/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
// Kaspersky Lab's published Duqu 2.0 loader rule, kept token-for-token as
// released (only comments added) so it stays attributable to the vendor.
//
// Two file-type branches share the $a/$b/$c string sets:
//   * PE images (MZ magic) under 100,000 bytes;
//   * OLE compound files (magic D0 CF 11 E0, i.e. MSI packages) under
//     20,000,000 bytes, which additionally accept the $d* strings.
rule apt_duqu2_loaders
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Duqu 2.0 samples"
        last_modified = "2015-06-09"
        version = "1.0"
    strings:
        // $a*: the high-confidence indicators. Hard-coded GUIDs used as a
        // named-pipe path (\\.\pipe\...) and as a Global\-namespace object
        // name, plus MSI `Binary`-table queries (presumably how the loader
        // reads its embedded payload out of the package). Any one suffices.
        // Note $a1 is a substring of $a2, so $a2 can never fire without $a1;
        // the identifiers are non-contiguous as published, do not renumber.
        $a1 = "{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}" wide
        $a2 = "\\\\.\\pipe\\{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}" wide
        $a4 = "\\\\.\\pipe\\{AB6172ED-8105-4996-9D2A-597B5F827501}" wide
        $a5 = "Global\\{B54E3268-DE1E-4c1e-A667-2596751403AD}" wide
        $a8 = "SELECT `Data` FROM `Binary` WHERE `Name`='%s%i'" wide
        $a9 = "SELECT `Data` FROM `Binary` WHERE `Name`='CryptHash%i'" wide
        $a7 = "SELECT `%s` FROM `%s` WHERE `%s`='CAData%i'" wide
        // $b*: low specificity on their own. Any MSI custom-action DLL imports
        // msi.dll; "StartAction" is the only discriminating token. All three
        // are required, but expect some benign installer DLLs to satisfy this
        // set -- triage $b-only hits before acting on them.
        $b1 = "MSI.dll"
        $b2 = "msi.dll"
        $b3 = "StartAction"
        // $c*: all four required. "-Embedding" is the switch COM passes to an
        // out-of-process server it launches; "S:(ML;;NW;;;LW)" is an SDDL
        // mandatory-label SACL (Low integrity, No-Write-Up). The meaning of
        // "msisvc_32@" and "PROP=" is not established by this file --
        // presumably loader-internal names, TODO confirm against the report.
        $c1 = "msisvc_32@" wide
        $c2 = "PROP=" wide
        $c3 = "-Embedding" wide
        $c4 = "S:(ML;;NW;;;LW)" wide
        // $d*: OLE/MSI branch only. $d1 is a run of MSI table and column
        // names (Name, Type, Binary, Data, CustomAction, Action, Source,
        // Target, InstallExecuteSequence, ...) concatenated in one specific
        // order -- presumably the package's string pool; benign packages with
        // the same minimal schema may reproduce it, hence it is ORed with the
        // stronger sets rather than required.
        // $d2 decodes to the MSVC RTTI type descriptor name
        //   .?AV?$_Bind@$00XU?$_Pmf_wrap@P8CLR?@@AEXXZXV1@$$$V@std@@QAVCLR?@@@std@@
        // i.e. a std::_Bind over a pointer-to-member-function of a class named
        // "CLR?"; the two ?? wildcards allow one byte of variation in that
        // class name at both places it appears.
        $d1 = "NameTypeBinaryDataCustomActionActionSourceTargetInstallExecuteSequenceConditionSequencePropertyValueMicrosoftManufacturer" nocase
        $d2 = {2E 3F 41 56 3F 24 5F 42 69 6E 64 40 24 30 30 58 55 3F 24 5F 50 6D 66 5F 77 72 61 70 40 50 38 43 4C 52 ?? 40 40 41 45 58 58 5A 58 56 31 40 24 24 24 56 40 73 74 64 40 40 51 41 56 43 4C 52 ?? 40 40 40 73 74 64 40 40}
    condition:
        // PE branch: 0x5a4d == "MZ". OLE branch: 0xe011cfd0 is the little-endian
        // read of the D0 CF 11 E0 compound-file magic. Sizes are in bytes
        // (100,000 is not 100KB; 100KB in YARA would be 102,400).
        ( (uint16(0) == 0x5a4d) and ( (any of ($a*)) or (all of ($b*)) or (all of ($c*)) ) and filesize < 100000 ) or ( (uint32(0) == 0xe011cfd0) and ( (any of ($a*)) or (all of ($b*)) or (all of ($c*)) or (any of ($d*)) ) and filesize < 20000000 )
}
// Kaspersky Lab's published Duqu 2.0 kernel-driver rule, kept token-for-token
// as released (only comments added).
rule apt_duqu2_drivers
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Duqu 2.0 drivers"
        last_modified = "2015-06-09"
        version = "1.0"
    strings:
        // $a*: driver-specific names; at least one is required and carries
        // the rule's specificity. $a1 is a \DosDevices symbolic-link name for
        // the driver's device object. $a2 and $a4 read like operator handles
        // and appear to be deliberately planted false-flag strings -- do not
        // use them for attribution. Only $a1 is matched wide/nocase; $a2-$a4
        // are ASCII-only, so UTF-16 variants of those would be missed.
        $a1 = "\\DosDevices\\port_optimizer" wide nocase
        $a2 = "romanian.antihacker"
        $a3 = "PortOptimizerTermSrv" wide
        $a4 = "ugly.gorilla1"
        // $b*: legitimate NDIS export names that any NDIS intermediate or
        // filter driver imports. Two of three are required, which only
        // confirms "this is an NDIS driver"; they add no attribution on their
        // own and should not be lifted into a standalone rule.
        $b1 = "NdisIMCopySendCompletePerPacketInfo"
        $b2 = "NdisReEnumerateProtocolBindings"
        $b3 = "NdisOpenProtocolConfiguration"
    condition:
        // PE magic (0x5A4D == "MZ", same value as the lowercase form used in
        // the sibling rules), one driver-specific string, two NDIS imports,
        // and a 100,000-byte size cap.
        uint16(0) == 0x5A4D and (any of ($a*) ) and (2 of ($b*)) and filesize < 100000
}
/* Action Loader Samples --------------------------------------------------- */
// Generic rule covering the twelve action-loader samples listed in meta
// (hash0..hash11, SHA-1). Every string must be present.
rule Duqu2_Generic1
{
    meta:
        description = "Kaspersky APT Report - Duqu2 Sample - Generic Rule"
        author = "Florian Roth"
        reference = "https://goo.gl/7yKyOj"
        date = "2015-06-10"
        super_rule = 1
        hash0 = "3f9168facb13429105a749d35569d1e91465d313"
        hash1 = "0a574234615fb2382d85cd6d1a250d6c437afecc"
        hash2 = "38447ed1d5e3454fe17699f86c0039f30cc64cde"
        hash3 = "5282d073ee1b3f6ce32222ccc2f6066e2ca9c172"
        hash4 = "edfca3f0196788f7fde22bd92a8817a957c10c52"
        hash5 = "6a4ffa6ca4d6fde8a30b6c8739785f4bd2b5c415"
        hash6 = "00170bf9983e70e8dd4f7afe3a92ce1d12664467"
        hash7 = "32f8689fd18c723339414618817edec6239b18f3"
        hash8 = "f860acec9920bc009a1ad5991f3d5871c2613672"
        hash9 = "413ba509e41c526373f991d1244bc7c7637d3e13"
        hash10 = "29cd99a9b6d11a09615b3f9ef63f1f3cffe7ead8"
        hash11 = "dfe1cb775719b529138e054e7246717304db00b1"
    strings:
        // The two discriminating strings: the Global\-namespace GUID object
        // name (same value as $a5 in apt_duqu2_loaders) and "msisvc_32@"
        // (same value as $c1 there).
        $s0 = "Global\\{B54E3268-DE1E-4c1e-A667-2596751403AD}" wide fullword
        $s2 = "msisvc_32@" wide fullword
        // Plain Win32 import names. The inline annotations are generator
        // output ("Goodware String - occured N times"); these narrow the match
        // rather than identify it, and a variant that drops any one import
        // silently escapes the rule because all five strings are required.
        $s1 = "SetSecurityDescriptorSacl" ascii fullword /* PEStudio Blacklist: strings */ /* Goodware String - occured 189 times */
        $s3 = "CompareStringA" ascii fullword /* PEStudio Blacklist: strings */ /* Goodware String - occured 1392 times */
        $s4 = "GetCommandLineW" ascii fullword /* PEStudio Blacklist: strings */ /* Goodware String - occured 1680 times */
    condition:
        // MZ header, under 150KB (153,600 bytes), every $s* string present.
        filesize < 150KB and uint16(0) == 0x5A4D and all of ($s*)
}
// Custom-action DLL whose version information impersonates the Sysinternals
// Process Explorer installer while carrying a Duqu 2.0 loader DLL name and the
// MSI `Binary`-table payload query. Three samples in meta (SHA-1).
rule APT_Kaspersky_Duqu2_procexp
{
    meta:
        description = "Kaspersky APT Report - Duqu2 Sample - Malicious MSI"
        author = "Florian Roth"
        reference = "https://goo.gl/7yKyOj"
        date = "2015-06-10"
        hash1 = "2422835716066b6bcecb045ddd4f1fbc9486667a"
        hash2 = "b120620b5d82b05fee2c2153ceaf305807fa9f79"
        hash3 = "288ebfe21a71f83b5575dfcc92242579fb13910d"
    strings:
        // Any one of these. $x1-$x3 are loader module names seen across the
        // Duqu 2.0 set; $x4 ("MSI.dll") is generic to every MSI custom-action
        // DLL and on its own adds nothing -- the $s* set carries the rule.
        $x1 = "svcmsi_32.dll" wide fullword
        $x2 = "msi3_32.dll" wide fullword
        $x3 = "msi4_32.dll" wide fullword
        $x4 = "MSI.dll" ascii fullword
        // All three required. $s1 is the same query as $a8 in
        // apt_duqu2_loaders; $s2/$s3 are the borrowed product strings, which a
        // genuine Sysinternals binary would also contain.
        $s1 = "SELECT `Data` FROM `Binary` WHERE `Name`='%s%i'" wide fullword
        $s2 = "Sysinternals installer" wide fullword /* PEStudio Blacklist: strings */
        $s3 = "Process Explorer" wide fullword /* PEStudio Blacklist: strings */ /* Goodware String - occured 5 times */
    condition:
        // MZ header, under 100KB (102,400 bytes), the full $s* set plus at
        // least one $x* name.
        filesize < 100KB and uint16(0) == 0x5A4D and all of ($s*) and 1 of ($x*)
}
// Custom-action DLL posing as a Samsung printer-driver installer. The
// description carries the sample's SHA-256, the hash field its SHA-1.
rule APT_Kaspersky_Duqu2_SamsungPrint
{
    meta:
        description = "Kaspersky APT Report - Duqu2 Sample - file 2a9a5afc342cde12c6eb9a91ad29f7afdfd8f0fb17b983dcfddceccfbc17af69"
        author = "Florian Roth"
        reference = "https://goo.gl/7yKyOj"
        date = "2015-06-10"
        hash = "ce39f41eb4506805efca7993d3b0b506ab6776ca"
    strings:
        // Borrowed version-info strings; real Samsung installers contain these
        // too, so they are only the disguise, not the detection.
        $s0 = "Installer for printer drivers and applications" wide fullword /* PEStudio Blacklist: strings */
        $s5 = "Samsung Electronics Co., Ltd." wide fullword
        // Discriminators: the loader module name, the "HASHVAL" token and the
        // fully parameterised MSI query (same value as $a7 in
        // apt_duqu2_loaders). "ca.dll" is a generic custom-action DLL name.
        $s1 = "msi4_32.dll" wide fullword
        $s2 = "HASHVAL" wide fullword
        $s3 = "SELECT `%s` FROM `%s` WHERE `%s`='CAData%i'" wide fullword
        $s4 = "ca.dll" ascii fullword
    condition:
        // MZ header, under 82KB (83,968 bytes), every $s* string present.
        filesize < 82KB and uint16(0) == 0x5A4D and all of ($s*)
}
// The "msi3_32" custom-action DLL. Description carries the sample's SHA-256,
// the hash field its SHA-1.
rule APT_Kaspersky_Duqu2_msi3_32
{
    meta:
        description = "Kaspersky APT Report - Duqu2 Sample - file d8a849654ab97debaf28ae5b749c3b1ff1812ea49978713853333db48c3972c3"
        author = "Florian Roth"
        reference = "https://goo.gl/7yKyOj"
        date = "2015-06-10"
        hash = "53d9ef9e0267f10cc10f78331a9e491b3211046b"
    strings:
        // Queries against a `CustomUserAccounts` table, which is not part of
        // the standard MSI schema -- presumably the package's own table;
        // together with the exported "ProcessUserAccounts" this is the
        // strongest part of the rule.
        $s0 = "ProcessUserAccounts" ascii fullword /* PEStudio Blacklist: strings */
        $s1 = "SELECT `UserName`, `Password`, `Attributes` FROM `CustomUserAccounts`" wide fullword /* PEStudio Blacklist: strings */
        $s2 = "SELECT `UserName` FROM `CustomUserAccounts`" wide fullword /* PEStudio Blacklist: strings */
        // "CryptHash%i" payload query, same value as $a9 in apt_duqu2_loaders.
        $s3 = "SELECT `Data` FROM `Binary` WHERE `Name`='CryptHash%i'" wide fullword
        // Module name, export name and version-info strings of the DLL.
        $s4 = "msi3_32.dll" wide fullword
        $s5 = "RunDLL" ascii fullword
        $s6 = "MSI Custom Action v3" wide fullword
        $s7 = "msi3_32" wide fullword
        // Ubiquitous string; required, so it can only cause misses, never hits.
        $s8 = "Operating System" wide fullword /* PEStudio Blacklist: strings */ /* Goodware String - occured 9203 times */
    condition:
        // MZ header, under 72KB (73,728 bytes), every $s* string present.
        filesize < 72KB and uint16(0) == 0x5A4D and all of ($s*)
}