-
Notifications
You must be signed in to change notification settings - Fork 602
/
apt_lazarus_dec17.yar
89 lines (82 loc) · 3.87 KB
/
apt_lazarus_dec17.yar
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
/*
Yara Rule Set
Author: Florian Roth
Date: 2017-12-20
Identifier: Lazarus malware
Reference: https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new
*/
/* Rule Set ----------------------------------------------------------------- */
rule Lazarus_Dec_17_1 {
meta:
description = "Detects Lazarus malware from incident in Dec 2017"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/8U6fY2"
date = "2017-12-20"
hash1 = "d5f9a81df5061c69be9c0ed55fba7d796e1a8ebab7c609ae437c574bd7b30b48"
id = "f195ebf0-d7af-58e8-a544-769a0c8b628b"
strings:
$s1 = "::DataSpace/Storage/MSCompressed/Transform/" ascii
$s2 = "HHA Version 4." ascii
$s3 = { 74 45 58 74 53 6F 66 74 77 61 72 65 00 41 64 6F
62 65 20 49 6D 61 67 65 52 65 61 64 79 71 }
$s4 = "bUEeYE" fullword ascii
condition:
uint16(0) == 0x5449 and filesize < 4000KB and all of them
}
rule Lazarus_Dec_17_2 {
meta:
description = "Detects Lazarus malware from incident in Dec 2017"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/8U6fY2"
date = "2017-12-20"
hash1 = "cbebafb2f4d77967ffb1a74aac09633b5af616046f31dddf899019ba78a55411"
hash2 = "9ca3e56dcb2d1b92e88a0d09d8cab2207ee6d1f55bada744ef81e8b8cf155453"
id = "45127fb5-0f70-5140-acd9-46147d365dfe"
strings:
$s1 = "SkypeSetup.exe" fullword wide
$s2 = "%s\\SkypeSetup.exe" fullword ascii
$s3 = "Skype Technologies S.A." fullword wide
$a1 = "Microsoft Code Signing PCA" ascii wide
condition:
uint16(0) == 0x5a4d and filesize < 7000KB and (
all of ($s*) and not $a1
)
}
rule Lazarus_Dec_17_4 {
meta:
description = "Detects Lazarus malware from incident in Dec 2017ithumb.js"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/8U6fY2"
date = "2017-12-20"
hash1 = "8ff100ca86cb62117f1290e71d5f9c0519661d6c955d9fcfb71f0bbdf75b51b3"
hash2 = "7975c09dd436fededd38acee9769ad367bfe07c769770bd152f33a10ed36529e"
id = "fbdc6287-c177-53b5-83dd-979936f65192"
strings:
$s1 = "var _0xf5ed=[\"\\x57\\x53\\x63\\x72\\x69\\x70\\x74\\x2E\\x53\\x68\\x65\\x6C\\x6C\"," ascii
condition:
filesize < 9KB and 1 of them
}
rule Lazarus_Dec_17_5 {
meta:
description = "Detects Lazarus malware from incident in Dec 2017"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/8U6fY2"
date = "2017-12-20"
hash1 = "db8163d054a35522d0dec35743cfd2c9872e0eb446467b573a79f84d61761471"
id = "33bd8c08-123e-5a8e-b5dc-02af7291addc"
strings:
$x1 = "$ProID = Start-Process powershell.exe -PassThru -WindowStyle Hidden -ArgumentList" fullword ascii
$x2 = "$respTxt = HttpRequestFunc_doprocess -szURI $szFullURL -szMethod $szMethod -contentData $contentData;" fullword ascii
$x3 = "[String]$PS_PATH = \"C:\\\\Users\\\\Public\\\\Documents\\\\ProxyAutoUpdate.ps1\";" fullword ascii
$x4 = "$cmdSchedule = 'schtasks /create /tn \"ProxyServerUpdater\"" ascii
$x5 = "/tr \"powershell.exe -ep bypass -windowstyle hidden -file " ascii
$x6 = "C:\\\\Users\\\\Public\\\\Documents\\\\tmp' + -join " ascii
$x7 = "$cmdResult = cmd.exe /c $cmdInst | Out-String;" fullword ascii
$x8 = "whoami /groups | findstr /c:\"S-1-5-32-544\"" fullword ascii
condition:
filesize < 500KB and 1 of them
}