Some phobos work

Posted by James_inthe_box, Feb 9th, 2019
Source of the Rich-header rules below (Hybrid Analysis YARA search results): https://www.hybrid-analysis.com/yara-search/results/6e0f149bbab7043a756d8414d2bd3b1b140dc2cac6cca6519140236f4bcc323b
  2.  
  3. ~~~
  4. import "pe"
  5. import "hash"
  6.  
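  rule UNORDERED_ARRAY {
      meta:
          description = "Phobos sample - Rich header tool/build pairs, presence only (order not checked)"
          author = "James_inthe_box"
          date = "2019/02"
          maltype = "Ransomware"

      condition:
          // pe.rich_signature.toolid(id, build) counts the Rich-header entries with
          // that tool id and build number, so each term holds only when the pair is
          // present. All seven pairs come from one sample; ORDERED_XOR checks the
          // same seven values in their on-disk (still XOR-encrypted) order.
          // Builds 40219 / 30729 look like VS2010 SP1 / VS2008 SP1 toolsets and ids
          // 157/158/170/171/174 like that linker's components -- verify against a
          // Rich-header tool id table before relying on those labels.
          pe.rich_signature.toolid(171, 40219)
          and pe.rich_signature.toolid(158, 40219)
          and pe.rich_signature.toolid(170, 40219)
          and pe.rich_signature.toolid(147, 30729)
          // NOTE(review): id 1 / build 0 is presumably the "unmarked objects" entry
          // present in most MSVC-linked binaries; it adds little selectivity.
          and pe.rich_signature.toolid(1, 0)
          and pe.rich_signature.toolid(174, 40219)
          and pe.rich_signature.toolid(157, 40219)
  }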
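  rule ORDERED_XOR {
      meta:
          description = "Phobos sample - the seven Rich header entries as stored on disk (XOR-encrypted), in order"
          author = "James_inthe_box"
          date = "2019/02"
          maltype = "Ransomware"

      strings:
          // Each pattern is the first DWORD (tool id << 16 | build) of one Rich
          // header entry as it sits on disk, i.e. XORed with the key 0x48861F6A
          // (little-endian bytes 6A 1F 86 48). Decrypting them yields exactly the
          // pairs UNORDERED_ARRAY checks, e.g.
          //   71 82 2D 48 ^ 6A 1F 86 48 = 1B 9D AB 00 -> tool 0xAB (171), build 0x9D1B (40219)
          //   6A 1F 87 48 ^ 6A 1F 86 48 = 00 00 01 00 -> tool 1, build 0
          // The second DWORD of each entry (the use count) is not matched.
          $entry1 = { 71 82 2D 48 }   // 171 / 40219
          $entry2 = { 71 82 18 48 }   // 158 / 40219
          $entry3 = { 71 82 2C 48 }   // 170 / 40219
          $entry4 = { 63 67 15 48 }   // 147 / 30729
          $entry5 = { 6A 1F 87 48 }   // 1 / 0
          $entry6 = { 71 82 28 48 }   // 174 / 40219
          $entry7 = { 71 82 1B 48 }   // 157 / 40219

      condition:
          // The first occurrence of each pattern must appear in this order; a
          // missing pattern leaves its offset undefined and the rule does not match.
          // NOTE(review): the patterns are not anchored to the Rich header region
          // (pe.rich_signature.offset / length), so hits elsewhere in the file would
          // also satisfy the ordering. With seven ordered 4-byte patterns that is
          // unlikely, but a bounds check would make the rule exact.
          @entry1[1] < @entry2[1]
          and @entry2[1] < @entry3[1]
          and @entry3[1] < @entry4[1]
          and @entry4[1] < @entry5[1]
          and @entry5[1] < @entry6[1]
          and @entry6[1] < @entry7[1]
  }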
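  rule XOR_KEY {
      meta:
          description = "Phobos sample - Rich header XOR key"
          author = "James_inthe_box"
          date = "2019/02"
          maltype = "Ransomware"

      condition:
          // The key used to encrypt this sample's Rich header. Its little-endian
          // bytes (6A 1F 86 48) are what ORDERED_XOR's patterns are XORed with, and
          // the 'H' / 'j' around "Rich" in the phobos rule's "HRichj" string are the
          // high byte every encrypted entry ends with (0x48) and the key's low byte
          // (0x6A). The key is believed to be computed over the linker input, so a
          // rebuild of the same source most likely produces a different value.
          pe.rich_signature.key == 0x48861F6A
  }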
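  rule CLEAR_DATA {
      meta:
          description = "Phobos sample - SHA-256 of the decrypted Rich header"
          author = "James_inthe_box"
          date = "2019/02"
          maltype = "Ransomware"

      condition:
          // Hash of the Rich header with the XOR key removed, so this is the most
          // exact of the four Rich-header rules: it should match only a header with
          // the same entries in the same order, including the use counts that
          // ORDERED_XOR ignores. The literal must stay lowercase hex to compare
          // equal with the module's output.
          // NOTE(review): this relies on the string overload of hash.sha256();
          // confirm the deployed YARA version provides it (older builds only take
          // an offset and size).
          hash.sha256(pe.rich_signature.clear_data) == "7f73991dc669016d9c280382589b382d9b626c2c218f98f5a31868feb1624bb3"
  }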
  47. ~~~
  48.  
The rule below should match the `k.txt` variant currently circulating (the sample SHA-256 is in its `reference` meta field).
  50. ~~~
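  rule phobos
  {
      meta:
          description = "Phobos"
          author = "James_inthe_box"
          reference = "1fb74c647bd1320d2290a34db318de7afefe5906b2b6035cc711b60f563eb59b"
          date = "2019/01"
          maltype = "Ransomware"

      strings:
          // $string1-$string22 are ordinary kernel32 imports and CRT plumbing; they
          // carry almost no selectivity on their own and mainly pin the import set.
          $string1 = "kernel32.dll"
          $string2 = "LoadLibraryA"
          $string3 = "GetProcAddress"
          $string4 = "ExitProcess"
          $string5 = "GetModuleHandleW"
          $string6 = "GetCommandLineA"
          $string7 = "HeapSetInformation"
          $string8 = "TerminateProcess"
          $string9 = "GetCurrentProcess"
          $string10 = "UnhandledExceptionFilter"
          $string11 = "SetUnhandledExceptionFilter"
          $string12 = "IsDebuggerPresent"
          $string13 = "EnterCriticalSection"
          $string14 = "LeaveCriticalSection"
          $string15 = "DecodePointer"
          $string16 = "EncodePointer"
          $string17 = "ReadFile"
          $string18 = "WriteFile"
          $string19 = "FlushFileBuffers"
          $string20 = "CloseHandle"
          $string21 = "SetFilePointer"
          $string22 = "DeleteFileA"
          // Sample-specific artefacts: the k.txt filename this variant is known by,
          // and "HRichj" = 0x48 'Rich' 0x6A -- the Rich header terminator sitting
          // between the last XOR-encrypted entry (every entry ends in 0x48 under
          // key 0x48861F6A) and the key's low byte 0x6A ('j'). This ties the rule
          // to the same build fingerprint as XOR_KEY / ORDERED_XOR.
          $string23 = "k.txt"
          $string24 = "HRichj"
          // "QSVW" (51 53 56 57) is likely a push ecx/ebx/esi/edi prologue -- generic x86.
          $string25 = "QSVW"

      condition:
          // MZ check via uint16() instead of a 2-byte $mz string: the match is
          // identical (4D 5A at offset 0), but it avoids a two-byte atom that YARA
          // would otherwise search for across the whole file and warn about.
          uint16(0) == 0x5A4D
          and all of ($string*)
          // NOTE(review): exact size pin (117KB = 119808 bytes in YARA units), so a
          // re-pack or new build of the same code will not match. Widen to a range
          // only after checking the false-positive impact, since most strings above
          // are generic.
          and filesize == 117KB
  }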
  91. ~~~