// Brambul related signatures
import "pe"
// Brambul component, matched two ways: (a) the code sequence that stores a set
// of hard-coded immediates into a buffer (labelled by the author as SMB
// negotiation packet generation) inside the .text section, or (b) a hard-coded
// password plus at least one of the encoded-looking library/API strings inside
// the .data section.
rule SierraBravo_Two
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - [email protected]"
    strings:
        // Two observed encodings of the same store sequence (esi-based and
        // ebx-based). In the hex pattern below each `mov word/dword ptr
        // [reg+disp8], imm` has its ModRM byte wildcarded (??) so both base
        // registers match, and the [0-32] jumps absorb the interleaved
        // instructions marked "ignored" in the listings.
        /*
        .text:00403D5A mov word ptr [esi+0Eh], 0C807h
        .text:00403D60 mov dword ptr [esi+39h], 800000D4h
        .text:00403D67 mov byte ptr [edi], 0Ch <---- ignored
        .text:00403D6A mov word ptr [esi+25h], 0FFh
        .text:00403D70 mov word ptr [esi+27h], 0A4h
        .text:00403D76 mov word ptr [esi+29h], 4104h
        .text:00403D7C mov word ptr [esi+2Bh], 32h
        or
        .text:100036F9 mov word ptr [ebx+0Eh], 0C807h
        ---- begin ignored -----
        .text:100036FF rep movsd
        .text:10003701 lea edi, [ebx+60h]
        .text:10003704 mov ecx, 9
        .text:10003709 mov esi, offset aWindows2000219 ; "windows 2000 2195"
        ---- end ignored -----
        .text:1000370E mov dword ptr [ebx+39h], 800000D4h
        .text:10003715 mov word ptr [ebx+25h], 0FFh
        .text:1000371B mov word ptr [ebx+27h], 0A4h
        .text:10003721 mov word ptr [ebx+29h], 4104h
        .text:10003727 mov word ptr [ebx+2Bh], 32h
        */
        // 66 C7 ?? 0E 07 C8  = mov word ptr [reg+0Eh], 0C807h (immediates are
        // little-endian in the pattern); C7 ?? 39 D4 00 00 80 = the dword store.
        $smbComNegotiationPacketGen = { 66 C7 ?? 0E 07 C8 [0-32] C7 ?? 39 D4 00 00 80 [0-32] 66 C7 ?? 25 FF 00 [0-32] 66 C7 ?? 27 A4 00 [0-32] 66 C7 ?? 29 04 41 [0-32] 66 C7 ?? 2B 32 00}
        // "!"-prefixed alphanumeric blobs; judging by the identifiers these are
        // encoded library/API names — the encoding is not shown here.
        $lib = "!emCFgv7Xc8ItaVGN0bMf"
        $api1 = "!ctRHFEX5m9JnZdDfpK"
        // NOTE(review): $api2 is byte-identical to $lib, so the $api2 term in the
        // condition is redundant. This may be a copy/paste slip for a different
        // encoded name; confirm against the sample before changing it.
        $api2 = "!emCFgv7Xc8ItaVGN0bMf"
        $api3 = "!VWBeBxYx1nzrCkBLGQO"
        // Presumably a hard-coded credential used by the sample; only its
        // presence in .data is checked.
        $pwd = "iamsorry!@1234567"
    condition:
        // All matches are restricted to a section's raw (on-disk) byte range:
        // raw_data_offset .. raw_data_offset + raw_data_size. If the file is not
        // a PE, or lacks a .text/.data section, pe.section_index() is undefined
        // and the affected sub-expression evaluates false under YARA's
        // undefined-value semantics, so such files simply do not match.
        //
        // Branch (a): the packet-building code in .text.
        $smbComNegotiationPacketGen in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
        // Branch (b): password AND at least one library/API string, all in .data.
        or ($pwd in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size))
        and
        ($lib in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size))
        or $api1 in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size))
        or $api2 in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size))
        or $api3 in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size))
        ))
}
// Brambul component, matched on the code that prepares a socket for the
// spreading routine (the author's label): an ioctlsocket() call followed by
// fd_set and timeval setup (the arguments one would pass to select()), matched
// only inside the .text section's raw byte range.
rule SierraBravo_One
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - [email protected]"
    strings:
        // 8004667Eh is FIONBIO, i.e. the socket is switched to non-blocking
        // mode. The fd_set holds exactly one descriptor and the timeout is
        // 3 s / 0 us. The 32h pushed as dwMilliseconds is an argument to a
        // call outside the listing (presumably a short sleep; not shown).
        /*
        .text:00402A65 push 8004667Eh ; cmd
        .text:00402A6A push esi ; s
        .text:00402A6B call ioctlsocket
        .text:00402A70 push 32h ; dwMilliseconds
        .text:00402A72 mov [esp+24Ch+writefds.fd_array], esi
        .text:00402A79 mov [esp+24Ch+writefds.fd_count], 1
        .text:00402A84 mov [esp+24Ch+timeout.tv_sec], 3
        .text:00402A8C mov [esp+24Ch+timeout.tv_usec], 0
        */
        // Byte-level mapping of the listing above:
        //   68 7E 66 04 80        push 8004667Eh
        //   5?                    push <reg>   (register wildcarded)
        //   E8 [4]                call rel32   (target wildcarded)
        //   6A 32                 push 32h
        //   89 B4 [5]             mov [esp+disp32], esi   (SIB + disp32 wildcarded)
        //   C7 84 [5] 01 00 00 00 mov dword [esp+disp32], 1
        //   C7 44 [2] 03 00 00 00 mov dword [esp+disp8], 3
        //   C7 44 [2] 00 00 00 00 mov dword [esp+disp8], 0
        $spreaderSetup = {68 7E 66 04 80 5? E8 [4] 6A 32 89 B4 [5] C7 84 [5] 01 00 00 00 C7 44 [2] 03 00 00 00 C7 44 [2] 00 00 00 00 }
    condition:
        // Restricted to .text's raw range; a non-PE file or one without a .text
        // section yields an undefined range and therefore no match.
        $spreaderSetup in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
// Loose string-based catch for packed Brambul samples where the code patterns
// of the two rules above are not visible. Any three of the four strings
// suffice, there is no PE-header or section check, and three of the strings
// are fairly generic (SMTP fragments and a packer section name), so treat a
// hit as a lead to confirm by unpacking or with the code-pattern rules rather
// than as a standalone verdict.
rule SierraBravo_packed
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - [email protected]"
    strings:
        // Shell command that deletes the ADMIN$ administrative share.
        $ = "cmd.exe /c \"net share admin$ /d\""
        // SMTP envelope sender command fragment.
        $ = "MAIL FROM:<"
        // Section name used by the Petite executable packer.
        $ = ".petite"
        // Format string for an e-mail subject carrying three pipe-separated fields.
        $ = "Subject: %s|%s|%s"
    condition:
        // Note that the cmd.exe string is not required: any three strings match,
        // including the three generic ones alone.
        3 of them
}