/*
Yara Rule Set
Author: Florian Roth
Date: 2015-08-08
Identifier: Cheshire Cat
Version: 0.1
*/
/* Rule Set ----------------------------------------------------------------- */
rule CheshireCat_Sample2 {
    meta:
        description = "Auto-generated rule - file dc18850d065ff6a8364421a9c8f9dd5fcce6c7567f4881466cee00e5cd0c7aa8"
        author = "Florian Roth"
        reference = "https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/"
        date = "2015-08-08"
        hash = "dc18850d065ff6a8364421a9c8f9dd5fcce6c7567f4881466cee00e5cd0c7aa8"
    strings:
        // DLL file name string present in the sample
        $s0 = "mpgvwr32.dll" fullword ascii
        // Error / usage format strings (wait failure, command line template,
        // parameter complaint, parameter echo)
        $s1 = "Unexpected failure of wait! (%d)" fullword ascii
        $s2 = "\"%s\" /e%d /p%s" fullword ascii
        $s4 = "error in params!" fullword ascii
        // NOTE(review): "sscanf" is a plain C-runtime import name found in many
        // benign PE files; on its own it adds little and mainly helps reach the
        // 4-of-6 threshold below.
        $s5 = "sscanf" fullword ascii
        $s6 = "<>Param : 0x%x" fullword ascii
    condition:
        // MZ header, small file, and at least four of the six strings above.
        // "them" is every string defined in this rule, so this is the same
        // set as ($s*).
        uint16(0) == 0x5a4d
        and filesize < 100KB
        and 4 of them
}
/* Generic Rules ----------------------------------------------------------- */
/* Gen1 is stricter than Gen2 - it additionally requires one of the sample-specific $x* strings. So far I have had no false positives with Gen2 either. */
rule CheshireCat_Gen1 {
    meta:
        description = "Auto-generated rule - file ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300"
        author = "Florian Roth"
        reference = "https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/"
        date = "2015-08-08"
        hash1 = "ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300"
        hash2 = "32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a"
        hash3 = "63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb"
        hash4 = "c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532"
    strings:
        // $x: sample-specific artefacts - four DLL names (wide) and two
        // "Local\{GUID}" object names. These are what distinguish Gen1 from Gen2.
        // NOTE(review): the two Local\{GUID} names look like named kernel
        // objects (mutex/event) and may be usable as host IOCs - confirm.
        $x1 = "CAPESPN.DLL" fullword wide
        $x2 = "WINF.DLL" fullword wide
        $x3 = "NCFG.DLL" fullword wide
        $x4 = "msgrthlp.dll" fullword wide
        $x5 = "Local\\{c0d9770c-9841-430d-b6e3-575dac8a8ebf}" fullword ascii
        $x6 = "Local\\{1ef9f94a-5664-48a6-b6e8-c3748db459b4}" fullword ascii
        // $a: registry path format strings below Interface\ and CLSID\
        $a1 = "Interface\\%s\\info" fullword ascii
        $a2 = "Interface\\%s\\info\\%s" fullword ascii
        $a3 = "CLSID\\%s\\info\\%s" fullword ascii
        $a4 = "CLSID\\%s\\info" fullword ascii
        // $b: icon-handler description strings (wide)
        $b1 = "Windows Shell Icon Handler" fullword wide
        $b2 = "Microsoft Shell Icon Handler" fullword wide
        // $s: strings common to all listed samples - version-info path, CLSID
        // and lnkfile icon-handler registration paths, a date format, a mutex
        // name template, the shell icon cache path and a version fragment.
        $s1 = "\\StringFileInfo\\%s\\FileVersion" fullword ascii
        $s2 = "CLSID\\%s\\AuxCLSID" fullword ascii
        $s3 = "lnkfile\\shellex\\IconHandler" fullword ascii
        $s4 = "%s: %s, %.2hu %s %hu %2.2hu:%2.2hu:%2.2hu GMT" fullword ascii
        $s5 = "%sMutex" fullword ascii
        $s6 = "\\ShellIconCache" fullword ascii
        $s7 = "+6Service Pack " fullword ascii
    condition:
        // MZ header and size bound, then every $s string (exactly seven are
        // defined, so "all of" equals "7 of"), two $a, at least one $b and at
        // least one of the sample-specific $x strings.
        // NOTE(review): the 350KB bound here is looser than Gen2's 200KB, so a
        // file between 200KB and 350KB can match Gen1 but not Gen2 although
        // Gen1 is the stricter rule by strings - confirm which bound is intended.
        uint16(0) == 0x5a4d
        and filesize < 350KB
        and all of ($s*)
        and 2 of ($a*)
        and any of ($b*)
        and any of ($x*)
}
rule CheshireCat_Gen2 {
    meta:
        description = "Auto-generated rule - from files 32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a, 63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb"
        author = "Florian Roth"
        reference = "https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/"
        date = "2015-08-08"
        super_rule = 1
        // NOTE(review): the description names the two files the super rule was
        // generated from (hash2 and hash3); hash1 and hash4 are listed as well,
        // presumably as further samples that were confirmed to match - verify.
        hash1 = "ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300"
        hash2 = "32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a"
        hash3 = "63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb"
        hash4 = "c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532"
    strings:
        // $a: registry path format strings below Interface\ and CLSID\
        $a1 = "Interface\\%s\\info" fullword ascii
        $a2 = "Interface\\%s\\info\\%s" fullword ascii
        $a3 = "CLSID\\%s\\info\\%s" fullword ascii
        $a4 = "CLSID\\%s\\info" fullword ascii
        // $b: icon-handler description strings (wide)
        $b1 = "Windows Shell Icon Handler" fullword wide
        $b2 = "Microsoft Shell Icon Handler" fullword wide
        // $s: strings common to the samples - version-info path, CLSID and
        // lnkfile icon-handler registration paths, a date format, a mutex name
        // template, the shell icon cache path and a version fragment.
        // Unlike Gen1 this rule has no sample-specific $x group.
        $s1 = "\\StringFileInfo\\%s\\FileVersion" fullword ascii
        $s2 = "CLSID\\%s\\AuxCLSID" fullword ascii
        $s3 = "lnkfile\\shellex\\IconHandler" fullword ascii
        $s4 = "%s: %s, %.2hu %s %hu %2.2hu:%2.2hu:%2.2hu GMT" fullword ascii
        $s5 = "%sMutex" fullword ascii
        $s6 = "\\ShellIconCache" fullword ascii
        $s7 = "+6Service Pack " fullword ascii
    condition:
        // MZ header and size bound, then every $s string (exactly seven are
        // defined, so "all of" equals "7 of"), two $a and at least one $b.
        uint16(0) == 0x5a4d
        and filesize < 200KB
        and all of ($s*)
        and 2 of ($a*)
        and any of ($b*)
}