Commit f1d9f781 by Marc Rivero López Committed by GitHub

Update APT_FiveEyes.yar

Fixed rule style
parent a2f7d48f
...@@ -8,13 +8,16 @@ import "pe" ...@@ -8,13 +8,16 @@ import "pe"
/* FIVE EYES ------------------------------------------------------------------------------- */ /* FIVE EYES ------------------------------------------------------------------------------- */
rule FiveEyes_QUERTY_Malwareqwerty_20121 { rule FiveEyes_QUERTY_Malwareqwerty_20121
{
meta: meta:
description = "FiveEyes QUERTY Malware - file 20121.xml" description = "FiveEyes QUERTY Malware - file 20121.xml"
author = "Florian Roth" author = "Florian Roth"
reference = "http://www.spiegel.de/media/media-35668.pdf" reference = "http://www.spiegel.de/media/media-35668.pdf"
date = "2015/01/18" date = "2015/01/18"
hash = "8263fb58350f3b1d3c4220a602421232d5e40726" hash = "8263fb58350f3b1d3c4220a602421232d5e40726"
strings: strings:
$s0 = "<configFileName>20121_cmdDef.xml</configFileName>" fullword ascii $s0 = "<configFileName>20121_cmdDef.xml</configFileName>" fullword ascii
$s1 = "<name>20121.dll</name>" fullword ascii $s1 = "<name>20121.dll</name>" fullword ascii
...@@ -27,34 +30,42 @@ rule FiveEyes_QUERTY_Malwareqwerty_20121 { ...@@ -27,34 +30,42 @@ rule FiveEyes_QUERTY_Malwareqwerty_20121 {
$s8 = "</platform>" fullword ascii $s8 = "</platform>" fullword ascii
$s9 = "</lpConfig>" fullword ascii $s9 = "</lpConfig>" fullword ascii
$s10 = "<lpConfig>" fullword ascii $s10 = "<lpConfig>" fullword ascii
condition: condition:
9 of them 9 of them
} }
rule FiveEyes_QUERTY_Malwaresig_20123_sys { rule FiveEyes_QUERTY_Malwaresig_20123_sys
{
meta: meta:
description = "FiveEyes QUERTY Malware - file 20123.sys.bin" description = "FiveEyes QUERTY Malware - file 20123.sys.bin"
author = "Florian Roth" author = "Florian Roth"
reference = "http://www.spiegel.de/media/media-35668.pdf" reference = "http://www.spiegel.de/media/media-35668.pdf"
date = "2015/01/18" date = "2015/01/18"
hash = "a0f0087bd1f8234d5e847363d7e15be8a3e6f099" hash = "a0f0087bd1f8234d5e847363d7e15be8a3e6f099"
strings: strings:
$s0 = "20123.dll" fullword ascii $s0 = "20123.dll" fullword ascii
$s1 = "kbdclass.sys" fullword wide $s1 = "kbdclass.sys" fullword wide
$s2 = "IoFreeMdl" fullword ascii $s2 = "IoFreeMdl" fullword ascii
$s3 = "ntoskrnl.exe" fullword ascii $s3 = "ntoskrnl.exe" fullword ascii
$s4 = "KfReleaseSpinLock" fullword ascii $s4 = "KfReleaseSpinLock" fullword ascii
condition: condition:
all of them all of them
} }
rule FiveEyes_QUERTY_Malwaresig_20123_cmdDef { rule FiveEyes_QUERTY_Malwaresig_20123_cmdDef
{
meta: meta:
description = "FiveEyes QUERTY Malware - file 20123_cmdDef.xml" description = "FiveEyes QUERTY Malware - file 20123_cmdDef.xml"
author = "Florian Roth" author = "Florian Roth"
reference = "http://www.spiegel.de/media/media-35668.pdf" reference = "http://www.spiegel.de/media/media-35668.pdf"
date = "2015/01/18" date = "2015/01/18"
hash = "7b08fc77629f6caaf8cc4bb5f91be6b53e19a3cd" hash = "7b08fc77629f6caaf8cc4bb5f91be6b53e19a3cd"
strings: strings:
$s0 = "<shortDescription>Keystroke Collector</shortDescription>" fullword ascii $s0 = "<shortDescription>Keystroke Collector</shortDescription>" fullword ascii
$s1 = "This plugin is the E_Qwerty Kernel Mode driver for logging keys.</description>" fullword ascii $s1 = "This plugin is the E_Qwerty Kernel Mode driver for logging keys.</description>" fullword ascii
...@@ -77,30 +88,39 @@ rule FiveEyes_QUERTY_Malwaresig_20123_cmdDef { ...@@ -77,30 +88,39 @@ rule FiveEyes_QUERTY_Malwaresig_20123_cmdDef {
$s18 = "<?xml-stylesheet type=\"text/xsl\" href=\"../XSLT/pluginHTML.xsl\"?>" fullword ascii $s18 = "<?xml-stylesheet type=\"text/xsl\" href=\"../XSLT/pluginHTML.xsl\"?>" fullword ascii
$s19 = "<pluginsDepend>U_HookManager v1.0, Kernel Covert Store v1.0</pluginsDepend>" fullword ascii $s19 = "<pluginsDepend>U_HookManager v1.0, Kernel Covert Store v1.0</pluginsDepend>" fullword ascii
$s20 = "<plugin id=\"20123\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi" ascii $s20 = "<plugin id=\"20123\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi" ascii
condition: condition:
14 of them 14 of them
} }
rule FiveEyes_QUERTY_Malwaresig_20121_dll { rule FiveEyes_QUERTY_Malwaresig_20121_dll
{
meta: meta:
description = "FiveEyes QUERTY Malware - file 20121.dll.bin" description = "FiveEyes QUERTY Malware - file 20121.dll.bin"
author = "Florian Roth" author = "Florian Roth"
reference = "http://www.spiegel.de/media/media-35668.pdf" reference = "http://www.spiegel.de/media/media-35668.pdf"
date = "2015/01/18" date = "2015/01/18"
hash = "89504d91c5539a366e153894c1bc17277116342b" hash = "89504d91c5539a366e153894c1bc17277116342b"
strings: strings:
$s0 = "WarriorPride\\production2.0\\package\\E_Wzowski" ascii $s0 = "WarriorPride\\production2.0\\package\\E_Wzowski" ascii
$s1 = "20121.dll" fullword ascii $s1 = "20121.dll" fullword ascii
condition: condition:
all of them all of them
} }
rule FiveEyes_QUERTY_Malwareqwerty_20123 {
rule FiveEyes_QUERTY_Malwareqwerty_20123
{
meta: meta:
description = "FiveEyes QUERTY Malware - file 20123.xml" description = "FiveEyes QUERTY Malware - file 20123.xml"
author = "Florian Roth" author = "Florian Roth"
reference = "http://www.spiegel.de/media/media-35668.pdf" reference = "http://www.spiegel.de/media/media-35668.pdf"
date = "2015/01/18" date = "2015/01/18"
hash = "edc7228b2e27df9e7ff9286bddbf4e46adb51ed9" hash = "edc7228b2e27df9e7ff9286bddbf4e46adb51ed9"
strings: strings:
$s0 = "<!-- edited with XMLSPY v5 rel. 4 U (http://www.xmlspy.com) by TEAM (RENEGADE) -" ascii $s0 = "<!-- edited with XMLSPY v5 rel. 4 U (http://www.xmlspy.com) by TEAM (RENEGADE) -" ascii
$s1 = "<configFileName>20123_cmdDef.xml</configFileName>" fullword ascii $s1 = "<configFileName>20123_cmdDef.xml</configFileName>" fullword ascii
...@@ -114,17 +134,21 @@ rule FiveEyes_QUERTY_Malwareqwerty_20123 { ...@@ -114,17 +134,21 @@ rule FiveEyes_QUERTY_Malwareqwerty_20123 {
$s9 = "</platform>" fullword ascii $s9 = "</platform>" fullword ascii
$s10 = "</lpConfig>" fullword ascii $s10 = "</lpConfig>" fullword ascii
$s11 = "<lpConfig>" fullword ascii $s11 = "<lpConfig>" fullword ascii
condition: condition:
9 of them 9 of them
} }
rule FiveEyes_QUERTY_Malwaresig_20120_dll { rule FiveEyes_QUERTY_Malwaresig_20120_dll
{
meta: meta:
description = "FiveEyes QUERTY Malware - file 20120.dll.bin" description = "FiveEyes QUERTY Malware - file 20120.dll.bin"
author = "Florian Roth" author = "Florian Roth"
reference = "http://www.spiegel.de/media/media-35668.pdf" reference = "http://www.spiegel.de/media/media-35668.pdf"
date = "2015/01/18" date = "2015/01/18"
hash = "6811bfa3b8cda5147440918f83c40237183dbd25" hash = "6811bfa3b8cda5147440918f83c40237183dbd25"
strings: strings:
$s0 = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.txt" fullword wide $s0 = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.txt" fullword wide
$s1 = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.xml" fullword wide $s1 = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.xml" fullword wide
...@@ -147,17 +171,21 @@ rule FiveEyes_QUERTY_Malwaresig_20120_dll { ...@@ -147,17 +171,21 @@ rule FiveEyes_QUERTY_Malwaresig_20120_dll {
$s18 = "- Log files were NOT generated!" fullword wide $s18 = "- Log files were NOT generated!" fullword wide
$s19 = "Windows 2000/XP: Armenian. This is Unicode only." fullword wide $s19 = "Windows 2000/XP: Armenian. This is Unicode only." fullword wide
$s20 = "- This machine is using a PS/2 Keyboard - Continue on using QWERTY" fullword wide $s20 = "- This machine is using a PS/2 Keyboard - Continue on using QWERTY" fullword wide
condition: condition:
10 of them 10 of them
} }
rule FiveEyes_QUERTY_Malwaresig_20120_cmdDef { rule FiveEyes_QUERTY_Malwaresig_20120_cmdDef
{
meta: meta:
description = "FiveEyes QUERTY Malware - file 20120_cmdDef.xml" description = "FiveEyes QUERTY Malware - file 20120_cmdDef.xml"
author = "Florian Roth" author = "Florian Roth"
reference = "http://www.spiegel.de/media/media-35668.pdf" reference = "http://www.spiegel.de/media/media-35668.pdf"
date = "2015/01/18" date = "2015/01/18"
hash = "cda9ceaf0a39d6b8211ce96307302a53dfbd71ea" hash = "cda9ceaf0a39d6b8211ce96307302a53dfbd71ea"
strings: strings:
$s0 = "This PPC gets the current keystroke log." fullword ascii $s0 = "This PPC gets the current keystroke log." fullword ascii
$s1 = "This command will add the given WindowTitle to the list of Windows to log keys f" ascii $s1 = "This command will add the given WindowTitle to the list of Windows to log keys f" ascii
...@@ -180,17 +208,21 @@ rule FiveEyes_QUERTY_Malwaresig_20120_cmdDef { ...@@ -180,17 +208,21 @@ rule FiveEyes_QUERTY_Malwaresig_20120_cmdDef {
$s18 = "<command id=\"7\">" fullword ascii $s18 = "<command id=\"7\">" fullword ascii
$s19 = "<command id=\"1\">" fullword ascii $s19 = "<command id=\"1\">" fullword ascii
$s20 = "<command id=\"4\">" fullword ascii $s20 = "<command id=\"4\">" fullword ascii
condition: condition:
10 of them 10 of them
} }
rule FiveEyes_QUERTY_Malwareqwerty_20120 { rule FiveEyes_QUERTY_Malwareqwerty_20120
{
meta: meta:
description = "FiveEyes QUERTY Malware - file 20120.xml" description = "FiveEyes QUERTY Malware - file 20120.xml"
author = "Florian Roth" author = "Florian Roth"
reference = "http://www.spiegel.de/media/media-35668.pdf" reference = "http://www.spiegel.de/media/media-35668.pdf"
date = "2015/01/18" date = "2015/01/18"
hash = "597082f05bfd3225587d480c30f54a7a1326a892" hash = "597082f05bfd3225587d480c30f54a7a1326a892"
strings: strings:
$s0 = "<configFileName>20120_cmdDef.xml</configFileName>" fullword ascii $s0 = "<configFileName>20120_cmdDef.xml</configFileName>" fullword ascii
$s1 = "<name>20120.dll</name>" fullword ascii $s1 = "<name>20120.dll</name>" fullword ascii
...@@ -203,17 +235,21 @@ rule FiveEyes_QUERTY_Malwareqwerty_20120 { ...@@ -203,17 +235,21 @@ rule FiveEyes_QUERTY_Malwareqwerty_20120 {
$s8 = "</platform>" fullword ascii $s8 = "</platform>" fullword ascii
$s9 = "</lpConfig>" fullword ascii $s9 = "</lpConfig>" fullword ascii
$s10 = "<lpConfig>" fullword ascii $s10 = "<lpConfig>" fullword ascii
condition: condition:
all of them all of them
} }
rule FiveEyes_QUERTY_Malwaresig_20121_cmdDef { rule FiveEyes_QUERTY_Malwaresig_20121_cmdDef
{
meta: meta:
description = "FiveEyes QUERTY Malware - file 20121_cmdDef.xml" description = "FiveEyes QUERTY Malware - file 20121_cmdDef.xml"
author = "Florian Roth" author = "Florian Roth"
reference = "http://www.spiegel.de/media/media-35668.pdf" reference = "http://www.spiegel.de/media/media-35668.pdf"
date = "2015/01/18" date = "2015/01/18"
hash = "64ac06aa4e8d93ea6063eade7ce9687b1d035907" hash = "64ac06aa4e8d93ea6063eade7ce9687b1d035907"
strings: strings:
$s0 = "<shortDescription>Keystroke Logger Plugin.</shortDescription>" fullword ascii $s0 = "<shortDescription>Keystroke Logger Plugin.</shortDescription>" fullword ascii
$s1 = "<message>Failed to get File Time</message>" fullword ascii $s1 = "<message>Failed to get File Time</message>" fullword ascii
...@@ -236,6 +272,7 @@ rule FiveEyes_QUERTY_Malwaresig_20121_cmdDef { ...@@ -236,6 +272,7 @@ rule FiveEyes_QUERTY_Malwaresig_20121_cmdDef {
$s18 = "<minorType>0</minorType>" fullword ascii $s18 = "<minorType>0</minorType>" fullword ascii
$s19 = "<code>00001002</code>" fullword ascii $s19 = "<code>00001002</code>" fullword ascii
$s20 = "<code>00001001</code>" fullword ascii $s20 = "<code>00001001</code>" fullword ascii
condition: condition:
12 of them 12 of them
} }