-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathSandWorm IoCs and Yara Rules.txt
315 lines (276 loc) · 9.18 KB
/
SandWorm IoCs and Yara Rules.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
#Hashes
BlackEnergy
4c424d5c8cfedf8d2164b9f833f7c631f94c5a4c Lite Dropper
896fcacff6310bbe5335677e99e4c3d370f73d96 Dropper
069163e1fb606c6178e23066e0ac7b7f0e18506b Drivers
0b4be96ada3b54453bd37130087618ea90168d72 Drivers
1a716bf5532c13fa0dc407d00acdc4a457fa87cd Drivers
1a86f7ef10849da7d36ca27d0c9b1d686768e177 Drivers
1cbe4e22b034ee8ea8567e3f8eb9426b30d4affe Drivers
20901cc767055f29ca3b676550164a66f85e2a42 Drivers
2c1260fd5ceaef3b5cb11d702edc4cdd1610c2ed Drivers
2d805bca41aa0eb1fc7ec3bd944efd7dba686ae1 Drivers
4bc2bbd1809c8b66eecd7c28ac319b948577de7b Drivers
502bd7662a553397bbdcfa27b585d740a20c49fc Drivers
672f5f332a6303080d807200a7f258c8155c54af Drivers
84248bc0ac1f2f42a41cfffa70b21b347ddc70e9 Drivers
KillDisk Components
16f44fac7e8bc94eccd7ad9692e6665ef540eec4 KillDisk
8ad6f88c5813c2b4cd7abab1d6c056d95d6ac569 KillDisk
6d6ba221da5b1ae1e910bbeaa07bd44aff26a7c0c425d3e72a KillDisk
General
aa67ca4fb712374f5301d1d2bab0ac66107a4df1 XLS document containing macro
72d0b326410e1d0705281fde83cb7c33c67bc8ca VBS/Agent.AD Trojan
166d71c63d0eb609c4f77499112965db7d9a51bb Win32/SSHBearDoor.A Trojan
Olympic Destroyer
76ab6e2a89c9df04387913983f636999d2241470fc21b32d718e49a55c0014a3 Olympic Destroyer
53a53a483e869c0dca4f1c105fbed6bdf3335d670c36c14e5aabddc56050b7d8 Olympic Destroyer
15def0208d0c18e5177ea1649ca22197b236100523e2af9cece0737fe5c1ff63 Olympic Destroyer
f2b33dbdee8cd78b67bc27140289a82da22eb646dce1c7b9c13e9dae21d985a8 Olympic Destroyer
31e666bc8675018f52243225163631847b337c551ba120ffb23661e6d6b8d56a Olympic Destroyer
2d431cbc5cf5a1e17cd806234e13648714d831fa54a7f98710629600f9a4f00d Olympic Destroyer
c86e149b4583f887b8cfe5ab2b90050c4572907d5256b53764d0ed667d1deb9c Olympic Destroyer
6224837560a95b4677856d012e1d567ebdd15ce06799c5a7720343b9ddb8cd9c Olympic Destroyer
b861064dd95af4412a3231c77b9d2bdd55107ce410516cba2f31cec2c155ef92 Olympic Destroyer
e6e58454c52704af982ee3706e370fe86ea0af8ac3051678072174f3786e8931 Olympic Destroyer
21116a6a09f44e578b36e7884b8aff4dd96f5dfea7312ff39c5c3e825480617c Olympic Destroyer
a73fc13f47cef3f9e92841ea48e8e44a27bd938c2f21d7dd2bff8715370220f7 Olympic Destroyer
5e990930ddde3939d1e2e32fdef6eaa868c29d93e0c8ffb7618ecd5522063fad Olympic Destroyer
be4dd2d468242eb1b19d36b0c9c6cb119c3b10df8f7ae85ac5befdb9a30575d9 Olympic Destroyer
#IP Addresses (C&C)
• 5.149.254.114
• 5.9.32.230
• 31.210.111.154
• 88.198.25.92
• 146.0.4.74.7
• 188.40.8.72
• 95.216.13.196
• 103.94.157.5
#YARA Rules
Detecting webshell P.A.S
rule WEBSHELL_PAS_webshell {
meta:
author = "FR/ANSSI/SDO (modified by Florian Roth)"
description = "Detects P.A.S. PHP webshell - Based on DHS/FBI JAR-16-
2029 (Grizzly Steppe)"
reference = "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-
005.pdf"
date = "2021-02-15"
score = 70
strings:
$php = "<?php"
$strreplace = "(str_replace("
$md5 = ".substr(md5(strrev($"
$gzinflate = "gzinflate"
$cookie = "_COOKIE"
$isset = "isset"
condition:
( filesize > 20KB and filesize < 200KB ) and all of them
}
Detection of Zip archives created by P.A.S
rule WEBSHELL_PAS_webshell_ZIPArchiveFile {
meta:
author = "FR/ANSSI/SDO (modified by Florian Roth)"
description = "Detects an archive file created by P.A.S. for download operation"
reference = "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
date = "2021-02-15"
score = 80
strings:
$s1 = "Archive created by P.A.S. v."
condition:
$s1
}
Detection of SQL files created by P.A.S.
rule WEBSHELL_PAS_webshell_SQLDumpFile {
meta:
author = "FR/ANSSI/SDO"
description = "Detects SQL dump file created by P.A.S. webshell"
reference = "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-
005.pdf"
date = "2021-02-15"
score = 90
strings:
$ = "-- [ SQL Dump created by P.A.S. ] --"
condition:
1 of them }
Detection of PERL network scripts generated by P.A.S.
rule WEBSHELL_PAS_webshell_PerlNetworkScript {
meta:
author = "FR/ANSSI/SDO"
description = "Detects PERL scripts created by P.A.S. webshell"
reference = "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-
005.pdf"
date = "2021-02-15"
score = 90
strings:
$pl_start = "#!/usr/bin/perl\n$SIG{'CHLD'}='IGNORE'; use IO::Socket; use
FileHandle;"
$pl_status = "$o=\" [OK]\";$e=\" Error: \""
$pl_socket = "socket(SOCKET, PF_INET, SOCK_STREAM,$tcp) or die print
\"$l$e$!$l"
$msg1 = "print \"$l OK! I\\'m successful connected.$l\""
$msg2 = "print \"$l OK! I\\'m accept connection.$l\""
condition:
filesize < 6000 and
( $pl_start at 0 and all of ($pl*) ) or
any of ($msg*)
}
Exaramel Backdoor Detection
rule APT_MAL_Sandworm_Exaramel_Configuration_Key {
meta:
author = "FR/ANSSI/SDO"
description = "Detects the encryption key for the configuration file used
by Exaramel malware as seen in sample e1ff72[...]"
reference = "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-
005.pdf"
date = "2021-02-15"
score = 80
strings:
$ = "odhyrfjcnfkdtslt"
condition:
all of them
}
rule APT_MAL_Sandworm_Exaramel_Configuration_Name_Encrypted {
meta:
author = "FR/ANSSI/SDO"
description = "Detects the specific name of the configuration file in
Exaramel malware as seen in sample e1ff72[...]"
reference = "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-
005.pdf"
date = "2021-02-15"
score = 80
strings:
$ = "configtx.json"
condition:
all of them
}
rule APT_MAL_Sandworm_Exaramel_Configuration_File_Plaintext {
meta:
author = "FR/ANSSI/SDO"
description = "Detects contents of the configuration file used by
Exaramel (plaintext)"
reference = "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-
005.pdf"
date = "2021-02-15"
score = 80
strings:
$ = /{"Hosts":\[".{10,512}"\],"Proxy":".{0,512}","Version":".{1,32}","Guid":"/
condition:
all of them
}
rule APT_MAL_Sandworm_Exaramel_Configuration_File_Ciphertext {
meta:
author = "FR/ANSSI/SDO"
description = "Detects contents of the configuration file used by
Exaramel (encrypted with key odhyrfjcnfkdtslt, sample e1ff72[...]"
reference = "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-
005.pdf"
date = "2021-02-15"
score = 80
strings:
$ = { 6F B6 08 E9 A3 0C 8D 5E DD BE D4 } // encrypted with key
odhyrfjcnfkdtslt
condition:
all of them
}
rule APT_MAL_Sandworm_Exaramel_Socket_Path {
meta:
author = "FR/ANSSI/SDO"
description = "Detects path of the unix socket created to prevent
concurrent executions in Exaramel malware"
reference = "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-
005.pdf"
date = "2021-02-15"
score = 80
strings:
$ = "/tmp/.applocktx"
condition:
all of them }
rule APT_MAL_Sandworm_Exaramel_Strings_Typo {
meta:
author = "FR/ANSSI/SDO"
description = "Detects misc strings in Exaramel malware with typos"
reference = "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-
005.pdf"
date = "2021-02-15"
score = 80
strings:
$typo1 = "/sbin/init | awk "
$typo2 = "Syslog service for monitoring \n"
$typo3 = "Error.Can't update app! Not enough update archive."
$typo4 = ":\"metod\""
condition:
3 of ($typo*) }
rule APT_MAL_Sandworm_Exaramel_Task_Names {
meta:
author = "FR/ANSSI/SDO"
description = "Detects names of the tasks received from the CC server in
Exaramel malware"
reference = "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-
005.pdf"
date = "2021-02-15"
score = 80
strings:
$ = "App.Delete"
$ = "App.SetServer"
$ = "App.SetProxy"
$ = "App.SetTimeout"
$ = "App.Update"
$ = "IO.ReadFile"
$ = "IO.WriteFile"
$ = "OS.ShellExecute"
condition:
all of them
}
Exaramel backdoor detection
rule APT_MAL_Sandworm_Exaramel_Struct {
meta:
author = "FR/ANSSI/SDO"
description = "Detects the beginning of type _type struct for some of the
most important structs in Exaramel malware"
reference = "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-
005.pdf"
date = "2021-02-15"
strings:
$struct_le_config = {70 00 00 00 00 00 00 00 58 00 00 00 00 00 00 00 47
2d 28 42 0? [2] 19}
$struct_le_worker = {30 00 00 00 00 00 00 00 30 00 00 00 00 00 00 00
46 6a 13 e2 0? [2] 19}
$struct_le_client = {20 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 7b
6a 49 84 0? [2] 19}
$struct_le_report = {30 00 00 00 00 00 00 00 28 00 00 00 00 00 00 00 bf
35 0d f9 0? [2] 19}
$struct_le_task = {50 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 88
60 a1 c5 0? [2] 19}
condition:
any of them
}
Exaramel backdoor detection
rule APT_MAL_Sandworm_Exaramel_Strings {
meta:
author = "FR/ANSSI/SDO (composed from 4 saparate rules by Florian
Roth)"
description = "Detects Strings used by Exaramel malware"
reference = "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-
005.pdf"
date = "2021-02-15"
score = 80
strings:
$persistence1 = "systemd"
$persistence2 = "upstart"
$persistence3 = "systemV"
$persistence4 = "freebsd rc"
$report1 = "systemdupdate.rep"
$report2 = "upstartupdate.rep"
$report3 = "remove.rep"
$url1 = "/tasks.get/"
$url2 = "/time.get/"
$url3 = "/time.set"
$url4 = "/tasks.report"
$url5 = "/attachment.get/"
$url6 = "/auth/app"
condition:
( 5 of ($url*) and all of ($persistence*) ) or
( all of ($persistence*) and all of ($report*) ) or
( 5 of ($url*) and all of ($report*) )
}