#100DaysofYARA 2024 – Day 101 – My Complete Ruleset

That’s it! #100DaysofYARA is complete for 2024. As a final post I have collected all of my rules into a single ruleset that can be used to triage a set of samples quickly. Two caveats: some of the rules use the base64 string modifier, which may not be supported on older versions of YARA, and a few use regular expressions, which can slow scanning noticeably on larger sample sets.

Given the size of the ruleset it’s probably easier to just grab it directly from my GitHub repository.

I hope it’s helpful!

#100DaysofYARA 2024 – Day 21 – Royal Ransomware Note

Just the one rule today – matching strings found in the Royal ransom note.

rule MAL_Royal_ransomnote {
    meta:
        description = "Matches strings found in Royal ransom note sample."
        last_modified = "2024-01-21"
        author = "@petermstewart"
        DaysofYara = "21/100"

    strings:
        $a = "royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion"
        $b1 = "If you are reading this, it means that your system were hit by Royal ransomware"
        $b2 = "Please contact us via :"
        $b3 = "In the meantime, let us explain this case"
        $b4 = "It may seem complicated, but it is not!"
        $b5 = "Most likely what happened was that you decided to save some money on your security infrastructure"
        $b6 = "Alas, as a result your critical data was not only encrypted but also copied from your systems on a secure server"
        $b7 = "From there it can be published online"
        $b8 = "Then anyone on the internet from darknet criminals, ACLU journalists, Chinese government"
        $b9 = "and even your employees will be able to see your internal documentation: personal data, HR reviews, internal lawsuitsand complains, financial reports, accounting, intellectual property, and more"
        $b10 = "Fortunately we got you covered!"
        $b11 = "Royal offers you a unique deal.For a modest royalty(got it; got it ? )"
        $b12 = "for our pentesting services we will not only provide you with an amazing risk mitigation service"
        $b13 = "covering you from reputational, legal, financial, regulatory, and insurance risks, but will also provide you with a security review for your systems"
        $b14 = "To put it simply, your files will be decrypted, your data restoredand kept confidential, and your systems will remain secure"
        $b15 = "Try Royal today and enter the new era of data security"
        $b16 = "We are looking to hearing from you soon"

    condition:
        filesize < 5KB and
        1 of ($a*) and
        13 of ($b*)
}

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my GitHub repository.

#100DaysofYARA 2024 – Day 20 – Royal Ransomware

Royal is a ransomware-as-a-service operated by ROYAL SPIDER, which emerged following the Conti leaks in 2022. Today’s rule matches strings found in Windows and Linux samples of Royal ransomware:

rule MAL_Royal_strings {
    meta:
        description = "Matches strings found in Windows and Linux samples of Royal ransomware."
        last_modified = "2024-01-20"
        author = "@petermstewart"
        DaysofYara = "20/100"
        sha256 = "312f34ee8c7b2199a3e78b4a52bd87700cc8f3aa01aa641e5d899501cb720775"
        sha256 = "9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926"
        sha256 = "b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c"

    strings:
        $a = "royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion"
        $b1 = "If you are reading this, it means that your system were hit by Royal ransomware"
        $b2 = "Please contact us via :"
        $b3 = "In the meantime, let us explain this case"
        $b4 = "It may seem complicated, but it is not!"
        $b5 = "Most likely what happened was that you decided to save some money on your security infrastructure"
        $b6 = "Alas, as a result your critical data was not only encrypted but also copied from your systems on a secure server"
        $b7 = "From there it can be published online"
        $b8 = "Then anyone on the internet from darknet criminals, ACLU journalists, Chinese government"
        $b9 = "and even your employees will be able to see your internal documentation: personal data, HR reviews, internal lawsuitsand complains, financial reports, accounting, intellectual property, and more"
        $b10 = "Fortunately we got you covered!"
        $b11 = "Royal offers you a unique deal.For a modest royalty(got it; got it ? )"
        $b12 = "Try Royal today and enter the new era of data security"
        $b13 = "We are looking to hearing from you soon"

    condition:
        filesize > 2000KB and filesize < 3500KB and
        (uint16(0) == 0x5a4d or uint32(0) == 0x464c457f) and
        $a and
        10 of ($b*)
}
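The header clause of that condition is a common stumbling point when writing rules: YARA's uint16()/uint32() read little-endian, which is why the PE magic `MZ` appears as 0x5a4d and the ELF magic `\x7fELF` as 0x464c457f. The Python below is an added example, not code from the post or the ruleset, that reproduces how YARA evaluates that clause (including the out-of-range case, where the read is undefined and the comparison is false) and derives the constant from literal header bytes; the function names are my own.

```python
import struct

# Added example: emulate the header clause of MAL_Royal_strings,
#   (uint16(0) == 0x5a4d or uint32(0) == 0x464c457f)
# YARA's uintN(offset) reads unsigned little-endian integers, so the constants
# in the rule are the first bytes of the file with their order reversed:
#   b"MZ"      -> 0x5a4d      (PE / MS-DOS stub)
#   b"\x7fELF" -> 0x464c457f  (ELF)
# A read that runs past the end of the data is undefined in YARA and the
# comparison then evaluates as false; None models that here.


def yara_uint16(data: bytes, offset: int = 0):
    """uint16(offset) as YARA evaluates it: little-endian, None if out of range."""
    if offset < 0 or offset + 2 > len(data):
        return None
    return struct.unpack_from("<H", data, offset)[0]


def yara_uint32(data: bytes, offset: int = 0):
    """uint32(offset) as YARA evaluates it: little-endian, None if out of range."""
    if offset < 0 or offset + 4 > len(data):
        return None
    return struct.unpack_from("<I", data, offset)[0]


def magic_constant(header: bytes) -> int:
    """Turn literal header bytes into the constant to write in a uint8/16/32() comparison."""
    if len(header) not in (1, 2, 4):
        raise ValueError("uint8/uint16/uint32 take 1, 2 or 4 bytes")
    return int.from_bytes(header, "little")


def header_matches(data: bytes) -> bool:
    """Mirror of the rule's header clause: PE or ELF magic at offset 0."""
    return yara_uint16(data, 0) == 0x5A4D or yara_uint32(data, 0) == 0x464C457F


def in_size_window(size: int, low_kb: int, high_kb: int) -> bool:
    """Mirror of 'filesize > <low>KB and filesize < <high>KB'; YARA's KB suffix is 1024 bytes."""
    return low_kb * 1024 < size < high_kb * 1024


if __name__ == "__main__":
    # Constructed header fragments, not real samples.
    for sample in (b"MZ\x90\x00\x03\x00", b"\x7fELF\x02\x01\x01", b"PK\x03\x04", b"MZ"):
        print(sample[:4], header_matches(sample))
    print(hex(magic_constant(b"\x7fELF")))
```

magic_constant() is the handy part: paste in the bytes you see at offset 0 in a hex dump and it gives you the number to write in the rule, so you never have to reverse the byte order by hand.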

But wait, there’s more! When I was looking at the Linux sample (SHA256: b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c) I found an RSA Public Key block. I don’t know what it’s for, but my rule matches at least one more sample (SHA256: 06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725) so it might be interesting.

rule HUNT_Royal_RSA_Public_Key {
    meta:
        description = "Matches an RSA Public Key block found in Royal ransomware Linux samples."
        last_modified = "2024-01-20"
        author = "@petermstewart"
        DaysofYara = "20/100"
        sha256 = "b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c"
        sha256 = "06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725"

    strings:
        $key1 = "-----BEGIN RSA PUBLIC KEY-----"
        $key2 = "MIICCAKCAgEAp/24TNvKoZ9rzwMaH9kVGq4x1j+L/tgWH5ncB1TQA6eT5NDtgsQH"
        $key3 = "jv+6N3IY8P4SPSnG5QUBp9uYm3berObDuLURZ4wGW+HEKY+jNht5JD4aE+SS2Gjl"
        $key4 = "+lht2N+S8lRDAjcYXJZaCePN4pHDWQ65cVHnonyo5FfjKkQpDlzbAZ8/wBY+5gE4"
        $key5 = "Tex2Fdh7pvs7ek8+cnzkSi19xC0plj4zoMZBwFQST9iLK7KbRTKnaF1ZAHnDKaTQ"
        $key6 = "uCkJkcdhpQnaDyuUojb2k+gD3n+k/oN33Il9hfO4s67gyiIBH03qG3CYBJ0XfEWU"
        $key7 = "cvvahe+nZ3D0ffV/7LN6FO588RBlI2ZH+pMsyUWobI3TdjkdoHvMgJItrqrCK7BZ"
        $key8 = "TIKcZ0Rub+RQJsNowXbC+CbgDl38nESpKimPztcd6rzY32Jo7IcvAqPSckRuaghB"
        $key9 = "rkci/d377b6IT+vOWpNciS87dUQ0lUOmtsI2LLSkwyxauG5Y1W/MDUYZEuhHYlZM"
        $key10 = "cKqlSLmu8OTitL6bYOEQSy31PtCg2BOtlSu0NzW4pEXvg2hQyuSEbeWEGkrJrjTK"
        $key11 = "v9K7eu+eT5/arOy/onM56fFZSXfVseuC48R9TWktgCpPMkszLmwY14rp1ds6S7OO"
        $key12 = "/HLRayEWjwa0eR0r/GhEHX80C8IU54ksEuf3uHbpq8jFnN1A+U239q0CAQM="
        $key13 = "-----END RSA PUBLIC KEY-----"

    condition:
        filesize > 2MB and filesize < 3MB and
        (uint16(0) == 0x5a4d or uint32(0) == 0x464c457f) and
        all of ($key*)
}
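Since the purpose of the key block is unknown, a cheap next step is to confirm it is a well-formed key and note its parameters. The Python below is an added example, not the post's own code: it joins the base64 lines copied verbatim from the `$key2`..`$key12` strings above, decodes the DER and walks the PKCS#1 RSAPublicKey structure (a SEQUENCE of two INTEGERs, modulus then public exponent) with a minimal DER reader of my own. The key material is the rule's; the parser and function names are mine.

```python
import base64

# Added example: structural parse of the RSA PUBLIC KEY block matched by
# HUNT_Royal_RSA_Public_Key. Base64 lines copied from the rule's $key2..$key12
# strings; the DER reader below is my own, not part of the ruleset.
ROYAL_RSA_PEM_LINES = [
    "MIICCAKCAgEAp/24TNvKoZ9rzwMaH9kVGq4x1j+L/tgWH5ncB1TQA6eT5NDtgsQH",
    "jv+6N3IY8P4SPSnG5QUBp9uYm3berObDuLURZ4wGW+HEKY+jNht5JD4aE+SS2Gjl",
    "+lht2N+S8lRDAjcYXJZaCePN4pHDWQ65cVHnonyo5FfjKkQpDlzbAZ8/wBY+5gE4",
    "Tex2Fdh7pvs7ek8+cnzkSi19xC0plj4zoMZBwFQST9iLK7KbRTKnaF1ZAHnDKaTQ",
    "uCkJkcdhpQnaDyuUojb2k+gD3n+k/oN33Il9hfO4s67gyiIBH03qG3CYBJ0XfEWU",
    "cvvahe+nZ3D0ffV/7LN6FO588RBlI2ZH+pMsyUWobI3TdjkdoHvMgJItrqrCK7BZ",
    "TIKcZ0Rub+RQJsNowXbC+CbgDl38nESpKimPztcd6rzY32Jo7IcvAqPSckRuaghB",
    "rkci/d377b6IT+vOWpNciS87dUQ0lUOmtsI2LLSkwyxauG5Y1W/MDUYZEuhHYlZM",
    "cKqlSLmu8OTitL6bYOEQSy31PtCg2BOtlSu0NzW4pEXvg2hQyuSEbeWEGkrJrjTK",
    "v9K7eu+eT5/arOy/onM56fFZSXfVseuC48R9TWktgCpPMkszLmwY14rp1ds6S7OO",
    "/HLRayEWjwa0eR0r/GhEHX80C8IU54ksEuf3uHbpq8jFnN1A+U239q0CAQM=",
]


def pem_lines_to_der(lines) -> bytes:
    """Join the PEM body lines and base64-decode them (strict alphabet check)."""
    return base64.b64decode("".join(lines), validate=True)


def read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; returns (tag, value, end_offset).
    Handles short-form lengths (< 0x80) and long-form lengths (0x8n + n bytes)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def parse_pkcs1_rsa_public_key(der: bytes) -> dict:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER } (PKCS#1)."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    t_n, n_bytes, pos = read_tlv(body, 0)
    t_e, e_bytes, pos = read_tlv(body, pos)
    if t_n != 0x02 or t_e != 0x02 or pos != len(body):
        raise ValueError("expected exactly two INTEGERs in the SEQUENCE")
    n = int.from_bytes(n_bytes, "big")     # leading 0x00 pad (if any) vanishes here
    e = int.from_bytes(e_bytes, "big")
    return {"der_len": len(der), "modulus_bits": n.bit_length(), "exponent": e, "modulus": n}


def summarize_royal_key() -> dict:
    """Parse the key from the rule and return its parameters."""
    return parse_pkcs1_rsa_public_key(pem_lines_to_der(ROYAL_RSA_PEM_LINES))


if __name__ == "__main__":
    info = summarize_royal_key()
    print(f"DER length: {info['der_len']} bytes")
    print(f"modulus:    {info['modulus_bits']} bits, exponent {info['exponent']}")
    print(f"modulus (first 16 hex digits): {info['modulus']:x}"[:46])
```

Running it shows the block decodes cleanly to a 524-byte PKCS#1 structure holding a 4096-bit modulus with public exponent 3. That says nothing about what the key is used for, but it confirms the strings are a real key rather than filler, and the decoded modulus is a sturdier pivot than the base64 lines themselves: the same key re-wrapped at a different line width or embedded in DER rather than PEM would slip past line-by-line string matching while the modulus value stays identical.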
