Commit f9098b63 by Marc Rivero López Committed by GitHub

Update APT_Sofacy_Jun16.yar

parent 1913ff66
...@@ -7,7 +7,9 @@ ...@@ -7,7 +7,9 @@
/* Rule Set ----------------------------------------------------------------- */ /* Rule Set ----------------------------------------------------------------- */
rule Sofacy_Jun16_Sample1 : Sofacy APT APT28 { rule Sofacy_Jun16_Sample1
{
meta: meta:
description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report" description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
author = "Florian Roth" author = "Florian Roth"
...@@ -15,14 +17,18 @@ rule Sofacy_Jun16_Sample1 : Sofacy APT APT28 { ...@@ -15,14 +17,18 @@ rule Sofacy_Jun16_Sample1 : Sofacy APT APT28 {
date = "2016-06-14" date = "2016-06-14"
score = 85 score = 85
hash1 = "be1cfa10fcf2668ae01b98579b345ebe87dab77b6b1581c368d1aba9fd2f10a0" hash1 = "be1cfa10fcf2668ae01b98579b345ebe87dab77b6b1581c368d1aba9fd2f10a0"
strings: strings:
$s1 = "clconfg.dll" fullword ascii $s1 = "clconfg.dll" fullword ascii
$s2 = "ASijnoKGszdpodPPiaoaghj8127391" fullword wide $s2 = "ASijnoKGszdpodPPiaoaghj8127391" fullword wide
condition: condition:
( uint16(0) == 0x5a4d and filesize < 200KB and ( 1 of ($s*) ) ) or ( all of them ) ( uint16(0) == 0x5a4d and filesize < 200KB and ( 1 of ($s*) ) ) or ( all of them )
} }
rule Sofacy_Jun16_Sample2 : Sofacy APT APT28 { rule Sofacy_Jun16_Sample2
{
meta: meta:
description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report" description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
author = "Florian Roth" author = "Florian Roth"
...@@ -32,19 +38,22 @@ rule Sofacy_Jun16_Sample2 : Sofacy APT APT28 { ...@@ -32,19 +38,22 @@ rule Sofacy_Jun16_Sample2 : Sofacy APT APT28 {
hash1 = "57d230ddaf92e2d0504e5bb12abf52062114fb8980c5ecc413116b1d6ffedf1b" hash1 = "57d230ddaf92e2d0504e5bb12abf52062114fb8980c5ecc413116b1d6ffedf1b"
hash2 = "69940a20ab9abb31a03fcefe6de92a16ed474bbdff3288498851afc12a834261" hash2 = "69940a20ab9abb31a03fcefe6de92a16ed474bbdff3288498851afc12a834261"
hash3 = "aeeab3272a2ed2157ebf67f74c00fafc787a2b9bbaa17a03be1e23d4cb273632" hash3 = "aeeab3272a2ed2157ebf67f74c00fafc787a2b9bbaa17a03be1e23d4cb273632"
strings: strings:
$x1 = "DGMNOEP" fullword ascii $x1 = "DGMNOEP" fullword ascii
$x2 = "/%s%s%s/?%s=" fullword ascii $x2 = "/%s%s%s/?%s=" fullword ascii
$s1 = "Control Panel\\Dehttps=https://%snetwork.proxy.ht2" fullword ascii $s1 = "Control Panel\\Dehttps=https://%snetwork.proxy.ht2" fullword ascii
$s2 = "http=http://%s:%Control Panel\\Denetwork.proxy.ht&ol1mS9" fullword ascii $s2 = "http=http://%s:%Control Panel\\Denetwork.proxy.ht&ol1mS9" fullword ascii
$s3 = "svchost.dll" fullword wide $s3 = "svchost.dll" fullword wide
$s4 = "clconfig.dll" fullword wide $s4 = "clconfig.dll" fullword wide
condition: condition:
( uint16(0) == 0x5a4d and filesize < 100KB and ( all of ($x*) ) ) or ( 3 of them ) ( uint16(0) == 0x5a4d and filesize < 100KB and ( all of ($x*) ) ) or ( 3 of them )
} }
rule Sofacy_Jun16_Sample3 : Sofacy APT APT28 { rule Sofacy_Jun16_Sample3
{
meta: meta:
description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report" description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
author = "Florian Roth" author = "Florian Roth"
...@@ -52,8 +61,10 @@ rule Sofacy_Jun16_Sample3 : Sofacy APT APT28 { ...@@ -52,8 +61,10 @@ rule Sofacy_Jun16_Sample3 : Sofacy APT APT28 {
date = "2016-06-14" date = "2016-06-14"
score = 85 score = 85
hash1 = "c2551c4e6521ac72982cb952503a2e6f016356e02ee31dea36c713141d4f3785" hash1 = "c2551c4e6521ac72982cb952503a2e6f016356e02ee31dea36c713141d4f3785"
strings: strings:
$s1 = "ASLIiasiuqpssuqkl713h" fullword wide $s1 = "ASLIiasiuqpssuqkl713h" fullword wide
condition: condition:
uint16(0) == 0x5a4d and filesize < 200KB and $s1 uint16(0) == 0x5a4d and filesize < 200KB and $s1
} }
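Review bot: The tag list `: Sofacy APT APT28` is dropped from the rule header on the new side of the first hunk (`rule Sofacy_Jun16_Sample1` followed by `{`), and the same happens to `Sofacy_Jun16_Sample2` and `Sofacy_Jun16_Sample3` in the later hunks; that is a functional change, not just the brace relocation the rest of the diff suggests. Consumers that select or report rules by tag (for example `yara -t APT28 ...`) will no longer match these three rules, and the visible `meta:` blocks carry no equivalent actor field to fall back on. If only the brace placement was intended, keep the tags on the header line: `rule Sofacy_Jun16_Sample1 : Sofacy APT APT28` followed by `{` on its own line, and likewise for the other two rules. If removing the tags is deliberate, the commit message should state that so downstream rule sets are not surprised.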