{
"Event": {
"analysis": "2",
"date": "2014-12-04",
"extends_uuid": "",
"info": "Regin Scanner",
"publish_timestamp": "1521410089",
"published": true,
"threat_level_id": "1",
"timestamp": "1521409802",
"uuid": "548033ca-5854-45f3-bf00-797e950d210b",
"Orgc": {
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
},
"Tag": [
{
"colour": "#004646",
"local": false,
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#33FF00",
"local": false,
"name": "tlp:green",
"relationship_type": ""
},
{
"colour": "#086700",
"local": false,
"name": "misp-galaxy:tool=\"Regin\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688018",
"to_ids": false,
"type": "text",
"uuid": "548033d2-987c-416d-b962-503d950d210b",
"value": "Regin"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688040",
"to_ids": false,
"type": "link",
"uuid": "548033e8-7bc4-4ce1-b015-2497950d210b",
"value": "https://github.com/Neo23x0/ReginScanner"
},
{
"category": "Artifacts dropped",
"comment": "From meta of yara rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688279",
"to_ids": true,
"type": "md5",
"uuid": "548034d7-79e8-429d-847a-4eaf950d210b",
"value": "187044596bc1328efa0ed636d8aa4a5c"
},
{
"category": "Artifacts dropped",
"comment": "From meta of yara rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688279",
"to_ids": true,
"type": "md5",
"uuid": "548034d7-3234-416c-8cea-446b950d210b",
"value": "06665b96e293b23acc80451abb413e50"
},
{
"category": "Artifacts dropped",
"comment": "From meta of yara rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688279",
"to_ids": true,
"type": "md5",
"uuid": "548034d7-3880-4151-86f2-4296950d210b",
"value": "d240f06e98c8d3e647cbf4d442d79475"
},
{
"category": "Artifacts dropped",
"comment": "From meta of yara rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688280",
"to_ids": true,
"type": "md5",
"uuid": "548034d8-56e4-4b92-9958-46f6950d210b",
"value": "ffb0b9b5b610191051a7bdf0806e1e47"
},
{
"category": "Artifacts dropped",
"comment": "From meta of yara rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688280",
"to_ids": true,
"type": "md5",
"uuid": "548034d8-7a0c-4a1d-bc3f-4b45950d210b",
"value": "bfbe8c3ee78750c3a520480700e440f8"
},
{
"category": "Artifacts dropped",
"comment": "From meta of yara rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688280",
"to_ids": true,
"type": "md5",
"uuid": "548034d8-9820-4cb6-918c-42f9950d210b",
"value": "b29ca4f22ae7b7b25f79c1d4a421139d"
},
{
"category": "Artifacts dropped",
"comment": "From meta of yara rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688280",
"to_ids": true,
"type": "md5",
"uuid": "548034d8-ceac-4873-bd3f-4f0f950d210b",
"value": "2c8b9d2885543d7ade3cae98225e263b"
},
{
"category": "Artifacts dropped",
"comment": "From meta of yara rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688280",
"to_ids": true,
"type": "md5",
"uuid": "548034d8-fb84-463d-bb7c-4b2e950d210b",
"value": "4b6b86c7fec1c574706cecedf44abded"
},
{
"category": "Artifacts dropped",
"comment": "From meta of yara rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688280",
"to_ids": true,
"type": "md5",
"uuid": "548034d8-123c-4037-97ab-4fa6950d210b",
"value": "6662c390b2bbbd291ec7987388fc75d7"
},
{
"category": "Artifacts dropped",
"comment": "From meta of yara rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688280",
"to_ids": true,
"type": "md5",
"uuid": "548034d8-1610-4a92-9d13-490e950d210b",
"value": "1c024e599ac055312a4ab75b3950040a"
},
{
"category": "Artifacts dropped",
"comment": "From meta of yara rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688280",
"to_ids": true,
"type": "md5",
"uuid": "548034d8-e530-4558-9abc-4a73950d210b",
"value": "ba7bb65634ce1e30c1e5415be3d1db1d"
},
{
"category": "Artifacts dropped",
"comment": "From meta of yara rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688280",
"to_ids": true,
"type": "md5",
"uuid": "548034d8-1c6c-4da3-ad78-4054950d210b",
"value": "b505d65721bb2453d5039a389113b566"
},
{
"category": "Artifacts dropped",
"comment": "From meta of yara rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688280",
"to_ids": true,
"type": "md5",
"uuid": "548034d8-5194-4077-bada-44c0950d210b",
"value": "b269894f434657db2b15949641a67532"
},
{
"category": "Artifacts dropped",
"comment": "From meta of yara rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688309",
"to_ids": true,
"type": "sha1",
"uuid": "548034f5-dcfc-46c4-a941-41c5950d210b",
"value": "e0895336617e0b45b312383814ec6783556d7635"
},
{
"category": "Artifacts dropped",
"comment": "From meta of yara rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688309",
"to_ids": true,
"type": "sha1",
"uuid": "548034f5-96b4-4a90-b838-47b7950d210b",
"value": "732298fa025ed48179a3a2555b45be96f7079712"
},
{
"category": "Artifacts dropped",
"comment": "From meta of yara rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688309",
"to_ids": true,
"type": "sha1",
"uuid": "548034f5-ba10-426a-8bc0-4f4f950d210b",
"value": "5164edc1d54f10b7cb00a266a1b52c623ab005e2"
},
{
"category": "Artifacts dropped",
"comment": "From meta of yara rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688309",
"to_ids": true,
"type": "sha1",
"uuid": "548034f5-ef24-4077-843d-46e4950d210b",
"value": "773d7fab06807b5b1bc2d74fa80343e83593caf2"
},
{
"category": "Artifacts dropped",
"comment": "From meta of yara rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688310",
"to_ids": true,
"type": "sha1",
"uuid": "548034f6-bc40-4764-a308-4b4b950d210b",
"value": "a7b285d4b896b66fce0ebfcd15db53b3a74a0400"
},
{
"category": "Artifacts dropped",
"comment": "From meta of yara rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688310",
"to_ids": true,
"type": "sha1",
"uuid": "548034f6-57ac-4b35-b392-422e950d210b",
"value": "8487a961c8244004c9276979bb4b0c14392fc3b8"
},
{
"category": "Artifacts dropped",
"comment": "From meta of yara rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688310",
"to_ids": true,
"type": "sha1",
"uuid": "548034f6-cf0c-47a9-9e23-4710950d210b",
"value": "bcf3461d67b39a427c83f9e39b9833cfec977c61"
},
{
"category": "Artifacts dropped",
"comment": "From meta of yara rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688340",
"to_ids": true,
"type": "sha256",
"uuid": "54803514-7e8c-4444-b6eb-503d950d210b",
"value": "4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be"
},
{
"category": "Artifacts dropped",
"comment": "From meta of yara rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688340",
"to_ids": true,
"type": "sha256",
"uuid": "54803514-6c9c-4dfe-a9c5-503d950d210b",
"value": "e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935"
},
{
"category": "Artifacts dropped",
"comment": "From meta of yara rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688340",
"to_ids": true,
"type": "sha256",
"uuid": "54803514-d928-41ea-8dd9-503d950d210b",
"value": "fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1521409802",
"to_ids": true,
"type": "yara",
"uuid": "5480352e-d554-4f67-be3c-2497950d210b",
"value": "rule Regin_APT_KernelDriver_Generic_A {\r\n\tmeta:\r\n\t\tdescription = \"Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2\"\r\n\t\tauthor = \"@Malwrsignatures - included in APT Scanner THOR\"\r\n\t\tdate = \"23.11.14\"\r\n\t\thash1 = \"187044596bc1328efa0ed636d8aa4a5c\"\r\n\t\thash2 = \"06665b96e293b23acc80451abb413e50\"\r\n\t\thash3 = \"d240f06e98c8d3e647cbf4d442d79475\"\r\n\tstrings:\r\n\t\t$m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 } \r\n\t\t$m1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }\r\n\t\t\r\n\t\t$s0 = \"atapi.sys\" fullword wide\r\n\t\t$s1 = \"disk.sys\" fullword wide\r\n\t\t$s3 = \"h.data\" fullword ascii\r\n\t\t$s4 = \"\\\\system32\" fullword ascii\r\n\t\t$s5 = \"\\\\SystemRoot\" fullword ascii\r\n\t\t$s6 = \"system\" fullword ascii\r\n\t\t$s7 = \"temp\" fullword ascii\r\n\t\t$s8 = \"windows\" fullword ascii\r\n\r\n\t\t$x1 = \"LRich6\" fullword ascii\r\n\t\t$x2 = \"KeServiceDescriptorTable\" fullword ascii\t\t\r\n\tcondition:\r\n\t\t$m0 at 0 and $m1 and all of ($s*) and 1 of ($x*)\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688398",
"to_ids": true,
"type": "yara",
"uuid": "5480354e-70dc-49b6-9ac9-44b0950d210b",
"value": "rule Regin_APT_KernelDriver_Generic_B {\r\n\tmeta:\r\n\t\tdescription = \"Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2\"\r\n\t\tauthor = \"@Malwrsignatures - included in APT Scanner THOR\"\r\n\t\tdate = \"23.11.14\"\r\n\t\thash1 = \"ffb0b9b5b610191051a7bdf0806e1e47\"\r\n\t\thash2 = \"bfbe8c3ee78750c3a520480700e440f8\"\r\n\t\thash3 = \"b29ca4f22ae7b7b25f79c1d4a421139d\"\r\n\t\thash4 = \"06665b96e293b23acc80451abb413e50\"\r\n\t\thash5 = \"2c8b9d2885543d7ade3cae98225e263b\"\r\n\t\thash6 = \"4b6b86c7fec1c574706cecedf44abded\"\r\n\t\thash7 = \"187044596bc1328efa0ed636d8aa4a5c\"\r\n\t\thash8 = \"d240f06e98c8d3e647cbf4d442d79475\"\r\n\t\thash9 = \"6662c390b2bbbd291ec7987388fc75d7\"\r\n\t\thash10 = \"1c024e599ac055312a4ab75b3950040a\"\r\n\t\thash11 = \"ba7bb65634ce1e30c1e5415be3d1db1d\"\r\n\t\thash12 = \"b505d65721bb2453d5039a389113b566\"\r\n\t\thash13 = \"b269894f434657db2b15949641a67532\"\r\n\tstrings:\r\n\t\t$m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 } \r\n\t\t$s1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }\r\n\t\t$s2 = \"H.data\" fullword ascii nocase\r\n\t\t$s3 = \"INIT\" fullword ascii\r\n\t\t$s4 = \"ntoskrnl.exe\" fullword ascii\r\n\t\t\r\n\t\t$v1 = \"\\\\system32\" fullword ascii\r\n\t\t$v2 = \"\\\\SystemRoot\" fullword ascii\r\n\t\t$v3 = \"KeServiceDescriptorTable\" fullword ascii\t\r\n\t\t\r\n\t\t$w1 = \"\\\\system32\" fullword ascii\r\n\t\t$w2 = \"\\\\SystemRoot\" fullword ascii\t\t\r\n\t\t$w3 = \"LRich6\" fullword ascii\r\n\t\t\r\n\t\t$x1 = \"_snprintf\" fullword ascii\r\n\t\t$x2 = \"_except_handler3\" fullword ascii\r\n\t\t\r\n\t\t$y1 = \"mbstowcs\" fullword ascii\r\n\t\t$y2 = \"wcstombs\" fullword ascii\r\n\t\t$y3 = \"KeGetCurrentIrql\" fullword ascii\r\n\t\t\r\n\t\t$z1 = \"wcscpy\" fullword ascii\r\n\t\t$z2 = \"ZwCreateFile\" fullword ascii\r\n\t\t$z3 = 
\"ZwQueryInformationFile\" fullword ascii\r\n\t\t$z4 = \"wcslen\" fullword ascii\r\n\t\t$z5 = \"atoi\" fullword ascii\r\n\tcondition:\r\n\t\t$m0 at 0 and all of ($s*) and \r\n\t\t( all of ($v*) or all of ($w*) or all of ($x*) or all of ($y*) or all of ($z*) ) \r\n\t\tand filesize < 20KB\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688412",
"to_ids": true,
"type": "yara",
"uuid": "5480355c-0b58-4340-b3a9-4e07950d210b",
"value": "rule Regin_APT_KernelDriver_Generic_C {\r\n\tmeta:\r\n\t\tdescription = \"Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2\"\r\n\t\tauthor = \"@Malwrsignatures - included in APT Scanner THOR\"\r\n\t\tdate = \"23.11.14\"\r\n\t\thash1 = \"e0895336617e0b45b312383814ec6783556d7635\"\r\n\t\thash2 = \"732298fa025ed48179a3a2555b45be96f7079712\"\t\t\r\n\tstrings:\r\n\t\t$m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 } \r\n\t\r\n\t\t$s0 = \"KeGetCurrentIrql\" fullword ascii\r\n\t\t$s1 = \"5.2.3790.0 (srv03_rtm.030324-2048)\" fullword wide\r\n\t\t$s2 = \"usbclass\" fullword wide\r\n\t\t\r\n\t\t$x1 = \"PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING\" ascii\r\n\t\t$x2 = \"Universal Serial Bus Class Driver\" fullword wide\r\n\t\t$x3 = \"5.2.3790.0\" fullword wide\r\n\t\t\r\n\t\t$y1 = \"LSA Shell\" fullword wide\r\n\t\t$y2 = \"0Richw\" fullword ascii\t\t\r\n\tcondition:\r\n\t\t$m0 at 0 and all of ($s*) and \r\n\t\t( all of ($x*) or all of ($y*) ) \r\n\t\tand filesize < 20KB\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688425",
"to_ids": true,
"type": "yara",
"uuid": "54803569-9acc-4e3f-a05c-2490950d210b",
"value": "rule Regin_sig_svcsstat {\r\n\tmeta:\r\n\t\tdescription = \"Detects svcstat from Regin report - file svcsstat.exe_sample\"\r\n\t\tauthor = \"@MalwrSignatures\"\r\n\t\tdate = \"26.11.14\"\r\n\t\thash = \"5164edc1d54f10b7cb00a266a1b52c623ab005e2\"\r\n\tstrings:\r\n\t\t$s0 = \"Service Control Manager\" fullword ascii\r\n\t\t$s1 = \"_vsnwprintf\" fullword ascii\r\n\t\t$s2 = \"Root Agency\" fullword ascii\r\n\t\t$s3 = \"Root Agency0\" fullword ascii\r\n\t\t$s4 = \"StartServiceCtrlDispatcherA\" fullword ascii\r\n\t\t$s5 = \"\\\\\\\\?\\\\UNC\" fullword wide\r\n\t\t$s6 = \"%ls%ls\" fullword wide\r\n\tcondition:\r\n\t\tall of them and filesize < 15KB and filesize > 10KB \r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688439",
"to_ids": true,
"type": "yara",
"uuid": "54803577-2660-4dea-9bb2-4219950d210b",
"value": "rule Regin_Sample_1 {\r\n\tmeta:\r\n\t\tdescription = \"Auto-generated rule - file-3665415_sys\"\r\n\t\tauthor = \"@MalwrSignatures\"\r\n\t\tdate = \"26.11.14\"\r\n\t\thash = \"773d7fab06807b5b1bc2d74fa80343e83593caf2\"\r\n\tstrings:\r\n\t\t$s0 = \"Getting PortName/Identifier failed - %x\" fullword ascii\r\n\t\t$s1 = \"SerialAddDevice - error creating new devobj [%#08lx]\" fullword ascii\r\n\t\t$s2 = \"External Naming Failed - Status %x\" fullword ascii\r\n\t\t$s3 = \"------- Same multiport - different interrupts\" fullword ascii\r\n\t\t$s4 = \"%x occurred prior to the wait - starting the\" fullword ascii\r\n\t\t$s5 = \"'user registry info - userPortIndex: %d\" fullword ascii\r\n\t\t$s6 = \"Could not report legacy device - %x\" fullword ascii\r\n\t\t$s7 = \"entering SerialGetPortInfo\" fullword ascii\r\n\t\t$s8 = \"'user registry info - userPort: %x\" fullword ascii\r\n\t\t$s9 = \"IoOpenDeviceRegistryKey failed - %x \" fullword ascii\r\n\t\t$s10 = \"Kernel debugger is using port at address %X\" fullword ascii\r\n\t\t$s12 = \"Release - freeing multi context\" fullword ascii\r\n\t\t$s13 = \"Serial driver will not load port\" fullword ascii\r\n\t\t$s14 = \"'user registry info - userAddressSpace: %d\" fullword ascii\r\n\t\t$s15 = \"SerialAddDevice: Enumeration request, returning NO_MORE_ENTRIES\" fullword ascii\r\n\t\t$s20 = \"'user registry info - userIndexed: %d\" fullword ascii\r\n\tcondition:\r\n\t\tall of them and filesize < 110KB and filesize > 80KB\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688455",
"to_ids": true,
"type": "yara",
"uuid": "54803587-1fb8-42b2-b595-503d950d210b",
"value": "rule Regin_Sample_2 {\r\n\tmeta:\r\n\t\tdescription = \"Auto-generated rule - file hiddenmod_hookdisk_and_kdbg_8949d000.bin\"\r\n\t\tauthor = \"@MalwrSignatures\"\r\n\t\tdate = \"26.11.14\"\r\n\t\thash = \"a7b285d4b896b66fce0ebfcd15db53b3a74a0400\"\r\n\tstrings:\r\n\t\t$s0 = \"\\\\SYSTEMROOT\\\\system32\\\\lsass.exe\" fullword wide\r\n\t\t$s1 = \"atapi.sys\" fullword wide\r\n\t\t$s2 = \"disk.sys\" fullword wide\r\n\t\t$s3 = \"IoGetRelatedDeviceObject\" fullword ascii\r\n\t\t$s4 = \"HAL.dll\" fullword ascii\r\n\t\t$s5 = \"\\\\Registry\\\\Machine\\\\System\\\\CurrentControlSet\\\\Services\" fullword ascii\r\n\t\t$s6 = \"PsGetCurrentProcessId\" fullword ascii\r\n\t\t$s7 = \"KeGetCurrentIrql\" fullword ascii\r\n\t\t$s8 = \"\\\\REGISTRY\\\\Machine\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\" wide\r\n\t\t$s9 = \"KeSetImportanceDpc\" fullword ascii\r\n\t\t$s10 = \"KeQueryPerformanceCounter\" fullword ascii\r\n\t\t$s14 = \"KeInitializeEvent\" fullword ascii\r\n\t\t$s15 = \"KeDelayExecutionThread\" fullword ascii\r\n\t\t$s16 = \"KeInitializeTimerEx\" fullword ascii\r\n\t\t$s18 = \"PsLookupProcessByProcessId\" fullword ascii\r\n\t\t$s19 = \"ExReleaseFastMutexUnsafe\" fullword ascii\r\n\t\t$s20 = \"ExAcquireFastMutexUnsafe\" fullword ascii\r\n\tcondition:\r\n\t\tall of them and filesize < 40KB and filesize > 30KB\r\n}"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1417688469",
"to_ids": false,
"type": "comment",
"uuid": "54803595-5428-45f6-af59-7eca950d210b",
"value": "Data entered by David Andr\u00c3\u00a9"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1511190139",
"to_ids": true,
"type": "yara",
"uuid": "548035a2-aecc-4a3e-95e7-79dd950d210b",
"value": "rule Regin_Sample_3 {\r\n\tmeta:\r\n\t\tdescription = \"Detects Regin Backdoor sample fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129\"\r\n\t\tauthor = \"@Malwrsignatures\"\r\n\t\tdate = \"27.11.14\"\r\n\t\thash = \"fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129\"\t\t\r\n\tstrings:\r\n\t\t$hd = { fe ba dc fe }\r\n\t\r\n\t\t$s0 = \"Service Pack x\" fullword wide\r\n\t\t$s1 = \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\" fullword wide\r\n\t\t$s2 = \"\\\\REGISTRY\\\\Machine\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\HotFix\" fullword wide\r\n\t\t$s3 = \"mntoskrnl.exe\" fullword wide\r\n\t\t$s4 = \"\\\\REGISTRY\\\\Machine\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\Memory Management\" fullword wide\r\n\t\t$s5 = \"Memory location: 0x%p, size 0x%08x\" wide fullword\r\n\t\t$s6 = \"Service Pack\" fullword wide\r\n\t\t$s7 = \".sys\" fullword wide\r\n\t\t$s8 = \".dll\" fullword wide\t\t\r\n\t\t\r\n\t\t$s10 = \"\\\\REGISTRY\\\\Machine\\\\Software\\\\Microsoft\\\\Updates\" fullword wide\r\n\t\t$s11 = \"IoGetRelatedDeviceObject\" fullword ascii\r\n\t\t$s12 = \"VMEM.sys\" fullword ascii\r\n\t\t$s13 = \"RtlGetVersion\" fullword wide\r\n\t\t$s14 = \"ntkrnlpa.exe\" fullword ascii\r\n\tcondition:\r\n\t\t( $hd at 0 ) and all of ($s*) and filesize > 160KB and filesize < 200KB\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1521407907",
"to_ids": true,
"type": "yara",
"uuid": "548035b1-90bc-4b1d-9d0d-159e950d210b",
"value": "rule Regin_Sample_Set_1 {\r\n\tmeta:\r\n\t\tdescription = \"Auto-generated rule - file SHF-000052 and ndisips.sys\"\r\n\t\tauthor = \"@MalwrSignatures\"\r\n\t\tdate = \"26.11.14\"\r\n\t\thash1 = \"8487a961c8244004c9276979bb4b0c14392fc3b8\"\r\n\t\thash2 = \"bcf3461d67b39a427c83f9e39b9833cfec977c61\"\t\t\r\n\tstrings:\r\n\t\t$s0 = \"HAL.dll\" fullword ascii\r\n\t\t$s1 = \"IoGetDeviceObjectPointer\" fullword ascii\r\n\t\t$s2 = \"MaximumPortsServiced\" fullword wide\r\n\t\t$s3 = \"KeGetCurrentIrql\" fullword ascii\r\n\t\t$s4 = \"ntkrnlpa.exe\" fullword ascii\r\n\t\t$s5 = \"\\\\REGISTRY\\\\Machine\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\" wide\r\n\t\t$s6 = \"ConnectMultiplePorts\" fullword wide\r\n\t\t$s7 = \"\\\\SYSTEMROOT\" fullword wide\r\n\t\t$s8 = \"IoWriteErrorLogEntry\" fullword ascii\r\n\t\t$s9 = \"KeQueryPerformanceCounter\" fullword ascii\r\n\t\t$s10 = \"KeServiceDescriptorTable\" fullword ascii\r\n\t\t$s11 = \"KeRemoveEntryDeviceQueue\" fullword ascii\r\n\t\t$s12 = \"SeSinglePrivilegeCheck\" fullword ascii\r\n\t\t$s13 = \"KeInitializeEvent\" fullword ascii\r\n\t\t$s14 = \"IoBuildDeviceIoControlRequest\" fullword ascii\r\n\t\t$s15 = \"KeRemoveDeviceQueue\" fullword ascii\r\n\t\t$s16 = \"IofCompleteRequest\" fullword ascii\r\n\t\t$s17 = \"KeInitializeSpinLock\" fullword ascii\r\n\t\t$s18 = \"MmIsNonPagedSystemAddressValid\" fullword ascii\r\n\t\t$s19 = \"IoCreateDevice\" fullword ascii\r\n\t\t$s20 = \"KefReleaseSpinLockFromDpcLevel\" fullword ascii\r\n\tcondition:\r\n\t\tall of them and filesize < 40KB and filesize > 30KB\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1521408207",
"to_ids": true,
"type": "yara",
"uuid": "548035be-b83c-4e21-98bf-2490950d210b",
"value": "rule Regin_Sample_Set_2 {\r\n meta:\r\n description = \"Detects Regin Backdoor sample 4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be and e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935\"\r\n author = \"@MalwrSignatures\"\r\n date = \"27.11.14\"\r\n hash0 = \"4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be\"\r\n hash1 = \"e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935\"\r\n strings:\r\n $hd = { fe ba dc fe }\r\n \r\n $s0 = \"d%ls%ls\" fullword wide\r\n $s1 = \"\\\\\\\\?\\\\UNC\" fullword wide\r\n $s2 = \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\" fullword wide\r\n $s3 = \"\\\\\\\\?\\\\UNC\\\\\" fullword wide\r\n $s4 = \"SYSTEM\\\\CurrentControlSet\\\\Control\\\\Class\\\\{4D36E972-E325-11CE-BFC1-08002BE10318}\" fullword wide\r\n $s5 = \"System\\\\CurrentControlSet\\\\Services\\\\Tcpip\\\\Linkage\" wide fullword\r\n $s6 = \"\\\\\\\\.\\\\Global\\\\%s\" fullword wide\r\n $s7 = \"temp\" fullword wide\r\n $s8 = \"\\\\\\\\.\\\\%s\" fullword wide\r\n $s9 = \"Memory location: 0x%p, size 0x%08x\" fullword wide \r\n \r\n $s10 = \"sscanf\" fullword ascii\r\n $s11 = \"disp.dll\" fullword ascii\r\n $s12 = \"%x:%x:%x:%x:%x:%x:%x:%x%c\" fullword ascii\r\n $s13 = \"%d.%d.%d.%d%c\" fullword ascii\r\n $s14 = \"imagehlp.dll\" fullword ascii\r\n $s15 = \"%hd %d\" fullword ascii\r\n condition:\r\n ( $hd at 0 ) and all of ($s*) and filesize < 450KB and filesize > 360KB\r\n}"
}
]
}
} |