Merge pull request #5 from nyx0/patch-1

Add Hellsing APT rules

Merge pull request #5 from nyx0/patch-1
Add Hellsing APT rules
9bd50ef3 · Yara Rules · b9655dd7 · 3cbea038 · 9bd50ef3
Commit 9bd50ef3 authored Apr 15, 2015 by Yara Rules
Show whitespace changes
Inline Side-by-side

Showing with 152 additions and 0 deletions

malware.yar malware.yar +152 -0

No files found.
--- a/malware.yar
+++ b/malware.yar
@@ -19551,3 +19551,155 @@ rule LinuxTsunami
    condition:
        $a or $b or $c
 }
+
+rule apt_hellsing_implantstrings : PE
+{ 
+	meta:
+		Author		= "Costin Raiu, Kaspersky Lab"
+		Date		= "2015-04-07"
+		Description	= "detection for Hellsing implants"
+		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
+
+	strings: 
+		$mz="MZ"
+
+		$a1="the file uploaded failed !" 
+		$a2="ping 127.0.0.1"
+		
+		$b1="the file downloaded failed !" 
+		$b2="common.asp"
+		
+		$c="xweber_server.exe" 
+		$d="action="
+
+		$debugpath1="d:\\Hellsing\\release\\msger\\" nocase 
+		$debugpath2="d:\\hellsing\\sys\\xrat\\" nocase 
+		$debugpath3="D:\\Hellsing\\release\\exe\\" nocase 
+		$debugpath4="d:\\hellsing\\sys\\xkat\\" nocase 
+		$debugpath5="e:\\Hellsing\\release\\clare" nocase 
+		$debugpath6="e:\\Hellsing\\release\\irene\\" nocase 
+		$debugpath7="d:\\hellsing\\sys\\irene\\" nocase
+
+		$e="msger_server.dll"
+		$f="ServiceMain"
+
+	condition:
+		($mz at 0) and (all of ($a*)) or (all of ($b*)) or ($c and $d) or (any of ($debugpath*)) or ($e and $f) and filesize < 500000
+}
+
+rule apt_hellsing_installer : PE
+{
+	meta:
+		Author		= "Costin Raiu, Kaspersky Lab"
+		Date		= "2015-04-07"
+		Description	= "detection for Hellsing xweber/msger installers"
+		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back" 
+
+	strings: 
+		$mz="MZ"
+		
+		$cmd="cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \"%s\""
+		
+		$a1="xweber_install_uac.exe"
+		$a2="system32\\cmd.exe" wide
+		$a4="S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y=" 
+		$a5="S11SWFOrVwR9dnFTUgRUVlNHWVdXBFpTVgRdUlpWRVZZWARdUqhZVlpFR1kEUVNSXahTVgRaU1YEUVNSXahTVl1SWwRZValdVFFZUqgQBF1SWlZFVllYBFRTVqg=" $a6="7dqm2ODf5N/Y2N/m6+br3dnZpunl44g="
+		$a7="vd/m7OXd2ai/5u7a59rr7Ki45drcqMPl5t/c5dqIZw==" 
+		$a8="vd/m7OXd2ai/usPl5qjY2uXp69nZqO7l2qjf5u7a59rr7Kjf5tzr2u7n6euo4+Xm39zl2qju5dqo4+Xm39zl2t/m7ajr19vf2OPr39rj5eaZmqbs5OSI Njl2tyI" $a9="C:\\Windows\\System32\\sysprep\\sysprep.exe" wide 
+		$a10="%SystemRoot%\\system32\\cmd.exe" wide 
+		$a11="msger_install.dll"
+		$a12={00 65 78 2E 64 6C 6C 00}
+
+	condition:
+		($mz at 0) and ($cmd and (2 of ($a*))) and filesize < 500000
+}
+
+rule apt_hellsing_proxytool : PE
+{
+	meta:
+		Author		= "Costin Raiu, Kaspersky Lab"
+		Date		= "2015-04-07"
+		Description	= "detection for Hellsing proxy testing tool"
+		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back" 
+
+	strings: 
+		$mz="MZ"
+		$a1="PROXY_INFO: automatic proxy url => %s " 
+		$a2="PROXY_INFO: connection type => %d " 
+		$a3="PROXY_INFO: proxy server => %s " 
+		$a4="PROXY_INFO: bypass list => %s " 
+		$a5="InternetQueryOption failed with GetLastError() %d" 
+		$a6="D:\\Hellsing\\release\\exe\\exe\\" nocase
+
+	condition:
+		($mz at 0) and (2 of ($a*)) and filesize < 300000
+}
+
+rule apt_hellsing_xkat : PE
+{
+	meta:
+		Author		= "Costin Raiu, Kaspersky Lab"
+		Date		= "2015-04-07"
+		Description	= "detection for Hellsing xKat tool"
+		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
+
+	strings:
+		$mz="MZ"
+		$a1="\\Dbgv.sys"
+		$a2="XKAT_BIN"
+		$a3="release sys file error."
+		$a4="driver_load error. "
+		$a5="driver_create error."
+		$a6="delete file:%s error."
+		$a7="delete file:%s ok."
+		$a8="kill pid:%d error."
+		$a9="kill pid:%d ok."
+		$a10="-pid-delete"
+		$a11="kill and delete pid:%d error."
+		$a12="kill and delete pid:%d ok."
+
+	condition:
+		($mz at 0) and (6 of ($a*)) and filesize < 300000
+}
+
+rule apt_hellsing_msgertype2 : PE
+{
+	meta:
+		Author		= "Costin Raiu, Kaspersky Lab"
+		Date		= "2015-04-07"
+		Description	= "detection for Hellsing msger type 2 implants"
+		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
+
+	strings:
+		$mz="MZ"
+		$a1="%s\\system\\%d.txt"
+		$a2="_msger"
+		$a3="http://%s/lib/common.asp?action=user_login&uid=%s&lan=%s&host=%s&os=%s&proxy=%s"
+		$a4="http://%s/data/%s.1000001000"
+		$a5="/lib/common.asp?action=user_upload&file="
+		$a6="%02X-%02X-%02X-%02X-%02X-%02X"
+	
+	condition:
+		($mz at 0) and (4 of ($a*)) and filesize < 500000
+}
+
+rule apt_hellsing_irene : PE
+{
+	meta:
+		Author		= "Costin Raiu, Kaspersky Lab"
+		Date		= "2015-04-07"
+		Description	= "detection for Hellsing msger irene installer"
+		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
+
+	strings: 
+		$mz="MZ"
+		$a1="\\Drivers\\usbmgr.tmp" wide
+		$a2="\\Drivers\\usbmgr.sys" wide
+		$a3="common_loadDriver CreateFile error! " 
+		$a4="common_loadDriver StartService error && GetLastError():%d! " 
+		$a5="irene" wide
+		$a6="aPLib v0.43 - the smaller the better" 
+
+	condition:
+		($mz at 0) and (4 of ($a*)) and filesize < 500000
+}