Adding malware/APT_Grasshopper.yar

d9c8783f · Xumeiquer · 35e8f200 · d9c8783f · d9c8783f · d9c8783f
Commit d9c8783f authored Apr 08, 2017 by Xumeiquer
16 changed files
--- a/Antidebug_AntiVM/antidebug_antivm.yar
+++ b/Antidebug_AntiVM/antidebug_antivm.yar
--- a/Antidebug_AntiVM_index.yar
+++ b/Antidebug_AntiVM_index.yar
 /*
 Generated by Yara-Rules
-On 04-02-2017
+On 08-04-2017
 */
 include "./Antidebug_AntiVM/antidebug_antivm.yar"
--- a/CVE_Rules/CVE-2010-0805.yar
+++ b/CVE_Rules/CVE-2010-0805.yar
@@ -8,7 +8,7 @@ rule MSIETabularActivex
        strings:
                $cve20100805_1 = "333C7BC4-460F-11D0-BC04-0080C7055A83" nocase fullword
                $cve20100805_2 = "DataURL" nocase fullword
-                $cve20100805_3 = /value\=\"http:\/\/(.*?)\"/ nocase fullword
+                $cve20100805_3 = true
        condition:
                ($cve20100805_1 and $cve20100805_3) or (all of them)
 }
--- a/CVE_Rules_index.yar
+++ b/CVE_Rules_index.yar
 /*
 Generated by Yara-Rules
-On 04-02-2017
+On 08-04-2017
 */
 include "./CVE_Rules/CVE-2010-0805.yar"
 include "./CVE_Rules/CVE-2010-0887.yar"

--- a/Crypto_index.yar
+++ b/Crypto_index.yar
 /*
 Generated by Yara-Rules
-On 04-02-2017
+On 08-04-2017
 */
 include "./Crypto/base64.yar"
 include "./Crypto/crypto_signatures.yar"
--- a/Exploit-Kits_index.yar
+++ b/Exploit-Kits_index.yar
 /*
 Generated by Yara-Rules
-On 04-02-2017
+On 08-04-2017
 */
 include "./Exploit-Kits/EK_Angler.yar"
 include "./Exploit-Kits/EK_Blackhole.yar"

--- a/Malicious_Documents_index.yar
+++ b/Malicious_Documents_index.yar
 /*
 Generated by Yara-Rules
-On 04-02-2017
+On 08-04-2017
 */
 include "./Malicious_Documents/Maldoc_APT_OLE_JSRat.yar"
 include "./Malicious_Documents/Maldoc_Contains_VBE_File.yar"

--- a/Mobile_Malware_index.yar
+++ b/Mobile_Malware_index.yar
 /*
 Generated by Yara-Rules
-On 04-02-2017
+On 08-04-2017
 */
 include "./Mobile_Malware/Android_adware.yar"
 include "./Mobile_Malware/Android_AliPay_smsStealer.yar"

--- a/Packers_index.yar
+++ b/Packers_index.yar
 /*
 Generated by Yara-Rules
-On 04-02-2017
+On 08-04-2017
 */
 include "./Packers/Javascript_exploit_and_obfuscation.yar"
 include "./Packers/JJencode.yar"

--- a/Webshells_index.yar
+++ b/Webshells_index.yar
 /*
 Generated by Yara-Rules
-On 04-02-2017
+On 08-04-2017
 */
 include "./Webshells/WShell_APT_Laudanum.yar"
 include "./Webshells/Wshell_ChineseSpam.yar"

--- a/email_index.yar
+++ b/email_index.yar
 /*
 Generated by Yara-Rules
-On 04-02-2017
+On 08-04-2017
 */
 include "./email/attachment.yar"
 include "./email/bank_rule.yar"

--- a/index.yar
+++ b/index.yar
 /*
 Generated by Yara-Rules
-On 04-02-2017
+On 08-04-2017
 */
 include "./Antidebug_AntiVM/antidebug_antivm.yar"
 include "./Crypto/base64.yar"
@@ -71,6 +71,9 @@ include "./malware/APT_fancybear_dnc.yar"
 include "./malware/APT_FiveEyes.yar"
 include "./malware/APT_furtim.yar"
 include "./malware/APT_FVEY_ShadowBrokers_Jan17_Screen_Strings.yar"
+include "./malware/APT_Grasshopper.yar"
+include "./malware/APT_Greenbug.yar"
+include "./malware/APT_Grizzlybear_uscert.yar"
 include "./malware/APT_HackingTeam.yar"
 include "./malware/APT_Hellsing.yar"
 include "./malware/APT_Hikit.yar"
@@ -99,6 +102,7 @@ include "./malware/APT_PutterPanda.yar"
 include "./malware/APT_Regin.yar"
 include "./malware/APT_Scarab_Scieron.yar"
 include "./malware/APT_Seaduke.yar"
+include "./malware/APT_Shamoon_StoneDrill.yar"
 include "./malware/APT_Snowglobe_Babar.yar"
 include "./malware/APT_Sofacy_Bundestag.yar"
 include "./malware/APT_Sofacy_Fysbis.yar"
@@ -218,6 +222,7 @@ include "./malware/MALW_Sendsafe.yar"
 include "./malware/MALW_Shamoon.yar"
 include "./malware/MALW_Shifu.yar"
 include "./malware/MALW_Skeleton.yar"
+include "./malware/MALW_Spora.yar"
 include "./malware/MALW_Sqlite.yar"
 include "./malware/MALW_Stealer.yar"
 include "./malware/MALW_Surtr.yar"

--- a/index_w_mobile.yar
+++ b/index_w_mobile.yar
 /*
 Generated by Yara-Rules
-On 04-02-2017
+On 08-04-2017
 */
 include "./Antidebug_AntiVM/antidebug_antivm.yar"
 include "./Crypto/base64.yar"
@@ -71,6 +71,9 @@ include "./malware/APT_fancybear_dnc.yar"
 include "./malware/APT_FiveEyes.yar"
 include "./malware/APT_furtim.yar"
 include "./malware/APT_FVEY_ShadowBrokers_Jan17_Screen_Strings.yar"
+include "./malware/APT_Grasshopper.yar"
+include "./malware/APT_Greenbug.yar"
+include "./malware/APT_Grizzlybear_uscert.yar"
 include "./malware/APT_HackingTeam.yar"
 include "./malware/APT_Hellsing.yar"
 include "./malware/APT_Hikit.yar"
@@ -99,6 +102,7 @@ include "./malware/APT_PutterPanda.yar"
 include "./malware/APT_Regin.yar"
 include "./malware/APT_Scarab_Scieron.yar"
 include "./malware/APT_Seaduke.yar"
+include "./malware/APT_Shamoon_StoneDrill.yar"
 include "./malware/APT_Snowglobe_Babar.yar"
 include "./malware/APT_Sofacy_Bundestag.yar"
 include "./malware/APT_Sofacy_Fysbis.yar"
@@ -218,6 +222,7 @@ include "./malware/MALW_Sendsafe.yar"
 include "./malware/MALW_Shamoon.yar"
 include "./malware/MALW_Shifu.yar"
 include "./malware/MALW_Skeleton.yar"
+include "./malware/MALW_Spora.yar"
 include "./malware/MALW_Sqlite.yar"
 include "./malware/MALW_Stealer.yar"
 include "./malware/MALW_Surtr.yar"

--- a/malware/APT_Grasshopper.yar
+++ b/malware/APT_Grasshopper.yar
+/*
+Set of rules for Grasshopper APT.
+Infected DLL hashes of Stolen Goods 2.1.
+Ref: https://wikileaks.org/vault7/document/StolenGoods-2_1-UserGuide/StolenGoods-2_1-UserGuide.pdf
+
+Author: Jaume Martin
+Date: 07-04-2017
+*/
+
+rule Control32 {
+    meta:
+        author = "Jaume Martin"
+    condition:
+        hash.md5(0, filesize) == "b3dc808fc7cb4492669ec019911ef22a"
+}
+
+rule Control64 {
+    meta:
+        author = "Jaume Martin"
+    condition:
+        hash.md5(0, filesize) == "bec30379078d5c5c7845d3be33707b89"
+}
+
+rule GH_PM32 {
+    meta:
+        author = "Jaume Martin"
+    condition:
+        hash.md5(0, filesize) == "2f2c5b3f3b1f97908074f526ac90a28d"
+}
+
+rule GH_PM64 {
+    meta:
+        author = "Jaume Martin"
+    condition:
+        hash.md5(0, filesize) == "fe6c0097412b2c7b7f4b8a489004dd14"
+}
+
+rule MemStub32-GH1 {
+    meta:
+        author = "Jaume Martin"
+    condition:
+        hash.md5(0, filesize) == "0a579ad25fdd4db8110aac4dbb7d2da3"
+}
+
+rule MemStub32 {
+    meta:
+        author = "Jaume Martin"
+    condition:
+        hash.md5(0, filesize) == "8987652f26732607b769247adb4e9cce"
+}
+
+rule MemStub64-GH1 {
+    meta:
+        author = "Jaume Martin"
+    condition:
+        hash.md5(0, filesize) == "2350403a09e6928f0a7ba5d74da58cb9"
+}
+
+rule MemStub64 {
+    meta:
+        author = "Jaume Martin"
+    condition:
+        hash.md5(0, filesize) == "6b5b46d3212fc3fc5b455d9efd8d3ffa"
+}
+
+rule msvcrt_Win7AMD64 {
+    meta:
+        author = "Jaume Martin"
+    condition:
+        hash.md5(0, filesize) == "c8fc794cc5a22b5a1e0803b0b8acce77"
+}
+
+rule msvcrt_Win7x86 {
+    meta:
+        author = "Jaume Martin"
+    condition:
+        hash.md5(0, filesize) == "7713e5c5a48b020c9575b1b50f2e5e9e"
+}
+
+rule msvcrt_WIN8AMD64 {
+    meta:
+        author = "Jaume Martin"
+    condition:
+        hash.md5(0, filesize) == "33c59fcdf027470e0ab1d366f54a6ebf"
+}
+
+rule msvcrt_WIN8x86 {
+    meta:
+        author = "Jaume Martin"
+    condition:
+        hash.md5(0, filesize) == "95490c2b284a9bb63f0ee49254ab727e"
+}
+
+rule msvcrt_WinXPx86 {
+    meta:
+        author = "Jaume Martin"
+    condition:
+        hash.md5(0, filesize) == "b68f72d77754f8b76168ced0924a4174"
+}
+
+rule Network_Win7AMD64 {
+    meta:
+        author = "Jaume Martin"
+    condition:
+        hash.md5(0, filesize) == "eb92031a38f17d0e63285b5142b31966"
+}
+
+rule Network_Win7x86 {
+    meta:
+        author = "Jaume Martin"
+    condition:
+        hash.md5(0, filesize) == "548889baed7768b828d9c2f373abd225"
+}
+
+rule Network_WinXPx86 {
+    meta:
+        author = "Jaume Martin"
+    condition:
+        hash.md5(0, filesize) == "877341a16d5d223435c43a9db7f721bc"
+}
+
+rule RabbitStew32 {
+    meta:
+        author = "Jaume Martin"
+    condition:
+        hash.md5(0, filesize) == "a9d2e8ae5ddbf8f2842d96f7de2faef8"
+}
+
+rule RabbitStew64 {
+    meta:
+        author = "Jaume Martin"
+    condition:
+        hash.md5(0, filesize) == "fa415b6280104e813770df520b303897"
+}
+
+rule Vbr {
+    meta:
+        author = "Jaume Martin"
+    condition:
+        hash.md5(0, filesize) == "961d2fd68fde2ae0b7c52e0c90767d0d"
+}
+
--- a/malware/MALW_Corkow.yar
+++ b/malware/MALW_Corkow.yar
--- a/malware_index.yar
+++ b/malware_index.yar
 /*
 Generated by Yara-Rules
-On 04-02-2017
+On 08-04-2017
 */
 include "./malware/APT_APT1.yar"
 include "./malware/APT_APT17.yar"
@@ -30,6 +30,9 @@ include "./malware/APT_fancybear_dnc.yar"
 include "./malware/APT_FiveEyes.yar"
 include "./malware/APT_furtim.yar"
 include "./malware/APT_FVEY_ShadowBrokers_Jan17_Screen_Strings.yar"
+include "./malware/APT_Grasshopper.yar"
+include "./malware/APT_Greenbug.yar"
+include "./malware/APT_Grizzlybear_uscert.yar"
 include "./malware/APT_HackingTeam.yar"
 include "./malware/APT_Hellsing.yar"
 include "./malware/APT_Hikit.yar"
@@ -58,6 +61,7 @@ include "./malware/APT_PutterPanda.yar"
 include "./malware/APT_Regin.yar"
 include "./malware/APT_Scarab_Scieron.yar"
 include "./malware/APT_Seaduke.yar"
+include "./malware/APT_Shamoon_StoneDrill.yar"
 include "./malware/APT_Snowglobe_Babar.yar"
 include "./malware/APT_Sofacy_Bundestag.yar"
 include "./malware/APT_Sofacy_Fysbis.yar"
@@ -177,6 +181,7 @@ include "./malware/MALW_Sendsafe.yar"
 include "./malware/MALW_Shamoon.yar"
 include "./malware/MALW_Shifu.yar"
 include "./malware/MALW_Skeleton.yar"
+include "./malware/MALW_Spora.yar"
 include "./malware/MALW_Sqlite.yar"
 include "./malware/MALW_Stealer.yar"
 include "./malware/MALW_Surtr.yar"