Skip to content

R
rules
Commit b047b622 by Marc Rivero López Committed by GitHub
Options

Update APT_HackingTeam.yar 

Fixed rule style
parent f1d9f781
Showing with 81 additions and 71 deletions
malware/APT_HackingTeam.yar
...@@ -2,98 +2,105 @@ ...@@ -2,98 +2,105 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/ */
rule bin_ndisk : disk HackingTeam { rule bin_ndisk
meta: {
description = "Hacking Team Disclosure Sample - file ndisk.sys"
author = "Florian Roth" meta:
reference = "https://www.virustotal.com/en/file/a03a6ed90b89945a992a8c69f716ec3c743fa1d958426f4c50378cca5bef0a01/analysis/1436184181/" description = "Hacking Team Disclosure Sample - file ndisk.sys"
date = "2015-07-07" author = "Florian Roth"
hash = "cf5089752ba51ae827971272a5b761a4ab0acd84" reference = "https://www.virustotal.com/en/file/a03a6ed90b89945a992a8c69f716ec3c743fa1d958426f4c50378cca5bef0a01/analysis/1436184181/"
strings: date = "2015-07-07"
$s1 = "\\Registry\\Machine\\System\\ControlSet00%d\\services\\ndisk.sys" fullword wide hash = "cf5089752ba51ae827971272a5b761a4ab0acd84"
$s2 = "\\Registry\\Machine\\System\\ControlSet00%d\\Enum\\Root\\LEGACY_NDISK.SYS" fullword wide
$s3 = "\\Driver\\DeepFrz" fullword wide strings:
$s4 = "Microsoft Kernel Disk Manager" fullword wide $s1 = "\\Registry\\Machine\\System\\ControlSet00%d\\services\\ndisk.sys" fullword wide
$s5 = "ndisk.sys" fullword wide $s2 = "\\Registry\\Machine\\System\\ControlSet00%d\\Enum\\Root\\LEGACY_NDISK.SYS" fullword wide
$s6 = "\\Device\\MSH4DEV1" fullword wide $s3 = "\\Driver\\DeepFrz" fullword wide
$s7 = "\\DosDevices\\MSH4DEV1" fullword wide $s4 = "Microsoft Kernel Disk Manager" fullword wide
$s8 = "built by: WinDDK" fullword wide $s5 = "ndisk.sys" fullword wide
condition: $s6 = "\\Device\\MSH4DEV1" fullword wide
uint16(0) == 0x5a4d and filesize < 30KB and 6 of them $s7 = "\\DosDevices\\MSH4DEV1" fullword wide
$s8 = "built by: WinDDK" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 30KB and 6 of them
} }
rule Hackingteam_Elevator_DLL : dll HackingTeam { rule Hackingteam_Elevator_DLL
meta: {
description = "Hacking Team Disclosure Sample - file elevator.dll"
author = "Florian Roth" meta:
reference = "http://t.co/EG0qtVcKLh" description = "Hacking Team Disclosure Sample - file elevator.dll"
date = "2015-07-07" author = "Florian Roth"
hash = "b7ec5d36ca702cc9690ac7279fd4fea28d8bd060" reference = "http://t.co/EG0qtVcKLh"
strings: date = "2015-07-07"
$s1 = "\\sysnative\\CI.dll" fullword ascii hash = "b7ec5d36ca702cc9690ac7279fd4fea28d8bd060"
$s2 = "setx TOR_CONTROL_PASSWORD" fullword ascii
$s3 = "mitmproxy0" fullword ascii strings:
$s4 = "\\insert_cert.exe" fullword ascii $s1 = "\\sysnative\\CI.dll" fullword ascii
$s5 = "elevator.dll" fullword ascii $s2 = "setx TOR_CONTROL_PASSWORD" fullword ascii
$s6 = "CRTDLL.DLL" fullword ascii $s3 = "mitmproxy0" fullword ascii
$s7 = "fail adding cert" fullword ascii $s4 = "\\insert_cert.exe" fullword ascii
$s8 = "DownloadingFile" fullword ascii $s5 = "elevator.dll" fullword ascii
$s9 = "fail adding cert: %s" fullword ascii $s6 = "CRTDLL.DLL" fullword ascii
$s10 = "InternetOpenA fail" fullword ascii $s7 = "fail adding cert" fullword ascii
condition: $s8 = "DownloadingFile" fullword ascii
uint16(0) == 0x5a4d and filesize < 1000KB and 6 of them $s9 = "fail adding cert: %s" fullword ascii
$s10 = "InternetOpenA fail" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and 6 of them
} }
rule HackingTeam_Elevator_EXE : HackingTeam { rule HackingTeam_Elevator_EXE
meta: {
description = "Hacking Team Disclosure Sample - file elevator.exe"
author = "Florian Roth" meta:
reference = "Hacking Team Disclosure elevator.c" description = "Hacking Team Disclosure Sample - file elevator.exe"
date = "2015-07-07" author = "Florian Roth"
hash1 = "40a10420b9d49f87527bc0396b19ec29e55e9109e80b52456891243791671c1c" reference = "Hacking Team Disclosure elevator.c"
hash2 = "92aec56a859679917dffa44bd4ffeb5a8b2ee2894c689abbbcbe07842ec56b8d" date = "2015-07-07"
hash = "9261693b67b6e379ad0e57598602712b8508998c0cb012ca23139212ae0009a1" hash1 = "40a10420b9d49f87527bc0396b19ec29e55e9109e80b52456891243791671c1c"
strings: hash2 = "92aec56a859679917dffa44bd4ffeb5a8b2ee2894c689abbbcbe07842ec56b8d"
$x1 = "CRTDLL.DLL" fullword ascii hash = "9261693b67b6e379ad0e57598602712b8508998c0cb012ca23139212ae0009a1"
$x2 = "\\sysnative\\CI.dll" fullword ascii
$x3 = "\\SystemRoot\\system32\\CI.dll" fullword ascii strings:
$x4 = "C:\\\\Windows\\\\Sysnative\\\\ntoskrnl.exe" fullword ascii /* PEStudio Blacklist: strings */ $x1 = "CRTDLL.DLL" fullword ascii
$x2 = "\\sysnative\\CI.dll" fullword ascii
$s1 = "[*] traversing processes" fullword ascii /* PEStudio Blacklist: strings */ $x3 = "\\SystemRoot\\system32\\CI.dll" fullword ascii
$s2 = "_getkprocess" fullword ascii /* PEStudio Blacklist: strings */ $x4 = "C:\\\\Windows\\\\Sysnative\\\\ntoskrnl.exe" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "[*] LoaderConfig %p" fullword ascii /* PEStudio Blacklist: strings */ $s1 = "[*] traversing processes" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "loader.obj" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "_getkprocess" fullword ascii /* PEStudio Blacklist: strings */
$s5 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3" ascii /* PEStudio Blacklist: strings */ $s3 = "[*] LoaderConfig %p" fullword ascii /* PEStudio Blacklist: strings */
$s6 = "[*] token restore" fullword ascii /* PEStudio Blacklist: strings */ $s4 = "loader.obj" fullword ascii /* PEStudio Blacklist: strings */
$s7 = "elevator.obj" fullword ascii $s5 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3" ascii /* PEStudio Blacklist: strings */
$s8 = "_getexport" fullword ascii /* PEStudio Blacklist: strings */ $s6 = "[*] token restore" fullword ascii /* PEStudio Blacklist: strings */
condition: $s7 = "elevator.obj" fullword ascii
uint16(0) == 0x5a4d and filesize < 3000KB and all of ($x*) and 3 of ($s*) $s8 = "_getexport" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 3000KB and all of ($x*) and 3 of ($s*)
} }
import "pe"
rule RCS_Backdoor rule RCS_Backdoor
{ {
meta: meta:
description = "Hacking Team RCS Backdoor" description = "Hacking Team RCS Backdoor"
author = "botherder https://github.com/botherder" author = "botherder https://github.com/botherder"
strings: strings:
$filter1 = "$debug3" $filter1 = "$debug3"
$filter2 = "$log2" $filter2 = "$log2"
$filter3 = "error2" $filter3 = "error2"
$debug1 = /\- (C)hecking components/ wide ascii $debug1 = /\- (C)hecking components/ wide ascii
$debug2 = /\- (A)ctivating hiding system/ wide ascii $debug2 = /\- (A)ctivating hiding system/ wide ascii
$debug3 = /(f)ully operational/ wide ascii $debug3 = /(f)ully operational/ wide ascii
$log1 = /\- Browser activity \(FF\)/ wide ascii $log1 = /\- Browser activity \(FF\)/ wide ascii
$log2 = /\- Browser activity \(IE\)/ wide ascii $log2 = /\- Browser activity \(IE\)/ wide ascii
// Cause false positives. // Cause false positives.
//$log3 = /\- About to call init routine at %p/ wide ascii //$log3 = /\- About to call init routine at %p/ wide ascii
//$log4 = /\- Calling init routine at %p/ wide ascii //$log4 = /\- Calling init routine at %p/ wide ascii
$error1 = /\[Unable to deploy\]/ wide ascii $error1 = /\[Unable to deploy\]/ wide ascii
$error2 = /\[The system is already monitored\]/ wide ascii $error2 = /\[The system is already monitored\]/ wide ascii
...@@ -103,9 +110,10 @@ rule RCS_Backdoor ...@@ -103,9 +110,10 @@ rule RCS_Backdoor
rule RCS_Scout rule RCS_Scout
{ {
meta: meta:
description = "Hacking Team RCS Scout" description = "Hacking Team RCS Scout"
author = "botherder https://github.com/botherder" author = "botherder https://github.com/botherder"
strings: strings:
$filter1 = "$engine5" $filter1 = "$engine5"
...@@ -132,8 +140,10 @@ rule RCS_Scout ...@@ -132,8 +140,10 @@ rule RCS_Scout
$lookma3 = /(P)lease insert a disk in drive A:/ wide $lookma3 = /(P)lease insert a disk in drive A:/ wide
$lookma4 = /(U)pdating CPU microcode/ wide $lookma4 = /(U)pdating CPU microcode/ wide
$lookma5 = /(N)ot sure what's happening/ wide $lookma5 = /(N)ot sure what's happening/ wide
$lookma6 = /(L)ook ma, no thread id\! \\\\o\// wide $lookma6 = /(L)ook ma, no thread id\! \\\\o\// wide
condition: condition:
(all of ($engine*) or all of ($start*) or all of ($upd*) or 4 of ($lookma*)) and not any of ($filter*) (all of ($engine*) or all of ($start*) or all of ($upd*) or 4 of ($lookma*)) and not any of ($filter*)
} }
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment