Operation Cleaver Yara Rules

  1. /*
  2.  
  3. Yara Rules Extracted from the Cylance Report on Operation Cleaver
  4. http://www.cylance.com/operation-cleaver/
  5.  
  6. + 2 additional rules based on strings mentioned in the report
  7.  
  8. */
  9.  
  rule OPCLEAVER_BackDoorLogger
  {
      // Two plain-text markers of the keylogger. No `wide` modifier, so only
      // ASCII copies of these strings are considered.
      meta:
          description = "Keylogger used by attackers in Operation Cleaver"
          reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
          date = "2014/12/02"
          author = "Cylance Inc."
      strings:
          $s1 = "BackDoorLogger"
          $s2 = "zhuAddress"
      condition:
          // both markers are required
          $s1 and $s2
  }
  23.  
  rule OPCLEAVER_Jasus
  {
      // Jasus (ARP cache poisoner). $s1 is a libpcap/WinPcap API name and is
      // common in benign capture tools; it only carries weight together with
      // the two tool-specific status messages.
      meta:
          description = "ARP cache poisoner used by attackers in Operation Cleaver"
          reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
          date = "2014/12/02"
          author = "Cylance Inc."
      strings:
          $s1 = "pcap_dump_open"
          $s2 = "Resolving IPs to poison..."
          // "WARNNING" is spelled as in the tool; the literal bytes are the indicator
          $s3 = "WARNNING: Gateway IP can not be found"
      condition:
          $s1 and $s2 and $s3
  }
  38.  
  rule OPCLEAVER_LoggerModule
  {
      // Keylogger output naming: a timestamped ".r" log name format and the
      // drop directory (note the double backslashes are YARA escapes for a
      // single "\" in the binary).
      meta:
          description = "Keylogger used by attackers in Operation Cleaver"
          reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
          date = "2014/12/02"
          author = "Cylance Inc."
      strings:
          $s1 = "%s-%02d%02d%02d%02d%02d.r"
          $s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
      condition:
          $s1 and $s2
  }
  52.  
  rule OPCLEAVER_NetC
  {
      // Net Crawler. $s1 is matched only as UTF-16LE (`wide`); $s2 is ASCII
      // only and is generic on its own, so both are required.
      meta:
          description = "Net Crawler used by attackers in Operation Cleaver"
          reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
          date = "2014/12/02"
          author = "Cylance Inc."
      strings:
          $s1 = "NetC.exe" wide
          $s2 = "Net Service"
      condition:
          $s1 and $s2
  }
  66.  
  rule OPCLEAVER_ShellCreator2
  {
      // ASPX web shell generator. $s2 ("set_IV") is a very common property
      // setter name and is only meaningful alongside the tool's own namespace.
      meta:
          description = "Shell Creator used by attackers in Operation Cleaver to create ASPX web shells"
          reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
          date = "2014/12/02"
          author = "Cylance Inc."
      strings:
          $s1 = "ShellCreator2.Properties"
          $s2 = "set_IV"
      condition:
          $s1 and $s2
  }
  80.  
  rule OPCLEAVER_SmartCopy2
  {
      // SmartCopy2: the tool's own namespace plus the shared "ZhuFrameWork"
      // marker; both ASCII only.
      meta:
          description = "Malware or hack tool used by attackers in Operation Cleaver"
          reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
          date = "2014/12/02"
          author = "Cylance Inc."
      strings:
          $s1 = "SmartCopy2.Properties"
          $s2 = "ZhuFrameWork"
      condition:
          $s1 and $s2
  }
  94.  
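  rule OPCLEAVER_SynFlooder
  {
      // SYN flooder. All three status messages are required.
      meta:
          description = "Malware or hack tool used by attackers in Operation Cleaver"
          reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
          date = "2014/12/02"
          author = "Cylance Inc."
      strings:
          $s1 = "Unable to resolve [ %s ]. ErrorCode %d"
          // The published rule carried a typographic apostrophe (U+2019) in
          // "target's", which YARA stores as the 3-byte UTF-8 sequence E2 80 99.
          // A binary built from ASCII source holds a single 0x27 there and a
          // cp1252 build holds 0x92, so the literal would miss those variants
          // and, with "all of them", the whole rule would fail. Allow 1-3
          // arbitrary bytes in that position instead; this is a superset of
          // what the original literal matched.
          $s2 = /your target.{1,3}s IP is : %s/
          $s3 = "Raw TCP Socket Created successfully."
      condition:
          all of them
  }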
  109.  
  rule OPCLEAVER_TinyZBot
  {
      // TinyZBot. Four independent evidence groups; any one group is enough.
      //  - $s1/$s2: UTF-16 "NetScp" plus the .NET resource name
      //  - $s3-$s5: the watermark-software disguise plus runner strings
      //  - $s6-$s8: web-service stub names; $s8 is the default .NET WSDL
      //    namespace and is common in benign assemblies, hence only used
      //    together with $s6 and $s7
      //  - $s9: the campaign marker alone
      meta:
          description = "Tiny Bot used by attackers in Operation Cleaver"
          reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
          date = "2014/12/02"
          author = "Cylance Inc."
      strings:
          $s1 = "NetScp" wide
          $s2 = "TinyZBot.Properties.Resources.resources"
          $s3 = "Aoao WaterMark"
          $s4 = "Run_a_exe"
          $s5 = "netscp.exe"
          $s6 = "get_MainModule_WebReference_DefaultWS"
          $s7 = "remove_CheckFileMD5Completed"
          $s8 = "http://tempuri.org/"
          $s9 = "Zhoupin_Cleaver"
      condition:
          ($s1 and $s2)
          or ($s3 and $s4 and $s5)
          or ($s6 and $s7 and $s8)
          or $s9
  }
  130.  
  rule OPCLEAVER_ZhoupinExploitCrew
  {
      // Group name in either spelling, case-insensitive. ASCII only: a UTF-16
      // copy of the phrase is not matched because no `wide` modifier is set.
      meta:
          description = "Keywords used by attackers in Operation Cleaver"
          reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
          date = "2014/12/02"
          author = "Cylance Inc."
      strings:
          $s1 = "zhoupin exploit crew" nocase
          $s2 = "zhopin exploit crew" nocase
      condition:
          $s1 or $s2
  }
  144.  
  rule OPCLEAVER_antivirusdetector
  {
      // AV enumeration helper: two method names plus the class name, all three
      // required (ASCII only).
      meta:
          description = "Hack tool used by attackers in Operation Cleaver"
          reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
          date = "2014/12/02"
          author = "Cylance Inc."
      strings:
          $s1 = "getShadyProcess"
          $s2 = "getSystemAntiviruses"
          $s3 = "AntiVirusDetector"
      condition:
          $s1 and $s2 and $s3
  }
  159.  
  rule OPCLEAVER_csext
  {
      // csext backdoor. "Extentions" is misspelled in the strings on purpose:
      // the literal bytes are the indicator, do not "correct" them.
      meta:
          description = "Backdoor used by attackers in Operation Cleaver"
          reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
          date = "2014/12/02"
          author = "Cylance Inc."
      strings:
          $s1 = "COM+ System Extentions"
          $s2 = "csext.exe"
          $s3 = "COM_Extentions_bin"
      condition:
          $s1 and $s2 and $s3
  }
  174.  
  rule OPCLEAVER_kagent
  {
      // kagent backdoor: two operator-facing log messages, both required.
      meta:
          description = "Backdoor used by attackers in Operation Cleaver"
          reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
          date = "2014/12/02"
          author = "Cylance Inc."
      strings:
          $s1 = "kill command is in last machine, going back"
          $s2 = "message data length in B64: %d Bytes"
      condition:
          $s1 and $s2
  }
  188.  
  rule OPCLEAVER_mimikatzWrapper
  {
      // Wrapper around mimikatz: class name plus accessor name, both required.
      meta:
          description = "Mimikatz Wrapper used by attackers in Operation Cleaver"
          reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
          date = "2014/12/02"
          author = "Cylance Inc."
      strings:
          $s1 = "mimikatzWrapper"
          $s2 = "get_mimikatz"
      condition:
          $s1 and $s2
  }
  202.  
  rule OPCLEAVER_pvz_in
  {
      // Parviz "in" tool. $s2 contains doubled percent signs, i.e. the batch
      // line as it would appear inside a C format string/template rather than
      // in the emitted .bat file (presumably; verify against a sample).
      meta:
          description = "Parviz tool used by attackers in Operation Cleaver"
          reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
          date = "2014/12/02"
          author = "Cylance Inc."
      strings:
          $s1 = "LAST_TIME=00/00/0000:00:00PM$"
          $s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
      condition:
          $s1 and $s2
  }
  216.  
  rule OPCLEAVER_pvz_out
  {
      // Parviz "out" tool. Both strings are UTF-16LE only (`wide`); ASCII
      // copies are deliberately not matched.
      meta:
          description = "Parviz tool used by attackers in Operation Cleaver"
          reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
          date = "2014/12/02"
          author = "Cylance Inc."
      strings:
          $s1 = "Network Connectivity Module" wide
          $s2 = "OSPPSVC" wide
      condition:
          $s1 and $s2
  }
  230.  
  rule OPCLEAVER_wndTest
  {
      // wndTest backdoor. $s1/$s2 are UTF-16LE (keystroke/window-title style
      // markers) and are generic by themselves; the ASCII HTTP header
      // template $s3 is what makes the combination specific.
      meta:
          description = "Backdoor used by attackers in Operation Cleaver"
          reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
          date = "2014/12/02"
          author = "Cylance Inc."
      strings:
          $s1 = "[Alt]" wide
          $s2 = "<< %s >>:" wide
          $s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
      condition:
          $s1 and $s2 and $s3
  }
  245.  
  rule OPCLEAVER_zhCat
  {
      // zhCat network tool: an ASCII usage example plus a UTF-16LE company
      // placeholder string; both required.
      meta:
          description = "Network tool used by Iranian hackers and used by attackers in Operation Cleaver"
          reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
          date = "2014/12/02"
          author = "Cylance Inc."
      strings:
          $s1 = "zhCat -l -h -tp 1234"
          $s2 = "ABC ( A Big Company )" wide
      condition:
          $s1 and $s2
  }
  259.  
  rule OPCLEAVER_zhLookUp
  {
      // Single-string rule: the tool's own namespace (ASCII only).
      meta:
          description = "Hack tool used by attackers in Operation Cleaver"
          reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
          date = "2014/12/02"
          author = "Cylance Inc."
      strings:
          $s1 = "zhLookUp.Properties"
      condition:
          $s1
  }
  272.  
  rule OPCLEAVER_zhmimikatz
  {
      // Second mimikatz wrapper variant; runner class name plus tool name.
      meta:
          description = "Mimikatz wrapper used by attackers in Operation Cleaver"
          reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
          date = "2014/12/02"
          author = "Cylance Inc."
      strings:
          $s1 = "MimikatzRunner"
          $s2 = "zhmimikatz"
      condition:
          $s1 and $s2
  }
  286.  
  rule OPCLEAVER_Parviz_Developer
  {
      // Developer path fragment (e.g. a leftover build/PDB path), matched
      // case-insensitively but ASCII only. Weaker evidence than the tool
      // rules above, reflected in the lower score.
      meta:
          description = "Parviz developer known from Operation Cleaver"
          reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
          date = "2014/12/02"
          author = "Florian Roth"
          score = "70"
      strings:
          $s1 = "Users\\parviz\\documents\\" nocase
      condition:
          1 of them
  }
  300.  
  rule OPCLEAVER_CCProxy_Config
  {
      // Two ways to fire: either the full set of four account/service lines,
      // or the single hard-coded IP line on its own.
      // NOTE(review): $s1-$s4 look like generic CCProxy account settings, so
      // the $s* branch may also hit unrelated CCProxy installs; treat it as
      // lower confidence than a $x1 hit and confirm against a clean config.
      meta:
          description = "CCProxy config known from Operation Cleaver"
          reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
          date = "2014/12/02"
          author = "Florian Roth"
          score = "70"
      strings:
          $s1 = "UserName=User-001" fullword ascii
          $s2 = "Web=1" fullword ascii
          $s3 = "Mail=1" fullword ascii
          $s4 = "FTP=0" fullword ascii
          $x1 = "IPAddressLow=78.109.194.114" fullword ascii
      condition:
          ($s1 and $s2 and $s3 and $s4) or $x1
  }