Added new yara rules 2023-12-15

shu-tom · shu-tom · commit 28762bd618bf · 2023-12-15T05:29:24.000Z
diff --git a/Lazarus/lazarus.yara b/Lazarus/lazarus.yara
@@ -555,4 +555,24 @@ rule Lazarus_magicpoint_code {
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3c)) == 0x00004550 and
        4 of ($str*)
-}
+}
+
+rule lazarus_dbgsymbols_str{
+       meta:
+         description = "Exploit tools in Lazarus"
+         author = "JPCERT/CC Incident Response Group"
+         hash = "50869d2a713acf406e160d6cde3b442fafe7cfe1221f936f3f28c4b9650a66e9" 
+
+       strings:
+         $str1 = "getsymbol" nocase
+         $str2 = "dbgsymbol.com" wide
+         $str3 = "c:\\symbols" wide
+         $str4 = "symchk.exe /r /if %s /s SRV*%s*%s" wide
+         $str5 = "Symbol Download Finished!" wide
+	      $filename = "symbolcheck.dll" wide
+
+       condition:
+         uint16(0) == 0x5A4D and
+         uint32(uint32(0x3c)) == 0x00004550 and
+         3 of ($str*) and all of ($filename)
+}
diff --git a/Tick/tick.yara b/Tick/tick.yara
@@ -287,3 +287,37 @@ rule tick_ABK_downloader_susp_ua {
 //        (filesize<50MB) and
 //        (cuckoo.sync.mutex(/PPGword/) or cuckoo.sync.mutex(/CQFB/))
 //}
+
+rule malware_gokcpdoor_golang {
+    meta:
+        description = "gokcpdoor"
+        author = "JPCERT/CC Incident Response Group"
+        hash = "2dd8ab1493a97e0a4416e077d6ce1c35c7b2d8749592b319a7e2a8f4cd1cc008"
+
+     strings:
+        $gofunc1 = "CopyConn2StdinPipe" ascii wide
+        $gofunc2 = "CopyStdoutPipe2Conn" ascii wide
+        $gofunc3 = "handleConnection" ascii wide
+        $gofunc4 = "addudpforward" ascii wide
+        $gofunc5 = "addtcpforward" ascii wide
+        $gofunc6 = "addsocks5" ascii wide
+        $gofunc7 = "handleConnWait" ascii wide
+        $gofunc8 = "readconfig" ascii wide
+        $log1 = "[+] socks5 add ok" ascii wide
+        $log2 = "[+] portforward add ok" ascii wide
+        $log3 = "[-] First param must be one of [add,del,list]" ascii wide
+        $log4 = "[-] socks5 del param num must exceed 3!" ascii wide
+        $log5 = "[*] portforward list:" ascii wide
+        $log6 = "[*] please input a supported command, you can see help first!" ascii wide
+        $str1 = "!!!ok!!!"
+        $str2 = {23 23 23 64 6F 77 6E 6C} // ###downloadend$$$
+        $str3 = {23 23 23 75 70 6C 6F 61} // ###uploadend$$$
+        $gofile1 = "kcp.go" ascii wide
+        $gofile2 = "udp.go" ascii wide
+        $gofile3 = "target.go" ascii wide
+        $gofile4 = "exec_lin.go" ascii wide
+        $gofile5 = "gokcpdoor[0-9]" ascii wide
+
+     condition:
+        6 of ($gofunc*) or 5 of ($log*) or all of ($str*) or all of ($gofile*)
+}
diff --git a/other/IcedID.yara b/other/IcedID.yara
@@ -0,0 +1,20 @@
+rule malware_IcedID_loader {
+     meta:
+        description = "IcedID Loader"
+        author = "JPCERT/CC Incident Response Group"
+        hash = "6ae543b0a3380779b65bff8c3ca0267f741173aed0d35265d6c92c0298fb924c"
+
+     strings:
+        $a1 = "update_data.dat" wide
+        $a2 = "files/bp.dat" ascii
+        $a3 = "Update_%x" wide
+        $a4 = "Custom_update" wide
+        $b1 = {35 87 63 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 35 9A 76 00 00}
+        $b2 = {C7 ?? ?? C5 9D 1C 81} // FNV1a
+        $b3 = {69 ?? ?? 93 01 00 01} // FNV1a
+
+     condition:
+       uint16(0) == 0x5A4D and
+       uint32(uint32(0x3c)) == 0x00004550 and
+       (all of ($a*) or all of ($b*))
+}
diff --git a/other/MedusaLocker.yara b/other/MedusaLocker.yara
@@ -0,0 +1,17 @@
+rule malware_MedusaLocker3_str {
+     meta:
+        description = "MedusaLocker3 ransomware"
+        author = "JPCERT/CC Incident Response Group"
+        hash = "d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae"
+
+     strings:
+        $s1 = "D:\\Education\\locker\\bin\\stub_win_x64_encrypter.pdb" ascii
+        $s2 = "SOFTWARE\\PAIDMEMES" wide
+        $s3 = "sMasterPublicKey" ascii
+        $s4 = "[+] Keys retrieved from registry" wide
+
+     condition:
+       uint16(0) == 0x5A4D and
+       uint32(uint32(0x3c)) == 0x00004550 and
+       3 of them
+}
diff --git a/other/SteelClover.yara b/other/SteelClover.yara
diff --git a/other/TokyoX.yara b/other/TokyoX.yara
@@ -19,11 +19,10 @@ rule malware_TokyoX_RAT {
 
     strings:
         $mz = { 74 6F 6B 79 6F 00 00 00 } // tokyo
-        $pe = "PE"
         $format1 = "%08lX%04lX%04lX%02lx%02lx%02lx%02lx%02lx%02lx%02lx%02lx"
         $format2 = "%d-%d-%d %d:%d:%d" wide
         $uniq_path = "C:\\Windows\\SysteSOFTWARE\\Microsoft\\Windows NT\\Cu"
 
     condition:
-        ($mz at 0 and $pe in (0x0..0x200)) or all of ($format*) or $uniq_path
+        ($mz at 0 and all of ($format*)) or $uniq_path
 }
diff --git a/other/machOdownloader.yara b/other/machOdownloader.yara
@@ -0,0 +1,47 @@
+
+
+rule malware_unknown_machOdownloader {
+     meta:
+        description = "Mach-O malware"
+        author = "JPCERT/CC Incident Response Group"
+        hash = "3266e99f14079b55e428193d5b23aa60862fe784ac8b767c5a1d49dfe80afeeb "
+
+     strings:
+        $str1 = "DiagPeersHelper" ascii
+        $str2 = "DiagnosticsPeer" ascii
+        $str3 = "ticsPeer/" ascii
+
+        /*
+        48 B9 3F 72 65 73 70 6F 6E 73       mov     rcx, 736E6F707365723Fh
+        */
+        $func0 = { 48 B9 3F 72 65 73 70 6F 6E 73 }
+
+        /*
+        48 B8 74 61 72 20 7A 78 76 66       mov     rax, 6676787A20726174h
+        */
+        $func1 = { 48 B8 74 61 72 20 7A 78 76 66 }
+
+        /*
+        E8 60 04 00 00                      call    _strlen
+        C7 84 05 20 E7 FF FF 27 20 2D 43    mov     dword ptr [rbp+rax+shellcmd], 432D2027h
+        C7 84 05 23 E7 FF FF 43 20 27 00    mov     dword ptr [rbp+rax+shellcmd+3], 272043h
+        48 89 DF                            mov     rdi, rbx        ; __s1
+        4C 89 E6                            mov     rsi, r12        ; __s2
+        E8 33 04 00 00                      call    _strcat
+        48 89 DF                            mov     rdi, rbx        ; __s
+        E8 37 04 00 00                      call    _strlen
+        */
+        $func2 = { E8 [4] C7 84 05 [4] 27 20 2D 43 C7 84 05 [4] 43 20 27 00 48 89 DF 4C 89 E6 E8 33 04 00 00 }
+
+     condition: 
+        (uint32(0) == 0xfeedface or /* 32 bit */
+         uint32(0) == 0xcefaedfe or /* NXSwapInt(MH_MAGIC */
+         uint32(0) == 0xfeedfacf or /* 64 bit */
+         uint32(0) == 0xcffaedfe or /* NXSwapInt(MH_MAGIC_64) */
+         uint32(0) == 0xcafebabe or /* FAT, Java */
+         uint32(0) == 0xbebafeca or /* NXSwapInt(FAT_MAGIC) */
+         uint32(0) == 0xcafebabf or /* FAT 64 bit */
+         uint32(0) == 0xbfbafeca )  /* NXSwapLong(FAT_MAGIC_64) */
+        and (filesize < 10MB)
+        and ( ( 2 of ($str*) ) or ( 2 of ($func*) ))
+}
diff --git a/other/phpmal.yara b/other/phpmal.yara
@@ -13,3 +13,26 @@ rule malware_lvscam_phpwebshell {
     condition:
         2 of them
 }
+
+rule malware_seospam_php {
+     meta:
+        description = "PHP using Japanese SEO Spam"
+        author = "JPCERT/CC Incident Response Group"
+        hash = "619cf6a757a1967382287c30d95b55bed3750e029a7040878d2f23efda29f8f0"
+
+     strings:
+        $func1 = "function dageget($" ascii
+        $func2 = "function sbot()" ascii
+        $func3 = "function st_uri()" ascii
+        $func4 = "function is_htps()" ascii
+        $query1 = /sha1\(sha1\(@\$_GET\[\"(a|\\x61|\\141)"\]\)\);/ ascii
+        $query2 = /sha1\(sha1\(@\$_GET\[\"(b|\\x62|\\142)"\]\)\);/ ascii
+        $query3 = /@\$_GET\[\"(p|\\x70|\\160)(d|\\x64|\\144)\"\]/ ascii
+        $content1 = "nobotuseragent" ascii
+        $content2 = "okhtmlgetcontent" ascii
+        $content3 = "okxmlgetcontent" ascii
+        $content4 = "pingxmlgetcontent" ascii
+
+     condition:
+       7 of them
+}
diff --git a/other/seaspy.yara b/other/seaspy.yara
@@ -0,0 +1,28 @@
+rule malware_SeaSpy_str {
+     meta:
+        description = "malware SeaSpy"
+        author = "JPCERT/CC Incident Response Group"
+        hash = "3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115"
+        hash = "5e3c128749f7ae4616a4620e0b53c0e5381724a790bba8314acb502ce7334df2" 
+
+     strings:
+        $msg1 = "<Network-Interface> <Listen-Port>" ascii fullword
+        $msg2 = "<Network-Interface>. e.g." ascii fullword
+        $msg3 = "Port value out of range." ascii fullword
+        $msg4 = "enter open tty shell..." ascii fullword
+        $msg5 = "NO port code" ascii fullword
+        $msg6 = "pcap_lookupnet: %s" ascii fullword
+        $msg7 = "pcap_compile" ascii fullword
+        $msg8 = "pcap_setfilter" ascii fullword
+        $msg9 = "Child process id:%d" ascii fullword
+        $func1 = "open_tty_shell" ascii fullword
+        $func2 = "start_pcap_listener" ascii fullword
+        $func3 = "pcap_open_live" ascii fullword
+        $func4 = "pcap_setfilter" ascii fullword
+        $func5 = "reverse_shell" ascii fullword
+        $key1 = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuJDBIgz2Gb70ExKb7fww" ascii fullword
+
+     condition:
+       uint32(0) == 0x464C457F and
+       (4 of ($msg*) or 4 of ($func*) or 1 of ($key*))
+}
diff --git a/other/steelclover.yara b/other/steelclover.yara
@@ -25,11 +25,11 @@ rule SteelClover_PowerShell_str {
         hash = "05e6f7a4184c9688ccef4dd17ae8ce0fe788df1677c6ba754b37a895a1e430e9"
 
     strings:
-        $a1 = "function Add-Encryption" ascii wide nocase
-        $a2 = "function Remove-Encryption" ascii wide nocase
-        $a3 = "Remove-Encryption -FolderPath $env:APPDATA -Password" ascii wide nocase
-        $b1 = "function Install-GnuPg" ascii wide nocase
-        $b2 = "Install-GnuPG -DownloadFolderPath $env:APPDATA" ascii wide nocase
+        $a1 = "function Add-Encryption" ascii
+        $a2 = "function Remove-Encryption" ascii
+        $a3 = "Remove-Encryption -FolderPath $env:APPDATA -Password" ascii
+        $b1 = "function Install-GnuPg" ascii
+        $b2 = "Install-GnuPG -DownloadFolderPath $env:APPDATA" ascii
 
      condition:
         all of ($a*) or all of ($b*)
diff --git a/other/tool.yara b/other/tool.yara
@@ -0,0 +1,22 @@
+rule tool_frp_str {
+    meta:
+        description = "Detect fast reverse proxy (frp)"
+        author = "JPCERT/CC Incident Response Group"
+        reference = "https://github.com/fatedier/frp"
+
+    strings:
+        $str1 = "json:\"dst_addr\""
+        $str2 = "json:\"bind_addr\""
+        $str3 = "json:\"proxy_name\""
+        $str4 = "json:\"log_way\""
+        $str5 = "json:\"maxdays\""
+        $str6 = "json:\"sk\""
+        $str7 = "json:\"authenticate_new_work_conns\""
+        $str8 = "json:\"detailed_errors_to_client\""
+        $str9 = "json:\"oidc_skip_expiry_check\""
+        $str10 = "json:\"health_check_interval_s\""
+        $str11 = "json:\"token_type,omitempty\""
+
+    condition:
+        6 of ($str*)
+}
