ea59b2e1
Commit
ea59b2e1
authored
8 years ago
by
Marc Rivero López
Committed by
GitHub
8 years ago
Update APT_Casper.yar
fixed rule style
parent
04c22d97
Showing
1 changed file
with
97 additions
and
87 deletions
+97
-87
APT_Casper.yar
malware/APT_Casper.yar
+97
-87
malware/APT_Casper.yar
...
@@ -5,97 +5,107 @@
...
@@ -5,97 +5,107 @@
import "pe"
import "pe"
rule Casper_Backdoor_x86 : APT Backdoor {
rule Casper_Backdoor_x86
meta:
{
description = "Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo"
author = "Florian Roth"
meta:
reference = "http://goo.gl/VRJNLo"
description = "Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo"
date = "2015/03/05"
author = "Florian Roth"
hash = "f4c39eddef1c7d99283c7303c1835e99d8e498b0"
reference = "http://goo.gl/VRJNLo"
score = 80
date = "2015/03/05"
strings:
hash = "f4c39eddef1c7d99283c7303c1835e99d8e498b0"
$s1 = "\"svchost.exe\"" fullword wide
score = 80
$s2 = "firefox.exe" fullword ascii
$s3 = "\"Host Process for Windows Services\"" fullword wide
strings:
$s1 = "\"svchost.exe\"" fullword wide
$x1 = "\\Users\\*" fullword ascii
$s2 = "firefox.exe" fullword ascii
$x2 = "\\Roaming\\Mozilla\\Firefox\\Profiles\\*" fullword ascii
$s3 = "\"Host Process for Windows Services\"" fullword wide
$x3 = "\\Mozilla\\Firefox\\Profiles\\*" fullword ascii
$x1 = "\\Users\\*" fullword ascii
$x4 = "\\Documents and Settings\\*" fullword ascii
$x2 = "\\Roaming\\Mozilla\\Firefox\\Profiles\\*" fullword ascii
$x3 = "\\Mozilla\\Firefox\\Profiles\\*" fullword ascii
$y1 = "%s; %S=%S" fullword wide
$x4 = "\\Documents and Settings\\*" fullword ascii
$y2 = "%s; %s=%s" fullword ascii
$y1 = "%s; %S=%S" fullword wide
$y3 = "Cookie: %s=%s" fullword ascii
$y2 = "%s; %s=%s" fullword ascii
$y4 = "http://%S:%d" fullword wide
$y3 = "Cookie: %s=%s" fullword ascii
$y4 = "http://%S:%d" fullword wide
$z1 = "http://google.com/" fullword ascii
$z1 = "http://google.com/" fullword ascii
$z2 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)" fullword ascii
$z2 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)" fullword ascii
$z3 = "Operating System\"" fullword wide
$z3 = "Operating System\"" fullword wide
condition:
condition:
( all of ($s*) ) or
( all of ($s*) ) or ( 3 of ($x*) and 2 of ($y*) and 2 of ($z*) )
( 3 of ($x*) and 2 of ($y*) and 2 of ($z*) )
}
}
rule Casper_EXE_Dropper : Dropper {
rule Casper_EXE_Dropper
meta:
{
description = "Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo"
author = "Florian Roth"
meta:
reference = "http://goo.gl/VRJNLo"
description = "Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo"
date = "2015/03/05"
author = "Florian Roth"
hash = "e4cc35792a48123e71a2c7b6aa904006343a157a"
reference = "http://goo.gl/VRJNLo"
score = 80
date = "2015/03/05"
strings:
hash = "e4cc35792a48123e71a2c7b6aa904006343a157a"
$s0 = "<Command>" fullword ascii
score = 80
$s1 = "</Command>" fullword ascii
$s2 = "\" /d \"" fullword ascii
strings:
$s4 = "'%s' %s" fullword ascii
$s0 = "<Command>" fullword ascii
$s5 = "nKERNEL32.DLL" fullword wide
$s1 = "</Command>" fullword ascii
$s6 = "@ReturnValue" fullword wide
$s2 = "\" /d \"" fullword ascii
$s7 = "ID: 0x%x" fullword ascii
$s4 = "'%s' %s" fullword ascii
$s8 = "Name: %S" fullword ascii
$s5 = "nKERNEL32.DLL" fullword wide
condition:
$s6 = "@ReturnValue" fullword wide
7 of them
$s7 = "ID: 0x%x" fullword ascii
$s8 = "Name: %S" fullword ascii
condition:
7 of them
}
}
rule Casper_Included_Strings {
rule Casper_Included_Strings
meta:
{
description = "Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo"
author = "Florian Roth"
meta:
reference = "http://goo.gl/VRJNLo"
description = "Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo"
date = "2015/03/06"
author = "Florian Roth"
score = 50
reference = "http://goo.gl/VRJNLo"
strings:
date = "2015/03/06"
$a0 = "cmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST"
score = 50
$a1 = "& SYSTEMINFO) ELSE EXIT"
strings:
$mz = { 4d 5a }
$a0 = "cmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST"
$c1 = "domcommon.exe" wide fullword // File Name
$a1 = "& SYSTEMINFO) ELSE EXIT"
$c2 = "jpic.gov.sy" fullword // C2 Server
$mz = { 4d 5a }
$c3 = "aiomgr.exe" wide fullword // File Name
$c1 = "domcommon.exe" wide fullword // File Name
$c4 = "perfaudio.dat" fullword // Temp File Name
$c2 = "jpic.gov.sy" fullword // C2 Server
$c5 = "Casper_DLL.dll" fullword // Name
$c3 = "aiomgr.exe" wide fullword // File Name
$c6 = { 7B 4B 59 DE 37 4A 42 26 59 98 63 C6 2D 0F 57 40 } // Decryption Key
$c4 = "perfaudio.dat" fullword // Temp File Name
$c7 = "{4216567A-4512-9825-7745F856}" fullword // Mutex
$c5 = "Casper_DLL.dll" fullword // Name
condition:
$c6 = { 7B 4B 59 DE 37 4A 42 26 59 98 63 C6 2D 0F 57 40 } // Decryption Key
all of ($a*) or
$c7 = "{4216567A-4512-9825-7745F856}" fullword // Mutex
( $mz at 0 ) and ( 1 of ($c*) )
condition:
all of ($a*) or ( $mz at 0 ) and ( 1 of ($c*) )
}
}
rule Casper_SystemInformation_Output {
rule Casper_SystemInformation_Output
meta:
{
description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
author = "Florian Roth"
meta:
reference = "http://goo.gl/VRJNLo"
description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
date = "2015/03/06"
author = "Florian Roth"
score = 70
reference = "http://goo.gl/VRJNLo"
strings:
date = "2015/03/06"
$a0 = "***** SYSTEM INFORMATION ******"
score = 70
$a1 = "***** SECURITY INFORMATION ******"
$a2 = "Antivirus: "
strings:
$a3 = "Firewall: "
$a0 = "***** SYSTEM INFORMATION ******"
$a4 = "***** EXECUTION CONTEXT ******"
$a1 = "***** SECURITY INFORMATION ******"
$a5 = "Identity: "
$a2 = "Antivirus: "
$a6 = "<CONFIG TIMESTAMP="
$a3 = "Firewall: "
condition:
$a4 = "***** EXECUTION CONTEXT ******"
all of them
$a5 = "Identity: "
$a6 = "<CONFIG TIMESTAMP="
condition:
all of them
}
}
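Review bot: The restyled rule headers drop the YARA tags — `rule Casper_Backdoor_x86 : APT Backdoor` and `rule Casper_EXE_Dropper : Dropper` become bare `rule Casper_Backdoor_x86` and `rule Casper_EXE_Dropper` — which is not a pure style change, because anyone selecting rules by tag (`yara -t APT`) or grouping alerts by tag in a scanning pipeline silently stops matching these two rules; the tags should be kept on the new headers. The collapsed condition of Casper_Included_Strings, `all of ($a*) or ( $mz at 0 ) and ( 1 of ($c*) )`, relies on `and` binding tighter than `or`; the old two-line layout made that grouping visible, so the one-line form should read `all of ($a*) or ( ( $mz at 0 ) and ( 1 of ($c*) ) )` to stop a reader assuming the MZ check guards both branches. `import "pe"` is carried over as context but no rule in this file references the pe module, so either drop it or add a comment saying why it is retained. Which side each line belongs to is inferred from the brace-on-its-own-line formatting of the new style, as the rendered page carries no +/- markers.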