forked from mandiant/capa-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
encrypt-data-using-aes.yml
43 lines (43 loc) · 3.34 KB
/
encrypt-data-using-aes.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
# generated using capa explorer for IDA Pro
rule:
meta:
name: encrypt data using AES
namespace: data-manipulation/encryption/aes
authors:
- Ivan Kwiatkowski (@JusticeRage)
scopes:
static: function
dynamic: unsupported # requires bytes features
att&ck:
- Defense Evasion::Obfuscated Files or Information [T1027]
mbc:
- Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05]
- Cryptography::Encrypt Data::AES [C0027.001]
references:
- https://github.com/JusticeRage/Manalyze/blob/8e77642c911d5d82b5f43b198667ab8c77a88763/bin/yara_rules/findcrypt.yara#L351
- https://github.com/creaktive/tsh/blob/53b822b9a07d8cc65f1f31c915cf834a2944e833/aes.c
features:
- or:
- bytes: 63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76 = AES_SBOX_ENC
- bytes: 63 00 00 00 00 00 00 00 7c 00 00 00 00 00 00 00 77 00 00 00 00 00 00 00 7b 00 00 00 00 00 00 00 f2 00 00 00 00 00 00 00 6b 00 00 00 00 00 00 00 6f 00 00 00 00 00 00 00 c5 00 00 00 00 00 00 00 30 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 67 00 00 00 00 00 00 00 2b 00 00 00 00 00 00 00 fe 00 00 00 00 00 00 00 d7 00 00 00 00 00 00 00 ab 00 00 00 00 00 00 00 76 = AES_SBOX_ENC
- bytes: 52 09 6a d5 30 36 a5 38 bf 40 a3 9e 81 f3 d7 fb = AES_SBOX_DEC
- bytes: 52 00 00 00 00 00 00 00 09 00 00 00 00 00 00 00 6a 00 00 00 00 00 00 00 d5 00 00 00 00 00 00 00 30 00 00 00 00 00 00 00 36 00 00 00 00 00 00 00 a5 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 bf 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 a3 00 00 00 00 00 00 00 9e 00 00 00 00 00 00 00 81 00 00 00 00 00 00 00 f3 00 00 00 00 00 00 00 d7 00 00 00 00 00 00 00 fb = AES_SBOX_DEC
- bytes: a5 63 63 c6 84 7c 7c f8 99 77 77 ee 8d 7b 7b f6 = AES_T0_ENC
- bytes: a5 63 63 c6 00 00 00 00 84 7c 7c f8 00 00 00 00 99 77 77 ee 00 00 00 00 8d 7b 7b f6 = AES_T0_ENC
- bytes: 63 63 c6 a5 7c 7c f8 84 77 77 ee 99 7b 7b f6 8d = AES_T1_ENC
- bytes: 63 63 c6 a5 00 00 00 00 7c 7c f8 84 00 00 00 00 77 77 ee 99 00 00 00 00 7b 7b f6 8d = AES_T1_ENC
- bytes: 63 c6 a5 63 7c f8 84 7c 77 ee 99 77 7b f6 8d 7b = AES_T2_ENC
- bytes: 63 c6 a5 63 00 00 00 00 7c f8 84 7c 00 00 00 00 77 ee 99 77 00 00 00 00 7b f6 8d 7b = AES_T2_ENC
- bytes: c6 a5 63 63 f8 84 7c 7c ee 99 77 77 f6 8d 7b 7b = AES_T3_ENC
- bytes: c6 a5 63 63 00 00 00 00 f8 84 7c 7c 00 00 00 00 ee 99 77 77 00 00 00 00 f6 8d 7b 7b = AES_T3_ENC
- bytes: 63 63 63 63 7c 7c 7c 7c 77 77 77 77 7b 7b 7b 7b = AES_T4_ENC
- bytes: 50 a7 f4 51 53 65 41 7e c3 a4 17 1a 96 5e 27 3a = AES_T0_DEC
- bytes: 50 a7 f4 51 00 00 00 00 53 65 41 7e 00 00 00 00 c3 a4 17 1a 00 00 00 00 96 5e 27 3a = AES_T0_DEC
- bytes: a7 f4 51 50 65 41 7e 53 a4 17 1a c3 5e 27 3a 96 = AES_T1_DEC
- bytes: a7 f4 51 50 00 00 00 00 65 41 7e 53 00 00 00 00 a4 17 1a c3 00 00 00 00 5e 27 3a 96 = AES_T1_DEC
- bytes: f4 51 50 a7 41 7e 53 65 17 1a c3 a4 27 3a 96 5e = AES_T2_DEC
- bytes: f4 51 50 a7 00 00 00 00 41 7e 53 65 00 00 00 00 17 1a c3 a4 00 00 00 00 27 3a 96 5e = AES_T2_DEC
- bytes: 51 50 a7 f4 7e 53 65 41 1a c3 a4 17 3a 96 5e 27 = AES_T3_DEC
- bytes: 51 50 a7 f4 00 00 00 00 7e 53 65 41 00 00 00 00 1a c3 a4 17 00 00 00 00 3a 96 5e 27 = AES_T3_DEC
- bytes: 52 52 52 52 09 09 09 09 6a 6a 6a 6a d5 d5 d5 d5 = AES_T4_DEC