Commit db73ef22 by Marc Rivero López Committed by GitHub

Update APT_KeyBoy.yar

parent 3dd82a01
...@@ -5,8 +5,9 @@ ...@@ -5,8 +5,9 @@
import "pe" import "pe"
rule KeyBoy_Dropper : dropper rule KeyBoy_Dropper
{ {
meta: meta:
Author = "Rapid7 Labs" Author = "Rapid7 Labs"
Date = "2013/06/07" Date = "2013/06/07"
...@@ -25,8 +26,9 @@ rule KeyBoy_Dropper : dropper ...@@ -25,8 +26,9 @@ rule KeyBoy_Dropper : dropper
all of them all of them
} }
rule KeyBoy_Backdoor : Backdoor APT rule KeyBoy_Backdoor
{ {
meta: meta:
Author = "Rapid7 Labs" Author = "Rapid7 Labs"
Date = "2013/06/07" Date = "2013/06/07"
...@@ -53,8 +55,10 @@ rule KeyBoy_Backdoor : Backdoor APT ...@@ -53,8 +55,10 @@ rule KeyBoy_Backdoor : Backdoor APT
* years of development. * years of development.
* *
*/ */
rule new_keyboy_export rule new_keyboy_export
{ {
meta: meta:
author = "Matt Brooks, @cmatthewbrooks" author = "Matt Brooks, @cmatthewbrooks"
desc = "Matches the new 2016 sample's export" desc = "Matches the new 2016 sample's export"
...@@ -62,24 +66,13 @@ rule new_keyboy_export ...@@ -62,24 +66,13 @@ rule new_keyboy_export
md5 = "495adb1b9777002ecfe22aaf52fcee93" md5 = "495adb1b9777002ecfe22aaf52fcee93"
condition: condition:
//MZ header //MZ header //PE signature //The malware family seems to share many exports //but this is the new kid on the block.
uint16(0) == 0x5A4D and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 200KB and pe.exports("cfsUpdate")
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
filesize < 200KB and
//The malware family seems to share many exports
//but this is the new kid on the block.
pe.exports("cfsUpdate")
} }
rule new_keyboy_header_codes rule new_keyboy_header_codes
{ {
meta: meta:
author = "Matt Brooks, @cmatthewbrooks" author = "Matt Brooks, @cmatthewbrooks"
desc = "Matches the 2016 sample's header codes" desc = "Matches the 2016 sample's header codes"
...@@ -96,17 +89,8 @@ rule new_keyboy_header_codes ...@@ -96,17 +89,8 @@ rule new_keyboy_header_codes
$s7 = "*h*" wide fullword $s7 = "*h*" wide fullword
condition: condition:
//MZ header //MZ header //PE signature
uint16(0) == 0x5A4D and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 200KB and all of them
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
filesize < 200KB and
all of them
} }
...@@ -120,6 +104,7 @@ rule new_keyboy_header_codes ...@@ -120,6 +104,7 @@ rule new_keyboy_header_codes
rule keyboy_commands rule keyboy_commands
{ {
meta: meta:
author = "Matt Brooks, @cmatthewbrooks" author = "Matt Brooks, @cmatthewbrooks"
desc = "Matches the 2016 sample's sent and received commands" desc = "Matches the 2016 sample's sent and received commands"
...@@ -141,21 +126,13 @@ rule keyboy_commands ...@@ -141,21 +126,13 @@ rule keyboy_commands
$s12 = "FileManager" wide fullword $s12 = "FileManager" wide fullword
condition: condition:
//MZ header //MZ header //PE signature
uint16(0) == 0x5A4D and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 200KB and 6 of them
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
filesize < 200KB and
6 of them
} }
rule keyboy_errors rule keyboy_errors
{ {
meta: meta:
author = "Matt Brooks, @cmatthewbrooks" author = "Matt Brooks, @cmatthewbrooks"
desc = "Matches the sample's shell error2 log statements" desc = "Matches the sample's shell error2 log statements"
...@@ -191,22 +168,14 @@ rule keyboy_errors ...@@ -191,22 +168,14 @@ rule keyboy_errors
$s22 = "WriteFile [%s} Error(%d)..." ascii wide $s22 = "WriteFile [%s} Error(%d)..." ascii wide
condition: condition:
//MZ header //MZ header //PE signature
uint16(0) == 0x5A4D and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 200KB and $error and 3 of ($s*)
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
filesize < 200KB and
$error and 3 of ($s*)
} }
rule keyboy_systeminfo rule keyboy_systeminfo
{ {
meta: meta:
author = "Matt Brooks, @cmatthewbrooks" author = "Matt Brooks, @cmatthewbrooks"
desc = "Matches the system information format before sending to C2" desc = "Matches the system information format before sending to C2"
...@@ -230,25 +199,15 @@ rule keyboy_systeminfo ...@@ -230,25 +199,15 @@ rule keyboy_systeminfo
$s13 = "DisplayMode: %d x %d, %dHz, %dbit" ascii wide $s13 = "DisplayMode: %d x %d, %dHz, %dbit" ascii wide
$s14 = "Uptime: %d Days %02u:%02u:%02u" ascii wide $s14 = "Uptime: %d Days %02u:%02u:%02u" ascii wide
condition: condition:
//MZ header //MZ header //PE signature
uint16(0) == 0x5A4D and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 200KB and 7 of them
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
filesize < 200KB and
7 of them
} }
rule keyboy_related_exports rule keyboy_related_exports
{ {
meta: meta:
author = "Matt Brooks, @cmatthewbrooks" author = "Matt Brooks, @cmatthewbrooks"
desc = "Matches the new 2016 sample's export" desc = "Matches the new 2016 sample's export"
...@@ -256,52 +215,24 @@ rule keyboy_related_exports ...@@ -256,52 +215,24 @@ rule keyboy_related_exports
md5 = "495adb1b9777002ecfe22aaf52fcee93" md5 = "495adb1b9777002ecfe22aaf52fcee93"
condition: condition:
//MZ header //MZ header //PE signature //The malware family seems to share many exports //but this is the new kid on the block.
uint16(0) == 0x5A4D and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 200KB and pe.exports("Embedding") or pe.exports("SSSS") or pe.exports("GetUP")
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
filesize < 200KB and
//The malware family seems to share many exports
//but this is the new kid on the block.
pe.exports("Embedding") or
pe.exports("SSSS") or
pe.exports("GetUP")
} }
// Note: The use of the .Init section has been observed in nearly // Note: The use of the .Init section has been observed in nearly
// all samples with the exception of the 2013 VN dropper from the // all samples with the exception of the 2013 VN dropper from the
// Rapid7 blog. The config data was stored in that sample's .data // Rapid7 blog. The config data was stored in that sample's .data
// section. // section.
rule keyboy_init_config_section rule keyboy_init_config_section
{ {
meta: meta:
author = "Matt Brooks, @cmatthewbrooks" author = "Matt Brooks, @cmatthewbrooks"
desc = "Matches the Init section where the config is stored" desc = "Matches the Init section where the config is stored"
date = "2016-08-28" date = "2016-08-28"
condition: condition:
//MZ header //MZ header //PE signature //Payloads are normally smaller but the new dropper we spotted //is a bit larger. //Observed virtual sizes of the .Init section vary but they've //always been 1024, 2048, or 4096 bytes.
uint16(0) == 0x5A4D and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 300KB and for any i in (0..pe.number_of_sections - 1): (pe.sections[i].name == ".Init" and pe.sections[i].virtual_size % 1024 == 0)
//PE signature
uint32(uint32(0x3C)) == 0x00004550 and
//Payloads are normally smaller but the new dropper we spotted
//is a bit larger.
filesize < 300KB and
//Observed virtual sizes of the .Init section vary but they've
//always been 1024, 2048, or 4096 bytes.
for any i in (0..pe.number_of_sections - 1):
(
pe.sections[i].name == ".Init" and
pe.sections[i].virtual_size % 1024 == 0
)
} }
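Review bot: The flattened condition of keyboy_related_exports (the new-side text on L113, assuming the right column is the new side as the rendering suggests) still lets `or` bind looser than `and`, so the MZ/PE and `filesize < 200KB` guards apply only to the `pe.exports("Embedding")` branch and a file exporting `SSSS` or `GetUP` matches with no size check; the old side had the same precedence, but the one-line form now hides it. Group the alternatives: `filesize < 200KB and (pe.exports("Embedding") or pe.exports("SSSS") or pe.exports("GetUP"))`. The rule's header line sits in the preceding hunk rather than this one. The same flattening joins the explanatory comments of every rule into a single line ahead of the condition (`//MZ header //PE signature //The malware family seems to share many exports ...`), where they no longer sit beside the term they describe; either keep one comment per line above each term or drop them. The first two hunks also appear to drop the `dropper` and `Backdoor APT` rule tags, which tag-based filtering relies on; if that is intentional the commit message should say so.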