Overview - Yara rules

rule Windows_Trojan_DoorMe {
	meta:
		author = "Elastic Security"
		creation_date = "2022-12-09"
		last_modified = "2022-12-15"
		os = "Windows"
		arch = "x86"
		category_type = "Trojan"
		family = "DoorMe"
		threat_name = "Windows.Trojan.DoorMe"
		reference_sample = "96b226e1dcfb8ea2155c2fa508125472c8c767569d009a881ab4c39453e4fe7f"
	strings:
		$seq_aes_crypto = { 8B 6C 24 ?? C1 E5 ?? 8B 5C 24 ?? 8D 34 9D ?? ?? ?? ?? 0F B6 04 31 32 44 24 ?? 88 04 29 8D 04 9D ?? ?? ?? ?? 0F B6 04 01 32 44 24 ?? 88 44 29 ?? 8D 04 9D ?? ?? ?? ?? 0F B6 04 01 44 30 F8 88 44 29 ?? 8D 04 9D ?? ?? ?? ?? 0F B6 04 01 44 30 E0 88 44 29 ?? 8B 74 24 ?? }
		$seq_copy_str = { 48 8B 44 24 ?? 48 89 58 ?? 48 89 F1 4C 89 F2 49 89 D8 E8 ?? ?? ?? ?? C6 04 1E ?? }
		$seq_md5 = { 89 F8 44 21 C8 44 89 C9 F7 D1 21 F1 44 01 C0 01 C8 44 8B AC 24 ?? ?? ?? ?? 8B 9C 24 ?? ?? ?? ?? 48 89 B4 24 ?? ?? ?? ?? 44 89 44 24 ?? 46 8D 04 28 41 81 C0 ?? ?? ?? ?? 4C 89 AC 24 ?? ?? ?? ?? 41 C1 C0 ?? 45 01 C8 44 89 C1 44 21 C9 44 89 C2 F7 D2 21 FA 48 89 BC 24 ?? ?? ?? ?? 8D 2C 1E 49 89 DC 01 D5 01 E9 81 C1 ?? ?? ?? ?? C1 C1 ?? 44 01 C1 89 CA 44 21 C2 89 CD F7 D5 44 21 CD 8B 84 24 ?? ?? ?? ?? 48 89 44 24 ?? 8D 1C 07 01 EB 01 DA 81 C2 ?? ?? ?? ?? C1 C2 ?? }
		$seq_calc_key = { 31 FF 48 8D 1D ?? ?? ?? ?? 48 83 FF ?? 4C 89 F8 77 ?? 41 0F B6 34 3E 48 89 F1 48 C1 E9 ?? 44 0F B6 04 19 BA ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 83 E6 ?? 44 0F B6 04 1E BA ?? ?? ?? ?? 48 8B 4D ?? E8 ?? ?? ?? ?? 48 83 C7 ?? }
		$seq_base64 = { 8A 45 ?? 8A 4D ?? C0 E0 ?? 89 CA C0 EA ?? 80 E2 ?? 08 C2 88 55 ?? C0 E1 ?? 8A 45 ?? C0 E8 ?? 24 ?? 08 C8 88 45 ?? 41 83 C4 ?? 31 F6 44 39 E6 7D ?? 66 90 }
		$str_0 = ".?AVDoorme@@" ascii fullword
	condition:
		3 of ($seq*) or 1 of ($str*)
}

rule CyclopsBlink_modified_install_upgrade {
	meta:
		author = "NCSC"
		description = "Detects notable strings identified within the modified 
install_upgrade executable, embedded within Cyclops Blink"
		hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
		hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
		hash3 = "7d61c0dd0cd901221a9dff9df09bb90810754f10"
		hash4 = "438cd40caca70cafe5ca436b36ef7d3a6321e858"
	strings:
		$ = "/pending/%010lu_%06d_%03d_p1"
		$ = "/pending/sysa_code_dir/test_%d_%d_%d_%d_%d_%d"
		$ = "etaonrishdlcupfm"
		$ = "/pending/WGUpgrade-dl.new"
		$ = "/pending/bin/install_upgraded"
		$ = { 38 80 4C 00 }
		$ = { 38 80 4C 05 }
		$ = { 38 80 4C 04 }
		$ = { 3C 00 48 4D 60 00 41 43 90 09 00 00 }
	condition:
		(uint32(0) == 0x464c457f) and (6 of them)
}

rule EXP_CVE_2020_35730 {
	meta:
		author = "Insikt Group, Recorded Future"
		date = "2023-06-13"
		description = "Detects CVE-2020-35730 use in EML files"
		version = "1"
	strings:
		$ = "[<script>" base64
		$ = "</script>]:##str_replacement_" base64
		$ = "From:"
		$ = "To:"
		$ = "Subject:"
	condition:
		all of them
}

rule CyclopsBlink_handle_mod_0x51_command {
	meta:
		author = "NCSC"
		description = "Detects the code bytes used to check commands sent to 
module ID 0x51 and notable strings relating to the Cyclops Blink update 
process"
		hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
		hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
	strings:
		$cmd_check = { 88 1F [2] 54 00 06 3E 2F 80 00 ( 01 | 02 | 03 ) }
		$path1 = "/etc/wg/configd-hash.xml"
		$path2 = "/etc/wg/config.xml"
		$mnt_arg1 = "ext2"
		$mnt_arg2 = "errors=continue"
		$mnt_arg3 = { 38 C0 0C 20 }
		$mnt_arg4 = { 38 C0 0C 21 }
	condition:
		(uint32(0) == 0x464c457f) and (#cmd_check == 3) and ((@cmd_check[3] - @cmd_check[1]) < 0x200) and (all of ($path*)) and (all of ($mnt_arg*))
}

rule APT_MAL_LNX_Turla_Apr202004_1 {
	meta:
		description = "Detects Turla Linux malware x64 x32"
		date = "2020-04-24"
		hash1 = "67d9556c695ef6c51abf6fbab17acb3466e3149cf4d20cb64d6d34dc969b6502"
		hash2 = "8ccc081d4940c5d8aa6b782c16ed82528c0885bbb08210a8d0a8c519c54215bc"
		hash3 = "8856a68d95e4e79301779770a83e3fad8f122b849a9e9e31cfe06bf3418fa667"
		hash4 = "1d5e4466a6c5723cd30caf8b1c3d33d1a3d4c94c25e2ebe186c02b8b41daf905"
		hash5 = "2dabb2c5c04da560a6b56dbaa565d1eab8189d1fa4a85557a22157877065ea08"
		hash6 = "3e138e4e34c6eed3506efc7c805fce19af13bd62aeb35544f81f111e83b5d0d4"
		hash7 = "5a204263cac112318cd162f1c372437abf7f2092902b05e943e8784869629dd8"
		hash8 = "8856a68d95e4e79301779770a83e3fad8f122b849a9e9e31cfe06bf3418fa667"
		hash9 = "d49690ccb82ff9d42d3ee9d7da693fd7d302734562de088e9298413d56b86ed0"
	strings:
		$s1 = "/root/.hsperfdata" ascii fullword
		$s2 = "Desc|     Filename     |  size  |state|" ascii fullword
		$s3 = "VS filesystem: %s" ascii fullword
		$s4 = "File already exist on remote filesystem !" ascii fullword
		$s5 = "/tmp/.sync.pid" ascii fullword
		$s6 = "rem_fd: ssl " ascii fullword
		$s7 = "TREX_PID=%u" ascii fullword
		$s8 = "/tmp/.xdfg" ascii fullword
		$s9 = "__we_are_happy__" ascii fullword
		$s10 = "/root/.sess" ascii fullword
		$s11 = "ZYSZLRTS^Z@@NM@@G_Y_FE" ascii fullword
	condition:
		uint16(0) == 0x457f and filesize < 5000KB and 4 of them
}

rule SideWinderRTF {
	meta:
		author = "AT&T Alien Labs"
		description = "Detects SideWinder RTF Files"
		reference = "https://otx.alienvault.com/pulse/5f21d5b84d529ed134127a66"
	strings:
		$s1 = { 42 31 30 43 46 31 33 30 35 41 39 37 33 37 46 45 45 33 36 30 35 36 36 38 37 42 44 31 39 42 44 36 33 31 44 39 35 35 45 36 39 44 46 31 46 45 30 45 31 42 35 37 31 43 43 41 43 46 33 42 37 37 41 43 36 30 43 45 38 31 43 41 46 36 30 30 33 32 35 42 34 44 31 31 38 43 36 36 34 41 31 35 43 34 46 37 45 46 37 }
		$s2 = { 30 30 36 31 30 30 30 31 30 35 30 30 30 30 30 30 30 30 30 30 30 30 7D 7B 5C 72 65 73 75 6C 74 20 20 7D 7D 7B 5C 6F 62 6A 65 63 74 5C 6F 62 6A }
		$s3 = { 44 33 43 30 43 37 31 32 39 42 39 42 32 35 37 46 42 39 42 43 41 42 38 36 38 36 46 36 46 39 43 38 45 41 39 42 44 36 45 38 35 45 33 33 38 46 32 35 31 33 31 43 37 34 34 43 34 42 30 39 41 41 33 46 44 30 43 41 31 44 46 33 43 30 38 41 30 43 46 37 38 39 30 36 45 37 30 45 31 33 45 43 35 38 46 30 39 33 }
	condition:
		uint16(0) == 0x5c7b and all of them
}

rule Adwind_JAR_PACKA {
	meta:
		author = "Vitaly Kamluk, Vitaly.Kamluk@kaspersky.com"
		last_modified = "2015-11-30"
	strings:
		$b1 = ".class"
		$b2 = "c/a/a/"
		$b3 = "b/a/"
		$b4 = "a.dat"
		$b5 = "META-INF/MANIFEST.MF"
	condition:
		int16(0) == 0x4B50 and ($b1 and $b2 and $b3 and $b4 and $b5)
}

rule w3ll_admin_panel_old {
	meta:
		description = "The old admin login page for the W3LL 
panel."
		author = "Anton Ushakov"
	strings:
		$a = "<div class=\"card-header text-center\">Login 
to Panel</div>"
		$b = "placeholder=\"Private Key\""
		$c = "background-color: #000000"
	condition:
		all of them
}

rule w3ll_phishing_verification_page {
	meta:
		description = "The W3LL Panel verification page"
		author = "Victor Okorokov"
	strings:
		$a = "<title>Verification"
		$b = "function isBot()"
	condition:
		all of them
}

import "pe"

rule MAL_IsaacWiper {
	meta:
		author = "CNANCE, Insikt Group, Recorded Future"
		date = "2022-03-08"
		description = "Detects IsaacWiper destructive malware"
		version = "1.0"
		reference = "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-
ukraine/"
		hash = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033"
		hash = "7bcd4ec18fc4a56db30e0aaebd44e2988f98f7b5d8c14f6689f650b4f11e16c0"
		RF_MALWARE = "IsaacWiper"
		RF_MALWARE_ID = "lzQ5GL"
	strings:
		$physical_drive_check = { 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 80 8D ?? CC 50 FF D? 8B F0 83 FE FF 0F 84 ?? ?? ?? ?? 6A 00 8D ?? E4 C7 4? ?? 00 00 00 00 50 6A 0C 8D ?? AC 50 6A 00 6A 00 68 80 10 2D 00 56 FF 15 ?? ?? ?? ?? 83 F8 01 0F 94 ?? 75 ?? 33 C0 83 7? ?? 07 0F 44 4? ?? 89 4? ?? 56 FF 15 ?? ?? ?? ?? 84 DB EB ?? 84 C9 0F 84 ?? ?? ?? ?? 8B 5? ?? 8B D3 8B 4? ?? 6A 01 E8 }
	condition:
		uint16(0) == 0x5a4d and filesize > 170KB and pe.imphash() == "a4b162717c197e11b76a4d9bc58ea25d" and pe.exports("_start@4") and pe.imports("kernel32.dll", "DeviceIoControl") and $physical_drive_check
}

rule PoS_Malware_RawPOS2015_service : RawPOS2015_service {
	meta:
		author = "Trend Micro, Inc."
		date = "2015-03-10"
		description = "Used to detect RawPOS RAM service, including 2015 sample set"
		sample_filetype = "exe"
	strings:
		$string0 = "OpenService failed - %s"
		$string1 = "OpenSCManager failed - %s"
		$string2 = "Unable to install %s - %s"
		$string3 = "File already exists"
		$string4 = "Stopping %s."
		$string5 = "This may take several seconds.  Please wait."
		$string6 = "%s failed to stop."
		$string7 = "%s removed."
		$string8 = "Debugging %s."
		$string9 = "Could not create registery key"
		$string10 = "\\\\.\\pipe\\susrv"
		$string11 = "SYSTEM\\CurrentControlSet\\Services\\EventLog\\Application\\%s"
	condition:
		all of ($string*)
}

rule PoS_Malware_RawPOS2015_dumper_old : RawPOS2015_dumper_old {
	meta:
		author = "Trend Micro, Inc."
		date = "2015-03-10"
		description = "Used to detect RawPOS memory dumper, pre-2012"
		sample_filetype = "exe"
	strings:
		$string0 = " Full private dump of all running processes"
		$string1 = " show info on Process like Path"
		$string2 = " Show this help"
		$string3 = " List all running processes"
		$string4 = "Dumping private memory for pid %s to %s.dmp..."
		$string5 = "%s-%d.dmp"
		$string6 = "memdump\\%s-%d.dmp"
		$string7 = "del memdump\\"
		$string8 = "Process Memory Dumper"
		$string9 = "Base size: %u"
		$string10 = "Module ID: %u"
		$string11 = "Hex: %xh"
	condition:
		all of ($string*)
}

rule final_policy_key {
	strings:
		$str1 = "Providers" nocase
		$str2 = "Trust" nocase
		$str3 = "FinalPolicy" nocase
	condition:
		all of them
}