Overview - Yara rules

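rule CheekyChipmunk_amsi_avoidance_strings {
	meta:
		author = "NCSC"
		// Kept on one line: a YARA text string cannot span lines, so the
		// line-wrapped description was a syntax error.
		description = "Detects Cheeky Chipmunk loader AMSI avoidance strings"
		date = "2022-01-24"
		hash1 = "50c0bf9479efc93fa9cf1aa99bdca923273b71a1"
	strings:
		// Name of the loader's AMSI-probing routine plus the two messages
		// it carries for the 32-bit and 64-bit cases. All three are matched
		// as plain ASCII only (no `wide` variant).
		$functionname = "FindAmsiFun"
		$x86found = "x32 protection detected"
		$x64found = "x64 protection detected"
	condition:
		// Deliberately no file-type gate: the three strings together are
		// specific enough, and the rule then also applies to scripts and
		// memory dumps. Add an MZ check only if the target is known to be a PE.
		all of them
}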
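rule CheekyChipmunk_namedpipe_stackstring {
	meta:
		author = "NCSC"
		// Kept on one line: a YARA text string cannot span lines, so the
		// line-wrapped description was a syntax error.
		description = "Detects stack string for Cheeky Chipmunk named pipe"
		date = "2022-01-24"
		hash1 = "52c8cbd0545caab7596c1382c7fc5a479209851d"
	strings:
		// Compiler-emitted stack string spelling the UTF-16 text
		// "\pipe\pnrsvc": each character is loaded with `mov eax, imm32` and
		// stored as a 16-bit word (`mov [rsp+disp32], ax`) at a 2-byte stride,
		// then `xor eax, eax` and a final word store write the terminator.
		// The byte sequence is unchanged from the original rule.
		$stackstring = {
			B8 5C 00 00 00  66 89 84 24 80 00 00 00   // '\'  -> [rsp+0x80]
			B8 70 00 00 00  66 89 84 24 82 00 00 00   // 'p'  -> [rsp+0x82]
			B8 69 00 00 00  66 89 84 24 84 00 00 00   // 'i'  -> [rsp+0x84]
			B8 70 00 00 00  66 89 84 24 86 00 00 00   // 'p'  -> [rsp+0x86]
			B8 65 00 00 00  66 89 84 24 88 00 00 00   // 'e'  -> [rsp+0x88]
			B8 5C 00 00 00  66 89 84 24 8A 00 00 00   // '\'  -> [rsp+0x8A]
			B8 70 00 00 00  66 89 84 24 8C 00 00 00   // 'p'  -> [rsp+0x8C]
			B8 6E 00 00 00  66 89 84 24 8E 00 00 00   // 'n'  -> [rsp+0x8E]
			B8 72 00 00 00  66 89 84 24 90 00 00 00   // 'r'  -> [rsp+0x90]
			B8 73 00 00 00  66 89 84 24 92 00 00 00   // 's'  -> [rsp+0x92]
			B8 76 00 00 00  66 89 84 24 94 00 00 00   // 'v'  -> [rsp+0x94]
			B8 63 00 00 00  66 89 84 24 96 00 00 00   // 'c'  -> [rsp+0x96]
			33 C0           66 89 84 24 98 00 00 00   // xor eax,eax; NUL terminator -> [rsp+0x98]
		}
	condition:
		// MZ magic plus the "PE\0\0" signature at e_lfanew (offset 0x3c),
		// so only well-formed PE files are considered.
		uint16(0) == 0x5A4D and uint32(uint32(0x3c)) == 0x00004550 and all of them
}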
rule CheekyChipmunk_xor_function_code {
	meta:
		author = "NCSC"
		description = "Detects Cheeky Chipmunk XOR function"
		date = "2022-01-24"
		hash1 = "52c8cbd0545caab7596c1382c7fc5a479209851d"
	strings:
		// Unoptimised x64 code that reads a byte from a buffer, adds it to a
		// running sum kept at [rsp], and then XORs the same byte with the
		// single-byte key 0x55 (`83 F0 55`), writing it back in place.
		// The byte sequence is identical to the original rule; only the
		// layout and annotations differ.
		$xor_loop = {
			8B 44 24 04          // mov   eax, [rsp+4]          ; byte index
			48 8B 4C 24 20       // mov   rcx, [rsp+0x20]       ; buffer pointer
			0F B6 04 01          // movzx eax, byte [rcx+rax]
			8B 0C 24             // mov   ecx, [rsp]            ; running sum
			03 C8                // add   ecx, eax
			8B C1                // mov   eax, ecx
			89 04 24             // mov   [rsp], eax
			8B 44 24 04          // mov   eax, [rsp+4]
			48 8B 4C 24 20       // mov   rcx, [rsp+0x20]
			0F B6 04 01          // movzx eax, byte [rcx+rax]
			83 F0 55             // xor   eax, 0x55             ; the key
			8B 4C 24 04          // mov   ecx, [rsp+4]
			48 8B 54 24 20       // mov   rdx, [rsp+0x20]
			88 04 0A             // mov   [rdx+rcx], al         ; in-place write-back
			B8 01 00 00 00       // mov   eax, 1
			48 6B C0 00          // imul  rax, rax, 0
			48 8B 4C 24 20       // mov   rcx, [rsp+0x20]
			0F B6 04 01          // movzx eax, byte [rcx+rax]
			8B 0C 24             // mov   ecx, [rsp]
			03 C8                // add   ecx, eax
			8B C1                // mov   eax, ecx
			89 04 24             // mov   [rsp], eax
		}
	condition:
		// Well-formed PE only: MZ magic and "PE\0\0" at e_lfanew.
		uint16(0) == 0x5A4D and uint32(uint32(0x3c)) == 0x00004550 and $xor_loop
}
rule GootLoader_Malware {
	// Bare family-name match with no meta and no file-type or size gate.
	// NOTE(review): this fires on anything containing the token "GootLoader"
	// -- threat reports, AV/EDR logs, and this rule set itself -- so treat a
	// hit as a low-confidence triage signal rather than a detection.
	strings:
		$family_name = "GootLoader" ascii wide nocase
	condition:
		any of them
}
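rule apt_NK_Lazarus_Fall2017_payload_minCondition {
	meta:
		// Kept on one line: a YARA text string cannot span lines, so the
		// line-wrapped description was a syntax error.
		desc = "Minimal condition set to detect payloads from Fall 2017 Lazarus Campaign against Cryptocurrency Exchanges and Friends of MOFA 11"
		author = "JAGS, Insikt Group, Recorded Future"
		version = "2.0"
		TLP = "Green"
		// Repeating the `md5` key is legal YARA, but tooling that exposes
		// meta as a dictionary (e.g. yara-python) will keep only the last one.
		md5 = "46d1d1f6e396a1908471e8a8d8b38417"
		md5 = "6b061267c7ddeb160368128a933d38be"
		md5 = "afa40517d264d1b03ac5c4d2fef8fc32"
		md5 = "c270eb96deaf27dd2598bc4e9afd99da"
		md5 = "d897b4b8e729a408f64911524e8647db"
		md5 = "e1cc2dcb40e729b2b61cf436d20d8ee5"
	strings:
		// Identifiers carry the addresses the sequences were presumably
		// lifted from; the bytes are unchanged from the original rule.
		// Indirect call through a pointer table at [r12+0x2088], result
		// compared against -1 (INVALID_HANDLE_VALUE-style check), then a
		// call with a 0x4000-byte argument.
		$sub1800115A0 = {
			48 8D 54 24 60            // lea  rdx, [rsp+0x60]
			48 8D 8D B0 05 00 00      // lea  rcx, [rbp+0x5B0]
			41 FF 94 24 88 20 00 00   // call qword [r12+0x2088]
			4C 8B E8                  // mov  r13, rax
			48 83 F8 FF               // cmp  rax, -1
			0F 84 EA 01 00 00         // je   +0x1EA
			48 8D 8D C0 07 00 00      // lea  rcx, [rbp+0x7C0]
			33 D2                     // xor  edx, edx
			41 B8 00 40 00 00         // mov  r8d, 0x4000
			E8                        // call rel32 (target bytes not included)
		}
		// Function epilogue: register restores at fixed stack offsets
		// followed by `xor rcx, rsp / call`, the shape of an MSVC stack-cookie
		// check. The cookie part is compiler boilerplate; the specificity
		// comes from the exact frame offsets.
		$sub18000A720 = {
			33 C0                     // xor  eax, eax
			48 8B BC 24 98 02 00 00   // mov  rdi, [rsp+0x298]
			48 8B 9C 24 90 02 00 00   // mov  rbx, [rsp+0x290]
			48 8B 8D 60 01 00 00      // mov  rcx, [rbp+0x160]
			48 33 CC                  // xor  rcx, rsp
			E8                        // call rel32 (target bytes not included)
		}
	condition:
		// MZ magic only (no PE signature check), size cap, and either sequence.
		uint16(0) == 0x5A4D and filesize < 5MB and any of them
}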
rule apt_ext4_linuxlistener {
	meta:
		description = "Detects Unique Linux Backdoor, Ext4"
		author = "Insikt Group, Recorded Future"
		TLP = "White"
		date = "2018-08-14"
		md5_x64 = "d08de00e7168a441052672219e717957"
	strings:
		// Cleanup command embedded as a plain string; this is the
		// high-value indicator.
		$cleanup_cmd = "rm /tmp/0baaf161db39"
		// `3C ib` is `cmp al, imm8`: each fragment compares AL with one
		// character and is followed by 0F, the first byte of a two-byte
		// opcode (presumably a Jcc rel32). Three-byte fragments are weak on
		// their own, which is why every one of them plus $cleanup_cmd is
		// required.
		$cmp_a     = { 3C 61 0F }   // cmp al, 'a'
		$cmp_n     = { 3C 6E 0F }   // cmp al, 'n'
		$cmp_t     = { 3C 74 0F }   // cmp al, 't'
		$cmp_i     = { 3C 69 0F }   // cmp al, 'i'
		$cmp_colon = { 3C 3A 0F }   // cmp al, ':'
	condition:
		// No ELF header gate, so the rule can also be run over memory dumps
		// and extracted segments.
		all of them
}
import "pe"

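rule APT_VN_APT32_DLLSideloading_Oct2020 {
	meta:
		description = "Track DLL Sideloading Technique Used by APT32/OceanLotus in October 2020"
		author = "Insikt Group, Recorded Future"
		hash1 = "d873bdb08c45378650761bad71df7418c7b542adb13ccd4a87df2001801f4808"
		hash2 = "75c61d9d8da4a87882ccdd37b664953c10a186b5545c5152fd1b6bf788a1a846"
		date = "2020-10-22"
	strings:
		// Side-loaded module and its companion data file name.
		$s1 = "SoftwareUpdateFilesLocalized.dll"
		$s2 = "SoftwareUpdateFiles.locale" wide
		// Generic runtime error text; only meaningful with the other two.
		$s3 = "This indicates a bug in your application."
	condition:
		uint16(0) == 0x5a4d and filesize < 60KB and (
			// String branch: all three strings plus a COFF TimeDateStamp of
			// 0xFFFFFFFF. pe.timestamp is the 32-bit header field, so the
			// value used previously (4294967295000) could never be equal to
			// it and this branch was dead; 0xFFFFFFFF (== 4294967295) is taken
			// to be the intended sentinel -- re-validate against hash1/hash2.
			(all of them and pe.timestamp == 0xFFFFFFFF)
			// Build fingerprints of the known samples.
			or pe.imphash() == "3937374c70baa93e1fd75d8e894faf94"
			or pe.rich_signature.key == 0x6597ead6
		)
}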
rule YARA_CN_APT10_Trochilus_RC4Salsa20_decrypted_payload {
	meta:
		description = "Rule to identify Trochilus variant configured with RC4+Salsa20 encrypted C2 comms used by APT10 in 2018"
		author = "Insikt Group, Recorded Future"
		tlp = "white"
		date = "2019-01-10"
		hash1 = "42b5eb1f77a25ad73202d3be14e1833ef0502b0b6ae7ab54f5d4b5c2283429c6"
	strings:
		// Long mixed-case token specific to this configuration (presumably
		// key material for the C2 crypto -- not verifiable from the rule).
		$token = "NASDKJF7832Hnkjsadf878UHds89iujkhNHKJDHJDH8UIYE98uihwjshewde8w"
		// Hard-coded host name, presumably the C2 domain.
		$domain = "www.miphomanager.com"
		// Bytes 0x01..0x10 in order. NOTE(review): this sequence also occurs
		// in benign lookup tables and test vectors, so it is weak on its own.
		$seq_01_10 = { 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 }
		$hex_tail = { 65 06 06 67 06 08 69 06 0A 6B 06 0C }
	condition:
		// MZ magic, size cap, and any two indicators. Note that the two hex
		// patterns alone satisfy this without either text string.
		uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them
}
import "pe"

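rule YARA_CN_APT10_Trochilus_vcruntime140_dll_injector {
	meta:
		// Kept on one line: a YARA text string cannot span lines, so the
		// line-wrapped description was a syntax error.
		description = "Malicious DLL vcruntime140.dll launched using benign CASTSP.exe to inject encrypted shellcode containing Trochilus payload"
		author = "Insikt Group, Recorded Future"
		tlp = "white"
		date = "2019-01-16"
		hash1 = "eed0c7f7d36e75382c83e945a8b00abf01d3762b973c952dec05ceccb34b487d"
	strings:
		// Name the side-loaded module is dropped under.
		$s1 = "vcruntime140.dll" ascii fullword
		// Strings commonly present in MSVC-built binaries; weak on their
		// own, only meaningful because `all of them` is required.
		$s2 = "AppPolicyGetProcessTerminationMethod" ascii fullword
		$s4 = "operator co_await" ascii fullword
		$s5 = "api-ms-win-appmodel-runtime-l1-1-2" wide fullword
		// Benign host process named in the description.
		$s3 = "CASTSP.exe" ascii fullword
		// Build-specific byte run and an uppercase 20-character token.
		$s6 = "<!<(<3<=<E<" ascii fullword
		$s7 = "RUTLFJPBTJSFZZAOJTYP" ascii fullword
	condition:
		// MZ magic and size cap, then either the known sample's import hash
		// or the complete string set.
		uint16(0) == 0x5a4d and filesize < 300KB and (pe.imphash() == "c326c208bc65e6309413d8e699062a39" or all of them)
}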
import "pe"

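rule YARA_CN_APT10_Trochilus_version_dll_injector {
	meta:
		// Kept on one line: a YARA text string cannot span lines, so the
		// line-wrapped description was a syntax error.
		description = "Malicious DLL version.dll launched using benign CASTSP.exe to inject encrypted shellcode containing Trochilus payload"
		author = "Insikt Group, Recorded Future"
		tlp = "white"
		date = "2019-01-16"
		hash1 = "10182f0e64b765db989c158402c76eb1e0e862cab407f7c5cec133d8e5cb73e3"
	strings:
		// Strings commonly present in MSVC-built binaries; weak on their
		// own, only meaningful because `all of them` is required.
		$s1 = "AppPolicyGetProcessTerminationMethod" ascii fullword
		$s4 = "operator co_await" ascii fullword
		$s5 = "api-ms-win-appmodel-runtime-l1-1-2" wide fullword
		// Benign host process named in the description.
		$s2 = "CASTSP.exe" ascii fullword
		// XOR-encoded Rich header of this build (ends in the "Rich" marker
		// followed by the key), i.e. a fingerprint of one exact compilation.
		$s3 = "(p!xLq {Lp Lq h*r!iLq h*t!`Lq h*u!tLq G+y!~Lq G+u!xLq G+q!zLq G+s!zLq Rich{Lq " ascii fullword
		// Uppercase 20-character token specific to the sample.
		$s6 = "CZYSOYKPOIKKZGUFOIUI" ascii fullword
	condition:
		// MZ magic and size cap, then either the known sample's import hash
		// or the complete string set.
		uint16(0) == 0x5a4d and filesize < 300KB and (pe.imphash() == "0df4d1c641594cfb0df9e8869fa35db8" or all of them)
}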
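rule Generic_PDF_Contains_Batch_Script {
	// NOTE(review): the anchor "PDF Comment '%PDF" is not the magic of a raw
	// PDF (a raw file starts with "%PDF-"); it looks like the first line
	// emitted by a PDF parsing tool, so this rule appears to target parser
	// output rather than the file itself. Confirm the intended input before
	// running it against raw files.
	strings:
		$pdf_anchor = "PDF Comment '%PDF"
		// `\b` is a word boundary and `\.` a literal dot. The original used
		// `\\b` and `\\.`, which in a YARA regex mean a literal backslash
		// followed by 'b' / any character, so it could only have matched
		// text such as "\bfoo\_bat" -- effectively never.
		$bat_1 = /\b[a-z0-9]+\.bat/ nocase
	condition:
		// Anchor at offset 0 plus at least one batch-file reference. Plain
		// text only: content inside compressed (e.g. FlateDecode) streams is
		// not visible to these strings.
		$pdf_anchor at 0 and any of ($bat_*)
}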
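rule Generic_PDF_Contains_VBScript {
	// NOTE(review): the anchor "PDF Comment '%PDF" is not the magic of a raw
	// PDF (a raw file starts with "%PDF-"); it looks like the first line
	// emitted by a PDF parsing tool, so this rule appears to target parser
	// output rather than the file itself. Confirm the intended input before
	// running it against raw files.
	strings:
		$pdf_anchor = "PDF Comment '%PDF"
		// `\b` is a word boundary and `\.` a literal dot. The original used
		// `\\b` and `\\.`, which in a YARA regex mean a literal backslash
		// followed by 'b' / any character, so it could only have matched
		// text such as "\bfoo\_vbs" -- effectively never.
		$vb_1 = /\b[a-z0-9]+\.vbs/ nocase
	condition:
		// Anchor at offset 0 plus at least one .vbs reference. Plain text
		// only: content inside compressed (e.g. FlateDecode) streams is not
		// visible to these strings.
		$pdf_anchor at 0 and any of ($vb_*)
}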
rule Generic_PDF_Contains_PowerShell_Reference {
	// NOTE(review): the anchor "PDF Comment '%PDF" is not the magic of a raw
	// PDF (a raw file starts with "%PDF-"); it looks like the first line
	// emitted by a PDF parsing tool, so this rule appears to target parser
	// output rather than the file itself. Confirm the intended input before
	// running it against raw files.
	strings:
		// Case-insensitive token; plain text only, so references inside
		// compressed (e.g. FlateDecode) streams are not seen.
		$ps_1 = "powershell" nocase
		$pdf_anchor = "PDF Comment '%PDF"
	condition:
		// Anchor must sit at offset 0; any $ps_* string anywhere else.
		$pdf_anchor at 0 and any of ($ps_*)
}
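rule wellmail_unique_strings {
	meta:
		// Kept on one line: a YARA text string cannot span lines, so the
		// line-wrapped description was a syntax error.
		description = "Rule for detection of WellMail based on unique strings contained in the binary"
		author = "NCSC"
		hash = "0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494"
	strings:
		// Build-path artifacts in Windows and forward-slash form (the .go
		// source path suggests a Go build). "\\" in a YARA text string is a
		// single backslash.
		$a = "C:\\Server\\Mail\\App_Data\\Temp\\agent.sh\\src"
		$b = "C:/Server/Mail/App_Data/Temp/agent.sh/src/main.go"
		// Opaque tokens specific to the sample.
		$c = "HgQdbx4qRNv"
		$d = "042a51567eea19d5aca71050b4535d33d2ed43ba"
		// Looks like a Go symbol name (package main, function zipit).
		$e = "main.zipit"
		// Regular-expression source embedded in the binary, matched as plain
		// text: @[^\s]+?\s(?P<tar>.*?)\s
		$f = "@[^\\s]+?\\s(?P<tar>.*?)\\s"
	condition:
		// 0x464C457F is "\x7FELF" read little-endian: ELF files only, with
		// at least three of the six strings present.
		uint32(0) == 0x464C457F and 3 of them
}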