#100DaysofYARA 2024 – Day 101 – My Complete Ruleset

That’s it! #100DaysofYARA is complete for 2024. As a final post I have collected all of my rules into a single ruleset that can be used to easily triage a set of samples. Some of the rules use the base64 string modifier which may not be supported on older versions of YARA, and a few make use of regular expressions which may cause performance issues on larger sample sets.

Given the size of the ruleset it’s probably easier to just grab it directly from my Github repository.

I hope it’s helpful!

#100DaysofYARA 2024 – Day 46 – StripedFly “Cryptominer”

In October 2023 Kaspersky Labs published a write-up of an interesting Tor-based C2 framework which masqueraded as a cryptominer. I couldn’t find any samples despite Kaspersky’s claim of observing infections in the hundreds of thousands, so this rule is a bit speculative.

rule HUNT_StripedFly {
	meta:
		description = "Matches strings found in Kaspersky Labs analysis of StripedFly malware."
		last_modified = "2024-02-15"
		author = "@petermstewart"
		DaysofYara = "46/100"
		ref = "https://securelist.com/stripedfly-perennially-flying-under-the-radar/110903/"

	strings:
		$a1 = "gpiekd65jgshwp2p53igifv43aug2adacdebmuuri34hduvijr5pfjad.onion" ascii wide
		$a2 = "ghtyqipha6mcwxiz.onion" ascii wide
		$a3 = "ajiumbl2p2mjzx3l.onion" ascii wide
		$b1 = "HKCU\\Software\\Classes\\TypeLib" ascii wide
		$b2 = "uname -nmo" ascii wide
		$b3 = "%s; chmod +x %s; nohup sh -c \"%s; rm %s\" &>/dev/null" ascii wide
		$b4 = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters" ascii wide

	condition:
		(uint16(0) == 0x5a4d or uint32(0) == 0x464c457f) and
		1 of ($a*) and
		1 of ($b*)
}

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.

#100DaysofYARA 2024 – Day 45 – XMRig

XMRig is an open-source, cross-platform cryptominer; it is available on Github and is often found on compromised webservers following mass-exploitation campaigns. Today’s rule matches strings found in a Windows XMRig sample, which was also flagged up by my generic cryptominer string rule from Day 32.

rule MAL_XMRig_strings {
	meta:
		description = "Matches strings found in XMRig cryptominer samples."
		last_modified = "2024-02-14"
		author = "@petermstewart"
		DaysofYara = "45/100"
		sha256 = "3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1"

	strings:
		$a1 = "Usage: xmrig [OPTIONS]"
		$a2 = "mining algorithm https://xmrig.com/docs/algorithms"
		$a3 = "username:password pair for mining server"
		$a4 = "--rig-id=ID"
		$a5 = "control donate over xmrig-proxy feature"
		$a6 = "https://xmrig.com/benchmark/%s"
		$a7 = "\\xmrig\\.cache\\"
		$a8 = "XMRIG_INCLUDE_RANDOM_MATH"
		$a9 = "XMRIG_INCLUDE_PROGPOW_RANDOM_MATH"
		$a10 = "'h' hashrate, 'p' pause, 'r' resume, 's' results, 'c' connection"

	condition:
		7 of them
}


#100DaysofYARA 2024 – Day 32 – Generic Cryptominer Strings

Here is a simple rule to catch the Stratum URL strings commonly found in cryptominer binaries.

rule TTP_cryptominer_stratum_strings {
	meta:
		description = "Matches stratum URL strings commonly found in cryptominers."
		last_modified = "2024-02-01"
		author = "@petermstewart"
		DaysofYara = "32/100"

	strings:
		$a1 = "stratum+tcp" ascii wide
		$a2 = "stratum+udp" ascii wide
		$a3 = "stratum+ssl" ascii wide

	condition:
		(uint16(0) == 0x5a4d or			//PE
		uint32(0) == 0x464c457f or		//ELF
		uint32(0) == 0xfeedface or		//MH_MAGIC
		uint32(0) == 0xcefaedfe or		//MH_CIGAM
		uint32(0) == 0xfeedfacf or		//MH_MAGIC_64
		uint32(0) == 0xcffaedfe or		//MH_CIGAM_64
		uint32(0) == 0xcafebabe or		//FAT_MAGIC
		uint32(0) == 0xbebafeca) and	//FAT_CIGAM
		any of them
}
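As an added illustration (not the author's code and not part of the ruleset), the following Python models how YARA evaluates this rule: uint16(0) and uint32(0) are little-endian reads from offset 0, `ascii wide` means a string may appear either as plain ASCII or as UTF-16LE, and the file-magic check gates everything, so a plain-text miner config containing a Stratum URL does not match. The samples are constructed header fragments, not real binaries.

```python
import struct

# Day 32 rule logic modelled in Python (illustration only, not YARA itself).
# YARA's uint32(0) is a little-endian read, so 0x464c457f is the byte
# sequence 7f 45 4c 46 ("\x7fELF") and 0xfeedfacf is cf fa ed fe.
MAGIC_U32 = {0x464c457f, 0xfeedface, 0xcefaedfe, 0xfeedfacf,
             0xcffaedfe, 0xcafebabe, 0xbebafeca}
STRATUM = [b"stratum+tcp", b"stratum+udp", b"stratum+ssl"]


def has_executable_magic(data: bytes) -> bool:
    """Mirror the file-type gate: PE (MZ), ELF, or any Mach-O / fat magic."""
    if len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5a4d:
        return True
    return len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] in MAGIC_U32


def matching_strings(data: bytes, strings):
    """Strings present as ASCII or as UTF-16LE, i.e. the 'ascii wide' modifiers."""
    return [s for s in strings
            if s in data or s.decode().encode("utf-16-le") in data]


def stratum_rule_matches(data: bytes) -> bool:
    """Equivalent of the condition: (magic check) and any of them."""
    return has_executable_magic(data) and bool(matching_strings(data, STRATUM))


# Constructed samples: a few header bytes, padding and one embedded string.
SAMPLES = {
    "pe_wide": b"MZ" + b"\x00" * 62
               + "stratum+tcp://pool.example:3333".encode("utf-16-le"),
    "elf_ascii": b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"stratum+ssl://pool.example:443",
    "macho_udp": b"\xcf\xfa\xed\xfe" + b"\x00" * 28 + b"stratum+udp://pool.example:3333",
    "text_config": b'{"url": "stratum+tcp://pool.example:3333"}',  # no magic, no match
    "pe_clean": b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode",
}


def triage(samples=SAMPLES):
    """Return {sample name: rule matched} for a set of in-memory samples."""
    return {name: stratum_rule_matches(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in triage().items():
        print(f"{name:12s} {'MATCH' if hit else '-'}")
```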


#100DaysofYARA 2024 – Day 31 – LemonDuck

I see a lot of cryptominers. LemonDuck is interesting because it goes beyond the basics of mining and can even be used as a foothold for hands-on-keyboard activity following the initial breach.

This rule matches strings found in Windows and Linux LemonDuck variants.

rule MAL_LemonDuck_strings {
	meta:
		description = "Matches strings found in Lemonduck cryptominer samples."
		last_modified = "2024-01-31"
		author = "@petermstewart"
		DaysofYara = "31/100"
		sha256 = "a5de49d6b14b04ba854246e1945ea1cfc8a7e7e254d0974efaba6415922c756f"

	strings:
		$a1 = "stratum+tcp"
		$a2 = "stratum+ssl"
		$b1 = "\"donate-level\":"
		$b2 = "\"health-print-time\":"
		$b3 = "\"retry-pause\":"
		$b4 = "\"nicehash\":"
		$b5 = "\"coin\":"
		$b6 = "\"randomx\":"
		$b7 = "\"opencl\":"
		$b8 = "\"cuda\":"
		$b9 = "This is a test This is a test This is a test"

	condition:
		(uint16(0) == 0x5a4d or uint32(0) == 0x464c457f) and
		1 of ($a*) and
		8 of ($b*)
}
