James_inthe_box

Some phobos work

Feb 9th, 2019
  1. https://www.hybrid-analysis.com/yara-search/results/6e0f149bbab7043a756d8414d2bd3b1b140dc2cac6cca6519140236f4bcc323b
  2.  
  3. ~~~
  4. import "pe"
  5. import "hash"
  6.  
  rule UNORDERED_ARRAY {
      meta:
          description = "Rich header carries all seven (toolid, build) pairs below, in any order"
      condition:
          // Each toolid() call is true when the Rich header holds an entry with
          // that (toolid, build) pair. Only presence is tested, not position, so
          // the operands are listed by toolid; AND order does not change the result.
          pe.rich_signature.toolid(1, 0) and
          pe.rich_signature.toolid(147, 30729) and
          pe.rich_signature.toolid(157, 40219) and
          pe.rich_signature.toolid(158, 40219) and
          pe.rich_signature.toolid(170, 40219) and
          pe.rich_signature.toolid(171, 40219) and
          pe.rich_signature.toolid(174, 40219)
  }
  rule ORDERED_XOR {
      meta:
          description = "Seven 4-byte patterns whose first occurrences appear in the file in a fixed order"
      strings:
          $e1 = { 71 82 2D 48 }
          $e2 = { 71 82 18 48 }
          $e3 = { 71 82 2C 48 }
          $e4 = { 63 67 15 48 }
          $e5 = { 6A 1F 87 48 }
          $e6 = { 71 82 28 48 }
          $e7 = { 71 82 1B 48 }
      condition:
          // @eN[1] is the offset of the first occurrence of $eN. If a pattern is
          // absent its offset is undefined and YARA evaluates the comparison as
          // false, so this chain also requires every pattern to be present, with
          // first occurrences at strictly increasing offsets.
          @e1[1] < @e2[1] and
          @e2[1] < @e3[1] and
          @e3[1] < @e4[1] and
          @e4[1] < @e5[1] and
          @e5[1] < @e6[1] and
          @e6[1] < @e7[1]
  }
  rule XOR_KEY {
      meta:
          description = "Rich header XOR key equals the value seen in the reference build"
      condition:
          // key is the 32-bit value the Rich header entries are XOR-encoded with;
          // matching on it alone pins one linker/toolchain fingerprint.
          pe.rich_signature.key == 0x48861F6A
  }
  rule CLEAR_DATA {
      meta:
          description = "SHA-256 of the decoded (un-XORed) Rich header data"
      condition:
          // clear_data is the Rich header with the XOR key removed, so this matches
          // the exact toolchain array regardless of the key used to encode it.
          // hash.sha256 returns lowercase hex; the literal must stay lowercase.
          hash.sha256(pe.rich_signature.clear_data) == "7f73991dc669016d9c280382589b382d9b626c2c218f98f5a31868feb1624bb3"
  }
  47. ~~~
  48.  
Should match the k.txt variant currently circulating.
  50. ~~~
  rule phobos
  {
      meta:
          description = "Phobos"
          author = "James_inthe_box"
          reference = "1fb74c647bd1320d2290a34db318de7afefe5906b2b6035cc711b60f563eb59b"
          date = "2019/01"
          maltype = "Ransomware"

      strings:
          // kernel32 API names as plain ASCII literals (case-sensitive).
          $api1 = "kernel32.dll"
          $api2 = "LoadLibraryA"
          $api3 = "GetProcAddress"
          $api4 = "ExitProcess"
          $api5 = "GetModuleHandleW"
          $api6 = "GetCommandLineA"
          $api7 = "HeapSetInformation"
          $api8 = "TerminateProcess"
          $api9 = "GetCurrentProcess"
          $api10 = "UnhandledExceptionFilter"
          $api11 = "SetUnhandledExceptionFilter"
          $api12 = "IsDebuggerPresent"
          $api13 = "EnterCriticalSection"
          $api14 = "LeaveCriticalSection"
          $api15 = "DecodePointer"
          $api16 = "EncodePointer"
          $api17 = "ReadFile"
          $api18 = "WriteFile"
          $api19 = "FlushFileBuffers"
          $api20 = "CloseHandle"
          $api21 = "SetFilePointer"
          $api22 = "DeleteFileA"
          // Other literal strings taken from the reference sample.
          $marker1 = "k.txt"
          $marker2 = "HRichj"
          $marker3 = "QSVW"

      condition:
          // Little-endian "MZ" at offset 0; equivalent to a { 4d 5a } pattern
          // anchored at 0 (undefined, hence false, for files under 2 bytes).
          uint16(0) == 0x5A4D and
          all of ($api*) and
          all of ($marker*) and
          // Exact size of the reference sample. A rebuilt, repacked or padded
          // variant will miss this clause; widen the bound if new samples differ.
          filesize == 117KB
  }
  91. ~~~