Yara Rule to Detect Ursnif

  1. /*
  2.    Yara Rule Set
  3.    Author: Ruben Dodge - www.dodgethissecurity.com
  4.    Date: 2017-07-13
  5.    Identifier:
  6. */
  7.  
  8. /* Rule Set ----------------------------------------------------------------- */
  9.  
  10. rule PossibleUrsnifEncryptedWordDocument {
  11.    meta:
  12.       description = "Rule created to detect Ursnif Word Documents while still in their encrypted state."
  13.       author = "Ruben Dodge"
  14.       reference = "not set"
  15.       date = "2017-07-13"
  16.       rev = 1
  17.       weight = 100
  18.    strings:
  19.       $x1 = "<dataIntegrity encryptedHmacKey=" ascii /* Document Encryption Check 1 */
  20.       $x2 = "<encryption xmlns=\"http://schemas.microsoft.com/office/2006/encryption\" xmlns:p=\"http://schemas.microsoft.com/office/2006/key" ascii /* Document Encryption Check 2 */
  21.       $s3 = "Microsoft.Container.EncryptionTransform" fullword wide /* Document Encryption Check 3 */
  22.       $s4 = "EncryptedPackage2" fullword wide /* Document Encryption Check 4 */
  23.       $s5 = "StrongEncryptionDataSpace" fullword wide /* Document Encryption Check 5 */
  24.       $s6 = "{FF9A3F03-56EF-4613-BDD5-5A41C1D07246}N" fullword wide /* Unknown ID used in each of the encrypted documents, most likely it corresponds to a unique identifier for encryption settings */
  25.       $s7 = "cipherAlgorithm=\"AES" fullword ascii /* Check for AES encryption as the chosen encryption algorithm */
  26.       $s8 = "hashAlgorithm=\"SHA512" fullword ascii /* Check for SHA512 hashing algorithm as the chosen algorithm, this is not the default hashing algorithm choice. */
  27.       $s9 = "keyBits=\"256" fullword ascii /* Key bits, it should be noted this is not the default setting for encryption 128 is the default. */
  28.       $s10 = "cipherChaining=\"ChainingModeCBC" fullword ascii /* Cipher Chaining Algorithm */
  29.       $s11 = "<keyData saltSize=\"16" fullword ascii /* Document Encryption Check 6 */
  30.       $s12 = "blockSize=\"16" fullword ascii /* Document Encryption Check 7 */
  31.       $s13 = "hashSize=\"64" fullword ascii /* Document Encryption Check 8 */
  32.       $s14 = "DocumentSummaryInformation" fullword wide /* Check for the existence of the purposely filled out Document metadata. */
  33.       $s15 = "<p:encryptedKey spinCount=\"100000" fullword ascii /* The Encryption key spin count used to make decryption more difficult of AES encrypted data. This is a default setting. */
  34.       $s16 = "SummaryInformation" fullword wide /* Second check for purposely filled out metadata. */
  35.    condition:
  36.       ( uint16(0) == 0xcfd0 and ( all of ($x*) and all of ($s*) ) ) and ( filesize < 200KB )
  37. }