-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathAPT_CrashOverride.yar
147 lines (137 loc) · 5.4 KB
/
APT_CrashOverride.yar
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
import "pe"
import "hash"
rule dragos_crashoverride_exporting_dlls {
meta:
description = "CRASHOVERRIDE v1 Suspicious Export"
author = "Dragos Inc"
reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
condition:
pe.exports("Crash") & pe.characteristics
}
rule dragos_crashoverride_suspcious {
meta:
description = "CRASHOVERRIDE v1 Wiper"
author = "Dragos Inc"
reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
strings:
$s0 = "SYS_BASCON.COM" fullword nocase wide
$s1 = ".pcmp" fullword nocase wide
$s2 = ".pcmi" fullword nocase wide
$s3 = ".pcmt" fullword nocase wide
$s4 = ".cin" fullword nocase wide
condition:
pe.exports("Crash") and any of ($s*)
}
rule dragos_crashoverride_name_search {
meta:
description = "CRASHOVERRIDE v1 Suspicious Strings and Export"
author = "Dragos Inc"
reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
strings:
$s0 = "101.dll" fullword nocase wide
$s1 = "Crash101.dll" fullword nocase wide
$s2 = "104.dll" fullword nocase wide
$s3 = "Crash104.dll" fullword nocase wide
$s4 = "61850.dll" fullword nocase wide
$s5 = "Crash61850.dll" fullword nocase wide
$s6 = "OPCClientDemo.dll" fullword nocase wide
$s7 = "OPC" fullword nocase wide
$s8 = "CrashOPCClientDemo.dll" fullword nocase wide
$s9 = "D2MultiCommService.exe" fullword nocase wide
$s10 = "CrashD2MultiCommService.exe" fullword nocase wide
$s11 = "61850.exe" fullword nocase wide
$s12 = "OPC.exe" fullword nocase wide
$s13 = "haslo.exe" fullword nocase wide
$s14 = "haslo.dat" fullword nocase wide
condition:
any of ($s*) and pe.exports("Crash")
}
rule dragos_crashoverride_hashes {
meta:
description = "CRASHOVERRIDE Malware Hashes"
author = "Dragos Inc"
reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
condition:
filesize < 1MB and
hash.sha1(0, filesize) == "f6c21f8189ced6ae150f9ef2e82a3a57843b587d" or
hash.sha1(0, filesize) == "cccce62996d578b984984426a024d9b250237533" or
hash.sha1(0, filesize) == "8e39eca1e48240c01ee570631ae8f0c9a9637187" or
hash.sha1(0, filesize) == "2cb8230281b86fa944d3043ae906016c8b5984d9" or
hash.sha1(0, filesize) == "79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a" or
hash.sha1(0, filesize) == "94488f214b165512d2fc0438a581f5c9e3bd4d4c" or
hash.sha1(0, filesize) == "5a5fafbc3fec8d36fd57b075ebf34119ba3bff04" or
hash.sha1(0, filesize) == "b92149f046f00bb69de329b8457d32c24726ee00" or
hash.sha1(0, filesize) == "b335163e6eb854df5e08e85026b2c3518891eda8"
}
rule dragos_crashoverride_moduleStrings {
meta:
description = "IEC-104 Interaction Module Program Strings"
author = "Dragos Inc"
reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
strings:
$s1 = "IEC-104 client: ip=%s; port=%s; ASDU=%u" nocase wide ascii
$s2 = " MSTR ->> SLV" nocase wide ascii
$s3 = " MSTR <<- SLV" nocase wide ascii
$s4 = "Unknown APDU format !!!" nocase wide ascii
$s5 = "iec104.log" nocase wide ascii
condition:
any of ($s*)
}
rule dragos_crashoverride_configReader {
meta:
description = "CRASHOVERRIDE v1 Config File Parsing"
author = "Dragos Inc"
reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
strings:
$s0 = { 68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8 }
$s1 = { 8a 10 3a 11 75 ?? 84 d2 74 12 }
$s2 = { 33 c0 eb ?? 1b c0 83 c8 ?? }
$s3 = { 85 c0 75 ?? 8d 95 ?? ?? ?? ?? 8b cf ?? ?? }
condition:
all of them
}
rule dragos_crashoverride_weirdMutex {
meta:
description = "Blank mutex creation assoicated with CRASHOVERRIDE"
author = "Dragos Inc"
reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
strings:
$s1 = { 81 ec 08 02 00 00 57 33 ff 57 57 57 ff 15 ?? ?? 40 00 a3 ?? ?? ?? 00 85 c0 }
$s2 = { 8d 85 ?? ?? ?? ff 50 57 57 6a 2e 57 ff 15 ?? ?? ?? 00 68 ?? ?? 40 00}
condition:
all of them
}
rule dragos_crashoverride_serviceStomper {
meta:
description = "Identify service hollowing and persistence setting"
author = "Dragos Inc"
reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
strings:
$s0 = { 33 c9 51 51 51 51 51 51 ?? ?? ?? }
$s1 = { 6a ff 6a ff 6a ff 50 ff 15 24 ?? 40 00 ff ?? ?? ff 15 20 ?? 40 00 }
condition:
all of them
}
rule dragos_crashoverride_wiperModuleRegistry {
meta:
description = "Registry Wiper functionality assoicated with CRASHOVERRIDE"
author = "Dragos Inc"
reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
strings:
$s0 = { 8d 85 a0 ?? ?? ?? 46 50 8d 85 a0 ?? ?? ?? 68 68 0d ?? ?? 50 }
$s1 = { 6a 02 68 78 0b ?? ?? 6a 02 50 68 b4 0d ?? ?? ff b5 98 ?? ?? ?? ff 15 04 ?? ?? ?? }
$s2 = { 68 00 02 00 00 8d 85 a0 ?? ?? ?? 50 56 ff b5 9c ?? ?? ?? ff 15 00 ?? ?? ?? 85 c0 }
condition:
all of them
}
rule dragos_crashoverride_wiperFileManipulation {
meta:
description = "File manipulation actions associated with CRASHOVERRIDE wiper"
author = "Dragos Inc"
reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
strings:
$s0 = { 6a 00 68 80 00 00 00 6a 03 6a 00 6a 02 8b f9 68 00 00 00 40 57 ff 15 1c ?? ?? ?? 8b d8 }
$s2 = { 6a 00 50 57 56 53 ff 15 4c ?? ?? ?? 56 }
condition:
all of them
}