/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule EnfalCode : Enfal Family
{
    // Matches the inline string-decoding loop seen in Enfal samples.
    // There is no file-header gate, so the rule fires on any buffer
    // (file or memory region) that contains the byte sequence.
    meta:
        description = "Enfal code tricks"
        author = "Seth Hardy"
        last_modified = "2014-06-19"

    strings:
        // Disassembly of the opcode bytes below:
        //   mov al, 20h; sub al, bl; add [ebx+esi], al;
        //   push esi; inc ebx; call edi; cmp ebx, eax
        $decode_loop = { B0 20 2A C3 00 04 33 56 43 FF D7 3B D8 }

    condition:
        // Single-string rule: naming the string is equivalent to "any of them".
        $decode_loop
}
rule EnfalStrings : Enfal Family
{
    // Artefact strings (PDB paths, project names, URI paths, tokens) from
    // Enfal / LuridDownloader builds. Strings are grouped by origin; the
    // condition is unchanged: one hit on any of them is enough, so keep in
    // mind that short, generic paths such as "/Query.txt" carry little
    // weight on their own and warrant corroboration by another rule.
    meta:
        description = "Enfal Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-19"

    strings:
        // Build artefacts: PDB and project paths (UTF-8 bytes for CJK path components).
        $build1 = "D:\\work\\\xe6\xba\x90\xe5\x93\xa5\xe5\x85\x8d\xe6\x9d\x80\\tmp\\Release\\ServiceDll.pdb"
        $build2 = "e:\\programs\\LuridDownLoader"
        $build3 = "LuridDownloader for Falcon"
        $build4 = "DllServiceTrojan"
        $build5 = "\\k\\\xe6\xa1\x8c\xe8\x9d\xa2\\"
        $build6 = "EtenFalcon\xef\xbc\x88\xe4\xbf\xae\xe6\x94\xb9\xef\xbc\x89"

        // Embedded markers and tokens.
        $tok1 = "Madonna\x00Jesus"
        $tok2 = "fuckNodAgain"
        $tok3 = "iloudermao"
        $tok4 = "NFal.exe"
        $tok5 = "LINLINVMAN"
        $tok6 = "7NFP4R9W"

        // Server-side script names.
        $cgi1 = "Crpq2.cgi"
        $cgi2 = "Clnpp5.cgi"
        $cgi3 = "Dqpq3ll.cgi"
        $cgi4 = "dieosn83.cgi"
        $cgi5 = "Rwpq1.cgi"

        // URI paths.
        $uri1 = "/iupw82/netstate"
        $uri2 = "/Ccmwhite"
        $uri3 = "/Cmwhite"
        $uri4 = "/Crpwhite"
        $uri5 = "/Dfwhite"
        $uri6 = "/Query.txt"
        $uri7 = "/Ufwhite"
        $uri8 = "/cgl-bin/Clnpp5.cgi"
        $uri9 = "/cgl-bin/Crpq2.cgi"
        $uri10 = "/cgl-bin/Dwpq3ll.cgi"
        $uri11 = "/cgl-bin/Owpq4.cgi"
        $uri12 = "/cgl-bin/Rwpq1.cgi"
        $uri13 = "/trandocs/mm/"
        $uri14 = "/trandocs/netstat"

    condition:
        any of them
}
rule Enfal : Family
{
    // Aggregate rule: true when either the code-pattern rule (EnfalCode) or
    // the string rule (EnfalStrings) defined earlier in this file matches.
    meta:
        description = "Enfal"
        author = "Seth Hardy"
        last_modified = "2014-06-19"

    condition:
        EnfalStrings or EnfalCode
}
rule Enfal_Malware {
    // Profiles a sample by the set of OS-version tags and environment
    // variable names it embeds. Every individual string is generic, which
    // is why the condition requires all of them; there is no PE-header
    // check, so the rule is evaluated on any scanned buffer.
    meta:
        description = "Detects a certain type of Enfal Malware"
        author = "Florian Roth"
        reference = "not set"
        date = "2015/02/10"
        hash = "9639ec9aca4011b2724d8e7ddd13db19913e3e16"
        score = 60

    strings:
        // Process name referenced by the sample.
        $proc1 = "POWERPNT.exe" fullword ascii

        // Environment variable names used to build paths.
        $env1 = "%APPDATA%\\Microsoft\\Windows\\" fullword ascii
        $env2 = "%HOMEPATH%" fullword ascii
        $env3 = "%HOMEDRIVE%" fullword ascii
        $env4 = "%ComSpec%" fullword ascii

        // Windows Server version labels.
        $os1 = "Server2008" fullword ascii
        $os2 = "Server2003" fullword ascii
        $os3 = "Server2003R2" fullword ascii
        $os4 = "Server2008R2" fullword ascii

    condition:
        all of them
}
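rule Enfal_Malware_Backdoor {
    // Generic Enfal backdoor rule. Matches PE files that carry one of the
    // misspelled vendor/service strings ($x*), or the full set of service
    // artefacts ($s*) together with the full set of export/GUID/resource
    // strings ($z*).
    meta:
        description = "Generic Rule to detect the Enfal Malware"
        author = "Florian Roth"
        date = "2015/02/10"
        super_rule = 1
        hash0 = "6d484daba3927fc0744b1bbd7981a56ebef95790"
        hash1 = "d4071272cc1bf944e3867db299b3f5dce126f82b"
        hash2 = "6c7c8b804cc76e2c208c6e3b6453cb134d01fa41"
        score = 60

    strings:
        // High-confidence: misspellings unlikely to appear in legitimate binaries.
        $x1 = "Micorsoft Corportation" fullword wide
        $x2 = "IM Monnitor Service" fullword wide

        // Service artefacts.
        $s1 = "imemonsvc.dll" fullword wide
        $s2 = "iphlpsvc.tmp" fullword

        // Supporting strings; a string without ascii/wide modifier matches ascii only.
        $z1 = "urlmon" fullword
        $z2 = "Registered trademarks and service marks are the property of their respec" wide
        $z3 = "XpsUnregisterServer" fullword
        $z4 = "XpsRegisterServer" fullword
        $z5 = "{53A4988C-F91F-4054-9076-220AC5EC03F3}" fullword

    condition:
        // MZ header check done as an integer read rather than the former
        // 2-byte hex string "$mz at 0": same result, but a 2-byte pattern
        // is a poor search atom and slows scanning. This also matches the
        // header check style used by ce_enfal_cmstar_debug_msg below.
        uint16(0) == 0x5a4d and
        (
            1 of ($x*) or
            ( all of ($s*) and all of ($z*) )
        )
}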
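rule ce_enfal_cmstar_debug_msg
{
    // Detects CMSTAR by its CRLF-terminated debug status tokens. Meta keys
    // are lowercased to match the convention used by every other rule in
    // this file (author/date/description/reference); values are unchanged.
    meta:
        author = "rfalcone"
        date = "2015.05.10"
        description = "Detects the static debug strings within CMSTAR"
        reference = "http://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin"

    strings:
        // Each token is followed by the literal bytes 0x0d 0x0a (CRLF);
        // fullword keeps the token from matching inside a longer word.
        $d1 = "EEE\x0d\x0a" fullword
        $d2 = "TKE\x0d\x0a" fullword
        $d3 = "VPE\x0d\x0a" fullword
        $d4 = "VPS\x0d\x0a" fullword
        $d5 = "WFSE\x0d\x0a" fullword
        $d6 = "WFSS\x0d\x0a" fullword
        $d7 = "CM**\x0d\x0a" fullword

    condition:
        // Require an MZ header and the complete set of debug tokens.
        uint16(0) == 0x5a4d and all of ($d*)
}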