Commit c47b4d51 by Marc Rivero López Committed by GitHub

Update APT_ThreatGroup3390.yar

parent 0b49008c
...@@ -9,7 +9,9 @@ ...@@ -9,7 +9,9 @@
Identifier: Threat Group 3390 Identifier: Threat Group 3390
*/ */
rule HttpBrowser_RAT_dropper_Gen1 : RAT Dropper APT { rule HttpBrowser_RAT_dropper_Gen1
{
meta: meta:
description = "Threat Group 3390 APT Sample - HttpBrowser RAT Dropper" description = "Threat Group 3390 APT Sample - HttpBrowser RAT Dropper"
author = "Florian Roth" author = "Florian Roth"
...@@ -23,6 +25,7 @@ rule HttpBrowser_RAT_dropper_Gen1 : RAT Dropper APT { ...@@ -23,6 +25,7 @@ rule HttpBrowser_RAT_dropper_Gen1 : RAT Dropper APT {
hash5 = "8cd8159f6e4689f572e2087394452e80e62297af02ca55fe221fe5d7570ad47b" hash5 = "8cd8159f6e4689f572e2087394452e80e62297af02ca55fe221fe5d7570ad47b"
hash6 = "10de38419c9a02b80ab7bf2f1f1f15f57dbb0fbc9df14b9171dc93879c5a0c53" hash6 = "10de38419c9a02b80ab7bf2f1f1f15f57dbb0fbc9df14b9171dc93879c5a0c53"
hash7 = "c2fa67e970d00279cec341f71577953d49e10fe497dae4f298c2e9abdd3a48cc" hash7 = "c2fa67e970d00279cec341f71577953d49e10fe497dae4f298c2e9abdd3a48cc"
strings: strings:
$x1 = "1001=cmd.exe" fullword ascii $x1 = "1001=cmd.exe" fullword ascii
$x2 = "1003=ShellExecuteA" fullword ascii $x2 = "1003=ShellExecuteA" fullword ascii
...@@ -45,11 +48,14 @@ rule HttpBrowser_RAT_dropper_Gen1 : RAT Dropper APT { ...@@ -45,11 +48,14 @@ rule HttpBrowser_RAT_dropper_Gen1 : RAT Dropper APT {
$op3 = { 8b 45 0c 83 38 00 0f 84 98 } /* Opcode */ $op3 = { 8b 45 0c 83 38 00 0f 84 98 } /* Opcode */
$op4 = { 89 7e 0c ff 15 a0 50 40 00 59 8b d8 6a 20 59 8d } /* Opcode */ $op4 = { 89 7e 0c ff 15 a0 50 40 00 59 8b d8 6a 20 59 8d } /* Opcode */
$op5 = { 56 8d 85 cd fc ff ff 53 50 88 9d cc fc ff ff e8 } /* Opcode */ $op5 = { 56 8d 85 cd fc ff ff 53 50 88 9d cc fc ff ff e8 } /* Opcode */
condition: condition:
uint16(0) == 0x5a4d and filesize < 400KB and all of ($x*) and 1 of ($op*) uint16(0) == 0x5a4d and filesize < 400KB and all of ($x*) and 1 of ($op*)
} }
rule HttpBrowser_RAT_Sample1 : RAT APT { rule HttpBrowser_RAT_Sample1
{
meta: meta:
description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample update.hancominc.com" description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample update.hancominc.com"
author = "Florian Roth" author = "Florian Roth"
...@@ -58,13 +64,17 @@ rule HttpBrowser_RAT_Sample1 : RAT APT { ...@@ -58,13 +64,17 @@ rule HttpBrowser_RAT_Sample1 : RAT APT {
score = 80 score = 80
hash1 = "be334d1f8fa65a723af65200a166c2bbdb06690c8b30fafe772600e4662fc68b" hash1 = "be334d1f8fa65a723af65200a166c2bbdb06690c8b30fafe772600e4662fc68b"
hash2 = "1052ad7f4d49542e4da07fa8ea59c15c40bc09a4d726fad023daafdf05866ebb" hash2 = "1052ad7f4d49542e4da07fa8ea59c15c40bc09a4d726fad023daafdf05866ebb"
strings: strings:
$s0 = "update.hancominc.com" fullword wide $s0 = "update.hancominc.com" fullword wide
condition: condition:
uint16(0) == 0x5a4d and filesize < 100KB and $s0 uint16(0) == 0x5a4d and filesize < 100KB and $s0
} }
rule HttpBrowser_RAT_Sample2 : RAT APT { rule HttpBrowser_RAT_Sample2
{
meta: meta:
description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample" description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample"
author = "Florian Roth" author = "Florian Roth"
...@@ -72,16 +82,20 @@ rule HttpBrowser_RAT_Sample2 : RAT APT { ...@@ -72,16 +82,20 @@ rule HttpBrowser_RAT_Sample2 : RAT APT {
date = "2015-08-06" date = "2015-08-06"
score = 80 score = 80
hash1 = "c57c5a2c322af2835ae136b75283eaaeeaa6aa911340470182a9983ae47b8992" hash1 = "c57c5a2c322af2835ae136b75283eaaeeaa6aa911340470182a9983ae47b8992"
strings: strings:
$s0 = "nKERNEL32.DLL" fullword wide $s0 = "nKERNEL32.DLL" fullword wide
$s1 = "WUSER32.DLL" fullword wide $s1 = "WUSER32.DLL" fullword wide
$s2 = "mscoree.dll" fullword wide $s2 = "mscoree.dll" fullword wide
$s3 = "VPDN_LU.exeUT" fullword ascii $s3 = "VPDN_LU.exeUT" fullword ascii
condition: condition:
uint16(0) == 0x5a4d and filesize < 250KB and all of them uint16(0) == 0x5a4d and filesize < 250KB and all of them
} }
rule HttpBrowser_RAT_Gen : RAT APT { rule HttpBrowser_RAT_Gen
{
meta: meta:
description = "Threat Group 3390 APT Sample - HttpBrowser RAT Generic" description = "Threat Group 3390 APT Sample - HttpBrowser RAT Generic"
author = "Florian Roth" author = "Florian Roth"
...@@ -110,16 +124,20 @@ rule HttpBrowser_RAT_Gen : RAT APT { ...@@ -110,16 +124,20 @@ rule HttpBrowser_RAT_Gen : RAT APT {
hash20 = "36c49f18ce3c205152eef82887eb3070e9b111d35a42b534b2fb2ee535b543c0" hash20 = "36c49f18ce3c205152eef82887eb3070e9b111d35a42b534b2fb2ee535b543c0"
hash21 = "3eeb1fd1f0d8ab33f34183893c7346ddbbf3c19b94ba3602d377fa2e84aaad81" hash21 = "3eeb1fd1f0d8ab33f34183893c7346ddbbf3c19b94ba3602d377fa2e84aaad81"
hash22 = "3fa8d13b337671323e7fe8b882763ec29b6786c528fa37da773d95a057a69d9a" hash22 = "3fa8d13b337671323e7fe8b882763ec29b6786c528fa37da773d95a057a69d9a"
strings: strings:
$s0 = "%d|%s|%04d/%02d/%02d %02d:%02d:%02d|%ld|%d" fullword wide $s0 = "%d|%s|%04d/%02d/%02d %02d:%02d:%02d|%ld|%d" fullword wide
$s1 = "HttpBrowser/1.0" fullword wide $s1 = "HttpBrowser/1.0" fullword wide
$s2 = "set cmd : %s" ascii fullword $s2 = "set cmd : %s" ascii fullword
$s3 = "\\config.ini" wide fullword $s3 = "\\config.ini" wide fullword
condition: condition:
uint16(0) == 0x5a4d and filesize < 45KB and filesize > 20KB and all of them uint16(0) == 0x5a4d and filesize < 45KB and filesize > 20KB and all of them
} }
rule PlugX_NvSmartMax_Gen : PlugX APT { rule PlugX_NvSmartMax_Gen
{
meta: meta:
description = "Threat Group 3390 APT Sample - PlugX NvSmartMax Generic" description = "Threat Group 3390 APT Sample - PlugX NvSmartMax Generic"
author = "Florian Roth" author = "Florian Roth"
...@@ -131,6 +149,7 @@ rule PlugX_NvSmartMax_Gen : PlugX APT { ...@@ -131,6 +149,7 @@ rule PlugX_NvSmartMax_Gen : PlugX APT {
hash3 = "555952aa5bcca4fa5ad5a7269fece99b1a04816d104ecd8aefabaa1435f65fa5" hash3 = "555952aa5bcca4fa5ad5a7269fece99b1a04816d104ecd8aefabaa1435f65fa5"
hash4 = "71f7a9da99b5e3c9520bc2cc73e520598d469be6539b3c243fb435fe02e44338" hash4 = "71f7a9da99b5e3c9520bc2cc73e520598d469be6539b3c243fb435fe02e44338"
hash5 = "65bbf0bd8c6e1ccdb60cf646d7084e1452cb111d97d21d6e8117b1944f3dc71e" hash5 = "65bbf0bd8c6e1ccdb60cf646d7084e1452cb111d97d21d6e8117b1944f3dc71e"
strings: strings:
$s0 = "NvSmartMax.dll" fullword ascii $s0 = "NvSmartMax.dll" fullword ascii
$s1 = "NvSmartMax.dll.url" fullword ascii $s1 = "NvSmartMax.dll.url" fullword ascii
...@@ -139,15 +158,17 @@ rule PlugX_NvSmartMax_Gen : PlugX APT { ...@@ -139,15 +158,17 @@ rule PlugX_NvSmartMax_Gen : PlugX APT {
$s5 = "CryptUnprotectMemory failed" fullword ascii $s5 = "CryptUnprotectMemory failed" fullword ascii
$s7 = "r%.*s(%d)%s" fullword wide $s7 = "r%.*s(%d)%s" fullword wide
$s8 = " %s CRC " fullword wide $s8 = " %s CRC " fullword wide
$op0 = { c6 05 26 49 42 00 01 eb 4a 8d 85 00 f8 ff ff 50 } /* Opcode */ $op0 = { c6 05 26 49 42 00 01 eb 4a 8d 85 00 f8 ff ff 50 } /* Opcode */
$op1 = { 8d 85 c8 fe ff ff 50 8d 45 c8 50 c6 45 47 00 e8 } /* Opcode */ $op1 = { 8d 85 c8 fe ff ff 50 8d 45 c8 50 c6 45 47 00 e8 } /* Opcode */
$op2 = { e8 e6 65 00 00 50 68 10 43 41 00 e8 56 84 00 00 } /* Opcode */ $op2 = { e8 e6 65 00 00 50 68 10 43 41 00 e8 56 84 00 00 } /* Opcode */
condition: condition:
uint16(0) == 0x5a4d and filesize < 800KB and all of ($s*) and 1 of ($op*) uint16(0) == 0x5a4d and filesize < 800KB and all of ($s*) and 1 of ($op*)
} }
rule HttpBrowser_RAT_dropper_Gen2 : Dropper RAT { rule HttpBrowser_RAT_dropper_Gen2
{
meta: meta:
description = "Threat Group 3390 APT Sample - HttpBrowser RAT Dropper" description = "Threat Group 3390 APT Sample - HttpBrowser RAT Dropper"
author = "Florian Roth" author = "Florian Roth"
...@@ -156,6 +177,7 @@ rule HttpBrowser_RAT_dropper_Gen2 : Dropper RAT { ...@@ -156,6 +177,7 @@ rule HttpBrowser_RAT_dropper_Gen2 : Dropper RAT {
score = 70 score = 70
hash1 = "c57c5a2c322af2835ae136b75283eaaeeaa6aa911340470182a9983ae47b8992" hash1 = "c57c5a2c322af2835ae136b75283eaaeeaa6aa911340470182a9983ae47b8992"
hash2 = "dfa984174268a9f364d856fd47cfaca75804640f849624d69d81fcaca2b57166" hash2 = "dfa984174268a9f364d856fd47cfaca75804640f849624d69d81fcaca2b57166"
strings: strings:
$s1 = "navlu.dll.urlUT" fullword ascii $s1 = "navlu.dll.urlUT" fullword ascii
$s2 = "VPDN_LU.exeUT" fullword ascii $s2 = "VPDN_LU.exeUT" fullword ascii
...@@ -164,40 +186,47 @@ rule HttpBrowser_RAT_dropper_Gen2 : Dropper RAT { ...@@ -164,40 +186,47 @@ rule HttpBrowser_RAT_dropper_Gen2 : Dropper RAT {
$s5 = "/c del /q %s" fullword ascii $s5 = "/c del /q %s" fullword ascii
$s6 = "\\setup.exe" fullword ascii $s6 = "\\setup.exe" fullword ascii
$s7 = "msi.dllUT" fullword ascii $s7 = "msi.dllUT" fullword ascii
$op0 = { 8b 45 0c 83 38 00 0f 84 98 } /* Opcode */ $op0 = { 8b 45 0c 83 38 00 0f 84 98 } /* Opcode */
$op1 = { e8 dd 07 00 00 ff 35 d8 fb 40 00 8b 35 7c a0 40 } /* Opcode */ $op1 = { e8 dd 07 00 00 ff 35 d8 fb 40 00 8b 35 7c a0 40 } /* Opcode */
$op2 = { 83 fb 08 75 2c 8b 0d f8 af 40 00 89 4d dc 8b 0d } /* Opcode */ $op2 = { 83 fb 08 75 2c 8b 0d f8 af 40 00 89 4d dc 8b 0d } /* Opcode */
$op3 = { c7 43 18 8c 69 40 00 e9 da 01 00 00 83 7d f0 00 } /* Opcode */ $op3 = { c7 43 18 8c 69 40 00 e9 da 01 00 00 83 7d f0 00 } /* Opcode */
$op4 = { 6a 01 e9 7c f8 ff ff bf 1a 40 00 96 1b 40 00 01 } /* Opcode */ $op4 = { 6a 01 e9 7c f8 ff ff bf 1a 40 00 96 1b 40 00 01 } /* Opcode */
condition: condition:
uint16(0) == 0x5a4d and filesize < 400KB and 3 of ($s*) and 1 of ($op*) uint16(0) == 0x5a4d and filesize < 400KB and 3 of ($s*) and 1 of ($op*)
} }
rule ThreatGroup3390_Strings : APT { rule ThreatGroup3390_Strings
{
meta: meta:
description = "Threat Group 3390 APT - Strings" description = "Threat Group 3390 APT - Strings"
author = "Florian Roth" author = "Florian Roth"
reference = "http://snip.ly/giNB" reference = "http://snip.ly/giNB"
date = "2015-08-06" date = "2015-08-06"
score = 60 score = 60
strings: strings:
$s1 = "\"cmd\" /c cd /d \"c:\\Windows\\Temp\\\"&copy" ascii $s1 = "\"cmd\" /c cd /d \"c:\\Windows\\Temp\\\"&copy" ascii
$s2 = "svchost.exe a -k -r -s -m5 -v1024000 -padmin-windows2014" $s2 = "svchost.exe a -k -r -s -m5 -v1024000 -padmin-windows2014"
$s3 = "ren *.rar *.zip" fullword ascii $s3 = "ren *.rar *.zip" fullword ascii
$s4 = "c:\\temp\\ipcan.exe" fullword ascii $s4 = "c:\\temp\\ipcan.exe" fullword ascii
$s5 = "<%eval(Request.Item(\"admin-na-google123!@#" ascii $s5 = "<%eval(Request.Item(\"admin-na-google123!@#" ascii
condition: condition:
1 of them and filesize < 30KB 1 of them and filesize < 30KB
} }
rule ThreatGroup3390_C2 : C2 APT { rule ThreatGroup3390_C2
{
meta: meta:
description = "Threat Group 3390 APT - C2 Server" description = "Threat Group 3390 APT - C2 Server"
author = "Florian Roth" author = "Florian Roth"
reference = "http://snip.ly/giNB" reference = "http://snip.ly/giNB"
date = "2015-08-06" date = "2015-08-06"
score = 60 score = 60
strings: strings:
$s1 = "api.apigmail.com" $s1 = "api.apigmail.com"
$s2 = "apigmail.com" $s2 = "apigmail.com"
...@@ -306,6 +335,8 @@ rule ThreatGroup3390_C2 : C2 APT { ...@@ -306,6 +335,8 @@ rule ThreatGroup3390_C2 : C2 APT {
$s105 = "ykcaihyl@163.com" $s105 = "ykcaihyl@163.com"
$s106 = "working_success@163.com" $s106 = "working_success@163.com"
$s107 = "yuming@yinsibaohu.aliyun.com" $s107 = "yuming@yinsibaohu.aliyun.com"
condition: condition:
uint16(0) == 0x5a4d and 1 of them uint16(0) == 0x5a4d and 1 of them
} }
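Review bot: The rule headers at L9, L28, L42, L59, L76, L98, L122 and L139 drop their tags on the new side as rendered — `rule HttpBrowser_RAT_dropper_Gen1 : RAT Dropper APT {` becomes `rule HttpBrowser_RAT_dropper_Gen1` followed by `{`, and likewise the `RAT APT`, `PlugX APT`, `Dropper RAT`, `APT` and `C2 APT` tag sets on the other seven rules. That is a behavioural change rather than a brace-style one: YARA tags are what `yara -t TAG` filtering and tag-keyed routing in scanners and SIEM pipelines select on, so consumers keying on `APT`, `RAT`, `Dropper`, `PlugX` or `C2` would silently stop seeing these rules. If the intent was only to move the opening brace onto its own line, keep the tag list on the `rule` line, e.g. `rule HttpBrowser_RAT_dropper_Gen1 : RAT Dropper APT` then `{`, and apply the same to the other seven headers. If dropping the tags is deliberate, the commit message should say so, since the hunk headers still show the old tagged form and a reader cannot tell the removal was intended.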