Mirrors/APT_CyberCriminal_Campagin_Collections
6
0
Fork 0
mirror of https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections synced 2024-06-20 22:09:47 +00:00
Code Issues Projects Releases Wiki Activity
master
APT_CyberCriminal_Campagin_.../2017/2017.07.27.Operation_Wilted_Tulip/yara-apt_wilted_tulip.txt
cybermonitor 6ecca466ac 2022
2022-04-27 16:20:36 +08:00

143 lines
5.9 KiB
Plaintext
Executable File
Raw Permalink Blame History

/*
Yara Rule Set
Author: Florian Roth
Date: 2017-07-23
Identifier: Operation Wilted Tulip
Reference: http://www.clearskysec.com/tulip
*/
import "pe"
/* Rule Set ----------------------------------------------------------------- */
rule WiltedTulip_tdtess {
meta:
description = "Detects malicious service used in Operation Wilted Tulip"
author = "Florian Roth"
reference = "http://www.clearskysec.com/tulip"
date = "2017-07-23"
hash1 = "3fd28b9d1f26bd0cee16a167184c9f4a22fd829454fd89349f2962548f70dc34"
strings:
$x1 = "d2lubG9naW4k" fullword wide /* base64 encoded string 'winlogin$' */
$x2 = "C:\\Users\\admin\\Documents\\visual studio 2015\\Projects\\Export\\TDTESS_ShortOne\\WinService Template\\" ascii
$s1 = "\\WinService Template\\obj\\x64\\x64\\winlogin" ascii
$s2 = "winlogin.exe" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 200KB and ( 1 of ($x*) or 2 of them ) )
}
rule WiltedTulip_matryoshka_Injector {
meta:
description = "Detects hack tool used in Operation Wilted Tulip"
author = "Florian Roth"
reference = "http://www.clearskysec.com/tulip"
date = "2017-07-23"
hash1 = "c41e97b3b22a3f0264f10af2e71e3db44e53c6633d0d690ac4d2f8f5005708ed"
hash2 = "b93b5d6716a4f8eee450d9f374d0294d1800784bc99c6934246570e4baffe509"
strings:
$s1 = "Injector.dll" fullword ascii
$s2 = "ReflectiveLoader" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 1000KB and all of them ) or
(
pe.exports("__dec") and
pe.exports("_check") and
pe.exports("_dec") and
pe.exports("start") and
pe.exports("test")
)
}
rule WiltedTulip_Zpp {
meta:
description = "Detects hack tool used in Operation Wilted Tulip"
author = "Florian Roth"
reference = "http://www.clearskysec.com/tulip"
date = "2017-07-23"
hash1 = "10ec585dc1304436821a11e35473c0710e844ba18727b302c6bd7f8ebac574bb"
hash2 = "7d046a3ed15035ea197235980a72d133863c372cc27545af652e1b2389c23918"
hash3 = "6d6816e0b9c24e904bc7c5fea5951d53465c478cc159ab900d975baf8a0921cf"
strings:
$x1 = "[ERROR] Error Main -i -s -d -gt -lt -mb" fullword wide
$x2 = "[ERROR] Error Main -i(with.) -s -d -gt -lt -mb -o -e" fullword wide
$s1 = "LT Time invalid" fullword wide
$s2 = "doCompressInNetWorkDirectory" fullword ascii
$s3 = "files remaining ,total file save = " fullword wide
$s4 = "$ec996350-79a4-477b-87ae-2d5b9dbe20fd" fullword ascii
$s5 = "Destinition Directory Not Found" fullword wide
$s6 = "\\obj\\Release\\ZPP.pdb" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 30KB and ( 1 of ($x*) or 3 of them )
}
rule WiltedTulip_Netsrv_netsrvs {
meta:
description = "Detects sample from Operation Wilted Tulip"
author = "Florian Roth"
reference = "http://www.clearskysec.com/tulip"
date = "2017-07-23"
hash1 = "a062cb4364125427b54375d51e9e9afb0baeb09b05a600937f70c9d6d365f4e5"
hash2 = "afa563221aac89f96c383f9f9f4ef81d82c69419f124a80b7f4a8c437d83ce77"
hash3 = "acf24620e544f79e55fd8ae6022e040257b60b33cf474c37f2877c39fbf2308a"
hash4 = "bff115d5fb4fd8a395d158fb18175d1d183c8869d54624c706ee48a1180b2361"
hash5 = "07ab795eeb16421a50c36257e6e703188a0fef9ed87647e588d0cd2fcf56fe43"
strings:
$s1 = "Process %d Created" fullword ascii
$s2 = "%s\\system32\\rundll32.exe" fullword wide
$s3 = "%s\\SysWOW64\\rundll32.exe" fullword wide
$c1 = "slbhttps" fullword ascii
$c2 = "/slbhttps" fullword wide
$c3 = "/slbdnsk1" fullword wide
$c4 = "netsrv" fullword wide
$c5 = "/slbhttps" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 1000KB and ( all of ($s*) and 1 of ($c*) ) )
}
rule WiltedTulip_ReflectiveLoader {
meta:
description = "Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip"
author = "Florian Roth"
reference = "http://www.clearskysec.com/tulip"
date = "2017-07-23"
hash1 = "1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904"
hash2 = "1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a"
hash3 = "a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f"
hash4 = "cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0"
hash5 = "eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89"
strings:
$x1 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" fullword ascii
$x2 = "%d is an x86 process (can't inject x64 content)" fullword ascii
$x3 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s" fullword ascii
$x4 = "Failed to impersonate token from %d (%u)" fullword ascii
$x5 = "Failed to impersonate logged on user %d (%u)" fullword ascii
$x6 = "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 600KB and 1 of them ) or
( 2 of them ) or
pe.exports("_ReflectiveLoader@4")
}
rule WiltedTulip_Matryoshka_RAT {
meta:
description = "Detects Matryoshka RAT used in Operation Wilted Tulip"
author = "Florian Roth"
reference = "http://www.clearskysec.com/tulip"
date = "2017-07-23"
hash1 = "6f208473df0d31987a4999eeea04d24b069fdb6a8245150aa91dfdc063cd64ab"
hash2 = "6cc1f4ecd28b833c978c8e21a20a002459b4a6c21a4fbaad637111aa9d5b1a32"
strings:
$s1 = "%S:\\Users\\public" fullword wide
$s2 = "ntuser.dat.swp" fullword wide
$s3 = "Job Save / Load Config" fullword wide
$s4 = ".?AVPSCL_CLASS_JOB_SAVE_CONFIG@@" fullword ascii
$s5 = "winupdate64.com" fullword ascii
$s6 = "Job Save KeyLogger" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 1000KB and 3 of them )
}
Reference in New Issue View Git Blame Copy Permalink