Update Miscelanea.yar

Add UACElevator rule
Add UACME_Akagi rule
Add Win7Elevatev2 rule

malware/Miscelanea.yar

@@ -698,3 +698,87 @@ rule PUP_InstallRex_AntiFWb {
 	condition:
 		uint16(0) == 0x5a4d and all of them
 }
+
+rule Win7Elevatev2 {
+	meta:
+		description = "Detects Win7Elevate - Windows UAC bypass utility"
+		author = "Florian Roth"
+		reference = "http://www.pretentiousname.com/misc/W7E_Source/Win7Elevate_Inject.cpp.html"
+		date = "2015-05-14"
+		hash1 = "4f53ff6a04e46eda92b403faf42219a545c06c29" /* x64 */
+		hash2 = "808d04c187a524db402c5b2be17ce799d2654bd1" /* x86 */
+		score = 60
+	strings:
+		$x1 = "This program attempts to bypass Windows 7's default UAC settings to run " wide
+		$x2 = "Win7ElevateV2\\x64\\Release\\" ascii
+		$x3 = "Run the command normally (without code injection)" wide	
+		$x4 = "Inject file copy && elevate command" fullword wide
+		$x5 = "http://www.pretentiousname.com/misc/win7_uac_whitelist2.html" fullword wide
+		$x6 = "For injection, pick any unelevated Windows process with ASLR on:" fullword wide
+		
+		$s1 = "\\cmd.exe" wide
+		$s2 = "runas" wide
+		$s3 = "explorer.exe" wide
+		$s4 = "Couldn't load kernel32.dll" wide
+		$s5 = "CRYPTBASE.dll" wide
+		$s6 = "shell32.dll" wide
+		$s7 = "ShellExecuteEx" ascii
+		$s8 = "COMCTL32.dll" ascii 
+		$s9 = "ShellExecuteEx" ascii
+		$s10 = "HeapAlloc" ascii
+	condition:
+		uint16(0) == 0x5a4d and ( 1 of ($x*) or all of ($s*) )
+}
+
+rule UACME_Akagi {
+	meta:
+		description = "Rule to detect UACMe - abusing built-in Windows AutoElevate backdoor"
+		author = "Florian Roth"
+		reference = "https://github.com/hfiref0x/UACME"
+		date = "2015-05-14"
+		hash1 = "edd2138bbd9e76c343051c6dc898054607f2040a"
+		hash2 = "e3a919ccc2e759e618208ededa8a543954d49f8a"
+		score = 60
+	strings:
+		$x1 = "UACMe injected, Fubuki at your service." wide fullword
+		$x3 = "%temp%\\Hibiki.dll" fullword wide
+		$x4 = "[UCM] Cannot write to the target process memory." fullword wide
+		
+		$s1 = "%systemroot%\\system32\\cmd.exe" wide
+		$s2 = "D:(A;;GA;;;WD)" wide
+		$s3 = "%systemroot%\\system32\\sysprep\\sysprep.exe" fullword wide
+		$s4 = "/c wusa %ws /extract:%%windir%%\\system32" fullword wide
+		$s5 = "Fubuki.dll" ascii fullword
+		
+		$l1 = "ntdll.dll" ascii
+		$l2 = "Cabinet.dll" ascii
+		$l3 = "GetProcessHeap" ascii
+		$l4 = "WriteProcessMemory" ascii
+		$l5 = "ShellExecuteEx" ascii
+	condition:
+		( 1 of ($x*) ) or ( 3 of ($s*) and all of ($l*) ) 
+}
+
+rule UACElevator {
+	meta:
+		description = "UACElevator bypassing UAC - file UACElevator.exe"
+		author = "Florian Roth"
+		reference = "https://github.com/MalwareTech/UACElevator"
+		date = "2015-05-14"
+		hash = "fd29d5a72d7a85b7e9565ed92b4d7a3884defba6"
+	strings:
+		$x1 = "\\UACElevator.pdb" ascii
+		
+		$s1 = "%userprofile%\\Downloads\\dwmapi.dll" fullword ascii
+		$s2 = "%windir%\\system32\\dwmapi.dll" fullword ascii
+		$s3 = "Infection module: %s" fullword ascii
+		$s4 = "Could not save module to %s" fullword ascii
+		$s5 = "%s%s%p%s%ld%s%d%s" fullword ascii
+		$s6 = "Stack area around _alloca memory reserved by this function is corrupted" fullword ascii
+		$s7 = "Stack around the variable '" fullword ascii
+		$s8 = "MSVCR120D.dll" fullword wide
+		$s9 = "Address: 0x" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 172KB and 
+			( $x1 or 8 of ($s*) )
+}