Goal: Write actionable Sourcefire rule and Yara signature for this specific WEBC2-CSON APT1 binary based on the static analysis performed in the previous post.
Sourcefire Rule:

The original draft ran several `content` strings together without the keyword, used `noncase` (the keyword is `nocase`), left `.` and `?` unescaped in the PCRE (an unescaped `?` makes the preceding `x` optional), required both beacon URIs in the same request (they never occur together), and carried a `seq:8192` option that matches a TCP sequence number rather than a payload size and would keep the rule from ever firing. The corrected rule below keeps the same indicators (C2 address, the two `/Default.aspx` beacon forms, the misspelt `Mozilla/4.o` User-Agent) and adds the `sid`/`rev` a rule needs to load; the `sid` is a local placeholder.

```
# WEBC2-CSON beacon to the C2 over HTTP; the two URI forms are merged into one PCRE.
alert tcp $HOME_NET any -> 65.114.195.226 80 ( \
    msg:"WEBC2-CSON APT1 DOWNLOADER ALERT"; \
    flow:to_server,established; \
    content:"/Default.aspx?"; nocase; \
    content:"User-Agent: Mozilla/4.o (compatible; MSIE 8.0;"; nocase; \
    pcre:"/\/Default\.aspx\?(INDEX|ID)=[A-Z]{1,10}/"; \
    classtype:trojan-activity; \
    sid:1000001; rev:1; \
)
```

Yara Signature:

```
rule Win_Downloader_APT1_WEBC2_CSON : APT
{
    meta:
        author = "Vitali Kremez"
        date = "2015-12-07"
        description = "APT1 Downloader WebC2-CSON"
        hash0 = "a38a367d6696ba90b2e778a5a4bf98fd"
        sample_filetype = "exe"

    strings:
        $string0 = "OpenRequset Failed"
        $string1 = "ReadFile Failed"
        $string2 = "Getfile failed"
        $string3 = "/Default.aspx?INDEX="
        $string4 = "jPhX@@"
        $string5 = "cXVpdA"
        $string6 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        $string7 = "/Default.aspx?ID="
        $string8 = "cXVpdAdW5zdXBwb3J0"
        $string9 = "Google.exe"
        $string10 = "3@YAXPAX@Z"
        $string11 = "Open Web Failed"
        $string12 = "Content-Type: application/x-www-form-urlencoded"
        $string13 = "dW5zdXBwb3J0"
        $string14 = "2@YAPAXI@Z"
        $string15 = "y21k"
        $string16 = "Mozilla/4.o (compatible; MSIE 8.0;Win32)"
        $string17 = "65.114.195.226"

    condition:
        4 of them and filesize < 10KB
}
```

Testing the Yara signature with `yara -rg` (recursive scan, print tags):

```
$ yara -rg Win_Downloader_APT1_WEBC2-CSON.yar ~/Desktop/malware_analysis_all_materials_2014-09-08_1/labs
Win_Downloader_APT1_WEBC2_CSON [APT] /Users/_____/Desktop/malware_analysis_all_materials_2014-09-08_1/labs/1/WEBC2-CSON_sample_A38A367D6696BA90B2E778A5A4BF98FD
```

Outcome:

- 100% hits on the test binary
- 100% true negatives on clean binaries
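To make the detection logic of both signatures concrete without a Snort sensor or yara-python installed, here is an added Python example (not from the original post or from the author's tooling) that re-implements the Sourcefire rule's conditions over a raw HTTP request and evaluates the Yara rule's `4 of them and filesize < 10KB` condition over a file buffer. The HTTP requests and file blobs are constructed for the demonstration; the hostile-looking one merely contains the indicator strings and is not a real binary.

```python
import re

# --- Network side: the conditions of the post's Sourcefire/Snort rule ---
C2_HOST = "65.114.195.226"          # C2 address from the post
C2_PORT = 80
# Both beacon forms merged into one regex; '.' and '?' escaped so the pattern
# means what the rule intends (an unescaped '?' would make the 'x' optional).
WEBC2_URI_RE = re.compile(rb"^/Default\.aspx\?(?:INDEX|ID)=[A-Z]{1,10}")
# Prefix of the sample's odd User-Agent ('4.o' with a letter o, as in the binary's string).
WEBC2_UA_PREFIX = b"Mozilla/4.o (compatible; MSIE 8.0;"


def parse_http_request(raw: bytes):
    """Return (method, target, headers) for a raw HTTP/1.x request, or None if malformed."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def matches_webc2_cson(raw: bytes, dst_ip: str, dst_port: int) -> bool:
    """True only when every rule condition holds: destination is the C2 on port 80,
    the URI is one of the two beacon forms, and the User-Agent is the misspelt one."""
    if dst_ip != C2_HOST or dst_port != C2_PORT:
        return False
    parsed = parse_http_request(raw)
    if parsed is None:
        return False
    _method, target, headers = parsed
    if not WEBC2_URI_RE.match(target):
        return False
    return headers.get(b"user-agent", b"").startswith(WEBC2_UA_PREFIX)


# --- File side: the Yara rule's strings and its condition, evaluated by hand ---
YARA_STRINGS = [
    b"OpenRequset Failed", b"ReadFile Failed", b"Getfile failed",
    b"/Default.aspx?INDEX=", b"jPhX@@", b"cXVpdA",
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ", b"/Default.aspx?ID=", b"cXVpdAdW5zdXBwb3J0",
    b"Google.exe", b"3@YAXPAX@Z", b"Open Web Failed",
    b"Content-Type: application/x-www-form-urlencoded", b"dW5zdXBwb3J0",
    b"2@YAPAXI@Z", b"y21k", b"Mozilla/4.o (compatible; MSIE 8.0;Win32)",
    b"65.114.195.226",
]


def yara_like_match(data: bytes, min_hits: int = 4, max_size: int = 10 * 1024):
    """Plain-substring equivalent of '4 of them and filesize < 10KB'.
    Returns (matched, list of strings found) so the caller can see why."""
    hits = [s for s in YARA_STRINGS if s in data]
    return (len(hits) >= min_hits and len(data) < max_size), hits


# --- Constructed samples (not real traffic or real binaries) ---
BEACON_REQUEST = (b"GET /Default.aspx?INDEX=ABCDEF HTTP/1.1\r\n"
                  b"Host: 65.114.195.226\r\n"
                  b"User-Agent: Mozilla/4.o (compatible; MSIE 8.0;Win32)\r\n\r\n")
BENIGN_REQUEST = (b"GET /Default.aspx?ID=42 HTTP/1.1\r\n"        # digits, not [A-Z]
                  b"Host: 65.114.195.226\r\n"
                  b"User-Agent: Mozilla/5.0 (Windows NT 10.0)\r\n\r\n")
FAKE_SAMPLE = b"MZ" + b"\x00" * 64 + b"\x00".join(
    [b"Getfile failed", b"/Default.aspx?INDEX=", b"/Default.aspx?ID=", b"Google.exe", b"65.114.195.226"])
FAKE_CLEAN = b"MZ" + b"\x00".join(                                # only three indicator strings
    [b"Content-Type: application/x-www-form-urlencoded", b"ReadFile Failed", b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"])
FAKE_LARGE = FAKE_SAMPLE + b"\x00" * (10 * 1024)                 # same strings, over the size cap

if __name__ == "__main__":
    print("beacon ->", matches_webc2_cson(BEACON_REQUEST, C2_HOST, 80))
    print("benign ->", matches_webc2_cson(BENIGN_REQUEST, C2_HOST, 80))
    for name, blob in (("sample", FAKE_SAMPLE), ("clean", FAKE_CLEAN), ("large", FAKE_LARGE)):
        matched, hits = yara_like_match(blob)
        print(f"{name:6} -> {matched} ({len(hits)} strings)")
```

The file-side check shows why the `filesize < 10KB` clause matters: a buffer carrying the same five strings stops matching once it grows past the cap, and a clean buffer that happens to contain three generic strings (the Content-Type header, the alphabet table, an error message) never reaches the `4 of them` threshold.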
Author: Vitali Kremez