
Targeted Destructive Malware - Yara Rules - US-CERT

Dec 20th, 2014
  1. /*
  2.    Yara Rules from the US-CERT Alert TA14-353A
  3.    Destructive Malware (probably from the SONY Hack)
  4.    Reference:  https://www.us-cert.gov/ncas/alerts/TA14-353A
  5.    
  6.    The rules are extended and changed because the published rules contained some errors.
  7.    Most of the errors were easy to fix, being letter/digit confusions introduced in publication:
  8.    OC to 0C (letter O to digit 0)
  9.    uintl6 to uint16 (letter l to digit 1)
  10.  
  11.    But some rules had to be changed more extensively and may be broken now.
  12.    These rules are:
  13.    Destructive_MalwareUsed_1
  14.    Destructive_Target_Cleaning_Tool_3
  15.    Destructive_Target_Cleaning_Tool_4
  16.  
  17.    Thanks to the US-CERT for the publication.
  18.    Follow us on Twitter @MalwrSignatures
  19. */
  20.  
  21. rule SMB_Worm_Tool {
  22.     meta:
  23.         description = "Targeted Destructive Malware - SMB Worm Tool"
  24.         author = "US-CERT"
  25.         date = "12/19/2014"
  26.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  27.     strings:
  28.         $STR1 = "Global\\FwtSqmSession106829323_S-1-5-19"
  29.         $STR2 ="EVERYONE"
  30.         $STR3 = "y0uar3@s!llyid!07,ou74n60u7f001"
  31.         $STR4 = "\\KB25468.dat"
  32.     condition:
  33.         (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) ==0xC3D4 or
  34.         uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
  35. }
  36.  
  37. rule Lightweight_Backdoor_1 {
  38.     meta:
  39.         description = "Targeted Destructive Malware - Lightweight Backdoor"
  40.         author = "US-CERT"
  41.         date = "12/19/2014"
  42.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  43.     strings:
  44.         $STR1 = "NetMgStart"
  45.         $STR2 = "Netmgmt.srg"
  46.     condition:
  47.         (uint16(0) == 0x5A4D) and all of them
  48. }
  49.  
  50. rule Lightweight_Backdoor_2 {
  51.     meta:
  52.         description = "Targeted Destructive Malware - Lightweight Backdoor"
  53.         author = "US-CERT"
  54.         date = "12/19/2014"
  55.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  56.     strings:
  57.         $STR1 = "prxTroy" ascii wide nocase
  58.     condition:
  59.         (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
  60. }
  61.  
rule Lightweight_Backdoor_3 {
    meta:
        description = "Targeted Destructive Malware - Lightweight Backdoor"
        author = "US-CERT"
        date = "12/19/2014"
        reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
    strings:
        // Eleven consecutive `C6 45 disp8 imm8` stores (mov byte ptr [ebp+disp8], imm8)
        // at ebp-0x18 .. ebp-0x0E whose immediates spell 'dayipmr.tbl': a filename
        // assembled on the stack one byte at a time. The identifier is `$strl`
        // (letter l) as published - presumably meant as $str1; harmless here, since
        // it is the rule's only string.
        $strl  = { C6 45 E8 64 C6 45 E9 61 C6 45 EA 79 C6 45 EB 69 C6 45 EC 70 C6 45 ED 6D C6 45 EE 72 C6 45 EF 2E C6 45 F0 74 C6 45 F1  62 C6 45 F2 6C } // 'dayipmr.tbl' being moved to ebp
    condition:
        // Shared container gate - MZ, OLE2 (D0 CF), pcap (D4 C3), "%PDF", "{\rtf" -
        // plus the stack-string pattern.
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
        uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}
  74.  
rule Lightweight_Backdoor_4 {
    meta:
        description = "Targeted Destructive Malware - Lightweight Backdoor"
        author = "US-CERT"
        date = "12/19/2014"
        reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
    strings:
        // Eight `C6 45 disp8 imm8` stores (mov byte ptr [ebp+disp8], imm8) at
        // ebp-0x0C .. ebp-0x05 spelling 'ansi.nls' - a filename built on the stack.
        // `$strl` (letter l) is the published identifier; presumably $str1 was meant.
        $strl  = { C6 45 F4 61 C6 45 F5 6E C6 45 F6 73 C6 45 F7 69 C6 45 F8 2E C6 45 F9 6E C6 45 FA 6C C6 45 FB 73 } // 'ansi.nls' being moved to ebp
    condition:
        // Shared container gate - MZ, OLE2 (D0 CF), pcap (D4 C3), "%PDF", "{\rtf" -
        // plus the stack-string pattern.
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
        uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}
  87.  
rule Lightweight_Backdoor_5 {
    meta:
        description = "Targeted Destructive Malware - Lightweight Backdoor"
        author = "US-CERT"
        date = "12/19/2014"
        reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
    strings:
        // Same shape as Lightweight_Backdoor_4 (eight byte stores at ebp-0x0C ..
        // ebp-0x05), here spelling 'tlvc.nls'. `$strl` (letter l) is the published
        // identifier; presumably $str1 was meant.
        $strl  = { C6 45 F4 74 C6 45 F5 6C C6 45 F6 76 C6 45 F7 63 C6 45 F8 2E C6 45 F9 6E C6 45 FA 6C C6 45 FB 73 } // 'tlvc.nls' being moved to ebp
    condition:
        // Shared container gate - MZ, OLE2 (D0 CF), pcap (D4 C3), "%PDF", "{\rtf" -
        // plus the stack-string pattern.
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
        uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}
  100.  
rule Lightweight_Backdoor_6 {
    meta:
        description = "Targeted Destructive Malware - Lightweight Backdoor"
        author = "US-CERT"
        date = "12/19/2014"
        reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
    strings:
        // Byte-transform loop body: `8A 10` mov dl,[eax]; two `80 ?? imm8` 8-bit ALU
        // ops (the ModRM, and so the operation, is wildcarded) with constants 0x4E
        // and 0x79; `88 10` mov [eax],dl writes the byte back.
        $STR1 = { 8A 10 80 ?? 4E 80 ?? 79 88 10}
        // NOTE(review): this variant opens with `5A 10` (pop edx / adc) rather than
        // the `8A 10` load of $STR1, with the two constants swapped. That looks like
        // a transcription error in the published hex; since the condition requires
        // both strings, a wrong $STR2 means the rule never fires - confirm against
        // the alert before relying on it.
        $STR2 = { 5A 10 80?? 79 80 ?? 4E 88 10}
    condition:
        // Shared container gate - MZ, OLE2 (D0 CF), pcap (D4 C3), "%PDF", "{\rtf" -
        // and both loop variants.
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
        uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}
  114.  
  115. rule Proxy_Tool_1 {
  116.     meta:
  117.         description = "Targeted Destructive Malware - Proxy Tool"
  118.         author = "US-CERT"
  119.         date = "12/19/2014"
  120.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  121.     strings:
  122.         $STR1 = "pmsconfig.msi" wide
  123.         $STR2 = "pmslog.msi" wide
  124.     condition:
  125.         (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
  126.         uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and any of them
  127. }
  128.  
rule Proxy_Tool_2 {
    meta:
        description = "Targeted Destructive Malware - Proxy Tool"
        author = "US-CERT"
        date = "12/19/2014"
        reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
    strings:
        // The XOR-0xA7-encoded service host command line, NUL-terminated
        // (0x82 ^ 0xA7 = '%', 0xF4 ^ 0xA7 = 'S', ...). The line break inside the
        // braces is just whitespace and is legal in a YARA hex string.
        $STR1 = { 82 F4 DE D4 D3 C2 CA F5 C8 C8 D3 82 FB F4 DE D4 D3 C2 CA 94
            95 FB D4 D1 C4 CF C8 D4 D3 89 C2 DF C2 87 8A CC 87 00 } // '%SystemRoot%\System32\svchost.exe -k' xor A7
    condition:
        // Shared container gate - MZ, OLE2 (D0 CF), pcap (D4 C3), "%PDF", "{\rtf" -
        // plus the encoded string.
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
        uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}
  142.  
rule Proxy_Tool_3 {
    meta:
        description = "Targeted Destructive Malware - Proxy Tool"
        author = "US-CERT"
        date = "12/19/2014"
        reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
    strings:
        // Decode-loop body: `8A 04 17` mov al,[edi+edx]; `8B FB` mov edi,ebx;
        // `34 A7` xor al,0xA7; `46` inc esi; `88 02` mov [edx],al; `83 C9 FF` or ecx,-1.
        // The 0xA7 key is the same one Proxy_Tool_2's encoded string uses.
        // Only one string is defined and it is named $STR2 as published.
        $STR2 = {8A 04 17 8B FB 34 A7 46 88 02 83 C9 FF}
    condition:
        // Shared container gate - MZ, OLE2 (D0 CF), pcap (D4 C3), "%PDF", "{\rtf" -
        // plus the loop body.
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
        uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and $STR2
}
  155.  
rule Destructive_Harddrive_Tool_1 {
    meta:
        description = "Targeted Destructive Malware - Destructive Harddrive Tool"
        author = "US-CERT"
        date = "12/19/2014"
        reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
    strings:
        // Anchored at offset 0 in the condition: equivalent to uint16(0) == 0x5A4D.
        $str0= "MZ"
        // `C6 84 24 disp32` = mov byte ptr [esp+disp32], imm8 with disp32 below 0x200
        // (the imm8 itself is not part of the pattern). Counted, not just matched.
        $str1 = {c6 84 24 ?? ( 00 | 01 ) 00 00 }
        // Complete function: `83 EC 20` sub esp,0x20 ... `F3 A5` rep movsd copies an
        // 8-dword block to the stack, then a loop whose body mixes bytes with `32 xx`
        // (xor) instructions and writes them back via `88 0C 32` mov [edx+esi],cl,
        // ending `83 C4 20 C3`. The name refers to those xors.
        $xorInLoop = { 83 EC 20 B9 08 00 00 00 33 D2 56 8B 74 24 30 57 8D 7C 24 08
            F3 A5 8B 7C 24 30 85 FF 7E 3A 8B 74 24 2C 8A 44 24 08 53 8A 4C 24 21 8A
            5C 24 2B 32 C1 8A 0C 32 32 C3 32 C8 88 0C 32 B9 1E 00 00 00 8A 5C 0C 0C
            88 5C 0C 0D 49 83 F9 FF 7F F2 42 88 44 24 0C 3B D7 7C D0 5B 5F 5E 83 C4
            20 C3 }
    condition:
        // MZ at offset 0, the xor function, and more than 300 byte-to-stack stores
        // (a large stack-built buffer or string table).
        $str0 at 0 and $xorInLoop and #str1 > 300
}
  173.  
rule Destructive_Target_Cleaning_Tool_1 {
    meta:
        description = "Targeted Destructive Malware - Destructive Target Cleaning Tool"
        author = "US-CERT"
        date = "12/19/2014"
        reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
    strings:
        // Five little-endian DWORD constants (0xD3, 0x2C, 0x95, 0x6A, 0x07) with fixed
        // jumps between them. The same constants, with exactly these gaps, appear as
        // immediates in the $secureWipe prologue of Destructive_Target_Cleaning_Tool_2
        // (`C7 44 24 2C D3 00 00 00 ...`), so this is a looser form of that signature.
        $s1 = {d3000000 [4] 2c000000 [12] 95000000 [4] 6a000000 [8] 07000000}
    condition:
        // PE only: "MZ" at 0 and "PE" at e_lfanew (uint32 at 0x3C).
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
}
  185.  
rule Destructive_Target_Cleaning_Tool_2 {
    meta:
        description = "Targeted Destructive Malware - Destructive Target Cleaning Tool"
        author = "US-CERT"
        date = "12/19/2014"
        reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
    strings:
        // One whole function (prologue `83 EC 34 53 55 ...` through `5F 5E 5D 5B 83 C4 34 C3`).
        // It stores the constants 0xD3, 0x2C, 0x95, 0x6A, 0x07 on the stack (the
        // sequence Destructive_Target_Cleaning_Tool_1 keys on), fills a 0x10000-byte
        // buffer with `F3 AB` rep stosd, and contains a seven-push `68 00 00 00 C0 ...
        // FF 15` call consistent with CreateFile(..., GENERIC_READ|GENERIC_WRITE, ...)
        // followed by a `83 FE FF` INVALID_HANDLE_VALUE check and repeated four-arg
        // calls through ebp (`FF D5`) - presumably the SetFilePointer/SetEndOfFile
        // write loop that Destructive_Target_Cleaning_Tool_7 names explicitly.
        // Alternatives such as `(D8 | d9)` and `(BC | BD)` are jump displacements that
        // differ by one, i.e. the pattern is meant to cover two near-identical builds.
        // `?? ?? ?? ??` after `FF 15` / `8B 2D` wildcard import-table addresses.
        $secureWipe = { 83 EC 34 53 55 8B 6C 24 40 56 57 83 CE FF 55 C7 44 24 2C D3 00 00 00 C7 44 24 30 2C 00 00 00 89 74 24 34 89 74 24 38 C7 44 24 3C 95 00 00 00 C7 44 24 40 6A 00 00 00 89 74 24 44 C7 44 24 14 07 00 00 00 FF 15 ?? ?? ?? ?? 3B C6 89 44 24 1C 0F 84 (D8 | d9) 01 00 00 33 FF 68 00 00 01 00 57 FF 15 ?? ?? ?? ?? 8B D8 3B DF 89 5C 24 14 0F 84 (BC | BD) 01 00 00 8B 44 24 1C A8 01 74 0A 24 FE 50 55 FF 15 ?? ?? ?? ?? 8B 44 24 4C 2B C7 74 20 48 74 0F 83 E8 02 75 1C C7 44 24 10 03 00 00 00 EB 12 C7 44 24 10 01 00 00 00 89 74 24 28 EB 04 89 7C 24 10 8B 44 24 10 89 7C 24 1C 3B C7 0F 8E ( 5C | 5d ) 01 00 00 8D 44 24 28 89 44 24 4C EB 03 83 CE FF 8B 4C 24 4C 8B 01 3B C6 74 17 8A D0 B9 00 40 00 00 8A F2 8B FB 8B C2 C1 E0 10 66 8B C2 F3 AB EB ( 13 | 14) 33 F6 (E8 | ff 15) ?? ?? ?? ?? 88 04 1E 46 81 FE 00 00 01 00 7C ( EF | ee) 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 C0 55 FF 15 ?? ?? ?? ?? 8B F0 83 FE FF 0F 84 FA 00 00 00 8D 44 24 20 50 56 FF 15 ?? ?? ?? ?? 8B 2D ?? ?? ?? ?? 6A 02 6A 00 6A FF 56 FF D5 8D 4C 24 18 6A 00 51 6A 01 53 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 56 FF D5 8B 44 24 24 8B 54 24 20 33 FF 33 DB 85 C0 7C 5A 7F 0A 85 D2 76 54 EB 04 8B 54 24 20 8B CA BD 00 00 01 00 2B CF 1B C3 85 C0 7F 0A 7C 04 3B CD 73 04 2B D7 8B EA 8B 44 24 14 8D 54 24 18 6A 00 52 55 50 56 FF 15 ?? ?? ?? ?? 8B 6C 24 18 8B 44 24 24 03 FD 83 D3 00 3B D8 7C BE 7F 08 8B 54 24 20 3B FA 72 B8 8B 2D ?? ?? ?? ?? 8B 5C 24 10 8B 7C 24 1C 8D 4B FF 3B F9 75 17 56 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 56 FF D5 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8B 4C 24 4C 8B 6C 24 48 47 83 C1 04 3B FB 8B 5C 24 14 89 7C 24 1C 89 4C 24 4C 0F 8C ( AE | AD) FE FF FF 6A 00 55 E8 ?? ?? ?? ?? 83 C4 08 53 FF 15 ?? ?? ?? ?? 5F 5E 5D 5B 83 C4 34 C3 }
    condition:
        // No file-type gate: the function body alone is specific enough, and this
        // lets the rule fire on memory dumps and carved fragments as well as on PEs.
        $secureWipe
}
  197.  
  198. rule Destructive_Target_Cleaning_Tool_3 {
  199.     meta:
  200.         description = "Targeted Destructive Malware - Destructive Target Cleaning Tool"
  201.         author = "US-CERT"
  202.         date = "12/19/2014"
  203.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  204.     strings:
  205.         $S1_CMD_Arg = "/install" fullword
  206.         $S2_CMD_Parse= "\"%s /install \"%s\"" fullword
  207.         $S3_CMD_Builder= "\"%s\" \"%s\" \"%s\" %s" fullword
  208.     condition:
  209.         all of them
  210. }
  211.  
  212. rule Destructive_Target_Cleaning_Tool_4 {
  213.     meta:
  214.         description = "Targeted Destructive Malware - Destructive Target Cleaning Tool"
  215.         author = "US-CERT"
  216.         date = "12/19/2014"
  217.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  218.     strings:
  219.         $BATCH_SCRIPT_LN1_0 = "goto x" fullword
  220.         $BATCH_SCRIPT_LN1_1 = "del" fullword
  221.         $BATCH_SCRIPT_LN2_0 = "if exist" fullword
  222.         $BATCH_SCRIPT_LN3_0 = ":x" fullword
  223.         $BATCH_SCRIPT_LN4_0 = "zz%d.bat" fullword
  224.     condition:
  225.         (#BATCH_SCRIPT_LN1_1 == 2) and all of them
  226. }
  227.  
rule Destructive_Target_Cleaning_Tool_5 {
    meta:
        description = "Targeted Destructive Malware - Destructive Target Cleaning Tool"
        author = "US-CERT"
        date = "12/19/2014"
        reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
    strings:
        // Raw 27-byte fragment; per its name a slice of a zlib-compressed embedded
        // DLL ("MCU"), so it is opaque by design and tied to one specific build.
        // The line break inside the braces is plain whitespace and is legal.
        $MCU_DLL_ZLIB_COMPRESSED2 = {5CECABAE813CC9BCD5A542F454910428343479806F
            71D5521E2A0D}
    condition:
        // No container gate; the fragment is matched anywhere in the scanned data.
        $MCU_DLL_ZLIB_COMPRESSED2
}
  240.  
rule Destructive_Target_Cleaning_Tool_6 {
    meta:
        description = "Targeted Destructive Malware - Destructive Target Cleaning Tool"
        author = "US-CERT"
        date = "12/19/2014"
        reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
    strings:
        // Two forms of the same embedded INF-file header ("MCU_INF"): the decoded
        // form ends in an ASCII `.exe` filename (`2E 65 78 65`), the encoded form is
        // the same bytes under an unknown transform, so the rule catches the payload
        // both at rest and after decoding.
        $MCU_INF_StartHexDec = {010346080A30D63633000B6263750A5052322A00103D1B570A30E67F2A00130952690A503A0D2A000E00A26E15104556766572636C7669642E657865}
        $MCU_INF_StartHexEnc = {6C3272386958BF075230780A0A54676166024968790C7A6779588F5E47312739310163615B3D59686721CF5F2120263E1F5413531F1E004543544C55}
    condition:
        // Either form suffices; no container gate.
        $MCU_INF_StartHexEnc or $MCU_INF_StartHexDec
}
  253.  
rule Destructive_Target_Cleaning_Tool_7 {
    meta:
        description = "Targeted Destructive Malware - Destructive Target Cleaning Tool"
        author = "US-CERT"
        date = "12/19/2014"
        reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
    strings:
        // Anonymous strings (`$`) are allowed with `all of them`.
        // Import names used by the wipe loop.
        $ = "SetFilePointer"
        $ = "SetEndOfFile"
        // Call sequence from the same function Destructive_Target_Cleaning_Tool_2
        // matches in full: `75 17` jne; `56 FF 15 ..` push esi / call [imp];
        // `6A 00 6A 00 6A 00 56 FF D5` three zero args plus the handle through ebp
        // (consistent with SetFilePointer(h, 0, NULL, 0)); then `56 FF 15 .. 56`.
        // Mixed-case and unspaced hex (`ffD5`, `15??`) is accepted by YARA.
        $ = {75 17 56 ff 15 ?? ?? ?? ?? 6a 00 6a 00 6a 00 56 ffD5 56 ff 15?? ?? ?? ?? 56}
    condition:
        // PE only: "MZ" at 0 and "PE" at e_lfanew (uint32 at 0x3C).
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
}
  267.  
rule Destructive_Target_Cleaning_Tool_8 {
    meta:
        description = "Targeted Destructive Malware - Destructive Target Cleaning Tool"
        author = "US-CERT"
        date = "12/19/2014"
        reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
    strings:
        // UTF-16LE text "Portions copyright Robert de Bath, Joris van Rantwijk,
        // Delian" - the PuTTY licence attribution - framed by what look like
        // resource-header bytes (`E9 03 FF FF 82 00 ...`).
        $license = {E903FFFF820050006F007200740069006F006E007300200063006F007000790072006900670068007400200052006F006200650072007400200064006500200042006100740068002C0020004A006F007200690073002000760061006E002000520061006E007400770069006A006B002C002000440065006C00690061006E000000000000000250000000000A002200CE000800EA03FFFF8200}
        // "PuTTY" in UTF-16LE.
        $PuTTY = {50007500540054005900}
    condition:
        // PE that carries the PuTTY licence text but NOT the name "PuTTY": a
        // rebranded PuTTY-derived build. Genuine PuTTY is excluded by design, so
        // do not "fix" the negation.
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $license and not $PuTTY
}
  280.  
rule Destructive_MalwareUsed_1 {
    meta:
        description = "Targeted Destructive Malware - Malware used by Cyber Threat Actor"
        author = "US-CERT"
        date = "12/19/2014"
        reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
    strings:
        // Nibble wildcards (`?0`) are used throughout: `FF15???????0` is call [imm32]
        // with only the low nibble of the address's top byte pinned. This function
        // pushes 0x1000 and calls an import (`68 00 10 00 00 ... FF 15`), then
        // `83 F8 03` / `83 F8 02` / `83 F8 01` compares the result against 3/2/1.
        $heapCreateFunction_0 = { 33C06A003944240868001000000F94C050FF15????????85C0A3???????07436E893FEFFFF83F803A3???????0750D68F8030000E8??00000059EB0A83F8027518E8????000085C0750FFF35???????0FF15???????033C0C36A0158C3}
        // Buggy hex - left disabled as published. The pattern appears to contain an
        // odd number of hex digits: around `8D85D4EDFFF68901000005068` one digit looks
        // dropped (an `8D 85 D4 ED FF FF` lea followed by `68 90 10 00 00 50 68`
        // would fit), which is why YARA rejects it. Do not guess the byte; restore
        // it only from the original alert.
        // $heapCreateFunction = { 558BECB82C120000E8????FFFF8D8568FFFFFF5350C78568FFFFFF94000000FF1????????085C0741A83BD78FFFFFF02751183BD6CFFFFFF0572086A0158E9020100008D85D4EDFFF68901000005068???????0FF15???????085C00F84D000000033DB8D8DD4EDFFFF389DD4EDFFFF74138A013C617C083C7A7F042C20880141381975ED8D85D4EDFFFF6A165068???????0E8????000083C40C85C075088D85D4EDFFFFEB498D8564FEFFFF68040100005053FF15???????0389D64FEFFFF8D8D64FEFFFF74138A013C617C083C7A7F042C20880141381975ED8D8564FEFFFF508D85D4EDFFFF50E8????????59593BC3743E6A2C50E8????????593BC3597430408BC83818740E80393B75048819EB0141381975F26A0A5350E8????000083C40C83F802741D83F803741883F80174138D45FC50E898FEFFFF807DFC06591BC083C0035BC9C3 }
        // Whole function: `66 81 38 4D 5A` cmp word [eax],'MZ'; `8B 48 3C` load
        // e_lfanew; `8A 48 1A` / `8A 40 1B` read the two bytes at PE header +0x1A/+0x1B
        // (MajorLinkerVersion / MinorLinkerVersion) into the caller's buffer - which
        // is what the identifier says.
        $getMajorMinorLinker = { 568B7424086A00832600FF15???????06681384D5A75148B483C85C9740D03C18A481A880E8A401B8846015EC3}
        // Two wildcarded import calls (`FF15 ???0?0?0`), each followed by a
        // mov-from-eax, `85 ..` test and `74` jz: the open-manager / open-service
        // null-check shape the identifier names. Heavily wildcarded, so the weakest
        // of the three.
        $openServiceManager = {FF15???0?0?08B?885??74????????????????5?FF15???0?0?08B?????0?0?08BF?85F?74}
    condition:
        // All three active strings; the commented-out one is not counted by `them`.
        // No container gate (the paste author flags this rule as possibly broken).
        all of them
}
  296.  
  297. rule Destructive_MalwareUsed_2 {
  298.     meta:
  299.         description = "Targeted Destructive Malware - Malware used by Cyber Threat Actor"
  300.         author = "US-CERT"
  301.         date = "12/19/2014"
  302.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  303.     strings:
  304.         $str1 = "_quit"
  305.         $str2 = "_exe"
  306.         $str3 = "_put"
  307.         $str4 = "_got"
  308.         $str5 = "_get"
  309.         $str6 ="_del"
  310.         $str7 = "_dir"
  311.         $str8 = { C7 44 24 18 1F F7}
  312.     condition:
  313.         (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0  or uint16(0) == 0xC3D4 or
  314.         uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
  315. }
  316.  
rule Destructive_MalwareUsed_3 {
    meta:
        description = "Targeted Destructive Malware - Malware used by Cyber Threat Actor"
        author = "US-CERT"
        date = "12/19/2014"
        reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
    strings:
        // Argument setup: `50` push eax; `68 80 00 00 00` push 0x80; `68 FF FF 00 00`
        // push 0xFFFF; `51` push ecx; `C7 44 24 1C 3A 8B 00 00` mov dword ptr
        // [esp+0x1C], 0x8B3A. Which API consumes these is not recoverable from the bytes.
        $STR1 = { 50 68 80 00 00 00 68 FF FF 00 00 51 C7 44 24 1C 3a 8b 00 00 }
    condition:
        // Shared container gate - MZ, OLE2 (D0 CF), pcap (D4 C3), "%PDF", "{\rtf" -
        // plus the argument-setup sequence.
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
        uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}