as
sa
as
sd
as
as
a
dsa
s
da
s
as
a
addas
wf
w
f
fwf
fq
qwf
f
wq
wfq
wqfw
q
qwf
qwf
"rule APT_HKTL_Wiper_WhisperGate_Jan22_1 {
meta:
date = ""2022-01-16""
score = 85
hash1 = ""a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92""
strings:
/* AAAAA\x00Your hard drive has been corrupted. */
$xc1 = { 41 41 41 41 41 00 59 6F 75 72 20 68 61 72 64 20
64 72 69 76 65 20 68 61 73 20 62 65 65 6E 20 63
6F 72 72 75 70 74 65 64 }
$op1 = { 89 34 24 e8 3f ff ff ff 50 8d 65 f4 31 c0 59 5e 5f }
$op2 = { 8d bd e8 df ff ff e8 04 de ff ff b9 00 08 00 00 f3 a5 c7 44 24 18 00 00 00 00 c7 44 24 14 00 00 00 00 c7 44 24 10 03 00 00 00 c7 44 24 0c 00 00 00 00 }
$op3 = { c7 44 24 0c 00 00 00 00 c7 44 24 08 00 02 00 00 89 44 24 04 e8 aa fe ff ff 83 ec 14 89 34 24 e8 3f ff ff ff 50 }
condition:
uint16(0) == 0x5a4d and
filesize < 100KB and ( 1 of ($x*) or 2 of them ) or all of them
}ccczcss
cs
sc
scsscs
c
ssc
s
s
c
c
sc
sc
rule APT_HKTL_Wiper_WhisperGate_Jan22_2 {
// Detects the WhisperGate component referenced by meta.hash1, apparently a
// download/loader stage: an encoded PowerShell invocation ($sc1, $s2), an
// obfuscated DownloadData-style name ($s1), a Discord CDN attachment URL prefix
// ($s3) and code fragments $op1-$op4.
// The $op patterns look like .NET CIL rather than native code (0x20 = ldc.i4
// followed by a 4-byte immediate recurs in each) - confirm against the sample.
meta:
date = ""2022-01-16""
score = 90
hash1 = ""dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78""
strings:
/* powershell -enc UwB0AGEAcgB0AC */
// UTF-16LE. Note the 00 27 code unit (U+2700) between powershell and -enc in
// place of a space; the pattern therefore does not match a plain-space variant.
$sc1 = { 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00
6C 00 6C 00 00 27 2D 00 65 00 6E 00 63 00 20 00
55 00 77 00 42 00 30 00 41 00 47 00 45 00 41 00
63 00 67 00 42 00 30 00 41 00 43 }
/* Ylfwdwgmpilzyaph */
// UTF-16LE; opaque token, meaning not established here.
$sc2 = { 59 00 6C 00 66 00 77 00 64 00 77 00 67 00 6D 00
70 00 69 00 6C 00 7A 00 79 00 61 00 70 00 68 }
// Reads as ownloadData once the filler x characters are dropped - presumably a
// split/obfuscated DownloadData reference.
$s1 = ""xownxloxadDxatxxax"" wide
$s2 = ""0AUwBsAGUAZQBwACAALQBzACAAMQAwAA=="" wide /* Decoded with base64, UTF-16-LE: Sleep -s 10 */
$s3 = ""https://cdn.discordapp.com/attachments/"" wide
$s4 = ""fffxfff.fff"" ascii fullword
$op1 = { 20 6b 85 b9 03 20 14 19 91 52 61 65 20 e1 ae f1 }
$op2 = { aa ae 74 20 d9 7c 71 04 59 20 71 cc 13 91 61 20 97 3c 2a c0 }
$op3 = { 38 9c f3 ff ff 20 f2 96 4d e9 20 5d ae d9 ce 58 20 4f 45 27 }
$op4 = { d4 67 d4 61 80 1c 00 00 04 38 35 02 00 00 20 27 c0 db 56 65 20 3d eb 24 de 61 }
condition:
// and binds tighter than or: (MZ header and < 1000KB and 5 of them) or, with
// no header/size gate, 7 of them.
uint16(0) == 0x5a4d and
filesize < 1000KB and 5 of them
or 7 of them
}
rule APT_HKTL_Wiper_WhisperGate_Stage3_Jan22 {
// Every indicator in this rule is byte-reversed: the condition requires the file
// to END with the bytes 5A 4D (MZ read backwards; uint16 is little-endian, so
// 0x4d5a = 5A 4D), $xc1 decodes to e1cp\0 1yrarbiLssalC\0 niaM (that is
// Main\0 ClassLibrary1\0 pc1e reversed) and $s1 is .dll reversed. Presumably the
// stage-3 payload is stored reversed on disk; the component that flips it back is
// not covered here. Note meta.hash1 is also used by MAL_OBFUSC_Unknown_Jan22_1
// below, which expects the same indicators in forward order - confirm which
// sample each refers to.
meta:
date = ""2022-01-16""
hash1 = ""9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d""
strings:
$xc1 = { 65 31 63 70 00 31 79 72 61 72 62 69 4c 73 73 61 6c 43 00 6e 69 61 4d }
$s1 = ""lld."" wide
condition:
// Trailing-bytes check plus size cap; both indicators must be present.
uint16(filesize-2) == 0x4d5a and
filesize < 5000KB and all of them
}
rule MAL_OBFUSC_Unknown_Jan22_1 {
// Forward-order counterpart of the indicators in
// APT_HKTL_Wiper_WhisperGate_Stage3_Jan22: $xc2 is Main\0 ClassLibrary1\0 pc1e
// (module/class names of a .NET assembly, presumably) and $s1 is .dll.
// meta.hash1 is the same value that rule carries although that rule expects the
// bytes reversed - one of the two likely refers to the de-reversed image; confirm.
meta:
date = ""2022-01-16""
hash1 = ""9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d""
strings:
// UTF-16LE; decodes to the 32 hex characters 7c8cb5598e724d34384cce7402b11f0e
// (GUID/hash-style identifier; meaning not established here).
$xc1 = { 37 00 63 00 38 00 63 00 62 00 35 00 35 00 39 00
38 00 65 00 37 00 32 00 34 00 64 00 33 00 34 00
33 00 38 00 34 00 63 00 63 00 65 00 37 00 34 00
30 00 32 00 62 00 31 00 31 00 66 00 30 00 65 }
// ASCII: Main\0 ClassLibrary1\0 pc1e
$xc2 = { 4D 61 69 6E 00 43 6C 61 73 73 4C 69 62 72 61 72
79 31 00 70 63 31 65 }
$s1 = "".dll"" wide
$s2 = ""%&%,%s%"" ascii fullword
// $op1-$op3: opaque byte sequences from the sample; treated as build-specific.
$op1 = { a2 87 fa b1 44 a5 f5 12 da a7 49 11 5c 8c 26 d4 75 }
$op2 = { d7 af 52 38 c7 47 95 c8 0e 88 f3 d5 0b }
$op3 = { 6c 05 df d6 b8 ac 11 f2 67 16 cb b7 34 4d b6 91 }
condition:
// MZ header (bytes 4D 5A, little-endian read) and size cap, then either one of
// the high-confidence $x* strings or any three strings.
uint16(0) == 0x5a4d and
filesize < 1000KB and ( 1 of ($x*) or 3 of them )
}
rule MAL_Unknown_Discord_Characteristics_Jan22_1 {
// Lower-confidence (score 75) companion rule: matches any PE under 1000KB that
// carries both the obfuscated ownloadData token and the Discord CDN attachment
// URL prefix. $x1 is the same string as $s1 in APT_HKTL_Wiper_WhisperGate_Jan22_2;
// the $x prefix has no effect here because the condition uses all of them.
meta:
description = ""Detects unknown malware with a few indicators also found in Wiper malware""
date = ""2022-01-16""
score = 75
hash1 = ""dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78""
strings:
// Reads as ownloadData once the filler x characters are dropped - presumably a
// split/obfuscated DownloadData reference.
$x1 = ""xownxloxadDxatxxax"" wide
$s2 = ""https://cdn.discordapp.com/attachments/"" wide
condition:
// MZ header (bytes 4D 5A, little-endian read), size cap, both strings required.
uint16(0) == 0x5a4d and
filesize < 1000KB and all of them
}"
fdlndjkfne
efjkbjwebwk
jebwjkebkwe
ebkwebkw
s
s
fa
sa
s