Update APT_ThreatGroup3390.yar

c47b4d51 · Marc Rivero López · GitHub · 0b49008c · c47b4d51
Commit c47b4d51 authored Jan 23, 2017 by Marc Rivero López Committed by GitHub Jan 23, 2017
Show whitespace changes
Inline Side-by-side

Showing with 41 additions and 10 deletions

APT_ThreatGroup3390.yar malware/APT_ThreatGroup3390.yar +41 -10

No files found.
--- a/malware/APT_ThreatGroup3390.yar
+++ b/malware/APT_ThreatGroup3390.yar
@@ -9,7 +9,9 @@
 	Identifier: Threat Group 3390
 */

-rule HttpBrowser_RAT_dropper_Gen1 : RAT Dropper APT {
+rule HttpBrowser_RAT_dropper_Gen1 
+{
+
    meta:
        description = "Threat Group 3390 APT Sample - HttpBrowser RAT Dropper"
        author = "Florian Roth"
@@ -23,6 +25,7 @@ rule HttpBrowser_RAT_dropper_Gen1 : RAT Dropper APT {
        hash5 = "8cd8159f6e4689f572e2087394452e80e62297af02ca55fe221fe5d7570ad47b"
        hash6 = "10de38419c9a02b80ab7bf2f1f1f15f57dbb0fbc9df14b9171dc93879c5a0c53"
        hash7 = "c2fa67e970d00279cec341f71577953d49e10fe497dae4f298c2e9abdd3a48cc"
+  
    strings:
        $x1 = "1001=cmd.exe" fullword ascii 
        $x2 = "1003=ShellExecuteA" fullword ascii 
@@ -45,11 +48,14 @@ rule HttpBrowser_RAT_dropper_Gen1 : RAT Dropper APT {
        $op3 = { 8b 45 0c 83 38 00 0f 84 98 } /* Opcode */
        $op4 = { 89 7e 0c ff 15 a0 50 40 00 59 8b d8 6a 20 59 8d } /* Opcode */
        $op5 = { 56 8d 85 cd fc ff ff 53 50 88 9d cc fc ff ff e8 } /* Opcode */
+    
    condition:
        uint16(0) == 0x5a4d and filesize < 400KB and all of ($x*) and 1 of ($op*)
 }

-rule HttpBrowser_RAT_Sample1  : RAT APT  {
+rule HttpBrowser_RAT_Sample1 
+{
+
    meta:
        description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample update.hancominc.com"
        author = "Florian Roth"
@@ -58,13 +64,17 @@ rule HttpBrowser_RAT_Sample1  : RAT APT  {
        score = 80
        hash1 = "be334d1f8fa65a723af65200a166c2bbdb06690c8b30fafe772600e4662fc68b"
        hash2 = "1052ad7f4d49542e4da07fa8ea59c15c40bc09a4d726fad023daafdf05866ebb"
+   
    strings:
        $s0 = "update.hancominc.com" fullword wide 
+   
    condition:
        uint16(0) == 0x5a4d and filesize < 100KB and $s0
 }

-rule HttpBrowser_RAT_Sample2  : RAT APT {
+rule HttpBrowser_RAT_Sample2  
+{
+
    meta:
        description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample"
        author = "Florian Roth"
@@ -72,16 +82,20 @@ rule HttpBrowser_RAT_Sample2  : RAT APT {
        date = "2015-08-06"
        score = 80
        hash1 = "c57c5a2c322af2835ae136b75283eaaeeaa6aa911340470182a9983ae47b8992"
+   
    strings:
        $s0 = "nKERNEL32.DLL" fullword wide
        $s1 = "WUSER32.DLL" fullword wide
        $s2 = "mscoree.dll" fullword wide
        $s3 = "VPDN_LU.exeUT" fullword ascii
+   
    condition:
        uint16(0) == 0x5a4d and filesize < 250KB and all of them
 }

-rule HttpBrowser_RAT_Gen : RAT APT  {
+rule HttpBrowser_RAT_Gen 
+{
+
    meta:
        description = "Threat Group 3390 APT Sample - HttpBrowser RAT Generic"
        author = "Florian Roth"
@@ -110,16 +124,20 @@ rule HttpBrowser_RAT_Gen : RAT APT  {
        hash20 = "36c49f18ce3c205152eef82887eb3070e9b111d35a42b534b2fb2ee535b543c0"
        hash21 = "3eeb1fd1f0d8ab33f34183893c7346ddbbf3c19b94ba3602d377fa2e84aaad81"
        hash22 = "3fa8d13b337671323e7fe8b882763ec29b6786c528fa37da773d95a057a69d9a"
+  
    strings:
        $s0 = "%d|%s|%04d/%02d/%02d %02d:%02d:%02d|%ld|%d" fullword wide 
        $s1 = "HttpBrowser/1.0" fullword wide
        $s2 = "set cmd : %s" ascii fullword
        $s3 = "\\config.ini" wide fullword
+  
    condition:
        uint16(0) == 0x5a4d and filesize < 45KB and filesize > 20KB and all of them
 }

-rule PlugX_NvSmartMax_Gen : PlugX APT {
+rule PlugX_NvSmartMax_Gen 
+{
+
    meta:
        description = "Threat Group 3390 APT Sample - PlugX NvSmartMax Generic"
        author = "Florian Roth"
@@ -131,6 +149,7 @@ rule PlugX_NvSmartMax_Gen : PlugX APT {
        hash3 = "555952aa5bcca4fa5ad5a7269fece99b1a04816d104ecd8aefabaa1435f65fa5"
        hash4 = "71f7a9da99b5e3c9520bc2cc73e520598d469be6539b3c243fb435fe02e44338"
        hash5 = "65bbf0bd8c6e1ccdb60cf646d7084e1452cb111d97d21d6e8117b1944f3dc71e"
+    
    strings:
        $s0 = "NvSmartMax.dll" fullword ascii
        $s1 = "NvSmartMax.dll.url" fullword ascii
@@ -139,15 +158,17 @@ rule PlugX_NvSmartMax_Gen : PlugX APT {
        $s5 = "CryptUnprotectMemory failed" fullword ascii 
        $s7 = "r%.*s(%d)%s" fullword wide
        $s8 = " %s CRC " fullword wide
-
        $op0 = { c6 05 26 49 42 00 01 eb 4a 8d 85 00 f8 ff ff 50 } /* Opcode */
        $op1 = { 8d 85 c8 fe ff ff 50 8d 45 c8 50 c6 45 47 00 e8 } /* Opcode */
        $op2 = { e8 e6 65 00 00 50 68 10 43 41 00 e8 56 84 00 00 } /* Opcode */
+ 
    condition:
        uint16(0) == 0x5a4d and filesize < 800KB and all of ($s*) and 1 of ($op*)
 }

-rule HttpBrowser_RAT_dropper_Gen2 : Dropper RAT {
+rule HttpBrowser_RAT_dropper_Gen2 
+{
+
    meta:
        description = "Threat Group 3390 APT Sample - HttpBrowser RAT Dropper"
        author = "Florian Roth"
@@ -156,6 +177,7 @@ rule HttpBrowser_RAT_dropper_Gen2 : Dropper RAT {
        score = 70
        hash1 = "c57c5a2c322af2835ae136b75283eaaeeaa6aa911340470182a9983ae47b8992"
        hash2 = "dfa984174268a9f364d856fd47cfaca75804640f849624d69d81fcaca2b57166"
+   
    strings:
        $s1 = "navlu.dll.urlUT" fullword ascii
        $s2 = "VPDN_LU.exeUT" fullword ascii
@@ -164,40 +186,47 @@ rule HttpBrowser_RAT_dropper_Gen2 : Dropper RAT {
        $s5 = "/c del /q %s" fullword ascii
        $s6 = "\\setup.exe" fullword ascii 
        $s7 = "msi.dllUT" fullword ascii
-
        $op0 = { 8b 45 0c 83 38 00 0f 84 98 } /* Opcode */
        $op1 = { e8 dd 07 00 00 ff 35 d8 fb 40 00 8b 35 7c a0 40 } /* Opcode */
        $op2 = { 83 fb 08 75 2c 8b 0d f8 af 40 00 89 4d dc 8b 0d } /* Opcode */
        $op3 = { c7 43 18 8c 69 40 00 e9 da 01 00 00 83 7d f0 00 } /* Opcode */
        $op4 = { 6a 01 e9 7c f8 ff ff bf 1a 40 00 96 1b 40 00 01 } /* Opcode */
+
    condition:
        uint16(0) == 0x5a4d and filesize < 400KB and 3 of ($s*) and 1 of ($op*)
 }

-rule ThreatGroup3390_Strings : APT {
+rule ThreatGroup3390_Strings 
+{
+
    meta:
        description = "Threat Group 3390 APT - Strings"
        author = "Florian Roth"
        reference = "http://snip.ly/giNB"
        date = "2015-08-06"
        score = 60
+ 
    strings:
        $s1 = "\"cmd\" /c cd /d \"c:\\Windows\\Temp\\\"&copy" ascii
        $s2 = "svchost.exe a -k -r -s -m5 -v1024000 -padmin-windows2014"
        $s3 = "ren *.rar *.zip" fullword ascii
        $s4 = "c:\\temp\\ipcan.exe" fullword ascii
        $s5 = "<%eval(Request.Item(\"admin-na-google123!@#" ascii
+ 
    condition:
        1 of them and filesize < 30KB
 }

-rule ThreatGroup3390_C2 : C2 APT {
+rule ThreatGroup3390_C2
+{
+
    meta:
        description = "Threat Group 3390 APT - C2 Server"
        author = "Florian Roth"
        reference = "http://snip.ly/giNB"
        date = "2015-08-06"
        score = 60
+
    strings:
        $s1 = "api.apigmail.com"
        $s2 = "apigmail.com"
@@ -306,6 +335,8 @@ rule ThreatGroup3390_C2 : C2 APT {
        $s105 = "ykcaihyl@163.com"
        $s106 = "working_success@163.com"
        $s107 = "yuming@yinsibaohu.aliyun.com"
+   
    condition:
        uint16(0) == 0x5a4d and 1 of them
 }
+