
Yara

US-CERT

/*
Yara Rule Set
Author: US-CERT
Date: 2017-10-21
Identifier: TA17-293A
Reference: https://www.us-cert.gov/ncas/alerts/TA17-293A
Beware: Rules have been modified to reduce complexity and false positives as well as to
improve the overall performance
*/
import "pe"
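rule TA17_293A_malware_1 {
// Umbrella rule for the TA17-293A tool chain: the JavaScript dropper, the
// malicious Word document, the PsExec/Inveigh batch scripts and the Go-built
// implant. Three independent match paths are combined in the condition.
meta:
description = "inveigh pen testing tools & related artifacts"
author = "US-CERT Code Analysis Team (modified by Florian Roth)"
reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A"
date = "2017/07/17"
// hash0..hash10 are MD5 sums (32 hex digits) of the samples the strings come from
hash0 = "61C909D2F625223DB2FB858BBDF42A76"
hash1 = "A07AA521E7CAFB360294E56969EDA5D6"
hash2 = "BA756DD64C1147515BA2298B6A760260"
hash3 = "8943E71A8C73B5E343AA9D2E19002373"
hash4 = "04738CA02F59A5CD394998A99FCD9613"
hash5 = "038A97B4E2F37F34B255F0643E49FC9D"
hash6 = "65A1A73253F04354886F375B59550B46"
hash7 = "AA905A3508D9309A93AD5C0EC26EBC9B"
hash8 = "5DBEF7BDDAF50624E840CCBCE2816594"
hash9 = "722154A36F32BA10E98020A8AD758A7A"
hash10 = "4595DBE00A538DF127E0079294C87DA0"
strings:
// Generic URI scheme - only meaningful together with one of the $ax* indicators
$n1 = "file://"
// IP addresses and URL path fragments reported in TA17-293A
$ax1 = "184.154.150.66"
$ax2 = "5.153.58.45"
$ax3 = "62.8.193.206"
$ax4 = "/pshare1/icon"
$ax5 = "/ame_icon.png"
$ax6 = "/1/ree_stat/p"
/* Too many false positives with these strings
$au1 = "/icon.png"
$au2 = "/notepad.png"
$au3 = "/pic.png"
*/
// Fragments of the minified JavaScript dropper: a 256-entry table init and an
// XOR against k[(k[b]+k[h])%256] - looks like an RC4-style keystream loop
$s1 = "(g.charCodeAt(c)^l[(l[b]+l[e])%256])"
$s2 = "for(b=0;256>b;b++)k[b]=b;for(b=0;256>b;b++)"
// Base64 tokens embedded in the dropper. $s4 is only 8 bytes long and has
// little weight on its own, which is why the condition demands two $s* hits.
$s3 = "VXNESWJfSjY3grKEkEkRuZeSvkE="
$s4 = "NlZzSZk="
$s5 = "WlJTb1q5kaxqZaRnser3sw=="
// Opcode sequences from the native payload
$x1 = { 87D081F60C67F5086A003315D49A4000F7D6E8EB12000081F7F01BDD21F7DE }
$x2 = { 33C42BCB333DC0AD400043C1C61A33C3F7DE33F042C705B5AC400026AF2102 }
$x3 = "fromCharCode(d.charCodeAt(e)^k[(k[b]+k[h])%256])"
// PsExec lateral-movement batch (same artefact the NCSC Batch_Script_To_Run_PsExec rule covers)
$x4 = "ps.exe -accepteula \\%ws% -u %user% -p %pass% -s cmd /c netstat"
// Hex of:  "Tokens=1 delims=\\" %%I IN (list.txt)   - FOR loop of that batch script
$x5 = { 22546F6B656E733D312064656C696D733D5C5C222025254920494E20286C6973742E74787429 }
// Hex of:  hell.exe -noexit -executionpolicy bypass -command ". .\Inveigh.p   - powershell.exe launching Inveigh
$x6 = { 68656C6C2E657865202D6E6F65786974202D657865637574696F6E706F6C69637920627970617373202D636F6D6D616E6420222E202E5C496E76656967682E70 }
// Hex of:  Go build ID: "fbd3797b1c14e0e1   - build ID string of the Go-compiled implant
$x7 = { 476F206275696C642049443A202266626433373937623163313465306531 }
// Hex of:  $inveigh.status_queue.Add("Press any key to stop real time   - Inveigh.ps1 source
$x8 = { 24696E76656967682E7374617475735F71756575652E4164642822507265737320616E79206B657920746F2073746F70207265616C2074696D65 }
//specific malicious word document PK archive
// $x9 / $x10 start with the zip entry names "/settings.xml" and "ls/settings.xml.rels"
// followed by the beginning of their compressed data; $x11 / $x12 are further
// fragments of those streams. The original rule also carried $x13, which was a
// byte-for-byte duplicate of $x12; under "1 of ($x*)" a duplicate can never
// change the result, so it was dropped.
$x9 = { 2F73657474696E67732E786D6CB456616FDB3613FEFE02EF7F10F4798E64C54D06A14ED125F19A225E87C9FD0194485B }
$x10 = { 6C732F73657474696E67732E786D6C2E72656C7355540500010076A41275780B0001040000000004000000008D90B94E03311086EBF014D6F4D87B48214471D2 }
$x11 = { 8D90B94E03311086EBF014D6F4D87B48214471D210A41450A0E50146EBD943F8923D41C9DBE3A54A240ACA394A240ACA39 }
$x12 = { 8C90CD4EEB301085D7BD4F61CDFEDA092150A1BADD005217B040E10146F124B1F09FEC01B56F8FC3AA9558B0B4 }
$x14 = "http://bit.ly/2m0x8IH"
condition:
// (a) file:// together with one infrastructure/path indicator, or
// (b) two fragments of the JavaScript dropper, or
// (c) any single high-confidence artefact
( $n1 and 1 of ($ax*) ) or
2 of ($s*) or
1 of ($x*)
}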
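rule TA17_293A_energetic_bear_api_hashing_tool {
meta:
description = "Energetic Bear API Hashing Tool"
assoc_report = "DHS Report TA17-293A"
author = "CERT RE Team"
version = "2"
strings:
// Per-character API-name hashing loop, 32-bit, stride read via ebp:
//   8A 08       mov  cl, [eax]
//   84 C9       test cl, cl
//   74 ??       jz   <done>
//   80 C9 60    or   cl, 0x60        ; sets bits 5/6 - presumably case folding
//   01 CB       add  ebx, ecx
//   C1 E3 01    shl  ebx, 1
//   03 45 10    add  eax, [ebp+0x10]
//   EB ED       jmp  <loop>
$api_hash_func_v1 = { 8A 08 84 C9 74 ?? 80 C9 60 01 CB C1 E3 01 03 45 10 EB ED }
// Same loop, stride read via esp (03 44 24 14 = add eax, [esp+0x14])
$api_hash_func_v2 = { 8A 08 84 C9 74 ?? 80 C9 60 01 CB C1 E3 01 03 44 24 14 EB EC }
// x64 variant: add rbx, rcx / shl rbx, 1 / add rax, [rbp+0x20]
$api_hash_func_x64 = { 8A 08 84 C9 74 ?? 80 C9 60 48 01 CB 48 C1 E3 01 48 03 45 20 EB EA }
// C2 protocol markers
$http_push = "X-mode: push" nocase
$http_pop = "X-mode: pop" nocase
condition:
// The original condition was written without grouping parentheses:
//   $v1 or $v2 or $x64 and ( MZ or $http_push or $http_pop )
// YARA binds "and" tighter than "or", so the PE/HTTP qualifier only applied to
// the x64 pattern while the two 32-bit patterns matched unconditionally. The
// grouping is now explicit so the qualifier gates all three hashing variants.
( $api_hash_func_v1 or $api_hash_func_v2 or $api_hash_func_x64 ) and
( uint16(0) == 0x5a4d or $http_push or $http_pop )
}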
rule TA17_293A_Query_XML_Code_MAL_DOC_PT_2 {
meta:
name= "Query_XML_Code_MAL_DOC_PT_2"
author = "other (modified by Florian Roth)"
reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A"
strings:
// Zip entry name of the settings.xml relationships part inside the OOXML container
$rels_entry = "word/_rels/settings.xml.rels"
// First nine bytes of that part's compressed data in the malicious document
// (identical to the start of $x12 in TA17_293A_malware_1)
$rels_data = {8c 90 cd 4e eb 30 10 85 d7}
condition:
// PK\x03\x04 local-file-header magic at offset 0: zip / OOXML containers only
uint32(0) == 0x04034b50 and all of them
}
rule TA17_293A_Query_XML_Code_MAL_DOC {
meta:
name= "Query_XML_Code_MAL_DOC"
author = "other (modified by Florian Roth)"
reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A"
strings:
// Three ordinary OOXML entry names; on their own they occur in every .docx.
// What makes the rule specific is the fixed offset each one is required at.
$rels_dir = "word/_rels/" ascii
$theme_entry = "word/theme/theme1.xml" ascii
$styles_entry = "word/styles.xml" ascii
condition:
// Zip magic, then the entry names at the exact offsets seen in the reported
// document. This is a fingerprint of one specific file layout: a copy that is
// re-saved or repacked with different entry order/sizes will not hit.
uint32(0) == 0x04034b50 and
$rels_dir at 0x0145 and
$theme_entry at 0x02b7 and
$styles_entry at 0x08fd
}
rule TA17_293A_Query_Javascript_Decode_Function {
meta:
name= "Query_Javascript_Decode_Function"
author = "other (modified by Florian Roth)"
reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A"
strings:
// Hex of:  replace(/[^A-Za-z0-9\+\/\=]/g,"");   - strips non-base64 characters
$decode1 = {72 65 70 6C 61 63 65 28 2F 5B 5E 41 2D 5A 61 2D 7A 30 2D 39 5C 2B 5C 2F 5C 3D 5D 2F 67 2C 22 22 29 3B}
// Hex of:  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=".indexOf(?.charAt(?++))
// i.e. the standard base64 alphabet lookup; the two ?? bytes are the minified variable names
$decode2 = {22 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 77 78 79 7A 30 31 32 33 34 35 36 37 38 39 2B 2F 3D 22 2E 69 6E 64 65 78 4F 66 28 ?? 2E 63 68 61 72 41 74 28 ?? 2B 2B 29 29}
// The 6-bit shuffling of a base64 decoder (<<2|>>4, (&15)<<4|>>2, (&3)<<6) followed by
// String.fromCharCode(...) and the "64!=" check for the '=' padding index
$decode3 = {3D ?? 3C 3C 32 7C ?? 3E 3E 34 2C ?? 3D 28 ?? 26 31 35 29 3C 3C 34 7C ?? 3E 3E 32 2C ?? 3D 28 ?? 26 33 29 3C 3C 36 7C ?? 2C ?? 2B 3D [1-2] 53 74 72 69 6E 67 2E 66 72 6F 6D 43 68 61 72 43 6F 64 65 28 ?? 29 2C 36 34 21 3D ?? 26 26 28 ?? 2B 3D 53 74 72 69 6E 67 2E 66 72 6F 6D 43 68 61 72 43 6F 64 65 28 ?? 29}
// Hex of:  substring(4,?.length)   - skips a 4-character prefix before decoding
$decode4 = {73 75 62 73 74 72 69 6E 67 28 34 2C ?? 2E 6C 65 6E 67 74 68 29}
/* Only a 3-character atom - bad for scan performance - so it is left out
$func_call="a(\""
*/
condition:
// Small-script gate; all four decoder fragments must be present
filesize < 20KB and
/* #func_call > 20 and */
all of ($decode*)
}
/*
Yara Rule Set
Author: Florian Roth
Date: 2017-10-21
Identifier: TA17-293A Extensions
Reference: https://www.us-cert.gov/ncas/alerts/TA17-293A
*/
/* Rule Set ----------------------------------------------------------------- */
rule TA17_293A_Hacktool_PS_1 {
meta:
description = "Auto-generated rule"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth"
reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A"
date = "2017-10-21"
hash1 = "72a28efb6e32e653b656ca32ccd44b3111145a695f6f6161965deebbdc437076"
strings:
// "$krb5tgs$23$..." hash-format template with a placeholder service account -
// the kind of output a Kerberoasting script produces
$x1 = "$HashFormat = '$krb5tgs$23$*ID#124_DISTINGUISHED NAME: CN=fakesvc,OU=Service,OU=Accounts,OU=EnterpriseObjects,DC=asdf,DC=pd,DC=f" ascii
// Pipeline requesting a TGS ticket (Get-SPNTicket) for every SPN account except krbtgt
$x2 = "} | Where-Object {$_.SamAccountName -notmatch 'krbtgt'} | Get-SPNTicket @GetSPNTicketArguments" fullword ascii
condition:
// Both strings are ascii-only: a UTF-16 (wide) copy of the script would not match
filesize < 80KB and any of ($x*)
}
rule TA17_293A_Hacktool_Touch_MAC_modification {
meta:
description = "Auto-generated rule"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth"
reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A"
date = "2017-10-21"
hash1 = "070d7082a5abe1112615877214ec82241fd17e5bd465e24d794a470f699af88e"
strings:
// Usage / error text of a Windows "touch" port used for timestomping.
// $s1, $s3 and $s4 read like ordinary touch(1) help text, so a benign touch
// port shipped in a toolkit could trigger the rule as well; $s2 (the %x error
// format) is the most implementation-specific of the four.
$s1 = "-t time - use the time specified to update the access and modification times" fullword ascii
$s2 = "Failed to set file times for %s. Error: %x" fullword ascii
$s3 = "touch [-acm][ -r ref_file | -t time] file..." fullword ascii
$s4 = "-m - change the modification time only" fullword ascii
condition:
// PE only, small binary, a single string is enough
uint16(0) == 0x5a4d and filesize < 100KB and any of ($s*)
}
rule TA17_293A_Hacktool_Exploit_MS16_032 {
meta:
description = "Auto-generated rule"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth"
reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A"
date = "2017-10-21"
hash1 = "9b97290300abb68fb48480718e6318ee2cdd4f099aa6438010fb2f44803e0b58"
strings:
// Status line printed while resolving the owning process of a thread handle
$x1 = "[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($Thread)))" ascii
// CreateProcessWithLogonW-style argument list spawning cmd.exe
$x2 = "0x00000002, \"C:\\Windows\\System32\\cmd.exe\", \"\"," fullword ascii
// Self-description and success banner of the public PowerShell MS16-032 exploit
$x3 = "PowerShell implementation of MS16-032. The exploit targets all vulnerable" fullword ascii
$x4 = "If we can't open the process token it's a SYSTEM shell!" fullword ascii
condition:
// ascii-only strings: a UTF-16 saved copy of the script would be missed
filesize < 40KB and any of ($x*)
}
/* Extra Rules based on Imphash of involved malware - Generic approach */
rule Imphash_UPX_Packed_Malware_1_TA17_293A {
meta:
description = "Detects malware based on Imphash of malware used in TA17-293A"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth"
reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A"
date = "2017-10-21"
hash1 = "a278256fbf2f061cfded7fdd58feded6765fade730374c508adad89282f67d77"
// No strings: the rule matches purely on the PE import hash and therefore needs
// the `import "pe"` at the top of this rule set. An import hash fingerprints the
// import table, not the code, so every PE with the same import table matches -
// for a UPX-packed file that could include unrelated binaries packed the same
// way. Treat hits as leads to triage, not as convictions.
condition:
( uint16(0) == 0x5a4d and filesize < 5000KB and pe.imphash() == "d7d745ea39c8c5b82d5e153d3313096c" )
}
rule Imphash_Malware_2_TA17_293A : HIGHVOL {
meta:
description = "Detects malware based on Imphash of malware used in TA17-293A"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth"
reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A"
date = "2017-10-21"
// Import-hash-only rule (requires `import "pe"`). The HIGHVOL tag flags it as a
// high-volume matcher: any PE sharing this import table will hit, so it is a
// hunting/triage signal rather than a standalone alert.
condition:
( uint16(0) == 0x5a4d and filesize < 5000KB and pe.imphash() == "a8f69eb2cf9f30ea96961c86b4347282" )
}

NCSC

/*
Yara Rule Set
Author: NCSC (modified for performance reasons by Florian Roth)
Date: 2018-04-06
Identifier: Hostile state actors compromising UK organisations
Reference: https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control
*/
rule Bytes_used_in_AES_key_generation {
meta:
author = "NCSC"
description = "Detects Backdoor.goodor"
reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
date = "2018/04/06"
hash = "b5278301da06450fe4442a25dda2d83d21485be63598642573f59c59e980ad46"
strings:
// Hard-coded key material, written as the ASCII text the original hex encodes
// (35 34 36 35 4B 4A 55 54 5E 49 55 5F 29 7B 68 36 35 67 34 36 64 66 35 68)
$a1 = "5465KJUT^IU_){h65g46df5h"
/* $a2 = {fb ff ff ff 00 00} disabled due to performance issues */
condition:
// PE only, size-capped; "all of ($a*)" is kept so that re-enabling $a2 needs no
// condition change
uint16(0) == 0x5a4d and filesize < 5000KB and all of ($a*)
}
rule Partial_Implant_ID {
meta:
author = "NCSC"
description = "Detects implant from NCSC report"
reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
date = "2018/04/06"
hash = "b5278301da06450fe4442a25dda2d83d21485be63598642573f59c59e980ad46"
strings:
// Eight hex characters of the implant ID (original form: 38 38 31 34 35 36 46 43).
// An 8-character hex token is a weak indicator by itself; the MZ/size gate below
// is what keeps the rule usable at scale.
$a1 = "881456FC"
/* $a2 = {fb ff ff ff 00 00} disabled due to performance issues */
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and all of ($a*)
}
rule Sleep_Timer_Choice {
meta:
author = "NCSC"
description = "Detects malware from NCSC report"
reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
date = "2018/04/06"
hash = "b5278301da06450fe4442a25dda2d83d21485be63598642573f59c59e980ad46"
strings:
// x86 sequence, per instruction:
//   8b 04 24         mov  eax, [esp]
//   b9 0f 00 00 00   mov  ecx, 0xf
//   83 f9 ff         cmp  ecx, -1
//   74 34            je   +0x34
//   99               cdq
//   f7 f9            idiv ecx
//   8d 42 0f         lea  eax, [edx+0xf]
// i.e. (value % 15) + 15 - presumably the randomised sleep interval the rule name
// refers to; the cmp/je on -1 looks like a compiler-emitted divisor check - verify against the sample
$a1 = {8b0424b90f00000083f9ff743499f7f98d420f}
/* $a2 = {fb ff ff ff 00 00} disabled due to performance issues */
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and all of ($a*)
}
rule User_Function_String {
meta:
author = "NCSC"
description = "Detects user function string from NCSC report"
reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
date = "2018/04/06"
hash = "b5278301da06450fe4442a25dda2d83d21485be63598642573f59c59e980ad46"
strings:
/* $b1 = {fb ff ff ff 00 00} disabled due to performance issues */
// Method-name suffixes ("e." + name) left in the binary; each one alone is
// short and generic, so the condition requires four of the five together
$a2 = "e.RandomHashString"
$a3 = "e.Decode"
$a4 = "e.Decrypt"
$a5 = "e.HashStr"
$a6 = "e.FromB64"
condition:
// Unlike the sibling NCSC rules there is no MZ or filesize gate here, so this
// rule is evaluated against every file type and size scanned
/* $b1 and */ 4 of ($a*)
}
rule generic_shellcode_downloader_specific {
meta:
author = "NCSC"
description = "Detects Doorshell from NCSC report"
reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
date = "2018/04/06"
hash = "b8bc0611a7fd321d2483a0a9a505251e15c22402e0cfdc62c0258af53ed3658a"
strings:
// push imm32 of the ASCII chunks "lloc", "ualA", "Virt": the string
// "VirtualAlloc" being built on the stack in reverse order
$push1 = {68 6C 6C 6F 63}
$push2 = {68 75 61 6C 41}
$push3 = {68 56 69 72 74}
// Two alternative code fragments of the loader
$a = {BA 90 02 00 00 46 C1 C6 19 03 DD 2B F4 33 DE}
$b = {87 C0 81 F2 D1 19 89 14 C1 C8 1F FF E0}
condition:
// MZ at 0 and "PE" at e_lfanew, one of the code fragments, and the three pushes
// in stack-build order. Note that @push1 etc. refer to the FIRST occurrence of
// each string; if a binary contains the pushes in the right order only at a
// later occurrence the ordering check will still fail.
(uint16(0) == 0x5A4D and uint16(uint32(0x3C)) == 0x4550) and ($a or $b) and @push1 < @push2 and @push2 < @push3
}
rule Batch_Script_To_Run_PsExec {
meta:
author = "NCSC"
description = "Detects malicious batch file from NCSC report"
reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
date = "2018/04/06"
hash = "b7d7c4bc8f9fd0e461425747122a431f93062358ed36ce281147998575ee1a18"
strings:
// Fragments of a batch script that loops over hosts (%ws%) and runs PsExec
// against each one; the same script is covered by $x4/$x5 of TA17_293A_malware_1
$for_loop = "Tokens=1 delims=" ascii
$set_host = "SET ws=%1" ascii
$echo_host = "Checking %ws%" ascii
$netstat_out = "%TEMP%\\%ws%ns.txt" ascii
$psexec_cmd = "ps.exe -accepteula" ascii
condition:
// Three of the five fragments; no file-type gate since batch files have no magic
3 of them
}
rule Batch_Powershell_Invoke_Inveigh {
meta:
author = "NCSC"
description = "Detects malicious batch file from NCSC report"
reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
date = "2018/04/06"
hash = "0a6b1b29496d4514f6485e78680ec4cd0296ef4d21862d8bf363900a4f8e3fd2"
strings:
// Batch wrapper that launches powershell.exe with Inveigh.ps1 and the
// Invoke-Inveigh cmdlet, LLMNR/HTTP spoofing off and file output on
$script_name = "Inveigh.ps1" ascii
$cmdlet = "Invoke-Inveigh" ascii
$cmdlet_args = "-LLMNR N -HTTP N -FileOutput Y" ascii
$host_binary = "powershell.exe" ascii
condition:
// All four are required; "powershell.exe" alone carries no weight
all of them
}
rule lnk_detect {
meta:
author = "NCSC"
description = "Detects malicious LNK file from NCSC report"
reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
date = "2018/04/06"
strings:
// ShellLinkHeader: HeaderSize 0x4C followed by the LinkCLSID
// 00021401-0000-0000-C000-000000000046
$lnk_magic = {4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46}
// "AUTOEXEC.BAT" in UTF-16LE, without the final null byte of the last character
$lnk_target = {41 00 55 00 54 00 4F 00 45 00 58 00 45 00 43 00 2E 00 42 00 41 00 54}
// UTF-16LE "\\" followed by a digit - a UNC path to a host given as an IP
// address (same bytes as the original hex patterns 5C 00 5C 00 3x 00)
$s1 = "\\\\1" wide
$s2 = "\\\\2" wide
$s3 = "\\\\3" wide
$s4 = "\\\\4" wide
$s5 = "\\\\5" wide
$s6 = "\\\\6" wide
$s7 = "\\\\7" wide
$s8 = "\\\\8" wide
$s9 = "\\\\9" wide
condition:
// Cheap header checks first, then the full CLSID at offset 0, the target
// filename anywhere in the file, and at least one UNC-to-IP fragment
uint32be(0) == 0x4c000000 and
uint32be(4) == 0x01140200 and
$lnk_magic at 0 and $lnk_target and any of ($s*)
}
rule RDP_Brute_Strings {
meta:
author = "NCSC"
description = "Detects RDP brute forcer from NCSC report"
reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
date = "2018/04/06"
hash = "8234bf8a1b53efd2a452780a69666d1aedcec9eb1bb714769283ccc2c2bdcc65"
strings:
// Class/field names and UI text of the brute-forcer; the mix of ascii and wide
// modifiers reflects where each string was seen (wide = UTF-16, typical of
// .NET string literals)
$ = "RDP Brute" ascii wide
$ = "RdpChecker" ascii
$ = "RdpBrute" ascii
$ = "Brute_Count_Password" ascii
$ = "BruteIPList" ascii
$ = "Chilkat_Socket_Key" ascii
$ = "Brute_Sync_Stat" ascii
$ = "(Error! Hyperlink reference not valid.)" wide
$ = "BadRDP" wide
$ = "GoodRDP" wide
// Self-deleting batch template written by the tool ({0}/{1}/{2} are .NET format placeholders)
$ = "@echo off{0}:loop{0}del {1}{0}if exist {1} goto loop{0}del {2}{0}del \"{2}\"" wide
$ = "Coded by z668" wide
condition:
// No MZ/filesize gate: four of the twelve strings anywhere in any file
4 of them
}
rule Z_WebShell {
meta:
author = "NCSC"
description = "Detects Z Webshell from NCSC report"
reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
date = "2018/04/06"
hash = "ace12552f3a980f1eed4cadb02afe1bfb851cafc8e58fb130e1329719a07dbf0"
strings:
// Identifier names from the web shell source plus a 32-hex-digit constant
// (looks like an MD5, presumably an access key or password hash - unverified);
// ascii wide so both the source file and a compiled/UTF-16 copy are covered
$ = "Z_PostBackJS" ascii wide
$ = "z_file_download" ascii wide
$ = "z_WebShell" ascii wide
$ = "1367948c7859d6533226042549228228" ascii wide
condition:
// Three of four; no size gate, so this also runs over large web content
3 of them
}

Yara-signator

rule win_goodor_auto {
meta:
author = "Felix Bilstein - yara-signator at cocacoding dot com"
date = "2020-10-14"
version = "1"
description = "autogenerated rule brought to you by yara-signator"
tool = "yara-signator v0.5.0"
signator_config = "callsandjumps;datarefs;binvalue"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.goodor"
malpedia_rule_date = "20201014"
malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
malpedia_version = "20201014"
malpedia_license = "CC BY-SA 4.0"
malpedia_sharing = "TLP:WHITE"
/* DISCLAIMER
* The strings used in this rule have been automatically selected from the
* disassembly of memory dumps and unpacked files, using YARA-Signator.
* The code and documentation is published here:
* https://github.com/fxb-cocacoding/yara-signator
* As Malpedia is used as data source, please note that for a given
* number of families, only single samples are documented.
* This likely impacts the degree of generalization these rules will offer.
* Take the described generation method also into consideration when you
* apply the rules in your use cases and assign them confidence levels.
*/
strings:
// Reviewer notes on the generated sequences below:
// - Call/jump targets are wildcarded (e8????????, e9????????), but the lea
//   operands are absolute addresses (e.g. 0x601b45, 0x5c7de0, 0x60023a), so the
//   sequences are tied to one image base / build and will not survive relocation
//   or a rebuild. Expect this to fire on memory dumps and unpacked files of that
//   build rather than generically on the family.
// - $sequence_4 is $sequence_1 with a leading "ebdd" (jmp); a hit on
//   $sequence_4 therefore always implies a hit on $sequence_1.
$sequence_0 = { e8???????? 0f0b 8b842458010000 890424 8d0d451b6000 894c2404 c74424080a000000 }
// n = 7, score = 100
// e8???????? |
// 0f0b | ud2
// 8b842458010000 | mov eax, dword ptr [esp + 0x158]
// 890424 | mov dword ptr [esp], eax
// 8d0d451b6000 | lea ecx, [0x601b45]
// 894c2404 | mov dword ptr [esp + 4], ecx
// c74424080a000000 | mov dword ptr [esp + 8], 0xa
$sequence_1 = { 8d2de07d5c00 892c24 89442404 897c2408 894c240c 89742410 e8???????? }
// n = 7, score = 100
// 8d2de07d5c00 | lea ebp, [0x5c7de0]
// 892c24 | mov dword ptr [esp], ebp
// 89442404 | mov dword ptr [esp + 4], eax
// 897c2408 | mov dword ptr [esp + 8], edi
// 894c240c | mov dword ptr [esp + 0xc], ecx
// 89742410 | mov dword ptr [esp + 0x10], esi
// e8???????? |
$sequence_2 = { 8b6b24 896c2404 8d2d409a5c00 892c24 8d742440 89742408 e8???????? }
// n = 7, score = 100
// 8b6b24 | mov ebp, dword ptr [ebx + 0x24]
// 896c2404 | mov dword ptr [esp + 4], ebp
// 8d2d409a5c00 | lea ebp, [0x5c9a40]
// 892c24 | mov dword ptr [esp], ebp
// 8d742440 | lea esi, [esp + 0x40]
// 89742408 | mov dword ptr [esp + 8], esi
// e8???????? |
$sequence_3 = { f20f11440508 8d5301 89e8 89542418 8b5c2448 39da 0f8c5fffffff }
// n = 7, score = 100
// f20f11440508 | movsd qword ptr [ebp + eax + 8], xmm0
// 8d5301 | lea edx, [ebx + 1]
// 89e8 | mov eax, ebp
// 89542418 | mov dword ptr [esp + 0x18], edx
// 8b5c2448 | mov ebx, dword ptr [esp + 0x48]
// 39da | cmp edx, ebx
// 0f8c5fffffff | jl 0xffffff65
$sequence_4 = { ebdd 8d2de07d5c00 892c24 89442404 897c2408 894c240c 89742410 }
// n = 7, score = 100
// ebdd | jmp 0xffffffdf
// 8d2de07d5c00 | lea ebp, [0x5c7de0]
// 892c24 | mov dword ptr [esp], ebp
// 89442404 | mov dword ptr [esp + 4], eax
// 897c2408 | mov dword ptr [esp + 8], edi
// 894c240c | mov dword ptr [esp + 0xc], ecx
// 89742410 | mov dword ptr [esp + 0x10], esi
$sequence_5 = { c7042400000000 89442404 894c2408 8d053a026000 8944240c c744241002000000 e8???????? }
// n = 7, score = 100
// c7042400000000 | mov dword ptr [esp], 0
// 89442404 | mov dword ptr [esp + 4], eax
// 894c2408 | mov dword ptr [esp + 8], ecx
// 8d053a026000 | lea eax, [0x60023a]
// 8944240c | mov dword ptr [esp + 0xc], eax
// c744241002000000 | mov dword ptr [esp + 0x10], 2
// e8???????? |
$sequence_6 = { e9???????? 891424 894c2404 895c2408 e8???????? 8b54240c 8b4c2410 }
// n = 7, score = 100
// e9???????? |
// 891424 | mov dword ptr [esp], edx
// 894c2404 | mov dword ptr [esp + 4], ecx
// 895c2408 | mov dword ptr [esp + 8], ebx
// e8???????? |
// 8b54240c | mov edx, dword ptr [esp + 0xc]
// 8b4c2410 | mov ecx, dword ptr [esp + 0x10]
$sequence_7 = { 8d0598096000 890424 c744240405000000 8d055b396000 89442408 c744240c11000000 8d058a086000 }
// n = 7, score = 100
// 8d0598096000 | lea eax, [0x600998]
// 890424 | mov dword ptr [esp], eax
// c744240405000000 | mov dword ptr [esp + 4], 5
// 8d055b396000 | lea eax, [0x60395b]
// 89442408 | mov dword ptr [esp + 8], eax
// c744240c11000000 | mov dword ptr [esp + 0xc], 0x11
// 8d058a086000 | lea eax, [0x60088a]
$sequence_8 = { 8d15e07b5c00 891424 c744240400000000 89442408 e8???????? 8b442410 8b4c240c }
// n = 7, score = 100
// 8d15e07b5c00 | lea edx, [0x5c7be0]
// 891424 | mov dword ptr [esp], edx
// c744240400000000 | mov dword ptr [esp + 4], 0
// 89442408 | mov dword ptr [esp + 8], eax
// e8???????? |
// 8b442410 | mov eax, dword ptr [esp + 0x10]
// 8b4c240c | mov ecx, dword ptr [esp + 0xc]
$sequence_9 = { 8d05354e6000 890424 c744240414000000 e8???????? 0f0b 8b15???????? 890a }
// n = 7, score = 100
// 8d05354e6000 | lea eax, [0x604e35]
// 890424 | mov dword ptr [esp], eax
// c744240414000000 | mov dword ptr [esp + 4], 0x14
// e8???????? |
// 0f0b | ud2
// 8b15???????? |
// 890a | mov dword ptr [edx], ecx
condition:
// 7 of the 10 sequences; no MZ check, so this also applies to raw memory dumps.
// The size cap is the generator's default, not a property of the family.
7 of them and filesize < 6545408
}

Unknown

rule win_goodor_w0 {
meta:
author = "NCSC"
hash = "b5278301da06450fe4442a25dda2d83d21485be63598642573f59c59e980ad46"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.goodor"
malpedia_version = "20180413"
malpedia_license = "CC BY-NC-SA 4.0"
malpedia_sharing = "TLP:WHITE"
strings:
// ASCII "5465KJUT^IU_){h65g46df5h" - same key-material constant as
// Bytes_used_in_AES_key_generation above
$a1 = { 35 34 36 35 4B 4A 55 54 5E 49 55 5F 29 7B 68 36 35 67 34 36 64 66 35 68 }
// Six-byte pattern with only ff/00 filler around it - a poor atom for YARA's
// scanner. The performance-tuned NCSC variants in this file comment exactly this
// string out and add an MZ/filesize gate; this unmodified Malpedia version keeps
// it and has no gate, so expect it to be slow on large corpora.
$a2 = { fb ff ff ff 00 00 }
condition:
all of them
}