Thursday, November 9, 2017

Some equation group RAT's

rule Arcom
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/Arcom"
family = "arcom"
tags = "rat, arcom"
strings:
$a1 = "CVu3388fnek3W(3ij3fkp0930di"
$a2 = "ZINGAWI2"
$a3 = "clWebLightGoldenrodYellow"
$a4 = "Ancestor for '%s' not found" wide
$a5 = "Control-C hit" wide
$a6 = {A3 24 25 21}
condition:
all of them
}
rule adWind
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/adWind"
family = "adwind"
tags = "rat, adwind"
strings:
$meta = "META-INF"
$conf = "config.xml"
$a = "Adwind.class"
$b = "Principal.adwind"
condition:
all of them
}
rule Adzok
{
meta:
author = " Kevin Breen "
Description = "Adzok Rat"
Versions = "Free 1.0.0.3,"
date = "2015/05"
ref = "http://malwareconfig.com/stats/Adzok"
maltype = "Remote Access Trojan"
filetype = "jar"
family = "adzok"
tags = "rat, adzok"
strings:
$a1 = "config.xmlPK"
$a2 = "key.classPK"
$a3 = "svd$1.classPK"
$a4 = "svd$2.classPK"
$a5 = "Mensaje.classPK"
$a6 = "inic$ShutdownHook.class"
$a7 = "Uninstall.jarPK"
$a8 = "resources/icono.pngPK"
condition:
7 of ($a*)
}
rule Ap0calypse
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/Ap0calypse"
family = "ap0calypse"
tags = "rat, apocalypse"
strings:
$a = "Ap0calypse"
$b = "Sifre"
$c = "MsgGoster"
$d = "Baslik"
$e = "Dosyalars"
$f = "Injecsiyon"
condition:
all of them
}
rule Albertino
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/AAR"
family = "albertino"
tags = "rat, albertino"
strings:
$a = "Hashtable"
$b = "get_IsDisposed"
$c = "TripleDES"
$d = "testmemory.FRMMain.resources"
$e = "$this.Icon" wide
$f = "{11111-22222-20001-00001}" wide
$g = "@@@@@@@@@@@"
condition:
all of them
}
rule AlienSpy
{
meta:
author = " Kevin Breen "
date = "2015/03"
ref = "http://malwareconfig.com/stats/AlienSpy"
maltype = "Remote Access Trojan"
filetype = "jar"
family = "alienspy"
tags = "rat, alienspy"
strings:
$a1 = "Main.classPK"
$a2 = "MANIFEST.MFPK"
$a3 = "plugins/Server.classPK"
$a4 = "META-INF/MANIFEST.MF"
$a5 = "ID"
$b1 = "config.xml"
$b2 = "options/PK"
$b3 = "plugins/PK"
$b4 = "util/PK"
$b5 = "util/OSHelper/PK"
$b6 = "Start.class"
$b7 = "AlienSpy"
condition:
all of ($a*) or all of ($b*)
}
rule Bandook
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/Bandook"
maltype = "Remote Access Trojan"
family = "bandook"
tags = "rat, bandook"
strings:
$a = "aaaaaa1|"
$b = "aaaaaa2|"
$c = "aaaaaa3|"
$d = "aaaaaa4|"
$e = "aaaaaa5|"
$f = "%s%d.exe"
$g = "astalavista"
$h = "givemecache"
$i = "%s\\system32\\drivers\\blogs\\*"
$j = "bndk13me"
condition:
all of them
}
rule BlackNix
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/BlackNix"
family = "blacknix"
tags = "rat, blacknix"
strings:
$a1 = "SETTINGS" wide
$a2 = "Mark Adler"
$a3 = "Random-Number-Here"
$a4 = "RemoteShell"
$a5 = "SystemInfo"
condition:
all of them
}
rule Bozok
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/Bozok"
family = "bozok"
tags = "rat, bozok"
strings:
$a = "getVer" nocase
$b = "StartVNC" nocase
$c = "SendCamList" nocase
$d = "untPlugin" nocase
$e = "gethostbyname" nocase
condition:
all of them
}
rule BlueBanana
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/BlueBanana"
maltype = "Remote Access Trojan"
filetype = "Java"
family = "bluebanana"
tags = "rat, bluebanane"
strings:
$meta = "META-INF"
$conf = "config.txt"
$a = "a/a/a/a/f.class"
$b = "a/a/a/a/l.class"
$c = "a/a/a/b/q.class"
$d = "a/a/a/b/v.class"
condition:
all of them
}
rule BlackShades
{
meta:
author = "Brian Wallace (@botnet_hunter)"
date = "2014/04"
ref = "http://malwareconfig.com/stats/PoisonIvy"
ref = "http://blog.cylance.com/a-study-in-bots-blackshades-net"
family = "blackshades"
tags = "rat blackshades"
strings:
$string1 = "bss_server"
$string2 = "txtChat"
$string3 = "UDPFlood"
condition:
all of them
}
rule ClientMesh
{
meta:
author = "Kevin Breen "
date = "2014/06"
ref = "http://malwareconfig.com/stats/ClientMesh"
family = "clientmesh"
tags = "rat, clientmesh"
strings:
$string1 = "machinedetails"
$string2 = "MySettings"
$string3 = "sendftppasswords"
$string4 = "sendbrowserpasswords"
$string5 = "arma2keyMass"
$string6 = "keylogger"
$conf = {00 00 00 00 00 00 00 00 00 7E}
condition:
all of them
}
rule Crimson
{
meta:
author = " Kevin Breen "
Description = "Crimson Rat"
date = "2015/05"
ref = "http://malwareconfig.com/stats/Crimson"
maltype = "Remote Access Trojan"
filetype = "jar"
family = "crimson"
tags = "rat, crimson"
strings:
$a1 = "com/crimson/PK"
$a2 = "com/crimson/bootstrapJar/PK"
$a3 = "com/crimson/permaJarMulti/PermaJarReporter$1.classPK"
$a4 = "com/crimson/universal/containers/KeyloggerLog.classPK"
$a5 = "com/crimson/universal/UploadTransfer.classPK"
condition:
all of ($a*)
}
rule CyberGate
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/CyberGate"
maltype = "Remote Access Trojan"
filetype = "exe"
family = "cybergate"
tags = "rat, cybergate"
strings:
$string1 = {23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23}
$string2 = {23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23}
$string3 = "EditSvr"
$string4 = "TLoader"
$string5 = "Stroks"
$string6 = "####@####"
$res1 = "XX-XX-XX-XX"
$res2 = "CG-CG-CG-CG"
condition:
all of ($string*) and any of ($res*)
}
rule DarkComet
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/DarkComet"
family = "darkcomet"
tags = "rat, darkcomet"
strings:
// Versions 2x
$a1 = "#BOT#URLUpdate"
$a2 = "Command successfully executed!"
$a3 = "MUTEXNAME" wide
$a4 = "NETDATA" wide
// Versions 3x & 4x & 5x
$b1 = "FastMM Borland Edition"
$b2 = "%s, ClassID: %s"
$b3 = "I wasn't able to open the hosts file"
$b4 = "#BOT#VisitUrl"
$b5 = "#KCMDDC"
condition:
all of ($a*) or all of ($b*)
}
rule DarkRAT
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/DarkRAT"
maltype = "Remote Access Trojan"
family = "darkrat"
tags = "rat, darkrat"
strings:
$a = "@1906dark1996coder@"
$b = "SHEmptyRecycleBinA"
$c = "mciSendStringA"
$d = "add_Shutdown"
$e = "get_SaveMySettingsOnExit"
$f = "get_SpecialDirectories"
$g = "Client.My"
condition:
all of them
}
rule Greame
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/Greame"
maltype = "Remote Access Trojan"
family = "greame"
tags = "rat, greame"
strings:
$a = {23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23}
$b = {23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23}
$c = "EditSvr"
$d = "TLoader"
$e = "Stroks"
$f = "Avenger by NhT"
$g = "####@####"
$h = "GREAME"
condition:
all of them
}
rule HawkEye
{
meta:
author = " Kevin Breen "
date = "2015/06"
ref = "http://malwareconfig.com/stats/HawkEye"
maltype = "KeyLogger"
filetype = "exe"
family = "hawkeye"
tags = "rat, hawkeye"
strings:
$key = "HawkEyeKeylogger" wide
$salt = "099u787978786" wide
$string1 = "HawkEye_Keylogger" wide
$string2 = "holdermail.txt" wide
$string3 = "wallet.dat" wide
$string4 = "Keylog Records" wide
$string5 = "" wide
$string6 = "\\pidloc.txt" wide
$string7 = "BSPLIT" wide
condition:
$key and $salt and all of ($string*)
}
rule Imminent
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/Imminent"
maltype = "Remote Access Trojan"
filetype = "exe"
family = "imminent"
tags = "rat, imminent"
strings:
$v1a = "DecodeProductKey"
$v1b = "StartHTTPFlood"
$v1c = "CodeKey"
$v1d = "MESSAGEBOX"
$v1e = "GetFilezillaPasswords"
$v1f = "DataIn"
$v1g = "UDPzSockets"
$v1h = {52 00 54 00 5F 00 52 00 43 00 44 00 41 00 54 00 41}
$v2a = "k__BackingField"
$v2b = "k__BackingField"
$v2c = "DownloadAndExecute"
$v2d = "-CHECK & PING -n 2 127.0.0.1 & EXIT" wide
$v2e = "england.png" wide
$v2f = "Showed Messagebox" wide
condition:
all of ($v1*) or all of ($v2*)
}
rule Infinity
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/Infinity"
maltype = "Remote Access Trojan"
filetype = "exe"
family = "infinity"
tags = "rat, infinity"
strings:
$a = "CRYPTPROTECT_PROMPTSTRUCT"
$b = "discomouse"
$c = "GetDeepInfo"
$d = "AES_Encrypt"
$e = "StartUDPFlood"
$f = "BATScripting" wide
$g = "FBqINhRdpgnqATxJ.html" wide
$i = "magic_key" wide
condition:
all of them
}
rule jRat
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/jRat"
maltype = "Remote Access Trojan"
filetype = "Java"
family = "jrat"
tags = "rat, jrat"
strings:
$meta = "META-INF"
$key = "key.dat"
$conf = "config.dat"
$jra1 = "enc.dat"
$jra2 = "a.class"
$jra3 = "b.class"
$jra4 = "c.class"
$reClass1 = /[a-z]\.class/
$reClass2 = /[a-z][a-f]\.class/
condition:
($meta and $key and $conf and #reClass1 > 10 and #reClass2 > 10) or ($meta and $key and all of ($jra*))
}
rule LostDoor
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/LostDoor"
maltype = "Remote Access Trojan"
filetype = "exe"
family = "lostdoor"
tags = "rat, lostdoor"
strings:
$a0 = {0D 0A 2A 45 44 49 54 5F 53 45 52 56 45 52 2A 0D 0A}
$a1 = "*mlt* = %"
$a2 = "*ip* = %"
$a3 = "*victimo* = %"
$a4 = "*name* = %"
$b5 = "[START]"
$b6 = "[DATA]"
$b7 = "We Control Your Digital World" wide ascii
$b8 = "RC4Initialize" wide ascii
$b9 = "RC4Decrypt" wide ascii
condition:
all of ($a*) or all of ($b*)
}
rule LuminosityLink
{
meta:
author = " Kevin Breen "
date = "2015/06"
ref = "http://malwareconfig.com/stats/LuminosityLink"
maltype = "Remote Access Trojan"
filetype = "exe"
family = "luminositylink"
tags = "rat, luminositylink"
strings:
$a = "SMARTLOGS" wide
$b = "RUNPE" wide
$c = "b.Resources" wide
$d = "CLIENTINFO*" wide
$e = "Invalid Webcam Driver Download URL, or Failed to Download File!" wide
$f = "Proactive Anti-Malware has been manually activated!" wide
$g = "REMOVEGUARD" wide
$h = "C0n1f8" wide
$i = "Luminosity" wide
$j = "LuminosityCryptoMiner" wide
$k = "MANAGER*CLIENTDETAILS*" wide
condition:
all of them
}
rule LuxNet
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/LuxNet"
maltype = "Remote Access Trojan"
filetype = "exe"
family = "luxnet"
tags = "rat, luxnet"
strings:
$a = "GetHashCode"
$b = "Activator"
$c = "WebClient"
$d = "op_Equality"
$e = "dickcursor.cur" wide
$f = "{0}|{1}|{2}" wide
condition:
all of them
}
rule NanoCore
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/NanoCore"
maltype = "Remote Access Trojan"
filetype = "exe"
family = "nanocore"
tags = "rat, nanocore"
strings:
$a = "NanoCore"
$b = "ClientPlugin"
$c = "ProjectData"
$d = "DESCrypto"
$e = "KeepAlive"
$f = "IPNETROW"
$g = "LogClientMessage"
$key = {43 6f 24 cb 95 30 38 39}
condition:
6 of them
}
rule NetWire
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/NetWire"
maltype = "Remote Access Trojan"
filetype = "exe"
family = "netwire"
tags = "rat, netwire"
strings:
$string1 = "[Scroll Lock]"
$string2 = "[Shift Lock]"
$string3 = "200 OK"
$string4 = "%s.Identifier"
$string5 = "sqlite3_column_text"
$string6 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]"
condition:
all of them
}
rule njRat
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/njRat"
maltype = "Remote Access Trojan"
filetype = "exe"
family = "njrat"
tags = "rat, njrat"
strings:
$s1 = {7C 00 27 00 7C 00 27 00 7C} // |'|'|
$s2 = "netsh firewall add allowedprogram" wide
$s3 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide
$s4 = "yyyy-MM-dd" wide
$v1 = "cmd.exe /k ping 0 & del" wide
$v2 = "cmd.exe /c ping 127.0.0.1 & del" wide
$v3 = "cmd.exe /c ping 0 -n 2 & del" wide
condition:
all of ($s*) and any of ($v*)
}
rule Pandora
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/Pandora"
maltype = "Remote Access Trojan"
filetype = "exe"
family = "pandora"
tags = "rat, pandora"
strings:
$a = "Can't get the Windows version"
$b = "=M=Q=U=Y=]=a=e=i=m=q=u=y=}="
$c = "JPEG error #%d" wide
$d = "Cannot assign a %s to a %s" wide
$g = "%s, ProgID:"
$h = "clave"
$i = "Shell_TrayWnd"
$j = "melt.bat"
$k = "\\StubPath"
$l = "\\logs.dat"
$m = "1027|Operation has been canceled!"
$n = "466|You need to plug-in! Double click to install... |"
$0 = "33|[Keylogger Not Activated!]"
condition:
all of them
}
rule Paradox
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/Paradox"
maltype = "Remote Access Trojan"
filetype = "exe"
family = "paradox"
tags = "rat, paradox"
strings:
$a = "ParadoxRAT"
$b = "Form1"
$c = "StartRMCam"
$d = "Flooders"
$e = "SlowLaris"
$f = "SHITEMID"
$g = "set_Remote_Chat"
condition:
all of them
}
rule PoisonIvy
{
meta:
author = "Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/PoisonIvy"
family = "poisonivy"
tags = "rat, poisonivy"
strings:
$stub = {04 08 00 53 74 75 62 50 61 74 68 18 04}
$string1 = "CONNECT %s:%i HTTP/1.0"
$string2 = "ws2_32"
$string3 = "cks=u"
$string4 = "thj@h"
$string5 = "advpack"
condition:
$stub at 0x1620 and all of ($string*) or (all of them)
}
rule PredatorPain
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/PredatorPain"
maltype = "Remote Access Trojan"
filetype = "exe"
family = "predatorpain"
tags = "rat, predatorpain"
strings:
$string1 = "holderwb.txt" wide
$string3 = "There is a file attached to this email" wide
$string4 = "screens\\screenshot" wide
$string5 = "Disablelogger" wide
$string6 = "\\pidloc.txt" wide
$string7 = "clearie" wide
$string8 = "clearff" wide
$string9 = "emails should be sent to you shortly" wide
$string10 = "jagex_cache\\regPin" wide
$string11 = "open=Sys.exe" wide
$ver1 = "PredatorLogger" wide
$ver2 = "EncryptedCredentials" wide
$ver3 = "Predator Pain" wide
condition:
7 of ($string*) and any of ($ver*)
}
rule Punisher
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/Punisher"
maltype = "Remote Access Trojan"
filetype = "exe"
family = "punisher"
tags = "rat, punisher"
strings:
$a = "abccba"
$b = {5C 00 68 00 66 00 68 00 2E 00 76 00 62 00 73}
$c = {5C 00 73 00 63 00 2E 00 76 00 62 00 73}
$d = "SpyTheSpy" wide ascii
$e = "wireshark" wide
$f = "apateDNS" wide
$g = "abccbaDanabccb"
condition:
all of them
}
rule PythoRAT
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/PythoRAT"
maltype = "Remote Access Trojan"
filetype = "exe"
family = "pythorat"
tags = "rat, pythorat"
strings:
$a = "TKeylogger"
$b = "uFileTransfer"
$c = "TTDownload"
$d = "SETTINGS"
$e = "Unknown" wide
$f = "#@#@#"
$g = "PluginData"
$i = "OnPluginMessage"
condition:
all of them
}
rule SmallNet
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/SmallNet"
maltype = "Remote Access Trojan"
filetype = "exe"
family = "smallnet"
tags = "rat, smallnet"
strings:
$split1 = "!!<3safia td="">
$split2 = "!!ElMattadorDz!!"
$a1 = "stub_2.Properties"
$a2 = "stub.exe" wide
$a3 = "get_CurrentDomain"
condition:
($split1 or $split2) and (all of ($a*))
}
rule SpyGate
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/SpyGate"
maltype = "Remote Access Trojan"
filetype = "exe"
family = "spygate"
tags = "rat, spygate"
strings:
$split = "abccba"
$a1 = "abccbaSpyGateRATabccba" //$a = Version 0.2.6
$a2 = "StubX.pdb"
$a3 = "abccbaDanabccb"
$b1 = "monikerString" nocase //$b = Version 2.0
$b2 = "virustotal1"
$b3 = "get_CurrentDomain"
$c1 = "shutdowncomputer" wide //$c = Version 2.9
$c2 = "shutdown -r -t 00" wide
$c3 = "set cdaudio door closed" wide
$c4 = "FileManagerSplit" wide
$c5 = "Chating With >> [~Hacker~]" wide
condition:
(all of ($a*) and #split > 40) or (all of ($b*) and #split > 10) or (all of ($c*))
}
rule Sub7Nation
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/Sub7Nation"
maltype = "Remote Access Trojan"
filetype = "exe"
family = "sub7nation"
tags = "rat, sub7nation"
strings:
$a = "EnableLUA /t REG_DWORD /d 0 /f"
$b = "*A01*"
$c = "*A02*"
$d = "*A03*"
$e = "*A04*"
$f = "*A05*"
$g = "*A06*"
$h = "#@#@#"
$i = "HostSettings"
$verSpecific1 = "sevane.tmp"
$verSpecific2 = "cmd_.bat"
$verSpecific3 = "a2b7c3d7e4"
$verSpecific4 = "cmd.dll"
condition:
all of them
}
rule unrecom
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/AAR"
maltype = "Remote Access Trojan"
filetype = "exe"
family = "unrecom"
tags = "rat, unrecom"
strings:
$meta = "META-INF"
$conf = "load/ID"
$a = "load/JarMain.class"
$b = "load/MANIFEST.MF"
$c = "plugins/UnrecomServer.class"
condition:
all of them
}
rule Vertex
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/Vertex"
maltype = "Remote Access Trojan"
filetype = "exe"
family = "vertex"
tags = "rat, vertex"
strings:
$string1 = "DEFPATH"
$string2 = "HKNAME"
$string3 = "HPORT"
$string4 = "INSTALL"
$string5 = "IPATH"
$string6 = "MUTEX"
$res1 = "PANELPATH"
$res2 = "ROOTURL"
condition:
all of them
}
rule VirusRat
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/VirusRat"
maltype = "Remote Access Trojan"
filetype = "exe"
family = "virusrat"
tags = "rat, virusrat"
strings:
$string0 = "virustotal"
$string1 = "virusscan"
$string2 = "abccba"
$string3 = "pronoip"
$string4 = "streamWebcam"
$string5 = "DOMAIN_PASSWORD"
$string6 = "Stub.Form1.resources"
$string7 = "ftp://{0}@{1}" wide
$string8 = "SELECT * FROM moz_logins" wide
$string9 = "SELECT * FROM moz_disabledHosts" wide
$string10 = "DynDNS\\Updater\\config.dyndns" wide
$string11 = "|BawaneH|" wide
condition:
all of them
}
rule xRAT
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/xRat"
maltype = "Remote Access Trojan"
filetype = "exe"
family = "xrat"
tags = "rat, xrat"
strings:
$v1a = "DecodeProductKey"
$v1b = "StartHTTPFlood"
$v1c = "CodeKey"
$v1d = "MESSAGEBOX"
$v1e = "GetFilezillaPasswords"
$v1f = "DataIn"
$v1g = "UDPzSockets"
$v1h = {52 00 54 00 5F 00 52 00 43 00 44 00 41 00 54 00 41}
$v2a = "k__BackingField"
$v2b = "k__BackingField"
$v2c = "DownloadAndExecute"
$v2d = "-CHECK & PING -n 2 127.0.0.1 & EXIT" wide
$v2e = "england.png" wide
$v2f = "Showed Messagebox" wide
condition:
all of ($v1*) or all of ($v2*)
}
rule XtremeRAT
{
meta:
author = " Kevin Breen "
date = "2014/04"
ref = "http://malwareconfig.com/stats/Xtreme"
family = "xtreme"
tags = "rat, xtreme"
strings:
$a = "XTREME" wide
$b = "ServerStarted" wide
$c = "XtremeKeylogger" wide
$d = "x.html" wide
$e = "Xtreme RAT" wide
condition:
all of them
}
rule winnti
{
meta:
autor = "S2R2"
family = "winnti"
strings:
$tcp = { 60 62 63 64 }
$http = { 62 62 63 64 }
$https = { 63 62 63 64 }
condition:
$tcp at (filesize + 196 - uint32(filesize - 4)) or $http at (filesize + 196 - uint32(filesize - 4)) or $https at (filesize + 196 - uint32(filesize - 4))
} https://github.com/viper-framework/viper/blob/master/data/yara/rats.yara
at No comments:

During Infection. ================= When WannaCry is first run, the process take a fair bit of time (about a minute on my VM) before all files are encrypted. Firstly, it creates a bunch of files in its initial directory: b.wnry = background image c.wnry = tor browser link f.wnry = list of files (“free” list?) r.wnry = “your files are encrypted” text s.wnry = zip file of tor thingy t.wnry = looks like zipped file u.wnry = contains RSA2 and “mail to” stuff /msg folder and fills this with different files containing shitty message in different languages.

t also creates the following which are crypto key related: 00000000.eky 00000000.pky 00000000.res And the following that I couldn’t be bothered about investigating: taskdl.exe taskse.exe @WanaDecryptor@.exe

 @echo off echo SET ow = WScript.CreateObject(“WScript.Shell”)> m.vbs echo SET om = ow.CreateShortcut(“%s%s”)>> m.vbs echo om.TargetPath = “%s%s”>> m.vbs echo om.Save>> m.vbs cscript.exe //nologo m.vbs del m.vbs

 The following registry entry is created: HKEY_LOCAL_MACHINE\SOFTWARE\WanaCrypt0r but the key I cannot remember. Either sd or md or wd or something. The following registry entry is read too: [insert key here – I can’t remember it – it is the RSA provider key held at “SOFTWARE/Microsoft/Crypto provider” or something] …or just look at this… Stack SS:[0012F7B8]=001546A0, (ASCII “SOFTWARE\Microsoft\Cryptography\Defaults\Provider\”) EDI=00154730, (ASCII “Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)”)

 Also, the computer name and also user accounts (S-1-5-etc.) are read and stored. 0012F39C 0012F3A8 šó . UNICODE “S-1-5-XX-XXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXX” (no, the X’s weren’t on the original pasting)

 So, once these files have been created, the following steps are run for each ‘victim’ file it wants to encrypt:
  • Get size of file.ext (in hex)

  • Get times of file.ext (creation,access,modify)

  • Reads 8 bytes from file

  • Creates file.ext.WNCRYT

  • Writes 8 bytes containing “WANACRY!” to file.ext.WNCRYT

  • Writes 4 bytes containing hex “00 01 00 00” to file.ext.WNCRYT (this didn’t change in my tests)


0012E008 00 01 00 00 . .
  • Writes 0x100 (256) bytes to file.ext.WNCRYT (obviously, this changes)

  • 0012DE00 44 12 4B E6 3E C0 E6 F2 C9 14 4A 82 86 2E 8E B4 D Kæ>ÀæòÉ J‚†.ŽŽ 0012DE10 84 0B 71 B2 14 87 F2 36 D9 B5 79 F3 9F 0E 64 FC „ q² ‡ò6ÙµyóŸ dü 0012DE20 C6 A5 28 DA 34 75 91 10 64 78 B5 9F 22 3A C3 02 Æ¥(Ú4u‘ dxµŸ”:à0012DE30 1E B7 96 27 56 C9 EA 94 B6 06 3C 1D 57 5D 81 8B ·–’VÉꔶ < W]‹ 0012DE40 31 59 0B D7 5C 03 FE B7 73 C7 BE 4F 62 EB C9 E9 1Y ×\ þ·sÇŸObëÉé 0012DE50 E1 19 7B 1E 4F A0 09 9D 8C B6 4B 2B BB 7B 93 6F á { O .Œ¶K+»{“o 0012DE60 DF FC 4F 68 FA 70 76 CE 40 13 6D FC 0B EB 81 1F ßüOhúpvÎ@ mü ë 0012DE70 6D 0E EB 18 B9 7C 57 98 DE F9 25 BD 5B D3 C5 AA m ë ¹|W˜Þù%œ[ÓŪ 0012DE80 5A 6F A8 A4 C8 28 A3 9F 02 FF EA 0B 1E 05 6A 10 Zoš€È(£Ÿ ÿê j 0012DE90 88 58 72 42 2E C5 3C 28 B0 0C BD 49 7F 4D 16 23 ˆXrB.Å<(°.œIM # 0012DEA0 91 21 7D 5F D1 10 D8 71 82 36 20 46 95 EB 59 6D ‘! }_Ñ Øq‚6 F•ëYm 0012DEB0 56 D1 82 1C 6A 22 E3 CB B1 E2 08 AF D3 E7 17 19 VÑ‚ j”ã˱⠯Óç 0012DEC0 43 8F 7F F1 74 FF E4 FC 47 62 74 A1 0D 93 9F 85 CñtÿäüGbt¡.“Ÿ… 0012DED0 E7 C7 FC 2C A5 33 70 33 A0 05 85 6B 7D 21 58 E1 çÇü,¥3p3 …k}!Xá 0012DEE0 E0 51 FC DC 46 53 E8 CE 7E FF 41 9D 02 30 07 8A àQüÜFSèÎ~ÿA 0 Š 0012DEF0 4D FB 31 1A 30 23 13 43 A5 39 18 7E AB A0 71 8E Mû1 0# C¥9 ~« qŽ
  • Writes 4 bytes to file.ext.WNCRYT
  • (guessing it was 04 00 00 00) or something, maybe a counter?
  • Writes 8 bytes (size of file as this matches original file count in hex) to file.ext.WNCRYT
  • 0012E034 13 00 00 00 00 00 00 00 …….
  • Reads 1048576 bytes from file.ext (guessing this is done in “blocks”, a bit like several encryption algorithms… 😉)
  • ***ENCRYPTION OCCURS*** follow:
  • 10002055 E8 E6480000 CALL 10006940
  • ***** AFTER ENCRYPTION *****
  • Writes 32 bytes to file.ext.WNCRYT
  • 01570020 75 6F A7 CE 5A BD 5F 84 38 47 39 AF 7C 4B 70 68 uo§ÎZœ_„8G9¯|Kph 01570030 79 E9 63 18 3C 6B CC 5E 83 E3 12 3A B2 A4 01 09 yéc
  • Sets the file time of file.ext.WNCRYT to what was stored earlier

  • Closes file handle for file.ext

  • Changes extension from file.ext.WNCRYT to file.ext.WNCRY
  • Sets file attributes of file.ext.WNCRY to “NORMAL”

  • Reopens file.ext

  • Gets file size of file.ext

  • Uses CryptGenRandom with the below to acquire data the size of file.
  • 0016DD10 46 FB 00 68 17 F0 00 68 B1 AF 00 68 86 D0 00 68 Fû.h ð.h±¯.h†Ð.h 0016DD20 60 94 00 68 38 96 00 68 22 9A 00 68 24 BA 00 68 `”.h8–.h”š.h$º.h 0016DD30 8A BF 00 68 8E 6C 00 68 00 71 00 68 BA 74 00 68 Š¿.hŽl.h.q.hºt.h 0016DD40 56 7E 00 68 A0 7F 00 68 D1 82 00 68 22 DA 00 68 V~.h .hÑ‚.h”Ú.h 0016DD50 0A DF 00 68 A7 D7 00 68 62 95 00 68 6D 9E 00 68 .ß.h§×.hb•.hmž.h 0016DD60 9C 9F 00 68 6F A5 00 68 91 C8 00 68 00 00 00 00 œŸ.ho¥.h‘È.h…. 0016DD70 AE AA 00 68 2E 85 00 68 00 00 00 00 00 00 00 68 ®ª.h.….h…….h 0016DD80 4C A2 4F E3 11 11 11 11 01 00 00 00 01 00 00 00 L¢Oã … … 0016DD90 AB AB AB AB AB AB AB AB 00 00 00 00 00 00 00 00 ««««««««…….. 0016DDA0 0C 00 13 00 CF 07 1E 00 .. .Ï . ….which, in this example, returns 0x13 (19) bytes: 000EE324 F3 4C 12 35 C5 5F E3 41 30 8A B5 F5 E0 2A FB C4 óL 5Å_ãA0Šµõà*ûÄ 000EE334 63 F3 DF cóß
  • Writes “random” data to file.ext
  • Flushes file buffer of file.ext

  • Set file pointer to 0 null
  • Writes “random” data to file (again)? – makes no difference to file or timestamp.

  • Close file handle.
    • So, in a nutshell it: copies an encrypted version of the file encapsulated with its own details of the file then overwites the original file with random data before deleting it. Sneaky bastards trying to get round those wanting to get back the file with forensic software such as Foremost and Scalpel.
    Which files are affected? ========================== WannaCry only targets files that have the following extensions:
    .der .pfx .key .crt .csr .p12 .pem .odt .ott .sxw .stw .uot .3ds .max .3dm .ods .ots .sxc .stc .dif .slk .wb2 .odp .otp .sxd .std .uop .odg .otg .sxm .mml .lay .lay6 .asc .sqlite3 .sqlitedb .sql .accdb .mdb .db .dbf .odb .frm .myd .myi .ibd .mdf .ldf .sln .suo .cs .c .cpp .pas .h .asm .js .cmd .bat .ps1 .vbs .vb .pl .dip .dch .sch .brd .jsp .php .asp .rb .java .jar .class .sh .mp3 .wav .swf .fla .wmv .mpg .vob .mpeg .asf .avi .mov .mp4 .3gp .mkv .3g2 .flv .wma .mid .m3u .m4u .djvu .svg .ai .psd .nef .tiff .tif .cgm .raw .gif .png .bmp .jpg .jpeg .vcd .iso .backup .zip .rar .7z .gz .tgz .tar .bak .tbk .bz2 .PAQ .ARC .aes .gpg .vmx .vmdk .vdi .sldm .sldx .sti .sxi .602 .hwp .snt .onetoc2 .dwg .pdf .wk1 .wks .123 .rtf .csv .txt .vsdx .vsd .edb .eml .msg .ost .pst .potm .potx .ppam .ppsx .ppsm .pps .pot .pptm .pptx .ppt .xltm .xltx .xlc .xlm .xlt .xlw .xlsb .xlsm .xlsx .xls .dotx .dotm .dot .docm .docb .docx .doc And that’s about it.
at No comments:

Wednesday, November 8, 2017

(about forgery money) you want an easy exit ? "pratical sense of terrorism"? than you spray the watermark...and no pen detects its fake. Do you rember 220 aspects of forgery money? question is, I want to the deposit at the swiss bank in Geneve...that's "terrorism"


at No comments:
Subscribe to: Posts (Atom)