import "pe"

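rule lazarus_dtrack {
	// Dtrack sample attributed to Lazarus, reported in the KKNPP incident
	// (see the 2019-11-04 write-up "Is Lazarus/APT38 Targeting Critical
	// Infrastructures ?"). The sample embeds the SQLite shell, so many of its
	// strings are stock sqlite3 text that also occurs in benign binaries.
	// Those strings are kept as supporting evidence only: the condition below
	// never lets them satisfy the rule on their own, which the original
	// "4 of them" clause allowed (a legitimate sqlite3 shell build carries at
	// least seven of them).
	meta:
		description = "lazarus - dtrack on nuclear implant KKNPP"
		date = "2019-11-02"
		hash1 = "bfb39f486372a509f307cde3361795a2f9f759cbeb4cac07562dcbaebc070364"
	strings:
		// Highly specific: hard-coded internal staging host, result log name
		// and the browser-profile path the implant enumerates.
		$x1 = "move /y %s \\\\10.38.1.35\\C$\\Windows\\Temp\\MpLogs\\" ascii fullword
		$x2 = "Execute_%s.log" ascii fullword
		$x3 = "%s\\%s\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" ascii fullword
		// Campaign/implant specific, but individually weaker: "CCS_"-prefixed
		// library names and user agent, browser-history paths, the multipart
		// upload field and the hard-coded lateral-movement command.
		$c1 = "CCS_/c ping -n 3 127.0.0.1 >NUL & echo EEEE > \"%s\"" ascii fullword
		$c2 = "%s\\%s\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History" ascii fullword
		$c3 = "CCS_shell32.dll" ascii fullword
		$c4 = "%s\\%s\\AppData\\Application Data\\Mozilla\\Firefox\\Profiles" ascii fullword
		$c5 = "net use \\\\10.38.1.35\\C$ su.controller5kk /user:KKNPP\\administrator" ascii fullword
		$c6 = "CCS_Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36" ascii fullword
		$c7 = "Content-Disposition: form-data; name=\"result\"; filename=\"%s.bmp\"" ascii fullword
		$c8 = "CCS_kernel32.dll" ascii fullword
		$c9 = "CCS_Advapi32.dll" ascii fullword
		// Stock SQLite shell (shell.c) text. Any program that statically links
		// the sqlite3 shell carries these, so they only add weight to a hit
		// that already has a campaign-specific string.
		$q1 = "Usage: .system COMMAND" ascii fullword
		$q2 = "Usage: .dump ?--preserve-rowids? ?--newlines? ?LIKE-PATTERN?" ascii fullword
		$q3 = "%s:%d: expected %d columns but found %d - filling the rest with NULL" ascii fullword
		$q4 = "%s:%d: expected %d columns but found %d - extras ignored" ascii fullword
		$q5 = "VALUES(0,'memo','Missing SELFTEST table - default checks only',''),      (1,'run','PRAGMA integrity_check','ok')" ascii fullword
		$q6 = "Usage %s sub-command ?switches...?" ascii fullword
		$q7 = "Usage: .log FILENAME" ascii fullword
		$q8 = "%z%sSELECT pti.name FROM \"%w\".sqlite_master AS sm JOIN pragma_table_info(sm.name,%Q) AS pti WHERE sm.type='table'" ascii fullword
	condition:
		// MZ header and size bound first so the string scan is skipped on
		// non-PE or oversized files. The imphash and any $x string remain
		// sufficient alone; the "4 of them" path now additionally requires a
		// campaign-specific $c string, so SQLite-shell text cannot fire the
		// rule by itself.
		uint16(0) == 0x5a4d and filesize < 2000KB and (
			pe.imphash() == "75171549224b4292974d6ee3cf397db8" or
			1 of ($x*) or
			(1 of ($c*) and 4 of them)
		)
}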
Details Website 2019-11-04 19 Is Lazarus/APT38 Targeting Critical Infrastructures ?