/*
YARA rules for Grasshopper (Vault 7).
Each rule is an exact whole-file MD5 match for one of the infected DLL hashes
listed in the Stolen Goods 2.1 user guide.
Ref: https://wikileaks.org/vault7/document/StolenGoods-2_1-UserGuide/StolenGoods-2_1-UserGuide.pdf
Author: Jaume Martin
Date: 07-04-2017

Caveats for use: hash.md5(0, filesize) hashes every scanned file in full, which is
costly on large targets, and a single changed byte in a sample evades the rule.
Pair these with content-based (string/structural) rules where possible.
*/
import "hash"
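rule Control32 {
    meta:
        author      = "Jaume Martin"
        description = "Stolen Goods 2.1 artifact 'Control32': exact whole-file MD5 match"
        reference   = "https://wikileaks.org/vault7/document/StolenGoods-2_1-UserGuide/StolenGoods-2_1-UserGuide.pdf"
        date        = "07-04-2017"
        hash        = "b3dc808fc7cb4492669ec019911ef22a"
    condition:
        // Whole-file MD5 against one known sample; any byte change evades this.
        hash.md5(0, filesize) == "b3dc808fc7cb4492669ec019911ef22a"
}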
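rule Control64 {
    meta:
        author      = "Jaume Martin"
        description = "Stolen Goods 2.1 artifact 'Control64': exact whole-file MD5 match"
        reference   = "https://wikileaks.org/vault7/document/StolenGoods-2_1-UserGuide/StolenGoods-2_1-UserGuide.pdf"
        date        = "07-04-2017"
        hash        = "bec30379078d5c5c7845d3be33707b89"
    condition:
        // Whole-file MD5 against one known sample; any byte change evades this.
        hash.md5(0, filesize) == "bec30379078d5c5c7845d3be33707b89"
}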
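rule GH_PM32 {
    meta:
        author      = "Jaume Martin"
        description = "Stolen Goods 2.1 artifact 'GH_PM32': exact whole-file MD5 match"
        reference   = "https://wikileaks.org/vault7/document/StolenGoods-2_1-UserGuide/StolenGoods-2_1-UserGuide.pdf"
        date        = "07-04-2017"
        hash        = "2f2c5b3f3b1f97908074f526ac90a28d"
    condition:
        // Whole-file MD5 against one known sample; any byte change evades this.
        hash.md5(0, filesize) == "2f2c5b3f3b1f97908074f526ac90a28d"
}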
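rule GH_PM64 {
    meta:
        author      = "Jaume Martin"
        description = "Stolen Goods 2.1 artifact 'GH_PM64': exact whole-file MD5 match"
        reference   = "https://wikileaks.org/vault7/document/StolenGoods-2_1-UserGuide/StolenGoods-2_1-UserGuide.pdf"
        date        = "07-04-2017"
        hash        = "fe6c0097412b2c7b7f4b8a489004dd14"
    condition:
        // Whole-file MD5 against one known sample; any byte change evades this.
        hash.md5(0, filesize) == "fe6c0097412b2c7b7f4b8a489004dd14"
}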
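rule MemStub32_GH1 {
    meta:
        author      = "Jaume Martin"
        description = "Stolen Goods 2.1 artifact 'MemStub32_GH1': exact whole-file MD5 match"
        reference   = "https://wikileaks.org/vault7/document/StolenGoods-2_1-UserGuide/StolenGoods-2_1-UserGuide.pdf"
        date        = "07-04-2017"
        hash        = "0a579ad25fdd4db8110aac4dbb7d2da3"
    condition:
        // Whole-file MD5 against one known sample; any byte change evades this.
        hash.md5(0, filesize) == "0a579ad25fdd4db8110aac4dbb7d2da3"
}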
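rule MemStub32 {
    meta:
        author      = "Jaume Martin"
        description = "Stolen Goods 2.1 artifact 'MemStub32': exact whole-file MD5 match"
        reference   = "https://wikileaks.org/vault7/document/StolenGoods-2_1-UserGuide/StolenGoods-2_1-UserGuide.pdf"
        date        = "07-04-2017"
        hash        = "8987652f26732607b769247adb4e9cce"
    condition:
        // Whole-file MD5 against one known sample; any byte change evades this.
        hash.md5(0, filesize) == "8987652f26732607b769247adb4e9cce"
}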
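rule MemStub64_GH1 {
    meta:
        author      = "Jaume Martin"
        description = "Stolen Goods 2.1 artifact 'MemStub64_GH1': exact whole-file MD5 match"
        reference   = "https://wikileaks.org/vault7/document/StolenGoods-2_1-UserGuide/StolenGoods-2_1-UserGuide.pdf"
        date        = "07-04-2017"
        hash        = "2350403a09e6928f0a7ba5d74da58cb9"
    condition:
        // Whole-file MD5 against one known sample; any byte change evades this.
        hash.md5(0, filesize) == "2350403a09e6928f0a7ba5d74da58cb9"
}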
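rule MemStub64 {
    meta:
        author      = "Jaume Martin"
        description = "Stolen Goods 2.1 artifact 'MemStub64': exact whole-file MD5 match"
        reference   = "https://wikileaks.org/vault7/document/StolenGoods-2_1-UserGuide/StolenGoods-2_1-UserGuide.pdf"
        date        = "07-04-2017"
        hash        = "6b5b46d3212fc3fc5b455d9efd8d3ffa"
    condition:
        // Whole-file MD5 against one known sample; any byte change evades this.
        hash.md5(0, filesize) == "6b5b46d3212fc3fc5b455d9efd8d3ffa"
}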
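rule msvcrt_Win7AMD64 {
    meta:
        author      = "Jaume Martin"
        description = "Stolen Goods 2.1 artifact 'msvcrt_Win7AMD64': exact whole-file MD5 match"
        reference   = "https://wikileaks.org/vault7/document/StolenGoods-2_1-UserGuide/StolenGoods-2_1-UserGuide.pdf"
        date        = "07-04-2017"
        hash        = "c8fc794cc5a22b5a1e0803b0b8acce77"
    condition:
        // Whole-file MD5 against one known sample; any byte change evades this.
        hash.md5(0, filesize) == "c8fc794cc5a22b5a1e0803b0b8acce77"
}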
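rule msvcrt_Win7x86 {
    meta:
        author      = "Jaume Martin"
        description = "Stolen Goods 2.1 artifact 'msvcrt_Win7x86': exact whole-file MD5 match"
        reference   = "https://wikileaks.org/vault7/document/StolenGoods-2_1-UserGuide/StolenGoods-2_1-UserGuide.pdf"
        date        = "07-04-2017"
        hash        = "7713e5c5a48b020c9575b1b50f2e5e9e"
    condition:
        // Whole-file MD5 against one known sample; any byte change evades this.
        hash.md5(0, filesize) == "7713e5c5a48b020c9575b1b50f2e5e9e"
}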
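rule msvcrt_WIN8AMD64 {
    meta:
        author      = "Jaume Martin"
        description = "Stolen Goods 2.1 artifact 'msvcrt_WIN8AMD64': exact whole-file MD5 match"
        reference   = "https://wikileaks.org/vault7/document/StolenGoods-2_1-UserGuide/StolenGoods-2_1-UserGuide.pdf"
        date        = "07-04-2017"
        hash        = "33c59fcdf027470e0ab1d366f54a6ebf"
    condition:
        // Whole-file MD5 against one known sample; any byte change evades this.
        hash.md5(0, filesize) == "33c59fcdf027470e0ab1d366f54a6ebf"
}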
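rule msvcrt_WIN8x86 {
    meta:
        author      = "Jaume Martin"
        description = "Stolen Goods 2.1 artifact 'msvcrt_WIN8x86': exact whole-file MD5 match"
        reference   = "https://wikileaks.org/vault7/document/StolenGoods-2_1-UserGuide/StolenGoods-2_1-UserGuide.pdf"
        date        = "07-04-2017"
        hash        = "95490c2b284a9bb63f0ee49254ab727e"
    condition:
        // Whole-file MD5 against one known sample; any byte change evades this.
        hash.md5(0, filesize) == "95490c2b284a9bb63f0ee49254ab727e"
}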
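rule msvcrt_WinXPx86 {
    meta:
        author      = "Jaume Martin"
        description = "Stolen Goods 2.1 artifact 'msvcrt_WinXPx86': exact whole-file MD5 match"
        reference   = "https://wikileaks.org/vault7/document/StolenGoods-2_1-UserGuide/StolenGoods-2_1-UserGuide.pdf"
        date        = "07-04-2017"
        hash        = "b68f72d77754f8b76168ced0924a4174"
    condition:
        // Whole-file MD5 against one known sample; any byte change evades this.
        hash.md5(0, filesize) == "b68f72d77754f8b76168ced0924a4174"
}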
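rule Network_Win7AMD64 {
    meta:
        author      = "Jaume Martin"
        description = "Stolen Goods 2.1 artifact 'Network_Win7AMD64': exact whole-file MD5 match"
        reference   = "https://wikileaks.org/vault7/document/StolenGoods-2_1-UserGuide/StolenGoods-2_1-UserGuide.pdf"
        date        = "07-04-2017"
        hash        = "eb92031a38f17d0e63285b5142b31966"
    condition:
        // Whole-file MD5 against one known sample; any byte change evades this.
        hash.md5(0, filesize) == "eb92031a38f17d0e63285b5142b31966"
}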
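rule Network_Win7x86 {
    meta:
        author      = "Jaume Martin"
        description = "Stolen Goods 2.1 artifact 'Network_Win7x86': exact whole-file MD5 match"
        reference   = "https://wikileaks.org/vault7/document/StolenGoods-2_1-UserGuide/StolenGoods-2_1-UserGuide.pdf"
        date        = "07-04-2017"
        hash        = "548889baed7768b828d9c2f373abd225"
    condition:
        // Whole-file MD5 against one known sample; any byte change evades this.
        hash.md5(0, filesize) == "548889baed7768b828d9c2f373abd225"
}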
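rule Network_WinXPx86 {
    meta:
        author      = "Jaume Martin"
        description = "Stolen Goods 2.1 artifact 'Network_WinXPx86': exact whole-file MD5 match"
        reference   = "https://wikileaks.org/vault7/document/StolenGoods-2_1-UserGuide/StolenGoods-2_1-UserGuide.pdf"
        date        = "07-04-2017"
        hash        = "877341a16d5d223435c43a9db7f721bc"
    condition:
        // Whole-file MD5 against one known sample; any byte change evades this.
        hash.md5(0, filesize) == "877341a16d5d223435c43a9db7f721bc"
}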
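rule RabbitStew32 {
    meta:
        author      = "Jaume Martin"
        description = "Stolen Goods 2.1 artifact 'RabbitStew32': exact whole-file MD5 match"
        reference   = "https://wikileaks.org/vault7/document/StolenGoods-2_1-UserGuide/StolenGoods-2_1-UserGuide.pdf"
        date        = "07-04-2017"
        hash        = "a9d2e8ae5ddbf8f2842d96f7de2faef8"
    condition:
        // Whole-file MD5 against one known sample; any byte change evades this.
        hash.md5(0, filesize) == "a9d2e8ae5ddbf8f2842d96f7de2faef8"
}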
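rule RabbitStew64 {
    meta:
        author      = "Jaume Martin"
        description = "Stolen Goods 2.1 artifact 'RabbitStew64': exact whole-file MD5 match"
        reference   = "https://wikileaks.org/vault7/document/StolenGoods-2_1-UserGuide/StolenGoods-2_1-UserGuide.pdf"
        date        = "07-04-2017"
        hash        = "fa415b6280104e813770df520b303897"
    condition:
        // Whole-file MD5 against one known sample; any byte change evades this.
        hash.md5(0, filesize) == "fa415b6280104e813770df520b303897"
}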
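rule Vbr {
    meta:
        author      = "Jaume Martin"
        description = "Stolen Goods 2.1 artifact 'Vbr': exact whole-file MD5 match"
        reference   = "https://wikileaks.org/vault7/document/StolenGoods-2_1-UserGuide/StolenGoods-2_1-UserGuide.pdf"
        date        = "07-04-2017"
        hash        = "961d2fd68fde2ae0b7c52e0c90767d0d"
    condition:
        // Whole-file MD5 against one known sample; any byte change evades this.
        // NOTE(review): the name suggests a boot-record image rather than a PE, so
        // do not gate this rule on an MZ header like the DLL rules — confirm sample type.
        hash.md5(0, filesize) == "961d2fd68fde2ae0b7c52e0c90767d0d"
}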