Added new yara rules 2024-02-13

shu-tom · shu-tom · commit 0722a9365ec6 · 2024-02-13T07:20:35.000Z
diff --git a/Lazarus/lazarus.yara b/Lazarus/lazarus.yara
@@ -576,3 +576,28 @@ rule lazarus_dbgsymbols_str{
          uint32(uint32(0x3c)) == 0x00004550 and
          3 of ($str*) and all of ($filename)
 }
+
+rule Lazarus_npmLoader_dll {
+     meta:
+        description = "npmLoaderDll using Lazarus"
+        author = "JPCERT/CC Incident Response Group"
+        hash = "b4c8c149005a43ae043038d4d62631dc1a0f57514c7cbf4f7726add7ec67981a"
+        hash = "eb8756ace46662a031c1d2422a91f0725ea7c4de74bfff4fce2693e7967be16e"
+        hash = "aec915753612bb003330ce7ffc67cfa9d7e3c12310f0ecfd0b7e50abf427989a"
+
+     strings:
+        $jnkcode = { 66 66 66 66 ?? ?? ?? ?? 00 00 00 00 00 }
+        $enccode1 = { 81 E2 FF 03 00 00 41 81 E1 FF 03 00 00 81 E7 FF 03 00 00 81 E1 FF 03 00 00 }
+        $enccode2 = { 48 33 D1 8B C1 41 C1 CA 0A C1 C0 09 81 E2 FF 03 00 00 44 33 D0 }
+        $pdb1 = "F:\\workspace\\CBG\\Loader\\npmLoaderDll\\x64\\Release\\npmLoaderDll.pdb" ascii wide
+        $pdb2 = "F:\\workspace\\CBG\\npmLoaderDll\\x64\\Release\\npmLoaderDll.pdb" ascii wide
+        $pdb3 = "D:\\workspace\\CBG\\Windows\\Loader\\npmLoaderDll\\x64\\Release\\npmLoaderDll.pdb" ascii wide
+        $pdb4 = "npmLoaderDll\\x64\\Release\\npmLoaderDll.pdb" ascii wide
+
+     condition:
+       uint16(0) == 0x5A4D and
+       uint32(uint32(0x3c)) == 0x00004550 and
+       (
+        (1 of ($pdb*)) or ($jnkcode and all of ($enccode*))
+       )
+}
diff --git a/other/ivanti_connect_secure.yara b/other/ivanti_connect_secure.yara
@@ -0,0 +1,16 @@
+rule webshell_DSLog_str {
+    meta:
+        description = "Ivanti Connect Secure infected DSLog.pm backdoor"
+        author = "JPCERT/CC Incident Response Group"
+        hash = "88071ac4500021da896d0a92c935dcb9ca5c2dfe02caa0ee1b924d8b72ae404e"
+
+    strings:
+        $str1 = "my $ua = $ENV{HTTP_USER_AGENT};" ascii
+        $str2 = "my $req = $ENV{QUERY_STRING};" ascii
+        $str3 = "my @param = split(/&/, $req);" ascii
+        $str4 = "system(${res[1]});" ascii
+        $str5 = "$res[1] =~ tr/!-~/P-~!-O/;" ascii
+
+    condition:
+    	all of them
+}
diff --git a/other/phpmal.yara b/other/phpmal.yara
@@ -36,3 +36,36 @@ rule malware_seospam_php {
      condition:
        7 of them
 }
+
+rule malware_ruoji_phpwebshell {
+     meta:
+        description = "ruoji webshell"
+        author = "JPCERT/CC Incident Response Group"
+        hash = "8a389390a9ce4aba962e752218c5e9ab879b58280049a5e02b9143e750265064"
+
+     strings:
+        $s1 = "zxcszxctzxcrzxc_zxcrzxcezxc" ascii
+        $s2 = "<?php if ($_COOKIE[" ascii
+        $s3 = "'] !== $_GET['" ascii
+        $s4 = "'] && @md5($_GET['" ascii
+        $s5 = "']) === @md5($_GET['" ascii
+
+     condition:
+       4 of them
+}
+
+rule malware_spider_phpwebshell {
+     meta:
+        description = "Spider PHP Shell"
+        author = "JPCERT/CC Incident Response Group"
+        hash = "ae17d97d8f7fd5216776e2ec457a2d60567bc6cc175206d0641861f71a7e7614"
+
+     strings:
+        $s1 = "<title> Spider PHP Shell" ascii
+        $s2 = "<li><a href=\"?s=k\" id=\"t_10\" onclick=\"switchTab('t_10')\" target=\"main\"> Linux" ascii
+        $s3 = "if($_COOKIE['admin_spiderpass'] != md5($password))" ascii
+        $s4 = "case \"b\" : Guama_b(); break;" ascii
+        
+     condition:
+       2 of them
+}
diff --git a/other/sqroot.yara b/other/sqroot.yara
@@ -90,4 +90,117 @@ rule malware_sqroot_webphp {
      condition:
        uint32(0) == 0x68703f3c and
        4 of ($func*)
-}
+}
+
+rule malware_sqroot_cat {
+   meta:
+     description = "cat plugin downloaded by sqroot"
+     author = "JPCERT/CC Incident Response Group"
+     
+   strings:
+     $s1 = "Catcher start" wide
+     $s2 = "Catcher exit" wide
+     $s3 = "[%04d/%02d/%02d %02d:%02d:%02d] %s\n" wide
+     $s4 = {2A 00 6C 00 6F 00 67 00  00 00 00 00 23 00 21 00}
+
+   condition:
+     uint16(0) == 0x5A4D and
+     uint32(uint32(0x3c)) == 0x00004550 and
+     3 of them
+}
+
+rule malware_sqroot_snapshot {
+   meta:
+     description = "snapshot plugin downloaded by sqroot"
+     author = "JPCERT/CC Incident Response Group"
+     
+   strings:
+     $s1 = "e:\\vsprojects\\crataegus\\snaptik\\maz\\miniz.c" wide
+     $s2 = "%s-%02d%02d_%02d%02d%02d.maz" wide
+     $s3 = "%s%s_%02d%02d%02d(%d).png" wide
+     $s4 = "gdi_cache" wide
+     $s5 = "capture_flag.ini" wide
+     $s6 = "cf_mptmb" wide
+     $s7 = "cf_pakdir" wide
+     $s8 = "DoGdiCapture" ascii
+     
+   condition:
+     uint16(0) == 0x5A4D and
+     uint32(uint32(0x3c)) == 0x00004550 and
+     4 of them
+}
+
+rule malware_sqroot_keylogger {
+   meta:
+     description = "keylog plugin downloaded by sqroot"
+     author = "JPCERT/CC Incident Response Group"
+     
+   strings:
+     $s1 = "record-%04d%02d%02d-%02d%02d%02d.ini" ascii
+     $s2 = "g_hKeyLogMsgLoopThread exit" ascii
+     $s3 = "OCR_INI_DEBUG.abc" ascii
+     $s4 = {59 6F 75 27 72 65 20 61  63 74 69 76 61 74 65 64 00 00 00 00 52 33 32 41 63 74 69 76 65}
+
+   condition:
+     uint16(0) == 0x5A4D and
+     uint32(uint32(0x3c)) == 0x00004550 and
+     2 of them
+}
+
+rule malware_sqroot_pluginloader {
+   meta:
+     description = "plugin loader downloaded by sqroot"
+     author = "JPCERT/CC Incident Response Group"
+     
+   strings:
+     $a1 = "Active() found" ascii
+     $a2 = "Active:Thread created!" ascii
+     $b1 = {6A 74 70 61 00}
+     $b2 = {6A 74 70 63 00}
+     $b3 = {6A 74 70 74 00}
+     $b4 = "%s*.tmp" ascii
+     $c1 = "SignalS1" ascii
+     $c2 = "SignalS2" ascii
+     $c3 = "SignalS3" ascii
+     
+   condition:
+     uint16(0) == 0x5A4D and
+     uint32(uint32(0x3c)) == 0x00004550 and
+     5 of them
+}
+
+rule malware_sqroot_coreloader {
+   meta:
+     description = "loader downloaded by sqroot"
+     author = "JPCERT/CC Incident Response Group"
+     
+   strings:
+     $query = "%s?hid=%s&uid=%s&cid=%x" ascii
+     $decode_routine = {8A 8A ?? ?? ?? ?? 02 C1 32 C1 2A C1 0F B6 8E ?? ?? ?? ?? 88 86 ?? ?? ?? ?? 8D 46 ?? 99 F7 FF 8A 82 ?? ?? ?? ?? 02 C8 32 C8 2A C8 88 8E ?? ?? ?? ?? 83 C6 02 81 FE 0A 04 00 00}
+     
+   condition:
+     uint16(0) == 0x5A4D and
+     uint32(uint32(0x3c)) == 0x00004550 and
+     all of them
+}
+
+rule malware_sqroot_corerat {
+   meta:
+     description = "RAT downloaded by sqroot"
+     author = "JPCERT/CC Incident Response Group"
+     
+   strings:
+     $a1 = "openfile %s error!" ascii
+     $a2 = "remote file error!" ascii
+     $a3 = "upload well!" ascii
+     $a4 = "%s?hid=%s&uid=%s&cid=%x" ascii
+     $a5 = "%s|%s|%s|%s|%s|%s|%d|%s|" ascii
+     $b1 = {68 24 11 00 00 E8}
+     $b2 = {C7 03 37 11 00 00}
+     
+   condition:
+     uint16(0) == 0x5A4D and
+     uint32(uint32(0x3c)) == 0x00004550 and
+     (all of ($a*) or all of ($b*))
+}
+
diff --git a/other/stealc.yara b/other/stealc.yara
@@ -0,0 +1,32 @@
+rule malware_Stealc_str {
+    meta:
+        description = "Stealc infostealer"
+        author = "JPCERT/CC Incident Response Group"
+        hash = "c9bcdc77108fd94f32851543d38be6982f3bb611c3a1115fc90013f965ed0b66"
+
+    strings:
+        $decode_code = {
+          68 D0 07 00 00
+          6A 00
+          8D 85 ?? ?? ?? ??
+          50
+          FF 15 ?? ?? ?? ??
+          83 C4 0C
+          C7 85 ?? ?? ?? ?? 00 00 00 00
+          EB ??
+          8B 8D ?? ?? ?? ??
+          83 C1 01
+          89 8D ?? ?? ?? ??
+          81 BD ?? ?? ?? ?? 00 01 00 00
+        }
+        $anti_code1 = {6A 04 68 00 30 00 00 68 C0 41 C8 17 6A 00 FF 15}
+        $anti_code2 = {90 8A C0 68 C0 9E E6 05 8B 45 ?? 50 E8}
+        $s1 = "- IP: IP?" ascii
+        $s2 = "- Country: ISO?" ascii
+        $s3 = "- Display Resolution:" ascii
+
+     condition:
+       uint16(0) == 0x5A4D and
+       uint32(uint32(0x3c)) == 0x00004550 and
+       ($decode_code or all of ($anti_code*) or all of ($s*))
+}
