Yara Rule - CVE-2017-0199 익스플로잇을 활용하여 2bunnyDOTcom 도메인(디팽 표기)을 가리키는 RTF 피싱 캠페인

Yara Rule - CVE-2017-0199 익스플로잇을 활용하여 2bunnyDOTcom 도메인(디팽 표기)을 가리키는 RTF 피싱 캠페인

YARA 룰 정의 (아래는 여러 룰에서 발췌한 메타데이터·문자열·조건 조각이며, rule 헤더가 빠져 있어 그대로는 로드되지 않음).

Yara Rule - RTF phishing campaign leveraging the CVE-2017-0199 exploit to point to the domain 2bunnyDOTcom (the domain is written defanged on purpose; do not resolve it)

YARA rule definition. What follows is an excerpt only: meta lines (dates, rule ids, sample hashes given variously as SHA-256, SHA-1 and MD5), string definitions and condition fragments from several rules, without their enclosing rule headers — so the listing is not loadable as-is and should be taken from the linked commit instead.

Author: joshua.kim@FireEye — modified by Florian Roth

https://cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf

date = "2019-01-25"
hash1 = "2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec"
hash2 = "45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff"
id = "6a476052-ba4e-5049-9c7a-f8949d26e7b5"
$s2 = "/Client/Login?id=" fullword ascii
$s3 = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" fullword ascii
date = "2017-08-07"
hash1 = "9c163c3f2bd5c5181147c6f4cf2571160197de98f496d16b38c7dc46b5dc1426"
hash2 = "628d316a983383ed716e3f827720915683a8876b54677878a7d2db376d117a24"
id = "f8032616-2a54-5107-b330-65fcc84b866e"
$s1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Modules" fullword wide
hash1 = "73db4295c5b29958c5d93c20be9482c1efffc89fc4e5c8ba59ac9425a4657a88"
hash2 = "380b0353ba8cd33da8c5e5b95e3e032e83193019e73c71875b58ec1ed389bdac"
hash3 = "f27e9bba6a2635731845b4334b807c0e4f57d3b790cecdc77d8fef50629f51a2"
id = "2777443d-6f63-5948-855a-e064a6e0310f"
$s1 = { 38 21 38 2C 38 37 38 42 38 4D 38 58 38 63 38 6E
hash1 = "6ad78f069c3619d0d18eef8281219679f538cfe0c1b6d40b244beb359762cf96"
hash2 = "49c5c798689d4a54e5b7099b647b0596fb96b996a437bb8241b5dd76e974c24e"
hash3 = "e88970fa4892150441c1616028982fe63c875f149cd490c3c910a1c091d3ad49"
id = "31804208-3edb-554b-8820-e682db647435"
$s1 = "stdole2.tlb" fullword ascii
$s2 = "UnInstallW" fullword ascii
date = "2018-06-16"
score = 80
hash1 = "c905f2dec79ccab115ad32578384008696ebab02276f49f12465dcd026c1a615"
id = "d5e1dd3d-4f03-5f79-898b-e612d2758b60"
$x1 = "1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s" fullword ascii
hash_8 = "3698a3630f80a632c0c7c12e929184fb"
hash_9 = "fdb674cadfa038ff9d931e376f89f1b6"
id = "a79789cd-9b16-58f5-ab51-48bb900583d1"
$sa_1 = "META-INF/MANIFEST.MF"
date = "2018-12-28"
id = "2de195a3-63a4-50ac-a83d-ab0db0f784bf"
uint16(0) == 0x5a4d and filesize < 6000KB and (
pe.imphash() == "0556ff5e5f8744bff47d4921494ba46d" or
hash1 = "f9acc706d7bec10f88f9cfbbdf80df0d85331bd4c3c0188e4d002d6929fe4eac"
hash2 = "7188f76ca5fbc6e57d23ba97655b293d5356933e2ab5261e423b3f205fe305ee"
hash3 = "4de5a22cd798950a69318fdcc1ec59e9a456b4e572c2d3ac4788ee96a4070262"
id = "7fc4fdda-b71f-5c9c-87a4-5d8290b99348"
$s1 = "R=user32.dll" fullword ascii
hash1 = "f6449e255bc1a9d4a02391be35d0dd37def19b7e20cfcc274427a0b39cb21b7b"
hash2 = "db7c1534dede15be08e651784d3a5d2ae41963d192b0f8776701b4b72240c38d"
hash3 = "d956e2ff1b22ccee2c5d9819128103d4c31ecefde3ce463a6dea19ecaaf418a1"
id = "578b40d7-6818-56d5-92ce-535141c0aa8e"
uint16(0) == 0x5a4d and filesize < 1000KB and (
pe.imphash() == "7a861cd9c495e1d950a43cb708a22985" or
date = "2017-08-30"
hash1 = "dc7521c00ec2534cf494c0263ddf67ea4ba9915eb17bdc0b3ebe9e840ec63643"
hash2 = "42da51b69bd6625244921a4eef9a2a10153e012a3213e8e9877cf831aea3eced"
id = "6c9cd68f-b839-5c99-a9f5-14c2d8a28bec"
( uint16(0) == 0x5a4d and pe.imphash() == "9ba915fd04f248ad62e856c7238c0264" )
date = "2018-03-10"
hash1 = "6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785"
id = "165bfa6c-1a8d-5628-8c35-da4e4a2ae04f"
$s1 = "\\Release\\RoyalCli.pdb" ascii
$s2 = "%snewcmd.exe" fullword ascii
date = "2018-03-10"
hash1 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
id = "c2f519db-2750-53ce-ae18-697ea041faaf"
$x1 = "del c:\\windows\\temp\\r.exe /f /q" fullword ascii
$x2 = "%s\\r.exe" fullword ascii
date = "2018-03-10"
hash1 = "750d9eecd533f89b8aa13aeab173a1cf813b021b6824bc30e60f5db6fa7b950b"
id = "700bbe14-d79e-5a35-aab3-31eacd5bd950"
$x1 = "AAAAKQAASCMAABi+AABnhEBj8vep7VRoAEPRWLweGc0/eiDrXGajJXRxbXsTXAcZAABK4QAAPWwAACzWAAByrg==" fullword ascii
$x2 = "AAAAKQAASCMAABi+AABnhKv3kXJJousn5YzkjGF46eE3G8ZGse4B9uoqJo8Q2oF0AABK4QAAPWwAACzWAAByrg==" fullword ascii
date = "2018-03-10"
hash1 = "16b868d1bef6be39f69b4e976595e7bd46b6c0595cf6bc482229dbb9e64f1bce"
id = "81b826b6-8c2e-5a8a-a626-9515d40dbbb0"
$s1 = "\\Release\\EWSTEW.pdb" ascii
$s2 = "EWSTEW.exe" fullword wide
sha256 = "90d1f65cfa51da07e040e066d4409dc8a48c1ab451542c894a623bc75c14bf8f"
id = "c6867ad4-f7f2-5d63-bffd-07599ede635d"
$ = "eisableCMD" wide
$ = "%WINDOWS_COPYRIGHT%" wide
sha256 = "6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785"
id = "432c09bf-3c44-5a2c-ba69-7b4fe7eb43cc"
$ = "%s~clitemp%08x.tmp" fullword
$ = "%s /c %s>%s" fullword
id = "d4acfd2d-385d-5063-898e-d339b50733eb"
$string1 = "%shkcmd.exe" fullword
$string2 = "myRObject" fullword
sha256 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
id = "26baef92-1055-56dc-b274-e2a6bc05d85b"
sha256 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
id = "3bc546a5-38b9-5504-b09e-305ba7bbd6bc"
$= "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost" wide ascii
$= "netsvcs" wide ascii fullword
md5 = "d21a7e349e796064ce10f2f6ede31c71"
id = "f07b9537-0741-51c8-a9fa-836430fe4855"
$s1= "subjectname" fullword
$s2= "sendername" fullword
id = "4eb50731-22df-5f7a-bf5f-166ef84cf8b5"
$str01 = "myWObject" fullword
date = "2017-10-03"
hash1 = "dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83"
id = "457312d8-5bfe-5282-9ace-2f169278569c"
$s1 = "\\spool\\prtprocs\\w32x86\\localspl.dll" ascii
$s2 = "\\spool\\prtprocs\\x64\\localspl.dll" ascii
date = "2017-10-03"
hash1 = "20cd49fd0f244944a8f5ba1d7656af3026e67d170133c1b3546c8b2de38d4f27"
id = "9f21514a-168b-5158-8322-60fa8499b11a"
$x1 = "Cookie: __xsptplus=%s" fullword ascii
$x2 = "http://services.fiveemotions.co.jp" fullword ascii
date = "2017-10-03"
hash1 = "128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f"
id = "56eec517-8b00-5cb5-9806-249e50f53b99"
$s1 = "Copyright (c) 2007 - 2011 Symantec Corporation" fullword wide
$s2 = "\\\\.\\SYMEFA" fullword wide
hash1 = "0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2"
hash2 = "07f93e49c7015b68e2542fc591ad2b4a1bc01349f79d48db67c53938ad4b525d"
hash3 = "ee362a8161bd442073775363bf5fa1305abac2ce39b903d63df0d7121ba60550"
id = "c2156e68-d5b5-5bd7-858c-2d5e90199287"
$x1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)" fullword ascii
$x2 = "http://%s/imgres?q=A380&hl=en-US&sa=X&biw=1440&bih=809&tbm=isus&tbnid=aLW4-J8Q1lmYBM" ascii
date = "2015-05-14"
hash = "52f1add5ad28dc30f68afda5d41b354533d8bce3"
id = "e4b9b25e-8895-5ba5-b706-bfb6892c16ae"
$x1 = "Microsoft? Windows? Operating System" fullword wide
$x2 = "fxsst.dll" fullword ascii
date = "2017-06-07"
hash1 = "e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9"
id = "9354d20a-d798-55bf-a735-820f21d4a861"
$x1 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s" fullword ascii
$x2 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" fullword ascii
date="2017-06-02"
id = "eb15e5aa-16e5-5c07-a293-ad15c0c09d8e"
$ob1 = "ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & ChrW(46) & ChrW(101)" ascii wide
date="2017-06-02"
id = "b62ceffa-445f-517e-b86b-56e47876c6c0"
$lnkinfo = "4c0069006e006b0049006e0066006f"
$encoded1 = "4f4c45324c696e6b"
sharing = "TLP:WHITE"
hash1 = "333B52C2CFAC56B86EE9D54AEF4F0FF4144528917BC1AA1FE1613EFC2318339A"
id = "b049e163-2694-5fb9-a3a3-98cc77bcd0ca"
$decoder_routine = { 8A ?? 41 10 00 00 8B ?? 28 ?? ?? 4? 3B ?? 72 ?? }
date = "2022-01-29"
score = 80
id = "f2f015af-219d-51ab-9529-01687a879ebb"
date = "2022-02-07"
hash1 = "fc5a58bf0fce9cb96f35ee76842ff17816fe302e3164bc7c6a5ef46f6eff67ed"
id = "039e5d41-eadb-5c53-82cd-20ffd4105326"
$lznt1_compressed_pe_header_small = { FC B9 00 4D 5A 90 } // This is the lznt1 compressed PE header
date = "2022-02-07"
modified = "2023-01-07"
hash1 = "624e85bd669b97bc55ed5c5ea5f6082a1d4900d235a5d2e2a5683a04e36213e8"
id = "b4002777-f129-5177-a8f1-690012a207fa"
$s1 = "\\cmd.exe /A" wide
$s2 = "vftrace.dll" fullword wide
date = "2022-02-07"
hash1 = "624e85bd669b97bc55ed5c5ea5f6082a1d4900d235a5d2e2a5683a04e36213e8"
id = "d1fe03b9-440c-5127-9572-dddcd5c9966b"
$s1 = "api/v2/ajax" ascii wide nocase
$s2 = "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36" ascii wide nocase
date = "2022-02-07"
hash1 = "624e85bd669b97bc55ed5c5ea5f6082a1d4900d235a5d2e2a5683a04e36213e8"
id = "2bb1d28b-5fc4-5f0b-b546-c8b8192b0d48"
$ = "SOFTWARE\\WOW6432Node\\Microsoft\\config_" ascii
$ = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\windefenders" ascii
date = "2022-02-07"
hash1 = "fc5a58bf0fce9cb96f35ee76842ff17816fe302e3164bc7c6a5ef46f6eff67ed"
id = "fa4fe057-4c3f-5785-a8d3-588398360996"
$encrypted_pe_header_shift_0 = { fc b9 00 4d 5a 90 00 03 00 00 00 82 04 00 30 ff ff 00 }
$encrypted_pe_header_shift_1 = { fd ba 01 4e 5b 91 01 04 01 01 01 83 05 01 31 00 00 01 }
date = "2015-06-02"
hash = "f4db2e0881f83f6a2387ecf446fcb4a4c9f99808"
score = 60
id = "08bc4cc2-1844-5218-bb89-20a3ac70a951"
$s0 = "jhuhugit.tmp" fullword ascii /* score: '14.005' */
$s8 = "KERNEL32.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 14405 times */
hash1 = "e2450dffa675c61aa43077b25b12851a910eeeb6"
hash2 = "d9c53adce8c35ec3b1e015ec8011078902e6800b"
score = 60
id = "d4275b8d-384f-58b7-bac5-05fb7db659e2"
$s0 = "coreshell.dll" fullword wide /* PEStudio Blacklist: strings */
$s1 = "Core Shell Runtime Service" fullword wide /* PEStudio Blacklist: strings */
hash4 = "a8551397e1f1a2c0148e6eadcb56fa35ee6009ca"
hash5 = "f5b3e98c6b5d65807da66d50bd5730d35692174d"
score = 60
id = "8a9df742-82c1-56bb-ab70-6384403f70b5"
$s0 = "coreshell.dll" fullword ascii /* PEStudio Blacklist: strings */
$s1 = "Applicate" fullword ascii
hash8 = "f5b3e98c6b5d65807da66d50bd5730d35692174d"
hash9 = "e2450dffa675c61aa43077b25b12851a910eeeb6"
score = 60
id = "b49843b9-3a54-5525-958e-ac545cc00bde"
$s0 = "coreshell.dll" fullword wide /* PEStudio Blacklist: strings */
$s1 = "Core Shell Runtime Service" fullword wide /* PEStudio Blacklist: strings */
date = "2021-05-24"
hash1 = "12331809c3e03d84498f428a37a28cf6cbb1dafe98c36463593ad12898c588c9"
id = "ed0b2d2b-f820-57b5-9654-c24734d81996"
$ = "cmd /c DEL " ascii
/* $ = " \"" ascii */ /* slowing down scanning */
date = "2021-05-24"
hash1 ="2a652721243f29e82bdf57b565208c59937bbb6af4ab51e7b6ba7ed270ea6bce"
id = "eaf4e8e5-cbec-5000-a2ff-31d1dac4c30f"
$sha = {F4 EB 56 52 AF 4B 48 EE 08 FF 9D 44 89 4B D5 66 24 61 2A 15 1D 58 14 F9 6D 97
date = "2021-05-24"
hash1 = "ae0bc3358fef0ca2a103e694aa556f55a3fed4e98ba57d16f5ae7ad4ad583698"
id = "c44faf95-a64c-58f4-97d4-2fe17aefc813"
$enc_string = {F3 0F 7E 05 ?? ?? ?? ?? 6? [5] 6A ?? 66 [6] 66 [7] F3 0F 7E 05 ?? ?? ?? ?? 8D```


[https://github.com/Neo23x0/signature-base/commit/572159945cf067986ef2242c83edda9211b8a975](https://github.com/Neo23x0/signature-base/commit/572159945cf067986ef2242c83edda9211b8a975)