
Yara Rule to Detect Ursnif

/*
Yara Rule Set
Author: Ruben Dodge - www.dodgethissecurity.com
Date: 2017-07-13
Identifier:
*/

/* Rule Set ----------------------------------------------------------------- */

  10. rule PossibleUrsnifEncryptedWordDocument {
  11. meta:
  12. description = "Rule created to detect Ursnif Word Documents while still in their encrypted state."
  13. author = "Ruben Dodge"
  14. reference = "not set"
  15. date = "2017-07-13"
  16. rev = 1
  17. weight = 100
  18. strings:
  19. $x1 = "<dataIntegrity encryptedHmacKey=" ascii /* Document Encryption Check 1 */
  20. $x2 = "<encryption xmlns=\"http://schemas.microsoft.com/office/2006/encryption\" xmlns:p=\"http://schemas.microsoft.com/office/2006/key" ascii /* Document Encryption Check 2 */
  21. $s3 = "Microsoft.Container.EncryptionTransform" fullword wide /* Document Encryption Check 3 */
  22. $s4 = "EncryptedPackage2" fullword wide /* Document Encryption Check 4 */
  23. $s5 = "StrongEncryptionDataSpace" fullword wide /* Document Encryption Check 5 */
  24. $s6 = "{FF9A3F03-56EF-4613-BDD5-5A41C1D07246}N" fullword wide /* Unknown ID used in each of the encrypted documents, most likely it corresponds to a unique identifier for encryption settings */
  25. $s7 = "cipherAlgorithm=\"AES" fullword ascii /* Check for AES encryption as the chosen encryption algorithm */
  26. $s8 = "hashAlgorithm=\"SHA512" fullword ascii /* Check for SHA512 hashing algorithm as the chosen algorithm, this is not the default hashing algorithm choice. */
  27. $s9 = "keyBits=\"256" fullword ascii /* Key bits, it should be noted this is not the default setting for encryption 128 is the default. */
  28. $s10 = "cipherChaining=\"ChainingModeCBC" fullword ascii /* Cipher Chaining Algorithm */
  29. $s11 = "<keyData saltSize=\"16" fullword ascii /* Document Encryption Check 6 */
  30. $s12 = "blockSize=\"16" fullword ascii /* Document Encryption Check 7 */
  31. $s13 = "hashSize=\"64" fullword ascii /* Document Encryption Check 8 */
  32. $s14 = "DocumentSummaryInformation" fullword wide /* Check for the existence of the purposely filled out Document metadata. */
  33. $s15 = "<p:encryptedKey spinCount=\"100000" fullword ascii /* The Encryption key spin count used to make decryption more difficult of AES encrypted data. This is a default setting. */
  34. $s16 = "SummaryInformation" fullword wide /* Second check for purposely filled out metadata. */
  35. condition:
  36. ( uint16(0) == 0xcfd0 and ( all of ($x*) and all of ($s*) ) ) and ( filesize < 200KB )
  37. }