{
  "Event": {
    "analysis": "1",
    "date": "2024-01-01",
    "extends_uuid": "",
    "info": "[Threat Intel] APT44: Unearthing Sandworm",
    "protected": false,
    "publish_timestamp": "1772407444",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1772407441",
    "uuid": "6b78d9dc-0fb8-423f-9745-804e0f8759d1",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Mandiant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"Sandworm\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-groups=\"Sandworm\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"BlackEnergy\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"CaddyWiper\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"EternalPetya\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"HermeticWiper\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"INDUSTROYER2\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Industroyer\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Olympic Destroyer\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"PartyTicket\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"RoarBAT\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"VPNFilter\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#10003d",
        "local": false,
        "name": "rectifyq:sub-category=\"TA-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#1c006d",
        "local": false,
        "name": "rectifyq:topic=\"geopolitical\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#f63636",
        "local": false,
        "name": "ICS-specific",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772346516",
        "to_ids": false,
        "type": "link",
        "uuid": "aab96ad6-e544-4fe8-b851-ab3f76323647",
        "value": "https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772346579",
        "to_ids": false,
        "type": "link",
        "uuid": "4faec5b6-bc2e-43c5-970b-f8da402e5964",
        "value": "https://www.virustotal.com/gui/collection/0bd93a520cae1fd917441e6e54ff263c88069ac5a7f8b9e55ef99cd961b6a1c7/"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772346783",
        "uuid": "13baf034-2d4e-42f4-8e78-6dec58714428",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772346783",
            "to_ids": false,
            "type": "text",
            "uuid": "d3c57583-42ce-4ce8-bee0-3e1df97ce8b9",
            "value": "M_APT_Downloader_BACKORDER_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772346783",
            "to_ids": false,
            "type": "comment",
            "uuid": "0383d25f-905e-420c-8bd6-3058ef0b9a8a",
            "value": "This rule is designed to detect on events related to BACKORDER. BACKORDER is a downloader written in GoLang which downloads and executes a second-stage payload from a remote server. BACKORDER is usually delivered within trojanized installer files and is hard-coded to execute the original setup executable."
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772346783",
            "to_ids": true,
            "type": "yara",
            "uuid": "d7f28089-faee-4489-b254-25b57a85b45b",
            "value": "rule M_APT_Downloader_BACKORDER_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"This rule is designed to detect on events related to BACKORDER. BACKORDER is a downloader written in GoLang which\r\ndownload and executes a second stage payload from a remote server. BACKORDER is usually delivered within trojanized installer files and is hard\r\ncoded to execute the original setup executable.\"\r\nstrings:\r\n $go = \"Go build ID:\" ascii wide\r\n $a1 = \"main.proc1esar\"\r\n $a2 = \"main.obt_zip\"\r\n $a3 = \"main.un1_zip\"\r\n $a4 = \"main.primer1_paso\"\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 10MB and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772346807",
        "uuid": "cf1b4961-c55f-442c-a560-ed856b7fe965",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772346807",
            "to_ids": false,
            "type": "text",
            "uuid": "d4746a43-36cb-452d-ab3b-a46905018aba",
            "value": "M_APT_Downloader_BACKORDER_2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772346807",
            "to_ids": false,
            "type": "comment",
            "uuid": "e4ea4be6-7132-4536-b60b-40297ca52b6a",
            "value": "Detects strings and sleep timer in the BACKORDER downloader"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772346807",
            "to_ids": true,
            "type": "yara",
            "uuid": "83fba88d-2dcc-4158-9920-97b4ff90d97f",
            "value": "rule M_APT_Downloader_BACKORDER_2\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Detects strings and sleep timer in the BACKORDER downloader\"\r\n strings:\r\n $ = \"data/setup.exe\"\r\n $ = \"http://\"\r\n $ = {c7 04 ?? 00 CA 9A 3B C7 44 ?? 04 00 00 00 00 e8} // Sleep timer\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 10MB and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772346824",
        "uuid": "ccd2f473-1a11-4d30-9809-b0c918962cf3",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772346824",
            "to_ids": false,
            "type": "text",
            "uuid": "6a985f1e-c2dd-4c7b-a934-858e08e256f8",
            "value": "M_APT_Disrupt_NIKOWIPER_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772346824",
            "to_ids": false,
            "type": "comment",
            "uuid": "410fe775-c47e-454e-ad93-1611c10e43cb",
            "value": "Detects code in NIKOWIPER"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772346824",
            "to_ids": true,
            "type": "yara",
            "uuid": "d7499e1f-d025-4ad8-9330-e3b685d6ffe9",
            "value": "rule M_APT_Disrupt_NIKOWIPER_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Detects code in NIKOWIPER\"\r\n strings:\r\n $ = \"SDelete\"\r\n $ = \"-accepteula -r -s -q \" wide\r\n $ = {68 ?? ?? 02 00 68 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 2MB and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772346845",
        "uuid": "6b496e16-583e-4dde-85f5-9cd690d20add",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772346845",
            "to_ids": false,
            "type": "text",
            "uuid": "9f3d1f48-4936-4ab0-8589-d98b0d56d4cc",
            "value": "M_APT_Disrupt_NIKOWIPER_2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772346845",
            "to_ids": false,
            "type": "comment",
            "uuid": "778a6cbe-a211-47ee-af27-a03a320ab0a4",
            "value": "NikoWiper unique strings"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772346845",
            "to_ids": true,
            "type": "yara",
            "uuid": "eb1ebfa4-1a28-4c37-a0e6-d742f4ecb650",
            "value": "rule M_APT_Disrupt_NIKOWIPER_2\r\n{\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndescription = \"NikoWiper unique strings\"\r\nstrings:\r\n$sdelete = \"SDelete is set for %d pass\" ascii wide\r\n $dlihost = {77 00 73 00 [3] 5C 00 53 00 [3] 79 00 73 00 [3] 74 00 65 00 [3] 6D 00 33 00 [3] 32 00 5C 00 [3] 63 00 6D 00 [3] 64\r\n00 2E 00 [3] 65 00 78 00 [3] 65 00 00 00 [3] 43 00 3A 00 [3] 5C 00 57 00 [3] 69 00 6E 00 [3] 64 00 6F 00 [3] 77 00 73 00 [3] 5C 00 64 00 [3] 6C\r\n00 49 00 [3] 68 00 6F 00 [3] 73 00 74 00 [3] 2E 00 65 00 [3] 78 00 65 00}\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize < 2MB and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772346866",
        "uuid": "b8385f88-67d0-4d41-ac24-271d7784c5d3",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772346866",
            "to_ids": false,
            "type": "text",
            "uuid": "02bbcbaf-84bb-4c35-a6d7-715739fdd1b0",
            "value": "M_APT_Disrupt_NIKOWIPER_MBR_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772346866",
            "to_ids": false,
            "type": "comment",
            "uuid": "19b695ef-126e-4b82-8bf5-f5110c539d23",
            "value": "Detects code in NIKOWIPER.MBR"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772346866",
            "to_ids": true,
            "type": "yara",
            "uuid": "5d6829b8-83f6-4711-bd83-aaaa1eefa0f8",
            "value": "rule M_APT_Disrupt_NIKOWIPER_MBR_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Detects code in NIKOWIPER.MBR\"\r\n strings:\r\n $ = {FF 37 FF 15 [4] 8B 4D F8}\r\n $ = {69 C0 60 EA 00 00 50 FF 15}\r\n $ = {8D 85 90 FB FF FF 68 00 02 00 00 50 E8}\r\n $ = {68 ?? ?? 02 00 68 [4] 56 FF 15}\r\n $ = {68 00 00 07 00 57 FF D0}\r\n $ = {8B B5 9C FB FF FF C1 E6 04}\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 2MB and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772346887",
        "uuid": "8a88fd49-eecf-47ee-8d10-d6de15f3f6fd",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772346887",
            "to_ids": false,
            "type": "text",
            "uuid": "5ca85d78-d06e-4e81-ad91-3c01bc687d5b",
            "value": "M_Hunting_Windows_Powershell_CharSubstitutionFunction_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772346887",
            "to_ids": false,
            "type": "comment",
            "uuid": "d1e60b06-bab7-4638-8aea-c6fe52fb69ea",
            "value": "Finds a function that does a character substitution"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772346887",
            "to_ids": true,
            "type": "yara",
            "uuid": "1754611d-33e0-41f9-8069-47355ecb89f7",
            "value": "rule M_Hunting_Windows_Powershell_CharSubstitutionFunction_1\r\n{\r\nmeta:\r\nauthor=\"Mandiant\"\r\ndescription=\"Finds a function that does a character substitution\"\r\nstrings:\r\n$func_strTr =\r\n/public\\sString.{1,100}\\(string\\s.{1,100},\\sstring\\s.{1,100},\\sstring\\s.{1,100}\\)\\s*\\{\\s*String\\s[\\w\\d_]+\\s?=\\s?\\\"\\\";\\s*for\\(int\\s[\\w\\d_]+=0;\\s?[\\w\\d_]+\\<\\s?[\\w\\d_]+\\.Length;\\s?[\\w\\d_]+\\+\\+\\)\\s*\\{\\s*int\\s[\\w\\d_]+\\s?=\\s?[\\w\\d_]+\\.IndexOf\\([\\w\\d_]+\\[[\\w\\d_]+\\]\\);\\s*if\\([\\w\\d_]+\\s?!=\\s?-\\d\\)\\s*[\\w\\d_]+\\s?\\+=\\s?[\\w\\d_]+\\[[\\w\\d_]+\\];\\s*else\\s*[\\w\\d_]+\\s?\\+=\\s?[\\w\\d_]+\\[[\\w\\d_]+\\];\\s*\\}\\s*return\\s[\\w\\d_]+;\\s*\\}/is\r\ncondition:\r\nfilesize < 2MB and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772346910",
        "uuid": "21f01697-b075-4a61-b9bf-b168c2d4dc11",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772346910",
            "to_ids": false,
            "type": "text",
            "uuid": "43e177a4-b356-4ff7-be95-3f5b6e781caf",
            "value": "M_Hunting_Windows_Powershell_HTTPHeaderParsing_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772346910",
            "to_ids": false,
            "type": "comment",
            "uuid": "0f28be9f-0f60-47f5-8323-069a7350b77a",
            "value": "Finds powershell 1-liners typically used in webshells to decode an HTTP header variable and use it as a command"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772346910",
            "to_ids": true,
            "type": "yara",
            "uuid": "0b43602c-80a3-4b57-814f-430cb9fd00d6",
            "value": "rule M_Hunting_Windows_Powershell_HTTPHeaderParsing_1\r\n{\r\nmeta:\r\nauthor=\"Mandiant\"\r\ndescription=\"Finds powershell 1-liners typically used in webshells to decode an HTTP header variable and use it as a command\"\r\nstrings:\r\n$httpParser1 = /getstring\\(convert\\.frombase64string\\(([\\w\\d_]+)?\\(request\\.headers\\.get\\(['\"][\\w\\d_]+['\"]/ ascii wide nocase\r\ncondition:\r\nfilesize < 2MB and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772346927",
        "uuid": "bfeb082a-2f29-43bd-a682-2c472f9d6f1d",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772346927",
            "to_ids": false,
            "type": "text",
            "uuid": "cd3858af-e35d-47ab-a40d-0c770f330853",
            "value": "M_Hunting_REGEORG_Tunneller_Generic_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772346927",
            "to_ids": false,
            "type": "comment",
            "uuid": "ca644586-1b0f-4cda-a199-e9e1afb4aef6",
            "value": "M_Hunting_REGEORG_Tunneller_Generic_1"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772346927",
            "to_ids": true,
            "type": "yara",
            "uuid": "47aced28-60cc-4b6c-bc45-a97a91bbc83e",
            "value": "rule M_Hunting_REGEORG_Tunneller_Generic_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n strings:\r\n $s1 = \"System.Net.IPEndPoint\"\r\n $s2 = \"Response.AddHeader\"\r\n $s3 = \"Request.InputStream.Read\"\r\n $s4 = \"Request.Headers.Get\"\r\n $s5 = \"Response.Write\"\r\n $s6 = \"System.Buffer.BlockCopy\"\r\n $s7 = \"Response.BinaryWrite\"\r\n $s8 = \"SocketException soex\"\r\n condition:\r\n filesize < 1MB and 7 of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772346979",
        "uuid": "f84fdd60-32da-40d4-a70f-f4f7f0a5c625",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772346979",
            "to_ids": false,
            "type": "text",
            "uuid": "9441abcd-fd2c-41d5-8d2f-e834f4c6d570",
            "value": "M_APT_Webshell_BRUSHPASS_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772346979",
            "to_ids": false,
            "type": "comment",
            "uuid": "2d28f674-e74c-426c-ade6-eff58c1cb033",
            "value": "Detects the string in the BRUSHPASS webshell"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772346979",
            "to_ids": true,
            "type": "yara",
            "uuid": "4c63ebc1-292a-4a11-adcb-1e2c520cc2b1",
            "value": "rule M_APT_Webshell_BRUSHPASS_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Detects the string in the BRUSHPASS webshell\"\r\n strings:\r\n $ = \".DataSource = \"\r\n $ = \"<%@ Page Language=\"\r\n $ = \"RedirectStandardOutput = true;\"\r\n $ = \"UseShellExecute = false;\"\r\n $ = \".WindowStyle = ProcessWindowStyle.Hidden;\"\r\n $ = \" -Direction inbound -Profile Any -Action Allow -LocalPort\"\r\n\r\n condition:\r\n filesize < 5MB and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347013",
        "uuid": "82f06119-8f55-4d6c-a723-fb6152dd446a",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347013",
            "to_ids": false,
            "type": "text",
            "uuid": "15684119-47d2-4d0a-9d7e-23b302f92164",
            "value": "M_APT_Dropper_NEWRETURN_2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347013",
            "to_ids": false,
            "type": "comment",
            "uuid": "231ab27c-06ce-43cf-b07b-9abc08e6d175",
            "value": "Detects strings in the NEWRETURN payloads"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347013",
            "to_ids": true,
            "type": "yara",
            "uuid": "71728f69-1ed4-4ebe-991f-ccb71940c0da",
            "value": "rule M_APT_Dropper_NEWRETURN_2\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Detects strings in the NEWRETURN payloads\"\r\n strings:\r\n $a1 = \"GetLists\"\r\n $a2 = \"GetBuffer\"\r\n $a3 = \"Delays\"\r\n $a4 = \"InvokeMember\"\r\n $a5 = \"Array\"\r\n $o1 = {1f 8b 08 00 00 00 00 00 04 00}\r\n $o2 = \"http://\"\r\n $a6 = \"Form1\"\r\n $a7 = \"mscoree.dll\"\r\n condition:\r\n all of ($a*) and ($o1 or $o2)\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347125",
        "uuid": "08521289-e01f-4ef6-bb87-c802fa634869",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347125",
            "to_ids": false,
            "type": "text",
            "uuid": "2f0ea565-5f82-4c50-b53e-c2c64e180106",
            "value": "M_APT_Dropper_ILLICITORDER_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347125",
            "to_ids": false,
            "type": "comment",
            "uuid": "cc07f29d-d5a0-40a4-92bf-ed45ef57d12d",
            "value": "Detects code segments in the ILLICITORDER dropper"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347125",
            "to_ids": true,
            "type": "yara",
            "uuid": "dbe8bc59-a90a-4378-a58b-536cb9931bbc",
            "value": "rule M_APT_Dropper_ILLICITORDER_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Detects code segments in the ILLICITORDER dropper\"\r\n strings:\r\n $push_8nn = {41 B8 3? 03 00 00 48 8B}\r\n $mov_8nn = {49 8B 9D 3B 03 00 00}\r\n $string_autorun = {C7 [3] 4f 66 66 69 C7 [3] 63 65 5c 41 c7 [3] 55 54 4f 52 c7 [3] 55 4e 2e 65 c7 [3] 78 65}\r\n $xor_13 = {B8 4F EC C4 4E F7 E9 C1 FA 02 8B C2 C1 E8 1F 03 D0 6B D2 0D 8B C1 2B C2}\r\n $xor_13_2 = {B9 0D 00 00 00 F7 F9 8B C2}\r\n $import_CryptStringToBinaryA = \"CryptStringToBinaryA\\x00\"\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 10MB and ($push_8nn or $string_autorun or $mov_8nn) and ($xor_13 or $xor_13_2) and $import_CryptStringToBinaryA\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347144",
        "uuid": "2acbac82-f003-478b-8069-13a6aa003a2e",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347144",
            "to_ids": false,
            "type": "text",
            "uuid": "7ec40a8f-bd6b-478d-a711-fb2a0cebc81f",
            "value": "M_APT_Backdoor_SPAREPART_Strings"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347144",
            "to_ids": false,
            "type": "comment",
            "uuid": "d2331829-456b-449b-86a0-342999a929a7",
            "value": "Detects the PDB and a struct used in SPAREPART"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347144",
            "to_ids": true,
            "type": "yara",
            "uuid": "cb9e76ab-eee6-47b7-8bf0-6660395e6107",
            "value": "rule M_APT_Backdoor_SPAREPART_Strings\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Detects the PDB and a struct used in SPAREPART\"\r\n strings:\r\n $pdb = \"c:\\\\Users\\\\user\\\\Desktop\\\\ImageAgent\\\\ImageAgent\\\\PreAgent\\\\src\\\\builder\\\\agent.pdb\" ascii nocase\r\n $struct = { 44 89 ac ?? ?? ?? ?? ?? 4? 8b ac ?? ?? ?? ?? ?? 4? 83 c5 28 89 84 ?? ?? ?? ?? ?? 89 8c ?? ?? ?? ?? ?? 89 54 ?? ?? 44 89 44 ?? ?? 44 89 4c\r\n?? ?? 44 89 54 ?? ?? 44 89 5c ?? ?? 89 5c ?? ?? 89 7c ?? ?? 89 74 ?? ?? 89 6c ?? ?? 44 89 74 ?? ?? 44 89 7c ?? ?? 44 89 64 ?? ?? 8b 84 ?? ?? ?? ?? ?? 44\r\n8b c8 8b 84 ?? ?? ?? ?? ?? 44 8b c0 4? 8d 15 ?? ?? ?? ?? 4? 8b cd ff 15 ?? ?? ?? ?? }\r\n condition:\r\n (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and\r\n $pdb and\r\n $struct and\r\n filesize < 20KB\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347161",
        "uuid": "f2423957-4ff2-46cd-b99a-09b92cd8fe52",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347161",
            "to_ids": false,
            "type": "text",
            "uuid": "62a0c48e-e87e-477b-a012-27f6d209ccc4",
            "value": "M_APT_Backdoor_SPAREPART_SleepGenerator"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347161",
            "to_ids": false,
            "type": "comment",
            "uuid": "9878e64b-cec8-4b84-8b70-24bcecd4b3ed",
            "value": "Detects the algorithm used to determine the next sleep timer"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347161",
            "to_ids": true,
            "type": "yara",
            "uuid": "610c2e6d-564f-4d64-a786-8bd6a20d630c",
            "value": "rule M_APT_Backdoor_SPAREPART_SleepGenerator\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Detects the algorithm used to determine the next sleep timer\"\r\n strings:\r\n $ = {C1 E8 06 89 [5] C1 E8 02 8B}\r\n $ = {c1 e9 03 33 c1 [3] c1 e9 05 33 c1 83 e0 01}\r\n $ = {8B 80 FC 00 00 00}\r\n $ = {D1 E8 [4] c1 E1 0f 0b c1}\r\n condition:\r\n all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347176",
        "uuid": "848cbd29-07ac-4e30-9494-9594f1d73f62",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347176",
            "to_ids": false,
            "type": "text",
            "uuid": "3cb689fd-431b-4362-92eb-a5c2d1e59ba9",
            "value": "M_APT_Backdoor_QUICKTOW_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347176",
            "to_ids": false,
            "type": "comment",
            "uuid": "eaebef2e-505c-4a2b-9ccb-8c00a6b21b26",
            "value": "Hunting rule looking for QUICKTOW by strings"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347176",
            "to_ids": true,
            "type": "yara",
            "uuid": "da90a86d-5358-47ee-81be-5ba0a29d17eb",
            "value": "rule M_APT_Backdoor_QUICKTOW_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Hunting rule looking for QUICKTOW by strings.\"\r\n strings:\r\n $useragent = {4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 4f 57 36 34 29 20 41 70 70 6c 65\r\n57 65 62 4b 69 74 2f 35 33 37 2e 33 36 20 28 4b 48 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63 6b 6f 29 20 43 68 72 6f 6d 65 2f 31 30 31 2e 30 2e 34\r\n39 35 31 2e 35 34 20 53 61 66 61 72 69 2f 35 33 37 2e 33 36}\r\n $s1 = \"NewErgoClientSessions\" ascii nocase\r\n $s2 = \"SetDisconnected\" ascii nocase\r\n $s3 = \"IsDisconnected\" ascii nocase\r\n $s4 = \"getDelay\" ascii nocase\r\n $s5 = \"setDelay\" ascii nocase\r\n $s6 = \"getMessagesFromServer\" ascii nocase\r\n $s7 = \"getOneMessageFromServer\" ascii nocase\r\n $s8 = \"getMessagesFromServer\" ascii nocase\r\n condition:\r\n ((uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) or uint16(0) == 0x457f) and filesize < 20MB and $useragent and (6 of ($s*))\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347195",
        "uuid": "7c922a19-71f8-48c1-a792-b7c35a3a2724",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347195",
            "to_ids": false,
            "type": "text",
            "uuid": "fcb0344f-185d-4e87-b876-327498ab1b45",
            "value": "M_APT_Backdoor_QUICKTOW_2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347195",
            "to_ids": false,
            "type": "comment",
            "uuid": "027a8ac9-ea06-4741-8139-9ff0c5b0efe4",
            "value": "Function names matching QUICKTOW"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347195",
            "to_ids": true,
            "type": "yara",
            "uuid": "6e46c8a8-52aa-4e5d-b537-4d7a73233819",
            "value": "rule M_APT_Backdoor_QUICKTOW_2\r\n{\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndescription = \"Function names matching QUICKTOW\"\r\nstrings:\r\n$go = \"Go build\" ascii wide\r\n$str1 = \"main.(*Client).Auth\" ascii wide\r\n$str2 = \"main.(*Client).Disconnect\" ascii wide\r\n$str3 = \"main.(*Client).Disconnect.func1\" ascii wide\r\n$str4 = \"main.(*Client).IsDisconnected\" ascii wide\r\n$str5 = \"main.(*Client).MakeMessage\" ascii wide\r\n$str6 = \"main.(*Client).NewErgoClientSessions\" ascii wide\r\n$str7 = \"main.(*Client).NewHTTPHandler\" ascii wide\r\n$str8 = \"main.(*Client).NewSession\" ascii wide\r\n$str9 = \"main.(*Client).ProcessingMessages\" ascii wide\r\n$str10 = \"main.(*Client).RandomSleep\" ascii wide\r\n$str11 = \"main.(*Client).SetDisconnected\" ascii wide\r\n$str12 = \"main.(*Client).getDelay\" ascii wide\r\n$str13 = \"main.(*Client).getMessagesFromServer\" ascii wide\r\n$str14 = \"main.(*Client).getOneMessageFromServer\" ascii wide\r\n$str15 = \"main.(*Client).setDelay\" ascii wide\r\n$str16 = \"main.(*ErgoHTTPHandler).Lock\" ascii wide\r\n$str17 = \"main.(*ErgoHTTPHandler).Unlock\" ascii wide\r\n$str18 = \"main.(*ErgoHTTPHandler).doRequest\" ascii wide\r\n$str19 = \"main.(*Session).IsAlive\" ascii wide\r\n$str20 = \"main.(*Session).Lock\" ascii wide\r\n$str21 = \"main.(*Session).MakeMessage\" ascii wide\r\n$str22 = \"main.(*Session).ResetAlive\" ascii wide\r\n$str23 = \"main.(*Session).SetAlive\" ascii wide\r\n$str24 = \"main.(*Session).Unlock\" ascii wide\r\n$str25 = \"main.(*Session).getDelay\" ascii wide\r\n$str26 = \"main.(*Session).getMessagesForSession\" ascii wide\r\n$str27 = \"main.(*Session).getOneMessageForSession\" ascii wide\r\n$str28 = \"main.(*Session).handle\" ascii wide\r\n$str29 = \"main.(*Session).handle.func1\" ascii wide\r\n$str30 = \"main.(*Session).processingMessage\" ascii wide\r\n$str31 = \"main.(*Session).setDelay\" ascii wide\r\n$str32 = \"main.(*Sessions).Add\" ascii wide\r\n$str33 = 
\"main.(*Sessions).Range\" ascii wide\r\n$str34 = \"main.GetHash\" ascii wide\r\n$str35 = \"main.NewAddress\" ascii wide\r\n$str36 = \"main.NewClient\" ascii wide\r\ncondition:\r\n(uint16(0) == 0x5a4d or uint16(0) == 0x457f) and filesize < 20MB and $go and 30 of ($str*)\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347220",
        "uuid": "247f8262-c1d6-4808-b4fd-d8f15755b86c",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347220",
            "to_ids": false,
            "type": "text",
            "uuid": "516821fb-a378-423d-861b-cfe3b33e2fe0",
            "value": "M_APT_Backdoor_EARLYBLOOM_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347220",
            "to_ids": false,
            "type": "comment",
            "uuid": "3419db07-0de9-4f1d-9377-44025c4ff972",
            "value": "Code blocks indicative of EARLYBLOOM"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347220",
            "to_ids": true,
            "type": "yara",
            "uuid": "2efc9023-4ed0-42cb-8360-d22a10de3262",
            "value": "rule M_APT_Backdoor_EARLYBLOOM_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Code blocks indicative of EARLYBLOOM.\"\r\n strings:\r\n $code1 = { 8B 4D ?? 3B 4D ?? 73 24 8B 55 ?? 8B 45 ?? 8B 0A 33 48 ?? 8B 55 ?? 89 0A 8B 45 ?? 83 C0 ?? 89 45 ?? 8B 4D ?? 83 C1 ?? 89 4D ?? EB CB\r\n}\r\n $code2 = { 83 7D ?? 00 7C 20 8B 45 ?? 83 E0 ?? 83 E8 ?? F7 D0 89 45 ?? 8B 4D ?? D1 E9 8B 55 ?? 23 55 ?? 33 CA 89 4D ?? EB D1 }\r\n condition:\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347236",
        "uuid": "1b28379c-afd9-4ed9-afa1-d0b8dce26c88",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347236",
            "to_ids": false,
            "type": "text",
            "uuid": "4bcccf00-c304-4730-b90d-5a8697af1015",
            "value": "M_APT_Backdoor_EARLYBLOOM_2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347236",
            "to_ids": false,
            "type": "comment",
            "uuid": "39c2b718-9e3b-49f7-92e8-0c2b6181744f",
            "value": "Hunting rule looking for EARLYBLOOM, a backdoor written in C++ that communicates over HTTPS"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347236",
            "to_ids": true,
            "type": "yara",
            "uuid": "6e8f87b3-5cbf-4ee3-a6c4-76fe0923b50d",
            "value": "rule M_APT_Backdoor_EARLYBLOOM_2\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Hunting rule looking for EARLYBLOOM, a backdoor written in C++ that communicates over HTTPS.\"\r\n strings:\r\n $a1 = \"bsd.bst\" xor\r\n $a2 = \"bat.bdt\" xor\r\n $a3 = \"chkdsk.exe\" xor\r\n $a4 = \"Windows check disk\" xor\r\n $a5 = \"https://\" xor\r\n condition:\r\n uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize <300KB and 3 of ($a*)\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347255",
        "uuid": "115ab291-1191-4d72-b2d5-4ca97b6b406f",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347255",
            "to_ids": false,
            "type": "text",
            "uuid": "3448431e-bb86-4d44-8bd3-f11ed0966939",
            "value": "M_Hunting_TANKTRAP_XML_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347255",
            "to_ids": false,
            "type": "comment",
            "uuid": "c9810e5c-6f40-4cf4-b9ca-2691054ce228",
            "value": "Strings associated with TANKTRAP XML GPO policy"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347255",
            "to_ids": true,
            "type": "yara",
            "uuid": "28664f4b-72fb-4da1-878e-1e7bb4ea973a",
            "value": "rule M_Hunting_TANKTRAP_XML_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Strings associated TANKTRAP XML GPO policy\"\r\n strings:\r\n $r1 = /ImmediateTask clsid=\\\"\\{9F030D12-DDA3-4C26-8548-B7CE9151166A\\}\\\" name=\\\"[a-zA-Z]{5}\\\"/\r\n condition:\r\n filesize < 5MB and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347277",
        "uuid": "a9a14ac6-320a-48a6-8806-725c629bc24f",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347277",
            "to_ids": false,
            "type": "text",
            "uuid": "8a0c097d-0578-454c-bdff-1b7f6728ec90",
            "value": "M_Hunting_TANKTRAP_PS1_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347277",
            "to_ids": false,
            "type": "comment",
            "uuid": "d5ede6b7-3e9a-42df-8728-fc1a7abb2291",
            "value": "Strings associated with TANKTRAP PowerShell"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347277",
            "to_ids": true,
            "type": "yara",
            "uuid": "8625ce49-a8e8-465f-a7d2-f54cfe2a5bee",
            "value": "rule M_Hunting_TANKTRAP_PS1_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Strings associated TANKTRAP PowerShell\"\r\n strings:\r\n $s1 = \"ImmediateTaskV2 clsid = \\\"{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}\\\"\"\r\n $s2 = \"SharpGPOAbuse\"\r\n $s3 = \"GuidExtension \\\"AADCED64-746C-4633-A97C-D61349046527\\\"\"\r\n $s4 = \"ImmediateTaskV2 clsid = \\\"\\\"{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}\\\"\"\r\n condition:\r\n filesize < 5MB and 3 of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347301",
        "uuid": "0a61ef4a-c68e-446a-8d98-90af73415c39",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347301",
            "to_ids": false,
            "type": "text",
            "uuid": "4d823e53-3745-4f28-9e06-6b631aa8bcd0",
            "value": "M_APT_Launcher_ARGUEPATCH_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347301",
            "to_ids": false,
            "type": "comment",
            "uuid": "8eb15e41-882a-4ef4-86dc-0f90ac68c773",
            "value": "Identifies the code used by the sleep functionality in ARGUEPATCH"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347301",
            "to_ids": true,
            "type": "yara",
            "uuid": "64da16dd-059d-43ad-9b93-5b00b44c720c",
            "value": "rule M_APT_Launcher_ARGUEPATCH_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Identifies the code used by the sleep functionality in ARGUEPATCH\"\r\n strings:\r\n $ = {2b ?? 81 f? 00 2E 93 02}\r\n $ = {83 C0 18 6B C0 3C [5-12] 69 C0 60 EA 00 00}\r\n $ = {68 00 DD 6D 00}\r\n condition:\r\n filesize < 5MB and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347319",
        "uuid": "f7ed3e53-5468-4343-ba06-4d0a3f38467d",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347319",
            "to_ids": false,
            "type": "text",
            "uuid": "72925335-5347-4e81-8246-36067f3ff48b",
            "value": "M_APT_Launcher_ARGUEPATCH_2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347319",
            "to_ids": false,
            "type": "comment",
            "uuid": "63574f56-7b42-4097-87d4-ba0d8ea184c3",
            "value": "To detect executable with patched function used to load encrypted shellcode"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347319",
            "to_ids": true,
            "type": "yara",
            "uuid": "434b2526-c88e-43e3-a675-fc603c698412",
            "value": "rule M_APT_Launcher_ARGUEPATCH_2\r\n{\r\n meta:\r\n description = \"To detect executable with patched function used to load encrypted shellcode\"\r\n author = \"Mandiant\"\r\n strings:\r\n /*\r\n XOR loop:\r\n .text:004719C6 xor_loop: ; CODE XREF: PATCHED+468\r\n .text:004719C6 8A 01 mov al, [ecx] ; 8A 01\r\n .text:004719C8 33 D2 xor edx, edx ; 33 D2\r\n .text:004719C8\r\n .text:004719CA\r\n .text:004719CA xor_loop_inner: ; CODE XREF: PATCHED+45F\r\n .text:004719CA 8B 7D F8 mov edi, [ebp+String] ; 8B 7D ??\r\n .text:004719CD 32 04 57 xor al, [edi+edx*2] ; 32 04 57\r\n .text:004719D0 42 inc edx ; 42\r\n .text:004719D1 88 01 mov [ecx], al ; 88 01\r\n .text:004719D3 83 FA 10 cmp edx, 16 ; 83 FA 10\r\n .text:004719D6 72 F2 jb short xor_loop_inner ; 72 F2\r\n .text:004719D6\r\n .text:004719D8 FF 4D FC dec [ebp+var_4] ; FF 4D ??\r\n .text:004719DB 41 inc ecx ; 41\r\n .text:004719DC 39 5D FC cmp [ebp+var_4], ebx ; 39 5D ??\r\n .text:004719DF 75 E5 jnz short xor_loop ; 75 E5\r\n */\r\n $xor_loop = {8A 01 33 D2 8B 7D ?? 32 04 57 42 88 01 83 FA 10 72 F2 FF 4D ?? 41 39 5D ?? 75 E5}\r\n condition:\r\n (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and\r\n $xor_loop\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347337",
        "uuid": "b85290a3-1b93-4dfc-a9ae-e3e5383ecad6",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347337",
            "to_ids": false,
            "type": "text",
            "uuid": "0cfce8ed-7c16-4c8e-854b-36946ac09c8f",
            "value": "M_APT_Launcher_ARGUEPATCH_3"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347337",
            "to_ids": false,
            "type": "comment",
            "uuid": "1f1b2866-ef54-43d1-ac5b-962ad13d1ad1",
            "value": "arguepatch malware family"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347337",
            "to_ids": true,
            "type": "yara",
            "uuid": "056dc816-f810-45fc-8d65-97caa9045b72",
            "value": "rule M_APT_Launcher_ARGUEPATCH_3\r\n{\r\n meta:\r\n description = \"arguepatch malware family\"\r\n strings:\r\n $p00_0 = {85ff74??83ff??75??33db8bfbeb??a1[4]6a}\r\n $p00_1 = {8a064684c075??2bf23bf35e73??51}\r\n $p01_0 = {2bc183e0??3d[4]72??8b51??83c0??2bca83c1??83f9}\r\n $p01_1 = {75??eb??803d[5]74??cc68[4]e8[4]803d[5]74}\r\n condition:\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and\r\n (\r\n ($p00_0 in (92000..99000) and $p00_1 in (640..8300))\r\n or\r\n ($p01_0 in (170000..190000) and $p01_1 in (140000..160000))\r\n )\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347370",
        "uuid": "e1e48113-0b37-47e7-ad24-9914aaa0fcec",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347370",
            "to_ids": false,
            "type": "text",
            "uuid": "f92df2b9-b2e8-4a45-ae9b-7f1972ca94d1",
            "value": "M_APT_Dropper_FREETOW_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347370",
            "to_ids": false,
            "type": "comment",
            "uuid": "2ee631d8-8d7f-465e-983f-632d4738e384",
            "value": "M_APT_Dropper_FREETOW_1"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347370",
            "to_ids": true,
            "type": "yara",
            "uuid": "94dcbc7b-a5eb-46a5-90c8-0a17c5336c31",
            "value": "rule M_APT_Dropper_FREETOW_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n strings:\r\n $hex49_add_arg_check = { 83 C1 49 88 08 FF D0 }\r\n $shell32_stack_string = { C7 ( 41 | 42 | 43 | 45 | 46 | 47 ) ?? 73 68 65 6C C7 ( 41 | 42 | 43 | 45 | 46 | 47 ) ?? 6C 33 32 2E C7 ( 41 | 42 | 43 | 45 | 46 |\r\n47 ) ?? 64 6C 6C 00 }\r\n condition:\r\n filesize < 5MB and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347385",
        "uuid": "be03081f-6eb7-4577-8f25-f0ca64e895d9",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347385",
            "to_ids": false,
            "type": "text",
            "uuid": "d6303882-7bd6-4f63-9384-2a2d893359b5",
            "value": "M_APT_Dropper_FREETOW_2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347385",
            "to_ids": false,
            "type": "comment",
            "uuid": "799ff994-bc2f-43b3-b5e6-c4fef91be97f",
            "value": "M_APT_Dropper_FREETOW_2"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347385",
            "to_ids": true,
            "type": "yara",
            "uuid": "0d1bb84e-35af-46d0-a705-1932f38d515d",
            "value": "rule M_APT_Dropper_FREETOW_2\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n strings:\r\n $push_ror13_api_hash_getcommandlinew = { 68 55 CE E0 2E }\r\n $push_ror13_api_hash_loadlibrary = { 68 4C 77 26 07 }\r\n $push_ror13_api_hash_virtualalloc = { 68 58 A4 53 E5 }\r\n $ror13_api_hash_commandlinetoargw = { 11 4B AF 1C }\r\n condition:\r\n filesize < 5MB and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347397",
        "uuid": "a0ec35b4-be20-4489-8f41-29bca0a8a96f",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347398",
            "to_ids": false,
            "type": "text",
            "uuid": "675f2fad-f83b-406f-8357-e1376c520ecb",
            "value": "M_APT_Dropper_FREETOW_3"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347398",
            "to_ids": false,
            "type": "comment",
            "uuid": "e3e149de-a21d-4df0-b0e2-427ba808722c",
            "value": "M_APT_Dropper_FREETOW_3"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347398",
            "to_ids": true,
            "type": "yara",
            "uuid": "1458da49-4a20-4ee3-8b86-3ceb46733ced",
            "value": "rule M_APT_Dropper_FREETOW_3\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n strings:\r\n $func_args1 = { 6A 40 68 00 10 00 00 6A 10 6A 00 }\r\n $func_args2 = { 6A 40 68 00 10 00 00 68 00 00 40 00 6A 00 }\r\n condition:\r\n all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347420",
        "uuid": "0fc3819d-525c-4f8d-aa39-3dbe4c8afea3",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347420",
            "to_ids": false,
            "type": "text",
            "uuid": "a834eee2-abee-4912-9c5b-0564bf94fb76",
            "value": "M_APT_Dropper_FREETOW_4"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347420",
            "to_ids": false,
            "type": "comment",
            "uuid": "3e513a64-d141-49b0-a28d-2d193999e8a9",
            "value": "Patched ftp with shellcode, run with z option to launch"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347420",
            "to_ids": true,
            "type": "yara",
            "uuid": "ada3b265-682b-48e2-baee-b7c086ce70f7",
            "value": "rule M_APT_Dropper_FREETOW_4\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Patched ftp with shellcode, run with z option to launch.\"\r\n strings:\r\n $h1 = {0FB70983 C1498808 FFD0}\r\n// 0F B7 09 movzx ecx, word ptr [ecx]\r\n// 83 C1 49 add ecx, 49h ; 'I'\r\n// 88 08 mov [eax], cl\r\n// FF D0 call eax\r\n $h2 = {80CAFF2A 11881141 3BC876F4}\r\n// 80 CA FF or dl, 0FFh ;\r\n// 2A 11 sub dl, [ecx]\r\n// 88 11 mov [ecx], dl\r\n// 41 inc ecx\r\n// 3B C8 cmp ecx, eax\r\n// 76 F4 jbe short loc_1001757\r\n $s1 = \"local-file:\"\r\n $s2 = \"xpsp2res.dll\"\r\n $s3 = \"anonymous\"\r\n condition:\r\n uint16(0) == 0x5A4D and filesize < 50KB and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347438",
        "uuid": "e08ca6a1-ae9c-47d4-b01a-4824784edca8",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347438",
            "to_ids": false,
            "type": "text",
            "uuid": "e09243ae-37c4-4834-9995-77c6dea10e10",
            "value": "M_APT_Worm_Win32_ITCHYSPARK_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347438",
            "to_ids": false,
            "type": "comment",
            "uuid": "1d141e6b-32b0-45e3-93ed-fcdf6e42a796",
            "value": "Looking for ITCHYSPARK samples based on opcode patterns observed on relevant functions"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347438",
            "to_ids": true,
            "type": "yara",
            "uuid": "f5324681-4450-4e1d-af9c-61d9d4d5bb48",
            "value": "rule M_APT_Worm_Win32_ITCHYSPARK_1\r\n{\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndescription = \"Looking for ITCHYSPARK samples based on opcode patterns observed on relevant functions.\"\r\nstrings:\r\n$b1 = {5? 5? 8B ?? 8B [2] 2B ?? C1 ?? 02 8D [2] 8D [2] 8D [2] 85 ?? 7? ?? 8B ?? 8D [2] 8B ?? 33 ?? 8B ?? 4? 89 ?? 8D ?? 85 ?? 7? ?? 8B ?? 81\r\n?? A3 B1 29 4A 5? 5? 5? C3}\r\n$b2 = {6A 01 5? 6A 00 FF ?? 83 F8 ?? 0F 8? [4] 8B [2] E8 [4] 8B ?? 85 ?? 0F 8? [4] 6A 01 8D [2] 5? 5? FF ?? 85 C0 0F 8? [4] 33 ?? 89 [2] 39 ??\r\n0F 8? [4] 8D [2] 89 [2] 83 [2] 02 0F 8? [4] 83 [2] 04 0F 8?}\r\n$b3 = {5? 5? 5? 68 AE 00 00 00 6A 02 89 [2] 89 [2] FF ?? 83 ?? 6F 0F 8? [4] 8B [2] E8 [4] 8B ?? 89 [2] 85 ?? 0F 8? [4] 8D [2] 5? 5? 6A 00 68\r\nAE 00 00 00 6A 02 FF ?? 85 ?? 0F 8?}\r\n$b4 = {5? 6A 65 5? 89 [2] FF 15 [4] 85 C0 0F 8? [4] 8B [2] 85 C0 0F 8? [4] [4-12] 85 ?? 0F 8? [4] 81 ?? F4 01 00 00 7?}\r\ncondition:\r\n(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347458",
        "uuid": "896e744c-7bd5-4246-acc7-a153ab555da1",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347458",
            "to_ids": false,
            "type": "text",
            "uuid": "44f22bea-de02-4b76-9a4e-be001c1861f1",
            "value": "M_APT_Worm_Win32_ITCHYSPARK_2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347458",
            "to_ids": false,
            "type": "comment",
            "uuid": "f984d39b-d953-49ad-9065-ba543d520023",
            "value": "Looking for WMI spreader component of ITCHYSPARK (ITCHYSPARK.WMI) samples based on opcodes observed at relevant functions"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347458",
            "to_ids": true,
            "type": "yara",
            "uuid": "c2fb1e79-53d9-43e3-8273-bfce1039f41c",
            "value": "rule M_APT_Worm_Win32_ITCHYSPARK_2\r\n{\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndescription = \"Looking for WMI spreader component of ITCHYSPARK (ITCHYSPARK.WMI) samples based on opcodes observed at\r\nrelevant functions.\"\\\r\nstrings:\r\n$b1 = {5? 6A 03 6A 09 5? 68 [4] 68 [4] FF 15 [4] 85 C0 7? ?? FF 74 24 ?? FF 15 [4] FF 74 24 ?? FF 15}\r\n$b2 = {8B [5] 68 FF 01 0F 00 FF [2] 5? FF ?? 85 C0 7? ?? 32 ?? EB ?? 8B ?? E8 [4] 88 [2] 84 ?? 7? ?? 68 88 13 00 00 FF 15 [4] 68 FF 01 0F\r\n00 FF [2] 5? FF ?? 85 C0 7?}\r\n$b3 = {5? [0-2] 5? 5? 5? FF 15 [4] 85 C0 7? ?? FF 15 [4] 3D 1D 04 00 00 7? ?? B0 01 EB ?? 83 ?? 1E 7? ?? 68 E8 03 00 00 FF 15 [4] 4? 8B ??\r\nE8 [4] 83 F8 04 7? ?? EB ?? 32 C0 5? 5? C3}\r\n$b4 = {6A 00 FF 76 ?? FF 76 ?? FF 15 [4] 85 C0 0F 95 ?? 85 C0 7? ?? 6A 41 [0-12] 6A 44 [0-12] 6A 4D [0-12] 6A 49 [0-12] 6A 4E [0-12] 6A\r\n24 [0-12] FF 76 [0-12] FF 76 [0-12] FF 76 ?? E8 [4] 83 C4 0C 88 [2] 6A 00 FF 76 ?? FF 76 ?? FF 15 [4] 85 C0 0F 95}\r\ncondition:\r\n(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347479",
        "uuid": "dbb05901-1026-4521-92eb-cacefefed516",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347479",
            "to_ids": false,
            "type": "text",
            "uuid": "468543b4-94f5-4ec1-a37a-a78bd9997b46",
            "value": "M_APT_Worm_Win32_ITCHYSPARK_3"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347479",
            "to_ids": false,
            "type": "comment",
            "uuid": "6c00e3a9-d36b-4e90-97d9-5cb35980bdfc",
            "value": "Looking for SMB spreader component of ITCHYSPARK (ITCHYSPARK.SMB) samples based on opcode patterns observed on relevant functions"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347479",
            "to_ids": true,
            "type": "yara",
            "uuid": "7455e5cc-dbf9-4546-8399-dab9a10ee8d1",
            "value": "rule M_APT_Worm_Win32_ITCHYSPARK_3\r\n{\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndescription = \"Looking for SMB spreader component of ITCHYSPARK (ITCHYSPARK.SMB) samples based on op code patterns\r\nobserved on relevant functions.\"\r\nstrings:\r\n$b1 = { E8 [4] 5? 84 C0 7? ?? 8D ?? 24 ?? 5? 68 02 02 00 00 FF 15 [4] 85 C0 7? ?? 8D ?? 24 ?? 8D ?? 24 ?? 4? FF 15 [4] 5? FF 15 }\r\n$b2 = { 80 ?? 01 7? ?? 80 ?? 02 7? ?? 33 ?? B? [4] 80 ?? 01 6A 04 5? 0F 45 ?? 0F B7 ?? 33 C0 80 F? 01 0F 45 ?? 80 F? 02 7? ?? 6A 02 5? B?\r\n[4] 33 ?? 33 ?? 66 3B ?? 7? ?? 8B [2] 0F B7 ?? 8B [2] 89 [2] E8 [4] 8B ?? 83 F? 12 7? ?? 4? 66 3B ?? 7? }\r\n$b3 = { ( 68 | FF ) [2-4] FF 7? ?? 68 [4] 5? E8 [4] A1 60 F0 04 10 8B ?? 89 45 ?? 66 A1 [4] 66 89 45 ?? [4-12] E8 [4] 6A 12 5? }\r\n$b4 = { 33 ?? 89 [2] 8B ?? 85 [4] 89 46 ?? 33 C0 89 [2] 66 39 45 ?? 7? ?? 8B [2] EB ?? 0F B7 ?? 4? 89 [2] 8B ?? 85 [4] 8B [2] [8-16] 85 ?? 7? ??\r\n6A 00 33 C0 4? 5? 6A 02 5? 5? FF }\r\n$b5 = { E8 [4] 3B ?? 7? ?? 8B [2] B? 06 02 FC 23 3B ?? 7? ?? 7? ?? 3? 05 01 28 0A 7? ?? 3? 05 02 CE 0E 7? ?? 3? 06 00 72 17 7? ?? 3? 06 01\r\nB0 1D 7? ?? 3? 06 01 B1 1D 7? ?? 3? 06 02 F0 23 7? ?? [0-32] 3? 06 03 80 25 7? ?? 3? 0A 00 00 28 7? ?? 3? 0A 00 5A 29 7? ?? 3? 0A 00 39 38 7? ?? 3?\r\n0A 00 D7 3A 7? ?? B? 9A 08 00 00 EB ?? }\r\ncondition:\r\n(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and 3 of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347498",
        "uuid": "de04ad70-2637-4f1f-b7d3-3dd004690748",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347498",
            "to_ids": false,
            "type": "text",
            "uuid": "68d234f2-c988-4d3e-9c61-921cb4e32a36",
            "value": "M_APT_Tunneler_GOGETTER_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347498",
            "to_ids": false,
            "type": "comment",
            "uuid": "a2f461bf-d7c7-40d8-bbf0-d4e0378d8e35",
            "value": "Hunting for GOGETTER ELF files"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347498",
            "to_ids": true,
            "type": "yara",
            "uuid": "cc2a6857-31d6-45d5-942a-9d05b5781dad",
            "value": "rule M_APT_Tunneler_GOGETTER_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Hunting for GOGETTER ELF files.\"\r\n strings:\r\n $g1 = \"go.buildid\"\r\n $g2 = \"Go build ID:\"\r\n $g3 = \"Go buildinf:\"\r\n $proxy1 = \"proxy/pkg/client.(*Client)\"\r\n $proxy2 = \"proxy/pkg/\"\r\n $yamux = \"hashicorp/yamux\"\r\n condition:\r\n filesize < 25MB and uint32(0) == 0x464c457f and any of ($g*) and all of ($proxy*) and $yamux\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347513",
        "uuid": "543ddad9-806b-40b9-a221-2332e0720959",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347513",
            "to_ids": false,
            "type": "text",
            "uuid": "7df54fff-4d2b-49bb-b724-1bc4925d8033",
            "value": "M_APT_Tunneler_GOGETTER_2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347513",
            "to_ids": false,
            "type": "comment",
            "uuid": "f80af2a5-2d67-456a-a20c-d60869dcda6d",
            "value": "M_APT_Tunneler_GOGETTER_2"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347513",
            "to_ids": true,
            "type": "yara",
            "uuid": "3436bd03-105b-4c7a-9deb-ce17dfefd663",
            "value": "rule M_APT_Tunneler_GOGETTER_2\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n strings:\r\n $s1 = \"\\x00github.com/hashicorp/yamux.Client\\x00\"\r\n $s2 = \"\\x00github.com/hashicorp/yamux.(*Session).AcceptStream\\x00\"\r\n $sb1 = { 8D ?? 24 [1-5] 89 04 24 E8 [4-5] 8B 44 24 [1-2] 8B 4C 24 [4-32] 83 ?? 03 75 0D 66 81 3? 65 6E 75 06 80 7? 02 64 7? [1-2] C7 04 24 00 00\r\n00 00 E8 }\r\n condition:\r\n (uint32(0) == 0x464c457f) and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347526",
        "uuid": "881e9200-dce4-4f61-960a-cf5bf068d601",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347526",
            "to_ids": false,
            "type": "text",
            "uuid": "2ef9e040-21ef-42ba-a1c7-49c6ccff7bcd",
            "value": "M_APT_Tunneler_GOGETTER_3"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347526",
            "to_ids": false,
            "type": "comment",
            "uuid": "0bd1d184-a9b6-4cad-9079-d49fd3a927c2",
            "value": "M_APT_Tunneler_GOGETTER_3"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347526",
            "to_ids": true,
            "type": "yara",
            "uuid": "b65be6f7-84fb-4f0d-8a38-7c535366af28",
            "value": "rule M_APT_Tunneler_GOGETTER_3\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n strings:\r\n $sb1 = { 48 C7 ?? 24 [4] 00 10 00 00 48 C7 ?? 24 [4] 00 10 00 00 48 8D 15 [4] 48 89 ?? 24 [4] 48 8B ?? 24 ?? 48 89 ?? 24 [4] 48 C7 ?? 24 [4] FF FF\r\nFF FF 48 C7 ?? 24 [4] FF FF FF FF [32-150] 48 8D ?? 24 [4] 0F 1F 40 00 E8 [4] 48 8? ?? 0F 85 [4] 48 89 ?? 24 ?? 48 89 ?? 24 ?? 48 89 D9 48 89 C3 48\r\n8D 44 24 ?? E8 [4] 48 89 ?? 24 ?? 48 89 ?? 24 ?? E8 [4] 48 8B 4C 24 ?? 0F 1F 40 00 48 3? ?? 7? ?? 48 8? ?? 48 8B 44 24 ?? E8 [4] 84 C0 }\r\n condition:\r\n (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347547",
        "uuid": "92a0e7ae-c9cf-47b0-8ade-9c32f9a6e8d1",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347547",
            "to_ids": false,
            "type": "text",
            "uuid": "7639f47e-1ac8-4b76-a8ae-2d9181368eca",
            "value": "M_APT_Wiper_CADDYWIPER_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347547",
            "to_ids": false,
            "type": "comment",
            "uuid": "d074b874-4f11-4541-88ae-e91c7b5cecbc",
            "value": "Searches code segments in CADDYWIPER"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347547",
            "to_ids": true,
            "type": "yara",
            "uuid": "76730923-b8aa-4d5d-8f34-ace9250b0cec",
            "value": "rule M_APT_Wiper_CADDYWIPER_1\r\n{\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndescription = \"Searches code segments in CADDYWIPER\"\r\nstrings:\r\n// C7 45 FC 44 3A 5C 00 mov [ebp+var_4], '\\:D'\r\n$ = {c7 ?? ?? 44 3A 5C 00}\r\n// B8 00 00 A0 00 mov eax, 0A00000h\r\n$ = {B8 00 00 A0 00}\r\n/*\r\n51 push ecx\r\n68 54 C0 07 00 push 7C054h\r\n*/\r\n$ = {51 68 54 C0 07 00}\r\ncondition:\r\nfilesize < 3MB and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347561",
        "uuid": "d90bec4c-ad73-4a1c-be2b-b8d3d603c049",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347561",
            "to_ids": false,
            "type": "text",
            "uuid": "3122e060-d891-474a-8d9f-71350e8cd041",
            "value": "M_APT_Wiper_CADDYWIPER_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347561",
            "to_ids": false,
            "type": "comment",
            "uuid": "0558559a-2d61-43b1-a031-92a09381a6d9",
            "value": "Searches for the Physical Device call within CADDYWIPER"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347561",
            "to_ids": true,
            "type": "yara",
            "uuid": "b4de7e6d-3e7f-41b7-ac69-1a39b421dee6",
            "value": "rule M_APT_Wiper_CADDYWIPER_1\r\n{\r\nmeta:\r\n author = \"Mandiant\"\r\n description = \"Searches for the Physical Device call within CADDYWIPER\"\r\nstrings:\r\n// LocalAlloc, push 0xa00000 and 0x40\r\n$ = {00 00 A0 00}\r\n$ = {43 3A 5C 55 C7 ?? ?? 73 65 72 73}\r\n$ = {C7 45 FC 44 3A 5C 00} // d:\\\\\r\n//$ = {68 54 C0 07 00}\r\ncondition:\r\nall of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347602",
        "uuid": "c3aea161-732a-4798-ab60-7e7084355d97",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347602",
            "to_ids": false,
            "type": "text",
            "uuid": "865e28f5-f359-4cef-b89c-1b6389116983",
            "value": "M_APT_Disrupt_NEARTWIST_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347602",
            "to_ids": false,
            "type": "comment",
            "uuid": "8a0ea7de-f8db-4450-8db0-b7cb53e9255f",
            "value": "M_APT_Disrupt_NEARTWIST_1"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347602",
            "to_ids": true,
            "type": "yara",
            "uuid": "1b8a0e9c-82ee-4d34-8cbe-dd6a8110e571",
            "value": "rule M_APT_Disrupt_NEARTWIST_1\r\n{\r\nmeta:\r\n author = \"Mandiant\"\r\nstrings:\r\n $mersenne_alg = { D1 EA 83 E1 01 69 C9 DF B0 08 99 33 CA }\r\n $s1 = \"PhysicalDrive\" wide fullword\r\n $wipe_drive = { 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 C0 [0-32] FF 15 [4-64] 5? 6A 00 6A 00 6A 00 6A 00 68 18 00 09 00 5? FF 15 [4-256] 68\r\n00 00 01 00 [0-32] FF 15 }\r\n $wipe_file = { 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 C0 [0-32] FF 15 [4-64] 5? 5? FF 15 [4-32] 6A 00 68 00 00 01 00 5? 5? E8 }\r\ncondition:\r\n (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347621",
        "uuid": "aa8b2413-d3df-4cbb-beb7-70861fdaef75",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347621",
            "to_ids": false,
            "type": "text",
            "uuid": "5ad6ed6f-9c41-4243-aba8-1403e3f8d077",
            "value": "M_APT_Wiper_Win32_NEARTWIST_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347621",
            "to_ids": false,
            "type": "comment",
            "uuid": "31c245a3-9a72-40ce-b842-46b31bba8b94",
            "value": "Looking for NEARTWIST samples based on opcode patterns observed on relevant functions"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347621",
            "to_ids": true,
            "type": "yara",
            "uuid": "192b1678-f453-4da9-a647-63f4cb5817b4",
            "value": "rule M_APT_Wiper_Win32_NEARTWIST_1\r\n{\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndescription = \"Looking for NEARTWIST samples based on opcode patterns observed on relevant functions.\"\r\nstrings:\r\n$b1 = {68 05 01 00 00 8D [4-6] 5? FF 15 [4] 85 C0 0F 8? [4] 3? 05 01 00 00 0F 8? [4] 8B 85 [4-5] 85 C0 0F 8?}\r\n$b2 = {FF 15 [4] 89 8? [4-6] B? 01 00 00 00 [4-32] C1 ?? 1E 33 ?? 69 ?? 65 89 07 6C 03 ?? 89 [6] 4? (3D|81 FA) 70 02 00 00 7? ?? B? 70 02\r\n00 00 }\r\n$b3 = {6A 00 5? 68 00 00 01 00 8D ?? 24 [4] 5? 5? FF 15 [4] 85 C0 7? ?? 8B 44 24 ?? 3D 00 00 01 00 7? ?? 2B ?? 83 ?? 00 E9}\r\ncondition:\r\n(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347642",
        "uuid": "e634319a-df06-46b7-8370-5fcf8d7d7f26",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347642",
            "to_ids": false,
            "type": "text",
            "uuid": "38e4cec6-5632-4417-9509-3b08ba87ef4a",
            "value": "M_APT_Wiper_Win_NEARTWIST_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347642",
            "to_ids": false,
            "type": "comment",
            "uuid": "d81e073e-172c-4b94-9da9-1a35e3b57381",
            "value": "Looking for NEARTWIST samples based on strings, imports, and constants for Mersenne Twister / ISAAC PRNG"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347642",
            "to_ids": true,
            "type": "yara",
            "uuid": "f42c1fcd-e127-4a36-856a-d209d0e277cc",
            "value": "rule M_APT_Wiper_Win_NEARTWIST_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Looking for NEARTWIST samples based on strings, imports, and constants for Mersenne Twister / ISAAC PRNG.\"\r\n strings:\r\n $b1 = { 65 89 07 6C }\r\n $b2 = { AD 58 3A FF }\r\n $b3 = { 8C DF FF FF }\r\n $i1 = \"GetTickCount\"\r\n $i2 = \"DeviceIoControl\"\r\n $i3 = \"GetLogicalDrives\"\r\n $i4 = \"FindFirstFile\"\r\n $i5 = \"FindNextFile\"\r\n $i6 = \"WriteFile\"\r\n $i7 = \"GetDiskFreeSpaceEx\"\r\n $i8 = \"CreateThread\"\r\n $i9 = \"GetWindowsDirectory\"\r\n $i10 = \"GetTempFileName\"\r\n $n1 = \"Cleaner.exe\" ascii fullword wide\r\n $n2 = \"Cleaner.dll\" ascii fullword wide\r\n $s1 = \"PhysicalDrive\" ascii fullword wide\r\n $s2 = \"\\\\\\\\.\\\\\" ascii fullword wide\r\n $s3 = \"*.*\" ascii fullword wide\r\n $s4 = \"Tmf\" ascii fullword wide\r\n $s5 = \"Tmd\" ascii fullword wide\r\n condition:\r\n (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of ($n*) and all of ($s*) and all of ($i*) and all of ($b*)\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347662",
        "uuid": "666fc76b-d8a7-4d22-9c04-51af3a6f8c1b",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347662",
            "to_ids": false,
            "type": "text",
            "uuid": "3cf275a6-53a6-4187-92b8-62c1662bb2bf",
            "value": "M_APT_Disrupt_PARTYTICKET_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347662",
            "to_ids": false,
            "type": "comment",
            "uuid": "499c346d-c315-4522-a984-9f75161ea992",
            "value": "Looking for PARTYTICKET samples via strings"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347662",
            "to_ids": true,
            "type": "yara",
            "uuid": "3fb63d18-26fe-4b9c-9204-3ee84535ca24",
            "value": "rule M_APT_Disrupt_PARTYTICKET_1\r\n{\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndescription = \"Looking for PARTYTICKET samples via strings.\"\r\nstrings:\r\n$s1 = \"/403forBiden/\" ascii wide\r\n$s2 = \"/wHiteHousE/\" ascii wide\r\n$s3 = \"partyTicket.\" ascii wide\r\n$s4 = \"vote_result.\" ascii wide\r\n$s5 = \".encryptedJB\" ascii wide\r\n$f1 = \"/wHiteHousE.baggageGatherings\" ascii wide\r\n$f2 = \"/wHiteHousE.primaryElectionProcess\" ascii wide\r\n$f3 = \"/wHiteHousE.GoodOffice1\" ascii wide\r\n$f4 = \"/wHiteHousE.lookUp\" ascii wide\r\n$f5 = \"/wHiteHousE.init\" ascii wide\r\n$m1 = \"<p>Thank you for your vote! All your files, documents, photoes, videos, databases etc. have been successfully encrypted!</p>\"\r\nascii wide fullword\r\n$m2 = \"<p>Now your computer has a special ID:<b> </b></p>\" ascii wide fullword\r\n$m3 = \"<p>NOTE: <i>Do not send file with sensitive content. In the email write us your computer's special ID (mentioned above).</i>\"\r\nascii wide fullword\r\ncondition:\r\nuint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (3 of ($s*) or 3 of ($f*) or 2 of ($m*))\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347684",
        "uuid": "61c30c53-0c56-4424-a39e-0e3576b2cb4e",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347684",
            "to_ids": false,
            "type": "text",
            "uuid": "870b429a-1ead-4ad9-9f8e-722c13c3c2bb",
            "value": "M_APT_Disrupt_PARTYTICKET_2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347684",
            "to_ids": false,
            "type": "comment",
            "uuid": "af738249-7f78-47b2-a86f-325967fd5c8e",
            "value": "Looking for PARTYTICKET samples via opcode patterns observed on relevant functions"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347684",
            "to_ids": true,
            "type": "yara",
            "uuid": "9745cfc6-e2cb-4a3d-af56-2ab312f54d34",
            "value": "rule M_APT_Disrupt_PARTYTICKET_2\r\n{\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndescription = \"Looking for PARTYTICKET samples via opcode patterns observed on relevant functions.\"\r\nstrings:\r\n$b1 = {48 83 F8 1B 0F 8D [4] 48 89 [3] 48 89 [3] 48 89 [3] 48 8D 35 [4] 0F B6 3C 06 81 FF 80 00 00 00 0F 8? [4] 48 FF C0 [16-32] E8\r\n[16-64] E8 [8-32] E8 [4] 48 8B 44 24 ?? 48 85 C0 7? ?? [8-24] E9}\r\n$b2 = {48 83 F8 37 0F 8D [24-32] E8 [16-32] E8 [16-32] 48 C1 E? 04 [8-16] 7? ?? 0F B6 44 24 ?? EB ?? [8-16] E8 [4] 0F B6 44 24 ?? 84 C0\r\n7? ?? [4-8] B8 01 00 00 00 E9 }\r\n$b3 = {3D 77 69 6E 64 0F 85 [4-12] 66 3D 6F 77 0F 85 [4-12] 3C 73 0F 85 [4] E8 [4] [8-24] 31 ?? EB}\r\ncondition:\r\nuint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347699",
        "uuid": "629f42d8-7d5a-41d9-8a03-23e1c15aa81b",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347699",
            "to_ids": false,
            "type": "text",
            "uuid": "63c44c61-1625-4588-a550-c79ced7ba752",
            "value": "M_APT_Distupt_NEARMISS_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347699",
            "to_ids": false,
            "type": "comment",
            "uuid": "0528febd-3162-4aaf-86da-c479e321419a",
            "value": "M_APT_Distupt_NEARMISS_1"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347699",
            "to_ids": true,
            "type": "yara",
            "uuid": "4269fcbe-2a0e-41d8-8bb2-3512d68ce5c8",
            "value": "rule M_APT_Distupt_NEARMISS_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n strings:\r\n $code_fat_corruption = { 8B ?? 56 8B ?? 52 [1-64] 0F B? ?? 16 [1-32] 8B ?? 24 [0-32] 0F B? ?? 0D [1-32] 0F B? ?? 10 [1-32] 0F B? ?? 0E }\r\n $code_ntfs_corruption = { 0F B? ?? 0B 0F B? ?? 0D [1-64] FF ?? 34 FF ?? 30 [1-64] 0F B? ?? 0B [1-64] FF ?? 3C FF ?? 38 }\r\n $s1 = \"\\\\\\\\.\\\\PhysicalDrive%u\" fullword wide\r\n $s2 = \"\\\\\\\\.\\\\EPMNTDRV\\\\%u\" fullword wide\r\n $s3 = \"DRV_X64\" fullword wide\r\n $s4 = \"DRV_X86\" fullword wide\r\n $s5 = \"DRV_XP_X64\" fullword wide\r\n $s6 = \"DRV_XP_X86\" fullword wide\r\n $s7 = \"$ATTRIBUTE_LIST\" fullword wide\r\n $s8 = \"$EA_INFORMATION\" fullword wide\r\n $s9 = \"$SECURITY_DESCRIPTOR\" fullword wide\r\n $s10 = \"$INDEX_ROOT\" fullword wide\r\n $s11 = \"$INDEX_ALLOCATION\" fullword wide\r\n $s12 = \"$LOGGED_UTILITY_STREAM\" fullword wide\r\n condition:\r\n (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (8 of ($s*) or all of ($code*))\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347719",
        "uuid": "32bd81e4-5568-41fa-95be-fdf78edb13ee",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347719",
            "to_ids": false,
            "type": "text",
            "uuid": "c837a71d-abc6-45f2-8083-92120ed92c87",
            "value": "M_Hunting_Win32_NEARMISS_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347719",
            "to_ids": false,
            "type": "comment",
            "uuid": "7f0b57a9-19bf-4835-a719-d50cdc85b51f",
            "value": "Rule looks for code present in NEARMISS samples. Based on a rule generated by symhunt for symfunc/\r\ncef8160083d485a3676d55b3fc5e1c42"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347719",
            "to_ids": true,
            "type": "yara",
            "uuid": "991dac7b-822f-405f-8fed-cfe87757aa81",
            "value": "rule M_Hunting_Win32_NEARMISS_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Rule looks for code present in NEARMISS samples. Based on a rule generated by symhunt for symfunc/\r\ncef8160083d485a3676d55b3fc5e1c42.\"\r\n strings:\r\n $c = { 55 8B EC 81 EC AC 08 ?? ?? 53 56 57 33 DB 89 4D E0 68 ?? ?? ?? ?? 8D 85 78 FC FF FF C7 45 DC ?? ?? ?? ?? 53 50 C7 45 E4 ?? ?? ?? ?? 89\r\n5D F8 89 5D A4 E8 ?? ?? ?? ?? 83 C4 0C 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B F8 8D 85 78 FC FF FF 68 ?? ?? ?? ?? 50 FF ?? ?? ?? ?? ?? 83\r\nC4 0C 89 45 F0 85 FF 74 ?? 8B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 FF D6 68 ?? ?? ?? ?? 57 8B D8 FF D6 68 ?? ?? ?? ?? 57 FF D6 8B F0 85 F6 74 ?? 8D 45\r\nF8 50 FF }\r\n condition:\r\n filesize < 15MB and uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and any of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347735",
        "uuid": "be2b5842-23ff-43c7-ad2f-a9ffea138110",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347735",
            "to_ids": false,
            "type": "text",
            "uuid": "50450763-18d8-4c5c-a8f8-63f2a9c85128",
            "value": "M_Hunting_Win32_NEARMISS_2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347735",
            "to_ids": false,
            "type": "comment",
            "uuid": "5969ffd7-2e6c-46ef-877b-92fb5ace6b5b",
            "value": "Rule looks for a specific stackstring - mangled SeShutdownPrivilege - found in NEARMISS samples"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347735",
            "to_ids": true,
            "type": "yara",
            "uuid": "880a20ac-fb50-47ec-a72c-1afb81ffe16b",
            "value": "rule M_Hunting_Win32_NEARMISS_2\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Rule looks for a specific stackstring - mangled SeShutdownPrivilege - found in NEARMISS samples.\"\r\n strings:\r\n $s1 = { 53 00 65 00 [4] 53 00 68 00 [4] 75 00 74 00 [4] 64 00 6F 00 [4] 9A 02 00 00 [4] 00 00 00 00 }\r\n $s2 = { 77 00 6E 00 [7] 50 00 72 00 }\r\n condition:\r\n filesize < 15MB and uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347750",
        "uuid": "6788fce4-3dd4-40a8-b674-22afa5c17316",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347750",
            "to_ids": false,
            "type": "text",
            "uuid": "be2c3081-cc47-400e-be33-719567ffe2f1",
            "value": "M_Hunting_Win_WiperPaths_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347750",
            "to_ids": false,
            "type": "comment",
            "uuid": "9ff2fac2-c9c3-4b6d-8e09-8f40a97ef94e",
            "value": "Detects notable wiper strings"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347750",
            "to_ids": true,
            "type": "yara",
            "uuid": "01ee065c-0278-4bba-a7f2-a92f331a875c",
            "value": "rule M_Hunting_Win_WiperPaths_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Detects notable wiper strings\"\r\n reference = \"https://twitter.com/ESETresearch/status/1496581903205511181\"\r\n strings:\r\n$w1 = \"\\\\\\\\.\\\\EPMNTDRV\" wide fullword\r\n$w2 = \"\\\\\\\\.\\\\PhysicalDrive\" wide fullword\r\n$w3 = \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\" wide fullword\r\n$w4 = \"\\\\\\\\?\\\\C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\" wide fullword\r\n$w5 = \"\\\\\\\\?\\\\C:\\\\Documents and Settings\" wide fullword\r\n$w6 = \"<<Obsolete>>\" wide fullword\r\n condition:\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (all of them)\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347769",
        "uuid": "09472ed7-2d5a-45cf-9f3b-0252190072bd",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347769",
            "to_ids": false,
            "type": "text",
            "uuid": "1238f257-2b50-4e28-af79-5b7564958dc3",
            "value": "M_Webshell_PHP_WEEVELY_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347769",
            "to_ids": false,
            "type": "comment",
            "uuid": "ca8d7c2f-fb9d-40eb-8167-bf8dc54bfc0c",
            "value": "Weevely3 open source webshell detection from https://artikrh.github.io/posts/weevely-backdoor-analysis -- Webshell source\r\ncode: https://github.com/epinna/weevely3/tree/master/core"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347769",
            "to_ids": true,
            "type": "yara",
            "uuid": "63edb27c-1d68-4282-bd35-75ec8299877f",
            "value": "rule M_Webshell_PHP_WEEVELY_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Weevely3 open source webshell detection from https://artikrh.github.io/posts/weevely-backdoor-analysis -- Webshell source\r\ncode: https://github.com/epinna/weevely3/tree/master/core\"\r\n strings:\r\n $php = \"<?php\" ascii\r\n $rf1 = \"$k\" ascii\r\n $rf2 = \"$kh\" ascii\r\n $rf3 = \"$kf\" ascii\r\n $rf4 = \"$p\" ascii\r\n $rf5 = \"$o\" ascii\r\n $rf6 = /\\$\\w{1,4}=str_replace\\('\\w{1,}','','/ ascii\r\n condition:\r\n $php at 0 and all of ($rf*) and filesize > 500 and filesize < 1000\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347797",
        "uuid": "f081bed3-3fde-4266-a708-a589f5efcb3c",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347797",
            "to_ids": false,
            "type": "text",
            "uuid": "50b68b30-2d7f-4af0-a102-ffdaff1c0d98",
            "value": "M_Backdoor_DARKCRYSTALRAT_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347797",
            "to_ids": false,
            "type": "comment",
            "uuid": "87456671-f72e-441f-8256-f19e8c317484",
            "value": "Detection for DARKCRYSTAL RAT's C2 checkin and CSharp compiling code"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347797",
            "to_ids": true,
            "type": "yara",
            "uuid": "bb8535eb-9870-49bc-a0a0-1238cfdf2fc2",
            "value": "import \"pe\"\r\nrule M_Backdoor_DARKCRYSTALRAT_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Detection for DARKCRYSTAL RAT's C2 checkin and CSharp compiling code\"\r\n strings:\r\n $c1 = {72????????a2251907a2251a72????????a2251b11??28????????72????????28????????28????????a2251c72????????a2251d11??28????????2\r\n8????????a2251e72????????a2251f??11??28????????72????????28????????28????????a2251f??72????????a2251f??\r\n7e????????28????????28????????1628????????28????????28????????a2251f??72????????a2251f??07a228????????}\r\n $c2 = {0228????????0000000428????????0a0428????????0b0672????????6f????????72????????28????????2d??0672????????6f????????72?????\r\n???28????????2b??170c0839????????00140d0672????????6f????????72????????28????????13??11??2c??73????????0d2b??73????????0d73????????\r\n25176f????????0025166f????????0013??11??6f????????0672????????6f????????178d????????25161f??9d6f????????6f????????000911??17\r\n8d????????25160672????????6f????????a26f????????13??11??6f????????6f????????13??11??39????????0072????????13??0011??6f????????6f??????\r\n??13??2b??11??6f????????74????????13??1e8d????????251611??a2251772????????a2251811??6f????????a2251972????????a2251a11??6f????????13\r\n??12??28????????a2251b72????????a2251c11??6f????????a2251d72????????a228????????13??11??6f????????2d??de??11??75????????13??11??2c??1\r\n1??6f????????00dc0211??7d????????02177d????????dd????????11??6f????????72????????6f????????13??0011??6f????????6f????????13??1613??2b?\r\n?11??11??9a13??0011??6f????????72????????28????????13??11??2c??0011??11??146f????????262b??0011??175813??11??11??8e6932??0038???????\r\n?0672????????6f????????72????????28????????13??11??39????????0028????????72????????1f??28????????72????????28????????13??11??0672????\r\n????6f????????28????????000772????????6f????????a5????????13??11??2c??0073????????25176f????????002528????????2d??72????????2b??72??\r\n??????6f????????0025176f????????002511??6f????????0013??11??28????????6f???????
?00002b??0073????????25166f????????002528????????2d??\r\n72????????2b??72????????6f????????002572????????6f????????002572????????11??72????????28????????6f????????0013??11??28????????\r\n6f????????0000000011??28????????0000de??260000de??0038????????0672????????6f????????72????????28????????13??11??39????????0028????\r\n????72????????1f??28????????72????????28????????13??11??0672????????6f????????28????????0073????????25176f????????002528????????2d??7\r\n2????????2b??72????????6f????????002572????????6f????????002572????????11??72????????28????????6f????????0013??11??28????????\r\n6f????????000011??28????????0000de??260000de??0038????????0672????????6f????????72????????28????????13??11??2c??0073????????2517\r\n6f????????002528????????2d??72????????2b??72????????6f????????002572????????6f????????002572????????0672????????6f????????72????????\r\n28????????6f????????0013??11??28????????6f????????000002167d????????00de??13??000211??6f????????7d????????02177d????????00de??2a}\r\n $c3 = {73????????0d2b??73????????0d73????????25176f????????0025166f????????0013??11??6f????????0672????????6f????????178d????????2\r\n5161f??9d6f????????6f????????000911??178d????????25160672????????6f????????a26f????????13??11??6f????????\r\n6f????????13??11??39????????0072????????13??0011??6f????????6f????????13??2b??11??6f????????74????????13??1e8d????????251611??a225177\r\n2????????a2251811??6f????????a2251972????????a2251a11??6f????????13??12??28????????a2251b72????????a2251c11??6f????????a2251d72?????\r\n???a228????????13??11??6f????????2d??de??11??75????????13??11??2c??11??6f????????00dc0211??7d????????02177d????????dd????????11??\r\n6f????????72????????6f????????13??0011??6f????????6f????????13??1613??2b??11??11??9a13??0011??6f????????72????????28????????13??11??2c?\r\n?0011??11??146f????????262b??0011??175813??11??11??8e6932??0038????????0672????????\r\n6f????????72????????28????????13??11??39????????0028????????72????????1f??28????????72????????28????????13??11??0672????????\r\n6f??????
??28????????000772????????6f????????a5????????13??11??2c??0073????????25176f????????002528????????2d??72????????2b??72??????\r\n??6f????????0025176f????????002511??6f????????0013??11??28????????6f????????00002b??0073????????25166f????????002528????????2d??72??\r\n??????2b??72????????6f????????002572????????6f????????002572????????11??72????????28????????6f????????0013??11??28????????\r\n6f????????0000000011??28????????0000de??260000de??0038????????0672????????6f????????72????????28????????13??11??39????????0028????\r\n????72????????1f??28????????72????????28????????13??11??0672????????6f????????28????????0073????????25176f????????002528????????2d??7\r\n2????????2b??72????????6f????????002572????????6f????????002572????????11??72????????28????????6f????????0013??11??28????????\r\n6f????????000011??28????????0000de??260000de??0038????????0672????????6f????????72????????28????????13??11??2c??0073????????2517\r\n6f????????002528????????2d??72????????2b??72????????6f????????002572????????6f????????002572????????0672????????6f????????72????????\r\n28????????6f????????0013??11??28????????6f????????000002167d????????00de??13??000211??6f????????7d????????02177d????????00de??2a}\r\n\r\n /*\r\n 0c245b2700e9417c0e1cbfd0f8d1aa70\r\n DCRatBuild.Managers.DCRat.CreatorAuthenticationTask.ReflectGetter() : void @06000E8D\r\n */\r\n $c4 = 
{0073????????2572????????72????????6f????????0a0673????????0b73????????25176f????????25166f????????256f????????72????????6f?\r\n???????26256f????????72????????6f????????26256f????????72????????6f????????26256f????????72????????6f????????26256f????????72????????6f\r\n????????26256f????????72????????6f????????26256f????????72????????6f????????260c0708178d????????2516027b????????28????????a2\r\n6f????????0d096f????????6f????????2c??1f??8d????????25167e????????a2251772????????a225187e????????28????????28????????a2251972???????\r\n?a2251a7e????????a2251b72????????a2251c72????????7e????????28????????28????????a2251d72????????a2251e72????????28????????a228??????\r\n??28????????262b??1f??8d????????25167e????????a2251772????????a225187e????????28????????28????????a2251972????????a2251a7e????????a\r\n2251b72????????a2251c72????????7e????????28????????28????????a2251d72????????a2251e72????????28????????a228????????28????????2609\r\n6f????????72????????6f????????13??11??6f????????72????????6f????????13??11??11??146f????????26de??261f??8d????????25167e????????a22517\r\n72????????a225187e????????28????????28????????a2251972????????a2251a7e????????a2251b72????????a2251c72????????7e????????28????????2\r\n8????????a2251d72????????a2251e72????????28????????a228????????28????????26de??2a}\r\n condition:\r\n uint16(0) == 0x5a4d\r\n and pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].virtual_address != 0\r\n and 1 of ($c*)\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347814",
        "uuid": "c8928c26-737c-49fc-83ed-a10c3da33dc9",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347814",
            "to_ids": false,
            "type": "text",
            "uuid": "ccaeac4b-f1d4-44cc-a860-a3a7cd88f313",
            "value": "M_Backdoor_Win_DARKCRYSTALRAT_Config_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347814",
            "to_ids": false,
            "type": "comment",
            "uuid": "1bc14d50-cfae-46a6-9026-d09e129d9da0",
            "value": "This rule looks for PE files containing part of DARKCRYSTALRAT configuration string. Configuration JSON is stored as base64\r\nencoded, reversed, gzip compressed and again base64 encoded string"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347814",
            "to_ids": true,
            "type": "yara",
            "uuid": "b58a4942-e8fc-45ec-96f3-a67abc98f072",
            "value": "rule M_Backdoor_Win_DARKCRYSTALRAT_Config_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"This rule looks for PE files containing part of DARKCRYSTALRAT configuration string. Configuration JSON is stored as base64\r\nencoded, reversed, gzip compressed and again bas64 encoded string.\"\r\n strings:\r\n $s = { 48 00 34 00 73 00 49 00 41 00 41 00 41 00 41 00 41 00 41 00 41 00 45 00 41 00 46 00 32 00 54 00 58 00 58 00 75 00 69 00 4D 00 42 00\r\n43 00 46 00 66 00 39 00 }\r\n condition:\r\n filesize < 15MB and uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and $s\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347831",
        "uuid": "07cd2bf2-527f-482e-afeb-b15afad2ab53",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347831",
            "to_ids": false,
            "type": "text",
            "uuid": "82ebfa3e-0a46-46ba-8254-ba1dcbbdbe69",
            "value": "M_Downloader_SMOKELOADER_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347831",
            "to_ids": false,
            "type": "comment",
            "uuid": "fb54ee5e-dfdf-4a7e-bcd4-4eec9a2894b7",
            "value": "This rule is designed to detect on events related to smokeloader. SMOKELOADER is a downloader that retrieves additional\r\npayloads via HTTP. Retrieved payloads are mapped into memory and may include plugins that expand SMOKELOADER's functionality. Capabilities\r\nadded via plugins include keylogging, credential theft, and DDoS. Retrieved payloads may also include additional malware such as AZORULT,\r\nFORMBOOK, REMCOS, URSNIF, SILENTNIGHT, TRICKBOT, and SYSTEMBC"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347831",
            "to_ids": true,
            "type": "yara",
            "uuid": "0ee8772a-ff2b-4565-9b40-d79f1b9d87f0",
            "value": "rule M_Downloader_SMOKELOADER_1\r\n{\r\n meta:\r\n author = \" Mandiant\"\r\n description = \"This rule is designed to detect on events related to smokeloader. SMOKELOADER is a downloader that retrieves additional\r\npayloads via HTTP. Retrieved payloads are mapped into memory and may include plugins that expand SMOKELOADER's functionality. Capabilities\r\nadded via plugins include keylogging, credential theft, and DDoS. Retrieved payloads may also include additional malware such as AZORULT,\r\nFORMBOOK, REMCOS, URSNIF, SILENTNIGHT, TRICKBOT, and SYSTEMBC.\"\r\n\r\n strings:\r\n $part_of_winmain = {81 3D [4] 00 04 00 00 5? 5? 75 ?? 8D 45 ?? E8 [4] 8D 75 ?? E8 [4] 8B 3D [4] 5? 8B 5D ?? 33 F6 FF D7 81 FE [4] 7E ?? 81 FB ??\r\n?? ?? 78 75 ?? 4? 81 FE ?? 1D 00 00 7C ?? 8B 3D [4] 8B 1D [4] 33 F6 8D A4 24 00 00 00 00 6A 00 FF D7 FF D3 FF 15 [4] 81 FE 47 6D 20 00 7F ?? 46 81\r\nFE A4 F6 04 00 7C ?? 8B 3D [4] 33 F6 5B}\r\n $part_of_alloc_memeory = {8B [5] 05 4B 13 01 00 50 6A 00 89 [5] A3 [4] FF 15 [4] A3 [4] E8 [4] 33 F6 39 35}\r\n $part_of_stackstring_virtualprotect = {68 38 2B 42 00 FF 15 [4] B1 74 B2 72 68 80 97 42 00 50 A3 [4] C6 05 [4] 56 C6 05 [4] 69 88 15 [4] C6 05\r\n[4] 50 88 0D [4] C6 05 [4] 00 88 0D [4] C6 05 [4] 63 C6 05 [4] 75 C6 05 [4] 61 C6 05 [4] 6C 88 15 [4] C6 05 [4] 6F 88 0D [4] C6 05 [4] 65 FF 15 [4] A3}\r\n condition:\r\n uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and 2 of the\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347846",
        "uuid": "5dfd99f3-8f66-409a-bf1e-3529516a1580",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347846",
            "to_ids": false,
            "type": "text",
            "uuid": "b349089f-42ca-4da5-b019-e8849f20dccb",
            "value": "M_Downloader_SHARPCOFFEE_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347846",
            "to_ids": false,
            "type": "comment",
            "uuid": "3518c13e-7210-4f63-8cc3-d78bc4ee6600",
            "value": "M_Downloader_SHARPCOFFEE_1"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347846",
            "to_ids": true,
            "type": "yara",
            "uuid": "afb9f51b-b49f-48b1-a6b3-9b6ffe5b428e",
            "value": "rule M_Downloader_SHARPCOFFEE_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n strings:\r\n $str1 = \"ActiveXObject(\\\"WScript.Shell\\\").Run(\\\"powershell.exe\" nocase\r\n $str2 = \"new-object net.webclient;\" nocase\r\n $str3 = \".downloaddata('http\" nocase\r\n $str4 = \".uploaddata('http\" nocase\r\n $str5 = \"[System.Net.Dns]\" nocase\r\n condition:\r\n all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347873",
        "uuid": "07e6ec5e-7da5-45f9-be53-ce648a6e2ab0",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347873",
            "to_ids": false,
            "type": "text",
            "uuid": "3794af40-f29e-4b07-8059-99a4f243fd34",
            "value": "M_APT_Downloader_SHARPCOFFEEVBS_2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347873",
            "to_ids": false,
            "type": "comment",
            "uuid": "02ff7149-46bd-43fa-9d6d-a33ee5efe741",
            "value": "Detects SHARPCOFFE.VBS variant, a VBS script used to download and run a secondary payload, and upload the output of the secondary payload during the same script execution"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347873",
            "to_ids": true,
            "type": "yara",
            "uuid": "18290ba5-a2b8-4d7d-a619-a42f6135a597",
            "value": "rule M_APT_Downloader_SHARPCOFFEEVBS_2\r\n{\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndescription = \"Detects SHARPCOFFE.VBS variant, a VBS script used to download and run a secondary payload, and upload the output\r\nof the secondary payload during the same script execution.\"\r\nstrings:\r\n$vbs = \"dim\" ascii wide nocase\r\n$a1 = /\\$\\w{1,20}\\.uploaddata\\('http:\\/\\/.{1,20}\\/page\\d{1,3}',\\$\\w{1,10}\\);/\r\n$a2 = /=\\$\\w{1,20}\\.downloaddata\\('http:\\/\\/.{1,50}\\/page\\d{1,3}\\/upgrade\\.txt'\\);if\\(/\r\ncondition:\r\nfilesize < 1MB and $vbs at 0 and any of ($a*)\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347889",
        "uuid": "bd2e9737-ed63-4308-b72a-c83ffe84d056",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347889",
            "to_ids": false,
            "type": "text",
            "uuid": "5f8ae118-bea0-4cd0-9303-170425e95cc8",
            "value": "M_Dropper_COLDWELL_Permission_Arch_Check_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347889",
            "to_ids": false,
            "type": "comment",
            "uuid": "c2380da7-173f-491b-b162-58c06c1de1c2",
            "value": "M_Dropper_COLDWELL_Permission_Arch_Check_1"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347889",
            "to_ids": true,
            "type": "yara",
            "uuid": "0a581816-ec17-4999-afc8-bf64b81b1076",
            "value": "rule M_Dropper_COLDWELL_Permission_Arch_Check_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n strings:\r\n $ = {C7 45 F? 00 05 50 C7 45 F? }\r\n $ = {C7 45 F? 00 00 00 00 C7 45 F? }\r\n $ = {0F 95 C3 6A 04 83 C3 [7] F7 D8 6A 0A}\r\n condition:\r\n all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347913",
        "uuid": "85ddb338-55c4-4ce9-91da-b84a1172e05a",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347913",
            "to_ids": false,
            "type": "text",
            "uuid": "e4eeca8b-fa4f-4df6-939c-4636121e8f5e",
            "value": "M_Disrupt_ROARBAT_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347913",
            "to_ids": false,
            "type": "comment",
            "uuid": "032e5006-b25c-4c2f-9c67-cc81215e9946",
            "value": "M_Disrupt_ROARBAT_1"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347913",
            "to_ids": true,
            "type": "yara",
            "uuid": "771af6bf-87dc-42de-9b9b-32c965b2f0e8",
            "value": "rule M_Disrupt_ROARBAT_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n strings:\r\n $ = \"takeown /a /f \\\"%%\"\r\n $ = \"in (C:\\\\Users,\"\r\n $ = \"a -df %\"\r\n $ = \"\\\" & del %\"\r\n condition:\r\n all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347934",
        "uuid": "bfa63d5a-5062-401d-a64e-61004788b517",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347934",
            "to_ids": false,
            "type": "text",
            "uuid": "10eede94-5ef7-4f5c-98ed-7cc8a02f7449",
            "value": "M_Hunting_Backdoor_PowerShell_WILDDIME_Strings_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347934",
            "to_ids": false,
            "type": "comment",
            "uuid": "5da16acb-9b1c-49f5-b361-37b6f86e19bf",
            "value": "Searching for PowerShell scripts with strings associated with WILDDIME"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347934",
            "to_ids": true,
            "type": "yara",
            "uuid": "b30e531b-0ab4-425e-8717-ef85ae188c71",
            "value": "rule M_Hunting_Backdoor_PowerShell_WILDDIME_Strings_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Searching for PowerShell scripts with strings associated with WILDDIME.\"\r\n strings:\r\n $s1 = \"GetEnviron\" nocase ascii wide\r\n $s2 = \"R64Encoder\" nocase ascii wide\r\n $s3 = \"R64Decoder\" nocase ascii wide\r\n $s4 = \"Send-HttpRequest\" nocase ascii wide\r\n $s5 = \"JVBERi0xLjcNCiW1tb\" nocase ascii wide\r\n condition:\r\n filesize < 200KB and\r\n all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347959",
        "uuid": "667c55a2-30dc-4c06-aa2e-1f9cca1e9e94",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347959",
            "to_ids": false,
            "type": "text",
            "uuid": "9bdafe0f-d527-4331-bdef-7c60558e5e6b",
            "value": "M_Hunting_Downloader_SHARPENTRY_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347959",
            "to_ids": false,
            "type": "comment",
            "uuid": "fc69fdeb-6b75-4a83-9124-a7e174e85ec7",
            "value": "Detects code fragments connected to the payload decoding and mining routines found within SHARPENTRY"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347959",
            "to_ids": true,
            "type": "yara",
            "uuid": "2f4d5f32-0816-4c01-af07-55e9b60df8ea",
            "value": "rule M_Hunting_Downloader_SHARPENTRY_1\r\n{\r\n meta:\r\n author= \"Mandiant\"\r\n description=\"Detects code fragments connected to the payload decoding and mining routines found within SHARPENTRY.\"\r\n strings:\r\n $decode_routine = { 0F B6 ?? ?? 0F B6 ?? ?? 33 C2 88 ?? ?? 0F B6 ?? ?? 83 ?? 4D }\r\n $payload_mine = { 8B ?? ?? 03 ?? ?? 81 ?? 89 C3 81 C3 }\r\n condition:\r\n uint16(0) == 0x5A4D\r\n and $decode_routine\r\n and $payload_mine\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772347980",
        "uuid": "5c820fa0-d47c-4cbc-b903-3e175a4709ba",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772347980",
            "to_ids": false,
            "type": "text",
            "uuid": "0cb6aefe-4d8b-4952-9abb-4d8b59ee0add",
            "value": "M_Hunting_Dropper_SHARPIVORY_Strings_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772347980",
            "to_ids": false,
            "type": "comment",
            "uuid": "40e219e7-7c99-48e5-8e9b-ce4b63c78c3d",
            "value": "Searching for executables containing string references to the SHARPIVORY code family"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772347980",
            "to_ids": true,
            "type": "yara",
            "uuid": "35f2d5cf-c98f-4315-a38f-86f78bc683e7",
            "value": "rule M_Hunting_Dropper_SHARPIVORY_Strings_1\r\n{\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndescription = \"Searching for executables containing strings references to the SHARPIVORY code family.\"\r\nstrings:\r\n$s1 = \"WriteAllBytes\"\r\n$s2 = \"FromBase64String\"\r\n$w1 = \"schtasks.exe\" wide\r\n$w2 = \"kernel32.dll\" wide\r\n$w3 = \"/create /tn\" wide\r\n$w4 = \"/sc minute /mo 20 /f\" wide\r\ncondition:\r\nfilesize < 5MB and\r\nuint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and\r\nall of them\r\n}"
          }
        ]
      }
    ]
  }
}