rule olympic_destroyer_WriteFile
{
    // Byte-pattern rule for the file-write routine of the referenced
    // OlympicDestroyer sample. The pattern opens with the x86 frame setup
    // (55 8B EC) and a run of pushed arguments ahead of an indirect call;
    // the `??` wildcards stand in for bytes that vary between builds
    // (presumably addresses and displacements) so the sequence is not
    // tied to one load address.
    meta:
        author      = "Joe Slowik, Dragos Inc"
        description = "Bytecode observable associated with OlympicDestroyer File Write"
        sha256      = "edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9"

    strings:
        // argument pushes (6A 00 / 6A 02 / 6A 03 / 68 00 00 00 C0) followed by
        // the call and the sentinel compare against CC CC CC CC
        $write_seq = { 55 8B EC 51 53 56 57 8B F9 8B DA 85 FF 74 ?? 85 DB 74 ?? 6A 00 6A 00 6A 02 6A 00 6A 03 68 00 00 00 C0 57 FF ?? ?? ?? 41 00 8B F0 85 F6 74 43 81 FE CC CC CC CC 74 ?? 83 FE FF 74 ?? 6A 00 8D ?? ?? C7 ?? ?? ?? ?? 00 00 50 FF ?? ?? FF ?? 56 FF ?? ?? ?? ?? 00 }

    condition:
        // only PE images ("MZ" at offset 0) are searched for the byte sequence
        uint16(0) == 0x5a4d
        and all of them
}
rule olympic_destroyer_notepad
{
    // Two byte-pattern observables from the referenced sample, covering the
    // notepad-creation and injection logic named in the description. Both
    // sequences must be present for the rule to fire.
    meta:
        author      = "Joe Slowik, Dragos Inc"
        description = "Bytecode observable associated with OlympicDestroyer Notepad creation and injection"
        sha256      = "edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9"

    strings:
        // process-creation stage: immediates 44 00 00 00 and 68 00 00 00 08
        // look like a structure-size store and a creation-flags push —
        // NOTE(review): inferred from the bytes, confirm against disassembly
        $create_seq = { 66 ?? ?? ?? 83 C7 02 66 85 C0 75 ?? 6A 40 8D ?? ?? ?? B9 0B 00 00 00 BE ?? ?? ?? 00 0F 57 C0 6A 00 F3 A5 50 0F ?? ?? ?? 28 E8 ?? ?? ?? 00 83 C4 0C 83 ?? ?? ?? 01 8D ?? ?? 1C C7 ?? ?? ?? 44 00 00 00 50 8D ?? ?? ?? 50 6A 00 6A 00 68 00 00 00 08 6A 00 6A 00 6A 00 6A 00 8D ?? ?? ?? ?? 00 00 50 FF ?? ?? ?? 41 00 }

        // injection stage: the repeated 6A 04 / 68 00 30 00 00 / 68 00 20 00 00
        // push group occurs twice, bracketing the copy/compare logic
        $inject_seq = { 8B ?? ?? ?? 41 00 6A 04 68 00 30 00 00 68 00 20 00 00 6A 00 FF ?? ?? ?? FF D6 8B F8 85 FF 0F ?? ?? ?? 00 00 8B ?? ?? ?? 41 00 8D ?? ?? ?? 50 68 48 08 00 00 8D ?? ?? ?? ?? 00 00 C7 ?? ?? ?? ?? ?? 00 00 50 57 FF ?? ?? ?? FF D3 85 C0 0F ?? ?? ?? 00 00 8D ?? ?? ?? C7 ?? ?? ?? 00 00 00 00 50 8D ?? ?? ?? C7 ?? ?? ?? 00 00 00 00 50 E8 ?? ?? ?? ?? 8B ?? ?? ?? 83 C4 08 85 C0 0F ?? ?? ?? 00 00 83 ?? ?? ?? 00 0F ?? ?? ?? 00 00 3D 00 10 00 00 0F ?? ?? ?? 00 00 6A 04 68 00 30 00 00 68 00 20 00 00 6A 00 FF ?? ?? ?? FF D6 }

    condition:
        // PE images only; both sequences required
        uint16(0) == 0x5a4d
        and all of them
}
rule olympic_destroyer_ransomware_like_observables
{
    // Plaintext command fragments (backup/shadow-copy deletion, boot-recovery
    // changes, event-log clearing) found in the referenced sample. Each
    // fragment is matched case-insensitively in both ASCII and UTF-16 form.
    meta:
        author      = "Joe Slowik, Dragos Inc"
        description = "Plaintext observables reminiscent of ransomware-like functionality in Olympic Destroyer"
        sha256      = "ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85"

    strings:
        // shadow copy / backup catalog removal
        $cmd1  = "vssadmin.exe"                        nocase ascii wide
        $cmd2  = "wbadmin.exe"                         nocase ascii wide
        $cmd3  = "delete shadows"                      nocase ascii wide
        $cmd4  = "delete catalog"                      nocase ascii wide
        // boot configuration changes that disable recovery
        $cmd5  = "bcdedit.exe"                         nocase ascii wide
        $cmd6  = "bootstatuspolicy ignoreallfailures"  nocase ascii wide
        $cmd7  = "recoveryenabled"                     nocase ascii wide
        // event log clearing
        $cmd8  = "wevtutil.exe"                        nocase ascii wide
        $cmd9  = "cl system"                           nocase ascii wide
        $cmd10 = "cl security"                         nocase ascii wide

    condition:
        // PE images only. Individual fragments are ordinary admin-tool names,
        // so the 7-of-10 threshold keeps a single benign occurrence from
        // firing the rule on its own.
        uint16(0) == 0x5a4d
        and 7 of ($cmd*)
}
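rule olympic_destroyer_service_manipulator
{
    // Byte-pattern observables for the service-manipulation routine of the
    // referenced sample. Both sequences must be present for the rule to fire.
    meta:
        author      = "Joe Slowik, Dragos Inc"
        // Fixed: the previous description was copied from the plaintext
        // ransomware-like rule; this rule matches byte code, not strings.
        description = "Bytecode observable associated with OlympicDestroyer service manipulation"
        // NOTE(review): this is the same sample hash as the plaintext
        // ransomware-like rule above — confirm it is the intended reference sample
        sha256      = "ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85"

    strings:
        // opens with the x86 frame setup (55 8B EC 83 EC 28) and a push of
        // 0x80000000; the 6A 03 / 68 3F 01 00 00 push pair appears twice
        $a = { 55 8B EC 83 EC 28 56 68 00 00 00 80 68 ?? ?? ?? 00 33 F6 56 FF 15 ?? ?? 40 00 89 ?? ?? 3B C6 0F ?? ?? ?? ?? 00 53 8B ?? ?? ?? ?? 00 57 8D ?? ?? 51 8D ?? ?? 51 8D ?? ?? 51 56 56 6A 03 68 3F 01 00 00 50 89 ?? ?? 89 ?? ?? 89 ?? ?? FF ?? FF ?? ?? 8B ?? ?? ?? ?? 00 6A 08 FF ?? 50 FF ?? ?? ?? 40 00 8D ?? ?? 51 8D ?? ?? 51 8D ?? ?? 51 FF ?? ?? 89 ?? ?? 50 6A 03 68 3F 01 00 00 }

        // second sequence: a run of seven pushed zero registers (56 x7) and
        // 6A FF 6A 04 6A FF ahead of an indirect call
        $b = { 8B ?? ?? 68 00 00 00 10 FF ?? FF ?? ?? FF ?? ?? ?? 40 00 89 ?? ?? 3B C6 74 ?? 8D ?? ?? 51 56 56 50 89 ?? ?? FF ?? FF ?? ?? 6A 08 FF ?? 50 FF ?? ?? ?? 40 00 56 56 56 56 56 56 56 6A FF 6A 04 6A FF FF ?? ?? 89 ?? ?? FF ?? ?? ?? 40 00 8D ?? ?? 50 FF ?? ?? FF ?? ?? FF ?? ?? FF D3 85 C0 }

    condition:
        // PE images only; both sequences required
        uint16(0) == 0x5a4d
        and all of them
}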