
RawPOS YARA Rules

// RawPOS service component. Keys on the service-control / installer
// messages, the hard-coded named pipe and the event-log source
// registration path. Every string is plain ascii (no wide/nocase
// modifier), so only the narrow-encoded form of each message matches.
// NOTE(review): there is no filesize or PE-header gate; that is fine for
// memory scans, but for file-only scans a `uint16(0) == 0x5A4D` guard
// would cut scan cost and false positives.
rule PoS_Malware_RawPOS2015_service : RawPOS2015_service
{
    meta:
        author = "Trend Micro, Inc."
        date = "2015-03-10"
        description = "Used to detect RawPOS RAM service, including 2015 sample set"
        sample_filetype = "exe"

    strings:
        // Service-control and installation status/error messages
        $svc_open      = "OpenService failed -%s"
        $svc_scm       = "OpenSCManager failed -%s"
        $svc_install   = "Unable to install %s -%s"
        $svc_exists    = "File already exists"
        $svc_stopping  = "Stopping %s."
        $svc_wait      = "This may take several seconds.  Please wait."
        $svc_stopfail  = "%s failed to stop."
        $svc_removed   = "%s removed."
        $svc_debug     = "Debugging %s."
        // The misspelling "registery" is in the binary; do not "correct" it.
        $svc_regkey    = "Could not create registery key"
        // Named pipe used by the service and the event-log registry path
        $svc_pipe      = "\\\\.\\pipe\\susrv"
        $svc_eventlog  = "SYSTEM\\CurrentControlSet\\Services\\EventLog\\Application\\%s"

    condition:
        // Every string must be present; one missing string is a miss.
        all of them
}


// RawPOS memory dumper, 2015 sample set. Requires the dump-output
// strings and the operator-facing messages, plus at least one of the
// pattern fragments. All strings are plain ascii (no wide/nocase).
rule PoS_Malware_RawPOS2015_dumper: RawPOS2015_dumper
{
    meta:
        author = "Trend Micro, Inc."
        date = "2015-03-10"
        description = "Used to detect RawPOS RAM dumper, including 2015 sample set"
        sample_filetype = "exe"

    strings:
        // Fragments of the regular expressions the dumper appears to use
        // to locate card track data in process memory (cf. $ui_found).
        // Only one of these has to be present.
        $trk_exp1   = "(1[0-2]))([0-9]"
        $trk_exp2   = "(1[0-2]))[0-9]{8,30})"
        $trk_pan    = "((B(([0-9]{13,16})"
        // Console messages shown to the operator
        $ui_found   = "Found track data at %s with PID %d"
        $ui_prompt  = "Enter Process Id: "
        $ui_bypid   = " Dump private process memory by PID"
        $ui_dumping = "Dumping private memory for pid %s to %s.dmp..."
        $ui_full    = " Full private dump of all running processes"
        // Dump file naming and output directory creation
        $out_path   = "memdump\\%s-%d.dmp"
        $out_mkdir  = "mkdir memdump >NUL 2>NUL"

    condition:
        all of ($out*) and all of ($ui*) and any of ($trk*)
}

// Older (pre-2012) RawPOS memory dumper. Keys on the tool's usage text,
// progress output and dump file naming. Several strings are shared with
// the 2015 dumper rule; this rule requires all of them. Plain ascii only.
rule PoS_Malware_RawPOS2015_dumper_old : RawPOS2015_dumper_old
{
    meta:
        author = "Trend Micro, Inc."
        date = "2015-03-10"
        description = "Used to detect RawPOS memory dumper, pre-2012"
        sample_filetype = "exe"

    strings:
        // Command-line usage / help text
        $old_help_full = " Full private dump of all running processes"
        $old_help_info = " show info on Process like Path"
        $old_help_help = " Show this help"
        $old_help_list = " List all running processes"
        // Progress output, dump file naming and cleanup
        $old_dumping   = "Dumping private memory for pid %s to %s.dmp..."
        $old_dmpname   = "%s-%d.dmp"
        $old_dmppath   = "memdump\\%s-%d.dmp"
        $old_del       = "del memdump\\"
        $old_banner    = "Process Memory Dumper"
        // Per-module listing fields
        $old_base      = "Base size: %u"
        $old_modid     = "Module ID: %u"
        $old_hex       = "Hex: %xh"

    condition:
        // Every string must be present.
        all of them
}
