How to Write Simple but Sound Yara Rules - Part 2 - Nextron Systems
Tags
attack-pattern:
- Data Ip Addresses - T1590.005
- Javascript - T1059.007
- Malware - T1587.001
- Malware - T1588.001
- Python - T1059.006
- Software - T1592.002
- Tool - T1588.002
- Sudo - T1169
Common Information
Type | Value |
---|---|
UUID | 5d8689ef-0fc9-44f2-b35c-6dbdd30446e7 |
Fingerprint | 2e362abaadfef0fc |
Analysis status | DONE |
Considered CTI value | -2 |
Text language | |
Published | Oct. 17, 2015, 4:53 p.m. |
Added to db | Sept. 26, 2022, 9:30 a.m. |
Last updated | Nov. 17, 2024, 2:56 a.m. |
Headline | How to Write Simple but Sound Yara Rules – Part 2 |
Title | How to Write Simple but Sound Yara Rules - Part 2 - Nextron Systems |
Detected Hints/Tags/Attributes | 38/1/21 |
Source URLs
URL | Provider |
---|---|
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 12 | | blog.gdatasoftware.com |
Details | Domain | 80 | | goo.gl |
Details | Domain | 4 | | yargen.py |
Details | File | 2 | | imemonsvc.dll |
Details | File | 2 | | iphlpsvc.tmp |
Details | File | 2 | | wwwlib.dll |
Details | File | 1 | | analysis-of-project-cobra.html |
Details | File | 2 | | kmsvc.dll |
Details | File | 1 | | svchostservicedll_w2k3.dll |
Details | File | 3 | | msimghlp.dll |
Details | File | 7 | | ab.exe |
Details | File | 4 | | yargen.py |
Details | sha1 | 2 | | 6d484daba3927fc0744b1bbd7981a56ebef95790 |
Details | sha1 | 2 | | d4071272cc1bf944e3867db299b3f5dce126f82b |
Details | sha1 | 2 | | 6c7c8b804cc76e2c208c6e3b6453cb134d01fa41 |
Details | sha1 | 2 | | a28164de29e51f154be12d163ce5818fceb69233 |
Details | sha256 | 1 | | d5696b32d32177cf70eaaa5a28d1c5823526d87e20d3c62b747517c6d41656f7 |
Details | Url | 1 | | https://blog.gdatasoftware.com/blog/article/analysis-of-project-cobra.html |
Details | Url | 1 | | https://goo.gl/zuzv2s |
Details | Yara rule | 1 | | rule Enfal_Malware_Backdoor (full rule below) |
Details | Yara rule | 1 | | rule Cobra_Trojan_Stage1 (full rule below) |

Yara rule 1 (as recorded on this page; the misspelled strings such as "Micorsoft Corportation" are the malware's own artifacts and are intentional):

```yara
rule Enfal_Malware_Backdoor {
    meta:
        description = "Generic Rule to detect the Enfal Malware"
        author = "Florian Roth"
        date = "2015/02/10"
        super_rule = 1
        hash0 = "6d484daba3927fc0744b1bbd7981a56ebef95790"
        hash1 = "d4071272cc1bf944e3867db299b3f5dce126f82b"
        hash2 = "6c7c8b804cc76e2c208c6e3b6453cb134d01fa41"
        score = 60
    strings:
        $x1 = "Micorsoft Corportation" wide fullword
        $x2 = "IM Monnitor Service" wide fullword
        $a1 = "imemonsvc.dll" wide fullword
        $a2 = "iphlpsvc.tmp" fullword
        $a3 = "{53A4988C-F91F-4054-9076-220AC5EC03F3}" fullword
        $s1 = "urlmon" fullword
        $s2 = "Registered trademarks and service marks are the property of their" wide
        $s3 = "XpsUnregisterServer" fullword
        $s4 = "XpsRegisterServer" fullword
    condition:
        uint16(0) == 0x5A4D and ((1 of ($x*)) or (2 of ($a*) and all of ($s*)))
}
```

Yara rule 2 (as recorded on this page):

```yara
rule Cobra_Trojan_Stage1 {
    meta:
        description = "Cobra Trojan Stage 1"
        author = "Florian Roth"
        reference = "https://blog.gdatasoftware.com/blog/article/analysis-of-project-cobra.html"
        date = "2015/02/18"
        hash = "a28164de29e51f154be12d163ce5818fceb69233"
    strings:
        $x1 = "KmSvc.DLL" wide fullword
        $x2 = "SVCHostServiceDll_W2K3.dll" ascii fullword
        $s1 = "Microsoft Corporation. All rights reserved." wide fullword
        $s2 = "srservice" wide fullword
        $s3 = "Key Management Service" wide fullword
        $s4 = "msimghlp.dll" wide fullword
        $s5 = "_ServiceCtrlHandler@16" ascii fullword
        $s6 = "ModuleStart" ascii fullword
        $s7 = "ModuleStop" ascii fullword
        $s8 = "5.2.3790.3959 (srv03.sp2.070216-1710)" wide fullword
    condition:
        uint16(0) == 0x5A4D and filesize < 50000 and 1 of ($x*) and 6 of ($s*)
}
```