1255,14 @@ rule APT1_Revird_svc
$svc3 = "RundllUninstallA" wide ascii $svc3 = "RundllUninstallA" wide ascii
$svc4 = "ServiceMain" wide ascii $svc4 = "ServiceMain" wide ascii
$svc5 = "UninstallService" wide ascii $svc5 = "UninstallService" wide ascii
condition: condition:
1 of ($dll*) and 2 of ($svc*) 1 of ($dll*) and 2 of ($svc*)
} }
rule APT1_dbg_mess rule APT1_dbg_mess
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
...@@ -1220,23 +1309,24 @@ rule APT1_dbg_mess ...@@ -1220,23 +1309,24 @@ rule APT1_dbg_mess
$pay32 = "ISUN32.EXE" wide ascii $pay32 = "ISUN32.EXE" wide ascii
$pay33 = "AcroRD32.EXE" wide ascii $pay33 = "AcroRD32.EXE" wide ascii
$pay34 = "INETINFO.EXE" wide ascii $pay34 = "INETINFO.EXE" wide ascii
condition: condition:
4 of ($dbg*) and 1 of ($pay*) 4 of ($dbg*) and 1 of ($pay*)
} }
rule APT1_known_malicious_RARSilent rule APT1_known_malicious_RARSilent
{ {
meta: meta:
author = "AlienVault Labs" author = "AlienVault Labs"
info = "CommentCrew-threat-apt1" info = "CommentCrew-threat-apt1"
strings: strings:
$str1 = "Analysis And Outlook.doc\"" wide ascii $str1 = "Analysis And Outlook.doc" wide ascii
$str2 = "North Korean launch.pdf\"" wide ascii $str2 = "North Korean launch.pdf" wide ascii
$str3 = "Dollar General.doc\"" wide ascii $str3 = "Dollar General.doc" wide ascii
$str4 = "Dow Corning Corp.pdf\"" wide ascii $str4 = "Dow Corning Corp.pdf" wide ascii
condition: condition:
1 of them and APT1_RARSilent_EXE_PDF 1 of them and APT1_RARSilent_EXE_PDF
} }
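Review bot: The APT1_RARSilent_EXE_PDF and APT1_known_malicious_RARSilent hunks change detection logic, not only indentation: `$str2` loses its closing quote (`"Steup=\""` becomes `"Steup="`), the four filename strings in APT1_known_malicious_RARSilent lose their trailing `\"` the same way, and the commented-out `$winrar2`/`$winrar3`/`$str1` alternatives are deleted outright. Dropping the quote anchor widens each of those matches, and APT1_known_malicious_RARSilent inherits the wider match because its condition references APT1_RARSilent_EXE_PDF, so both rules can fire on inputs they previously rejected even though the commit is described as "Rules indented correctly". The new `all of them` condition appears equivalent to the old `all of ($winrar*) and 1 of ($str*)` only because the other strings were removed, so a reader of this commit cannot tell which change was deliberate. I would keep the original literals in this commit (`$str2 = "Steup=\"" wide ascii`, `$str1 = "Analysis And Outlook.doc\"" wide ascii`, and so on) and make the loosening a separate, reviewed change, or at least record it in the rule's meta, e.g. `description = "Closing quote removed from SFX script strings; matches are broader than the original AlienVault rule"`. The remaining hunks in this file are whitespace-only and look fine.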