Commit d757ab9a by Marc Rivero López Committed by GitHub

Update APT_Bluetermite_Emdivi.yar

Fixed rule style
parent 1170ceac
...@@ -3,7 +3,9 @@ ...@@ -3,7 +3,9 @@
*/ */
rule Emdivi_SFX { rule Emdivi_SFX
{
meta: meta:
description = "Detects Emdivi malware in SFX Archive" description = "Detects Emdivi malware in SFX Archive"
author = "Florian Roth @Cyber0ps" author = "Florian Roth @Cyber0ps"
...@@ -12,20 +14,21 @@ rule Emdivi_SFX { ...@@ -12,20 +14,21 @@ rule Emdivi_SFX {
score = 70 score = 70
hash1 = "7a3c81b2b3c14b9cd913692347019887b607c54152b348d6d3ccd3ecfd406196" hash1 = "7a3c81b2b3c14b9cd913692347019887b607c54152b348d6d3ccd3ecfd406196"
hash2 = "8c3df4e4549db3ce57fc1f7b1b2dfeedb7ba079f654861ca0b608cbfa1df0f6b" hash2 = "8c3df4e4549db3ce57fc1f7b1b2dfeedb7ba079f654861ca0b608cbfa1df0f6b"
strings: strings:
$x1 = "Setup=unsecess.exe" fullword ascii $x1 = "Setup=unsecess.exe" fullword ascii
$x2 = "Setup=leassnp.exe" fullword ascii $x2 = "Setup=leassnp.exe" fullword ascii
$s1 = "&Enter password for the encrypted file:" fullword wide $s1 = "&Enter password for the encrypted file:" fullword wide
$s2 = ";The comment below contains SFX script commands" fullword ascii $s2 = ";The comment below contains SFX script commands" fullword ascii
$s3 = "Path=%temp%" fullword ascii $s3 = "Path=%temp%" fullword ascii
condition: condition:
uint16(0) == 0x5a4d and filesize < 740KB and (1 of ($x*) and all of ($s*)) uint16(0) == 0x5a4d and filesize < 740KB and (1 of ($x*) and all of ($s*))
} }
/* Super Rules ------------------------------------------------------------- */ rule Emdivi_Gen1
{
rule Emdivi_Gen1 {
meta: meta:
description = "Detects Emdivi Malware" description = "Detects Emdivi Malware"
author = "Florian Roth @Cyber0ps" author = "Florian Roth @Cyber0ps"
...@@ -37,11 +40,11 @@ rule Emdivi_Gen1 { ...@@ -37,11 +40,11 @@ rule Emdivi_Gen1 {
hash2 = "3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1" hash2 = "3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1"
hash3 = "6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662" hash3 = "6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662"
hash4 = "90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86" hash4 = "90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86"
strings: strings:
$x1 = "wmic nteventlog where filename=\"SecEvent\" call cleareventlog" fullword wide $x1 = "wmic nteventlog where filename=\"SecEvent\" call cleareventlog" fullword wide
$s0 = "del %Temp%\\*.exe %Temp%\\*.dll %Temp%\\*.bat %Temp%\\*.ps1 %Temp%\\*.cmd /f /q" fullword wide $s0 = "del %Temp%\\*.exe %Temp%\\*.dll %Temp%\\*.bat %Temp%\\*.ps1 %Temp%\\*.cmd /f /q" fullword wide
$x3 = "userControl-v80.exe" fullword ascii $x3 = "userControl-v80.exe" fullword ascii
$s1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727.42)" fullword wide $s1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727.42)" fullword wide
$s2 = "http://www.msftncsi.com" fullword wide $s2 = "http://www.msftncsi.com" fullword wide
$s3 = "net use | find /i \"c$\"" fullword wide $s3 = "net use | find /i \"c$\"" fullword wide
...@@ -50,11 +53,14 @@ rule Emdivi_Gen1 { ...@@ -50,11 +53,14 @@ rule Emdivi_Gen1 {
$s6 = "/ncsi.txt" fullword wide $s6 = "/ncsi.txt" fullword wide
$s7 = "Dcmd /c" fullword wide $s7 = "Dcmd /c" fullword wide
$s8 = "/PROXY" fullword wide $s8 = "/PROXY" fullword wide
condition: condition:
uint16(0) == 0x5a4d and filesize < 800KB and all of them uint16(0) == 0x5a4d and filesize < 800KB and all of them
} }
rule Emdivi_Gen2 { rule Emdivi_Gen2
{
meta: meta:
description = "Detects Emdivi Malware" description = "Detects Emdivi Malware"
author = "Florian Roth @Cyber0ps" author = "Florian Roth @Cyber0ps"
...@@ -65,6 +71,7 @@ rule Emdivi_Gen2 { ...@@ -65,6 +71,7 @@ rule Emdivi_Gen2 {
hash1 = "9a351885bf5f6fec466f30021088504d96e9db10309622ed198184294717add1" hash1 = "9a351885bf5f6fec466f30021088504d96e9db10309622ed198184294717add1"
hash2 = "a5be7cb1f37030c9f9211c71e0fbe01dae19ff0e6560c5aab393621f18a7d012" hash2 = "a5be7cb1f37030c9f9211c71e0fbe01dae19ff0e6560c5aab393621f18a7d012"
hash3 = "9183abb9b639699cd2ad28d375febe1f34c14679b7638d1a79edb49d920524a4" hash3 = "9183abb9b639699cd2ad28d375febe1f34c14679b7638d1a79edb49d920524a4"
strings: strings:
$s1 = "%TEMP%\\IELogs\\" fullword ascii $s1 = "%TEMP%\\IELogs\\" fullword ascii
$s2 = "MSPUB.EXE" fullword ascii $s2 = "MSPUB.EXE" fullword ascii
...@@ -73,11 +80,14 @@ rule Emdivi_Gen2 { ...@@ -73,11 +80,14 @@ rule Emdivi_Gen2 {
$s5 = "%4d-%02d-%02d %02d:%02d:%02d " fullword ascii $s5 = "%4d-%02d-%02d %02d:%02d:%02d " fullword ascii
$s6 = "INTERNET_OPEN_TYPE_PRECONFIG" fullword ascii $s6 = "INTERNET_OPEN_TYPE_PRECONFIG" fullword ascii
$s7 = "%4d%02d%02d%02d%02d%02d" fullword ascii $s7 = "%4d%02d%02d%02d%02d%02d" fullword ascii
condition: condition:
uint16(0) == 0x5a4d and filesize < 1300KB and 6 of them uint16(0) == 0x5a4d and filesize < 1300KB and 6 of them
} }
rule Emdivi_Gen3 { rule Emdivi_Gen3
{
meta: meta:
description = "Detects Emdivi Malware" description = "Detects Emdivi Malware"
author = "Florian Roth @Cyber0ps" author = "Florian Roth @Cyber0ps"
...@@ -87,24 +97,23 @@ rule Emdivi_Gen3 { ...@@ -87,24 +97,23 @@ rule Emdivi_Gen3 {
score = 80 score = 80
hash1 = "008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e" hash1 = "008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e"
hash2 = "a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d" hash2 = "a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d"
strings: strings:
$x1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727.42)" fullword ascii $x1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727.42)" fullword ascii
$s2 = "\\Mozilla\\Firefox\\Profiles\\" fullword ascii $s2 = "\\Mozilla\\Firefox\\Profiles\\" fullword ascii
$s4 = "\\auto.cfg" fullword ascii $s4 = "\\auto.cfg" fullword ascii
$s5 = "/ncsi.txt" fullword ascii $s5 = "/ncsi.txt" fullword ascii
$s6 = "/en-us/default.aspx" fullword ascii $s6 = "/en-us/default.aspx" fullword ascii
$s7 = "cmd /c" fullword ascii $s7 = "cmd /c" fullword ascii
$s9 = "APPDATA" fullword ascii /* Goodware String - occured 25 times */ $s9 = "APPDATA" fullword ascii /* Goodware String - occured 25 times */
condition: condition:
uint16(0) == 0x5a4d and filesize < 850KB and uint16(0) == 0x5a4d and filesize < 850KB and (( $x1 and 1 of ($s*)) or ( 4 of ($s*)))
(
( $x1 and 1 of ($s*) ) or
( 4 of ($s*) )
)
} }
rule Emdivi_Gen4 { rule Emdivi_Gen4
{
meta: meta:
description = "Detects Emdivi Malware" description = "Detects Emdivi Malware"
author = "Florian Roth @Cyber0ps" author = "Florian Roth @Cyber0ps"
...@@ -118,6 +127,7 @@ rule Emdivi_Gen4 { ...@@ -118,6 +127,7 @@ rule Emdivi_Gen4 {
hash4 = "6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662" hash4 = "6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662"
hash5 = "90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86" hash5 = "90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86"
hash6 = "a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d" hash6 = "a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d"
strings: strings:
$s1 = ".http_port\", " fullword wide $s1 = ".http_port\", " fullword wide
$s2 = "UserAgent: " fullword ascii $s2 = "UserAgent: " fullword ascii
...@@ -128,6 +138,9 @@ rule Emdivi_Gen4 { ...@@ -128,6 +138,9 @@ rule Emdivi_Gen4 {
$s7 = ".proxy" fullword wide $s7 = ".proxy" fullword wide
$s8 = "AuthType: " fullword ascii $s8 = "AuthType: " fullword ascii
$s9 = ".no_proxies_on\", \"" fullword wide $s9 = ".no_proxies_on\", \"" fullword wide
condition: condition:
uint16(0) == 0x5a4d and filesize < 853KB and all of them uint16(0) == 0x5a4d and filesize < 853KB and all of them
} }
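Review bot: The `/* Super Rules ------------------------------------------------------------- */` section comment that sat above `rule Emdivi_Gen1` appears to be dropped on the new side of the Emdivi_Gen1 hunk (the old column still shows it, the new column shows only the rule header and brace), which goes beyond the "fixed rule style" intent; restore `/* Super Rules ------------------------------------------------------------- */` on its own line before `rule Emdivi_Gen1`. The side-by-side rendering here has lost the +/- markers and gutter numbers, so confirm against the raw diff before acting on it. The remaining hunks (Emdivi_SFX, Emdivi_Gen2, Emdivi_Gen3, Emdivi_Gen4) only move the opening brace to its own line and collapse the Emdivi_Gen3 condition onto one line, neither of which changes what the rules match.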