Update Yara_Rule_SideWinder_Dec19.yar

StrangerealIntel 2019-12-28 19:19:09 +01:00 committed by GitHub
parent bd8675064d
commit 03336b6559
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -13,7 +13,7 @@ rule APT_SideWinder_LNK_Dec19_1 {
$s1 = "@shell32.dll,-21769" fullword wide $s1 = "@shell32.dll,-21769" fullword wide
$s2 = "S-1-5-21-1302019708-1500728564-335382590-1000" fullword wide $s2 = "S-1-5-21-1302019708-1500728564-335382590-1000" fullword wide
$s3 = "@shell32.dll,-21813" fullword wide $s3 = "@shell32.dll,-21813" fullword wide
$s4 = "[..\\..\\..\\..\\..\\Desktop\\" fullword wide $s4 = "[..\\..\\..\\..\\..\\Desktop\\" fullword wide
$s5 = ".rtf" fullword wide $s5 = ".rtf" fullword wide
condition: condition:
uint16(0) == 0x004c and filesize < 3KB and all of them uint16(0) == 0x004c and filesize < 3KB and all of them
@ -62,9 +62,9 @@ rule APT_SideWinder_NET_Loader_Dec19_1 {
$s2 = ".tmp " fullword wide $s2 = ".tmp " fullword wide
$s3 = "FileRipper" fullword ascii $s3 = "FileRipper" fullword ascii
$s4 = "pluginAssembly" fullword ascii $s4 = "pluginAssembly" fullword ascii
$s5 = "InitGadgets" fullword ascii $s5 = "InitGadgets" fullword ascii
$s6 = "Start" fullword ascii $s6 = "Start" fullword ascii
$s7 = "Program" fullword ascii $s7 = "Program" fullword ascii
condition: condition:
uint16(0) == 0x5a4d and filesize < 20KB and ( pe.exports("FileRipper") or all of them ) uint16(0) == 0x5a4d and filesize < 20KB and ( pe.exports("FileRipper") or all of them )
} }
@ -78,28 +78,28 @@ rule APT_SideWinder_JS_Dec19_1 {
hash1 = "c733dba9451c632c19aaad8d1de61e905dac88453b0839e8900777e121de1755" hash1 = "c733dba9451c632c19aaad8d1de61e905dac88453b0839e8900777e121de1755"
strings: strings:
$s1 = "ABCDEFGHIJKLMNOPQRSTUVWXY" $s1 = "ABCDEFGHIJKLMNOPQRSTUVWXY"
$s2 = "Zabcdefghijklmnopqrstuvwxyz0123456789+/=" ascii $s2 = "Zabcdefghijklmnopqrstuvwxyz0123456789+/=" ascii
$s3 = "window.resizeTo(1, 1)" ascii $s3 = "window.resizeTo(1, 1)" ascii
$s4 = "window.moveTo(-1000, -1200)" ascii $s4 = "window.moveTo(-1000, -1200)" ascii
$s5 = "new Enumerator(" ascii $s5 = "new Enumerator(" ascii
$s6 = "](x,y" ascii $s6 = "](x,y" ascii
$s7 = "finally{window.close();}" ascii $s7 = "finally{window.close();}" ascii
$s8 = "^ key." ascii $s8 = "^ key." ascii
$s9 = ".GetFolder(" ascii $s9 = ".GetFolder(" ascii
$s10 = ".Environment(" ascii $s10 = ".Environment(" ascii
$s11 = "(key, bytes){" ascii $s11 = "(key, bytes){" ascii
$s12 = "TransformFinalBlock(" ascii $s12 = "TransformFinalBlock(" ascii
$s13 = "GetByteCount_2(" ascii $s13 = "GetByteCount_2(" ascii
$s14 = "GetBytes_4(" ascii $s14 = "GetBytes_4(" ascii
$s15 = "ActiveXObject;" ascii $s15 = "ActiveXObject;" ascii
$s16 = "String.fromCharCode;" ascii $s16 = "String.fromCharCode;" ascii
$s17 = ".join("")" ascii $s17 = ".join("")" ascii
$s18 = ".Position = 0;" ascii $s18 = ".Position = 0;" ascii
$s19 = ".charCodeAt(" ascii $s19 = ".charCodeAt(" ascii
$s20 = "& 255" ascii $s20 = "& 255" ascii
$s21 = ".charAt(" ascii $s21 = ".charAt(" ascii
$s22 = ".GetSpecialFolder(" ascii $s22 = ".GetSpecialFolder(" ascii
$s23 = ".atEnd() == false)" ascii $s23 = ".atEnd() == false)" ascii
condition: condition:
uint16(0) == 0x090a and filesize < 3000KB and all of them uint16(0) == 0x090a and filesize < 3000KB and all of them
} }
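Review bot: `$s17 = ".join("")" ascii` on the new side of this hunk is not a valid YARA text string as rendered here: the two inner double quotes terminate and restart the literal, so the compiler sees two adjacent strings and rejects the rule, and a parse error in one rule stops the whole file from loading. If the intent is to match the literal JavaScript `.join("")`, the inner quotes need escaping, `$s17 = ".join(\"\")" ascii`. It is possible the backslashes were dropped during rendering, since `$s4` in the first hunk keeps its `\\` escapes, so this is worth confirming against the file itself before relying on the rule in a scan.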