Overview - Yara rules

Details Type #Events CTI Value
Details Yara rule 1
rule ReportGenerate_jsp {
	// Text-mode heuristic for a JSP file: three decrypt() call sites, an upload
	// error message and two short identifiers taken from the sample.
	// NOTE(review): the rule carries no meta block (description/author/reference)
	// unlike most rules in this set; consider adding one.
	strings:
		$s1 = "decrypt(fpath)"
		$s2 = "decrypt(fcontext)"
		$s3 = "decrypt(commandEnc)"
		$s4 = "upload failed!"
		$s5 = "sevck"
		$s6 = "newid"
	condition:
		// 4 of the 6 strings in a file under 15KB. Text strings without a
		// modifier match ASCII only, which is appropriate for .jsp source.
		filesize < 15KB and 4 of them
}
Details Yara rule 1
rule EncryptJSP {
	// Text-mode heuristic for a JSP file that does AES-CBC work and spawns a
	// process: JCE class/transformation names plus ProcessBuilder/BufferedReader.
	// NOTE(review): no meta block; consider adding description/author/reference.
	strings:
		$s1 = "AEScrypt"
		$s2 = "AES/CBC/PKCS5Padding"
		$s3 = "SecretKeySpec"
		// $s4-$s8 are standard Java API names that also appear in benign
		// servlets; the 6-of-8 threshold and the size cap provide the specificity.
		$s4 = "FileOutputStream"
		$s5 = "getParameter"
		$s6 = "new ProcessBuilder"
		$s7 = "new BufferedReader"
		$s8 = "readLine()"
	condition:
		// 6 of 8 strings in a file under 15KB; plain strings match ASCII only.
		filesize < 15KB and 6 of them
}
Details Yara rule 1
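rule Generic_PDF_Contains_Batch_Script {
	// Flags an input whose first bytes are the literal text "PDF Comment '%PDF"
	// and which also references a *.bat file name.
	// NOTE(review): the anchor is not the raw PDF magic ("%PDF-"); it looks like
	// the text output of an analysis tool rather than a PDF itself - confirm
	// which kind of input this rule is meant to scan.
	strings:
		$pdf_anchor = "PDF Comment '%PDF"
		// Word boundary, alphanumeric name, literal dot, "bat". The original read
		// /\\b[a-z0-9]+\\.bat/: in a YARA regex literal "\\b" and "\\." denote a
		// literal backslash followed by 'b' / any character, so a plain "name.bat"
		// could never match. This is assumed to be a double-escaping artefact of
		// the export; if the rule is really meant to scan backslash-escaped text,
		// restore the original pattern.
		$bat_1 = /\b[a-z0-9]+\.bat/ nocase
	condition:
		$pdf_anchor at 0 and any of ($bat_*)
}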
Details Yara rule 1
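rule Generic_PDF_Contains_VBScript {
	// Flags an input whose first bytes are the literal text "PDF Comment '%PDF"
	// and which also references a *.vbs file name.
	// NOTE(review): the anchor is not the raw PDF magic ("%PDF-"); it looks like
	// the text output of an analysis tool rather than a PDF itself - confirm
	// which kind of input this rule is meant to scan.
	strings:
		$pdf_anchor = "PDF Comment '%PDF"
		// Word boundary, alphanumeric name, literal dot, "vbs". The original read
		// /\\b[a-z0-9]+\\.vbs/: in a YARA regex literal "\\b" and "\\." denote a
		// literal backslash followed by 'b' / any character, so a plain "name.vbs"
		// could never match. This is assumed to be a double-escaping artefact of
		// the export; if the rule is really meant to scan backslash-escaped text,
		// restore the original pattern.
		$vb_1 = /\b[a-z0-9]+\.vbs/ nocase
	condition:
		$pdf_anchor at 0 and any of ($vb_*)
}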
Details Yara rule 1
rule Generic_PDF_Contains_PowerShell_Reference {
	// Flags an input whose first bytes are the literal text "PDF Comment '%PDF"
	// and which mentions "powershell" anywhere (case-insensitive).
	// NOTE(review): the anchor is not the raw PDF magic ("%PDF-"); it appears to
	// target the text output of an analysis tool - confirm the intended input.
	strings:
		$pdf_anchor = "PDF Comment '%PDF"
		$ps_1 = "powershell" nocase
	condition:
		// Only one $ps_ string exists, so referencing it directly is equivalent
		// to "any of ($ps_*)".
		$pdf_anchor at 0 and $ps_1
}
Details Yara rule 1
rule Win_DarkGate {
	meta:
		author = "0xToxin"
		description = "DarkGate Strings Decoding Routine"
		date = "2023-08-01"
	strings:
		// Opcode pattern of the decoding routine named in the description. The
		// fixed bytes read as: and cl,0x3F / shl ecx,2 / and bl,0x30 / shr ebx,4
		// / add cl,bl, then 0x0F<<4 with 0x3C>>2, then 0x03<<6 with 0x3F - the
		// regrouping of four 6-bit values into three bytes, i.e. consistent with
		// a base64-style decoder over a (possibly custom) alphabet. The "??"
		// wildcards cover frame-relative displacements and a call target.
		$chunk_1 = { 8B 55 ?? 8A 4D ?? 80 E1 3F C1 E1 02 8A 5D ?? 80 E3 30 81 E3 FF 00 00 00 C1 EB 04 02 CB 88 4C 10 ?? FF 45 ?? 80 7D ?? 40 74 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? 8A 4D ?? 80 E1 0F C1 E1 04 8A 5D ?? 80 E3 3C 81 E3 FF 00 00 00 C1 EB 02 02 CB 88 4C 10 ?? FF 45 ?? 80 7D ?? 40 74 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? 8A 4D ?? 80 E1 03 C1 E1 06 8A 5D ?? 80 E3 3F 02 CB 88 4C 10 ?? FF 45 ?? }
	condition:
		// Single string, no file-type guard: the pattern is matched in any input
		// (PE files, memory dumps, carriers), which is intentional for a code
		// signature but means it is not limited to PE files.
		any of them
}
Details Yara rule 2
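rule wellmess_botlib_function_names {
	meta:
		// The description was split across two lines in the extracted copy; YARA
		// string literals cannot span lines, so it is rejoined here.
		description = "Rule to detect WellMess Golang samples based on the function names used by the actor"
		author = "NCSC"
		hash = "8749c1495af4fd73ccfc84b32f56f5e78549d81feefb0c1d1c3475a74345f6a8"
	strings:
		// Go symbol names from the sample's "botlib" package. "ascii wide" also
		// matches UTF-16 copies. The "botlib." prefix keeps otherwise generic
		// names (New, Key, Join, Split, ...) specific enough for "any of them".
		$s1 = "botlib.wellMess" ascii wide
		$s2 = "botlib.saveFile" ascii wide
		$s3 = "botlib.reply" ascii wide
		$s4 = "botlib.init" ascii wide
		$s5 = "botlib.generateRandomString" ascii wide
		$s6 = "botlib.encrypt" ascii wide
		$s7 = "botlib.deleteFile" ascii wide
		$s8 = "botlib.convertFromString" ascii wide
		$s9 = "botlib.chunksM" ascii wide
		$s10 = "botlib.Work" ascii wide
		$s11 = "botlib.UnpackB" ascii wide
		$s12 = "botlib.Unpack" ascii wide
		$s13 = "botlib.UDFile" ascii wide
		$s14 = "botlib.Split" ascii wide
		$s15 = "botlib.Service" ascii wide
		$s16 = "botlib.SendMessage" ascii wide
		$s17 = "botlib.Send.func1" ascii wide
		$s18 = "botlib.Send" ascii wide
		$s19 = "botlib.ReceiveMessage" ascii wide
		$s20 = "botlib.RandStringBytes" ascii wide
		$s21 = "botlib.RandInt" ascii wide
		$s22 = "botlib.Post" ascii wide
		$s23 = "botlib.Parse" ascii wide
		$s24 = "botlib.Pad" ascii wide
		$s25 = "botlib.Pack" ascii wide
		$s26 = "botlib.New" ascii wide
		$s27 = "botlib.KeySizeError.Error" ascii wide
		$s28 = "botlib.Key" ascii wide
		$s29 = "botlib.Join" ascii wide
		$s30 = "botlib.GetRandomBytes" ascii wide
		$s31 = "botlib.GenerateSymmKey" ascii wide
		$s32 = "botlib.FromNormalToBase64" ascii wide
		$s33 = "botlib.EncryptText" ascii wide
		$s34 = "botlib.Download" ascii wide
		$s35 = "botlib.Decipher" ascii wide
		$s36 = "botlib.Command" ascii wide
		$s37 = "botlib.Cipher" ascii wide
		$s38 = "botlib.CalculateMD5Hash" ascii wide
		$s39 = "botlib.Base64ToNormal" ascii wide
		$s40 = "botlib.AES_Encrypt" ascii wide
		$s41 = "botlib.AES_Decrypt" ascii wide
		$s42 = "botlib.(*rc6cipher).Encrypt" ascii wide
		$s43 = "botlib.(*rc6cipher).Decrypt" ascii wide
		$s44 = "botlib.(*rc6cipher).BlockSize" ascii wide
		$s45 = "botlib.(*KeySizeError).Error" ascii wide
		$s46 = "botlib.DownloadDNS" ascii wide
		$s47 = "botlib.JoinDnsChunks" ascii wide
		$s48 = "botlib.SendDNS" ascii wide
		$s49 = "botlib.CreateDNSName" ascii wide
	condition:
		// File-type guard: PE ("MZ" at 0 and "PE" at e_lfanew) or ELF ("\x7fELF").
		// e_lfanew at 0x3c is a 32-bit field; the original read it with uint16(),
		// which silently fails for PE headers located beyond 0xFFFF. uint32()
		// matches the sorefang/Hive rules on this page.
		((uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550) or uint32(0) == 0x464c457f) and any of them
}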
Details Yara rule 3
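rule wellmess_certificate_base64_snippets {
	meta:
		// The description was split across two lines in the extracted copy; YARA
		// string literals cannot span lines, so it is rejoined here.
		description = "Rule for detection of WellMess based on base64 snippets of certificates used"
		author = "NCSC"
		hash = "8749c1495af4fd73ccfc84b32f56f5e78549d81feefb0c1d1c3475a74345f6a8"
	strings:
		// $a1-$a3 appear to be the same DER fragment at the three possible base64
		// alignments: OID 2.5.29.14 (subjectKeyIdentifier) with the short fixed
		// value 01 02 03 04 ..., i.e. a placeholder key identifier rather than a
		// hash-derived one - this is the discriminating part of the rule.
		$a1 = "BgNVHQ4EBwQFAQIDBA"
		$a2 = "YDVR0OBAcEBQECAwQG"
		$a3 = "GA1UdDgQHBAUBAgMEB"
		// $b1-$b3 decode to a subject/issuer name with countryName "Tunis" and
		// organizationName "IT" - a non-standard name, again in three alignments.
		$b1 = "BgNVBAYTBVR1bmlzMQswCQYDVQQKEwJJVD"
		$b2 = "YDVQQGEwVUdW5pczELMAkGA1UEChMCSVQx"
		$b3 = "GA1UEBhMFVHVuaXMxCzAJBgNVBAoTAklUM"
	condition:
		// PE or ELF guard, then one alignment from each group. e_lfanew at 0x3c is
		// a 32-bit field; the original read it with uint16(), which fails for PE
		// headers located beyond 0xFFFF. uint32() matches the sibling rules.
		((uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550) or uint32(0) == 0x464c457f) and any of ($a*) and any of ($b*)
}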
Details Yara rule 2
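rule wellmess_regex_used_for_parsing_beacons {
	meta:
		// The description was split across two lines in the extracted copy; YARA
		// string literals cannot span lines, so it is rejoined here.
		description = "Detects WellMess Golang and .NET samples based on the regex they used to parse commands and beacon information"
		author = "NCSC"
		hash = "8749c1495af4fd73ccfc84b32f56f5e78549d81feefb0c1d1c3475a74345f6a8"
	strings:
		// These are text strings, not YARA regexes: they match the regex source
		// text embedded in the binary. "\\s" is therefore the two characters '\'
		// 's' as stored, which is the intended (correct) escaping.
		$a = "fileName:(?<fn>.*?)\\sargs:(?<arg>.*)\\snotwait:(?<nw>.*)" ascii wide
		$b = "<;(?<key>[^;]*?);>(?<value>[^<]*?)<;[^;]*?;>" ascii wide
	condition:
		// PE or ELF guard. e_lfanew at 0x3c is a 32-bit field; the original read
		// it with uint16(), which fails for PE headers located beyond 0xFFFF.
		// uint32() matches the sibling rules on this page.
		((uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550) or uint32(0) == 0x464c457f) and any of them
}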
Details Yara rule 2
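rule wellmail_unique_strings {
	meta:
		// The description was split across two lines in the extracted copy; YARA
		// string literals cannot span lines, so it is rejoined here.
		description = "Rule for detection of WellMail based on unique strings contained in the binary"
		author = "NCSC"
		hash = "0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494"
	strings:
		// Build-path artefacts left in the binary, in both path separator styles.
		$a = "C:\\Server\\Mail\\App_Data\\Temp\\agent.sh\\src"
		$b = "C:/Server/Mail/App_Data/Temp/agent.sh/src/main.go"
		$c = "HgQdbx4qRNv"
		// 40 hex characters - an embedded constant taken verbatim from the sample.
		$d = "042a51567eea19d5aca71050b4535d33d2ed43ba"
		$e = "main.zipit"
		// Regex source text as stored in the binary (text string, not a YARA regex).
		$f = "@[^\\s]+?\\s(?P<tar>.*?)\\s"
	condition:
		// ELF only ("\x7fELF"), plus any 3 of the 6 strings; all are ASCII-only.
		uint32(0) == 0x464C457F and 3 of them
}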
Details Yara rule 3
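rule wellmail_certificate_base64_snippets {
	meta:
		// The description was split across two lines in the extracted copy; YARA
		// string literals cannot span lines, so it is rejoined here.
		description = "Rule for detection of WellMail based on base64 snippets of certificates used"
		author = "NCSC"
		hash = "0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494"
	strings:
		// $a1-$a3 appear to be the same DER fragment at the three base64
		// alignments: OID 2.5.29.14 (subjectKeyIdentifier) with the short fixed
		// value 01 02 03 04 ... - a placeholder key identifier, which is what
		// makes the rule specific.
		$a1 = "BgNVHQ4EBwQFAQIDBA"
		$a2 = "YDVR0OBAcEBQECAwQG"
		$a3 = "GA1UdDgQHBAUBAgMEB"
		// $b1-$b3 decode to an organizationName beginning "GMO GlobalSign, In".
		// NOTE(review): legitimate binaries that embed a GlobalSign chain also
		// contain this fragment, so $b* alone is not specific; the "and any of
		// ($a*)" requirement is what prevents false positives.
		$b1 = "BgNVBAoTE0dNTyBHbG9iYWxTaWduLCBJbm"
		$b2 = "YDVQQKExNHTU8gR2xvYmFsU2lnbiwgSW5j"
		$b3 = "GA1UEChMTR01PIEdsb2JhbFNpZ24sIEluY"
	condition:
		// ELF only ("\x7fELF"), then one alignment from each group.
		uint32(0) == 0x464C457F and any of ($a*) and any of ($b*)
}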
Details Yara rule 2
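rule sorefang_directory_enumeration_output_strings {
	meta:
		// The description was split across two lines in the extracted copy; YARA
		// string literals cannot span lines, so it is rejoined here.
		description = "Rule to detect SoreFang based on formatted string output for directory enumeration"
		author = "NCSC"
		hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
	strings:
		// Anonymous strings ($) - the banner lines the sample prints while
		// enumerating directories. "usres" is the sample's own misspelling and
		// must stay as-is; correcting it would break the match.
		$ = "----------All usres directory----------"
		$ = "----------Desktop directory----------"
		$ = "----------Documents directory----------"
	condition:
		// PE guard ("MZ" at 0, "PE" at e_lfanew) plus any one banner.
		(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
}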
Details Yara rule 1
rule Hive_v3 {
	meta:
		author = "Andrey Zhdanov"
		company = "Group-IB"
		family = "ransomware.hive"
		description = "Hive v3 ransomware Windows/Linux/FreeBSD payload"
		severity = 10
		score = 100
	strings:
		// Each pattern is a mov-immediate (B? + imm32), an imul-immediate
		// (69 /r + imm32) and a lea with a 32-bit displacement (8D /r), with
		// register nibbles and the code in between left wild so the same
		// constant arithmetic is found across compilers and targets.
		$h0 = { B? 03 52 DA 8D [6-12] 69 ?? 00 70 0E 00 [14-20] 8D ?? 00 90 01 00 }
		$h1 = { B? 37 48 60 80 [4-12] 69 ?? 00 F4 0F 00 [2-10] 8D ?? 00 0C 00 00 }
		$h2 = { B? 3E 0A D7 A3 [2-6] C1 E? ( 0F | 2F 4? ) 69 ?? 00 90 01 00 }
	condition:
		// PE ("MZ" at 0 and the full "PE\0\0" dword at e_lfanew) or ELF
		// ("\x7fELF"), then at least two of the three code patterns. Same logic
		// as before with the redundant parentheses removed.
		((uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) or uint32(0) == 0x464C457F) and 2 of ($h*)
}
Details Yara rule 1
rule Hive_ESXi_v3 {
	meta:
		author = "Andrey Zhdanov"
		company = "Group-IB"
		family = "ransomware.hive.esxi"
		description = "Hive v3 ransomware ESXI payload"
		severity = 10
		score = 100
	strings:
		// 64-bit code patterns: imul r64 with imm32, shift right by 32, imul with
		// imm32, sub - the register nibbles are wild.
		$h0 = { 48 69 ?? B5 B4 1B 01 48 C1 E? 20 69 ?? 00 70 0E 00 29 ?? }
		$h1 = { 48 69 ?? 25 30 40 00 48 C1 E? 20 69 ?? 00 F4 0F 00 29 ?? }
		// $a0 is the regex source text for VM file extensions as stored in the
		// binary (text string, so "\\." is a literal backslash-dot), NUL-terminated.
		$a0 = "\\.(vm|vs)\\w+$\x00"
		// $a1 is the embedded shell pipeline used to power off every VM.
		$a1 = "vim-cmd vmsvc/getallvms | grep -o -E '^[0-9]+' | xargs -r -n 1 vim-cmd vmsvc/power.off"
		// $b* are NUL-delimited format/log strings; leading "\x00" anchors them at
		// the start of a string table entry.
		$b0 = "\x00%s.key.%s\x00"
		$b1 = "\x00! export %s"
		$b2 = "\x00+ export %s"
		$b3 = "HOW_TO_DECRYPT.txt\x00"
		$b4 = "\x00+notify /etc/motd\x00"
		$b5 = "\x00+notify %s"
		$b6 = "\x00+ prenotify %s"
		$b7 = "\x00Stopping VMs\x00"
	condition:
		// ELF only, then either both code patterns or one $a plus two $b strings.
		// Same logic as before with the redundant parentheses removed.
		uint32(0) == 0x464C457F and (2 of ($h*) or (1 of ($a*) and 2 of ($b*)))
}
Details Yara rule 2
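rule sorefang_encryption_key_2b62 {
	meta:
		// The description was split across two lines in the extracted copy; YARA
		// string literals cannot span lines, so it is rejoined here.
		description = "Rule to detect SoreFang based on hardcoded encryption key"
		author = "NCSC"
		hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
	strings:
		// The key as a 32-character hex text string (ASCII only - no "wide"), so
		// a UTF-16 copy of the same text would not match.
		$ = "2b6233eb3e872ff78988f4a8f3f6a3ba"
	condition:
		// PE guard ("MZ" at 0, "PE" at e_lfanew) plus the single string.
		(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
}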
Details Yara rule 1
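rule poweliks_injected {
	meta:
		description = "system infected with poweliks"
		in_the_wild = true
		// Source, from the text surrounding this rule on the page: Rivera &
		// Inocencio, "Doing more with less: a study of fileless infection attacks",
		// Virus Bulletin Conference, September 2015.
	strings:
		$s1 = "http://%s/q"
		// UTF-16 only ("wide"): dllhost.exe under either system directory.
		$s2 = /(syswow64|system32)\\dllhost\.exe/ wide
		// Generic format strings; they only carry weight because all $s* are required.
		$s3 = "%1d.%1d.%04d_%1d.%1d"
		$s4 = "%x%x%x%x%x%x"
		$s5 = "builddate"
		// In the extracted copy this regex was split by page-footer text; it is
		// rejoined here as one regex literal (YARA does not allow a regex or
		// string to span lines). "\\" is a literal backslash, "\." a literal dot.
		$t1 = /windowspowershell\\[a-z0-9]{1,3}\.[a-z0-9]{1,2}\\powershell\.exe/ wide
		$t2 = "powershell.exe"
	condition:
		// All five $s strings plus at least one powershell reference. There is no
		// file-type guard, consistent with the "injected" (memory) use case.
		all of ($s*) and any of ($t*)
}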
Details Yara rule 1
rule BazarDGA {
	// NOTE(review): no meta block (description/author/reference); consider adding one.
	strings:
		// '.' then the bytes 'b','a','z','a','r', each separated by 4-12 arbitrary
		// bytes - consistent with the ".bazar" TLD being assembled one character
		// at a time with instructions in between rather than stored as a literal.
		$bazar_tld = { 2E [4-12] 62 [4-12] 61 [4-12] 7A [4-12] 61 [4-12] 72 }
	condition:
		// Single pattern with no file-type or size guard: six spaced-out bytes
		// can also line up by chance in large non-executable inputs, so expect
		// some noise when scanning broad data sets; a PE/ELF check or a size cap
		// would narrow it if the memory-scanning use case does not need it.
		$bazar_tld
}
Details Yara rule 1
rule SPICA__Strings {
	meta:
		author = "Google TAG"
		description = "Rust backdoor using websockets for c2 and embedded decoy PDF"
		hash = "37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9"
	strings:
		// $s*: runtime/log strings, Rust type names and the decoy card data.
		// Numbering skips $s7 (cosmetic; "7 of ($s*)" counts the 13 that exist).
		$s1 = "os_win.c:%d: (%lu) %s(%s) - %s"
		$s2 = "winWrite1"
		$s3 = "winWrite2"
		$s4 = "DNS resolution panicked"
		$s5 = "struct Dox"
		$s6 = "struct Telegram"
		$s8 = "struct Download"
		// Short and generic on its own; only meaningful within the 7-of threshold.
		$s9 = "spica"
		$s10 = "Failed to open the subkey after setting the value."
		$s11 = "Card Holder: Bull Gayts"
		$s12 = "Card Number: 7/ 3310 0195 4865"
		$s13 = "CVV: 592"
		$s14 = "Card Expired: 03/28"
		// $a*: Rust source paths left in the binary ("\\" is a literal backslash).
		$a0 = "agent\\src\\archive.rs"
		$a1 = "agent\\src\\main.rs"
		$a2 = "agent\\src\\utils.rs"
		$a3 = "agent\\src\\command\\dox.rs"
		$a4 = "agent\\src\\command\\shell.rs"
		$a5 = "agent\\src\\command\\telegram.rs"
		// NOTE(review): $a6 and $a7 are identical, so a single "command\mod.rs"
		// hit counts twice toward "5 of ($a*)", i.e. only 4 distinct paths are
		// really required. Presumably one of them was meant to be a different
		// path - confirm against the published rule before changing either.
		$a6 = "agent\\src\\command\\mod.rs"
		$a7 = "agent\\src\\command\\mod.rs"
		$a8 = "agent\\src\\command\\cookie\\mod.rs"
		$a9 = "agent\\src\\command\\cookie\\browser\\mod.rs"
		$a10 = "agent\\src\\command\\cookie\\browser\\browser_name.rs"
	condition:
		// Either enough runtime strings or enough source paths; no file-type guard.
		7 of ($s*) or 5 of ($a*)
}
Details Yara rule 2
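rule sorefang_encryption_round_function {
	meta:
		// The description was split across two lines in the extracted copy; YARA
		// string literals cannot span lines, so it is rejoined here.
		description = "Rule to detect SoreFang based on the encryption round function"
		author = "NCSC"
		hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
	strings:
		// Exact (wildcard-free) 32-bit opcode sequence from the round function;
		// being exact, it is tied to this build and will not survive recompilation.
		$ = { 8A E9 8A FB 8A 5D 0F 02 C9 88 45 0F FE C1 0F BE C5 88 6D F3 8D 14 45 01 00 00 00 0F AF D0 0F BE C5 0F BE C9 0F AF C8 C1 FA 1B C0 E1 05 0A D1 8B 4D EC 0F BE C1 89 55 E4 8D 14 45 01 00 00 00 0F AF D0 8B C1 }
	condition:
		// PE guard ("MZ" at 0, "PE" at e_lfanew) plus the single pattern.
		(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
}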
Details Yara rule 2
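rule sorefang_modify_alphabet_custom_encode {
	meta:
		// The description was split across two lines in the extracted copy; YARA
		// string literals cannot span lines, so it is rejoined here.
		description = "Rule to detect SoreFang based on arguments passed into custom encoding algorithm function"
		author = "NCSC"
		hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
	strings:
		// xor eax,eax / mov ecx,esi / push 0x36 / push 0x71 followed by stores
		// into [esi+0x60..0x68]; the two pushed immediates are the arguments the
		// description refers to. Exact bytes, so specific to this build.
		$ = { 33 C0 8B CE 6A 36 6A 71 66 89 46 60 88 46 62 89 46 68 66 89 46 64 }
	condition:
		// PE guard ("MZ" at 0, "PE" at e_lfanew) plus the single pattern.
		(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
}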
Details Yara rule 1
rule CMTDownLoader {
	meta:
		description = "CMTDownLoader"
		author = "LAC Co., Ltd."
	strings:
		// NUL-delimited HTML comment delimiters: "\0<!--" and "\r\n-->\0".
		$code1 = { 00 3C 21 2D 2D }
		$code2 = { 0D 0A 2D 2D 3E 00 }
		// The "cmd /c echo" prefix plus two file extensions; $str3/$str4 are
		// generic on their own and only matter because everything is required.
		$str2 = "cmd /c echo"
		$str3 = ".exe"
		$str4 = ".bat"
	condition:
		// "MZ" at offset 0 and every string present.
		uint16(0) == 0x5A4D and all of them
}
Details Yara rule 1
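rule InetDownLoader {
	meta:
		// The page's copy carried description = "CMTDownLoader", the name of the
		// preceding LAC rule; every other LAC rule here uses its own rule name as
		// the description, so this is corrected to match the rule and its PDB string.
		description = "InetDownLoader"
		author = "LAC Co., Ltd."
	strings:
		// Debug-symbol path left in the build.
		$str1 = "ReleaseInetDownLoader.pdb"
		$str2 = "hello.exe"
	condition:
		// "MZ" at offset 0 and both strings present.
		uint16(0) == 0x5A4D and ($str1 and $str2)
}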
Details Yara rule 1
rule TinyCmdPipeRAT {
	meta:
		description = "TinyCmdPipeRAT"
		author = "LAC Co., Ltd."
	strings:
		$str1 = "%s%s.mui"
		$str2 = "endshell"
		// Likely a truncated "InitSecurityInterface" - kept as in the sample.
		$str3 = "InitSecurityInte"
		// Stack-string construction: mov dword [..+disp],imm32 (C7 44 / C7 45 /
		// C7 85) with the immediates spelling the text. Decoded ASCII:
		//   $mov_str1: "m32\" "cmd." "exe\0"  -> "...m32\cmd.exe"
		//   $mov_str2: "cmd." "?xe." "?ui\0"  -> "cmd.exe.mui" (one byte wild each)
		//   $mov_str3: "CfgM" "gr.e" "xe"     -> "CfgMgr.exe" (last store is 16-bit)
		$mov_str1 = { 6D 33 32 5C C7 44 ?? ?? 63 6D 64 2E C7 44 ?? ?? 65 78 65 00 }
		$mov_str2 = { 63 6D 64 2E C7 45 ?? ?? 78 65 2E C7 45 ?? ?? 75 69 00 }
		$mov_str3 = { C7 85 ?? 00 00 00 43 66 67 4D C7 85 ?? 00 00 00 67 72 2E 65 66 C7 85 ?? 00 00 00 78 65 }
	condition:
		// "MZ" at offset 0 and every string present.
		uint16(0) == 0x5A4D and (all of them)
}
Details Yara rule 1
rule CmdPipeRAT {
	meta:
		description = "CmdPipeRAT"
		author = "LAC Co., Ltd."
	strings:
		// $str1 is the only string with "ascii wide"; the rest are ASCII-only.
		$str1 = "%syeah.htm" ascii wide
		// Generic User-Agent value; carries weight only because all strings are required.
		$str2 = "Mozilla/5.0 (Windows NT 6.1; WOW64)"
		$str3 = "Content-Type: %02x%02x%02x%02x%02x%02x"
		// 45-byte key blob from the sample; its last ten bytes are the ASCII text
		// "420190923#".
		$rc4_key = { 20 4E 00 00 1E 2D 33 44 54 62 71 8E 9F AC BF CD D8 E3 F0 04 EE FD 03 54 44 22 11 EE DF 1C 0F 3D 98 73 00 34 32 30 31 39 30 39 32 33 23 }
		// Stack-string construction via mov dword [ebp-disp32],imm32 (C7 85) with
		// the immediates spelling the text (wild byte = low byte of the
		// displacement). Decoded ASCII:
		//   $mov_str1: "\con" "sole" "32.e" "xe"        -> "\console32.exe"
		//   $mov_str2: "\cmd" ".exe"                     -> "\cmd.exe"
		//   $mov_str3: "\en-" "US\c" "md.e" "xe.m" "ui" -> "\en-US\cmd.exe.mui", then "\en-US"
		//   $mov_str4: "\con" "sole" "32.e" "xe.m" "ui" -> "\console32.exe.mui"
		$mov_str1 = { C7 85 ?? FB FF FF 5C 63 6F 6E C7 85 ?? FB FF FF 73 6F 6C 65 C7 85 ?? FB FF FF 33 32 2E 65 66 C7 85 ?? FB FF FF 78 65 }
		$mov_str2 = { C7 85 ?? FB FF FF 5C 63 6D 64 C7 85 ?? FB FF FF 2E 65 78 65 }
		$mov_str3 = { C7 85 ?? FB FF FF 5C 65 6E 2D C7 85 ?? FB FF FF 55 53 5C 63 C7 85 ?? FB FF FF 6D 64 2E 65 C7 85 ?? FB FF FF 78 65 2E 6D C7 85 ?? FB FF FF 75 69 00 00 C7 85 ?? FB FF FF 5C 65 6E 2D 66 C7 85 ?? FB FF FF 55 53 }
		$mov_str4 = { C7 85 ?? FB FF FF 5C 63 6F 6E C7 85 ?? FB FF FF 73 6F 6C 65 C7 85 ?? FB FF FF 33 32 2E 65 C7 85 ?? FB FF FF 78 65 2E 6D C7 85 ?? FB FF FF 75 69 00 00 }
	condition:
		// "MZ" at offset 0 and every string present.
		uint16(0) == 0x5A4D and (all of them)
}
Details Yara rule 1
import "pe"

rule coyote_nimloader {
	meta:
		author = "Blackberry Threat Research and Intelligence"
		// Two "hash" entries: YARA permits repeated meta identifiers.
		hash = "110b616bc12c29b070b0dc60c197a4d63b3e3caae6bb80a25b8864489a51da79"
		hash = "1bed3755276abd9b54db13882fcf29c543ebf604be3b7fcf060cbd6d68bcd23f"
	strings:
		// Nim runtime source-file names that survive in compiled binaries.
		$nim1 = "strformat.nim" ascii fullword
		$nim2 = "fatal.nim" ascii fullword
		$nim3 = "io.nim" ascii fullword
		// Plain text match anywhere in the file, not a check of the export
		// directory; pe.dll_name would test the PE's own export name directly
		// if that is what is intended.
		$export_name = "chrome_elf.dll" ascii fullword
	condition:
		// DLL characteristic set (explicit "!= 0" in place of implicit integer
		// truthiness), more than 8 sections, the DLL name and two Nim strings.
		(pe.characteristics & pe.DLL) != 0 and pe.number_of_sections > 8 and $export_name and 2 of ($nim*)
}