/*
 * Inception Framework detections (Blue Coat Labs, December 2014).
 *
 * NOTE(review): every rule in this file cites the same goo.gl shortlink
 * (http://goo.gl/qr7BP4). Google has been retiring goo.gl shortlinks since
 * 2024, so the link may no longer resolve; the underlying source is Blue Coat's
 * public report on the "Inception Framework". Confirm and pin a durable URL if
 * the shortlink is dead. The `date` meta appears to be MM/DD/YYYY (10 Dec 2014).
 */
rule InceptionDLL
{
    meta:
        author = "Blue Coat Systems, Inc"
        reference = "http://goo.gl/qr7BP4"
        date = "12/10/2014"
        description = "Used by unknown APT actors: Inception"
    strings:
        // Internal name carried by the payload DLL. On its own this string is
        // sufficient to fire the rule (see condition), so it is the most likely
        // single source of a hit in a memory image.
        $dll_name = "dll.polymorphed.dll"

        // The four code fragments below are 32-bit x86 with ebp-relative frames
        // (`83 7d xx ..` = cmp dword [ebp+xx], `8b 45 08` = mov eax,[ebp+8],
        // `55 8b ec` = push ebp / mov ebp,esp, `ff 15` = call [imm32]).
        // NOTE(review): they only cover x86 builds; a 64-bit variant would have
        // to be caught by $dll_name alone.

        // Argument validation prologue: three NULL checks (je) followed by a
        // size check against 8 (jb), then local initialisation.
        $code_argcheck = {
            83 7d 08 00 0f 84 cf 00 00 00
            83 7d 0c 00 0f 84 c5 00 00 00
            83 7d 10 00 0f 84 bb 00 00 00
            83 7d 14 08 0f 82 b1 00 00 00
            c7 45 fc 00 00 00 00 8b 45 10 89 45 dc 68 00 00
        }

        // Indirect import call, then the 2nd..4th arguments are stored into a
        // structure reached through the first argument (offsets 0x18/0x1c/0x20),
        // with the field at 0x14 zeroed first.
        $code_ctx_store = {
            FF 15 ?? ?? ?? ?? 8b 4d 08 8b 11 c7 42 14 00 00 00 00
            8b 45 08 8b 08 8b 55 14 89 51 18
            8b 45 08 8b 08 8b 55 0c 89 51 1c
            8b 45 08 8b 08 8b 55 10 89 51 20
            8b 45 08 8b 08
        }

        // push 0x2710 (10000) + import call -- looks like Sleep(10000), unverified --
        // followed by a retry counter compared against 10 and a 0x20-byte local
        // cleared via a cdecl 3-argument call (add esp,0xc), presumably memset.
        $code_retry_loop = {
            68 10 27 00 00 FF 15 ?? ?? ?? ??
            83 7d CC 0a 0f 8d 47 01 00 00
            83 7d d0 00 0f 85 3d 01 00 00
            6a 20 6a 00 8d 4d d4 51 e8 ?? ?? ?? ??
            83 c4 0c 8b 55 08 89 55 e8 c7 45 d8
        }

        // Function prologue, then two calls through a function pointer held at
        // offset 4 of the second argument, passing fields at large fixed offsets
        // (0x323ac, 0x3bb14) of the first argument -- a vtable/dispatch-table
        // pattern over a sizeable context object.
        $code_dispatch = {
            55 8b ec 8b 45 08 8b 88 ac 23 03 00 51
            8b 55 0c 52 8b 45 0c 8b 48 04 ff d1 83 c4 08
            8b 55 08 8b 82 14 bb 03 00 50
            8b 4d 0c 51 8b 55 0c 8b 42 04
        }
    condition:
        // A single hit on any of the five patterns is enough.
        1 of them
}
rule InceptionRTF {
    meta:
        author = "Blue Coat Systems, Inc"
        reference = "http://goo.gl/qr7BP4"
        date = "12/10/2014"
        description = "Used by unknown APT actors: Inception"
    strings:
        // Short RTF control-word residue; too generic alone, hence the conjunction below.
        $rtf_tail = "}}PT@T"
        // Generator version stamp left in the document.
        $rtf_version = "XMLVERSION \"3.1.11.5604.5606"
        // Embedded Word object (objclass Word.Document.12) with a fixed object
        // width -- the lure documents carried an embedded OLE object.
        $rtf_object = "objclass Word.Document.12}\\objw9355"
    condition:
        // All three artefacts must co-occur in the same file.
        $rtf_tail and $rtf_version and $rtf_object
}
rule InceptionMips {
    meta:
        author = "Blue Coat Systems, Inc"
        reference = "http://goo.gl/qr7BP4"
        date = "12/10/2014"
        description = "Used by unknown APT actors: Inception"
    strings:
        // Exported/symbol names of the embedded-device component. The `sock`
        // prefix suggests socket/proxy helpers, unverified from here.
        $sym_sockat = "start_sockat" ascii wide
        $sym_sockss = "start_sockss" ascii wide
        // Length-prefixed identifier (13 chars, "CStatusServer") -- an Itanium
        // C++ ABI mangled-name fragment, i.e. a g++-style build.
        $sym_status = "13CStatusServer" ascii wide
    condition:
        // NOTE(review): nothing here checks the ELF machine type, so despite the
        // rule name these strings would also match a non-MIPS build.
        $sym_sockat and $sym_sockss and $sym_status
}
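rule InceptionVBS {
    meta:
        author = "Blue Coat Systems, Inc; modified by Florian Roth"
        reference = "http://goo.gl/qr7BP4"
        date = "12/10/2014"
        description = "Used by unknown APT actors: Inception"
    strings:
        // VBScript identifiers and keywords are case-insensitive, so recasing
        // `Crypt`, `Dim` or `fso.BuildPath` leaves the script functionally
        // identical but would have evaded the original exact-case strings.
        // `nocase` closes that trivial evasion; requiring all three strings to
        // co-occur keeps the rule specific.
        // NOTE(review): the strings are ASCII-only; a UTF-16 (.vbs saved as
        // Unicode) copy would need `wide` as well -- left as-is pending samples.
        $a = "c = Crypt(c,k)" nocase
        $b = "fso.BuildPath( WshShell.ExpandEnvironmentStrings(a)" nocase
        $c = "Dim p(4)" fullword ascii nocase
    condition:
        all of them
}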
rule InceptionBlackberry {
    meta:
        author = "Blue Coat Systems, Inc; modified by Florian Roth"
        reference = "http://goo.gl/qr7BP4"
        date = "12/10/2014"
        description = "Used by unknown APT actors: Inception"
    strings:
        // Group 1: device-profiling field labels collected by the BlackBerry component.
        $kw1 = "POSTALCODE:"
        $kw2 = "SecurityCategory:"
        $kw3 = "amount of free flash:"
        // Group 1, continued: the bytes of "$Ø71|'1'|:" in Latin-1 (0xD8 = Ø),
        // written as hex because the character is non-ASCII.
        $kw4 = { 24 d8 37 31 7c 27 31 27 7c 3a }
        // Group 2: hard-coded identifiers from the same component.
        $id1 = "God_Save_The_Queen"
        $id2 = "UrlBlog"
    condition:
        // Either the full set of profiling labels or the full set of identifiers.
        // `UrlBlog` alone would be far too generic, hence `all of` per group.
        all of ($kw*) or all of ($id*)
}
rule InceptionAndroid {
    meta:
        author = "Blue Coat Systems, Inc"
        reference = "http://goo.gl/qr7BP4"
        date = "12/10/2014"
        description = "Used by unknown APT actors: Inception"
    strings:
        // Log/format strings from the Android component. "blog" here matches
        // the blog-based C2 naming seen in the sibling Blackberry rule.
        $log_blogs = "BLOGS AVAILABLE="
        $log_index = "blog-index"
        // Error string; mentions dex, which suggests loading a secondary dex at
        // runtime -- inferred from the text only.
        $log_dex = "Cant create dex="
    condition:
        $log_blogs and $log_index and $log_dex
}
rule InceptionIOS {
    meta:
        author = "Blue Coat Systems, Inc"
        reference = "http://goo.gl/qr7BP4"
        date = "12/10/2014"
        description = "Used by unknown APT actors: Inception"
    strings:
        // Build-path fragment left in the binary (developer workspace path);
        // this is the anchor and is always required.
        $build_path = "Developer/iOS/JohnClerk/"
        // Names the component presents itself under -- two of them masquerade as
        // updaters for well-known messaging apps.
        $name_skype = "SkypeUpdate"
        $name_syscat = "/Syscat/"
        $name_whatsapp = "WhatsAppUpdate"
    condition:
        // NOTE(review): "SkypeUpdate"/"WhatsAppUpdate" alone would hit benign
        // software; they only count together with the build-path anchor.
        $build_path and 1 of ($name*)
}
rule InceptionCloudMe {
    meta:
        author = "Florian Roth"
        reference = "http://goo.gl/qr7BP4"
        date = "12/10/2014"
        score = 65
        description = "Compromised CloudMe accounts from BlueCoat operation Inception"
    strings:
        // Account handles attributed to the operation (see description). Most are
        // name+digits, but a few -- "lisa.walker" in particular -- are ordinary
        // looking; `fullword` limits, but does not remove, that exposure.
        $acct1 = "franko7046" fullword
        $acct2 = "sanmorinostar" fullword
        $acct3 = "tem5842" fullword
        $acct4 = "bimm4276" fullword
        $acct5 = "carter0648" fullword
        $acct6 = "depp3353" fullword
        $acct7 = "frogs6352" fullword
        $acct8 = "daw0996" fullword
        $acct9 = "chak2488" fullword
        $acct10 = "corn6814" fullword
        $acct11 = "james9611" fullword
        $acct12 = "lisa.walker" fullword
        $acct13 = "billder1405" fullword
        $acct14 = "droll5587" fullword
        $acct15 = "samantha2064" fullword
        $acct16 = "chloe7400" fullword
        $acct17 = "browner8674935" fullword
        $acct18 = "parker2339915" fullword
        $acct19 = "young0498814" fullword
        $acct20 = "hurris4124867" fullword
        // The service name, anywhere in the file, in any case.
        $service = "cloudme" nocase fullword
    condition:
        // One handle plus the service name. NOTE(review): a document, mailbox or
        // log that merely discusses CloudMe and happens to contain one of the
        // handles will match -- the score of 65 reflects that; treat hits as a
        // triage lead rather than a blocking verdict.
        $service and 1 of ($acct*)
}