Commit f9098b63 by Marc Rivero López Committed by GitHub

Update APT_Sofacy_Jun16.yar

parent 1913ff66
...@@ -7,53 +7,64 @@ ...@@ -7,53 +7,64 @@
/* Rule Set ----------------------------------------------------------------- */ /* Rule Set ----------------------------------------------------------------- */
rule Sofacy_Jun16_Sample1 : Sofacy APT APT28 { rule Sofacy_Jun16_Sample1
meta: {
description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
author = "Florian Roth" meta:
reference = "http://goo.gl/mzAa97" description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
date = "2016-06-14" author = "Florian Roth"
score = 85 reference = "http://goo.gl/mzAa97"
hash1 = "be1cfa10fcf2668ae01b98579b345ebe87dab77b6b1581c368d1aba9fd2f10a0" date = "2016-06-14"
strings: score = 85
$s1 = "clconfg.dll" fullword ascii hash1 = "be1cfa10fcf2668ae01b98579b345ebe87dab77b6b1581c368d1aba9fd2f10a0"
$s2 = "ASijnoKGszdpodPPiaoaghj8127391" fullword wide
condition: strings:
( uint16(0) == 0x5a4d and filesize < 200KB and ( 1 of ($s*) ) ) or ( all of them ) $s1 = "clconfg.dll" fullword ascii
$s2 = "ASijnoKGszdpodPPiaoaghj8127391" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 200KB and ( 1 of ($s*) ) ) or ( all of them )
} }
rule Sofacy_Jun16_Sample2 : Sofacy APT APT28 { rule Sofacy_Jun16_Sample2
meta: {
description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
author = "Florian Roth" meta:
reference = "http://goo.gl/mzAa97" description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
date = "2016-06-14" author = "Florian Roth"
score = 85 reference = "http://goo.gl/mzAa97"
hash1 = "57d230ddaf92e2d0504e5bb12abf52062114fb8980c5ecc413116b1d6ffedf1b" date = "2016-06-14"
hash2 = "69940a20ab9abb31a03fcefe6de92a16ed474bbdff3288498851afc12a834261" score = 85
hash3 = "aeeab3272a2ed2157ebf67f74c00fafc787a2b9bbaa17a03be1e23d4cb273632" hash1 = "57d230ddaf92e2d0504e5bb12abf52062114fb8980c5ecc413116b1d6ffedf1b"
strings: hash2 = "69940a20ab9abb31a03fcefe6de92a16ed474bbdff3288498851afc12a834261"
$x1 = "DGMNOEP" fullword ascii hash3 = "aeeab3272a2ed2157ebf67f74c00fafc787a2b9bbaa17a03be1e23d4cb273632"
$x2 = "/%s%s%s/?%s=" fullword ascii
strings:
$s1 = "Control Panel\\Dehttps=https://%snetwork.proxy.ht2" fullword ascii $x1 = "DGMNOEP" fullword ascii
$s2 = "http=http://%s:%Control Panel\\Denetwork.proxy.ht&ol1mS9" fullword ascii $x2 = "/%s%s%s/?%s=" fullword ascii
$s3 = "svchost.dll" fullword wide $s1 = "Control Panel\\Dehttps=https://%snetwork.proxy.ht2" fullword ascii
$s4 = "clconfig.dll" fullword wide $s2 = "http=http://%s:%Control Panel\\Denetwork.proxy.ht&ol1mS9" fullword ascii
condition: $s3 = "svchost.dll" fullword wide
( uint16(0) == 0x5a4d and filesize < 100KB and ( all of ($x*) ) ) or ( 3 of them ) $s4 = "clconfig.dll" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 100KB and ( all of ($x*) ) ) or ( 3 of them )
} }
rule Sofacy_Jun16_Sample3 : Sofacy APT APT28 { rule Sofacy_Jun16_Sample3
meta: {
description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
author = "Florian Roth" meta:
reference = "http://goo.gl/mzAa97" description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
date = "2016-06-14" author = "Florian Roth"
score = 85 reference = "http://goo.gl/mzAa97"
hash1 = "c2551c4e6521ac72982cb952503a2e6f016356e02ee31dea36c713141d4f3785" date = "2016-06-14"
strings: score = 85
$s1 = "ASLIiasiuqpssuqkl713h" fullword wide hash1 = "c2551c4e6521ac72982cb952503a2e6f016356e02ee31dea36c713141d4f3785"
condition:
uint16(0) == 0x5a4d and filesize < 200KB and $s1 strings:
$s1 = "ASLIiasiuqpssuqkl713h" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 200KB and $s1
} }
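Review bot: The new rule headers appear to have lost the tag list that the old side carried — `rule Sofacy_Jun16_Sample1 : Sofacy APT APT28 {` becomes a bare `rule Sofacy_Jun16_Sample1` followed by `{` on its own line, and the same happens for Sample2 and Sample3. Rule tags are what lets a scanner select or report on these rules by family (the `Sofacy`, `APT`, `APT28` tags), so dropping them silently breaks any tag-based filtering or triage that consumers of this rule set rely on, while the rest of the hunk is only whitespace and brace placement. The side-by-side rendering is fused here, so this is inferred from reading the right-hand column as the new side; if that is correct, the three header lines should be restored to `rule Sofacy_Jun16_Sample1 : Sofacy APT APT28`, `rule Sofacy_Jun16_Sample2 : Sofacy APT APT28` and `rule Sofacy_Jun16_Sample3 : Sofacy APT APT28`, with the opening brace kept wherever the new layout prefers it. If the tag removal is intentional, the commit message should say so, since `Update APT_Sofacy_Jun16.yar` gives no hint that rule metadata changed.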