{
"Event": {
"analysis": "2",
"date": "2015-04-03",
"extends_uuid": "",
"info": "OSINT APT Volatile Cedar APT yara rules by Florian Roth",
"publish_timestamp": "1487757979",
"published": true,
"threat_level_id": "2",
"timestamp": "1487757919",
"uuid": "551e7a4b-3774-4565-b850-7455950d210b",
"Orgc": {
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#004646",
"local": false,
"name": "type:OSINT",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428060786",
"to_ids": false,
"type": "link",
"uuid": "551e7a72-f7c0-4731-babf-9144950d210b",
"value": "https://github.com/Neo23x0/Loki/blob/master/signatures/apt_volatile_cedar.yar"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428060786",
"to_ids": false,
"type": "link",
"uuid": "551e7a72-3f9c-41d1-9f3d-9144950d210b",
"value": "https://github.com/Neo23x0/Loki/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428060794",
"to_ids": false,
"type": "text",
"uuid": "551e7a7a-fb58-4d36-aa95-8c54950d210b",
"value": "Volatile Cedar"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428060813",
"to_ids": true,
"type": "yara",
"uuid": "551e7a8d-cb64-4bfb-9324-0d4d950d210b",
"value": "rule Explosion_Sample_1 {\r\n\tmeta:\r\n\t\tdescription = \"Explosion/Explosive Malware - Volatile Cedar APT - file b74bd5660baf67038353136978ed16dbc7d105c60c121cf64c61d8f3d31de32c\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"http://goo.gl/5vYaNb\"\r\n\t\tdate = \"2015/04/03\"\r\n\t\tscore = 70\r\n\t\thash = \"c97693ecb36247bdb44ab3f12dfeae8be4d299bb\"\r\n\tstrings:\r\n\t\t$s5 = \"REG ADD \\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\" ascii\r\n\t\t$s9 = \"WinAutologon From Winlogon Reg\" fullword ascii\r\n\t\t$s10 = \"82BD0E67-9FEA-4748-8672-D5EFE5B779B0\" fullword ascii\r\n\t\t$s11 = \"IE:Password-Protected sites\" fullword ascii\r\n\t\t$s12 = \"\\\\his.sys\" fullword ascii\r\n\t\t$s13 = \"HTTP Password\" fullword ascii\r\n\t\t$s14 = \"\\\\data.sys\" fullword ascii\r\n\t\t$s15 = \"EL$_RasDefaultCredentials#0\" fullword wide\r\n\t\t$s17 = \"Office Outlook HTTP\" fullword ascii\r\n\t\t$s20 = \"Hist : %ws :%s \" fullword ascii\r\n\tcondition:\r\n\t\tall of them and\r\n uint16(0) == 0x5A4D\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428060848",
"to_ids": true,
"type": "sha256",
"uuid": "551e7ab0-6058-4c27-a3d3-1888950d210b",
"value": "b74bd5660baf67038353136978ed16dbc7d105c60c121cf64c61d8f3d31de32c"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428060848",
"to_ids": true,
"type": "sha1",
"uuid": "551e7ab0-563c-423f-a38e-1888950d210b",
"value": "c97693ecb36247bdb44ab3f12dfeae8be4d299bb"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428060869",
"to_ids": true,
"type": "yara",
"uuid": "551e7ac5-33e8-4f73-b75a-1879950d210b",
"value": "rule Explosion_Sample_2 {\r\n\tmeta:\r\n\t\tdescription = \"Explosion/Explosive Malware - Volatile Cedar APT - file bfc63b30624332f4fc2e510f95b69d18dd0241eb0d2fcd33ed2e81b7275ab488\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"http://goo.gl/5vYaNb\"\r\n\t\tdate = \"2015/04/03\"\r\n\t\tscore = 70\r\n\t\thash = \"62fe6e9e395f70dd632c70d5d154a16ff38dcd29\"\r\n\tstrings:\r\n\t\t$s0 = \"serverhelp.dll\" fullword wide\r\n\t\t$s1 = \"Windows Help DLL\" fullword wide\r\n\t\t$s5 = \"SetWinHoK\" fullword ascii\r\n\tcondition:\r\n\t\tall of them and\r\n uint16(0) == 0x5A4D\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428060894",
"to_ids": true,
"type": "sha256",
"uuid": "551e7ade-a6ac-4ece-8c6f-9144950d210b",
"value": "bfc63b30624332f4fc2e510f95b69d18dd0241eb0d2fcd33ed2e81b7275ab488"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428060894",
"to_ids": true,
"type": "sha1",
"uuid": "551e7ade-52cc-4ddc-988c-9144950d210b",
"value": "62fe6e9e395f70dd632c70d5d154a16ff38dcd29"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428060918",
"to_ids": true,
"type": "yara",
"uuid": "551e7af6-4868-4fc9-a9c0-0d4d950d210b",
"value": "rule Explosion_Generic_1 {\r\n\tmeta:\r\n\t\tdescription = \"Generic Rule for Explosion/Explosive Malware - Volatile Cedar APT\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"not set\"\r\n\t\tdate = \"2015/04/03\"\r\n\t\tscore = 70\r\n\t\tsuper_rule = 1\r\n\t\thash0 = \"d0f059ba21f06021579835a55220d1e822d1233f95879ea6f7cb9d301408c821\"\r\n\t\thash1 = \"1952fa94b582e9af9dca596b5e51c585a78b8b1610639e3b878bbfa365e8e908\"\r\n\t\thash2 = \"d8fdcdaad652c19f4f4676cd2f89ae834dbc19e2759a206044b18601875f2726\"\r\n\t\thash3 = \"e2e6ed82703de21eb4c5885730ba3db42f3ddda8b94beb2ee0c3af61bc435747\"\r\n\t\thash4 = \"03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0\"\r\n\tstrings:\r\n\t\t$s0 = \"autorun.exe\" fullword\r\n\t\t$s1 = \"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; MSIE 6.0; Windows NT 5.1; .NET CL\"\r\n\t\t$s2 = \"%drp.exe\" fullword\r\n\t\t$s3 = \"%s_%s%d.exe\" fullword\r\n\t\t$s4 = \"open=autorun.exe\" fullword\r\n\t\t$s5 = \"http://www.microsoft.com/en-us/default.aspx\" fullword\r\n\t\t$s10 = \"error.renamefile\" fullword\r\n\t\t$s12 = \"insufficient lookahead\" fullword\r\n\t\t$s13 = \"%s %s|\" fullword\r\n\t\t$s16 = \":\\\\autorun.exe\" fullword\r\n\tcondition:\r\n\t\t7 of them and\r\n uint16(0) == 0x5A4D\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428060967",
"to_ids": true,
"type": "sha256",
"uuid": "551e7b27-4b2c-4218-a89d-13b6950d210b",
"value": "d0f059ba21f06021579835a55220d1e822d1233f95879ea6f7cb9d301408c821"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428060967",
"to_ids": true,
"type": "sha256",
"uuid": "551e7b27-c880-4330-8ba6-13b6950d210b",
"value": "1952fa94b582e9af9dca596b5e51c585a78b8b1610639e3b878bbfa365e8e908"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428060967",
"to_ids": true,
"type": "sha256",
"uuid": "551e7b27-868c-4295-b668-13b6950d210b",
"value": "d8fdcdaad652c19f4f4676cd2f89ae834dbc19e2759a206044b18601875f2726"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428060967",
"to_ids": true,
"type": "sha256",
"uuid": "551e7b27-dde8-44ac-b0e8-13b6950d210b",
"value": "e2e6ed82703de21eb4c5885730ba3db42f3ddda8b94beb2ee0c3af61bc435747"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428060967",
"to_ids": true,
"type": "sha256",
"uuid": "551e7b27-e69c-40e8-9655-13b6950d210b",
"value": "03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428060991",
"to_ids": true,
"type": "yara",
"uuid": "551e7b3f-3ad0-4087-a566-1888950d210b",
"value": "rule Explosive_UA {\r\n\tmeta:\r\n\t\tdescription = \"Explosive Malware Embedded User Agent - Volatile Cedar APT http://goo.gl/HQRCdw\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"http://goo.gl/HQRCdw\"\r\n\t\tdate = \"2015/04/03\"\r\n\t\tscore = 60\r\n\tstrings:\r\n\t\t$x1 = \"Mozilla/4.0 (compatible; MSIE 7.0; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727)\" fullword\r\n\tcondition:\r\n\t\t$x1 and\r\n uint16(0) == 0x5A4D\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "copy/paste typo?",
"deleted": false,
"disable_correlation": false,
"timestamp": "1487757919",
"to_ids": true,
"type": "yara",
"uuid": "551e7b52-cdc8-45b3-a4d0-1879950d210b",
"value": "rule Webshell_Caterpillar_ASPX {\r\n\tmeta:\r\n\t\tdescription = \"Volatile Cedar Webshell - from file caterpillar.aspx\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"http://goo.gl/emons5\"\r\n\t\tdate = \"2015/04/03\"\r\n\t\tsuper_rule = 1\r\n\t\thash0 = \"af4c99208fb92dc42bc98c4f96c3536ec8f3fe56\"\r\n\tstrings:\r\n\t\t$s0 = \"Dim objNewRequest As WebRequest = HttpWebRequest.Create(sURL)\" fullword\r\n\t\t$s1 = \"command = \\\"ipconfig /all\\\"\" fullword\r\n\t\t$s3 = \"For Each xfile In mydir.GetFiles()\" fullword\r\n\t\t$s6 = \"Dim oScriptNet = Server.CreateObject(\\\"WSCRIPT.NETWORK\\\")\" fullword\r\n\t\t$s10 = \"recResult = adoConn.Execute(strQuery)\" fullword\r\n\t\t$s12 = \"b = Request.QueryString(\\\"src\\\")\" fullword\r\n\t\t$s13 = \"rw(\\\"\\\" + title + \\\"\\\")\" fullword\r\n\tcondition:\r\n\t\tall of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061029",
"to_ids": true,
"type": "sha1",
"uuid": "551e7b65-6df0-45de-b935-9144950d210b",
"value": "af4c99208fb92dc42bc98c4f96c3536ec8f3fe56"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via c97693ecb36247bdb44ab3f12dfeae8be4d299bb)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839491",
"to_ids": true,
"type": "md5",
"uuid": "56c65903-68f0-43e4-b3a7-4fa6950d210f",
"value": "08c988d6cebdd55f3b123f2d9d5507a6"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 62fe6e9e395f70dd632c70d5d154a16ff38dcd29)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839492",
"to_ids": true,
"type": "md5",
"uuid": "56c65904-4070-4328-9210-4eb8950d210f",
"value": "981234d969a4c5e6edea50df009efedd"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via d0f059ba21f06021579835a55220d1e822d1233f95879ea6f7cb9d301408c821)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839494",
"to_ids": true,
"type": "md5",
"uuid": "56c65906-89ac-4e77-af74-4a78950d210f",
"value": "7dbc46559efafe8ec8446b836129598c"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 1952fa94b582e9af9dca596b5e51c585a78b8b1610639e3b878bbfa365e8e908)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839496",
"to_ids": true,
"type": "md5",
"uuid": "56c65908-f42c-4e3b-8b06-599c950d210f",
"value": "9a5a99def615966ea05e3067057d6b37"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via d8fdcdaad652c19f4f4676cd2f89ae834dbc19e2759a206044b18601875f2726)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839497",
"to_ids": true,
"type": "md5",
"uuid": "56c65909-337c-4c17-ba93-4cfc950d210f",
"value": "4f8b989bc424a39649805b5b93318295"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via e2e6ed82703de21eb4c5885730ba3db42f3ddda8b94beb2ee0c3af61bc435747)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839499",
"to_ids": true,
"type": "md5",
"uuid": "56c6590b-9788-4c39-a6f6-5ca1950d210f",
"value": "eb7042ad32f41c0e577b5b504c7558ea"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839501",
"to_ids": true,
"type": "md5",
"uuid": "56c6590d-7160-446b-8b5b-59a3950d210f",
"value": "2b9106e8df3aa98c3654a4e0733d83e7"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via d0f059ba21f06021579835a55220d1e822d1233f95879ea6f7cb9d301408c821)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839495",
"to_ids": true,
"type": "sha1",
"uuid": "56c65907-2484-4306-ba55-59a2950d210f",
"value": "a1d364c17007a80b8be11d362969b13ada78747e"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 1952fa94b582e9af9dca596b5e51c585a78b8b1610639e3b878bbfa365e8e908)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839496",
"to_ids": true,
"type": "sha1",
"uuid": "56c65908-cee8-448f-ac42-599e950d210f",
"value": "441e2ac0f144ea9c6ff25670cae8d463e0422d3f"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via d8fdcdaad652c19f4f4676cd2f89ae834dbc19e2759a206044b18601875f2726)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839498",
"to_ids": true,
"type": "sha1",
"uuid": "56c6590a-0664-45ce-8ed6-44fe950d210f",
"value": "1d28d97271072d8736b85372637830e7a1f5d2a9"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via e2e6ed82703de21eb4c5885730ba3db42f3ddda8b94beb2ee0c3af61bc435747)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839500",
"to_ids": true,
"type": "sha1",
"uuid": "56c6590c-9720-4fb2-961e-c650950d210f",
"value": "0da0331e07bb33f6091fc6e1ff0061a00cf88887"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839502",
"to_ids": true,
"type": "sha1",
"uuid": "56c6590e-36f8-459f-a230-c652950d210f",
"value": "db5b0f6256a2e68acffd14c4946971e2e9e90bfb"
}
]
}
}