#100DaysofYARA 2024 – Day 31 – LemonDuck

I see a lot of cryptominers. LemonDuck is interesting because it goes beyond the basics of mining and can even be used as a foothold for hands-on-keyboard activity following the initial breach.

This rule matches strings found in Windows and Linux LemonDuck variants.

rule MAL_LemonDuck_strings {
	meta:
		description = "Matches strings found in Lemonduck cryptominer samples."
		last_modified = "2024-01-31"
		author = "@petermstewart"
		DaysofYara = "31/100"
		sha256 = "a5de49d6b14b04ba854246e1945ea1cfc8a7e7e254d0974efaba6415922c756f"

	strings:
		$a1 = "stratum+tcp"
		$a2 = "stratum+ssl"
		$b1 = "\"donate-level\":"
		$b2 = "\"health-print-time\":"
		$b3 = "\"retry-pause\":"
		$b4 = "\"nicehash\":"
		$b5 = "\"coin\":"
		$b6 = "\"randomx\":"
		$b7 = "\"opencl\":"
		$b8 = "\"cuda\":"
		$b9 = "This is a test This is a test This is a test"

	condition:
		(uint16(0) == 0x5a4d or uint32(0) == 0x464c457f) and
		1 of ($a*) and
		8 of ($b*)
}

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.

#100DaysofYARA 2024 – Day 30 – BumbleBee DLL Strings

Following on from yesterday’s rule on BumbleBee’s obfuscated PowerShell loader, today’s rule matches on strings found in the DLL payload.

rule MAL_BumbleBee_DLL_strings {
	meta:
		description = "Matches strings found in BumbleBee DLL sample extracted from initial PowerShell loader."
		last_modified = "2024-01-30"
		author = "@petermstewart"
		DaysofYara = "30/100"
		sha256 = "39e300a5b4278a3ff5fe48c7fa4bd248779b93bbb6ade55e38b22de5f9d64c3c"

	strings:
		$a1 = "powershell -ep bypass -Command"
		$a2 = " -Command \"Wait-Process -Id "
		$a3 = "schtasks.exe /F /create /sc minute /mo 4 /TN \""
		$a4 = "/ST 04:00 /TR \"wscript /nologo"
		$b1 = "SELECT * FROM Win32_ComputerSystemProduct"
		$b2 = "SELECT * FROM Win32_ComputerSystem"
		$b3 = "SELECT * FROM Win32_OperatingSystem"
		$b4 = "SELECT * FROM Win32_NetworkAdapterConfiguration" wide
		$b5 = "SELECT * FROM Win32_NTEventlogFile" wide
		$b6 = "SELECT * FROM Win32_PnPEntity" wide

	condition:
		uint16(0) == 0x5a4d and
		3 of ($a*) and
		4 of ($b*)
}

#100DaysofYARA 2024 – Day 29 – BumbleBee PowerShell Loader

The BumbleBee malware typically functions as a loader for second-stage implants such as CobaltStrike, and has been associated with multiple ransomware affiliates. The malware itself takes the form of a DLL, but BumbleBee uses multiple distribution methods, including ISO files, trojanised installers, JavaScript, and obfuscated PowerShell.

Today’s rule focuses on the BumbleBee PowerShell loader.

rule MAL_BumbleBee_PowerShell_strings {
	meta:
		description = "Matches strings found in BumbleBee PowerShell loaders."
		last_modified = "2024-01-29"
		author = "@petermstewart"
		DaysofYara = "29/100"
		sha256 = "0ff8988d76fc6bd764a70a7a4f07a15b2b2c604138d9aadc784c9aeb6b77e275"
		sha256 = "9b6125e1aa889f2027111106ee406d08a21c894a83975b785a2b82aab3e2ac52"
		sha256 = "2102214c6a288819112b69005737bcfdf256730ac859e8c53c9697e3f87839f2"
		sha256 = "e9a1ce3417838013412f81425ef74a37608754586722e00cacb333ba88eb9aa7"

	strings:
		$a1 = "[System.Convert]::FromBase64String" ascii wide
		$a2 = "System.IO.Compression.GZipStream" ascii wide
		$elem = "$elem" ascii wide
		$invoke1 = ".Invoke(0,1)" ascii wide
		$invoke2 = ".Invoke(0,\"H\")" ascii wide

	condition:
		filesize > 1MB and filesize < 10MB and
		all of ($a*) and
		#elem > 30 and
		#invoke1 > 30 and
		#invoke2 > 30
}
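
How the Day 29 condition actually evaluates, emulated in Python as an added example (not the post's own code, and not YARA itself): `ascii wide` means each string is searched both as raw ASCII and as UTF-16LE, `#elem` counts every occurrence, and the filesize band applies to the whole file. The loader-like script it scans is constructed for the example, not a real sample.

```python
from typing import Dict

# The rule's strings; every one carries the "ascii wide" modifier.
RULE_STRINGS = {
    "a1": "[System.Convert]::FromBase64String",
    "a2": "System.IO.Compression.GZipStream",
    "elem": "$elem",
    "invoke1": ".Invoke(0,1)",
    "invoke2": '.Invoke(0,"H")',
}

MB = 1024 * 1024  # YARA's MB suffix


def count_ascii_wide(data: bytes, s: str) -> int:
    """Emulate YARA's # operator for a string declared 'ascii wide':
    occurrences of the ASCII bytes plus occurrences of the UTF-16LE bytes."""
    return data.count(s.encode("ascii")) + data.count(s.encode("utf-16-le"))


def evaluate(data: bytes) -> Dict[str, object]:
    """Apply the Day 29 condition to a byte buffer and return the counters too."""
    counts = {name: count_ascii_wide(data, s) for name, s in RULE_STRINGS.items()}
    matched = (
        MB < len(data) < 10 * MB          # filesize > 1MB and filesize < 10MB
        and counts["a1"] > 0 and counts["a2"] > 0   # all of ($a*)
        and counts["elem"] > 30
        and counts["invoke1"] > 30
        and counts["invoke2"] > 30
    )
    return {"counts": counts, "match": matched}


def build_sample(encoding: str, repeats: int = 31, pad_to: int = 2 * MB) -> bytes:
    """Constructed stand-in for a loader: the decode/decompress calls once, the
    obfuscation idiom `repeats` times, then comment lines to reach `pad_to` bytes."""
    lines = [
        "$raw = [System.Convert]::FromBase64String($blob)",
        "$gz = New-Object System.IO.Compression.GZipStream($ms, 0)",
    ]
    lines += ['$elem.Invoke(0,1).Invoke(0,"H")'] * repeats
    body = ("\n".join(lines) + "\n").encode(encoding)
    padding = ("# " + "x" * 78 + "\n").encode(encoding)
    if len(body) < pad_to:
        n = (pad_to - len(body) + len(padding) - 1) // len(padding)
        body += padding * n
    return body
```

Saving the same script as UTF-16LE, as Windows tools often do for .ps1 files, still matches because of the `wide` modifier, while a script with only 30 repetitions of the obfuscation idiom falls under the `> 30` thresholds.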

#100DaysofYARA 2024 – Day 28 – Signal Desktop Sensitive File References

In addition to the usual mobile applications, the end-to-end encrypted Signal messenger provides a desktop application for Windows, Linux, and macOS that stores messages in a SQLite database. The database is encrypted, but the encryption key is stored in plaintext.

After seeing a tweet from Andrew Thompson, I decided to write a rule to check for any references to the database and key file paths.

rule HUNT_Signal_Desktop_File_References {
	meta:
		description = "Contains references to sensitive database and key files used by Signal desktop application."
		last_modified = "2024-01-28"
		author = "@petermstewart"
		DaysofYara = "28/100"
		ref = "https://www.alexbilz.com/post/2021-06-07-forensic-artifacts-signal-desktop/"
		ref = "https://www.bleepingcomputer.com/news/security/signal-desktop-leaves-message-decryption-key-in-plain-sight/"

	strings:
		$win_db = "\\AppData\\Roaming\\Signal\\sql\\db.sqlite" nocase ascii wide
		$win_key = "\\AppData\\Roaming\\Signal\\config.json" nocase ascii wide
		$lin_db = "config/Signal/sql/db.sqlite" nocase ascii wide
		$lin_key = "config/Signal/config.json" nocase ascii wide
		$macos_db = "/Signal/sql/db.sqlite" nocase ascii wide
		$macos_key = "/Signal/config.json" nocase ascii wide

	condition:
		(uint16(0) == 0x5a4d or 		//PE
		uint32(0) == 0x464c457f or		//ELF
		uint32(0) == 0xfeedface or		//MH_MAGIC
		uint32(0) == 0xcefaedfe or		//MH_CIGAM
		uint32(0) == 0xfeedfacf or		//MH_MAGIC_64
		uint32(0) == 0xcffaedfe or		//MH_CIGAM_64
		uint32(0) == 0xcafebabe or		//FAT_MAGIC
		uint32(0) == 0xbebafeca) and	//FAT_CIGAM
		2 of them
}

#100DaysofYARA 2024 – Day 27 – Generic Ransomware Strings

After spending the last couple of weeks looking at ransomware binaries, I had an idea to take some common strings – mostly excerpts from ransom notes – and create a generic ransomware binary hunting rule. I expect this rule to be pretty low-fidelity, but it might match some interesting files.

rule HUNT_Ransomware_generic_strings {
	meta:
		description = "Matches ransom note strings often found in ransomware binaries."
		last_modified = "2024-01-27"
		author = "@petermstewart"
		DaysofYara = "27/100"

	strings:
		$a1 = "Install TOR Browser" nocase ascii wide
		$a2 = "Download Tor" nocase ascii wide
		$a3 = "decrypt your files" nocase ascii wide
		$a4 = "your company is fully" nocase ascii wide
		$a5 = "recover your files" nocase ascii wide
		$a6 = "files were encrypted" nocase ascii wide
		$a7 = "files will be decrypted" nocase ascii wide
		$a8 = "Contact us" nocase ascii wide
		$a9 = "decrypt 1 file" nocase ascii wide
		$a10 = "has been encrypted" nocase ascii wide
		$a11 = "Contact information" nocase ascii wide
		$a12 = "pay the ransom" nocase ascii wide
		$a13 = "Decryption ID" nocase ascii wide
		$a14 = "are encrypted" nocase ascii wide

	condition:
		(uint16(0) == 0x5a4d or 		//PE
		uint32(0) == 0x464c457f or		//ELF
		uint32(0) == 0xfeedface or		//MH_MAGIC
		uint32(0) == 0xcefaedfe or		//MH_CIGAM
		uint32(0) == 0xfeedfacf or		//MH_MAGIC_64
		uint32(0) == 0xcffaedfe or		//MH_CIGAM_64
		uint32(0) == 0xcafebabe or		//FAT_MAGIC
		uint32(0) == 0xbebafeca) and	//FAT_CIGAM
		2 of them
}

#100DaysofYARA 2024 – Day 26 – Turtle Ransomware

The Turtle ransomware was first observed in November 2023, when a collection of PE, ELF, and MachO binaries were uploaded to VirusTotal. Patrick Wardle published a thorough analysis of the macOS variants. TL;DR – it works, but it’s a bit rubbish: it uses a hard-coded key and doesn’t even drop a ransom note.

rule MAL_TurtleRansom_strings {
	meta:
		description = "Matches strings found in Windows, ELF, and MachO Turtle ransomware samples."
		last_modified = "2024-01-26"
		author = "@petermstewart"
		DaysofYara = "26/100"
		sha256 = "b384155b74845beeea0f781c9c216c69eceb018520d819dd09823cff6ef0e7de"
		sha256 = "f5b9b80f491e5779f646d2510a2c9c43f3072c45302d271798c4875544ace4f2"
		sha256 = "df5f7570bf0b1f99f33c31913ab9f25b9670286e8e2462278aea2157f8173a68"
		sha256 = "b5ab9c61c81dfcd2242b615c9af2cb018403c9a784b7610b39ed56222d669297"
		sha256 = "a4789e0b79a8bac486fbc3b0f00b6dcbaac6854e621d40fc3005d23f83d2e5ec"
		sha256 = "5f9cd91d8d1dcfe2f6cf4c6995ad746694ce57023dfb82b1cd6af5697113d1b0"
		sha256 = "a48af4a62358831fe5376aa52db1a3555b0c93c1665b242c0c1f49462f614c56"
		sha256 = "62f84afdab28727ab47b5c1e4af92b33dc2b11e55dca7b097fe94da5bcc9ec4e"
		sha256 = "f14ef1c911deb8714d1bb501064505c13237049ac51f0a657da4b0bf11f5f59e"
		sha256 = "65eea957148d75c29213dff0c5465c6dc1db266437865538cfe8744c2436f5e1"
		sha256 = "00b52a5905e042a9a9f365f7e5404f420ae26f463f24c069d6076e9094f61a8e"
		sha256 = "52337055cca751b8b2b716a1c8f3ba179ddd74b268b67641ade223d3d3cf773d"
		ref = "https://objective-see.org/blog/blog_0x76.html"

	strings:
		$a1 = "D:/VirTest/TurmiRansom/main.go"
		$a2 = "VirTest/TurmiRansom"
		$a3 = "TurmiRansom/main.go"
		$b1 = "TURTLERANSv0"
		$b2 = "wugui123"
		$b3 = "main..inittask"
		$b4 = "main.en0cr0yp0tFile"
		$b5 = "main.main"
		$b6 = "main.main.func1"

	condition:
		(uint16(0) == 0x5a4d or 		//PE
		uint32(0) == 0x464c457f or		//ELF
		uint32(0) == 0xfeedface or		//MH_MAGIC
		uint32(0) == 0xcefaedfe or		//MH_CIGAM
		uint32(0) == 0xfeedfacf or		//MH_MAGIC_64
		uint32(0) == 0xcffaedfe or		//MH_CIGAM_64
		uint32(0) == 0xcafebabe or		//FAT_MAGIC
		uint32(0) == 0xbebafeca) and	//FAT_CIGAM
		2 of ($a*) and
		all of ($b*)
}
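
The file-header gate shared by the Day 28, Day 27 and Day 26 conditions, emulated in Python as an added example (not the post's own code, and not YARA itself) so the byte order is visible: YARA's uint16() and uint32() read little-endian, which is why each Mach-O magic is listed in both byte orders. The sample headers are constructed, a few leading bytes each.

```python
import struct
from typing import Dict, Optional

# The uint32 clauses exactly as the rules list them. These are the values YARA
# sees after a little-endian read, not the byte order on disk.
HEADER_GATE = {
    0x464c457f: "ELF",
    0xfeedface: "MH_MAGIC",
    0xcefaedfe: "MH_CIGAM",
    0xfeedfacf: "MH_MAGIC_64",
    0xcffaedfe: "MH_CIGAM_64",
    0xcafebabe: "FAT_MAGIC",
    0xbebafeca: "FAT_CIGAM",
}


def yara_uint16(data: bytes, offset: int = 0) -> Optional[int]:
    """Mirror YARA's uint16(offset): little-endian, undefined past end of file."""
    if len(data) < offset + 2:
        return None
    return struct.unpack_from("<H", data, offset)[0]


def yara_uint32(data: bytes, offset: int = 0) -> Optional[int]:
    """Mirror YARA's uint32(offset): little-endian, undefined past end of file."""
    if len(data) < offset + 4:
        return None
    return struct.unpack_from("<I", data, offset)[0]


def header_gate(data: bytes) -> Optional[str]:
    """Return the comment label of the clause that would be true, or None."""
    if yara_uint16(data) == 0x5a4d:   # "MZ" read little-endian
        return "PE"
    return HEADER_GATE.get(yara_uint32(data))


# Constructed headers, named after the kind of file that really starts this way.
SAMPLES = {
    "pe_stub": b"MZ\x90\x00",
    "elf": b"\x7fELF\x02\x01\x01",
    "macho_i386": b"\xce\xfa\xed\xfe",     # MH_MAGIC written by a little-endian host
    "macho_x86_64": b"\xcf\xfa\xed\xfe",   # MH_MAGIC_64 written by a little-endian host
    "macho_ppc_32": b"\xfe\xed\xfa\xce",   # MH_MAGIC written by a big-endian host
    "universal": b"\xca\xfe\xba\xbe",      # fat header is always big-endian on disk
    "java_class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34",  # same four leading bytes
    "text_note": b"Your network has been compromised!",
    "short": b"\x7f",
}


def classify_all(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Optional[str]]:
    return {name: header_gate(data) for name, data in samples.items()}
```

Because a real universal binary starts with the bytes CA FE BA BE, it is the FAT_CIGAM clause that fires for it, and a Java .class file, which begins with the same four bytes, passes the gate as well; the `2 of them` string clause still has to hold before any of these rules matches.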

#100DaysofYARA 2024 – Day 25 – BlackSuit Ransomware Note

A quarter of the way through #100DaysofYARA! Today’s rule is essentially the same as yesterday, but tuned to catch the ransom note that BlackSuit drops post-encryption.

rule MAL_BlackSuit_ransomnote {
	meta:
		description = "Matches strings found in open-source reporting of BlackSuit ransom notes."
		last_modified = "2024-01-25"
		author = "@petermstewart"
		DaysofYara = "25/100"
		ref = "https://twitter.com/siri_urz/status/1653692714750279681"
		ref = "https://twitter.com/Unit42_Intel/status/1653760405792014336"
		ref = "https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html"

	strings:
		$a = "weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion"
		$b1 = "Good whatever time of day it is!"
		$b2 = "Your safety service did a really poor job of protecting your files against our professionals."
		$b3 = "Extortioner named  BlackSuit has attacked your system."
		$b4 = "As a result all your essential files were encrypted and saved at a secure server for further use and publishing on the Web into the public realm."
		$b5 = "Now we have all your files like: financial reports, intellectual property, accounting, law actionsand complaints, personal files and so on and so forth."
		$b6 = "We are able to solve this problem in one touch."
		$b7 = "We (BlackSuit) are ready to give you an opportunity to get all the things back if you agree to makea deal with us."
		$b8 = "You have a chance to get rid of all possible financial, legal, insurance and many others risks and problems for a quite small compensation."
		$b9 = "You can have a safety review of your systems."
		$b10 = "All your files will be decrypted, your data will be reset, your systems will stay in safe."
		$b11 = "Contact us through TOR browser using the link:"

	condition:
		filesize < 5KB and
		$a and
		8 of ($b*)
}

#100DaysofYARA 2024 – Day 24 – BlackSuit Ransomware

BlackSuit ransomware is thought to be a spin-off or rebrand of Royal, which I looked at on Day 20.

Again, rather than work directly from samples available on VirusTotal, I decided to put a rule together based on information in open-source reporting:

“Investigating BlackSuit Ransomware’s Similarities to Royal”, Trend Micro

As a result, this rule is based on strings used to create the ransom note, but it does catch Windows and Linux samples.

rule MAL_BlackSuit_strings {
	meta:
		description = "Matches strings found in open-source reporting on BlackSuit Windows and Linux ransomware."
		last_modified = "2024-01-24"
		author = "@petermstewart"
		DaysofYara = "24/100"
		sha256 = "90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c"
		sha256 = "1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e"
		ref = "https://twitter.com/siri_urz/status/1653692714750279681"
		ref = "https://twitter.com/Unit42_Intel/status/1653760405792014336"
		ref = "https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html"

	strings:
		$a = "weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion"
		$b1 = "Good whatever time of day it is!"
		$b2 = "Your safety service did a really poor job of protecting your files against our professionals."
		$b3 = "Extortioner named  BlackSuit has attacked your system."
		$b4 = "As a result all your essential files were encrypted and saved at a secure server for further use and publishing on the Web into the public realm."
		$b5 = "Now we have all your files like: financial reports, intellectual property, accounting, law actionsand complaints, personal files and so on and so forth."
		$b6 = "We are able to solve this problem in one touch."
		$b7 = "We (BlackSuit) are ready to give you an opportunity to get all the things back if you agree to makea deal with us."
		$b8 = "You have a chance to get rid of all possible financial, legal, insurance and many others risks and problems for a quite small compensation."
		$b9 = "You can have a safety review of your systems."
		$b10 = "All your files will be decrypted, your data will be reset, your systems will stay in safe."
		$b11 = "Contact us through TOR browser using the link:"

	condition:
		(uint16(0) == 0x5a4d or uint32(0) == 0x464c457f) and
		$a and
		8 of ($b*)
}

#100DaysofYARA 2024 – Day 23 – Kuiper Ransomware Note

Following on from yesterday’s rule to detect Kuiper ransomware binaries, I wrote another rule to detect the ransom note that it drops. Again, I didn’t have a sample available but Stairwell’s blog contained enough details to build out a rule.

rule MAL_Kuiper_ransomnote {
	meta:
		description = "Matches strings found in Stairwell analysis blog post of Kuiper ransomware."
		last_modified = "2024-01-23"
		author = "@petermstewart"
		DaysofYara = "23/100"
		ref = "https://stairwell.com/resources/kuiper-ransomware-analysis-stairwells-technical-report/"

	strings:
		$tox = "D27A7B3711CD1442A8FAC19BB5780FF291101F6286A62AD21E5F7F08BD5F5F1B9803AAC6ECF9"
		$email = "kuipersupport@onionmail.org"
		$a1 = "Your network has been compromised! All your important data has been encrypted!"
		$a2 = "There is  only one way to get your data back to normal:"
		$a3 = "1. Contact us as soon as possible to avoid damages and losses from your business."
		$a4 = "2. Send to us any encrypted file of your choice and your personal key."
		$a5 = "3. We will decrypt 1 file for test (maximum file size = 1 MB), its guaranteed that we can decrypt your files."
		$a6 = "4. Pay the amount required in order to restore your network back to normal."
		$a7 = "5. We will then send you our software to decrypt and will guide you through the whole restoration of your network."
		$a8 = "We prefer Monero (XMR) - FIXED PRICE"
		$a9 = "We accept Bitcoin (BTC) - 20% extra of total payment!"
		$a10 = "WARNING!"
		$a11 = "Do not rename encrypted data."
		$a12 = "Do not try to decrypt using third party software, it may cause permanent data loss not being able to recover."
		$a13 = "Contact information:"
		$a14 = "In order to contact us, download with the following software: https://qtox.github.io or https://tox.chat/download.html"
		$a15 = "Then just add us in TOX:"
		$a16 = "Your personal id:"
		$a17 = "--------- Kuiper Team ------------"

	condition:
		filesize < 5KB and
		15 of them
}

#100DaysofYARA 2024 – Day 22 – Kuiper Ransomware

I wasn’t familiar with the Kuiper ransomware until I found this write-up published by Stairwell.

I didn’t have a sample available, but the Stairwell report included enough details that I was able to write my own YARA rule using the defense evasion and self-propagation commands they highlighted.

rule MAL_Kuiper_strings {
	meta:
		description = "Matches strings found in Stairwell analysis blog post of Kuiper ransomware."
		last_modified = "2024-01-22"
		author = "@petermstewart"
		DaysofYara = "22/100"
		ref = "https://stairwell.com/resources/kuiper-ransomware-analysis-stairwells-technical-report/"

	strings:
		$a1 = "kuiper"
		$a2 = "README_TO_DECRYPT.txt"
		$a3 = "vssadmin delete shadows /all /quiet"
		$a4 = "wevtutil cl application"
		$a5 = "wbadmin delete catalog -quiet"
		$a6 = "bcdedit /set {default} recoveryenabled No"
		$a7 = "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"
		$a8 = "wevtutil cl securit"
		$a9 = "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
		$a10 = "wbadmin DELETE SYSTEMSTATEBACKUP"
		$a11 = "wevtutil cl system"
		$a12 = "vssadmin resize shadowstorage /for="
		$a13 = "\\C$\\Users\\Public\\safemode.exe"
		$a14 = "process call create \"C:\\Users\\Public\\safemode.exe -reboot no\""

	condition:
		uint16(0) == 0x5a4d and
		10 of them
}