MenuPass Uppercut rule added

7f36e9ff · Colin Cowie · 8f91f125 · 7f36e9ff
Commit 7f36e9ff authored Sep 17, 2018 by Colin Cowie
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 0 deletions

APT_Uppercut.yar malware/APT_Uppercut.yar +24 -0

No files found.
--- a/malware/APT_Uppercut.yar
+++ b/malware/APT_Uppercut.yar
+import "hash"
+
+rule APT_Uppercut {
+  meta:
+     description = "Detects APT10 MenuPass Uppercut"
+     author = "Colin Cowie"
+     reference = "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html"
+     date = "2018-09-13"
+  strings:
+     $ip1 = "51.106.53.147"
+     $ip2 = "153.92.210.208"
+     $ip3 = "eservake.jetos.com"
+     $c1 = "0x97A168D9697D40DD" wide
+     $c2 = "0x7CF812296CCC68D5" wide
+     $c3 = "0x652CB1CEFF1C0A00" wide
+     $c4 = "0x27595F1F74B55278" wide
+     $c5 = "0xD290626C85FB1CE3" wide
+     $c6 = "0x409C7A89CFF0A727" wide
+  condition:
+     any of them or
+     hash.md5(0, filesize) == "aa3f303c3319b14b4829fe2faa5999c1" or
+     hash.md5(0, filesize) == "126067d634d94c45084cbe1d9873d895" or
+     hash.md5(0, filesize) == "fce54b4886cac5c61eda1e7605483ca3"
+}