Monday, 23 February 2015

Equation APT YARA Rules

1 - apt_equation_exploitlib_mutexes
rule apt_equation_exploitlib_mutexes {
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Equation group's Exploitation library"
        version = "1.0"
        last_modified = "2015-02-16"
        reference = "https://securelist.com/blog/"
    strings:
        $mz = "MZ"
        $a1 = "prkMtx" wide          // wide: match the UTF-16LE form of the string
        $a2 = "cnFormSyncExFBC" wide
        $a3 = "cnFormVoidFBC" wide
        $a4 = "cnFormSyncExFBC"      // no modifier: match the ASCII form
        $a5 = "cnFormVoidFBC"
    condition:
        ($mz at 0) and any of ($a*)  // DOS header at offset 0 plus any one marker string
}
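To make the rule's modifiers concrete, here is an added Python example (not Kaspersky's code and not a YARA engine) that re-implements the matching semantics of apt_equation_exploitlib_mutexes over constructed byte buffers: a `wide` string is matched as its UTF-16LE bytes, a plain string as ASCII, `$mz at 0` anchors the MZ header at offset zero rather than anywhere in the file, and `any of ($a*)` is a logical OR over the marker strings. The sample buffers are constructed for the example and contain no real malware; use real YARA for scanning.

```python
import re

# (identifier, text, wide) triples transcribed from the rule's strings: section
RULE_STRINGS = [
    ("$mz", "MZ", False),
    ("$a1", "prkMtx", True),
    ("$a2", "cnFormSyncExFBC", True),
    ("$a3", "cnFormVoidFBC", True),
    ("$a4", "cnFormSyncExFBC", False),
    ("$a5", "cnFormVoidFBC", False),
]


def encode_pattern(text: str, wide: bool) -> bytes:
    """A YARA 'wide' string matches its UTF-16LE bytes; a plain string matches ASCII."""
    return text.encode("utf-16-le") if wide else text.encode("ascii")


def find_strings(data: bytes) -> dict:
    """Return {identifier: [offsets]} for every rule string present in data."""
    found = {}
    for ident, text, wide in RULE_STRINGS:
        pattern = re.escape(encode_pattern(text, wide))
        offsets = [m.start() for m in re.finditer(pattern, data)]
        if offsets:
            found[ident] = offsets
    return found


def rule_fires(data: bytes) -> bool:
    """Evaluate the rule's condition: ($mz at 0) and any of ($a*)."""
    found = find_strings(data)
    mz_at_zero = 0 in found.get("$mz", [])  # '$mz at 0' is offset-anchored, not 'anywhere'
    any_marker = any(ident.startswith("$a") for ident in found)  # 'any of ($a*)' is an OR
    return mz_at_zero and any_marker


# Constructed sample buffers (a fake 64-byte DOS header plus one marker); no real malware.
HEADER = b"MZ" + b"\x00" * 62
SAMPLE_WIDE_HIT = HEADER + "prkMtx".encode("utf-16-le") + b"\x00" * 16
SAMPLE_ASCII_HIT = HEADER + b"cnFormVoidFBC"           # $a5 is the ASCII form, so this fires
SAMPLE_ASCII_MISS = HEADER + b"prkMtx"                  # prkMtx exists only as wide ($a1): no hit
SAMPLE_NO_HEADER = b"\x00" * 64 + "cnFormVoidFBC".encode("utf-16-le")  # marker, but no MZ at 0

if __name__ == "__main__":
    for name, buf in [("wide hit", SAMPLE_WIDE_HIT), ("ascii hit", SAMPLE_ASCII_HIT),
                      ("ascii miss", SAMPLE_ASCII_MISS), ("no header", SAMPLE_NO_HEADER)]:
        print(f"{name:10s} -> fires={rule_fires(buf)} {find_strings(buf)}")
```

The "ascii miss" case is the one worth noticing: the rule only lists prkMtx with the `wide` modifier, so an ASCII occurrence of that mutex name does not satisfy the condition, whereas the two cnForm strings are listed in both forms.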

Equation APT IoC

Equation APT Indicators Of Compromise


C&C Domain Addresses

· advancing-technology.com
· avidnewssource.com
· businessdealsblog.com
· businessedgeadvance.com
· charging-technology.com
· computertechanalysis.com
· config.getmyip.com
· globalnetworkanalys.com
· melding-technology.com
· myhousetechnews.com
· newsterminalvelocity.com
· selective-business.com
· slayinglance.com
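
Added example (not from the original post): a small Python checker that runs the C&C domains listed above against DNS query log lines. The log format and the log lines are constructed for the example. Matching is on the exact domain or on a subdomain of a listed domain, so a lookalike that merely contains an indicator as a substring is not flagged, and the dynamic DNS parent getmyip.com is not treated as an indicator on its own, only the listed host config.getmyip.com.

```python
# Domain IoCs transcribed from the list above (lowercase, no trailing dot).
EQUATION_C2_DOMAINS = frozenset({
    "advancing-technology.com",
    "avidnewssource.com",
    "businessdealsblog.com",
    "businessedgeadvance.com",
    "charging-technology.com",
    "computertechanalysis.com",
    "config.getmyip.com",
    "globalnetworkanalys.com",
    "melding-technology.com",
    "myhousetechnews.com",
    "newsterminalvelocity.com",
    "selective-business.com",
    "slayinglance.com",
})


def normalize(host: str) -> str:
    """Lowercase and strip the trailing dot that DNS logs often keep on FQDNs."""
    return host.strip().lower().rstrip(".")


def matched_ioc(host: str):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    labels = normalize(host).split(".")
    # Walk the suffixes on label boundaries: the host itself, then each parent.
    # A substring hit like 'slayinglance.com.evil-lookalike.net' does not count.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in EQUATION_C2_DOMAINS:
            return candidate
    return None


# Constructed log lines in a made-up format: timestamp, client IP, record type, query name.
SAMPLE_DNS_LOG = """\
2015-02-20T10:15:02Z 10.0.0.5 A update.microsoft.com
2015-02-20T10:15:09Z 10.0.0.5 A www.Advancing-Technology.com.
2015-02-20T10:16:41Z 10.0.0.7 A config.getmyip.com
2015-02-20T10:17:03Z 10.0.0.9 A other.getmyip.com
2015-02-20T10:18:20Z 10.0.0.7 A slayinglance.com.evil-lookalike.net
"""


def scan_dns_log(text: str) -> list:
    """Return (timestamp, client, matched_ioc) for every query that hits the list."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or empty line
        timestamp, client, _rtype, qname = parts[:4]
        ioc = matched_ioc(qname)
        if ioc:
            hits.append((timestamp, client, ioc))
    return hits


if __name__ == "__main__":
    for timestamp, client, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{timestamp} {client} queried Equation C&C domain {ioc}")
```

Of the five constructed lines only two are reported: the mixed-case www subdomain with a trailing dot (normalized before matching) and the exact config.getmyip.com host; the sibling other.getmyip.com and the lookalike suffix are left alone.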

Wednesday, 18 February 2015

Carbanak APT

BAT file to detect infection

@echo off
rem Name the log after the host so results from many machines can be collected on one share
for /f %%a in ('hostname') do set "name=%%a"
rem echo on its own line: %name% is expanded when the line is parsed, so it must follow the for loop
echo %name%
del /f %name%.log 2> nul
rem Host artifacts: dropped .bin files, svchost.exe in a com\ folder, a PAExec binary
if exist "c:\Documents and settings\All users\application data\mozilla\*.bin" echo "BIN detected" >> %name%.log
if exist %SYSTEMROOT%\System32\com\svchost.exe echo "COM detected" >> %name%.log
if exist "c:\ProgramData\mozilla\*.bin" echo "BIN2 detected" >> %name%.log
if exist %SYSTEMROOT%\paexec* echo "Paexec detected" >> %name%.log
if exist %SYSTEMROOT%\Syswow64\com\svchost.exe echo "COM64 detected" >> %name%.log
rem Services whose name ends in "Sys": if findstr finds any (ERRORLEVEL 0), append them to the log
SC QUERY state= all | find "SERVICE_NAME" | findstr "Sys$"
if q%ERRORLEVEL% == q0 SC QUERY state= all | find "SERVICE_NAME" | findstr "Sys$" >> %name%.log
rem No findings: write Ok so a missing log is not mistaken for a failed run, then copy to the collection share
if not exist %name%.log echo Ok > %name%.log
xcopy /y %name%.log "\\<IP>\logVirus"