API tools faq
paste
Advertisement
shotgunner101

Yara Rule to Detect Ursnif

shotgunner101
Jul 18th, 2017
650
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.49 KB | None | 0 0
raw download clone embed print report
  1. /*
  2. Yara Rule Set
  3. Author: Ruben Dodge - www.dodgethissecurity.com
  4. Date: 2017-07-13
  5. Identifier:
  6. */
  7.  
  8. /* Rule Set ----------------------------------------------------------------- */
  9.  
  10. rule PossibleUrsnifEncryptedWordDocument {
  11. meta:
  12. description = "Rule created to detect Ursnif Word Documents while still in their encrypted state."
  13. author = "Ruben Dodge"
  14. reference = "not set"
  15. date = "2017-07-13"
  16. rev = 1
  17. weight = 100
  18. strings:
  19. $x1 = "<dataIntegrity encryptedHmacKey=" ascii /* Document Encryption Check 1 */
  20. $x2 = "<encryption xmlns=\"http://schemas.microsoft.com/office/2006/encryption\" xmlns:p=\"http://schemas.microsoft.com/office/2006/key" ascii /* Document Encryption Check 2 */
  21. $s3 = "Microsoft.Container.EncryptionTransform" fullword wide /* Document Encryption Check 3 */
  22. $s4 = "EncryptedPackage2" fullword wide /* Document Encryption Check 4 */
  23. $s5 = "StrongEncryptionDataSpace" fullword wide /* Document Encryption Check 5 */
  24. $s6 = "{FF9A3F03-56EF-4613-BDD5-5A41C1D07246}N" fullword wide /* Unknown ID used in each of the encrypted documents, most likely it corresponds to a unique identifier for encryption settings */
  25. $s7 = "cipherAlgorithm=\"AES" fullword ascii /* Check for AES encryption as the chosen encryption algorithm */
  26. $s8 = "hashAlgorithm=\"SHA512" fullword ascii /* Check for SHA512 hashing algorithm as the chosen algorithm, this is not the default hashing algorithm choice. */
  27. $s9 = "keyBits=\"256" fullword ascii /* Key bits, it should be noted this is not the default setting for encryption 128 is the default. */
  28. $s10 = "cipherChaining=\"ChainingModeCBC" fullword ascii /* Cipher Chaining Algorithm */
  29. $s11 = "<keyData saltSize=\"16" fullword ascii /* Document Encryption Check 6 */
  30. $s12 = "blockSize=\"16" fullword ascii /* Document Encryption Check 7 */
  31. $s13 = "hashSize=\"64" fullword ascii /* Document Encryption Check 8 */
  32. $s14 = "DocumentSummaryInformation" fullword wide /* Check for the existence of the purposely filled out Document metadata. */
  33. $s15 = "<p:encryptedKey spinCount=\"100000" fullword ascii /* The Encryption key spin count used to make decryption more difficult of AES encrypted data. This is a default setting. */
  34. $s16 = "SummaryInformation" fullword wide /* Second check for purposely filled out metadata. */
  35. condition:
  36. ( uint16(0) == 0xcfd0 and ( all of ($x*) and all of ($s*) ) ) and ( filesize < 200KB )
  37. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!