From b5d8ab9ae40872b4bca2f5231738cfc5ed504d34 Mon Sep 17 00:00:00 2001
From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com>
Date: Mon, 11 May 2020 01:40:44 +0200
Subject: [PATCH] Create Lazarus_ELF_RAT_Dacls_May_2020_1.yar

---
 .../Yara/Lazarus_ELF_RAT_Dacls_May_2020_1.yar | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 North Korea/APT/Lazarus/2020-05-05/Yara/Lazarus_ELF_RAT_Dacls_May_2020_1.yar

diff --git a/North Korea/APT/Lazarus/2020-05-05/Yara/Lazarus_ELF_RAT_Dacls_May_2020_1.yar b/North Korea/APT/Lazarus/2020-05-05/Yara/Lazarus_ELF_RAT_Dacls_May_2020_1.yar
new file mode 100644
index 0000000..947b1e8
--- /dev/null
+++ b/North Korea/APT/Lazarus/2020-05-05/Yara/Lazarus_ELF_RAT_Dacls_May_2020_1.yar
@@ -0,0 +1,25 @@
+rule Lazarus_ELF_Dacls_May_2020_1 {
+ meta:
+ description = "Detect ELF RAT Dacls by the strings (May 2020)"
+ author = "Arkbird_SOLG"
+ reference = "https://twitter.com/philofishal/status/1257669351899086849"
+ date = "2020-05-10"
+ hash1 = "846d8647d27a0d729df40b13a644f3bffdc95f6d0e600f2195c85628d59f1dc6" /* SubMenu.nib */
+ strings:
+ $s1 = "rc4_cryptP9_CMataNetP9rc4_statePKhPhi" fullword ascii
+ $s2 = "c_2910.cls" fullword ascii
+ $s3 = "k_3872.cls" fullword ascii
+ $s4 = "plugin_" fullword ascii
+ $s5 = "/Library/Caches/com.apple.appstore.db" fullword ascii
+ $s6 = "/proc/%d/cmdline" fullword ascii
+ $s7 = "/proc/%d/status" fullword ascii
+ $s8 = "/proc/%d/task" fullword ascii
+ $s9 = "SCAN\\t%s\\t%d.%d.%d.%d\\t%d\\n" fullword ascii
+ $s10 = "start_worm_scan" fullword ascii
+ $s11 = "GetConfigFilename" fullword ascii
+ $s12 = "Host: %s\\r\\n" fullword ascii
+ $s13 = "Certificate:\\n" fullword ascii
+ condition:
+ (uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca)
+ and filesize > 250KB and 10 of them
+}
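Review bot: The condition's header check contradicts the rule name and description: every value in the `uint32(0)` disjunction is a Mach-O thin or FAT magic, so a rule named `Lazarus_ELF_Dacls_May_2020_1` and described as "Detect ELF RAT Dacls" can never fire on an ELF sample, whose first four bytes read as `0x464c457f`. Either rename the rule and change the description to say Mach-O (the `/* SubMenu.nib */` hash comment suggests the macOS sample was what was tested), or add `uint32(0) == 0x464c457f` to the disjunction so the Linux variant referenced by the `/proc/%d/...` strings is also covered. The `$s9`, `$s12` and `$s13` strings are written with doubled backslashes (`\\t`, `\\r\\n`, `\\n`); in a YARA text string that matches a literal backslash plus letter rather than a tab or newline, so if the intent was the raw format strings from the binary these should probably be single-escaped — this may be a mail-transport artefact, so confirm against the committed file. A short `// Mach-O magics: MH_MAGIC, MH_CIGAM, MH_MAGIC_64, MH_CIGAM_64, FAT_MAGIC, FAT_CIGAM` comment above the condition would make the header check self-explanatory, and `0xcafebabe` also matches Java class files, which the `10 of them` string threshold is what keeps from producing false positives.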