Commit 9a4841e3 by Marc Rivero López Committed by GitHub

Update APT_Stuxnet.yar

parent 674da3a3
...@@ -2,13 +2,17 @@ ...@@ -2,13 +2,17 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/ */
rule StuxNet_Malware_1 {
rule StuxNet_Malware_1
{
meta: meta:
description = "Stuxnet Sample - file malware.exe" description = "Stuxnet Sample - file malware.exe"
author = "Florian Roth" author = "Florian Roth"
reference = "Internal Research" reference = "Internal Research"
date = "2016-07-09" date = "2016-07-09"
hash1 = "9c891edb5da763398969b6aaa86a5d46971bd28a455b20c2067cb512c9f9a0f8" hash1 = "9c891edb5da763398969b6aaa86a5d46971bd28a455b20c2067cb512c9f9a0f8"
strings: strings:
// 0x10001778 8b 45 08 mov eax, dword ptr [ebp + 8] // 0x10001778 8b 45 08 mov eax, dword ptr [ebp + 8]
// 0x1000177b 35 dd 79 19 ae xor eax, 0xae1979dd // 0x1000177b 35 dd 79 19 ae xor eax, 0xae1979dd
...@@ -29,51 +33,66 @@ rule StuxNet_Malware_1 { ...@@ -29,51 +33,66 @@ rule StuxNet_Malware_1 {
// 0x100020d8 75 1b jne 0x100020f5 // 0x100020d8 75 1b jne 0x100020f5
// 0x100020da 81 78 08 04 cd ?? ?? cmp dword ptr [eax + 8], 0xc22ecd04 // 0x100020da 81 78 08 04 cd ?? ?? cmp dword ptr [eax + 8], 0xc22ecd04
$op3 = { 74 70 81 78 05 8d 54 24 04 75 1b 81 78 08 04 cd } $op3 = { 74 70 81 78 05 8d 54 24 04 75 1b 81 78 08 04 cd }
condition: condition:
all of them all of them
} }
rule Stuxnet_Malware_2 { rule Stuxnet_Malware_2
{
meta: meta:
description = "Stuxnet Sample - file 63e6b8136058d7a06dfff4034b4ab17a261cdf398e63868a601f77ddd1b32802" description = "Stuxnet Sample - file 63e6b8136058d7a06dfff4034b4ab17a261cdf398e63868a601f77ddd1b32802"
author = "Florian Roth" author = "Florian Roth"
reference = "Internal Research" reference = "Internal Research"
date = "2016-07-09" date = "2016-07-09"
hash1 = "63e6b8136058d7a06dfff4034b4ab17a261cdf398e63868a601f77ddd1b32802" hash1 = "63e6b8136058d7a06dfff4034b4ab17a261cdf398e63868a601f77ddd1b32802"
strings: strings:
$s1 = "\\SystemRoot\\System32\\hal.dll" fullword wide $s1 = "\\SystemRoot\\System32\\hal.dll" fullword wide
$s2 = "http://www.jmicron.co.tw0" fullword ascii $s2 = "http://www.jmicron.co.tw0" fullword ascii
condition: condition:
uint16(0) == 0x5a4d and filesize < 70KB and all of them uint16(0) == 0x5a4d and filesize < 70KB and all of them
} }
rule StuxNet_dll { rule StuxNet_dll
{
meta: meta:
description = "Stuxnet Sample - file dll.dll" description = "Stuxnet Sample - file dll.dll"
author = "Florian Roth" author = "Florian Roth"
reference = "Internal Research" reference = "Internal Research"
date = "2016-07-09" date = "2016-07-09"
hash1 = "9e392277f62206098cf794ddebafd2817483cfd57ec03c2e05e7c3c81e72f562" hash1 = "9e392277f62206098cf794ddebafd2817483cfd57ec03c2e05e7c3c81e72f562"
strings: strings:
$s1 = "SUCKM3 FROM EXPLORER.EXE MOTH4FUCKA #@!" fullword ascii $s1 = "SUCKM3 FROM EXPLORER.EXE MOTH4FUCKA #@!" fullword ascii
condition: condition:
uint16(0) == 0x5a4d and filesize < 100KB and $s1 uint16(0) == 0x5a4d and filesize < 100KB and $s1
} }
rule Stuxnet_Shortcut_to { rule Stuxnet_Shortcut_to
{
meta: meta:
description = "Stuxnet Sample - file Copy of Shortcut to.lnk" description = "Stuxnet Sample - file Copy of Shortcut to.lnk"
author = "Florian Roth" author = "Florian Roth"
reference = "Internal Research" reference = "Internal Research"
date = "2016-07-09" date = "2016-07-09"
hash1 = "801e3b6d84862163a735502f93b9663be53ccbdd7f12b0707336fecba3a829a2" hash1 = "801e3b6d84862163a735502f93b9663be53ccbdd7f12b0707336fecba3a829a2"
strings: strings:
$x1 = "\\\\.\\STORAGE#Volume#_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP#5B6B098B97BE&0#{53f56307-b6bf-11d0-94f2-00a0c" wide $x1 = "\\\\.\\STORAGE#Volume#_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP#5B6B098B97BE&0#{53f56307-b6bf-11d0-94f2-00a0c" wide
condition: condition:
uint16(0) == 0x004c and filesize < 10KB and $x1 uint16(0) == 0x004c and filesize < 10KB and $x1
} }
rule Stuxnet_Malware_3 { rule Stuxnet_Malware_3
{
meta: meta:
description = "Stuxnet Sample - file ~WTR4141.tmp" description = "Stuxnet Sample - file ~WTR4141.tmp"
author = "Florian Roth" author = "Florian Roth"
...@@ -81,20 +100,23 @@ rule Stuxnet_Malware_3 { ...@@ -81,20 +100,23 @@ rule Stuxnet_Malware_3 {
date = "2016-07-09" date = "2016-07-09"
hash1 = "6bcf88251c876ef00b2f32cf97456a3e306c2a263d487b0a50216c6e3cc07c6a" hash1 = "6bcf88251c876ef00b2f32cf97456a3e306c2a263d487b0a50216c6e3cc07c6a"
hash2 = "70f8789b03e38d07584f57581363afa848dd5c3a197f2483c6dfa4f3e7f78b9b" hash2 = "70f8789b03e38d07584f57581363afa848dd5c3a197f2483c6dfa4f3e7f78b9b"
strings: strings:
$x1 = "SHELL32.DLL.ASLR." fullword wide $x1 = "SHELL32.DLL.ASLR." fullword wide
$s1 = "~WTR4141.tmp" fullword wide $s1 = "~WTR4141.tmp" fullword wide
$s2 = "~WTR4132.tmp" fullword wide $s2 = "~WTR4132.tmp" fullword wide
$s3 = "totalcmd.exe" fullword wide $s3 = "totalcmd.exe" fullword wide
$s4 = "wincmd.exe" fullword wide $s4 = "wincmd.exe" fullword wide
$s5 = "http://www.realtek.com0" fullword ascii $s5 = "http://www.realtek.com0" fullword ascii
$s6 = "{%08x-%08x-%08x-%08x}" fullword wide $s6 = "{%08x-%08x-%08x-%08x}" fullword wide
condition: condition:
( uint16(0) == 0x5a4d and filesize < 150KB and ( $x1 or 3 of ($s*) ) ) or ( 5 of them ) ( uint16(0) == 0x5a4d and filesize < 150KB and ( $x1 or 3 of ($s*) ) ) or ( 5 of them )
} }
rule Stuxnet_Malware_4 { rule Stuxnet_Malware_4
{
meta: meta:
description = "Stuxnet Sample - file 0d8c2bcb575378f6a88d17b5f6ce70e794a264cdc8556c8e812f0b5f9c709198" description = "Stuxnet Sample - file 0d8c2bcb575378f6a88d17b5f6ce70e794a264cdc8556c8e812f0b5f9c709198"
author = "Florian Roth" author = "Florian Roth"
...@@ -102,21 +124,26 @@ rule Stuxnet_Malware_4 { ...@@ -102,21 +124,26 @@ rule Stuxnet_Malware_4 {
date = "2016-07-09" date = "2016-07-09"
hash1 = "0d8c2bcb575378f6a88d17b5f6ce70e794a264cdc8556c8e812f0b5f9c709198" hash1 = "0d8c2bcb575378f6a88d17b5f6ce70e794a264cdc8556c8e812f0b5f9c709198"
hash2 = "1635ec04f069ccc8331d01fdf31132a4bc8f6fd3830ac94739df95ee093c555c" hash2 = "1635ec04f069ccc8331d01fdf31132a4bc8f6fd3830ac94739df95ee093c555c"
strings: strings:
$x1 = "\\objfre_w2k_x86\\i386\\guava.pdb" ascii $x1 = "\\objfre_w2k_x86\\i386\\guava.pdb" ascii
$x2 = "MRxCls.sys" fullword wide $x2 = "MRxCls.sys" fullword wide
$x3 = "MRXNET.Sys" fullword wide $x3 = "MRXNET.Sys" fullword wide
condition: condition:
( uint16(0) == 0x5a4d and filesize < 80KB and 1 of them ) or ( all of them ) ( uint16(0) == 0x5a4d and filesize < 80KB and 1 of them ) or ( all of them )
} }
rule Stuxnet_maindll_decrypted_unpacked { rule Stuxnet_maindll_decrypted_unpacked
{
meta: meta:
description = "Stuxnet Sample - file maindll.decrypted.unpacked.dll_" description = "Stuxnet Sample - file maindll.decrypted.unpacked.dll_"
author = "Florian Roth" author = "Florian Roth"
reference = "Internal Research" reference = "Internal Research"
date = "2016-07-09" date = "2016-07-09"
hash1 = "4c3d7b38339d7b8adf73eaf85f0eb9fab4420585c6ab6950ebd360428af11712" hash1 = "4c3d7b38339d7b8adf73eaf85f0eb9fab4420585c6ab6950ebd360428af11712"
strings: strings:
$s1 = "%SystemRoot%\\system32\\Drivers\\mrxsmb.sys;%SystemRoot%\\system32\\Drivers\\*.sys" fullword wide $s1 = "%SystemRoot%\\system32\\Drivers\\mrxsmb.sys;%SystemRoot%\\system32\\Drivers\\*.sys" fullword wide
$s2 = "<Actions Context=\"%s\"><Exec><Command>%s</Command><Arguments>%s,#%u</Arguments></Exec></Actions>" fullword wide $s2 = "<Actions Context=\"%s\"><Exec><Command>%s</Command><Arguments>%s,#%u</Arguments></Exec></Actions>" fullword wide
...@@ -126,17 +153,21 @@ rule Stuxnet_maindll_decrypted_unpacked { ...@@ -126,17 +153,21 @@ rule Stuxnet_maindll_decrypted_unpacked {
$s6 = "@abf varbinary(4096) EXEC @hr = sp_OACreate 'ADODB.Stream', @aods OUT IF @hr <> 0 GOTO endq EXEC @hr = sp_OASetProperty @" wide $s6 = "@abf varbinary(4096) EXEC @hr = sp_OACreate 'ADODB.Stream', @aods OUT IF @hr <> 0 GOTO endq EXEC @hr = sp_OASetProperty @" wide
$s7 = "STORAGE#Volume#1&19f7e59c&0&" fullword wide $s7 = "STORAGE#Volume#1&19f7e59c&0&" fullword wide
$s8 = "view MCPVREADVARPERCON as select VARIABLEID,VARIABLETYPEID,FORMATFITTING,SCALEID,VARIABLENAME,ADDRESSPARAMETER,PROTOKOLL,MAXLIMI" ascii $s8 = "view MCPVREADVARPERCON as select VARIABLEID,VARIABLETYPEID,FORMATFITTING,SCALEID,VARIABLENAME,ADDRESSPARAMETER,PROTOKOLL,MAXLIMI" ascii
condition: condition:
6 of them 6 of them
} }
rule Stuxnet_s7hkimdb { rule Stuxnet_s7hkimdb
{
meta: meta:
description = "Stuxnet Sample - file s7hkimdb.dll" description = "Stuxnet Sample - file s7hkimdb.dll"
author = "Florian Roth" author = "Florian Roth"
reference = "Internal Research" reference = "Internal Research"
date = "2016-07-09" date = "2016-07-09"
hash1 = "4071ec265a44d1f0d42ff92b2fa0b30aafa7f6bb2160ed1d0d5372d70ac654bd" hash1 = "4071ec265a44d1f0d42ff92b2fa0b30aafa7f6bb2160ed1d0d5372d70ac654bd"
strings: strings:
$x1 = "S7HKIMDX.DLL" fullword wide $x1 = "S7HKIMDX.DLL" fullword wide
...@@ -165,3 +196,4 @@ rule Stuxnet_s7hkimdb { ...@@ -165,3 +196,4 @@ rule Stuxnet_s7hkimdb {
condition: condition:
( uint16(0) == 0x5a4d and filesize < 40KB and $x1 and all of ($op*) ) ( uint16(0) == 0x5a4d and filesize < 40KB and $x1 and all of ($op*) )
} }