forked from chainguard-dev/malcontent
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Integrate bartblaze YARA rules (chainguard-dev#255)
* Integrate bartblaze YARA rules * make critical generics 'high' * address review comments and lint --------- Co-authored-by: Evan Gibler <[email protected]>
- Loading branch information
1 parent
ff19192
commit 5bc6a23
Showing
94 changed files
with
3,911 additions
and
28 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
rule Confucius_B | ||
{ | ||
meta: | ||
id = "3AaavteplEPTLc29oIVtzm" | ||
fingerprint = "f7a7224bfdbb79208776c856eb05a59ed75112376d0d3b28776305efc94c0414" | ||
version = "1.0" | ||
creation_date = "2020-04-01" | ||
first_imported = "2021-12-30" | ||
last_modified = "2021-12-30" | ||
status = "RELEASED" | ||
sharing = "TLP:WHITE" | ||
source = "BARTBLAZE" | ||
author = "@bartblaze" | ||
description = "Identifies Confucius malware." | ||
category = "MALWARE" | ||
malware = "CONFUCIUS" | ||
malware_type = "BACKDOOR" | ||
reference = "https://unit42.paloaltonetworks.com/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/" | ||
|
||
|
||
strings: | ||
$ = "----BONE-79A8DE0E314C50503FF2378aEB126363-" ascii wide | ||
$ = "----MUETA-%.08x%.04x%.04x%.02x%.02x%.02x%.02x%.02x%.02x%.02x%.02x-" ascii wide | ||
$ = "C:\\Users\\DMITRY-PC\\Documents\\JKE-Agent-Win32\\JKE_Agent_DataCollectorPlugin\\output\\Debug\\JKE_Agent_DumbTestPlugin.dll" ascii wide | ||
condition: | ||
any of them | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
import "pe" | ||
|
||
rule Cotx_RAT | ||
{ | ||
meta: | ||
id = "44kYl6i8SEYFPSxi2Q3Lz3" | ||
fingerprint = "47f671933c49fabc22117ef5e877efb33ba7fc0c437f6be3750ecca7cd27816a" | ||
version = "1.0" | ||
creation_date = "2019-07-01" | ||
first_imported = "2021-12-30" | ||
last_modified = "2021-12-30" | ||
status = "RELEASED" | ||
sharing = "TLP:WHITE" | ||
source = "BARTBLAZE" | ||
author = "@bartblaze" | ||
description = "Identifies Cotx RAT." | ||
category = "MALWARE" | ||
malware = "COTX" | ||
malware_type = "RAT" | ||
reference = "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology" | ||
|
||
strings: | ||
$ = "%4d-%02d-%02d %02d:%02d:%02d" ascii wide | ||
$ = "%hs|%hs|%hs|%hs|%hs|%hs|%hs" ascii wide | ||
$ = "%hs|%s|%hs|%s|%s|%s|%s|%s|%s|%s|%hs" ascii wide | ||
$ = "%s;%s;%s;%.2f GB;%.2f GB|" ascii wide | ||
$ = "Cmd shell is not running,or your cmd is error!" ascii wide | ||
$ = "Domain: [%s]" ascii wide | ||
$ = "Error:Cmd file not exists!" ascii wide | ||
$ = "Error:Create read pipe error!" ascii wide | ||
$ = "Error:No user is logoned!" ascii wide | ||
$ = "Error:You have in a shell,please exit first!" ascii wide | ||
$ = "Error:You have in a shell,please exit it first!" ascii wide | ||
$ = "Error:cmd.exe not exist!" ascii wide | ||
$ = "LogonUser: [%s]" ascii wide | ||
$ = "WriteFile session error!" ascii wide | ||
$ = "You have no permission to write on" ascii wide | ||
$ = "cannot delete directory:" ascii wide | ||
$ = "cannot delete file:" ascii wide | ||
$ = "cannot upload file to %s" ascii wide | ||
$ = "copy failed:" ascii wide | ||
$ = "exec failed:" ascii wide | ||
$ = "exec ok:" ascii wide | ||
$ = "explorer.exe" ascii wide | ||
$ = "file list error:open path [%s] error." ascii wide | ||
$ = "is already exist!" ascii wide | ||
$ = "is not exist!" ascii wide | ||
$ = "not exe:" ascii wide | ||
$ = "open file error:" ascii wide | ||
$ = "read file error:" ascii wide | ||
$ = "set config items error." ascii wide | ||
$ = "set config ok." ascii wide | ||
condition: | ||
15 of them or ( for any i in (0..pe.number_of_sections-1) : (pe.sections[i].name==".cotx")) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
rule RokRAT | ||
{ | ||
meta: | ||
id = "67CbAcgxp3LrNC8G138xsq" | ||
fingerprint = "9a421d0257276c98d57abdaeb1e31e98956ec8ecf97d48827b35b527d174f35e" | ||
version = "1.0" | ||
modified = "2024-03-08" | ||
status = "RELEASED" | ||
sharing = "TLP:WHITE" | ||
source = "BARTBLAZE" | ||
author = "@bartblaze" | ||
description = "Identifies RokRAT." | ||
category = "MALWARE" | ||
malware_type = "RAT" | ||
reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat" | ||
|
||
strings: | ||
$new_pe = {0f b6 03 8d 4b 05 03 c8 89 4? ?? 8b 44 18 01 89 4? ?? 8d ?? 98 f4 ff ff 50 68 ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 8d ?? 98 f4 ff ff 4f 8a | ||
4? ?? 47 84 c0 75 ?? 8b 5? ?? be ?? ?? ?? ?? 33 c0 8b c8 a5 a5 a5 a5 a4 8b 7? ?? 85 d2 74 ?? 8a 26 8a 04 31 32 c4 34 ?? 88 04 31 41 3b ca} | ||
$str_1 = "%s%04X%04X.tmp" ascii wide | ||
$str_2 = "360Tray.exe" ascii wide | ||
$str_3 = "dir /A /S %s >> \"%%temp%%/%c_.TMP\"" ascii wide | ||
$str_4 = "KB400928_doc.exe" ascii wide | ||
$str_5 = "\\%d.dat" ascii wide | ||
$str_6 = "%spid:%d,name:%s,path:%s%s" ascii wide | ||
$str_7 = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" ascii wide | ||
$comms_1 = "127.0.0.1" ascii wide | ||
$comms_2 = "api.pcloud.com" ascii wide | ||
$comms_3 = "my.pcloud.com" ascii wide | ||
$comms_4 = "cloud-api.yandex.net" ascii wide | ||
$comms_5 = "api.dropboxapi.com" ascii wide | ||
$comms_6 = "content.dropboxapi.com" ascii wide | ||
$comms_7 = "Content-Type: voice/mp3" ascii wide | ||
condition: | ||
$new_pe or | ||
4 of ($str_*) or | ||
(6 of ($comms_*) and 2 of ($str_*)) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
rule RoyalRoad_RTF | ||
{ | ||
meta: | ||
id = "p1XW7z3B1sdN89zXF7Nel" | ||
fingerprint = "52be45a991322fa96f4e806cf6fa7a77886f63799c1f67723484bc3796363a4e" | ||
version = "1.0" | ||
creation_date = "2020-01-01" | ||
first_imported = "2021-12-30" | ||
last_modified = "2021-12-30" | ||
status = "RELEASED" | ||
sharing = "TLP:WHITE" | ||
source = "BARTBLAZE" | ||
author = "@bartblaze" | ||
description = "Identifies RoyalRoad RTF, used by multiple Chinese APT groups." | ||
category = "MALWARE" | ||
malware = "ROYALROAD" | ||
malware_type = "EXPLOITKIT" | ||
reference = "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html" | ||
|
||
|
||
strings: | ||
$rtf = "{\\rt" | ||
$RR1 = "5C746D705C382E74" ascii wide nocase | ||
$RR2 = "5C417070446174615C4C6F63616C5C54656D705C382E74" ascii wide nocase | ||
condition: | ||
$rtf at 0 and any of ($RR*) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
MIT License | ||
|
||
Copyright (c) 2020 Bart | ||
|
||
Permission is hereby granted, free of charge, to any person obtaining a copy | ||
of this software and associated documentation files (the "Software"), to deal | ||
in the Software without restriction, including without limitation the rights | ||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
copies of the Software, and to permit persons to whom the Software is | ||
furnished to do so, subject to the following conditions: | ||
|
||
The above copyright notice and this permission notice shall be included in all | ||
copies or substantial portions of the Software. | ||
|
||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | ||
SOFTWARE. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
# About | ||
## What is this? | ||
A repo containing some of my privately developed Yara rules. | ||
|
||
## Why? | ||
To contribute to the community. | ||
|
||
## Can I use these rules? | ||
Of course! That's why I created this repo. | ||
|
||
You can use them in your detection systems. For example, [CAPE sandbox](https://github.com/kevoreilly/CAPEv2), [MalwareBazaar](https://bazaar.abuse.ch/), [UnPac.me](https://www.unpac.me/) and [VirusTotal](https://www.virustotal.com/) (must be logged in, signup is free) and others are using these rules. Furthermore, the rules can work natively with [AssemblyLine](https://www.cyber.gc.ca/en/tools-services/assemblyline) due to the CCCS Yara rule standard adoption. | ||
|
||
All rules are TLP:White, so you can use and distribute them freely. Please retain the meta. | ||
|
||
## Help! A generic rule is hitting my software! | ||
If one of the rules in the [generic](https://github.com/bartblaze/Yara-rules/tree/master/rules/generic) rules section hits on your software: this is not a false positive. It is simply an objective fact that, for example, your software has been compiled or wrapped using AutoIT. It equally does **not** mean your software is malicious. | ||
|
||
Note the meta also mentions _category = "**INFO**"_, in which case it is a purely generic or informational rule. | ||
|
||
## Actions | ||
There's two workflows running on this Github repository: | ||
|
||
* [YARA-CI](https://yara-ci.cloud.virustotal.com/): runs automatically to detect signature errors, as well as false positives and negatives. | ||
* [Package Yara rules](https://github.com/bartblaze/Yara-rules/blob/master/.github/workflows/yara.yml): allows download of a complete rules file (all Yara rules from this repo in one file) for convenience from the Actions tab > Choose the last workflow run > Artifacts (see image below). | ||
|
||
![image](https://user-images.githubusercontent.com/3075118/113322817-731feb00-9315-11eb-86ab-94f133f07038.png) | ||
|
||
[![Package Yara Rules](https://github.com/bartblaze/Yara-rules/actions/workflows/yara.yml/badge.svg)](https://github.com/bartblaze/Yara-rules/actions/workflows/yara.yml) | ||
|
||
## Minimum Yara version needed? | ||
v3.3.0 is minimally needed, as some rules may require a specific module. Note that it's recommended to always use the latest Yara version as found [here](https://github.com/VirusTotal/yara/releases). | ||
|
||
## Do the rules work with Yara-X? | ||
[Yara-X](https://github.com/VirusTotal/yara-x), a rewrite of Yara in Rust, should have no difficulty running the rules in this repo. At time of writing, Yara-X v0.4.0 works fine with the rules presented here. | ||
|
||
## Feedback? | ||
If you spot an issue or improvement with one of the rules, feel free to submit a PR or open an Issue. | ||
|
||
# Extra | ||
|
||
## What is Yara? | ||
From the official Github repo, https://github.com/VirusTotal/yara: | ||
> YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. | ||
More information: https://yara.readthedocs.io/en/stable/index.html | ||
|
||
## What is TLP? | ||
> The Traffic Light Protocol (TLP) was created in order to facilitate greater sharing of information. | ||
The rules in this repo are TLP:White. | ||
> Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. | ||
More information: https://www.us-cert.gov/tlp | ||
|
||
## Where can I find other open-source Yara rules? | ||
InQuest has made a Github repo which contains a curated list of Yara rules: https://github.com/InQuest/awesome-yara. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
/tmp/tmp.dxdSSSmhxM ~/src/bincapz/third_party/yara | ||
dd8cfd8c456159c7201f5d4209fe007dfff1636e | ||
~/src/bincapz/third_party/yara |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
rule Andromeda | ||
{ | ||
meta: | ||
id = "66EiRJfwdRpNnHru6KDjKX" | ||
fingerprint = "45a5315e4ffe5156ce4a7dc8e2d6e27d6152cd1d5ce327bfa576bf0c4a4767d8" | ||
version = "1.0" | ||
creation_date = "2021-03-01" | ||
first_imported = "2022-01-24" | ||
last_modified = "2022-01-24" | ||
status = "RELEASED" | ||
sharing = "TLP:WHITE" | ||
source = "BARTBLAZE" | ||
author = "@bartblaze" | ||
description = "Identifies Andromeda aka Gamarue botnet." | ||
category = "MALWARE" | ||
malware = "ANDROMEDA" | ||
malware_type = "WORM" | ||
|
||
|
||
|
||
strings: | ||
//IndexerVolumeGuid | ||
$ = { 8d ?? dc fd ff ff 50 8d ?? d8 fd ff ff 50 e8 ?? ?? ?? ?? 8a 00 53 68 ?? ?? ?? ?? 56 | ||
ff b? ?? ?? ?? ?? a2 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 18 53 ff 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 | ||
53 ff 15 ?? ?? ?? ?? ff b? ?? ?? ?? ?? ff 15 ?? ?? ?? ?? ff 15 ?? ?? ?? ?? a3 ?? ?? ?? ?? 83 f8 | ||
ff 74 ?? 6a 01 50 ff 15 ?? ?? ?? ?? } | ||
$ = { 83 c4 10 ff b? ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? ff b? ?? ?? ?? ?? ff b? | ||
?? ?? ?? ?? ff 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? } | ||
/* | ||
MOV DL ,byte ptr SS :[EAX + EBP *0x1 + 0xffffff00 ] | ||
MOV DH ,byte ptr SS :[EBX + EBP *0x1 + 0xffffff00 ] | ||
MOV byte ptr SS :[EAX + EBP *0x1 + 0xffffff00 ],DH | ||
MOV byte ptr SS :[EBX + EBP *0x1 + 0xffffff00 ],DL | ||
*/ | ||
$ = { 36 8a 94 28 00 ff ff ff 02 da 36 8a b4 2b 00 ff ff ff 36 88 b4 28 00 ff ff ff 36 88 94 2b 00 ff ff ff } | ||
condition: | ||
any of them | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
rule ArechClient | ||
{ | ||
meta: | ||
id = "1POsZzKWdklwDRUysnEJ9J" | ||
fingerprint = "949f1c6596fffe0aca581e61bcc522e70775ad16c651875539c32d6de6801729" | ||
version = "1.0" | ||
creation_date = "2021-07-01" | ||
first_imported = "2021-12-30" | ||
last_modified = "2021-12-30" | ||
status = "RELEASED" | ||
sharing = "TLP:WHITE" | ||
source = "BARTBLAZE" | ||
author = "@bartblaze" | ||
description = "Identifies ArechClient, infostealer." | ||
category = "MALWARE" | ||
malware = "ARECHCLIENT" | ||
malware_type = "INFOSTEALER" | ||
|
||
|
||
strings: | ||
$ = "is_secure" ascii wide | ||
$ = "encrypted_value" ascii wide | ||
$ = "host_keyexpires_utc" ascii wide | ||
condition: | ||
all of them | ||
} |
25 changes: 25 additions & 0 deletions
25
third_party/yara/bartblaze/crimeware/ArechClient_Campaign_July2021.yar
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
import "dotnet" | ||
|
||
rule ArechClient_Campaign_July2021 | ||
{ | ||
meta: | ||
id = "16N9HHtspErd7pE2A261Mh" | ||
fingerprint = "971fcef8b604c185c14af001633a3f83297d183f47620a9c4fc014815b26a28f" | ||
version = "1.0" | ||
creation_date = "2021-07-01" | ||
first_imported = "2021-12-30" | ||
last_modified = "2021-12-30" | ||
status = "RELEASED" | ||
sharing = "TLP:WHITE" | ||
source = "BARTBLAZE" | ||
author = "@bartblaze" | ||
description = "Identifies ArechClient stealer's July 2021 campaign." | ||
category = "MALWARE" | ||
malware = "ARECHCLIENT" | ||
malware_type = "INFOSTEALER" | ||
reference = "https://twitter.com/bcrypt/status/1420471176137113601" | ||
|
||
|
||
condition: | ||
dotnet.guids[0]=="10867a7d-8f80-4d52-8c58-47f5626e7d52" or dotnet.guids[0]=="7596afea-18b9-41f9-91dd-bee131501b08" | ||
} |
Oops, something went wrong.