API tools faq
paste
Advertisement
JohnGalt14

Targeted Destructive Malware - Yara Rules - US-CERT

JohnGalt14
Dec 20th, 2014
729
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Perl 14.00 KB | None | 0 0
raw download clone embed print report
  1. /*
  2.    Yara Rules from the US-CERT Alert TA14-353A
  3.    Destructive Malware (probably from the SONY Hack)
  4.    Reference:  https://www.us-cert.gov/ncas/alerts/TA14-353A
  5.    
  6.    The rules are extended and changed because the published rules contained some errors.
  7.    Most of the errors were easy to fix:
  8.    OC to 0C
  9.    uintl6 to uint16
  10.  
  11.    But some rules had to be changed more extensively and may be broken now.
  12.    These rules are:
  13.    Destructive_MalwareUsed_1
  14.    Destructive_Target_Cleaning_Tool_3
  15.    Destructive_Target_Cleaning_Tool_4
  16.  
  17.    Thanks to the US-CERT for the publication.
  18.    Follow us on Twitter @MalwrSignatures
  19. */
  20.  
  21. rule SMB_Worm_Tool {
  22.     meta:
  23.         description = "Targeted Destructive Malware - SMB Worm Tool"
  24.         author = "US-CERT"
  25.         date = "12/19/2014"
  26.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  27.     strings:
  28.         $STR1 = "Global\\FwtSqmSession106829323_S-1-5-19"
  29.         $STR2 ="EVERYONE"
  30.         $STR3 = "y0uar3@s!llyid!07,ou74n60u7f001"
  31.         $STR4 = "\\KB25468.dat"
  32.     condition:
  33.         (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) ==0xC3D4 or
  34.         uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
  35. }
  36.  
  37. rule Lightweight_Backdoor_1 {
  38.     meta:
  39.         description = "Targeted Destructive Malware - Lightweight Backdoor"
  40.         author = "US-CERT"
  41.         date = "12/19/2014"
  42.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  43.     strings:
  44.         $STR1 = "NetMgStart"
  45.         $STR2 = "Netmgmt.srg"
  46.     condition:
  47.         (uint16(0) == 0x5A4D) and all of them
  48. }
  49.  
  50. rule Lightweight_Backdoor_2 {
  51.     meta:
  52.         description = "Targeted Destructive Malware - Lightweight Backdoor"
  53.         author = "US-CERT"
  54.         date = "12/19/2014"
  55.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  56.     strings:
  57.         $STR1 = "prxTroy" ascii wide nocase
  58.     condition:
  59.         (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
  60. }
  61.  
  62. rule Lightweight_Backdoor_3 {
  63.     meta:
  64.         description = "Targeted Destructive Malware - Lightweight Backdoor"
  65.         author = "US-CERT"
  66.         date = "12/19/2014"
  67.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  68.     strings:
  69.         $strl  = { C6 45 E8 64 C6 45 E9 61 C6 45 EA 79 C6 45 EB 69 C6 45 EC 70 C6 45 ED 6D C6 45 EE 72 C6 45 EF 2E C6 45 F0 74 C6 45 F1  62 C6 45 F2 6C } // 'dayipmr.tbl' being moved to ebp
  70.     condition:
  71.         (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
  72.         uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
  73. }
  74.  
  75. rule Lightweight_Backdoor_4 {
  76.     meta:
  77.         description = "Targeted Destructive Malware - Lightweight Backdoor"
  78.         author = "US-CERT"
  79.         date = "12/19/2014"
  80.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  81.     strings:
  82.         $strl  = { C6 45 F4 61 C6 45 F5 6E C6 45 F6 73 C6 45 F7 69 C6 45 F8 2E C6 45 F9 6E C6 45 FA 6C C6 45 FB 73 } // 'ansi.nls' being moved to ebp
  83.     condition:
  84.         (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
  85.         uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
  86. }
  87.  
  88. rule Lightweight_Backdoor_5 {
  89.     meta:
  90.         description = "Targeted Destructive Malware - Lightweight Backdoor"
  91.         author = "US-CERT"
  92.         date = "12/19/2014"
  93.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  94.     strings:
  95.         $strl  = { C6 45 F4 74 C6 45 F5 6C C6 45 F6 76 C6 45 F7 63 C6 45 F8 2E C6 45 F9 6E C6 45 FA 6C C6 45 FB 73 } // 'tlvc.nls' being moved to ebp
  96.     condition:
  97.         (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
  98.         uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
  99. }
  100.  
  101. rule Lightweight_Backdoor_6 {
  102.     meta:
  103.         description = "Targeted Destructive Malware - Lightweight Backdoor"
  104.         author = "US-CERT"
  105.         date = "12/19/2014"
  106.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  107.     strings:
  108.         $STR1 = { 8A 10 80 ?? 4E 80 ?? 79 88 10}
  109.         $STR2 = { 5A 10 80?? 79 80 ?? 4E 88 10}
  110.     condition:
  111.         (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
  112.         uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
  113. }
  114.  
  115. rule Proxy_Tool_1 {
  116.     meta:
  117.         description = "Targeted Destructive Malware - Proxy Tool"
  118.         author = "US-CERT"
  119.         date = "12/19/2014"
  120.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  121.     strings:
  122.         $STR1 = "pmsconfig.msi" wide
  123.         $STR2 = "pmslog.msi" wide
  124.     condition:
  125.         (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
  126.         uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and any of them
  127. }
  128.  
  129. rule Proxy_Tool_2 {
  130.     meta:
  131.         description = "Targeted Destructive Malware - Proxy Tool"
  132.         author = "US-CERT"
  133.         date = "12/19/2014"
  134.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  135.     strings:
  136.         $STR1 = { 82 F4 DE D4 D3 C2 CA F5 C8 C8 D3 82 FB F4 DE D4 D3 C2 CA 94
  137.             95 FB D4 D1 C4 CF C8 D4 D3 89 C2 DF C2 87 8A CC 87 00 } // '%SystemRoot%\System32\svchost.exe -k' xor A7
  138.     condition:
  139.         (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
  140.         uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
  141. }
  142.  
  143. rule Proxy_Tool_3 {
  144.     meta:
  145.         description = "Targeted Destructive Malware - Proxy Tool"
  146.         author = "US-CERT"
  147.         date = "12/19/2014"
  148.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  149.     strings:
  150.         $STR2 = {8A 04 17 8B FB 34 A7 46 88 02 83 C9 FF}
  151.     condition:
  152.         (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
  153.         uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and $STR2
  154. }
  155.  
  156. rule Destructive_Harddrive_Tool_1 {
  157.     meta:
  158.         description = "Targeted Destructive Malware - Destructive Harddrive Tool"
  159.         author = "US-CERT"
  160.         date = "12/19/2014"
  161.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  162.     strings:
  163.         $str0= "MZ"
  164.         $str1 = {c6 84 24 ?? ( 00 | 01 ) 00 00 }
  165.         $xorInLoop = { 83 EC 20 B9 08 00 00 00 33 D2 56 8B 74 24 30 57 8D 7C 24 08
  166.             F3 A5 8B 7C 24 30 85 FF 7E 3A 8B 74 24 2C 8A 44 24 08 53 8A 4C 24 21 8A
  167.             5C 24 2B 32 C1 8A 0C 32 32 C3 32 C8 88 0C 32 B9 1E 00 00 00 8A 5C 0C 0C
  168.             88 5C 0C 0D 49 83 F9 FF 7F F2 42 88 44 24 0C 3B D7 7C D0 5B 5F 5E 83 C4
  169.             20 C3 }
  170.     condition:
  171.         $str0 at 0 and $xorInLoop and #str1 > 300
  172. }
  173.  
  174. rule Destructive_Target_Cleaning_Tool_1 {
  175.     meta:
  176.         description = "Targeted Destructive Malware - Destructive Target Cleaning Tool"
  177.         author = "US-CERT"
  178.         date = "12/19/2014"
  179.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  180.     strings:
  181.         $s1 = {d3000000 [4] 2c000000 [12] 95000000 [4] 6a000000 [8] 07000000}
  182.     condition:
  183.         (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
  184. }
  185.  
  186. rule Destructive_Target_Cleaning_Tool_2 {
  187.     meta:
  188.         description = "Targeted Destructive Malware - Destructive Target Cleaning Tool"
  189.         author = "US-CERT"
  190.         date = "12/19/2014"
  191.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  192.     strings:
  193.         $secureWipe = { 83 EC 34 53 55 8B 6C 24 40 56 57 83 CE FF 55 C7 44 24 2C D3 00 00 00 C7 44 24 30 2C 00 00 00 89 74 24 34 89 74 24 38 C7 44 24 3C 95 00 00 00 C7 44 24 40 6A 00 00 00 89 74 24 44 C7 44 24 14 07 00 00 00 FF 15 ?? ?? ?? ?? 3B C6 89 44 24 1C 0F 84 (D8 | d9) 01 00 00 33 FF 68 00 00 01 00 57 FF 15 ?? ?? ?? ?? 8B D8 3B DF 89 5C 24 14 0F 84 (BC | BD) 01 00 00 8B 44 24 1C A8 01 74 0A 24 FE 50 55 FF 15 ?? ?? ?? ?? 8B 44 24 4C 2B C7 74 20 48 74 0F 83 E8 02 75 1C C7 44 24 10 03 00 00 00 EB 12 C7 44 24 10 01 00 00 00 89 74 24 28 EB 04 89 7C 24 10 8B 44 24 10 89 7C 24 1C 3B C7 0F 8E ( 5C | 5d ) 01 00 00 8D 44 24 28 89 44 24 4C EB 03 83 CE FF 8B 4C 24 4C 8B 01 3B C6 74 17 8A D0 B9 00 40 00 00 8A F2 8B FB 8B C2 C1 E0 10 66 8B C2 F3 AB EB ( 13 | 14) 33 F6 (E8 | ff 15) ?? ?? ?? ?? 88 04 1E 46 81 FE 00 00 01 00 7C ( EF | ee) 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 C0 55 FF 15 ?? ?? ?? ?? 8B F0 83 FE FF 0F 84 FA 00 00 00 8D 44 24 20 50 56 FF 15 ?? ?? ?? ?? 8B 2D ?? ?? ?? ?? 6A 02 6A 00 6A FF 56 FF D5 8D 4C 24 18 6A 00 51 6A 01 53 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 56 FF D5 8B 44 24 24 8B 54 24 20 33 FF 33 DB 85 C0 7C 5A 7F 0A 85 D2 76 54 EB 04 8B 54 24 20 8B CA BD 00 00 01 00 2B CF 1B C3 85 C0 7F 0A 7C 04 3B CD 73 04 2B D7 8B EA 8B 44 24 14 8D 54 24 18 6A 00 52 55 50 56 FF 15 ?? ?? ?? ?? 8B 6C 24 18 8B 44 24 24 03 FD 83 D3 00 3B D8 7C BE 7F 08 8B 54 24 20 3B FA 72 B8 8B 2D ?? ?? ?? ?? 8B 5C 24 10 8B 7C 24 1C 8D 4B FF 3B F9 75 17 56 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 56 FF D5 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8B 4C 24 4C 8B 6C 24 48 47 83 C1 04 3B FB 8B 5C 24 14 89 7C 24 1C 89 4C 24 4C 0F 8C ( AE | AD) FE FF FF 6A 00 55 E8 ?? ?? ?? ?? 83 C4 08 53 FF 15 ?? ?? ?? ?? 5F 5E 5D 5B 83 C4 34 C3 }
  194.     condition:
  195.         $secureWipe
  196. }
  197.  
  198. rule Destructive_Target_Cleaning_Tool_3 {
  199.     meta:
  200.         description = "Targeted Destructive Malware - Destructive Target Cleaning Tool"
  201.         author = "US-CERT"
  202.         date = "12/19/2014"
  203.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  204.     strings:
  205.         $S1_CMD_Arg = "/install" fullword
  206.         $S2_CMD_Parse= "\"%s /install \"%s\"" fullword
  207.         $S3_CMD_Builder= "\"%s\" \"%s\" \"%s\" %s" fullword
  208.     condition:
  209.         all of them
  210. }
  211.  
  212. rule Destructive_Target_Cleaning_Tool_4 {
  213.     meta:
  214.         description = "Targeted Destructive Malware - Destructive Target Cleaning Tool"
  215.         author = "US-CERT"
  216.         date = "12/19/2014"
  217.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  218.     strings:
  219.         $BATCH_SCRIPT_LN1_0 = "goto x" fullword
  220.         $BATCH_SCRIPT_LN1_1 = "del" fullword
  221.         $BATCH_SCRIPT_LN2_0 = "if exist" fullword
  222.         $BATCH_SCRIPT_LN3_0 = ":x" fullword
  223.         $BATCH_SCRIPT_LN4_0 = "zz%d.bat" fullword
  224.     condition:
  225.         (#BATCH_SCRIPT_LN1_1 == 2) and all of them
  226. }
  227.  
  228. rule Destructive_Target_Cleaning_Tool_5 {
  229.     meta:
  230.         description = "Targeted Destructive Malware - Destructive Target Cleaning Tool"
  231.         author = "US-CERT"
  232.         date = "12/19/2014"
  233.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  234.     strings:
  235.         $MCU_DLL_ZLIB_COMPRESSED2 = {5CECABAE813CC9BCD5A542F454910428343479806F
  236.             71D5521E2A0D}
  237.     condition:
  238.         $MCU_DLL_ZLIB_COMPRESSED2
  239. }
  240.  
  241. rule Destructive_Target_Cleaning_Tool_6 {
  242.     meta:
  243.         description = "Targeted Destructive Malware - Destructive Target Cleaning Tool"
  244.         author = "US-CERT"
  245.         date = "12/19/2014"
  246.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  247.     strings:
  248.         $MCU_INF_StartHexDec = {010346080A30D63633000B6263750A5052322A00103D1B570A30E67F2A00130952690A503A0D2A000E00A26E15104556766572636C7669642E657865}
  249.         $MCU_INF_StartHexEnc = {6C3272386958BF075230780A0A54676166024968790C7A6779588F5E47312739310163615B3D59686721CF5F2120263E1F5413531F1E004543544C55}
  250.     condition:
  251.         $MCU_INF_StartHexEnc or $MCU_INF_StartHexDec
  252. }
  253.  
  254. rule Destructive_Target_Cleaning_Tool_7 {
  255.     meta:
  256.         description = "Targeted Destructive Malware - Destructive Target Cleaning Tool"
  257.         author = "US-CERT"
  258.         date = "12/19/2014"
  259.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  260.     strings:
  261.         $ = "SetFilePointer"
  262.         $ = "SetEndOfFile"
  263.         $ = {75 17 56 ff 15 ?? ?? ?? ?? 6a 00 6a 00 6a 00 56 ffD5 56 ff 15?? ?? ?? ?? 56}
  264.     condition:
  265.         (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
  266. }
  267.  
  268. rule Destructive_Target_Cleaning_Tool_8 {
  269.     meta:
  270.         description = "Targeted Destructive Malware - Destructive Target Cleaning Tool"
  271.         author = "US-CERT"
  272.         date = "12/19/2014"
  273.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  274.     strings:
  275.         $license = {E903FFFF820050006F007200740069006F006E007300200063006F007000790072006900670068007400200052006F006200650072007400200064006500200042006100740068002C0020004A006F007200690073002000760061006E002000520061006E007400770069006A006B002C002000440065006C00690061006E000000000000000250000000000A002200CE000800EA03FFFF8200}
  276.         $PuTTY = {50007500540054005900}
  277.     condition:
  278.         (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $license and not $PuTTY
  279. }
  280.  
  281. rule Destructive_MalwareUsed_1 {
  282.     meta:
  283.         description = "Targeted Destructive Malware - Malware used by Cyber Threat Actor"
  284.         author = "US-CERT"
  285.         date = "12/19/2014"
  286.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  287.     strings:
  288.         $heapCreateFunction_0 = { 33C06A003944240868001000000F94C050FF15????????85C0A3???????07436E893FEFFFF83F803A3???????0750D68F8030000E8??00000059EB0A83F8027518E8????000085C0750FFF35???????0FF15???????033C0C36A0158C3}
  289.         // buggy hex - don't know hot to fix it
  290.         // $heapCreateFunction = { 558BECB82C120000E8????FFFF8D8568FFFFFF5350C78568FFFFFF94000000FF1????????085C0741A83BD78FFFFFF02751183BD6CFFFFFF0572086A0158E9020100008D85D4EDFFF68901000005068???????0FF15???????085C00F84D000000033DB8D8DD4EDFFFF389DD4EDFFFF74138A013C617C083C7A7F042C20880141381975ED8D85D4EDFFFF6A165068???????0E8????000083C40C85C075088D85D4EDFFFFEB498D8564FEFFFF68040100005053FF15???????0389D64FEFFFF8D8D64FEFFFF74138A013C617C083C7A7F042C20880141381975ED8D8564FEFFFF508D85D4EDFFFF50E8????????59593BC3743E6A2C50E8????????593BC3597430408BC83818740E80393B75048819EB0141381975F26A0A5350E8????000083C40C83F802741D83F803741883F80174138D45FC50E898FEFFFF807DFC06591BC083C0035BC9C3 }
  291.         $getMajorMinorLinker = { 568B7424086A00832600FF15???????06681384D5A75148B483C85C9740D03C18A481A880E8A401B8846015EC3}
  292.         $openServiceManager = {FF15???0?0?08B?885??74????????????????5?FF15???0?0?08B?????0?0?08BF?85F?74}
  293.     condition:
  294.         all of them
  295. }
  296.  
  297. rule Destructive_MalwareUsed_2 {
  298.     meta:
  299.         description = "Targeted Destructive Malware - Malware used by Cyber Threat Actor"
  300.         author = "US-CERT"
  301.         date = "12/19/2014"
  302.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  303.     strings:
  304.         $str1 = "_quit"
  305.         $str2 = "_exe"
  306.         $str3 = "_put"
  307.         $str4 = "_got"
  308.         $str5 = "_get"
  309.         $str6 ="_del"
  310.         $str7 = "_dir"
  311.         $str8 = { C7 44 24 18 1F F7}
  312.     condition:
  313.         (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0  or uint16(0) == 0xC3D4 or
  314.         uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
  315. }
  316.  
  317. rule Destructive_MalwareUsed_3 {
  318.     meta:
  319.         description = "Targeted Destructive Malware - Malware used by Cyber Threat Actor"
  320.         author = "US-CERT"
  321.         date = "12/19/2014"
  322.         reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
  323.     strings:
  324.         $STR1 = { 50 68 80 00 00 00 68 FF FF 00 00 51 C7 44 24 1C 3a 8b 00 00 }
  325.     condition:
  326.         (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
  327.         uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
  328. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!