Commit b246887b by Marc Rivero López Committed by GitHub

Update APT_UP007_SLServer.yar

parent ff29528e
...@@ -5,6 +5,7 @@ ...@@ -5,6 +5,7 @@
rule dubseven_file_set rule dubseven_file_set
{ {
meta: meta:
author = "Matt Brooks, @cmatthewbrooks" author = "Matt Brooks, @cmatthewbrooks"
desc = "Searches for service files loading UP007" desc = "Searches for service files loading UP007"
...@@ -20,18 +21,14 @@ rule dubseven_file_set ...@@ -20,18 +21,14 @@ rule dubseven_file_set
$file8 = "\\Microsoft\\Internet Explorer\\runas.exe" $file8 = "\\Microsoft\\Internet Explorer\\runas.exe"
condition: condition:
//MZ header //MZ header //PE signature //Just a few of these as they differ
uint16(0) == 0x5A4D and
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
//Just a few of these as they differ uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 3 of ($file*)
3 of ($file*)
} }
rule dubseven_dropper_registry_checks : Dropper rule dubseven_dropper_registry_checks
{ {
meta: meta:
author = "Matt Brooks, @cmatthewbrooks" author = "Matt Brooks, @cmatthewbrooks"
desc = "Searches for registry keys checked for by the dropper" desc = "Searches for registry keys checked for by the dropper"
...@@ -46,17 +43,13 @@ rule dubseven_dropper_registry_checks : Dropper ...@@ -46,17 +43,13 @@ rule dubseven_dropper_registry_checks : Dropper
$reg7 = "SOFTWARE\\Micropoint\\Anti-Attack" $reg7 = "SOFTWARE\\Micropoint\\Anti-Attack"
condition: condition:
//MZ header //MZ header //PE signature
uint16(0) == 0x5A4D and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of ($reg*)
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
all of ($reg*)
} }
rule dubseven_dropper_dialog_remains : Dropper rule dubseven_dropper_dialog_remains
{ {
meta: meta:
author = "Matt Brooks, @cmatthewbrooks" author = "Matt Brooks, @cmatthewbrooks"
desc = "Searches for related dialog remnants. How rude." desc = "Searches for related dialog remnants. How rude."
...@@ -66,18 +59,13 @@ rule dubseven_dropper_dialog_remains : Dropper ...@@ -66,18 +59,13 @@ rule dubseven_dropper_dialog_remains : Dropper
$dia2 = "Rundll 1.0" wide $dia2 = "Rundll 1.0" wide
condition: condition:
//MZ header //MZ header //PE signature
uint16(0) == 0x5A4D and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and any of them
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
any of them
} }
rule maindll_mutex
rule maindll_mutex : Mutex
{ {
meta: meta:
author = "Matt Brooks, @cmatthewbrooks" author = "Matt Brooks, @cmatthewbrooks"
desc = "Matches on the maindll mutex" desc = "Matches on the maindll mutex"
...@@ -87,18 +75,13 @@ rule maindll_mutex : Mutex ...@@ -87,18 +75,13 @@ rule maindll_mutex : Mutex
$mutex = "h31415927tttt" $mutex = "h31415927tttt"
condition: condition:
//MZ header //MZ header //PE signature
uint16(0) == 0x5A4D and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $mutex
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
$mutex
} }
rule SLServer_dialog_remains rule SLServer_dialog_remains
{ {
meta: meta:
author = "Matt Brooks, @cmatthewbrooks" author = "Matt Brooks, @cmatthewbrooks"
desc = "Searches for related dialog remnants." desc = "Searches for related dialog remnants."
...@@ -108,17 +91,13 @@ rule SLServer_dialog_remains ...@@ -108,17 +91,13 @@ rule SLServer_dialog_remains
$slserver = "SLServer" wide $slserver = "SLServer" wide
condition: condition:
//MZ header //MZ header //PE signature
uint16(0) == 0x5A4D and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $slserver
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
$slserver
} }
rule SLServer_mutex : Mutex rule SLServer_mutex
{ {
meta: meta:
author = "Matt Brooks, @cmatthewbrooks" author = "Matt Brooks, @cmatthewbrooks"
desc = "Searches for the mutex." desc = "Searches for the mutex."
...@@ -128,17 +107,13 @@ rule SLServer_mutex : Mutex ...@@ -128,17 +107,13 @@ rule SLServer_mutex : Mutex
$mutex = "M&GX^DSF&DA@F" $mutex = "M&GX^DSF&DA@F"
condition: condition:
//MZ header //MZ header //PE signature
uint16(0) == 0x5A4D and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $mutex
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
$mutex
} }
rule SLServer_command_and_control : C2 rule SLServer_command_and_control
{ {
meta: meta:
author = "Matt Brooks, @cmatthewbrooks" author = "Matt Brooks, @cmatthewbrooks"
desc = "Searches for the C2 server." desc = "Searches for the C2 server."
...@@ -148,13 +123,8 @@ rule SLServer_command_and_control : C2 ...@@ -148,13 +123,8 @@ rule SLServer_command_and_control : C2
$c2 = "safetyssl.security-centers.com" $c2 = "safetyssl.security-centers.com"
condition: condition:
//MZ header //MZ header //PE signature
uint16(0) == 0x5A4D and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $c2
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
$c2
} }
rule SLServer_campaign_code rule SLServer_campaign_code
...@@ -168,13 +138,8 @@ rule SLServer_campaign_code ...@@ -168,13 +138,8 @@ rule SLServer_campaign_code
$campaign = "wthkdoc0106" $campaign = "wthkdoc0106"
condition: condition:
//MZ header //MZ header //PE signature
uint16(0) == 0x5A4D and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $campaign
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
$campaign
} }
rule SLServer_unknown_string rule SLServer_unknown_string
...@@ -188,12 +153,8 @@ rule SLServer_unknown_string ...@@ -188,12 +153,8 @@ rule SLServer_unknown_string
$string = "test-b7fa835a39" $string = "test-b7fa835a39"
condition: condition:
//MZ header //MZ header //PE signature
uint16(0) == 0x5A4D and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $string
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
$string
} }
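Review bot: The collapsed comment line `//MZ header //PE signature //Just a few of these as they differ` (and its shorter `//MZ header //PE signature` variants in the other rules) now fuses what were three separate explanations into one run-on line above the condition, so a reader can no longer tell which clause each remark describes; replace it with one comment that reads as a sentence, e.g. `// Require a PE (MZ stub + PE signature) and at least 3 of the service-file paths, since the set varies per sample`. The same MZ/PE prefix is also repeated verbatim in all nine conditions; YARA lets it be factored into a private rule and referenced by name, which leaves each condition showing only the part that actually differs (sketched below). Rule names are global across a compiled ruleset, so the private rule's name should be checked against the rest of the corpus before it is added. Each rule's meta and strings sections begin outside the hunks, so only the condition lines could be reviewed here.
```yara
// Shared PE header check; private so it never matches on its own
private rule UP007_is_pe
{
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
}

rule dubseven_file_set
{
    // … unchanged: meta and strings …
    condition:
        // A PE carrying at least 3 of the service-file paths; the exact set varies per sample
        UP007_is_pe and 3 of ($file*)
}
// … unchanged: the remaining eight rules take the same `UP007_is_pe and …` form …
```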