API tools faq
paste
Advertisement
JohnGalt14

Operation Cleaver Yara Rules

JohnGalt14
Dec 2nd, 2014
963
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Perl 8.13 KB | None | 0 0
raw download clone embed print report
  1. /*
  2.  
  3. Yara Rules Extracted from the Cylance Report on Operation Cleaver
  4. http://www.cylance.com/operation-cleaver/
  5.  
  6. + 2 additional rules based on strings mentioned in the report
  7.  
  8. */
  9.  
  10. rule OPCLEAVER_BackDoorLogger
  11. {
  12.     meta:
  13.         description = "Keylogger used by attackers in Operation Cleaver"
  14.         reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
  15.         date = "2014/12/02"
  16.         author = "Cylance Inc."
  17.     strings:
  18.         $s1 = "BackDoorLogger"
  19.         $s2 = "zhuAddress"
  20.     condition:
  21.         all of them
  22. }
  23.  
  24. rule OPCLEAVER_Jasus
  25. {
  26.     meta:
  27.         description = "ARP cache poisoner used by attackers in Operation Cleaver"
  28.         reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
  29.         date = "2014/12/02"
  30.         author = "Cylance Inc."
  31.     strings:
  32.         $s1 = "pcap_dump_open"
  33.         $s2 = "Resolving IPs to poison..."
  34.         $s3 = "WARNNING: Gateway IP can not be found"
  35.     condition:
  36.         all of them
  37. }
  38.  
  39. rule OPCLEAVER_LoggerModule
  40. {
  41.     meta:
  42.         description = "Keylogger used by attackers in Operation Cleaver"
  43.         reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
  44.         date = "2014/12/02"
  45.         author = "Cylance Inc."
  46.     strings:
  47.         $s1 = "%s-%02d%02d%02d%02d%02d.r"
  48.         $s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
  49.     condition:
  50.         all of them
  51. }
  52.  
  53. rule OPCLEAVER_NetC
  54. {
  55.     meta:
  56.         description = "Net Crawler used by attackers in Operation Cleaver"
  57.         reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
  58.         date = "2014/12/02"
  59.         author = "Cylance Inc."
  60.     strings:
  61.         $s1 = "NetC.exe" wide
  62.         $s2 = "Net Service"
  63.     condition:
  64.         all of them
  65. }
  66.  
  67. rule OPCLEAVER_ShellCreator2
  68. {
  69.     meta:
  70.         description = "Shell Creator used by attackers in Operation Cleaver to create ASPX web shells"
  71.         reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
  72.         date = "2014/12/02"
  73.         author = "Cylance Inc."
  74.     strings:
  75.         $s1 = "ShellCreator2.Properties"
  76.         $s2 = "set_IV"
  77.     condition:
  78.         all of them
  79. }
  80.  
  81. rule OPCLEAVER_SmartCopy2
  82. {
  83.     meta:
  84.         description = "Malware or hack tool used by attackers in Operation Cleaver"
  85.         reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
  86.         date = "2014/12/02"
  87.         author = "Cylance Inc."
  88.     strings:
  89.         $s1 = "SmartCopy2.Properties"
  90.         $s2 = "ZhuFrameWork"
  91.     condition:
  92.         all of them
  93. }
  94.  
  95. rule OPCLEAVER_SynFlooder
  96. {
  97.     meta:
  98.         description = "Malware or hack tool used by attackers in Operation Cleaver"
  99.         reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
  100.         date = "2014/12/02"
  101.         author = "Cylance Inc."
  102.     strings:
  103.         $s1 = "Unable to resolve [ %s ]. ErrorCode %d"
  104.         $s2 = "your target’s IP is : %s"
  105.         $s3 = "Raw TCP Socket Created successfully."
  106.     condition:
  107.         all of them
  108. }
  109.  
  110. rule OPCLEAVER_TinyZBot
  111. {
  112.     meta:
  113.         description = "Tiny Bot used by attackers in Operation Cleaver"
  114.         reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
  115.         date = "2014/12/02"
  116.         author = "Cylance Inc."
  117.     strings:
  118.         $s1 = "NetScp" wide
  119.         $s2 = "TinyZBot.Properties.Resources.resources"
  120.         $s3 = "Aoao WaterMark"
  121.         $s4 = "Run_a_exe"
  122.         $s5 = "netscp.exe"
  123.         $s6 = "get_MainModule_WebReference_DefaultWS"
  124.         $s7 = "remove_CheckFileMD5Completed"
  125.         $s8 = "http://tempuri.org/"
  126.         $s9 = "Zhoupin_Cleaver"
  127.     condition:
  128.         (($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or $s9)
  129. }
  130.  
  131. rule OPCLEAVER_ZhoupinExploitCrew
  132. {
  133.     meta:
  134.         description = "Keywords used by attackers in Operation Cleaver"
  135.         reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
  136.         date = "2014/12/02"
  137.         author = "Cylance Inc."
  138.     strings:
  139.         $s1 = "zhoupin exploit crew" nocase
  140.         $s2 = "zhopin exploit crew" nocase
  141.     condition:
  142.         1 of them
  143. }
  144.  
  145. rule OPCLEAVER_antivirusdetector
  146. {
  147.     meta:
  148.         description = "Hack tool used by attackers in Operation Cleaver"
  149.         reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
  150.         date = "2014/12/02"
  151.         author = "Cylance Inc."
  152.     strings:
  153.         $s1 = "getShadyProcess"
  154.         $s2 = "getSystemAntiviruses"
  155.         $s3 = "AntiVirusDetector"
  156.     condition:
  157.         all of them
  158. }
  159.  
  160. rule OPCLEAVER_csext
  161. {
  162.     meta:
  163.         description = "Backdoor used by attackers in Operation Cleaver"
  164.         reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
  165.         date = "2014/12/02"
  166.         author = "Cylance Inc."
  167.     strings:
  168.         $s1 = "COM+ System Extentions"
  169.         $s2 = "csext.exe"
  170.         $s3 = "COM_Extentions_bin"
  171.     condition:
  172.         all of them
  173. }
  174.  
  175. rule OPCLEAVER_kagent
  176. {
  177.     meta:
  178.         description = "Backdoor used by attackers in Operation Cleaver"
  179.         reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
  180.         date = "2014/12/02"
  181.         author = "Cylance Inc."
  182.     strings:
  183.         $s1 = "kill command is in last machine, going back"
  184.         $s2 = "message data length in B64: %d Bytes"
  185.     condition:
  186.         all of them
  187. }
  188.  
  189. rule OPCLEAVER_mimikatzWrapper
  190. {
  191.     meta:
  192.         description = "Mimikatz Wrapper used by attackers in Operation Cleaver"
  193.         reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
  194.         date = "2014/12/02"
  195.         author = "Cylance Inc."
  196.     strings:
  197.         $s1 = "mimikatzWrapper"
  198.         $s2 = "get_mimikatz"
  199.     condition:
  200.         all of them
  201. }
  202.  
  203. rule OPCLEAVER_pvz_in
  204. {
  205.     meta:
  206.         description = "Parviz tool used by attackers in Operation Cleaver"
  207.         reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
  208.         date = "2014/12/02"
  209.         author = "Cylance Inc."
  210.     strings:
  211.         $s1 = "LAST_TIME=00/00/0000:00:00PM$"
  212.         $s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
  213.     condition:
  214.         all of them
  215. }
  216.  
  217. rule OPCLEAVER_pvz_out
  218. {
  219.     meta:
  220.         description = "Parviz tool used by attackers in Operation Cleaver"
  221.         reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
  222.         date = "2014/12/02"
  223.         author = "Cylance Inc."
  224.     strings:
  225.         $s1 = "Network Connectivity Module" wide
  226.         $s2 = "OSPPSVC" wide
  227.     condition:
  228.         all of them
  229. }
  230.  
  231. rule OPCLEAVER_wndTest
  232. {
  233.     meta:
  234.         description = "Backdoor used by attackers in Operation Cleaver"
  235.         reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
  236.         date = "2014/12/02"
  237.         author = "Cylance Inc."
  238.     strings:
  239.         $s1 = "[Alt]" wide
  240.         $s2 = "<< %s >>:" wide
  241.         $s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
  242.     condition:
  243.         all of them
  244. }
  245.  
  246. rule OPCLEAVER_zhCat
  247. {
  248.     meta:
  249.         description = "Network tool used by Iranian hackers and used by attackers in Operation Cleaver"
  250.         reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
  251.         date = "2014/12/02"
  252.         author = "Cylance Inc."
  253.     strings:
  254.         $s1 = "zhCat -l -h -tp 1234"
  255.         $s2 = "ABC ( A Big Company )" wide
  256.     condition:
  257.         all of them
  258. }
  259.  
  260. rule OPCLEAVER_zhLookUp
  261. {
  262.     meta:
  263.         description = "Hack tool used by attackers in Operation Cleaver"
  264.         reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
  265.         date = "2014/12/02"
  266.         author = "Cylance Inc."
  267.     strings:
  268.         $s1 = "zhLookUp.Properties"
  269.     condition:
  270.         all of them
  271. }
  272.  
  273. rule OPCLEAVER_zhmimikatz
  274. {
  275.     meta:
  276.         description = "Mimikatz wrapper used by attackers in Operation Cleaver"
  277.         reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
  278.         date = "2014/12/02"
  279.         author = "Cylance Inc."
  280.     strings:
  281.         $s1 = "MimikatzRunner"
  282.         $s2 = "zhmimikatz"
  283.     condition:
  284.         all of them
  285. }
  286.  
  287. rule OPCLEAVER_Parviz_Developer
  288. {
  289.     meta:
  290.         description = "Parviz developer known from Operation Cleaver"
  291.         reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
  292.         date = "2014/12/02"
  293.         author = "Florian Roth"
  294.         score = "70"
  295.     strings:
  296.         $s1 = "Users\\parviz\\documents\\" nocase
  297.     condition:
  298.         $s1
  299. }
  300.  
  301. rule OPCLEAVER_CCProxy_Config
  302. {
  303.     meta:
  304.         description = "CCProxy config known from Operation Cleaver"
  305.         reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
  306.         date = "2014/12/02"
  307.         author = "Florian Roth"
  308.         score = "70"
  309.     strings:
  310.         $s1 = "UserName=User-001" fullword ascii
  311.         $s2 = "Web=1" fullword ascii
  312.         $s3 = "Mail=1" fullword ascii
  313.         $s4 = "FTP=0" fullword ascii
  314.         $x1 = "IPAddressLow=78.109.194.114" fullword ascii
  315.     condition:
  316.         all of ($s*) or $x1
  317. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!