22 Nisan 2015 Çarşamba

Hellsing Yara Rules

rule apt_hellsing_implantstrings {
meta:
version = "1.0"
filetype = "PE"
author = "Costin Raiu, Kaspersky Lab"
copyright = "Kaspersky Lab"
date = "2015-04-07"
description = "detection for Hellsing implants"
strings:
$mz="MZ"
$a1="the file uploaded failed !"
$a2="ping 127.0.0.1"
$b1="the file downloaded failed !"
$b2="common.asp"

$c="xweber_server.exe"
$d="action="
$debugpath1="d:\\Hellsing\\release\\msger\\" nocase
$debugpath2="d:\\hellsing\\sys\\xrat\\" nocase
$debugpath3="D:\\Hellsing\\release\\exe\\" nocase
$debugpath4="d:\\hellsing\\sys\\xkat\\" nocase
$debugpath5="e:\\Hellsing\\release\\clare" nocase
$debugpath6="e:\\Hellsing\\release\\irene\\" nocase
$debugpath7="d:\\hellsing\\sys\\irene\\" nocase
$e="msger_server.dll"
$f="ServiceMain"
condition:
($mz at 0) and (all of ($a*)) or (all of ($b*)) or ($c and $d) or (any of ($debugpath*)) or ($e and $f) and filesize < 500000
}

rule apt_hellsing_installer {
meta:
version = "1.0"
filetype = "PE"
author = "Costin Raiu, Kaspersky Lab"
copyright = "Kaspersky Lab"
date = "2015-04-07"
description = "detection for Hellsing xweber/msger installers"
strings:
$mz="MZ"
$cmd="cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \"%s\""
$a1="xweber_install_uac.exe"
$a2="system32\\cmd.exe" wide
$a4="S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y="
$a5="S11SWFOrVwR9dnFTUgRUVlNHWVdXBFpTVgRdUlpWRVZZWARdUqhZVlpFR1kEUVNSXahTVgRaU1YEUVNSXahTVl1SWwRZValdVFFZUqgQBF1SWlZFVllYBFRTVqg="
$a6="7dqm2ODf5N/Y2N/m6+br3dnZpunl44g="
$a7="vd/m7OXd2ai/5u7a59rr7Ki45drcqMPl5t/c5dqIZw=="
$a8="vd/m7OXd2ai/usPl5qjY2uXp69nZqO7l2qjf5u7a59rr7Kjf5tzr2u7n6euo4+Xm39zl2qju5dqo4+Xm39zl2t/m7ajr19vf2OPr39rj5eaZmqbs5OSI Njl2tyI"
$a9="C:\\Windows\\System32\\sysprep\\sysprep.exe" wide
$a10="%SystemRoot%\\system32\\cmd.exe" wide
$a11="msger_install.dll"
$a12={00 65 78 2E 64 6C 6C 00}
condition:
($mz at 0) and ($cmd and (2 of ($a*))) and filesize < 500000
}

rule apt_hellsing_proxytool {
meta:
version = "1.0"
filetype = "PE"
author = "Costin Raiu, Kaspersky Lab"
copyright = "Kaspersky Lab"
date = "2015-04-07"
description = "detection for Hellsing proxy testing tool"
strings:
$mz="MZ"
$a1="PROXY_INFO: automatic proxy url => %s "
$a2="PROXY_INFO: connection type => %d "
$a3="PROXY_INFO: proxy server => %s "
$a4="PROXY_INFO: bypass list => %s "
$a5="InternetQueryOption failed with GetLastError() %d"
$a6="D:\\Hellsing\\release\\exe\\exe\\" nocase
condition:
($mz at 0) and (2 of ($a*)) and filesize < 300000
}

rule apt_hellsing_xkat {
meta:
version = "1.0"
filetype = "PE"
author = "Costin Raiu, Kaspersky Lab"
copyright = "Kaspersky Lab"
date = "2015-04-07"
description = "detection for Hellsing xKat tool"
strings:
$mz="MZ"
$a1="\\Dbgv.sys"
$a2="XKAT_BIN"
$a3="release sys file error."
$a4="driver_load error. "
$a5="driver_create error."
$a6="delete file:%s error."
$a7="delete file:%s ok."
$a8="kill pid:%d error."
$a9="kill pid:%d ok."
$a10="-pid-delete"
$a11="kill and delete pid:%d error."
$a12="kill and delete pid:%d ok."
condition:
($mz at 0) and (6 of ($a*)) and filesize < 300000
}

rule apt_hellsing_msgertype2 {
meta:
version = "1.0"
filetype = "PE"
author = "Costin Raiu, Kaspersky Lab"
copyright = "Kaspersky Lab"
date = "2015-04-07"
description = "detection for Hellsing msger type 2 implants"
strings:
$mz="MZ"
$a1="%s\\system\\%d.txt"
$a2="_msger"
$a3="http://%s/lib/common.asp?action=user_login&uid=%s&lan=%s&host=%s&os=%s&proxy=%s"
$a4="http://%s/data/%s.1000001000"
$a5="/lib/common.asp?action=user_upload&file="
$a6="%02X-%02X-%02X-%02X-%02X-%02X"
condition:
($mz at 0) and (4 of ($a*)) and filesize < 500000
}

rule apt_hellsing_irene {
meta:
version = "1.0"
filetype = "PE"
author = "Costin Raiu, Kaspersky Lab"
copyright = "Kaspersky Lab"
date = "2015-04-07"
description = "detection for Hellsing msger irene installer"
strings:
$mz="MZ"
$a1="\\Drivers\\usbmgr.tmp" wide
$a2="\\Drivers\\usbmgr.sys" wide
$a3="common_loadDriver CreateFile error! "
$a4="common_loadDriver StartService error && GetLastError():%d! "
$a5="irene" wide
$a6="aPLib v0.43 - the smaller the better"
condition:
($mz at 0) and (4 of ($a*)) and filesize < 500000
}

Ref: http://securelist.com

Hiç yorum yok:

Yorum Gönder